It refers to the so-called VLAN constituent nodes according to need in different physical locations of different logical subnet, i.e., a VLAN is a logical broadcast domain, it can cover a plurality of network devices. VLAN allows network users in different geographical locations is added to a logical subnet share a broadcast domain. By creating VLAN can be controlled to produce broadcast storms, thereby improving overall performance and security switched network. Same VLAN ports can accept broadcast packets in the VLAN, the VLAN ports other than the receiving.
VLAN (Virtual Local Area Network) is a logical segment of the network layer of the second user is connected to the switch port, the physical location of the user from the network segment network restrictions according to user needs. A VLAN can be implemented in a switch or across switches. The network may VLAN the user's location, role, department or be grouped according to the application and protocols used by network users. We can resolve the conflict domain, broadcast domain, bandwidth issues for the LAN-based virtual local area network switch.
Ethernet and switched Ethernet traditional shared media, all users in the same broadcast domain, it will cause a decline in network performance, wasting valuable bandwidth; and broadcast storm control and network security only in the first to achieve the three-tier router.
VLAN corresponding to the OSI reference model the second layer broadcast domain, broadcast storm can be controlled in an internal VLAN, VLAN after the division, due to the reduction of the broadcast domain, the network bandwidth consumed broadcast packets proportion greatly reduced network performance has been significantly improved. Data transfer between different VLAN routing is achieved third layer (network layer) by, so using VLAN technology, the switching device in conjunction with a data link layer and network layer secure and reliable network can be built. Network administrator to control user access to network resources via the network control switch each port, VLAN, and while switching the third layer a fourth layer is used in combination to provide better Anquancuoshi network. With increasingly sophisticated, more and more VLAN technology applications in switched Ethernet VLAN technology, the method becomes flexible network segmentation and improve network security.
A, VLAN division mode:
VLAN division manner is important in the design and construction of VLAN, VLAN applications to achieve, we must first decide how to divide VLAN, that is, based on what criteria to organize VLAN membership. Here are five common ways of division, different ways of dividing the representative VLAN implementation type.
1, according to the port VLAN division
Certain switch port is defined as a single region, so as to form with a VLAN. The same VLAN computers belong to the same network segment, the need for communication between different VLAN router. The port-based VLAN advantage of the configuration is very convenient, as long as the associated switch is provided it is suitable for the network environment is fixed. The downside is less flexible when a computer needs to move from one port to another new port, and the new and the old port when the port does not belong to the same VLAN, port VLAN settings to be modified, or re-configuration on users' computers network address in order to join the new VLAN. Otherwise, this computer will not be able to network traffic.
Port-based division of way is the simplest and most commonly used. In this manner a physical segment, belonging to different points of a switch port VLAN, the network management software, according to a different port VLAN identifier assigned to the respective packets (VLAN) in. For example, a 1,2,6,7-port switch is defined as a VLAN A, 3,4,5 composed of the same switch port VLAN 8. This division allows communication between the ports, and allow the upgrade of shared networks. Unfortunately, this division model will be limited to the virtual network on a single switch.
The second generation of the VLAN technology allows multiple switches across a plurality of different division VLAN ports, several ports on different switches may be composed of the same VLAN. Each assigned to the same VLAN network all stations are in the same broadcast domain, can communicate directly; VLAN communication between different locations via a router or the switch three.
Switch port to divide VLAN, its configuration is simple. So far, this is still the most common way, but this approach does not allow multiple VLAN share a single physical network segment or switch port. If one user to move from one port VLAN to another VLAN where the port is located, the network administrator needs to be reconfigured, it is inconceivable that the network has a large number of mobile users is.
2, according to the MAC address of VLAN
Each card has a unique hardware physical address, the address is the MAC address, known as the "card number." Available "ipconfig / all" command in Windows to view this address.
MAC address is the physical address of each network card device connected in the network, the control by the IEEE, the world can not find two cards having the same MAC address. MAC address belongs to the data link layer, as a basis for dividing the VLAN, well independently of the applications on the network layer. VLAN is used in this way constitute a collection of MAC addresses, it solves the problem of mobile network processing site. For workstations connected to the switch port, the corresponding switch to check the MAC address in the VLAN management information base when initialization to dynamically match the port corresponding to the VLAN.
Divided by MAC address VLAN allow network users to move from one physical location to another physical location, and automatically retain its membership in the VLAN network segment. Meanwhile, in such a manner independent of the network layer protocols (e.g., TCP / IP, IP and IPX). In a sense, it defines MAC address based VLAN can be seen as a means of dividing the user's network.
