Cisco switch VLAN configuration tips

Source: Internet
Author: User

The IEEE 802.1Q technical standard for VLANs was formally issued by the IEEE in June 1999, and the earliest VLAN technology was proposed by Cisco in 1996. Over the past few years VLAN technology has been widely adopted in enterprise networks large and small, and it is now the most popular Ethernet LAN technology. This article introduces VLANs, one of the most common applications of switch technology, and uses the VLAN configuration of a small LAN as an example to briefly explain how they are configured.

I. VLAN basics

VLAN stands for virtual local area network (virtual LAN); it is not the same thing as a VPN (virtual private network). A VLAN is a data-switching technology that divides LAN devices into network segments logically (note: not physically), thereby creating virtual workgroups. The technology is used mainly in switches and routers, with switches being the mainstream application. Not every switch has this feature, however: only switches at layer 3 or above that support the VLAN protocol have it. Check the documentation of the switch in question to find out.

In 1999 the IEEE issued the draft 802.1Q protocol standard to standardize VLAN implementations. VLAN technology lets administrators logically divide the users of one physical LAN into different broadcast domains according to actual application needs. Each VLAN contains a group of workstations with the same needs and has the same attributes as a physical LAN. Because the division is logical rather than physical, the workstations in one VLAN are not confined to the same physical area; they can sit on different physical LAN segments. Broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which helps to control traffic, reduce equipment investment, simplify network management and improve network security.

The development of switching technology has also accelerated the adoption of VLANs. Dividing an enterprise network into VLAN segments strengthens network management and network security and limits unnecessary broadcast traffic. In a shared network, a physical network segment is a broadcast domain. In a switched network, a broadcast domain can be a virtual network segment made up of an arbitrarily chosen set of layer 2 network addresses (MAC addresses). Workgroups can therefore be defined without the geographical limits of a shared network and divided purely by management function. Grouping by workflow in this way greatly improves network planning and reorganization.

Workstations in the same VLAN communicate as if they were on one separate switch, regardless of which switch they are actually connected to. Broadcasts in a VLAN are heard only by members of that VLAN and are not passed to other VLANs, which is a good way to keep unwanted broadcast storms under control. At the same time, different VLANs cannot communicate with each other without routing, which increases security between the departments of an enterprise network. Network administrators can manage the exchange of information between management units across the enterprise by configuring routing between VLANs. The switch assigns the VLAN according to the MAC address of the user's workstation, so users can move around the corporate network freely: wherever a user connects to the switched network, he can still communicate freely with the other users in his VLAN.

A VLAN network can mix devices of different network types, such as 10M Ethernet, 100M Ethernet, Token Ring, FDDI and CDDI, and its members can be workstations, servers, hubs, network uplink backbones and so on.

Besides dividing the network into multiple broadcast domains, which effectively controls broadcast storms and makes the network topology very flexible, VLANs are also used to control mutual access between different departments and different sites in the network. VLAN is a protocol that addresses the broadcast and security problems of Ethernet: it adds a VLAN header to the Ethernet frame, uses the VLAN ID to divide users into smaller workgroups, and restricts exchanges between different workgroups, each of which is a virtual LAN. The advantages of a virtual LAN are that it limits the scope of broadcasts, allows virtual workgroups to be formed, and lets the network be managed dynamically.

II. VLAN partitioning methods

The ways of implementing VLANs on a switch can be roughly divided into six categories:

1. Port-based VLANs

This is the most commonly used, most widely applied and most effective way of dividing VLANs, and most current switches that support the VLAN protocol offer it. VLANs are defined by the switch ports of the Ethernet switch: the physical ports on the VLAN switch and the PVC (permanent virtual circuit) ports inside it are divided into groups, and each group forms a virtual network that is equivalent to a separate VLAN switch.

When different departments need to reach each other, traffic can be forwarded through a router and combined with port filtering based on MAC addresses. On the access path to a site, configure the set of permitted MAC addresses on the corresponding port of the switch, routing switch or router closest to that site. This prevents an intruder from using an internal IP address he has stolen to break in from another access point.

The advantage of this method is that defining VLAN members is very simple: every port only has to be assigned to the corresponding VLAN group. It suits networks of any size. Its disadvantage is that when a user leaves the original port and moves to a port on a new switch, the port must be redefined.

2. MAC-address-based VLANs

This method divides VLANs by the MAC address of each host: every host, identified by its MAC address, is configured with the group it belongs to. It works because each network card has a unique MAC address, and the VLAN switch keeps track of which MAC addresses belong to which VLAN. With this kind of VLAN, network users automatically keep their VLAN membership when they move from one physical location to another.

The greatest advantage of this method is that when a user's physical location changes, that is, when the user moves from one switch to another, the VLAN does not have to be reconfigured, because membership is tied to the user rather than to the switch port. The disadvantage is that every user must be configured at initialization; with hundreds or even thousands of users this is very laborious, so the method is usually suited to small LANs. It also reduces the efficiency of the switch, because each switch port may carry members of many VLAN groups and hold a large number of users' MAC addresses, which makes lookups quite difficult. In addition, users of laptops may change their network cards often, so the VLAN has to be reconfigured frequently.

3. VLANs based on network-layer protocol

VLANs divided by network-layer protocol can be split into IP, IPX, DECnet, AppleTalk, Banyan and other VLAN networks. A VLAN defined by network-layer protocol lets a broadcast domain span multiple VLAN switches. This is very attractive to network administrators who want to organize users around specific applications and services. Users can also move freely within the network while their VLAN membership stays unchanged.

The advantages of this method are that the VLAN does not have to be reconfigured when a user's physical location changes, that VLANs can be divided by protocol type, which matters to network administrators, and that no additional frame tag is needed to identify the VLAN, which reduces traffic on the network. The disadvantage is that it is inefficient, because checking the network-layer address of every packet consumes processing time (compared with the previous two methods). Ordinary switch chips can automatically inspect the Ethernet frame header of a packet, but having the chip inspect the IP header requires more advanced technology and takes more time. This, of course, depends on how each vendor implements it.
