Good afternoon, my network worker friend
There are so many knowledge points about Vlan , such as what broadcast domain, mechanism to implement Vlan, Vlan access link, aggregation link, aggregation method, inter-Vlan routing, design of LAN... only you can't think of it, there is nothing it doesn't have.
With so many technical points, it is not friendly to novice network workers, what to do?
In today's article, I intend to use 20,000 words + 50 pictures to sort out the basic knowledge points of Vlan for you in one go.
Want to get rid of theory and study practical? This HCIA course is involved. Teach you how to realize inter-VLAN communication, and other more practical courses, find out for you.
Friends who want to read all the syllabus can directly contact Mr. Yang.
Today's article reading benefits: "VLAN Explanation (Detailed Explanation of Key and Difficult Points)"
I found a learning document for you, which contains classic VLAN-related cases and complete configuration commands, and some key and difficult points will be explained in detail.
Private message me , note "VLAN" , and the first 30 private messages will send out the study notes.
01 Why do network engineers need VLAN?
01What is VLAN?
VLAN (Virtual LAN), translated into Chinese is "virtual local area network". A LAN can be a network of a few home computers or an enterprise network of hundreds of computers. The LAN referred to by VLAN refers to a network divided by a router—that is, a broadcast domain.
Let's review the concept of broadcast domains first.
The broadcast domain refers to the range to which the broadcast frame (the target MAC address is all 1) can be transmitted, that is, the range where direct communication is possible.
Strictly speaking, not only broadcast frames, multicast frames (Multicast Frame) and target unknown unicast frames (Unknown Unicast Frame) can also travel unimpeded in the same broadcast domain.
Originally, a Layer 2 switch can only construct a single broadcast domain, but after using the VLAN function, it can divide the network into multiple broadcast domains.
02 When the broadcast domain is not divided...
So, why do you need to split the broadcast domain?
That's because, if there is only one broadcast domain, it may affect the overall transmission performance of the network. For specific reasons, please refer to the accompanying drawings for a deeper understanding.
In the figure, it is a network composed of 5 Layer 2 switches (switches 1-5) connected to a large number of clients.
Suppose at this time, computer A needs to communicate with computer B. In Ethernet-based communication, the target MAC address must be specified in the data frame to communicate normally, so computer A must first broadcast "ARP request (ARP Request) information" to try to obtain the MAC address of computer B.
After switch 1 receives the broadcast frame (ARP request), it will forward it to all ports except the receiving port, which is Flooding.
Then, Switch 2 will also Flood after receiving the broadcast frame. Switches 3, 4, and 5 will also be Flooding. Eventually the ARP request will be forwarded to all clients on the same network.
Please note that this ARP request was originally sent to obtain the MAC address of computer B. That is to say: as long as computer B can receive it, everything will be fine.
But in fact, the data frame is spread throughout the network, causing all computers to receive it.
In this way, on the one hand, the broadcast information consumes the overall bandwidth of the network; on the other hand, the computer that receives the broadcast information also consumes part of the CPU time to process it. It causes a lot of unnecessary consumption of network bandwidth and CPU computing power.
03Is the broadcast message sent out so often?
After reading this, you may ask: Do broadcast messages really appear so frequently?
The answer is: yes.
In fact, broadcast frames will appear very frequently. When using the TCP/IP protocol stack to communicate, in addition to the ARP that appeared above, there may be many other types of broadcast information such as DHCP and RIP.
ARP broadcasts are sent when communication with other hosts is required. When the client requests the DHCP server to assign an IP address, it must issue a DHCP broadcast. When RIP is used as the routing protocol, the router will broadcast routing information to other adjacent routers every 30 seconds.
Routing protocols other than RIP use multicast to transmit routing information, which is also forwarded by switches (Flooding). In addition to TCP/IP, protocols such as NetBEUI, IPX, and Apple Talk often need to use broadcasting.
For example, when double-clicking to open "Network Computer" under Windows, a broadcast (multicast) message will be sent. (Except for Windows XP...)
In short, broadcasting is all around us. Here are some common broadcast communications:
(1) ARP request: establish the mapping relationship between IP address and MAC address.
(2) RIP: A routing protocol.
(3) DHCP: A protocol for automatically setting an IP address.
(4) NetBEUI: The network protocol used under Windows.
(5) IPX: The network protocol used by Novell Netware.
(6) Apple Talk: A network protocol used by Apple's Macintosh computers.
If there is only one broadcast domain in the entire network, once the broadcast information is sent out, it will spread throughout the network and bring additional burden to the hosts in the network. Therefore, when designing a LAN, attention needs to be paid to how to effectively segment the broadcast domain.
04Segmentation of broadcast domain and necessity of VLAN
When splitting broadcast domains, routers must generally be used. After using a router, the broadcast domain can be divided in units of network interfaces (LAN Interfaces) on the router.
