Two-layer switch when three-layer switch uses one-arm routing to implement VLAN interoperability on layer Two switches

Many SME internal network structures are simple, with only one switch connecting all employees and servers together and then accessing the Internet through fiber optics. Of course, in order to ensure the security of some hosts and split the internal broadcast packet to improve the network transmission speed, take such as partition VLAN, the allocation of different subnets to achieve. By partitioning VLANs, clients on different ports on the same switch cannot access each other, effectively isolating the network.

While it is possible to solve the frequent occurrence of security and broadcast storms through VLAN partitioning, it is also necessary for companies that want to isolate and want to interoperate with certain clients, while partitioning VLANs to establish mutually accessible channels for different VLANs.

It is well known that the three-layer switch can be used, but in most cases the initial purchase of the enterprise network is only two layers of manageable switches, and if you want to purchase a three-tier switch for VLAN interoperability, the previous two-tier devices will be discarded. This creates a great deal of waste. So is there any way to implement the function of the three layer switch on the basis of still using the two layer device?

The principle of layer one or three switches:

Before we tell you how to solve the problem, we need to first understand how the three-layer switch works. In theory, a three-layer switch can be seen as a two-layer switch + a routing module, and the actual use of each vendor is also through the routing module built into the switch to achieve three-tier functionality. When the packet is transmitted, it is sent to the routing module, which provides the routing path and then forwards the corresponding packet by the switch.

Two, one-arm routing principle:

Now that you are still using the previous two-tier device, we can address the above mentioned enterprise network upgrade problem by adding a router. This router is equivalent to the three-layer switch routing module, but we put it on the outside of the switch. Specific schematic topology

Router Router

Connecting lines (responsible for communication between multiple VLANs)

Switch switches

You can see that between the router router and the switch is connected through an external line, this external line only one, but he is logically separate, the packet that needs to be routed through this line to reach the router, after routing and then back to the switch through this line to forward. So we give this topology a name--one-arm routing. To put it bluntly, one-arm routing is where the packet goes in and out of the mouth, rather than the traditional network topology in which packets go from one interface to the router and away from the other.

So when is a single-arm route used? VLAN is divided in the enterprise internal network, when some hosts between VLANs need to communicate, but the switch does not support three layer switching, this time can use a 802.1Q router to realize the interoperability of VLANs. We only need to establish a sub-interface on the Ethernet port, and assign the IP address as the gateway to the VLAN, and start the 802.1Q protocol .

Tips:

When a physical interface is used as multiple logical interfaces, it is often necessary to enable sub-interfaces on that interface. Through a logical sub-interface to achieve the physical port to a multi-function.

Three, the actual combat single-arm routing:

The author of the company just met the above-mentioned problem, the original use of switches to connect the intranet, divided the VLAN. But now that the VLANs need to be interoperable, I purchased a Huawei 2621 router to implement one-arm routing to solve this problem. The specific topology is shown in Figure 1.

The switch is connected to multiple network segments with 10.91.30.*/24,10.83.224.*/24,10.83.225.*/24,10.83.226.*/24. Each network segment is in a different VLAN. All packets are connected to the core device via fiber optics. Since the fiber interface on the switch is only valid for 10.91.30.*/24, other network segments of the computer will not be able to access the Internet properly without a router. At this point, we need to pass the Huawei 2621 router to specify the address of the next hop routing, complete the transmission of the packet.

(1) configuration on the switch:

The partitioning of VLANs on the switch and the addition of different interfaces and network segments to different VLANs are not explained in detail here. In fact, 10.83.224.* corresponds to vlan302,10.83.225.* corresponding to vlan303,10.83.226.* corresponding to vlan304,10.83.227.* corresponding VLAN305. The next route address is 10.82.6.113, and the corresponding VLAN number is 307.

(2) configuration on the router:

The configuration on the actual router is the key, and the interface that connects the switch device needs to be set to multiple sub-interfaces.

First step: Connect the router with the console line, enter the Ethernet 0 port, and enable the interface.

int Ethernet 0

Undo Shut (2)

Figure 2: Entering the E0 port and enabling

Step two: Do not directly manipulate Ethernet 0 to add multiple sub-interfaces to it.

int Ethernet 0.1

int Ethernet 0.2

INT Ethernet 0.3

int Ethernet 0.4

int Ethernet 0.5

Step three: Set the trunk mode for each sub-interface and add it to the corresponding VLAN. We take ethernet0.1 as an example, and several other sub-interface settings commands are similar.

int ethernet0.1

VLAN dot1q vid 302 (3)

Figure 3: Setting trunk mode for sub-interfaces

Tips:

When setting up trunk mode We need to define the protocol used by the trunk, in general there are ISL and dot1q two kinds of protocols to give us a choice, if your device is Cisco, which can be used, However, if your device has Cisco and other company's products, you must use the 802.1Q protocol, the author of this network environment, because the router is Huawei 2621, so must use the 802.1Q protocol for trunk communication . The author began to blindly set up for ISL result network is always not pass, later only thought of this problem.

Fourth step: Next we need to use the IP address command to set the IP addresses for each sub-interface.

Fifth step: Add a default route for the router, pointing to the IP address of the fibre to the core device.

IP route-static 0.0.0.0 0.0.0.0 10.82.6.114

Sixth step: After saving all settings, use the DIS cur command to view the current configuration list. (4)

Iv. Frequently Asked Questions:

There are several issues to pay special attention to when configuring a single-arm route:

(1) Do not configure the ethernet0, we only need to partition and set its sub-interface.

(2) Do not forget to turn ethernet0 on and use the command undo shut so that all subinterfaces are turned on at the same time.

(3) If there is a list of anti-virus ACLs and so on, do not forget to add to ethernet0 at the end.

(4) because the single-arm routing packets in and out of the same interface is bound to the router's hardware requirements are relatively high, so in actual use do not casually find a low-end router sucks, stable and large memory is a single-arm router equipment required.

(5) When setting the trunk type, choose ISL or 802.1q protocol according to the actual situation.

(6) All configuration commands need to be in a state where the router is not connected to the switch, and the router and switch can be connected using a network cable when all the setup information has been entered and saved. Why? Because a single-arm route consumes the resources of the router, if the router is connected to a single-arm topology during the configuration process, the command will become very slow to display. This is the beginning of the author is the edge of the connection set, found that the router and the same as the crash, the execution of a DIS cur display configuration information command to wait more than 10 minutes, it is also possible that the network has a virus in the sending of a large number of packets caused. In short, it is set up and then connect to network insurance.

Five, the disadvantage of single-arm routing:

The disadvantage of the single-arm routing is also obvious, on the one hand, he very consumes the router CPU and memory resources, to a certain extent, affect the efficiency of network packet transmission, on the other hand, can be completed by the three-layer switch internal work to the additional equipment to complete, the connection line requirements are very high. In addition, through the single-arm routing will be divided into a good VLAN completely broken, the original increase in security and reduce broadcast packets and other measures played a significant reduction in the effect. Of course, no matter what, one-arm routing is still an enterprise network upgrade, a good choice when funding is tight.

Summarize:

The single-arm routing method is only a strategy to upgrade the existing network, the VLAN is divided in the enterprise internal network, when some hosts between VLANs need to communicate, but the switch does not support three-layer switching, then we use this method to solve the actual problem. Because one-arm routing has many of these or other drawbacks, it is not recommended that you use this approach to build topologies in the early stages of network setup.

Two-layer switch when three-layer switch uses one-arm routing to implement VLAN interoperability on layer Two switches