Different community VLANs

The technical development of Chinese network manufacturers is not limited, but very large. We do not have to follow other people's footsteps. Sometimes we may look down to the needs of Chinese network users, rather than simply "going up" to catch up with the so-called "international trend ". This will often lead to unexpected gains!

Booming Smart Community

In recent years, the IP network technology has been greatly developed, forming a de facto broadband network standard.
At present, China Telecom, China Netcom, and other large operators mainly deploy broadband networks from top to bottom, and allocate their main resources to the construction of broadband backbone networks and broadband MAN networks. Build an expressway ". However, to allow a large number of "cars" to run on this road, broadband access networks are essential. Currently, the most popular and common construction mode of broadband access networks is smart community networks. A group of operators, represented by Great Wall broadband, put their eyes on the End User Group of the family. According to the concentrated living conditions in China, the construction of residential areas tends to be standardized, the entry point of the network is residential households, powered by advanced, reliable, and low-cost Ethernet technology, Alibaba Cloud is committed to solving the "last mile" problem of broadband access by working with real estate manufacturers and operators with broadband backbone network resources, provide Internet access and application services with a bandwidth of more than 10 MB at a lower price.
Prominent problems: Security Management

Because of the characteristics of the community network construction and application, it determines that it puts forward higher requirements on management and security, which is also a prominent problem in the current Smart Community construction.
Network management includes two parts. One part is the management of network devices, that is, monitoring and adjusting the running status of the network. The other part is the management of network users, including the activation, closure, and adjustment of the network service permissions of the user's community, the management of user bandwidth, and traffic restrictions. Network security also includes two parts. First, it defends against attacks from outside the Community network. Computers in the community network are connected to the Internet in real time. In addition to being vulnerable to attacks by malicious attackers, most likely, attackers intrude on Distributed Denial Of Service, D. d. attackers are forced to attack and block other hosts. For an attacker, host-intensive networks like smart community should be a good "attack resource ". In addition, attacks between users in the Community must be strictly prevented.

Smart Community and VLAN settings
Generally speaking, a virtual LAN (VLAN) is a network structure that groups nodes by logic rather than by physical groups. VLAN segments generate security areas where sensitive information cannot be shared. to effectively reduce broadcast traffic, VLAN segments generate their respective broadcast areas in groups, providing higher network efficiency and security. Figure 1 and figure 2 below show the differences between a LAN and a VLAN.
Figure 1 LAN Segmentation
VLAN division is very important in smart community networks. Generally, we divide a residential network into three layers: front-end access layer, building collection layer, and residential core layer. Next, we will describe the VLAN division and functions of these three layers.
A) Front-end access layer
The front-end access layer switch is placed in each building, and the household computer is connected to the front-end access layer switch. We call the user-connected vswitch port a common port, and the port connecting to the upper-level vswitch is called an upstream port. VLAN is divided on the frontend access layer switch. Each VLAN has only two ports: one common port and one uplink port. We need to divide the number of N-1 VLANN into the number of switch ports ). After such VLAN division, tenants cannot communicate with each other, but can communicate with the upper-level switch, that is, the building aggregation layer switch.
B) building collection Layer
The building aggregation layer switch is responsible for connecting several front-end access layer switches. VLAN is divided on the building aggregation layer switch. Each VLAN also has two ports: one common port and one uplink port. We also need to divide the number of N-1 VLANN as the number of switch ports ). After such VLAN division, each front-end switch cannot communicate with each other, but can communicate with the upper-level switch, that is, the Community core layer switch.
Figure 2 VLAN Division
C) Residential core layer
The core layer switch of the residential area is responsible for connecting several building aggregation layer switches. Similarly, VLAN is divided on the core layer switch of the residential area. Each VLAN has only two ports: one common port and one uplink port. We also need to divide the number of N-1 VLANN as the number of switch ports ). After such VLAN division, switches at the collection layer of each building cannot communicate with each other, but can communicate with switches at the upper-level, that is, access layer switches at the Metropolitan Area Network. As you can see, after such VLAN division, the computers of every household cannot access the computers of any other household in the community, but can access the man.
VLAN technology has been available for several years, but it has not been fully utilized. However, people often associate VLAN with layer-3 Switching layer-3 Switching. It is believed that layer-3 switches must be introduced after VLAN division. By setting Access Listing on layer-3 switches or routers, VLANs can communicate with each other. This is necessary in some enterprise campus networks. So do we need layer-3 switching in Smart Community networks? The answer is no, at least not necessary at present. Because we cannot see the necessity of communication between VLANs in the residential network.
In a cell network, this "thorough" VLAN division first eliminates all possible network broadcast traffic. Otherwise, if such a large network is in a broadcast domain, in addition, there is a large amount of data transmitted on the network, which can easily cause a broadcast storm. In addition, this VLAN Division can effectively solve the internal network security problems of the residential network.
The management of network users is generally achieved by setting a proxy server at the exit from the residential network to the Metropolitan Area Network. All users access the man through the proxy server for forwarding. You can set and adjust user permissions on the proxy server as needed.
Security management and cross-port VLAN settings