However, under normal circumstances, there will not be too many network interfaces on the router, and the number of them is about 1 to 4 at most.
With the popularity of broadband connections, broadband routers (or IP sharers) have become more common, but it should be noted that although they have multiple (generally about 4) network interfaces connected to the LAN side, but That is actually a switch built into the router, and it cannot split the broadcast domain.
Moreover, if a router is used to divide a broadcast domain, the number of divisions that can be divided depends entirely on the number of network interfaces of the router, making it impossible for users to freely divide a broadcast domain according to actual needs.
Compared with routers, Layer 2 switches generally have multiple network interfaces. Therefore, if it can be used to divide the broadcast domain, the flexibility of use will undoubtedly be greatly improved.
The technology used to divide the broadcast domain on the Layer 2 switch is VLAN. By using VLAN, we can freely design the composition of the broadcast domain and improve the freedom of network design.
02 Mechanism to realize VLAN
01Mechanism to realize VLAN
After understanding "why VLAN is needed", let's take a look at how switches use VLAN to divide broadcast domains.
First of all, on a Layer 2 switch without any VLAN, any broadcast frame will be forwarded to all other ports except the receiving port (Flooding). For example, after computer A sends broadcast information, it will be forwarded to ports 2, 3, and 4.
At this time, if two VLANs, red and blue, are generated on the switch; at the same time, set ports 1 and 2 to belong to the red VLAN, and ports 3 and 4 to belong to the blue VLAN.
If a broadcast frame is sent from A, the switch will only forward it to other ports that belong to the same VLAN—that is, port 2 that also belongs to the red VLAN, and will not forward it to the port that belongs to the blue VLAN.
Similarly, when C sends broadcast information, it will only be forwarded to other ports belonging to the blue VLAN, and will not be forwarded to ports belonging to the red VLAN.
In this way, VLANs divide broadcast domains by limiting the scope of forwarding of broadcast frames. In the figure above, for the sake of illustration, different VLANs are identified by red and blue colors, but in actual use, they are distinguished by "VLAN ID".
02 Intuitively describe VLAN
If we want to describe VLAN more intuitively, we can understand it as logically dividing a switch into several switches.
Generating two VLANs, red and blue, on one switch can also be regarded as replacing one switch with two virtual switches, one red and one blue.
When a new VLAN is generated outside of the red and blue VLANs, it can be imagined that a new switch has been added.
However, logical switches generated by VLANs are not connected to each other. Therefore, after the VLAN is set on the switch, if no other processing is done, communication between VLANs cannot be performed.
It is obviously connected to the same switch, but it cannot communicate - this fact may be difficult to accept. But it's both a convenient and easy-to-use feature of VLANs and what makes VLANs so confusing.
03What should I do when inter-VLAN communication is required?
So, what should we do when we need to communicate between different VLANs?
Please recall again: VLAN is a broadcast domain. Usually, two broadcast domains are connected by routers, and data packets between broadcast domains are relayed by routers.
Therefore, the communication between VLANs also requires routers to provide relay services, which is called "inter-VLAN routing".
For inter-VLAN routing, you can use a common router or a Layer 3 switch. Let's talk about the specific content when we have a chance.
Here, I hope everyone remembers that the routing function needs to be used when different VLANs communicate with each other.
03 VLAN access link (Access Link)
01 switch port type
Switch ports can be divided into the following two types:
(1) Access Link
(2) Trunk Link
Next, let us learn the characteristics of these two different ports in turn. In this lecture, first learn "access links".
02Access link
An access link refers to a port that "belongs to only one VLAN and only forwards data frames to this VLAN". In most cases, the access link is connected to the client computer.
Usually the order of setting VLAN is:
(1) Generate VLAN
(2) Set the access link (determine which VLAN each port belongs to)
The method of setting the access link may be fixed in advance, or may be dynamically changed according to the connected computer. The former is called "static VLAN", and the latter is naturally "dynamic VLAN".
1. Static VLAN - based on port
Static VLAN is also called port-based VLAN (PortBased VLAN). As the name suggests, it is a setting method that clearly specifies which VLAN each port belongs to.
Due to the need to specify ports one by one, when the number of computers in the network exceeds a certain number (such as hundreds), the setting operation will become extremely complicated.
Moreover, every time the client computer changes the connected port, the setting of the VLAN to which the port belongs must be changed at the same time-this is obviously not suitable for those networks that need to change the topology structure frequently.
2. Dynamic VLAN
On the other hand, dynamic VLAN is to change the VLAN to which the port belongs at any time according to the computer connected to each port.
This avoids operations such as changing settings as described above. Dynamic VLAN can be roughly divided into 3 categories:
(1) VLAN based on MAC address (MAC Based VLAN)
(2) Subnet Based VLAN (Subnet Based VLAN)
(3) User Based VLAN (User Based VLAN)
The difference between them mainly lies in the information of which layer of the OSI reference model determines the VLAN to which the port belongs.
