VLAN-based Layer 2 and Layer 3 (1)

Source: Internet
Author: User

MAC address

The MAC (Media Access Control) address is the hardware identifier of a network device and is unique. MAC addresses are also known as physical addresses or hardware addresses. They are burned into the NIC (network interface controller) by the device manufacturer during production. A MAC address is 48 bits long and is divided into two parts: a block ID and a device ID. The first 24 bits are the OUI (Organizationally Unique Identifier), and the last 24 bits are allocated by the manufacturer. MAC addresses are written in hexadecimal notation, as shown in Figure 1.

MAC address format

MAC addresses are generally divided into three kinds:

* Unicast MAC address: uniquely identifies one station on the Ethernet. The address is fixed in hardware (for example, in the NIC).

* Multicast MAC address: a MAC address whose first byte has its lowest-order bit set to 1 (such addresses usually start with 0x01); it identifies a group of devices.

* Broadcast MAC address: the 48-bit MAC address that denotes every device on the segment.

On the wire, frames are transmitted in network byte order (the high-order byte goes first), but within each byte the low-order bit is transmitted first. Therefore, if the first bit sent is 0, the address is unicast; otherwise it is multicast or broadcast.
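As an added example (not code from the original page), the following Python parses a MAC address in the common notations, splits it into OUI and device ID, derives the bit order actually seen on the wire, and classifies the address from the first transmitted bit exactly as the paragraph above describes. It goes slightly beyond the text by also reporting the U/L (locally administered) bit; the sample addresses are constructed.

```python
"""Added example, not part of the original page: parse a MAC address,
split it into OUI and device ID, and classify it from the I/G bit
(the lowest-order bit of the first byte, which is the first bit sent
on the wire).  It also reports the U/L bit (locally administered
addresses), which the text above does not mention."""

import re

BROADCAST = b"\xff" * 6  # the all-ones address every station on the segment accepts


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def fmt_mac(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def wire_bits(addr: bytes) -> str:
    """Bit sequence as transmitted: bytes in order, each byte least-significant bit first."""
    return "".join(f"{b:08b}"[::-1] for b in addr)


def classify_mac(addr: bytes) -> str:
    """Broadcast is the all-ones address; otherwise bit 0 of byte 0 (I/G) decides."""
    if addr == BROADCAST:
        return "broadcast"
    return "multicast" if addr[0] & 0x01 else "unicast"


def describe_mac(text: str) -> dict:
    addr = parse_mac(text)
    return {
        "canonical": fmt_mac(addr),
        "oui": fmt_mac(addr[:3]),         # block ID, assigned to the manufacturer
        "device_id": fmt_mac(addr[3:]),   # assigned by the manufacturer
        "kind": classify_mac(addr),
        "first_bit_on_wire": wire_bits(addr)[0],
        "locally_administered": bool(addr[0] & 0x02),  # U/L bit, beyond the page's text
    }


if __name__ == "__main__":
    # constructed sample addresses in the three notations the parser accepts
    for sample in ("00:1a:2b:3c:4d:5e", "01-00-5E-00-00-FB", "ffff.ffff.ffff"):
        print(describe_mac(sample))
```

Note that the broadcast address also has its I/G bit set, which is why it is checked before the generic multicast test; a switch treats both the same way when flooding.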

MAC addresses can also be divided according to how the switch obtains them:

* Dynamic MAC address: learned by the switch from data frames on the network and subject to aging. The mapping between MAC address and port changes when the device moves to a different switch port, and the entry is lost when the switch is powered off and restarted, after which it must be learned again.

* Static MAC address: created by configuration and not aged out. The mapping between MAC address and port does not change, but the entry is lost when the switch is powered off and restarted and must be configured again.

* Permanent MAC address: created by configuration and not aged out. The mapping between MAC address and port does not change, and the entry survives a power-off and restart of the switch.

Collision domain and broadcast domain

Collision domain (physical layer), also called a conflict domain: a network area in which frames sent by different hosts or devices may collide with one another. The set of all workstations on one wire, all nodes on one physical network segment, or all nodes competing for the same bandwidth on an Ethernet forms a collision domain. When a collision occurs, the frames being transmitted may be damaged or disturbed; under the CSMA/CD rules of 802.3 Ethernet, the colliding hosts stop sending and wait a random period before trying again. The drawback is that the bandwidth available to each host is very low. As the number of hosts in the collision domain grows, collisions multiply and reliable transmission is no longer guaranteed. The devices connected to a hub form a typical collision domain, as shown in Figure 2.

A typical collision domain formed by a hub

Broadcast domain (data link layer): the set of all devices on the network that receive broadcast frames sent by any one of them. All nodes that need to receive each other's broadcasts are placed in the same broadcast domain, or logical network segment. All nodes connected to a hub or to the ports of a traditional switch form one broadcast domain: when the switch receives a broadcast frame, it forwards the frame out of every port except the one it arrived on, and every connected device receives and processes it.

As the network grows, the number of broadcast packets in the broadcast domain grows with it. These broadcasts seriously degrade network performance, and poor management can even bring the whole network down.

Hubs, switches, routers

* Hub

When an Ethernet hub receives a frame on any port, it repeats the frame out of all other ports. The hub works at the physical layer. When devices connected to different ports transmit at the same time, a collision occurs. All ports of a hub therefore share one collision domain and one broadcast domain; a hub cannot separate either. Non-switching hubs cannot divide a network into physical segments because they do not divide collision domains.

* Bridges and switches

Bridges and switches work at the data link layer and forward data based on MAC addresses. Each physical port of a bridge or switch is its own collision domain, while all ports belong to one broadcast domain. Both can separate collision domains, but neither can separate broadcast domains, block broadcasts, or logically segment the network.

Bridges and switches have the following differences:

A bridge has only a few ports, whereas a switch can have hundreds.

A bridge is slower than a switch. A switch uses hardware ASICs for wire-speed forwarding and switching, which is faster than a bridge.

A bridge uses store-and-forward: it forwards a frame only after the whole frame has been received. Besides store-and-forward, a switch also supports cut-through forwarding, in which it starts forwarding as soon as the frame header has been processed instead of waiting for the whole frame to arrive, so a switch processes frames faster than a bridge.

Because of these limitations, bridges are rarely used in modern switched LANs.

* Router

A router works at the network layer and can separate both collision domains and broadcast domains. Each subnet is its own broadcast domain; broadcasts cannot be sent from one subnet to another, so a router (or a layer-3 switch with routing functions) must be used to control broadcasts. Once a router is in place, its LAN interfaces can be used to separate broadcast domains.

Routers and switches are generally used to segment a LAN into a large number of smaller collision domains and broadcast domains. The segmentation of a traditional switched LAN is shown in Figure 3.

Traditional LAN Segmentation

Although a switch reduces the size of collision domains (each port is its own collision domain), the hosts connected to all of its ports are still in one broadcast domain. The forwarding of a broadcast frame within a broadcast domain is shown in Figure 4.

Broadcast on a traditional switch

The figure shows layer-2 switches (SW1 to SW5) connecting a network with many client hosts. Suppose host PC1 must communicate with host PC2. In Ethernet, the destination MAC address must be placed in the frame for communication to work, so PC1 must broadcast an ARP request to obtain PC2's MAC address. After SW1 receives the ARP broadcast frame, it forwards it out of every port except the one it arrived on; SW2 and SW3 receive the broadcast and likewise forward it out of all their ports, and so on, until every host (PC2 to PC8) connected to a switch in the network has received the ARP request. The ARP request meant for PC2 thus spreads across the whole network, consuming bandwidth everywhere and CPU time on every host that has to process the broadcast frame. When the network is large, the volume of broadcast frames seriously degrades performance and can cause a broadcast storm. Moreover, because the whole network is one broadcast domain, any user can reach and affect any part of the network without any control, which threatens network security.

By default, a router does not forward broadcast traffic, so it can be used to separate broadcast domains. Splitting the network into broadcast domains with a router reduces broadcast traffic and leaves more bandwidth for unicast communication. Each router port connects to a separate network, and broadcast traffic stays within the LAN segment where it was sent. However, a router usually has only a few network interfaces (about 1 to 4), so the number of broadcast domains it can create is limited, and a router costs much more than a switch. Layer-2 switches generally have many network interfaces; if they could be used to separate broadcast domains, the flexibility of network design would improve greatly.

VLAN

VLAN (Virtual LAN) is a technology that divides one physical network into multiple logical LANs. A VLAN is a broadcast domain, that is, a logical subnet. The stations in a VLAN may be located on different physical LANs, yet they communicate freely as if on one shared LAN, without regard to physical location. With VLANs, a network administrator can logically divide the users of one physical LAN into different broadcast domains on layer-2 switches according to actual application needs: users with the same requirements or services are placed in the same broadcast domain, and users with different requirements or services in different ones.

On a layer-2 switch with no VLANs, any broadcast frame is forwarded to all ports except the one it arrived on. Once VLANs are configured, when a port belonging to a VLAN receives a broadcast frame, the switch must follow these rules so that all hosts in the same VLAN receive the frame:

1) send it to the other ports of the switch that belong to the same VLAN;

2) send it over every trunk (aggregation) link of the switch that carries that VLAN, so that the ports in the same VLAN on other switches can also deliver the frame.

Figure 5 shows how a broadcast frame from a host is forwarded after two VLANs have been created on the switch. For convenience the VLANs are shown in red and blue (in practice they are identified by VLAN ID). Ports 1 and 2 belong to the red VLAN, and ports 3 and 4 to the blue VLAN.

Broadcast domains separated by VLANs

The broadcast frame sent by PC1 is forwarded only to the other port in the same VLAN, that is, port 2 in the red VLAN, and not to the ports in the blue VLAN. VLANs thus divide broadcast domains by limiting the range over which broadcast frames are forwarded, improving both network efficiency and security.
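The following Python simulation is an added example, not code from the original page or from any switch vendor. It models the two flooding rules above on a multi-switch network so that the ARP walk-through of Figure 4 and the VLAN separation of Figure 5 can be compared on the same topology. The topology (SW1 to SW5, PC1 to PC8, the port names, and the red/blue assignment) is constructed for the example and only loosely follows the figures; the "no VLANs configured" case is modelled as every port sitting in VLAN 1, which is the factory default on real switches.

```python
"""Added example, not part of the original page: a small simulation of
the two VLAN flooding rules on a multi-switch layer-2 network.  The
topology below is constructed, loosely following the figures (SW1-SW5,
PC1-PC8); the "no VLANs configured" case is modelled as every port
sitting in VLAN 1, which is what switches do out of the box."""

from collections import deque


class Switch:
    def __init__(self, name):
        self.name = name
        self.ports = {}  # port -> {"vlan": access VLAN or None, "trunk": allowed set or None, "peer": ...}

    def add_access(self, port, vlan, host):
        """Access port: untagged, belongs to exactly one VLAN, faces a host."""
        self.ports[port] = {"vlan": vlan, "trunk": None, "peer": ("host", host)}

    def add_trunk(self, port, vlans, switch, remote_port):
        """Trunk (aggregation) link: carries the listed VLANs to another switch."""
        self.ports[port] = {"vlan": None, "trunk": frozenset(vlans),
                            "peer": ("switch", switch, remote_port)}

    def egress_ports(self, vlan, ingress):
        """Rule 1: other access ports in the same VLAN.
        Rule 2: trunks that carry the VLAN.  The ingress port never gets the frame back."""
        out = []
        for name, p in self.ports.items():
            if name == ingress:
                continue
            if p["vlan"] == vlan or (p["trunk"] is not None and vlan in p["trunk"]):
                out.append(name)
        return out


class Network:
    def __init__(self, *switches):
        self.switches = {sw.name: sw for sw in switches}

    def locate_host(self, host):
        for sw in self.switches.values():
            for pname, p in sw.ports.items():
                if p["peer"] == ("host", host):
                    return sw, pname, p["vlan"]
        raise KeyError(f"host {host} is not attached to any switch")

    def flood(self, src_host):
        """Hosts that receive a broadcast frame (e.g. an ARP request) sent by src_host."""
        sw, port, vlan = self.locate_host(src_host)
        receivers, seen = set(), set()
        queue = deque([(sw, port)])
        while queue:
            sw, ingress = queue.popleft()
            if (sw.name, ingress) in seen:  # loop guard for the simulation only
                continue
            seen.add((sw.name, ingress))
            for out in sw.egress_ports(vlan, ingress):
                peer = sw.ports[out]["peer"]
                if peer[0] == "host":
                    receivers.add(peer[1])
                else:  # tagged on the trunk, re-enters the next switch in the same VLAN
                    queue.append((self.switches[peer[1]], peer[2]))
        return receivers


def build_network(vlan_of=None, trunk_vlans=(1, 10, 20)):
    """Constructed topology: SW1 is the core; SW2/SW3 hang off it, SW4/SW5 off those.
    vlan_of maps host -> VLAN; hosts not listed stay in the default VLAN 1."""
    vlan_of = vlan_of or {}
    v = lambda h: vlan_of.get(h, 1)
    sw = {n: Switch(n) for n in ("SW1", "SW2", "SW3", "SW4", "SW5")}
    for name, hosts in {"SW1": ("PC1", "PC2"), "SW2": ("PC3", "PC4"),
                        "SW3": ("PC5", "PC6"), "SW4": ("PC7",), "SW5": ("PC8",)}.items():
        for i, h in enumerate(hosts, start=1):
            sw[name].add_access(f"p{i}", v(h), h)
    for a, pa, b, pb in (("SW1", "p3", "SW2", "p3"), ("SW1", "p4", "SW3", "p3"),
                         ("SW2", "p4", "SW4", "p2"), ("SW3", "p4", "SW5", "p2")):
        sw[a].add_trunk(pa, trunk_vlans, b, pb)
        sw[b].add_trunk(pb, trunk_vlans, a, pa)
    return Network(*sw.values())


RED, BLUE = 10, 20  # constructed VLAN IDs standing in for the red and blue VLANs
TWO_VLANS = {"PC1": RED, "PC2": RED, "PC3": RED, "PC7": RED,
             "PC4": BLUE, "PC5": BLUE, "PC6": BLUE, "PC8": BLUE}

if __name__ == "__main__":
    print("no VLANs:  PC1's ARP request reaches", sorted(build_network().flood("PC1")))
    print("two VLANs: PC1's ARP request reaches", sorted(build_network(TWO_VLANS).flood("PC1")))
    print("trunks without the red VLAN:", sorted(build_network(TWO_VLANS, trunk_vlans=(1, BLUE)).flood("PC1")))
```

The third run shows why rule 2 matters: if a trunk is not configured to carry the red VLAN, PC1's broadcast stops at SW1 and PC3 and PC7, although in the same VLAN, never receive it. The simulation assumes a loop-free topology; real switches rely on a spanning-tree protocol for that, which this page does not cover.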

A VLAN can be thought of as logically splitting one switch into several switches that do not communicate with one another. Each VLAN is a broadcast domain. Two broadcast domains are normally connected by a router, and frames between them are relayed by that router; communication between VLANs therefore also needs a router (or a layer-3 switch) to relay traffic, which is called inter-VLAN routing. With a router configured between VLANs, traffic within a VLAN is still carried over that VLAN's own layer-2 network, while traffic from one VLAN to another is forwarded by layer-3 routing; once it reaches the destination network, the frame is delivered to the destination host over the layer-2 switched network there. Routers do not forward Ethernet broadcast frames, so a router placed between VLANs does not undo the broadcast isolation achieved by the VLAN division.

VLAN frame format

* Ethernet V2 MAC frame format

There are two Ethernet MAC frame formats: the DIX (DEC, Intel, Xerox) Ethernet V2 standard (RFC 894) and the IEEE 802.3 standard. Figure 6 shows the common Ethernet V2 MAC frame format (the de facto standard):


MAC frame format of Ethernet V2

Ethernet frames are transmitted at the link layer, so the source and destination MAC addresses are also called link-layer addresses, layer-2 addresses, or hardware addresses.

The Type field indicates the upper-layer protocol carried in the frame. Common protocol type values are listed in Table 1:

Table 1 common protocol type values