One disadvantage of this method is that all users must be explicitly assigned to a VLAN. After this initial work is completed, the automatic tracking of the user becomes possible. In large networks with a large number of nodes, if the administrator set for each user are all classified into one VLAN, it is too difficult.
3, the network layer based VLAN assignment
May divide the VLAN based on the network layer, there are two options, one by protocol (if multi-protocol network) is divided, the other on a network layer address (the most common is the subnet address of the TCP / IP in ) to divide.
The establishment and management of VLAN routing can use the same strategy. According to IP subnets, IPX network number and other agreements divided VLAN. PCs are assigned the same protocol for a VLAN, Ethernet frame header field switch checks broadcast frame to view its protocol type, VLAN Ruoyi the agreement exists, the source added port, otherwise, create - a new VLAN. VLAN constructed in this manner, not only greatly reduce the workload of manual VLAN configuration, while ensuring the user is free to add, move and modify. Site may be on a different VLAN segments belong to the same VLAN, VLAN different sites may also be in the same physical segment.
VLAN definitions are disadvantages using the network layer. Compared with the form of the MAC address, network layer based VLAN address format you need to analyze a variety of protocols and the corresponding conversion. Thus, the use of network layer information to define the VLAN switch than using the data link layer accounting information disadvantage switch speed.
4, IP-based broadcasting group division
Any computer belonging to the same group of IP broadcast can be divided into the same VLAN. When the IP broadcast packet to the network, it is sent to a set of IP addresses where the trustee. This group is defined in the broadcast group is dynamically generated in operation of the network. Any workstation has the opportunity to become a member of a group of broadcast, as long as it recognizes the broadcast information broadcast group answered in the affirmative. All broadcast stations added to the same group are considered members of the same VLAN, and that their membership may retain a certain period of time based on actual demand. Therefore, the use of IP broadcast domain to divide the VLAN approach gives users great flexibility and scalability. In this way, the entire network through the router can easily expand the network size.
5, rule-based VLAN
Also known as policy-based VLAN. This is the most flexible VLAN classification method, having the ability to auto-configuration can be integrally connected to the associated user, referred to as "networks" logically divided. Network administrators can simply determine the division of VLAN rule (or attributes) in network management software, so when a site joins the network, it will be "aware", and is automatically included into the correct VLAN. Meanwhile, the mobile station may change and automatic identification and tracking.
In this way, the entire network through the router can easily expand the network size. Some products also support a host on the port belong to different VLAN, which is particularly important in the switch and shared Hub coexistence environment. Automatically configure a VLAN, the switch automatically check the software to enter the IP address of the source switch port broadcast information, and the software automatically maps the port assigned to an IP subnet into a VLAN.
Two, VLAN advantages
VLAN's advantage is mainly reflected in the following three aspects:
1, broadcast storm control
Network management must address the problems caused by a large number of broadcast information to bring bandwidth consumption. As a network segment VLAN technology, the broadcast storm may be limited to a VLAN inside, to avoid affecting the other network segments. Compared with the traditional local area network, VLAN can be more efficient use of bandwidth. In the VLAN, the network is logically divided into a broadcast domain, frames or packets of information transmitted by the VLAN membership sent between members of the VLAN, instead of sending all workstations to the Internet. This reduces backbone traffic, improve network speed.
2, to enhance network security
Broadcast on the shared LAN would have a security problem, because all users on the network can monitor the flow through the business, users simply insert either an active port can access the broadcast packets on a network segment. Using VLAN provides security, you can restrict access to specific users, control the size and position of the broadcast group, and even locked MAC address of the network members, so that limits the use of non-licensed users and network security members of the network.
3, enhance network management
Using VLAN technology, the use of VLAN management program centralized management of the entire network can be more easily manage the network. Users can quickly set up and adjust VLAN based on business needs. When the link is congested, the use of management programs to redistribute traffic. Management program also provides detailed reports on the volume of business, the broadcast behavior and the statistical properties of the working group and the like. For network administrators, all of which network configuration and management are transparent. When VLAN changes, users do not need to understand the network cabling conditions and protocols is how to re-set.
VLAN can reduce the overhead due to changes brought about by the network members. When you add, delete, and move members of the network, without re-wiring, without directly to members of the configuration. If using the traditional LAN technology, so when the network reaches a certain size, such costs often become a heavy burden on administrators.
Local area network by using VLAN technology division, in terms of security and stability have been greatly improved, providing a reliable guarantee for the development of various services, in short, the importance of VLAN technology in the company's network management can not be ignored .