Concept of virtual LAN

Source: Internet
Author: User

Features of a virtual LAN:

Assume that switches 1 through 5 are layer-2 switches connected into a network with a large number of clients, and that computer A needs to communicate with computer B. In Ethernet communication the destination MAC address must be written into the data frame, so computer A must first broadcast an ARP request to learn the MAC address of computer B. When switch 1 receives the broadcast frame (the ARP request), it forwards it out of every port except the one it arrived on; this is called flooding. Switch 2 floods the frame again when it receives it, and switches 3, 4, and 5 do the same. Eventually the ARP request reaches every client in the network.

This ARP request is sent only to obtain the MAC address of computer B; as long as computer B receives it, the purpose is served. In reality, however, the frame spreads through the whole network and every computer receives it. Broadcast traffic therefore consumes bandwidth across the entire network, and every computer that receives a broadcast spends CPU time processing it, so both network bandwidth and CPU capacity are wasted on a large scale. Broadcast frames are also very common. With the TCP/IP protocol stack, besides ARP there are other sources of broadcast traffic such as DHCP and RIP: an ARP broadcast is sent whenever a host needs to communicate with another host, a client requesting an IP address from a DHCP server must broadcast its DHCP request, and when RIP is the routing protocol, a router broadcasts routing information to its neighbouring routers every 30 seconds. Routing protocols other than RIP use multicast to carry routing information, and multicast frames are likewise flooded by layer-2 switches. Beyond TCP/IP, protocols such as NetBEUI, IPX, and AppleTalk also rely heavily on broadcast.

If the entire network forms a single broadcast domain, every broadcast spreads across the whole network and places an extra burden on every host in it. When designing a LAN, you therefore need to know how to split the broadcast domain effectively.

Traditionally, routers are used to separate broadcast domains: each network interface on the router bounds its own broadcast domain. But a router usually has few network interfaces, typically only about 1 to 4. With the spread of broadband connections, broadband routers (also called IP-sharing devices) have become common, and although they carry several LAN-side interfaces (generally about 4), those interfaces are actually served by a switch built into the router, so they cannot separate broadcast domains. Moreover, when a router is used to divide broadcast domains, the number of segments is fixed by the number of router interfaces, so the broadcast domains cannot be split as freely as needed. Compared with routers, layer-2 switches generally have many more network interfaces, so if they could be used to separate broadcast domains, the flexibility of the design would improve greatly.

The technology that divides broadcast domains on a layer-2 switch is VLAN. With VLANs, the composition of each broadcast domain can be designed freely, which greatly increases the freedom of network design.

VLAN, short for Virtual Local Area Network, is an emerging technology that divides the devices in a LAN into network segments logically rather than physically, forming virtual working groups. VLANs were proposed to address the broadcast and security problems of Ethernet. A VLAN tag is added to the Ethernet frame, users are divided into smaller working groups by VLAN ID, and layer-2 access between users in different working groups is restricted. Each working group is a virtual LAN. The advantages of a virtual LAN are that it limits the broadcast range, forms virtual working groups, and allows the network to be managed dynamically.
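The VLAN tag mentioned above is, in practice, the IEEE 802.1Q tag (the page does not name the standard): 4 bytes inserted after the source MAC address, carrying a 12-bit VLAN ID. The following Python is an added example, not code from the page; it builds a constructed ARP broadcast frame, inserts and decodes the tag, and shows the egress check a switch port makes to drop frames from other VLANs. The frame contents, MAC addresses, and the `port_accepts` helper are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100        # EtherType value that announces an IEEE 802.1Q tag
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = b"\xff" * 6


def build_ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: 3 bits priority (PCP), 1 bit DEI (left at 0), 12 bits VLAN ID.
    """
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, the VLAN tag if present, the EtherType and the payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        priority = tci >> 13
        vlan_id = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "priority": priority,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


def port_accepts(frame: bytes, allowed_vlans: set, native_vlan: int = 1) -> bool:
    """Egress check a switch port makes: only frames whose VLAN is in the port's allowed
    set are forwarded. An untagged frame is treated as belonging to the native VLAN."""
    vlan = parse_frame(frame)["vlan_id"]
    if vlan is None:
        vlan = native_vlan
    return vlan in allowed_vlans


# Constructed sample: a broadcast ARP request ("who has 10.1.0.6? tell 10.1.0.5") from a
# host with a locally administered MAC address. Values are made up for the example.
ARP_REQUEST = build_ethernet_frame(
    BROADCAST_MAC,
    bytes.fromhex("020000000a01"),
    ETHERTYPE_ARP,
    bytes.fromhex("0001080006040001" "020000000a01" "0a010005" "000000000000" "0a010006"),
)

if __name__ == "__main__":
    tagged = tag_frame(ARP_REQUEST, vlan_id=10, priority=3)
    print(parse_frame(tagged))
    print("accepted on a VLAN 10/20 port:", port_accepts(tagged, {10, 20}))
    print("accepted on a VLAN 30 port:   ", port_accepts(tagged, {30}))
```

Because the VLAN ID travels inside the frame, a switch can decide at every port whether the frame belongs there; that per-port rejection of frames from other VLANs is what confines the ARP broadcast to one working group.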

VLAN technology lets a network administrator logically divide one physical LAN into different broadcast domains, i.e. VLANs. Each VLAN contains a group of workstations with the same requirements and has the same attributes as a physical LAN. Because the division is logical rather than physical, the workstations of one VLAN need not be in the same physical location, and they need not belong to the same physical LAN segment. Broadcast and unicast traffic within one VLAN is not forwarded to other VLANs; even if two computers are on the same network segment, their broadcasts are not forwarded to each other unless they share the same VLAN number. This helps control traffic, reduces equipment investment, simplifies network management, and improves network security.

In terms of bandwidth, flexibility, and performance, virtual LANs (VLANs) show great advantages. With VLANs, users can be added, removed, and moved easily, which improves the efficiency of network management. VLANs have the following features:

1. The VLAN concept introduces flexible, software-defined device groups whose boundaries are independent of the physical medium, so a switch can take on network segmentation instead of a router. With VLANs, a physical LAN can be divided into multiple logical subnets without regard to physical location. Each VLAN can correspond to a logical unit such as a department, workshop, or project team.

2. Broadcast traffic is confined within the software-defined boundary, which improves network security. Because data exchanged between hosts in one VLAN does not reach hosts in other VLANs, the opportunity for eavesdropping is reduced and security is greatly enhanced.

3. Low-latency, line-rate communication is provided between members of the same virtual LAN, and the network can be divided into segments or micro-segments, improving the flexibility of network grouping. VLAN technology divides the network logically into different broadcast domains, so a packet is only switched among ports in the same VLAN. A LAN is thus only connected to another LAN in the same VLAN, avoiding wasted bandwidth and eliminating an inherent defect of traditional bridged/switched networks: packets are often delivered to LANs that do not need them. This also improves the flexibility of network configuration, especially in LAN environments that use broadcast/multicast protocols and applications. In a VLAN structure, packets from other VLANs can simply be rejected, which greatly reduces network traffic.

The classification of virtual LANs is a soft technology. How the classification is done determines whether the technology can play its expected role in the network. The following describes the types of virtual LAN and their features.

There are three common types of virtual LAN: port-based, MAC-address-based, and network-layer-based.

1. Port-based

Port-based virtual LANs are the earliest and most popular way of partitioning. Switch ports are grouped, and each group is defined as a virtual LAN. A port group may span several switches (for example, the workstations on ports 1 and 2 of switch 1 and ports 4, 5, 6, and 7 of switch 2 form VLAN A, while the workstations on ports 3, 4, 5, 6, 7, and 8 of switch 1 and ports 1, 2, 3, and 8 of switch 2 form VLAN B). Port grouping is currently the most common way to define virtual LAN membership, and its configuration is straightforward. When virtual LANs are defined by port groups, the same physical segment (or switch port) cannot belong to more than one virtual LAN. All terminals on the ports of one virtual LAN are in one broadcast domain and can communicate with each other; communication between different virtual LANs must be routed. The advantage of this partitioning method is that it is simple and easy to implement: a broadcast from one port is sent directly to the other ports in the virtual LAN, which is also easy to monitor. Its main limitation is a lack of flexibility: when a user moves from one port to another, the network administrator must reconfigure the virtual LAN membership, although flexible network management software can compensate for this.
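The flooding behaviour described at the start of the page and the two-switch port grouping above can be put together in a small simulation. The Python below is an added example, not code from the page: it models switches 1 and 2 with the port-to-VLAN assignment just described, floods a broadcast out of every port except the ingress port, and counts which workstations receive it with and without VLANs. The uplink on port 9 of each switch and the workstation naming scheme are assumptions, since the text names neither.

```python
# Constructed topology following the port-based example above: switches sw1 and sw2
# each have access ports 1..8 with one workstation per port. Port 9 on each switch is an
# ASSUMED uplink (trunk) joining the two switches; the text does not mention such a port.
ACCESS_VLANS = {
    ("sw1", 1): "A", ("sw1", 2): "A",
    ("sw1", 3): "B", ("sw1", 4): "B", ("sw1", 5): "B",
    ("sw1", 6): "B", ("sw1", 7): "B", ("sw1", 8): "B",
    ("sw2", 1): "B", ("sw2", 2): "B", ("sw2", 3): "B",
    ("sw2", 4): "A", ("sw2", 5): "A", ("sw2", 6): "A", ("sw2", 7): "A",
    ("sw2", 8): "B",
}
# Trunk links: (switch, port) -> (peer switch, peer port); trunks carry every VLAN.
TRUNKS = {("sw1", 9): ("sw2", 9), ("sw2", 9): ("sw1", 9)}


def host_at(switch: str, port: int) -> str:
    """Name of the workstation attached to an access port (constructed naming scheme)."""
    return f"{switch}-p{port}"


def flood_broadcast(origin_switch: str, origin_port: int, vlans_enabled: bool = True) -> set:
    """Return the hosts that receive a broadcast sent by the workstation on the given port.

    Each switch floods the frame out of every port except the one it arrived on. With
    VLANs enabled the frame carries the VLAN of its ingress access port and is delivered
    only to access ports in that VLAN; trunk ports pass it on to the neighbouring switch.
    """
    vlan = ACCESS_VLANS[(origin_switch, origin_port)] if vlans_enabled else None
    receivers, visited = set(), set()
    pending = [(origin_switch, origin_port)]          # (switch, ingress port)
    while pending:
        switch, ingress = pending.pop()
        if switch in visited:                         # guard against forwarding loops
            continue
        visited.add(switch)
        for (sw, port), port_vlan in ACCESS_VLANS.items():
            if sw == switch and port != ingress and (vlan is None or port_vlan == vlan):
                receivers.add(host_at(sw, port))
        for (sw, port), peer in TRUNKS.items():
            if sw == switch and port != ingress:
                pending.append(peer)
    return receivers


def broadcast_domain_sizes(vlans_enabled: bool = True) -> dict:
    """Map each workstation to how many other workstations its broadcasts reach."""
    return {
        host_at(sw, port): len(flood_broadcast(sw, port, vlans_enabled))
        for (sw, port) in ACCESS_VLANS
    }


if __name__ == "__main__":
    print("sw1 port 1, no VLANs :", sorted(flood_broadcast("sw1", 1, vlans_enabled=False)))
    print("sw1 port 1, VLAN A   :", sorted(flood_broadcast("sw1", 1)))
    print("sw1 port 3, VLAN B   :", sorted(flood_broadcast("sw1", 3)))
    print(broadcast_domain_sizes())
```

Without VLANs a single ARP request from any workstation reaches all 15 others; with the port grouping in place a VLAN A broadcast reaches 5 workstations and a VLAN B broadcast reaches 9, even though both groups are spread across the two switches.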

2. Based on the hardware (MAC) address layer

Virtual LANs based on the hardware (MAC) address layer have different advantages and disadvantages. Because the hardware-layer address is bound to the workstation's network interface card (NIC), a MAC-based virtual LAN lets the network manager move a workstation to a different physical location while it automatically keeps its original virtual LAN membership. A virtual LAN defined by hardware-layer addresses can therefore be regarded as a user-based virtual LAN. The switch tracks each terminal's MAC address and switch port; when a new terminal joins the network it is assigned to a virtual LAN according to the defined VLAN-to-MAC table, and however the terminal moves within the network, its MAC address stays the same, so the virtual LAN does not need to be reconfigured. This division reduces the administrator's daily maintenance workload. The disadvantage is that every terminal must be explicitly assigned to a specific virtual LAN, and whenever terminals are added or NICs replaced, the virtual LAN database must be updated for the terminal to be tracked dynamically. One drawback of the hardware-address-based approach is that every user must initially be configured into at least one virtual LAN; only after this initial manual configuration can users be tracked automatically, and how well that works depends on the vendor's solution. Because the virtual LANs have to be configured manually at the start, the disadvantage becomes obvious in a very large network: thousands of users must be assigned to their virtual LANs one by one. Some vendors reduce the workload of manually configuring hardware-address-based virtual LANs with tools that generate the virtual LANs from the current state of the network, that is, a hardware-address-based virtual LAN is generated for each subnet.

3. Based on the network layer

Network-layer-based virtual LAN division, also called policy-based division, is the most advanced and complex method. It uses the protocol (where several protocols run on the network) or network-layer addresses (such as the subnet address in TCP/IP) to determine membership. Defining a virtual network at the network layer has the following advantages. First, segments can be divided by transmission protocol. Second, users can move freely within the network without reconfiguring their workstations. Third, this type of virtual network can reduce the network latency caused by protocol conversion. This method seems ideal, but two things must be clarified before using it: first, IP address theft, since membership is derived from addresses that the host itself supplies; second, the high demands it places on equipment, as not all devices support this method.
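The MAC-based method of section 2 and the network-layer (policy-based) method of section 3 differ in which frame field decides membership. The following Python is an added example, not code from the page: it assigns a VLAN to an incoming frame by a VLAN-to-MAC table or by protocol and source subnet, and includes a consistency check that flags the situation the text calls IP address theft, where the address-derived VLAN disagrees with the VLAN registered for the NIC. The tables, VLAN names, MAC and IP addresses are all constructed for the example.

```python
import ipaddress

# Constructed membership data (not from the page): a VLAN-to-MAC table for the
# MAC-address-based method, and subnet/protocol policies for the network-layer method.
MAC_VLAN_TABLE = {
    "02:00:00:00:0a:01": "engineering",
    "02:00:00:00:0a:02": "engineering",
    "02:00:00:00:0b:01": "finance",
}
SUBNET_VLAN_POLICY = [
    (ipaddress.ip_network("10.1.0.0/24"), "engineering"),
    (ipaddress.ip_network("10.2.0.0/24"), "finance"),
]
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
PROTOCOL_VLAN_POLICY = {ETHERTYPE_IPX: "ipx-legacy"}   # grouping by transmission protocol


def vlan_by_mac(src_mac: str):
    """MAC-based membership: the port the frame arrived on is irrelevant, so a workstation
    keeps its VLAN after moving. An unknown NIC returns None and must be added to the table."""
    return MAC_VLAN_TABLE.get(src_mac.lower())


def vlan_by_network_layer(ethertype: int, src_ip: str = None):
    """Policy-based membership: first by protocol, then by the source subnet of IPv4 frames."""
    if ethertype in PROTOCOL_VLAN_POLICY:
        return PROTOCOL_VLAN_POLICY[ethertype]
    if ethertype == ETHERTYPE_IPV4 and src_ip is not None:
        addr = ipaddress.ip_address(src_ip)
        for network, vlan in SUBNET_VLAN_POLICY:
            if addr in network:
                return vlan
    return None


def classify(src_mac: str, ethertype: int, src_ip: str = None, method: str = "mac"):
    """Assign a VLAN to an incoming frame using the chosen method ('mac' or 'network')."""
    if method == "mac":
        return vlan_by_mac(src_mac)
    if method == "network":
        return vlan_by_network_layer(ethertype, src_ip)
    raise ValueError("method must be 'mac' or 'network'")


def membership_consistent(src_mac: str, src_ip: str) -> bool:
    """Defensive cross-check: does the VLAN derived from the source IP agree with the VLAN
    registered for the NIC? A mismatch is the condition the text calls IP address theft,
    where a network-layer policy would trust an address the sending host does not own."""
    by_mac = vlan_by_mac(src_mac)
    by_ip = vlan_by_network_layer(ETHERTYPE_IPV4, src_ip)
    return by_mac is not None and by_mac == by_ip


if __name__ == "__main__":
    # The same NIC seen on a different port still lands in "engineering" (MAC-based).
    print(classify("02:00:00:00:0A:01", ETHERTYPE_IPV4, "10.1.0.5", method="mac"))
    # A frame claiming a finance source address is placed in "finance" by the subnet policy.
    print(classify("02:00:00:00:0a:01", ETHERTYPE_IPV4, "10.2.0.7", method="network"))
    print("consistent:", membership_consistent("02:00:00:00:0a:01", "10.2.0.7"))
```

The MAC lookup ignores the ingress port, which is exactly why a moved workstation keeps its membership and why every NIC must be registered first; the network-layer lookup ignores the NIC altogether, which is why the text raises IP address theft as a concern before this method is deployed.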

4. VLAN division based on IP Multicast

IP multicast can itself define VLANs: each multicast group is a VLAN. This division extends VLANs to the WAN, so it is more flexible and easy to extend through routers. This method is, however, not suitable for a LAN, mainly because of its low efficiency.
