Recently I have taken part in many discussions and evaluations of hospital network solutions. Almost all of them use VLAN technology, but I found that the VLAN design in most of them shares a common and fatal defect: VLANs that span the core of the network. This article presents my views on the issue for your reference.
Mutual impact between VLANs
By definition and technical specification, a VLAN is not a physical subnet or segment built from dedicated physical devices and links. The essential difference between a VLAN and a physical subnet is that VLANs must share physical devices and links, and devices and links shared between VLANs mean that the VLANs affect each other. How does this happen? A VLAN is formed by logically combining two or more nodes of a physical topology. To realize that logical combination you need switches that support VLANs, and it is the software inside those switches that provides the VLAN function. In other words, the subnet (broadcast domain) built by a VLAN is implemented in software rather than determined by the network topology; the topology only constrains which VLANs the software can create.
Once we know how VLANs work, the impact between them is easy to explain. Different VLANs on the same switch share that switch and compete for its CPU and backplane resources. The way VLANs share switches and links falls into two types. The first is "broadcast sharing": the broadcast domain defined by the VLAN runs through the shared devices and links (Figure 1); in other words, broadcast sharing is layer-2 sharing. The second is "route sharing", or layer-3 sharing: packets of different VLANs are routed (layer-3 switched) across the shared switch, and the traffic that passes through it (the dotted line in Figure 2) contains essentially no ordinary broadcast packets, apart from DHCP and the broadcasts of a few special protocols. The mutual influence between VLANs under "broadcast sharing" of network resources is greater than under "route sharing".
Figure 1 clearly shows the shared network resources (switches and links). Under normal conditions this impact between VLANs goes unnoticed, because the shared switches have ample switching capacity and the links are not congested. When a VLAN suffers an abnormal event (such as a virus infection or a loop), the situation changes: a flood of frames in the affected VLAN (say VLAN1) occupies the CPU and backplane bandwidth of every switch that VLAN spans and saturates the physical links for a long time. Devices in other VLANs (say VLAN2) never see the frames of the abnormal VLAN, but the network resources they depend on have been exhausted, so the whole area covered by VLAN1 becomes abnormal. If the fault occurs near the core switch, the entire network may be paralyzed. This is especially serious when the switches at different positions in the topology have similar performance.
Layer-3 sharing
This is determined by the nature of VLANs: in theory, the sharing of links and devices between VLANs can never be eliminated completely. All we can do is limit the scope of the mutual impact and reduce its degree. How? In practice we have arrived at two principles: 1) avoid configuring multiple VLANs on the same switch wherever possible; 2) do not assign ports on switches at different physical locations to the same VLAN. The first is easy to understand and implement. We focus on the second, that is, on keeping VLANs from spanning the core switch and the "layers" of the topology. In Figure 1 the range of VLAN1 (and likewise VLAN2) spans the entire network. If the coverage of every VLAN were limited to one side of the core switch, would fewer resources be shared? Doing so turns the network of Figure 1 into the structure shown in Figure 2.
Because no VLAN spans the core switch in this structure, the broadcast packets of each VLAN no longer pass through the core switch, although they still reach it; at the same time the core switch carries the normal inter-VLAN traffic permitted by its ACLs (the dotted line in Figure 2). The core switch thus blocks the broadcasts of each VLAN while forwarding the normal data streams between VLANs: the form of sharing changes from "broadcast" to "routing", and the VLANs affect each other less.
Some may object that moving the core switch from layer 2 to layer 3 reduces performance. That is undoubtedly true, but the reduction is insignificant compared with the performance that current layer-3 switches provide. As Figure 2 shows, the length and intensity of the shared links remain unchanged, even though the extent and range of each individual VLAN shrink.
The three-layer structure is the most effective
Careful readers will also notice that the VLANs in Figure 2 no longer serve the original purpose of VLAN technology: letting computers in different physical locations communicate as if they were on the same physical network. This is the core point of this article and a new idea for planning and deploying VLANs: in networks, especially large ones, do not use VLANs to interconnect computers at different physical locations. That might have caused problems in the past, but as network technology has developed, the gap between switches and routers has narrowed, and many functions originally implemented at layer 2 can now be replaced by layer-3 technology. Replacing layer-2 features with layer-3 technology has many advantages: a clearer structure, richer control, more flexible expansion, a more stable network, and easier implementation.
Let us continue with the problems of Figure 2. It is easy to see that although the form of sharing at the core switch has changed, the core switch is still affected by abnormal events in each VLAN. To keep each VLAN from affecting the core switch, reduce the scope of any impact and avoid paralyzing the whole network, the natural step is to add a layer between the core switch and the switches carrying VLANs, isolating the core from every VLAN. The result is the now common three-layer topology shown in Figure 3.
In the three-layer structure no VLAN exists between the aggregation layer and the core layer, and a VLAN on an aggregation switch is confined to some of its ports. The aggregation switch thus becomes the "route-shared" switch, and this "route sharing" is weaker than in Figure 2.
If the aggregation switches perform far better than the access switches, network-wide paralysis caused by VLAN broadcasts (mostly the work of viruses) is essentially solved.
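As an added illustration, not code from the original article, the following Python model compares the three designs on a small constructed tree topology with hypothetical switch names. It treats a VLAN's broadcast domain as the union of the paths between every pair of switches carrying the VLAN (its layer-3 gateway counted as one of them, since broadcasts reach it) and reports the switches and links that two VLANs share.

```python
from collections import deque
from itertools import combinations

# Constructed tree topology (switch names are hypothetical).
LINKS = [("core", "aggL"), ("core", "aggR"), ("aggL", "swL1"),
         ("aggL", "swL2"), ("aggR", "swR1"), ("aggR", "swR2")]
ADJ = {}
for _a, _b in LINKS:
    ADJ.setdefault(_a, set()).add(_b)
    ADJ.setdefault(_b, set()).add(_a)

def path(src, dst):
    """Switch-to-switch path through the tree (BFS with parent pointers)."""
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in ADJ[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    hops = [dst]
    while parent[hops[-1]] is not None:
        hops.append(parent[hops[-1]])
    return hops[::-1]

def broadcast_domain(members):
    """Switches and links a VLAN's broadcasts traverse: the union of the paths
    between every pair of switches carrying it (its layer-3 gateway included)."""
    nodes, links = set(members), set()
    for a, b in combinations(sorted(members), 2):
        hops = path(a, b)
        nodes.update(hops)
        links.update(frozenset(h) for h in zip(hops, hops[1:]))
    return nodes, links

def shared_resources(vlans):
    """Switches and links a storm in one VLAN would exhaust for another:
    the pairwise intersection of the VLANs' broadcast domains."""
    domains = [broadcast_domain(m) for m in vlans.values()]
    nodes, links = set(), set()
    for (na, la), (nb, lb) in combinations(domains, 2):
        nodes |= na & nb
        links |= la & lb
    return nodes, links

# Figure 1: both VLANs span the core, which is only a layer-2 transit.
FIGURE1 = {"VLAN1": {"swL1", "swR1"}, "VLAN2": {"swL2", "swR2"}}
# Figure 2: each VLAN on one side; the routing core is the gateway of both.
FIGURE2 = {"VLAN1": {"swL1", "swL2", "core"}, "VLAN2": {"swR1", "swR2", "core"}}
# Figure 3: the aggregation switch routes; no VLAN broadcast reaches the core.
FIGURE3 = {"VLAN1": {"swL1", "swL2", "aggL"}, "VLAN2": {"swR1", "swR2", "aggR"}}
```

With this topology, `shared_resources(FIGURE1)` returns the core and both of its uplinks, `shared_resources(FIGURE2)` only the core, and `shared_resources(FIGURE3)` nothing, which is the article's argument in numbers.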
Every solution has a good side and a bad side, and a three-layer network brings problems of its own: 1) centralized remote management of each VLAN is difficult to achieve by ordinary means; network management software can be used to full advantage here. 2) With more VLANs and the introduction of routing protocols and other technologies, the network is more complex than a flat layer-2 switched network, demands more of the network technicians, and costs more to manage and maintain.
Both points are simply requirements of managing a large network: managing a large network without network management tools is impossible, and a shortage of technical staff is a problem every enterprise faces. Some experts have proposed the idea of "IT property"; perhaps that will be the final answer to this problem in the future.