Preparing the environment: an installation GNS3-1.3.10, Wireshark, SecureCRT8.0 computer. And add a route map in GNS 3. (GNS3-1.3.10, Wireshark, SecureCRT8.0 installation and connection:
https://blog.51cto.com/14473285/2426223 ) (connected to the GNS. 3 Add the route map:
https://blog.51cto.com/14473285/2426262 )
A, VLAN principle
In traditional switched Ethernet, all users are in the same broadcast domain, when a large-scale network, the number of broadcast packets to increase dramatically in the broadcast domain, when the total number of broadcast packets take up to 30% the transmission rate of the network will be significantly decreased, so that our network access is delayed, and when a device malfunctions, it will stop sending broadcast to the network, thereby resulting in broadcast storms, so that the entire network environment paralysis. This time we're going to solve this problem by way of separate broadcast domain, so that our network environment has been improved.
The method of dividing the two broadcast domain:
1, physical separation, use can isolate broadcast routing devices to separate broadcast domains, the network is divided into several small networks, and then connected to different networks for communication through the routing, which is physically divided.
2, logical separation of the network logically divided into several small virtual network, this article is that we want the VLAN (virtual local area network).
Physical separation, there are many shortcomings, it would lack flexibility to configure our network, which is carried out by separate routing device connected on the same switching device users can be divided in the same network, can not be divided into more than one network, limited by the physical location of the user, while the equipment required is too high, not suitable for use.
Logical partition, i.e. VLAN, which is working in the OSI reference model data link layer, a VLAN switch setting is a network in which all users are in the same broadcast domain, each connected VLAN routing devices communicate via .
VLAN produced to our increased flexibility to configure the network, when we split the network no longer limited by the physical location of the user, VLAN can be implemented on a switch, the switch can be achieved across its foundation the user's location, role and departments were divided into network, to achieve separate broadcast domain. VLAN broadcast domains separated by using flexibility and scalability characteristics.
VLAN technology advantages:
1, controls the broadcast, by broadcast domain VLAN division, each ALAN is an independent broadcast domain, which reduces the broadcast network bandwidth and improve network transmission efficiency, and a broadcast storm does not affect the other VLAN to VLAN appears .
2, enhance network security, because the only exchange data between ports in the same VLAN, the port can not directly access between different VLAN, so you can restrict access to individual host server resources by dividing VLAN, improve network security .
3, simplifies network management for switched Ethernet, if the user from the new distribution network, we need to adjust the physical structure of the network, or even need to add a network device, this will increase our workload, and we take VLAN technology you can, through a sector function according to the VLAN, the user or group of users into different geographical locations a logical segment, the user can move between the user groups or subnet change in the network without a physical connection using VLAN greatly reducing the workload of our network management and maintenance of the network, but also reduces the cost of network maintenance.
Second, the static VLAN
Static VLAN is also known as port-based VLAN, VLAN is the most common implementation, is the most commonly used form of VLAN. Static VLAN is to clearly specify which belongs to VLAN switch port, which requires us to configure it manually, when the hosts connected to the switch port, is assigned to the corresponding VLAN, that port and VLAN assignment is only valid hosts, and this information can not be shared between switches. as the picture shows:
Third, the static VLAN configuration
1, the VLAN range
Cisco Catalyst 4096 switch device supports up to (0 ~ 4095) VLAN, the following chart shows the assignment of VLAN Catalyst switch:
From the table we can see that we can use the VLAN ID range 1,2-1001 and 1025-4094 are, we set the VLAN ID should be used only within this range, but we normally use VLAN ID in the range 2-1001, this range is generally enough for us to use. All Catalyst switches support VLAN, VLAN number of different models support different switches, to view specific switch models. In the not illustrated here.
2, the basic VLAN configuration
when static VLAN configuration on the switch, the following steps:
1), to create VLAN
2), added to the corresponding switch port VLAN.
3), to verify the configuration of the VLAN
Let's complete the configuration of a static VLAN by GNS 3 in experimental operation.