3. VLAN based on MAC address
MAC address-based VLAN is to determine the port's ownership by querying and recording the MAC address of the computer's network card connected to the port.
Assuming that there is a MAC address "A" set by the switch to belong to VLAN "10", then no matter which port the computer with the MAC address "A" is connected to, the port will be assigned to VLAN 10.
When the computer is connected to port 1, port 1 belongs to VLAN 10; and when the computer is connected to port 2, port 2 belongs to VLAN 10.
Since the VLAN is determined based on the MAC address, it can be understood that this is a method of setting the access link at the second layer of OSI.
However, when setting a MAC address-based VLAN, it is necessary to check and register the MAC addresses of all connected computers. And if the computer has swapped network cards, you still need to change the settings.
4. VLAN based on IP address
Based on the subnet VLAN, the VLAN to which the port belongs is determined by the IP address of the connected computer.
Unlike the VLAN based on the MAC address, even if the computer's MAC address changes due to the exchange of network cards or other reasons, as long as its IP address remains unchanged, it can still join the originally set VLAN.
Therefore, compared with the MAC address-based VLAN, the network structure can be changed more easily.
The IP address is the information of the third layer in the OSI reference model, so we can understand that the subnet-based VLAN is a method of setting access links at the third layer of the OSI.
The user-based VLAN determines which VLAN the port belongs to based on the currently logged-in user on the computer connected to each port of the switch.
The user identification information here is generally a user logged in by a computer operating system, for example, it may be a user name used in a Windows domain. These user name information belong to the information above the fourth layer of OSI.
Generally speaking, the higher the OSI level of the information used to determine the VLAN to which a port belongs, the more suitable it is for building a flexible and changeable network.
04 VLAN aggregation link (Trunk Link)
01 When you need to set up a VLAN spanning multiple switches...
So far, what we have learned is the case when a single switch is used to set up VLANs.
So, what if you need to set up a VLAN that spans multiple switches?
When planning an enterprise-level network, it is very likely that users belonging to the same department are scattered on different floors in the same building. At this time, it may be necessary to consider how to set up VLANs across multiple switches.
Assume that there is a network as shown in the figure below, and A, C, B, and D on different floors need to be set to the same VLAN.
At this time, the most critical thing is "how to connect switch 1 and switch 2?"
The easiest way, of course, is to set up a red and blue VLAN-dedicated interface on Switch 1 and Switch 2 respectively and interconnect them.
However, this approach is not good in terms of scalability and management efficiency. For example, when creating a new VLAN on the basis of an existing network, in order to allow the VLAN to communicate with each other, it is necessary to connect a new network cable between the switches.
The vertical wiring between the floors of the building is troublesome, and generally cannot be carried out by the grassroots management personnel at will.
Moreover, the more VLANs, the more ports required for interconnection between floors (strictly speaking, switches). The low utilization efficiency of switch ports is a waste of resources and limits the expansion of the network.
In order to avoid this low-efficiency connection method, people find a way to concentrate the network cables interconnected between switches into one, and at this time, a trunk link (Trunk Link) is used.
02What is an aggregation link?
A trunk link (Trunk Link) refers to a port capable of forwarding communications of multiple different VLANs.
The data frames circulating on the aggregation link are all appended with special information for identifying which VLAN they belong to.
Now let us go back and think about what would happen if the network used aggregation links just now?
Users only need to simply set the interconnected ports between switches as aggregated links.
At this time, the network cable used is still an ordinary UTP cable, not any other special wiring.
In the illustration, it is the interconnection between switches, so a crossover cable is required to connect.
Next, let's take a look at how the aggregation link is implemented across VLANs between switches.
When the data frame sent by A arrives at switch 2 through the aggregation link from switch 1, a tag indicating that it belongs to the red VLAN is attached to the data frame.
After switch 2 receives the data frame, it finds that the data frame belongs to the red VLAN after checking the VLAN ID, so after removing the mark, the restored data frame is only forwarded to other ports belonging to the red VLAN.
Forwarding at this time refers to only forwarding to the port connected to the target MAC address after confirming the target MAC address and comparing it with the MAC address list.
Only if the data frame is a broadcast frame, a multicast frame or a frame with unknown destination, it will be forwarded to all ports belonging to the red VLAN.
The situation is the same when the blue VLAN sends data frames.
It is possible to support the standard "IEEE 802.1Q" protocol, or the unique "ISL (Inter Switch Link)" of Cisco products through the additional VLAN identification information when the link is aggregated.
If the switch supports these specifications, users can efficiently build VLANs spanning multiple switches.
In addition, data of multiple VLANs flows on the aggregation link, which naturally has a heavy load. Therefore, when setting up the aggregation link, there is a premise that it must support a transmission speed of more than 100Mbps.
