Virtual Local Area Network

Virtual local Area network (VLAN) is a set of logical devices and users, these devices and users are not limited by the physical location, can be based on functions, departments and applications and other factors to organize them, communication with each other as if they are in the same network segment, hence the name of the virtual local area network. VLAN is a relatively new technology that works on layers 2nd and 3rd of the OSI Reference Model, where a VLAN is a broadcast domain, and communication between VLANs is done through the router on the 3rd layer. Compared with the traditional LAN technology, VLAN technology is more flexible, it has the following advantages: The mobile, add and modify of network equipment management cost is reduced, can control the broadcast activity, can improve the security of the network. in a computer network, a two-layer network can be divided into different broadcast domains, a broadcast domain corresponding to a specific user group, by default, these different broadcast domains are isolated from each other. To communicate between different broadcast domains, you need to pass one or more routers. Such a broadcast domain is called a VLAN. 1VLAN in 1999, IEEE promulgated the draft 802.1Q protocol standard for standardizing VLAN implementations. The advent of VLAN technology enables administrators to VLAN NIC Intel82573 Actual application requirements, the same physical local area network of different users logically divided into different broadcast domains, each VLAN contains a set of computer workstations with the same requirements, and the physical LAN has the same properties. Because it is logically divided, not physically, the workstations within the same VLAN are not confined to the same physical range, i.e. these workstations can be in different physical LAN segments. The VLAN feature shows that both broadcast and unicast traffic within a VLAN are not forwarded to other VLANs, which helps to control traffic, reduce device investment, simplify network management, and improve network security. The development of switching technology also accelerates the application speed of new switching technology (VLAN). By dividing the enterprise network into virtual VLAN network segment, network management and network security can be enhanced to control unnecessary data broadcast. In a shared network, a physical network segment is a broadcast domain. In a switched network, a broadcast domain can be a virtual network segment with a set of arbitrarily selected second-tier network addresses (MAC addresses). In this way, the division of the workgroup in the network can break through the geographical limitation in the shared network, and divide it completely according to the management function. This workflow-based grouping mode greatly improves the management function of network planning and reorganization. Workstations in the same VLAN, regardless of which switch they actually connect to, communicate between them as if they were on a separate switch. Broadcasts in the same VLAN can be heard only by members of the VLAN and not transferred to other VLANs, which gives a good control over unwanted broadcast storms. At the same time, without routing, different VLANs can not communicate with each other, which increases the security between different departments in the enterprise network. Network administrators can fully manage the exchange of information between different snap-in within the enterprise by configuring the route between VLANs. The switch is based on the workstation's MAC address to divide the VLAN. Therefore, the user can freely move the office in the enterprise network, regardless of where he is connected to the switching network, he can communicate with other users in the VLAN freely. VLAN network can be a mix of network types of devices, such as: 10M Ethernet, 100M Ethernet, token network, FDDI, Cddi and so on, can be workstations, servers, hubs, network upstream backbone and so on. In addition to the network can be divided into multiple broadcast domain, so as to effectively control the occurrence of broadcast storms, and make the network topology becomes very flexible advantages, but also can be used to control the network of different departments, different sites between the mutual access. multiple hosts with different physical locations can communicate with each other if the partitions belong to the same VLAN. Multiple hosts with the same physical location cannot communicate directly between the hosts if they belong to different VLANs. VLANs are typically implemented on switches or routers, adding VLAN tags to ethernet frames to classify Ethernet frames, and Ethernet frames with the same VLAN tags in the same broadcast domain. VLAN is a protocol to solve the broadcast problem and security of Ethernet, it adds VLAN header on the basis of Ethernet frame, divides the user into smaller workgroup with VLAN ID, restricts the mutual exchange between different working groups, and each workgroup is a virtual local area network. The benefit of a virtual local area network is that it can limit the broadcast range and be able to form virtual workgroups to dynamically manage the network. Purpose The purpose of VLAN (virtual local area network) is much more. By understanding the nature of the VLAN, you will be able to see where it is useful. first, to know that 192.168.1.2/30 and 192.168.2.6/30 belong to different network segments, all must go through the router to access, usually different network segments to each other, must pass through the router. second, the VLAN essentially refers to a network segment, which is called a virtual LAN because it is a network segment created under the interface of a virtual router. below, give instructions. For example, a router has only one port for the terminal connection (which is unlikely to happen, but simplifies the example), and the port is assigned the 192.168.1.1/24 address. However, since the company has two departments, a sales department, a planning department, each department requires to become a separate subnet, with a