(1)、打开GNS 3配置交换机,首先在打开的GNS 3中添加路由设备,并更改路由设备配置,给路由设备添加交换机业务单板,设定交换机磁盘空间(如果没有磁盘空间是无法添加VLAN的,这里我设定的磁盘空间是128MiB,磁盘空间可以自己设置,真实交换机设备中自带磁盘空间),并更改路由图标、名称为交换机图标、名称(方便我们识别)如图:
点击关闭新建项目弹窗,开始使用GNS 3。
点击路由图标,将添加好的路由拖入拓扑操作区域。
右击拓扑区域路由图标,点击Configure,进行磁盘空间、交换机业务单板配置。
设置磁盘空间。
设置交换机业务单板,点击OK确认配置。
右击拓扑区域路由图标,点击Change symbol进入更改路由图标。
选择交换机图标,点击OK确认配更改。
右击拓扑区域路由图标,点击Change hostname进入更改路由名称。
更改路由名称为SW,点击OK,确认更改。
(2)、添加PC机并与交换机相连,这里我们添加三台PC机,方便我们划分VLAN,添加的PC1主机E0接口连接交换机F1/0接口,PC2主机E0接口连接交换机F1/1接口,PC3主机E0接口连接交换机F1/2接口,连接好后点击显示接口图标在拓扑操作区显示图标,如图:
点击设备图标,拖入拓扑操作区三台PC主机。
点击连接线图标,点击PC1主机,选择连接E0接口。
点击交换机图标,选择交换机接口F1/0接口连接。
PC2、PC3以PC1连接交换机方式分别连接交换机F1/1、F1/2接口。
三台PC连接好交换机后点击接口显示图标,显示接口。
(3)、通过GNS 3书写工具、标记划分工具在拓扑操作区标记出三台PC机VLAN区域、IP地址的设定,方便我们区分识别与配置,PC1设定VLAN 10区域,PC2、PC3设定VLAN 20区域,PC1设定IP地址192.168.10.10,PC2设定IP地址192.168.10.20,PC3设定IP地址192.168.10.30,如图:
在拓扑操作区做出标记,方便我们区分识别与配置。
(4)、配置好GNS 3后开启交换机与PC机,然后打开交换机与PC机进入配置交换机与PC机,给交换机配置两个VLAN、在VLAN中添加端口,给PC机配置IP地址,如图:
双击设备图标,打开交换机配置模式。
选择交换机,输入dir查询磁盘空间,会出现磁盘空间容量,如果没有磁盘空间容量就要输入erase flash:清除交换机硬盘。
输入erase flash:(注意冒号要自己输入)清除交换机硬盘,输入后点击两次回车,等待清楚,清除成功,清除成功后在查看磁盘空间,这时候就会显示磁盘空间容量,下面就可以配置VLSN。
清除成功后,收入configure terminal进入全局模式,进行交换机配置,在用户模式只能查看交换机信息,只能在全局模式或者接口模式才能对交换机进行配置,这里我们进入全局模式输入no ip routing关闭路由功能(因为我们是用路由设备该的交换设备,所以我们需要先关闭路由功能)。然后我们给PC端设置IP地址,来验证交换机是否可以正常使用。
配置PC1 IP地址。
配置PC2 IP地址。
配置PC3 IP地址。配置成功后,验证三台PC是否可以互通。
用ping验证PC1与PC2、PC3成功通信。
用ping验证PC2与PC3成功通讯,这样三台PC就正常通信,交换机环境搭建成功,下面我们来配置VLAN。
选择交换机设备,直接在全局模式输入VLAN 10创建VLAN,会直接进入VLAN,然后输入exit退出vlan,回到全局模式,输入do show vlan-switch brief查看vlan,就能看到我们设置的vlan 10,然后继续配置vlan 20 并给这个vlan 20设置一个名字caiwu。
全局模式输入vlan 20配置vlan,输入name caiwu给vlan 20添加caiwu名字,退出,查看vlan,下面就会出现成功配置的vlan。Vlan配置好后我们就要把接口添加进vlan。
输入infigface fastethernet1/0进入接口f1/0接口然后输入switchport mode access命令进入接入链路,继续输入switchport access vlan 10添加VLAN 10,exit退出,do show vlan-switch briet查看vlan,下面我们就能看到f1/0接口成功添加进vlan 10,f1/0接口连接的就是我们的PC1主机,这样我们的PC1主机就成功添加进vlan 10。下面就来把PC2、PC3主机添加进vlan 20。
Input interface range f1 / 1 -2 enters the collective mode (Note here that the f1 / 1 -2 -2 input space before identifying a continuous means, if said input -5 enters f1 / 1, f1 / 2, f1 / 3, f1 / 4, f1 / 5 collective mode), the input switchport mode access command to enter an access link, the input command switch access vlan 20 the interfaces f1 / 1, f1 / 2 add vlan 20, input do show vlan- switch brief (when we do join in front of the command, says the information can be viewed in full mode below, you can only do if you do not enter an input command in user mode and privileged mode, so here I enter and view commands in global mode interface mode front have added do), command to view vlan, we will be able to take a look at the following interfaces f1 / 1, f1 / 2 successfully added to vlan 20, f1 / 1 and f1 / 2 PC2 and PC3 is connected, so that we the success of the PC2 and PC3 join vlan 20. Here we have to verify success. 
Select PC1 equipment, verify PC1 and PC2 ping command, whether PC3 can communicate with us in this time of ping PC2, PC3 when the connection can not be found, and this proves that we successfully PC1 join vlan 10, use the vlan PC1 and PC2, PC3 separates, we have to test whether PC2 can communicate with PC3. 
Select the device PC2, PC3 with the ping command to verify communication with the normal, PC1 can not communicate with, which proves the success we PC2 and PC3 is divided into vlan 20 separates and PC1.
Through this experiment we have come through the division of VLAN configuration, three PC, in the same segment of the same switching equipment to achieve separate broadcast domain, in the same vlan devices can communicate normally, not in the same vlan device can not communicate. To separate broadcast domains by vlan technology, to avoid the consequences of the first broadcast too much bandwidth, also avoid broadcast storms, so that our network environment has been improved, also it reduces our workload, saving manpower and resources.