In addition, by default, the aggregation link will forward the data of all VLANs existing on the switch.
From another perspective, it can be considered that the aggregation link (port) belongs to all VLANs on the switch at the same time.
Since the data of all VLANs may not need to be forwarded in practical applications, in order to reduce the load on the switch and reduce the waste of bandwidth, we can limit the VLANs that can be interconnected through the aggregation link through user settings.
The specific content of IEEE 802.1Q and ISL will be mentioned in the next lecture.
03 Summary of access links
To sum up, there are two methods of setting access links: static VLAN and dynamic VLAN, and dynamic VLAN can be further subdivided into several subcategories.
Among them, subnet-based VLAN and user-based VLAN may be implemented by network equipment manufacturers using unique protocols, and there may be compatibility issues between devices from different manufacturers;
Therefore, when choosing a switch, be sure to pay attention to confirming in advance.
05 VLAN Aggregation Method IEEE802.1Q and ISL
01 Convergence method
On the aggregation link of the switch, VLAN information spanning multiple switches can be constructed by adding VLAN information to the data frame.
The most representative methods for attaching VLAN information are:
(1)IEEE 802.1Q
(2)ISL
Now let us see how these two protocols attach VLAN information to data frames respectively.
02 IEEE 802.1Q
IEEE 802.1Q, commonly known as "Dot One Q", is an IEEE-certified protocol for attaching VLAN identification information to data frames.
Here, please recall the standard format of Ethernet data frames.
The VLAN identification information added by IEEE 802.1Q is located between the "sending source MAC address" and the "Type Field" in the data frame. The specific content is 2 bytes of TPID (Tag Protocol IDentifier) and 2 bytes of TCI (Tag Control Information), totaling 4 bytes.
If 4 bytes are added to the data frame, the CRC value will naturally change. At this time, the CRC on the data frame is the value obtained after recalculating the entire data frame including them after inserting the TPID and TCI.
When the data frame leaves the aggregation link, the TPID and TCI will be removed, and a CRC recalculation will be performed at this time.
The position of the TPID field in the Ethernet packet is the same as that of the protocol type field in the packet without VLAN Tag.
The value of TPID is fixed at 0x8100, which indicates the 802.1Q type carried by the network frame, and the switch uses it to determine that the VLAN information based on IEEE 802.1Q is attached to the data frame.
The actual VLAN ID is 12 bits in TCI. Since there are 12 bits in total, a maximum of 4096 VLANs can be identified.
VLAN information attached based on IEEE 802.1Q is like a tag attached when delivering items. Therefore, it is also called "Tagging VLAN".
03 ISL(Inter Switch Link)
ISL is a protocol supported by Cisco products that is similar to IEEE 802.1Q and is used to attach VLAN information to aggregation links.
After using ISL, each data frame header will be appended with a 26-byte "ISL Header (ISL Header)", and the 4 words obtained after calculating the entire data frame including the ISL header on the frame tail Section CRC value. In other words, a total of 30 bytes of information has been added.
In the environment using ISL, when the data frame leaves the aggregation link, it is enough to simply remove the ISL header and the new CRC. Since the original data frame and its CRC are completely preserved, there is no need to recalculate the CRC.
ISL is like wrapping the original data frame with the ISL header and new CRC, so it is also called "encapsulated VLAN".
It should be noted that neither the "Tagging VLAN" of IEEE802.1Q nor the "Encapsulated VLAN" of ISL is a very strict term. In different books and reference materials, the above words may be used mixedly, so you need to pay special attention when learning.
And because ISL is a Cisco unique protocol, it can only be used for the interconnection between Cisco network devices.
06 Inter-VLAN routing
01 The necessity of inter-VLAN routing
According to the knowledge learned so far, we already know that even if two computers are connected to the same switch, as long as they belong to different VLANs, they cannot communicate directly.
The next thing we will learn is how to route between different VLANs so that hosts belonging to different VLANs can communicate with each other.
First of all, let's review why different VLANs cannot communicate without routing.
For communication within the LAN, the MAC address of the communication target must be specified in the data frame header.
In order to obtain the MAC address, ARP is used under the TCP/IP protocol. The method of ARP to resolve the MAC address is through broadcasting.
That is to say, if the broadcast message cannot arrive, the MAC address cannot be resolved, that is, direct communication cannot be performed.
Computers belong to different VLANs, which means that they belong to different broadcast domains, so naturally they cannot receive broadcast messages from each other.
Therefore, computers belonging to different VLANs cannot communicate with each other directly.
In order to be able to communicate between VLANs, it is necessary to use the information (IP address) of the higher layer in the OSI reference model-the network layer for routing. Regarding the specific content of routing, I will explain it in detail later.
The routing function is generally mainly provided by the router. But in today's LAN, we often use switches with routing function - Layer 3 Switch (Layer 3 Switch) to achieve. Next, let us look at the situation when using routers and Layer 3 switches for inter-VLAN routing.