separate server. Then of course can be divided into 192.168.1.0--127/25, 192.168.1.128--255/25. But the physical port of the router should only be able to assign an IP address, how to distinguish between different network segments? This allows the creation of two sub-interfaces---the logical interface implementation under this physical port. For example, the logical interface f0/0.1 assign IP address 192.168.1.1/25 for the sales department, and f0/0.2 assigns IP address 192.168.1.129/25 for the planning department. This is equivalent to using a physical port to achieve the functions of two logical interfaces, so that the original can only be divided into a network segment of the case, to expand to divide 2 or more network segments. These network segments are called Virtual LAN VLANs because they are created under a logical interface. This is the purpose of the VLAN explained at the router level. Thirdly, the purpose of the VLAN will be explained at the level of the switch. in reality, different network segments must be divided for many reasons. For example, only the sales department and the planning Department of two network segments. Then you can simply put all the sales department into a switch, and then access a port on the router, the Planning department all access to a switch, and then access a router port. This situation is LAN. However, as mentioned above, if the router is an interface for the terminal, then the two switches must be connected to the same router interface, this time, if you want to maintain the original network segment, then you must use the router's sub-interface, to create a VLAN. Similarly, for example, two switches, if you want the ports on each switch belong to a different network segment, then you have a few network segments, you can provide a number of router interface, this time, although the router on the physical interface to define which network segment can be connected to the interface, but at the level of the switch, It is not able to distinguish which port belongs to which network segment, then the only implementation can differentiate the method is to divide the VLAN, using the VLAN can distinguish the terminal of a switch port belongs to which network segment. In summary , when there is at least one port in all ports on a switch belonging to different network segments, when a router's physical port to connect 2 or more network segments, when the VLAN is functioning, this is the purpose of the VLAN. Advantages restricting broadcasts on the network, dividing the network into multiple VLANs can reduce the number of devices involved in broadcast storms. LAN segmentation can prevent broadcast storms from spreading across the network. VLANs can provide a mechanism for building firewalls to prevent excessive broadcasts of switched networks. With VLANs, you can assign a switch port or user to a particular VLAN group that can be in a switched network or across multiple switches, and broadcasts in one VLAN will not be sent out of the VLAN. Similarly, adjacent ports do not receive broadcasts generated by other VLANs. This reduces broadcast traffic, frees up bandwidth for user applications, and reduces broadcast generation. Safety enhance the security of the LAN, the user group containing sensitive data can be isolated from the rest of the network, thereby reducing the likelihood of disclosing confidential information. Messages in different VLANs are isolated from each other during transmission, that is, a user within a VLAN cannot communicate directly with users in other VLANs, and if different VLANs are to be communicated, they need to pass through three-tier devices such as routers or layer three switches. Costly network upgrade requirements are reduced, and existing bandwidth and uplink utilization is higher, resulting in cost savings. dividing a second layer of planar networks into multiple logical workgroups (broadcast domains) can reduce unnecessary traffic on the network and improve performance. VLANs are convenient for network management because users with similar network requirements will share the same VLAN. VLANs Aggregate users and network devices together to support business or geographic needs. Through functional division, project management or special application processing has become very convenient, for example, can easily manage the teacher's e-learning development platform. In addition, it is easy to determine the extent of the impact of upgrading network services. Flexibility with VLAN technology, different locations, different networks and different users can be combined to form a virtual network environment, which is as convenient, flexible and effective as using a local LAN. VLANs can reduce the administrative overhead of moving or changing the location of workstations, especially when some companies with frequent changes in business situations use VLANs, which is a significant reduction in administrative costs. 2 Build A VLAN is a logical subnet built on a physical network, so building VLANs requires a corresponding network device that supports VLAN technology. When the network of different VLANs to communicate with each other, need to support the routing, then need to increase the routing device-to implement the routing function, can either use a router, can also use a three-layer switch to complete, but also strictly limit the number of users. 