These two problems are analyzed together because network devices that can divide VLANs currently support SNMP-based network management. Because the hub works in broadcast mode, even if network management is supported, VLAN cannot be divided. To divide VLANs, only switches can be used. Currently, vswitches with network management capabilities are expensive. Taking the most used front-end switches as an example, the price of each manageable front-end exchange access point is between-RMB/Point, the unmanageable front-end exchange Access Point price is only-RMB/Point. Because the construction cost of the residential network is mainly raised by the operator, the investment amount of the purchased Network Management Switch is large, and the investment payback period is also extended accordingly.
Aiming at the high price of VLAN-based network management switches, Tsinghua Ziguang's technical experts and R & D personnel have comprehensively analyzed the technology and application.

From a technical point of view, the support for network management and the support for VLAN are actually different functions. However, the management of VLAN settings and adjustments must be implemented through the network management function. However, network administrators do not have to support SNMP. From the application perspective, according to the survey, many carriers do not need to monitor the traffic of each port of the front-end switch in detail, but they need to set the port rate. For example, you can set a port speed of 10/100 Mbps to 10 M or 100 M, so that if the building collection layer switch is a M switch, you can avoid the transmission bottleneck from the front-end access layer to the building collection layer, at the same time, it has sufficient flexibility. The most important thing is that the VLAN settings of the front-end switch of the residential network are "extreme" and do not need to be adjusted at all.
After unremitting efforts, Tsinghua Ziguang developed and manufactured a distinctive vswitch MS3241F2. The vswitch has 24 10/100 MbpsRJ-45 ports and can be inserted with a MB Optical Fiber Module. The unique feature of MS3241F2 is that it has two small buttons on the front panel to set the speed of each port. Most importantly, you can press these two buttons to change the MS3241F2 switch to the "Security VLAN" mode. In the security VLAN mode, the switch is divided into 23 VLANs, each VLAN only includes 1 common port and 24 port. If there is an optical fiber module, the optical fiber module is port 24 ), in this way, the building aggregation layer switch is connected through port 24 or the optical fiber module, and Port 1 to port 23 is used to access the user. Residents cannot communicate with each other, but can communicate with switches at the building aggregation layer.
In practical application, MS3241F2 can be used in both the front-end access layer and building collection layer, which can greatly reduce investment. It is best to choose a high-end switch that supports SNMP management for the core layer switch of the residential area. In this way, the network backbone of the residential area can be monitored and managed to meet the actual needs of operators. Of course, if you need to monitor and manage the building collection layer, you can also select a vswitch that supports SNMP management at this layer.
Another problem is that MS3241F2 does not support 802.1Q VLAN standards. So how to divide VLANs across switch ports?
This should begin with the 802.1Q standard. It is a specification for bridging and LAN interconnection. According to the 802.1Q specification, VLANs can be associated with switches, that is, VLAN division across switch ports. 802.1Q requires that frames carrying VLAN tags be sent. The ports connected to the two switches are called "tagged ports", which belong to all VLAN members. The broadcast frames received on a vswitch are forwarded to all VLAN members, including "marking ports ". When a broadcast frame is uploaded to a port between switches, It is marked by a VLAN member. After the other switch receives the packet, it will remove the VLAN tag, observe its association, and then forward the packet to other ports connected by the VLAN member.
This makes it clear that port 24 of MS3241F2 belongs to all VLANs, so it has the "Mark port" function. Broadcast frames are transmitted from MS3241F2 to other vswitches. Although they are not marked, they can be transmitted to another vswitch. In this way, whether or not the other vswitch supports 802.1Q, you can observe the association of this frame and then forward it to other ports connected by the VLAN members. The price of such a switch is almost the same as that of an ordinary unmanageable switch, but it solves a major problem for network operators in the Smart Community.