02Using routers for inter-VLAN routing
When using routers for inter-VLAN routing, similar to the situation when constructing VLANs spanning multiple switches, we still encounter the problem of "how to connect routers and switches".
There are roughly two ways to connect routers and switches:
(1) Connect the router to each VLAN on the switch separately
(2) No matter how many VLANs there are, the router and the switch are connected by only one network cable
The easiest thing to think of, of course, is "connect the router and the switch with network cables in units of VLANs".
Set each port on the switch that is used to connect to the router as an Access Link, and then use a network cable to connect to an independent port on the router.
As shown in the figure below, there are 2 VLANs on the switch, so you need to reserve 2 ports on the switch for interconnection with the router; there also need to be 2 ports on the router; connect them with 2 network cables.
If this method is adopted, it should not be difficult for everyone to imagine that its scalability is very problematic. Every time a new VLAN is added, the ports on the router and the access links on the switch need to be consumed, and a network cable needs to be re-routed.
Routers, on the other hand, usually don't have too many LAN interfaces. When creating a new VLAN, in order to correspond to the ports required by the added VLAN, the router must be upgraded to a high-end product with multiple LAN interfaces. This part of the cost, as well as the overhead caused by rewiring, make this wiring method become an unpopular approach.
Then, what about the second method of "connecting the router and the switch with only one network cable regardless of the number of VLANs"? When using a network cable to connect the router and the switch for inter-VLAN routing, aggregation links are required.
The specific implementation process is:
First, set the switch port used to connect to the router as a Trunk Link, and the ports on the router must also support Trunk Link. Naturally, the protocols used by both parties to aggregate links must also be the same.
Then define the "sub interface" (Sub Interface) corresponding to each VLAN on the router.
Although there is only one physical port actually connected to the switch, in theory we can divide it into multiple virtual ports.
A VLAN logically divides a switch into multiple switches, so routers used for inter-VLAN routing must also have virtual interfaces corresponding to each VLAN.
If this method is adopted, even if a new VLAN is created on the switch later, only one network cable is needed to connect the switch and the router.
The user only needs to set up a new sub-interface corresponding to the new VLAN on the router. Compared with the previous method, the scalability is much stronger, and there is no need to worry about upgrading routers with insufficient LAN interfaces or rewiring.
03Communication within the same VLAN
Next, we continue to learn how inter-VLAN routing is performed when using aggregation links to connect switches and routers. As shown in the figure below, set the IP address for each computer and the sub-interface of the router.
The network address of the red VLAN (VLAN ID=1) is 192.168.1.0/24, and the network address of the blue VLAN (VLAN ID=2) is 192.168.2.0/24.
The MAC addresses of each computer are A/B/C/D, and the MAC address of the aggregation link port of the router is R.
The switch generates the following MAC address list by learning the MAC addresses of the computers connected to each port.
First consider the situation when computer A communicates with computer B in the same VLAN.
Computer A sends an ARP request message, requesting to resolve B's MAC address. After the switch receives the data frame, it retrieves the entry in the MAC address list that belongs to the same VLAN as the receiving port.
It turns out that computer B is connected to port 2, so the switch forwards the data frame to port 2, and finally computer B receives the frame.
The communication between the sending and receiving parties belongs to the same VLAN, and all processing is completed in the switch.
04 Communication between different VLANs
Next is the core content of this lecture, the communication between different VLANs. Let's consider the situation when computer A communicates with computer C.
Computer A concludes from the IP address (192.168.2.1) of the communication target that C and this computer do not belong to the same network segment. Therefore, the data frame will be forwarded to the set default gateway (DefaultGateway, GW).
Before sending a data frame, you need to use ARP to obtain the MAC address of the router.
After obtaining the MAC address R of the router, the next step is to send the data frame to C according to the steps shown in the figure.
In the data frame of ①, the target MAC address is the address R of the router, but the contained target IP address is still the address of the object C to be communicated.
The content of this part involves the communication steps when forwarding through the router in the LAN, and I will explain it in detail when I have the opportunity.
After receiving the data frame of ① on port 1, the switch retrieves entries in the MAC address list that belong to the same VLAN as port 1.
Since the aggregation link will be regarded as belonging to all VLANs, port 6 of the switch also belongs to the referenced object at this time.
In this way, the switch knows that sending data frames to the MAC address R needs to be forwarded through port 6.
When sending a data frame from port 6, because it is a trunk link, it will be attached with VLAN identification information.
Since the data frame originally came from the red VLAN, as shown in ② in the figure, it will be added with the identification information of the red VLAN and enter the aggregation link.
After the router receives the data frame of ②, it confirms its VLAN identification information. Since it belongs to the data frame of the red VLAN, it is received by the sub-interface responsible for the red VLAN.
Then, according to the routing table inside the router, determine where to relay.
