SoFunction
Updated on 2025-04-13

Discussion on VLAN technology in switches and how to configure them

 

When it comes to VLANs, many people, including some network administrators, find them rather mysterious. In fact the VLAN standard, IEEE 802.1Q, was published by the IEEE in 1999, and the earliest VLAN technology was proposed by Cisco in 1996. In the years since, VLANs have gained broad vendor support and are used in enterprise networks of every size, making them the most widely deployed Ethernet LAN technology today. This article introduces one of the most common switch technologies, the VLAN, and walks through its configuration with a worked example for a small to medium-sized LAN.

1. VLAN basics

VLAN stands for Virtual Local Area Network; do not confuse it with a VPN (Virtual Private Network). A VLAN divides the devices on a LAN logically (not physically) into separate network segments, so that virtual workgroups can be formed. The technology is implemented in switches and routers, but it is in switches that it is mainly used. Not every switch supports it: VLANs are a Layer 2 (data-link) function, and it is managed switches implementing IEEE 802.1Q that provide it, while simple unmanaged switches do not. Check the documentation of the switch in question.

In 1999 the IEEE published the 802.1Q standard, which standardizes how VLANs are implemented. VLAN technology lets administrators logically divide the users of one physical LAN into different broadcast domains according to actual needs. Each VLAN contains a set of workstations with common requirements and behaves like a physically separate LAN. Because the division is logical rather than physical, the workstations in one VLAN need not be in the same physical area; they can sit on different physical LAN segments. It follows that broadcast, multicast and flooded unknown-unicast traffic, as well as known unicast traffic, stays within its VLAN and is not forwarded to other VLANs, which helps control traffic, reduce equipment investment, simplify network management and improve network security.

The development of switching technology has also accelerated the adoption of VLANs. Dividing an enterprise network into virtual VLAN segments strengthens network management and security and contains unnecessary broadcast traffic. In a shared (hub-based) network, a physical segment is a broadcast domain; in a switched network, a broadcast domain can be a virtual segment made up of any chosen set of Layer 2 (MAC) addresses. Workgroups can therefore be defined purely by management function, free of the geographic constraints of a shared network, and this workflow-based grouping greatly simplifies network planning and reorganization. Workstations in the same VLAN communicate as if they were on the same switch, regardless of which switch they are actually connected to. Only members of a VLAN receive broadcasts sent in that VLAN, and those broadcasts are not carried into other VLANs, which keeps unnecessary broadcast storms under control. At the same time, without routing, different VLANs cannot communicate with each other, which raises the security between departments in the enterprise network; the administrator controls information access between management units by configuring routing between VLANs. Where the switch assigns VLAN membership by the workstation's MAC address (see Section 2), users can roam the corporate network and, wherever they plug in, still communicate with the other members of their VLAN.

A VLAN can span mixed media and device types, such as 10 Mbit/s Ethernet, 100 Mbit/s Ethernet, Token Ring, FDDI and CDDI, and its members can be workstations, servers, hubs, uplink backbones and so on.

Besides dividing the network into multiple broadcast domains, which limits broadcast storms and makes the topology very flexible, VLANs can also be used to control access between different departments and sites in the network.

VLANs were introduced to address the broadcast and security problems of Ethernet. IEEE 802.1Q inserts a 4-byte VLAN tag into the Ethernet frame header; the 12-bit VLAN ID carried in the tag groups users into smaller working groups and restricts traffic between groups. Each working group is a virtual LAN. The advantage is that the broadcast range is limited and virtual workgroups can be formed and managed dynamically.
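As an added example (not part of the original article), the following Python code builds an Ethernet frame, inserts the 4-byte 802.1Q tag described above between the source MAC and the EtherType, parses it back out, and strips it again as an access port would on egress. The MAC addresses and payload are constructed for the example.

```python
"""Build, tag, parse and untag Ethernet frames carrying an IEEE 802.1Q VLAN tag."""
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier: this EtherType value marks a tagged frame


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) EtherType(2) payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst + src + struct.pack("!H", ethertype) + payload


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the tag after the source MAC. TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 1 <= vlan_id <= 4094:  # VID 0 means priority-tagged only, 4095 is reserved
        raise ValueError("VLAN ID must be in 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad priority code point or DEI")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse(frame: bytes) -> dict:
    """Return the header fields; vlan_id and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])  # the real EtherType follows the tag
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan_id": vlan_id, "pcp": pcp,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does on egress; untagged frames pass unchanged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


if __name__ == "__main__":
    # Constructed sample: an ARP request broadcast from a host in VLAN 3 (Fina), priority 5
    untagged = build_frame(bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455"), 0x0806, b"\x00\x01")
    tagged = add_tag(untagged, vlan_id=3, pcp=5)
    print(parse(tagged))
    print("round trip ok:", strip_tag(tagged) == untagged)
```

A switch that receives a frame on an access port treats it as belonging to that port's VLAN and ignores any tag a host may have added, which is why the tag only matters on trunk links between switches or to a router.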

2. VLAN division method

The implementation methods of VLANs on switches can be roughly divided into six categories:

1. VLAN based on port division

This is the most common, most widely used and most effective VLAN division method, and practically every VLAN-capable switch supports it. Membership is defined by the physical ports of the Ethernet switch: the ports are divided into groups, and each group forms a virtual network that behaves as if it were an independent switch.

When different departments need to reach each other, their traffic is forwarded through a router, and this can be combined with MAC-address-based port filtering: on the switch, routing switch or router along the access path to a site, configure the set of MAC addresses permitted on the corresponding port. This makes it harder for an intruder inside the network to borrow an internal IP address and gain access from another reachable point. (MAC addresses can themselves be spoofed, so treat this as a supplementary control rather than a strong one.)

The advantage of this method is that defining VLAN members is very simple: each port is assigned to its VLAN group, and it suits a network of any size. Its disadvantage is that if a user moves from the original port to a port on another switch, the membership must be redefined.
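The following Python model of a port-based VLAN switch is an added example, not code from the original article. It shows the behaviour the text describes: frames flooded from a port stay inside that port's VLAN, the MAC address table is kept per VLAN, so a host in VLAN 3 cannot reach a host it names in VLAN 2 without a router, and when a port is redefined into another VLAN the addresses learned on it are forgotten. The port numbers and MAC addresses are constructed for the example.

```python
"""Toy model of a port-based VLAN switch: flooding and MAC learning are scoped to one VLAN."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VlanSwitch:
    def __init__(self, port_vlan):
        # port -> VLAN: static membership, as set with "vlan-membership static"
        self.port_vlan = dict(port_vlan)
        # (vlan, mac) -> port: the forwarding table is keyed by VLAN, never shared across VLANs
        self.mac_table = {}

    def ports_in(self, vlan):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan)

    def receive(self, in_port, src, dst):
        """Return the egress ports for a frame that arrived on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port  # learn the source, in this VLAN only
        out = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or out is None:
            # broadcast or unknown destination: flood, but only to ports of the same VLAN
            return [p for p in self.ports_in(vlan) if p != in_port]
        return [] if out == in_port else [out]

    def reassign_port(self, port, vlan):
        """Redefine a port into another VLAN and forget the addresses learned on it."""
        self.port_vlan[port] = vlan
        self.mac_table = {k: p for k, p in self.mac_table.items() if p != port}


def demo():
    # Constructed layout in the spirit of the article: Prod on ports 2-4 (VLAN 2), Fina on 20-21 (VLAN 3)
    sw = VlanSwitch({2: 2, 3: 2, 4: 2, 20: 3, 21: 3})
    prod_pc, prod_srv, fina_pc = "00:00:00:00:00:aa", "00:00:00:00:00:bb", "00:00:00:00:00:cc"
    results = {
        "prod broadcast": sw.receive(2, prod_pc, BROADCAST),   # [3, 4]: never reaches ports 20, 21
        "prod unicast": sw.receive(3, prod_srv, prod_pc),      # [2]: learned in VLAN 2
        "fina to prod": sw.receive(20, fina_pc, prod_pc),      # [21]: VLAN 3 has no entry for the Prod PC
    }
    sw.reassign_port(3, 3)  # the server's port is redefined into Fina
    results["prod after move"] = sw.receive(2, prod_pc, prod_srv)   # [4]: the server is gone from VLAN 2
    results["fina after move"] = sw.receive(20, fina_pc, prod_srv)  # [3, 21]: flooded inside VLAN 3 only
    return results


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case:16s} -> {ports}")
```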

2. Dividing VLANs based on MAC address

This method assigns VLAN membership according to the MAC address of each host: each MAC address is configured as belonging to a particular group. It works because every network card has a unique MAC address, and the VLAN switch keeps track of which MAC addresses belong to which VLAN. A user who moves from one physical location to another automatically keeps membership in the same VLAN.

The biggest advantage of this method is that when a user physically moves, that is, changes from one switch to another, the VLAN does not need to be reconfigured, because membership is tied to the user rather than to a switch port. The disadvantage is that every user must be configured at the outset; with hundreds or thousands of users this is very tedious, so the method is usually applied to small LANs. It also reduces the switch's forwarding efficiency, since each switch port may carry members of many VLAN groups and the switch must store and look up many users' MAC addresses. Finally, laptop users may change network cards frequently, forcing the VLAN to be reconfigured often.

3. Dividing VLANs based on network layer protocol

Here VLANs are defined by network-layer protocol, giving for example IP, IPX, DECnet, AppleTalk and Banyan VINES VLANs. A VLAN formed this way lets a broadcast domain span several VLAN switches. This is attractive for administrators who want to organize users around specific applications and services, and users can move freely within the network while their VLAN membership stays unchanged.

The advantages are that a user's physical location can change without the VLAN being reconfigured, and that VLANs can be divided by protocol type, which matters to network managers. In addition, this method needs no extra frame tag to identify the VLAN, which saves bandwidth. The disadvantage is lower efficiency, because inspecting the network-layer address of every packet takes processing time (compared with the two previous methods). Switch chips readily examine Ethernet frame headers, but examining the IP header requires more sophisticated and slower hardware. This depends, of course, on each vendor's implementation.

4. Dividing VLANs according to IP multicast

Here an IP multicast group is treated as a VLAN. This extends VLANs to wide-area networks, giving greater flexibility and easy expansion through routers. It is mainly suited to forming a VLAN from users who are not in the same geographic area; it is not suitable within a single LAN, chiefly because it is inefficient.

5. Divide VLANs by policy

A policy-based VLAN can combine several assignment criteria, including switch ports, MAC addresses, IP addresses and network-layer protocols. Network managers choose the criteria according to their management model and the organization's needs.

6. Dividing VLANs by user definition and non-user authorization

Dividing VLANs by user definition and non-user authorization means that, to fit a special-purpose VLAN network, VLANs are defined and designed around the specific requirements of specific users. In addition, users who are not members of a VLAN group can access it, but must supply a password and are admitted to the VLAN only after being authenticated by the VLAN management system.

3. The superiority of VLAN

Any new technology that gains wide support and use must have some key advantages, and VLANs are no exception. Their advantages are mainly the following:

1. Increased flexibility in network connection

With VLAN technology, users in different locations and on different networks can be combined into one virtual network environment that is as convenient, flexible and effective as a local LAN. VLANs reduce the administrative cost of moving or relocating workstations; for companies whose business changes frequently, this part of the management cost falls sharply.

2. Control of broadcasting on the network

VLANs provide a mechanism, in effect a broadcast firewall, that stops broadcasts from flooding the whole switched network. With VLANs, a switch port or user is assigned to a specific VLAN group, which may span several switches in the switched network, and broadcasts in one VLAN are not sent outside it. Likewise, adjacent ports do not receive broadcasts generated in other VLANs. This reduces broadcast traffic and frees bandwidth for user applications.

3. Increased network security

Because each VLAN is a separate broadcast domain, VLANs are isolated from one another, which improves network efficiency and protects the security and confidentiality of the network. Confidential and critical data is often carried over the LAN and should be protected by access controls. An efficient and easy way to do this is to segment the network into several broadcast groups: the administrator limits the number of users in a VLAN and forbids access to the applications in a VLAN without permission. Switch ports can be grouped by application type and access privilege, and restricted applications and resources are generally placed in a secure VLAN.

IV. Configuration example of VLAN network

To give you a practical configuration example, the following introduces the most common method, dividing VLANs by port, using a typical small to medium-sized LAN.

A company has about 100 computers. The departments that mainly use the network are four: the production department (20 PCs), the finance department (15), the human resources department (8) and the information center (12), as shown in Figure 1.

The basic network structure is: three Catalyst 1900 managed switches (named Switch1, Switch2 and Switch3; each switch also has several hubs attached as needed, mainly for non-VLAN users such as administrative staff and temporary users) and one Cisco 2514 router, through which the whole network connects to the Internet.

The users are mainly distributed across four departments: production, finance, the information center and human resources. Each of the four is placed in its own VLAN, so that the network resources of each department cannot be accessed or tampered with by others.

To meet the security requirements of the company's network resources, especially for sensitive departments such as finance and human resources, whose information should not be freely reachable by everyone, the company uses VLANs to solve the problem. The main network is divided into four VLANs: production, finance, human resources and the information center, named Prod, Fina, Huma and Info respectively. The network segment, switch and port assignments of each VLAN group are given in Table 1.

[Note] VLAN numbering starts at 2 because every switch has a default VLAN, VLAN 1, to which all ports belong until they are assigned elsewhere.

The VLAN configuration itself is very simple and has only two steps: (1) create and name each VLAN group; (2) assign the corresponding switch ports to it.

The following is the specific configuration process:

Step 1: Set up HyperTerminal, connect to the console port of the 1900 switch and configure the switch's VLANs through it. Once the connection succeeds, the main configuration menu shown below appears (the switch's basic settings have already been configured):

    1 user(s) now active on Management Console.

User Interface Menu

[M] Menus

[K] Command Line

[I] IP Configuration

Enter Selection:

[Note] HyperTerminal is the "Hypertrm" program bundled with Windows. See the relevant documentation for details.

Step 2: Press "K" to select the "[K] Command Line" option in the main menu; the following command-line interface appears:

   CLI session with the switch is open.

To end the CLI session, enter [Exit].

>

We are now in the switch's user mode. As on a router, this mode can only display the current configuration, cannot change it, and offers very few commands, so we must go into privileged mode.

Step 3: At the ">" prompt, enter the privileged-mode command "enable" (that is, ">enable"); the prompt changes to "#". Then enter global configuration mode with "config t" (configure terminal):

   #config t

Enter configuration commands, one per line. End with CNTL/Z

(config)#

Step 4: For security and convenience, give the three Catalyst 1900 switches names and set the privileged-mode login password. Only Switch1 is shown here; the configuration is:

    (config)#hostname Switch1

Switch1(config)# enable password level 15 XXXXXX

Switch1(config)#

[Note] The privileged-mode password must be 4 to 8 characters. The password is typed and shown in plain text, so keep it confidential. The switch uses the level number to decide what the password protects. Level 1 protects entry to the command-line interface: once a level 1 password is set, you are asked for it the next time you connect to the switch and press K. Level 15 is the privileged-mode password requested after the "enable" command. Because "enable password" is stored in plain text in the configuration, prefer "enable secret" (stored as a hash) on switches whose software offers it, and keep console and Telnet access to the switch restricted.

Step 5: Create and name the VLANs. Because the four VLANs are hosted on different switches, each VLAN is created on the switch that hosts it with the command "vlan <vlan number> name <vlan name>". The code for configuring VLANs 2, 3, 4 and 5 on Switch1, Switch2 and Switch3 is:

    Switch1 (config)#vlan 2 name Prod

Switch2 (config)#vlan 3 name Fina

Switch3 (config)#vlan 4 name Huma

Switch3 (config)#vlan 5 name Info

[Note] The above follows Table 1. Note that Step 6 also places ports e0/20 and e0/21 of Switch1 in VLAN 3 (Fina), so VLAN 3 must also exist on Switch1, either defined there with "vlan 3 name Fina" or learned from Switch2 via VTP, and Switch1 and Switch2 must be connected by a trunk link that carries VLAN 3; otherwise those two ports form an isolated island of VLAN 3. The same applies to any VLAN that must reach the Cisco 2514 router for inter-VLAN routing or Internet access.

Step 6: Having created the VLAN groups on each switch, we now assign the switch ports listed in Table 1. The command that places a port in a VLAN is "vlan-membership static|dynamic <VLAN number>". One of "static" and "dynamic" must be chosen; "static" is the usual choice (dynamic membership is looked up by MAC address from a VMPS server). The port configuration is as follows:

(1). The VLAN port number of the switch named "Switch1" is configured as follows:

    Switch1(config)#int e0/2

Switch1(config-if)#vlan-membership static 2

Switch1(config-if)#int e0/3

Switch1(config-if)#vlan-membership static 2

Switch1(config-if)#int e0/4

Switch1(config-if)#vlan-membership static 2

……

Switch1(config-if)#int e0/20

Switch1(config-if)#vlan-membership static 3

Switch1(config-if)#int e0/21

Switch1(config-if)#vlan-membership static 3

Switch1(config-if)#

[Note] "int" is the abbreviation of "interface". "e0/2" is the abbreviation of "ethernet 0/2", that is, port 2 of module 0 of the switch.

(2). The VLAN port number of the switch named "Switch2" is configured as follows:

    Switch2(config)#int e0/2

Switch2(config-if)#vlan-membership static 3

Switch2(config-if)#int e0/3

Switch2(config-if)#vlan-membership static 3

Switch2(config-if)#int e0/4

Switch2(config-if)#vlan-membership static 3

……

Switch2(config-if)#int e0/15

Switch2(config-if)#vlan-membership static 3

Switch2(config-if)#int e0/16

Switch2(config-if)#vlan-membership static 3

Switch2(config-if)#

(3). The VLAN port assignments of the switch named "Switch3" are as follows (it carries two VLAN groups). First the configuration of VLAN 4 (Huma):

    Switch3(config)#int e0/2

Switch3(config-if)#vlan-membership static 4

Switch3(config-if)#int e0/3

Switch3(config-if)#vlan-membership static 4

Switch3(config-if)#int e0/4

Switch3(config-if)#vlan-membership static 4

……

Switch3(config-if)#int e0/8

Switch3(config-if)#vlan-membership static 4

Switch3(config-if)#int e0/9

Switch3(config-if)#vlan-membership static 4

Switch3(config-if)#

Below is the configuration for VLAN 5 (Info):

Switch3(config)#int e0/10

Switch3(config-if)#vlan-membership static 5

Switch3(config-if)#int e0/11

Switch3(config-if)#vlan-membership static 5

Switch3(config-if)#int e0/12

Switch3(config-if)#vlan-membership static 5

……

Switch3(config-if)#int e0/20

Switch3(config-if)#vlan-membership static 5

Switch3(config-if)#int e0/21

Switch3(config-if)#vlan-membership static 5

Switch3(config-if)#

All ports have now been assigned to their VLANs as required by Table 1. To verify the configuration, use "show vlan" in privileged mode to list the VLANs defined on the switch and "show vlan-membership" to list the VLAN of each port, and check both against Table 1. Also confirm that no department port has been left in the default VLAN 1 by mistake.
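As an added example (not from the original article), the following Python script generates the Catalyst 1900 commands of Steps 4 to 6 from a plan table and lints the plan before anything is typed into the switches. The plan layout and the port-range endpoints hidden behind "……" in the listings are assumptions. Run on the plan as the article gives it, it reports that Switch1 places ports e0/20 and e0/21 in VLAN 3 without VLAN 3 being defined on Switch1; defining VLAN 3 there clears the report (those two Fina ports still need a trunk link to Switch2 carrying VLAN 3 to reach the rest of the department).

```python
"""Generate Catalyst 1900-style port-based VLAN configuration from a plan table and lint it."""
import copy

# Plan constructed from the article's Steps 5 and 6. Port ranges are inclusive (first, last).
# ASSUMPTION: the range endpoints elided by "……" in the article are guessed here.
PLAN = {
    "Switch1": {"vlans": {2: "Prod"},            "ports": {(2, 19): 2, (20, 21): 3}},
    "Switch2": {"vlans": {3: "Fina"},            "ports": {(2, 16): 3}},
    "Switch3": {"vlans": {4: "Huma", 5: "Info"}, "ports": {(2, 9): 4, (10, 21): 5}},
}


def expand(port_ranges):
    """Yield (port, vlan) pairs from a {(first, last): vlan} mapping."""
    for (first, last), vlan in port_ranges.items():
        for port in range(first, last + 1):
            yield port, vlan


def lint(plan):
    """Return a list of problems that would show up once the plan is typed in."""
    problems = []
    for name, cfg in plan.items():
        seen = {}  # port -> vlan already assigned on this switch
        for port, vlan in expand(cfg["ports"]):
            if vlan == 1:
                problems.append(f"{name}: e0/{port} left in VLAN 1 (the default VLAN); use a dedicated VLAN")
            elif vlan not in cfg["vlans"]:
                problems.append(f"{name}: e0/{port} placed in VLAN {vlan}, but VLAN {vlan} is not defined on {name}")
            if port in seen:
                problems.append(f"{name}: e0/{port} assigned twice (VLAN {seen[port]} and VLAN {vlan})")
            seen[port] = vlan
    return problems


def render(name, cfg):
    """Produce the global-configuration commands for one switch in the 1900 syntax the article uses."""
    lines = [f"hostname {name}"]
    for vlan, vlan_name in sorted(cfg["vlans"].items()):
        lines.append(f"vlan {vlan} name {vlan_name}")
    for port, vlan in sorted(expand(cfg["ports"])):
        lines.append(f"interface ethernet 0/{port}")
        lines.append(f" vlan-membership static {vlan}")
    return lines


def define_vlan(plan, switch, vlan, vlan_name):
    """Return a copy of the plan in which the given switch also defines the VLAN locally."""
    fixed = copy.deepcopy(plan)
    fixed[switch]["vlans"][vlan] = vlan_name
    return fixed


if __name__ == "__main__":
    for problem in lint(PLAN):
        print("PROBLEM:", problem)
    fixed = define_vlan(PLAN, "Switch1", 3, "Fina")
    print("problems after defining VLAN 3 on Switch1:", lint(fixed))
    for name, cfg in fixed.items():
        print("\n".join(render(name, cfg)), end="\n\n")
```

The generated text is meant to be pasted line by line at the (config)# prompt of each switch; compare the result afterwards with "show vlan" and "show vlan-membership".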

This completes the VLAN configuration of the Cisco Catalyst 1900 switch. Other switches are configured in a broadly similar way; consult the documentation of the switch in question.

Article entry: csh     Editor in charge: csh