A simple and easy-to-understand article on VLAN

Recently, a switch product in the company used VLAN-related things. It was hard to understand the things. I took some time to sort them out and showed them to the people who needed them, saving time.

Let's get down to the truth.

1. VLAN Origin

Traditional Ethernet is a broadcast network,NetworkAll Hosts in are connected through the hub or vswitch and are in the same broadcast domain. As the basic device for network connection, the hub and switch have certain limitations in the forwarding function:

A. The Hub is a physical layer device and has no switching function. The received packets are forwarded to all ports except the acceptor ports;

B. A switch is a data link layer device that can forward packets based on the destination MAC address. However, when receiving a broadcast message or an unknown unicast broadcast packet (the destination MAC address of the packet is not in the MAC address table of the switch) in addition to the receiving port. The above situation may cause the following network problems:

C. There may be a large number of broadcast and unknown single broadcast files in the network, which wastes network resources.

D. The host in the network receives a large number of packets not destined for itself, and the packets cannot be effectively monitored, resulting in serious security risks.

The fundamental solution to the above network problems is to isolate the broadcast domain. The traditional method is to use a router, because the router forwards packets based on the destination IP address and does not forward broadcast packets at the link layer. However, the cost of a router is high and the number of ports is small, so the network cannot be divided in detail. Therefore, the use of a router to isolate broadcast domains has great limitations.

2. What isVLAN

To solve these problems, VLAN technology emerged. The full name of a VLAN is virtual local area network. It is a technology that logically divides devices in a LAN into network segments rather than physically. In 1999, IEEE issued a draft 802.1Q protocol standard for VLAN standardization.

VLAN technology allows network administrators to logically divide a physical LAN into different broadcast domains (or virtual LAN (VLAN ), each VLAN contains a group of computer workstations with the same requirements and has the same properties as the physical LAN. In addition, this logical definition method can be extended to multiple switches. Because it is divided logically rather than physically, the workstations in the same VLAN do not need to be placed in the same physical space, even if these workstations do not necessarily belong to the same physical lan network segment. The broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which helps control traffic, reduce device investment, simplify network management, and improve network security.

3. Advantages of VLAN

When VLAN is used for LAN deployment, it can effectively avoid the determination of Traditional Ethernet, effectively control the range of broadcast domains, improve network security, and effectively manage network resources.

L control the range of broadcast domains:

By dividing VLANs, the LAN broadcast packets are limited to one VLAN, which saves network bandwidth resources and improves network processing capabilities. This avoids the impact of broadcast storms.

L enhanced LAN security:

Because packets are isolated by VLAN-based broadcast domains on the data link layer, hosts in each VLAN cannot communicate directly. Therefore, layer-3 packets must be forwarded through routers, layer-3 switches, and other network-layer devices. It is convenient for network administrators to define device access and monitor network devices effectively.

L convenient virtual workgroup Creation

You can use VLANs to create virtual workgroup across physical networks. When a user's physical location is moved within the virtual workgroup range, the network can be accessed without changing the network configuration. At the same time, it saves network construction costs.

4. VLAN type

VLAN Based on port Division
VLAN division based on network layer protocols

VLAN division based on IP Multicast

VLAN division based on MAC addresses

5. VLAN principles

To enable the switch to distinguish packets of different VLANs, you need to add VLAN identification fields in the packets. Because the switch works at the data link layer of the OSI model, it can only identify the data link layer encapsulation of packets. Therefore, the recognition field must be added to the data link layer encapsulation. In 1999, IEEE promulgated the IEEE 802.1Q protocol standard for standardized VLAN implementation, which provides unified provisions on the packet structure with VLAN tags.

TraditionalEthernetThe data frame encapsulates the type fields of the upper layer protocol after the destination MAC address and source MAC address. As shown in.

Da indicates the target MAC address, sa indicates the source MAC address, and type indicates the type field of the Upper-layer protocol.

The IEEE 802.1Q Protocol specifies that a four-byte VLAN tag is encapsulated after the destination MAC address and source MAC address to identify VLAN information.

As shown in, VLAN tags contain four fields: tpid (tagprotocol identifier, tag protocol identifier), priority, CFI (canonicalformat indicator, standard format indication bit), and vlan id. Vlanid ranges from 0 ~ 4095. Because 0 and 4095 are not usually used, the vlan id value range is generally 1 ~ 4094.

As shown in the figure below, the access port receives a data frame that does not contain VLAN tags. Once a frame enters the access port, a VLAN label is added to the frame.

When the frame is inside the switch, the VLAN label attached to the access port is attached. When the frame leaves the switch through the destination access port, the VLAN tag is removed. In this way, the transmission device and the receiving device do not know that the received frame has been added with VLAN tags.

Of course, the above is just the most common situation. In complex scenarios such as switch cascade, there are special instructions on how to handle the packet tag.

6. Differences between VLAN types and send and receive data

There are three types of Ethernet ports: Access, hybrid, and trunk. An access port can belong to only one VLAN and is generally used to connect to a computer. A trunk port can belong to multiple VLANs and receive and send packets from multiple VLANs, it is generally used for ports connected between vswitches. A hybrid port can belong to multiple VLANs and can receive and send packets from multiple VLANs. It can be used for connections between vswitches, it can also be used to connect to a user's computer. The difference between the hybrid port and the trunk port is that the hybrid port allows packets of multiple VLANs to be sent without tags, while the trunk port only allows packets of the default VLAN to be sent without tags. Let's look at these three types of things:

The trunk here is not a concept of port trunk, that is, port aggregation or link aggregation, but a concept that allows VLAN passthrough.

Reprinted from: http://blog.csdn.net/xuexingyang/article/details/6736154

For more information about VLANs, see:Introduction to 802.1qvlan principles.