Since the target network 192.168.2.0/24 is a blue VLAN, and the network is directly connected to the router through a sub-interface, it only needs to be forwarded from the sub-interface responsible for the blue VLAN.
At this time, the destination MAC address of the data frame is rewritten as the destination address of computer C; and because it needs to be forwarded through the aggregation link, the identification information belonging to the blue VLAN is added. This is the data frame of ③ in the figure.
After the switch receives the data frame of ③, it retrieves the entry belonging to the blue VLAN from the MAC address list according to the VLAN identification information.
Since the communication target—computer C is connected to port 3, and port 3 is an ordinary access link, the switch will forward the data frame to port 3 after removing the VLAN identification information (data frame ④), and finally computer C can successfully receive to this dataframe.
When communicating between VLANs, even if both communication parties are connected to the same switch, they must go through the process of "sender—switch—router—switch—receiver".
07 Layer 3 switch
01Problems when using a router for inter-VLAN routing
Now, we know that as long as inter-VLAN routing can be provided, computers belonging to different VLANs can communicate with each other.
However, if a router is used for inter-VLAN routing, as the traffic between VLANs continues to increase, the router may become the bottleneck of the entire network.
The switch uses a dedicated hardware chip called ASIC (Application Specified Integrated Circuit) to process the switching operation of the data frame, and can realize the switching at the cable speed (Wired Speed) on many models.
The router is basically based on software processing.
Even if a packet is received at cable speed, it cannot be forwarded at unlimited speed, thus becoming a speed bottleneck.
As far as inter-VLAN routing is concerned, traffic will be concentrated on the aggregation link connecting routers and switches, and this part is especially likely to become a speed bottleneck.
And from the hardware point of view, due to the need to set up routers and switches separately, in some environments with small spaces, even the location of the settings may become a problem.
02 Layer 3 Switch
In order to solve the above problems, the three-layer switch came into being. A Layer 3 switch is essentially a "(Layer 2) switch with routing function".
Routing belongs to the function of the third layer network layer in the OSI reference model, so the switch with the third layer routing function is called "three-layer switch".
For the internal structure of the three-layer switch, you can refer to the following diagram.
In one body, a switch module and a router module are respectively set; and the built-in routing module is the same as the switching module, using ASIC hardware to process routing.
Therefore, high-speed routing can be achieved compared with conventional routers. Moreover, the routing and switching modules are aggregated and linked, and because they are internally connected, considerable bandwidth can be ensured.
1. Use Layer 3 switches for inter-VLAN routing (intra-VLAN communication)
How does the data spread inside the Layer 3 switch? Basically, it is the same as when connecting routers and switches using trunk links.
Assume that there are 4 computers interconnected with a Layer 3 switch as shown in the figure below. When using a router to connect, it is generally necessary to set sub-interfaces corresponding to each VLAN on the LAN interface; while a Layer 3 switch generates a "VLAN Interface" (VLAN Interface) internally.
The VLAN interface is an interface for sending and receiving data in each VLAN. (Note: On Cisco's Catalyst series switches, VLAN Interface is called SVI - Switched Virtual Interface)
In contrast to using a router for inter-VLAN routing, let's also consider the situation when computer A communicates with computer B.
First, the data frame with the destination address B is sent to the switch; by retrieving the MAC address list of the same VLAN, it is found that computer B is connected to port 2 of the switch; therefore, the data frame is forwarded to port 2.
2. Use a Layer 3 switch for inter-VLAN routing (inter-VLAN communication)
Next, imagine the situation when computer A communicates with computer C. For the target IP address, computer A can determine that the communication object does not belong to the same network, so it sends data to the default gateway (Frame 1).
After retrieving the MAC address list, the switch forwards the data frame to the routing module via the internal aggregation link. When passing through the internal aggregation link, the data frame is appended with VLAN identification information belonging to the red VLAN (Frame 2).
When the routing module receives a data frame, it first distinguishes that it belongs to the red VLAN by the VLAN identification information attached to the data frame, and judges that the red VLAN interface is responsible for receiving and routing processing.
Because the target network 192.168.2.0/24 is a network directly connected to the router and corresponds to the blue VLAN; therefore, it will be forwarded from the blue VLAN interface back to the switch module through the internal aggregation link. When passing through the aggregation link, this time the data frame is attached with identification information belonging to the blue VLAN (Frame 3).
When the switch receives this frame, it retrieves the list of MAC addresses for the blue VLAN, confirming that it needs to forward it to port 3.
Since port 3 is a common access link, the VLAN identification information will be removed before forwarding (Frame 4). Finally, computer C successfully receives the data frame forwarded by the switch.
The overall process is very similar to the situation when using an external router - all need to go through "sender→switch module→routing module→switch module→receiver".
08 Means to speed up communication between VLANs
01 Flow (Flow)
According to the study so far, we already know that inter-VLAN routing must pass through an external router or a built-in routing module of a Layer 3 switch.