3 Standard VLAN Partitioning by Port Many VLAN vendors use the port of the switch to partition VLAN members. The ports that are set are in the same broadcast domain. For example, the 1,2,3,4,5 port of a switch is defined as a virtual network AAA, and the 6,7,8 port of the same switch makes up the virtual network BBB. This allows for communication between the ports and allows for the upgrade of the shared network. However, this partitioning mode restricts the virtual network to a single switch. The second-generation port VLAN technology allows multiple different ports across multiple switches to divide VLANs, and several ports on different switches can form the same virtual network. The configuration of network members with switch ports is straightforward. So, for now, this way of partitioning VLANs based on ports is still the most common way. divide VLANs by MAC address This method of partitioning VLANs is divided according to the MAC address of each host, that is, the host for each MAC address configures which group it belongs to. The biggest advantage of this method of partitioning the VLAN is that when the user's physical location is moved, that is, when switching from one switch to the other, the VLAN does not have to be reconfigured, so it can be considered that the MAC address partitioning method is based on the user's VLAN, the disadvantage of this method is the initialization of the All users must be configured, if there are hundreds of or even thousands of users, the configuration is very tired. And this partitioning method also leads to a reduction in the efficiency of the switch execution, because there may be many VLAN members on each switch port, so the broadcast packet cannot be restricted. In addition, for users who use laptops, their network cards may be replaced frequently, so that VLANs must be constantly configured. divide by Network layer This method of partitioning VLANs is divided according to the Network Layer address or protocol type of each host (if multi-protocol is supported), although this partitioning method is based on the network address, such as the IP address, but it is not a route, and the network layer of the route has no relationship. The advantage of this approach is that the user's physical location changes, does not need to reconfigure the VLAN, and can be divided according to the protocol type of VLAN, which is important for network managers, and this method does not require additional frame tags to identify the VLAN, which can reduce network traffic. The disadvantage of this approach is inefficient, because checking the network layer address of each packet is required to consume processing time (as opposed to the previous two methods), the general switch chip can automatically check the network packet Ethernet frame head, but to allow the chip to check the IP frame head, the need for higher technology, but also more time-consuming. Of course, this is related to the implementation method of each vendor. by IP Multicast Division IP Multicast is also actually a VLAN definition, that is, a multicast group is a VLAN, this partitioning method extends the VLAN to the WAN, so this method has greater flexibility, but also easy to extend through the router, of course, this method is not suitable for LAN, The main is not high efficiency. rule-based also known as policy-based VLANs. This is the most flexible method of VLAN partitioning, with the ability to automatically configure, to connect the relevant users into one, the logical division is called "Relational network." The network administrator only needs to determine the rules (or attributes) that divide the VLAN in the NMS, so when a site joins the network, it will be "perceived" and automatically included in the correct VLAN. At the same time, the movement and change of the site can be automatically identified and tracked. in this way, the entire network can easily extend the network size through routers. Some products also support hosts on one port belonging to different VLANs, which is especially important in environments where the switch and the shared hub coexist. When the VLAN is automatically configured, the software in the switch automatically checks the IP source address of the broadcast information that enters the switch port, and the software automatically assigns the port to a VLAN mapped by an IP subnet. divided by userVLAN partitioning based on user-defined, non-user authorization means that the VLAN is defined and designed to accommodate a particular VLAN network based on the specific requirements of the particular network user, and that the VLAN can be accessed by a non-VLAN group of users, but the user's password is required. A VLAN can be added after it has been authenticated by VLAN management. in the way of VLAN partitioning, the port-based VLAN port method is built on the physical layer, and the MAC is built on the data link layer, and the network layer and the IP broadcasting method are built on the third layer. on the VLAN standard, we are only introducing two more common criteria, and of course some companies have their own standards, such as the ISL standard of Cisco, although not a popular standard, but due to the heavy use of Cisco Catalyst switches, ISL has also become a non-standard standard. • 802.10 Standard in 1995, Cisco advocated the use of the IEEE802.10 protocol. Prior to this, IEEE802.10 used to be the same specification for VLAN security on a global scale. Cisco has attempted to use the optimized 802.10-frame format to transmit VLAN tags necessary for framtagging mode on the network. However, most members of the 802 committee oppose the promotion of 802.10. Because, the protocol is based on the frametagging approach. 802.1q in March 1996, the Ieee802.1internetworking Committee ended its revision of the initial VLAN standards. New standards to further improve the architecture of the VLAN, unified the frame-tagging mode of the different manufacturers of the label format, and developed a VLAN standard in the future development direction, the formation of 802.1Q standards in the industry has been widely promoted. It has become a milestone in the history of VLANs. The advent of 802.1Q has broken the deadlock that virtual networks rely on a single vendor, driving the rapid development of VLANs from one side. In addition, the pressure from the market enables major network manufacturers to immediately integrate the new standards into their respective products. 802.1Q frame format: now the most widely used VLAN protocol standard is IEEE 802.1Q, and many manufacturers of switch/router products support the IEEE 802.1Q standard. VLAN frame format for IEEE 802.1Q standard the length of the 802.1Q tag is 4 bytes, which is located between the source MAC address and the length/type in the Ethernet frame. A 802.1Q tag contains 4 fields.

