Routers already isolate broadcasts, so why do we still need VLANs?

Routers can isolate broadcasts, so what is the point of VLANs? Is it redundant to configure VLANs and split the network into different segments?

What the asker really means is: can we do without VLANs altogether?

Sure, it is possible, but then every host behind the same layer-3 (routed) interface of the router receives every broadcast packet sent in that segment.

If the router isolates broadcasts, why do hosts behind the same layer-3 (routed) interface still receive all of each other's broadcast packets?

Because the smallest unit at which a router isolates broadcasts is a layer-3 interface. In other words, broadcast packets arriving on interface 1 are never forwarded out interface 2, and broadcast packets arriving on interface 2 are never forwarded out interface 1.

However, the router has no control over how those broadcast packets spread before they reach interface 1. Without the logical isolation that VLANs provide, the whole area hanging off interface 1 is a single broadcast domain, and broadcast frames spread freely within it. All that router interface 1 does is stop the broadcasts of this domain from leaking into other layer-3 interfaces/broadcast domains, such as interface 2, and nothing more.

The main benefit of broadcasts is that protocols such as DHCP, ARP and NetBIOS rely on them to let hosts find each other. The side effects are that broadcasts consume network bandwidth and CPU time on every receiving host, because a host must accept every broadcast frame and hand it to the CPU for processing whether it is interested or not. Once a broadcast domain contains too many hosts, the volume of broadcast traffic rises sharply and affects every host in the domain.

Without VLANs, the physical area behind each router interface is one broadcast domain. To limit the size of a broadcast domain (the number of hosts in it) for a given number of hosts, you would have to add more physical layer-3 interfaces to the router. That means the router's physical interface count grows in proportion to the number of hosts, which is obviously not a good option.

With VLANs, the broadcasts of different broadcast domains/network segments/VLANs are already isolated from each other before they reach the router's layer-3 interface. With VLANs doing the heavy lifting of broadcast isolation, the remaining job of the router's layer-3 interface is very simple: route IP packets between network segments so that hosts on different segments can communicate.

However, the discussion so far used the router's physical (PHY) layer-3 routed interfaces, and the most awkward property of such an interface is:

The areas behind different layer-3 physical interfaces must belong to different VLANs.

For example, if interface 1 carries VLANs 10, 20 and 30, then the VLANs behind interface 2 cannot be 10, 20 or 30; you have to pick something else. Is that convenient?

Of course not. Imagine a company whose HR employees on the 10th floor are in VLAN 10 behind router interface 1. There are more HR employees on the 12th floor who also want to be in VLAN 10, so that everyone works in the same broadcast domain/network segment. But the 12th floor is connected to interface 2 of the router, so obviously it cannot share the 10th floor's broadcast domain/network segment.

The solution?

  • A layer-3 switch with a VLAN-based layer-3 routed interface per VLAN
  • A router with a VLAN-based layer-3 routed sub-interface per VLAN
  • A firewall with a VLAN-based layer-3 routed sub-interface per VLAN

All three solutions work. Organizations without strict security requirements generally use solutions 1 and 2. Those with strict network security requirements use solution 3, that is, traffic arriving from the access layer is subjected to the firewall's security filtering: only when the security policy permits it is the IP packet routed and forwarded; otherwise it is dropped.

All three solutions rely on the strong layer-2 isolation of VLANs, so that traffic between different VLANs/network segments/broadcast domains, broadcasts included, never interferes.

Whenever hosts need to communicate across network segments, one of the three devices above has to step in. That is not hard either, because each of them has its own layer-3 routed interface in every VLAN and can act as the layer-3 gateway. These routed interfaces are implemented in software, so you can have as many as you like, the only upper bound being the 4096 available VLAN IDs.
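As an added example that is not part of the original post, the floor-10/floor-12 HR scenario modelled in Python: a minimal 802.1Q tagger (where the 12-bit VID is what limits you to 4096 IDs) plus a broadcast-flooding model of two VLAN-aware switches joined by a trunk. The topology, port names and ARP payload are constructed, and MAC learning is left out because only broadcasts are simulated.

```python
# Added example, not from the original post: a minimal 802.1Q tagger plus a broadcast-flooding
# model of two VLAN-aware switches joined by a trunk (constructed topology, no MAC learning).
import struct

TPID_8021Q = 0x8100       # EtherType value that marks an 802.1Q-tagged frame
BROADCAST = b"\xff" * 6   # all-ones destination MAC

def tag_frame(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses; the VID field is 12 bits, hence at most 4096 IDs."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id, frame with the tag removed); vlan_id is None for an untagged frame."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF   # low 12 bits of the TCI
    return vid, frame[:12] + frame[16:]

class Switch:
    """access: port -> VLAN of the attached host; trunks: port -> (peer switch, peer port)."""
    def __init__(self, name: str, access: dict):
        self.name, self.access, self.trunks = name, access, {}

    def flood(self, ingress: str, vid: int, frame: bytes, seen: set) -> dict:
        """Deliver a broadcast to every port in VLAN vid; returns {"switch:port": bytes delivered}."""
        out = {}
        for port, pvid in self.access.items():         # access ports: same VLAN only, untagged
            if port != ingress and pvid == vid:
                out[f"{self.name}:{port}"] = frame
        for port, (peer, peer_port) in self.trunks.items():   # trunk: frame crosses tagged
            if port != ingress and peer.name not in seen:
                seen.add(peer.name)                     # loop guard for the walk
                peer_vid, untagged = untag_frame(tag_frame(frame, vid))
                out.update(peer.flood(peer_port, peer_vid, untagged, seen))
        return out

def connect_trunk(a: Switch, a_port: str, b: Switch, b_port: str) -> None:
    a.trunks[a_port], b.trunks[b_port] = (b, b_port), (a, a_port)

def broadcast_receivers(switch: Switch, port: str) -> set:
    """Ports that hear a broadcast (e.g. an ARP request) from the host on this access port."""
    arp = BROADCAST + b"\x02" * 6 + struct.pack("!H", 0x0806) + b"who-has?"   # constructed
    return set(switch.flood(port, switch.access[port], arp, {switch.name}))

# Constructed topology: HR is VLAN 10 on both floors, finance is VLAN 20, one trunk joins the floors.
floor10 = Switch("floor10", {"p1": 10, "p2": 10, "p3": 20})
floor12 = Switch("floor12", {"p1": 10, "p2": 20})
connect_trunk(floor10, "t1", floor12, "t1")
```

An HR broadcast from floor 10 reaches the HR port on floor 12 over the trunk but never the finance ports, which is exactly the isolation that lets a single layer-3 gateway per VLAN replace one physical router interface per floor.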

Although the number of layer-3 routed interfaces/sub-interfaces on these three device types is ultimately bounded by their routing and forwarding capacity, supporting dozens of routed interfaces is usually no problem, which is more than enough for the vast majority of companies. Large organizations can simply move up to a bigger firewall model and add two redundant devices.

Author | Che Xiaopang talks about the Internet | public account

Source: blog.csdn.net/zhynet000001/article/details/131791302