However, sometimes not all data needs to go through the router (or routing module).
For example, when using FTP (File Transfer Protocol) to transfer a large file with a capacity of several MB or more, due to the limitation of the MTU, the IP protocol will divide the data into small pieces and transmit them, and then reassemble them at the receiver.
The "sent destination" of these divided data is exactly the same. The sending destination is the same, which means the same destination IP address and destination port number (note: it is especially emphasized that this refers to the TCP/UDP port).
Naturally, the source IP address and source port number should also be the same. Such a series of data flow is called "flow" (Flow).
As long as the initial data of a flow is routed correctly, subsequent data should be routed in the same way.
Accordingly, subsequent data does not need to be routed by the router; by omitting repeated routing operations, the speed of inter-VLAN routing can be further improved.
02 Mechanism to speed up inter-VLAN routing
Next, let's consider specifically how to use Layer 3 switches for high-speed inter-VLAN routing.
First, the first piece of data of the entire flow is forwarded by the switch as usual → routed by the router → forwarded by the switch again to the port connected to the target.
At this time, record the result of the first piece of data routing into the cache and save it. The information that needs to be recorded is:
(1) Target IP address
(2) Source IP address
(3) Target TCP/UDP port number
(4) Source TCP/UDP port number
(5) Receive port number (switch)
(6) Forwarding port number (switch)
(7) Forwarding target MAC address
etc.
After the data of the second block or later of the same flow arrives at the switch, it can be forwarded to the target port after the "forwarding port number" is found out by querying the information previously stored in the cache.
In this way, there is no need to relay through the internal routing module again and again, and only the buffer information inside the switch is enough to determine the port that should be forwarded.
At this time, the switch will perform similar processing on the data frame when it is relayed by the router, such as rewriting the MAC address, the TTL and Check Sum check code information in the IP header, and so on.
By caching the routing results on the switch, the data transmitted by the sender can be received at the cable speed (Wired Speed), and the data can be routed and forwarded to the receiver at full speed.
It should be noted that similar methods of accelerating inter-VLAN routing are mostly realized by the unique technology of each manufacturer, and the name of this function varies from manufacturer to manufacturer.
For example, on Cisco's Catalyst series switches, this function is called "Multi Layer Switching". In addition, in addition to the internal routing modules of Layer 3 switches, some models of external routers also support similar high-speed inter-VLAN routing mechanisms.
09 The significance of traditional routers
01 The necessity of a router
The price of Layer 3 switches was very expensive at the beginning, but now their prices have dropped a lot.
At present, the price of some cheap foreign models is only more than 10,000 yuan after being converted into RMB, and it is still falling.
Since Layer 3 switches can provide higher-speed routing processing than traditional routers, is it necessary to use routers in the network?
The answer is: "yes".
The necessity of using a router is mainly manifested in the following aspects:
1. Used to connect with WAN
A Layer 3 switch is a "switch" after all. In other words, most models are only equipped with LAN (Ethernet) interface.
There are also serial or ATM interfaces for connecting to WAN on a few high-end switches, but in most cases, a router is still required to connect to WAN.
2. Ensure network security
On Layer 3 switches, a certain degree of network security can also be ensured through packet filtering. But using various network security functions provided by routers, users can build a more secure and reliable network.
Among the network security functions provided by the router, in addition to the most basic data packet filtering function, it can also build a VPN (Virtual Private Network) based on IPSec, use RADIUS for user authentication, and so on.
3. Support heterogeneous network architectures other than TCP/IP
Although TCP/IP has become the mainstream of the current network protocol architecture, there are still many networks using network protocols such as IPX/SPX under Novell Netware or AppleTalk under Macintosh.
Among the three-layer switches, except for some high-end models, basically only support TCP/IP. Therefore, in the environment where other network protocols other than TCP/IP need to be used, routers are still essential.
Note: On a small number of high-end switches, the functions of the above routers can also be supported. For example, Cisco's Catalyst 6500 series can choose an interface module connected to WAN; there is also an optional module for implementing VPN based on IPSec; and it can also support other network protocols other than TCP/IP.
02 An example of routers and switches cooperating to build a LAN
Let's take a look at an example where a router and a switch are used together to build a LAN.
Use the Layer 2 switches configured on each floor to define VLANs and connect TCP/IP client computers.
The inter-VLAN communication between the floors is realized by using the high-speed routing of the three-layer switch.
If the network environment requires high reliability, redundant configuration of Layer 3 switches can also be considered.
The connection to the WAN is made via a router with various network interfaces. Moreover, network security is realized through functions such as data packet filtering and VPN of the router.
In addition, the use of routers can also support networks other than TCP/IP such as Novell Netware.
Only on the basis of fully mastering Layer 2 and Layer 3 switches and traditional routers can we achieve the best of both worlds and build a network with high efficiency and high cost performance.
10 Using VLAN to design local area network
01Characteristics of using VLAN to design LAN
By using VLAN to build a local area network, users can freely divide broadcast domains without being restricted by physical links.
In addition, through the routing between VLANs provided by the aforementioned routers and Layer 3 switches, it can adapt to flexible and changeable network configurations.
However, since the use of VLANs tends to complicate the network configuration, it also makes it difficult to grasp the composition of the entire network.
It can be said that when using VLAN, in addition to the advantage of "flexible and changeable network configuration", it also has the disadvantage of "complex network configuration".
Next, let us look at specific examples.
02Change of network configuration in LAN without VLAN
Assume that there is a network "built without VLAN" consisting of one router and two switches as shown in the figure.
The router in the picture has 2 LAN interfaces. The network on the left is 192.168.1.0/24 and the network on the right is 192.168.2.0/24.
Now if you want to transfer computer A on the 192.168.1.0/24 network to 192.168.2.0/24, you need to change the physical connection and connect A to the switch on the right.
Moreover, when it is necessary to add a new network with an address of 192.168.3.0/24, another LAN interface must be occupied on the router and a switch must be added.
And because this router only has 2 LAN interfaces, it is necessary to upgrade the router to a product with more than 3 LAN interfaces in order to add a new network.
03Change of network configuration in LAN using VLAN
Next, assume that there is a local area network "using VLAN" composed of 1 router and 2 switches.
Switches and switches, switches and routers are aggregation links; and assume that 192.168.1.0/24 corresponds to the red VLAN, and 192.168.2.0/24 corresponds to the blue VLAN.
When it is necessary to transfer computer A connected to the network segment 192.168.1.0/24 on switch 1 to 192.168.2.0/24, there is no need to change the physical wiring.
Just generate a blue VLAN on the switch, and then add port 1 connected to computer A to the blue VLAN to make it an access link.
Then, set computer A's IP address, default gateway and other information as needed.
If the settings related to the IP address are obtained by DHCP, the client can move between different network segments without any modification of the settings.
After using VLAN, we can freely design the logic of the network without changing any physical wiring. If the working environment needs to change the network layout frequently, the advantage of using VLAN is very obvious.
Moreover, when it is necessary to add a network segment with an address of 192.168.3.0/24, it is only necessary to create a new VLAN corresponding to 192.168.3.0/24 on the switch, and add the required ports to its access link. up.
If an external router needs to be used in the network environment, all operations can be completed by adding a new sub-interface setting on the aggregation port of the router without consuming more physical interfaces (LAN interfaces).
If you want to use the routing module inside the Layer 3 switch, you only need to set up a new VLAN interface.
The growth of the network environment is often unpredictable, and it is likely that there will often be a need to divide the existing network or add a new network. After making full use of VLAN, these problems can be easily solved.
04Complicated network structure caused by the use of VLAN
Although the use of VLAN can flexibly build a network, but at the same time, it also brings the problem of complex network structure.
Especially due to the criss-crossing of data streams, once a fault occurs, it will be difficult to accurately locate and troubleshoot it.
In order to understand the complexity of data flow, assume that there is a network as shown in the figure below. When computer A sends data to computer C, the overall direction of the data flow is as follows:
Computer A→Switch 1→Router→Switch 1→Switch 2→Computer C
First, computer A sends data to switch 1 (①), and then the data is forwarded to router (②) for inter-VLAN routing.
The routed data returns to switch 1 from the aggregation link (③).
Since the communication target computer C is not directly connected to switch 1, it also needs to be forwarded to switch 2 through the aggregation link (④).
On switch 2, the data is finally forwarded to port 2 connected to C, and this completes the whole process (⑤).
In this example, the network consists of only two switches, and its data flow is already so complicated. If a VLAN spanning multiple switches is constructed, the flow direction of each data flow will obviously be more difficult to grasp.
05Logical structure and physical structure of the network
In order to cope with the increasingly complex data flow, the administrator needs to start from the two aspects of "logical structure" and "physical structure" to grasp the current status of the network.
The physical structure refers to the current status of the network observed from the physical layer and the data link layer, indicating the physical wiring form of the network and VLAN settings, etc.
The logical structure refers to the network structure observed from the layer above the network layer. Let's try to analyze the logical structure of an IP network centered on routers.
Still the previous example, the "physical structure" that depicts the wiring configuration and VLAN settings is shown in the figure below.
After analyzing the physical structure and converting it into a router-centered logical structure, the following logical structure diagram will be obtained.
When we need to set routing or data packet filtering, it must be done on the basis of logical structure.
It is very important to grasp the difference between these two network structure diagrams, especially in modern enterprise-class networks where VLANs and Layer 3 switches are prevalent.
Finishing: Lao Yang 丨 10-year senior network engineer, more network workers to improve dry goods, please pay attention to the official account: Network Engineer Club