• Type: Length is 2 bytes, which represents the frame type, the Type field in the 802.1Q tag frame takes a fixed value of 0x8100, and if a device that does not support 802.1Q receives a 802.1Q frame, it is discarded.
• The Pri:priority field, with a length of 3 bit, indicates the priority of the Ethernet frame, the value range is 0~7, the higher the value, the higher the priority. Priority is given to high-priority data frames when the switch/router transmits congestion.
• cfi:canonical format Indicator, length 1bit, indicates whether the MAC address is in the classic format. The CFI for 0 description is the classic format, and CFI is 1 for non-classic format. This field is used to differentiate between Ethernet frames, FDDI frames, and Token ring frames, and the CFI value is 0 in an Ethernet frame.
• The Vid:vlan ID, which is a length of two bits, is 0~4095, where 0 and 4095 are reserved values that cannot be used by the user.

· Cisco ISL Tags ISL (Inter-Switch Link) is a proprietary package for Cisco and is therefore only supported on Cisco devices. ISL is a protocol that transmits multiple VLAN information and VLAN traffic between switches, between switches and routers, and between switches and servers, by configuring an ISL package on a direct port of the switch, which allows VLAN allocation and configuration across the network over the switch. Partitioning Strategy from a technical point of view, the VLAN division can be based on different principles, there are generally the following three ways to divide: Port-basedThis partitioning is the simplest and most efficient way to divide several ports on one or more switches into a logical group. This method requires only the network administrator to reassign the switch port of the network device, regardless of the device to which the port is connected. based on MAC addressThe MAC address is actually the identifier of the network card, the MAC address of each NIC is unique and cured on the NIC. The MAC address is represented by a 6-byte 16 binary (48-bit), the first 3 bytes (24 bits) of the NIC's Vendor identity (OUI), and the last 3 bytes (24 bits) as the network card identifier (NIC). Network administrators can divide some sites into a logical subnet by their MAC address. based on routingThe routing protocol works on the network layer, and the corresponding working devices have routers and routing switches (i.e., layer three switches). For the partition of VLAN mainly take the above 1th, 3 ways, the 2nd way is the auxiliary scheme. 4 Technology The development of the local area network is the basis of VLAN generation, so before we introduce the VLAN, we should understand the knowledge of LAN. a local area network (LAN) is typically a separate broadcast domain that is formed primarily by network devices such as hubs, bridges, or switches that connect to all nodes within the same network segment. Network nodes within the same LAN can communicate directly, while communication between devices in different LAN segments must pass through the router to communicate. Figure 1 shows a typical LAN environment built using routers. with the continuous expansion of the network, access devices gradually increased, the network structure is increasingly complex, it is necessary to use more routers to separate different users into their own broadcast domain, to provide network interconnection between different LANs. But there are two drawbacks to doing so: first, with the increase of the number of routers in the network, the network delay gradually increases, which leads to the decrease of network data transmission speed. This is mainly because the data must be routed through the router when it passes from one LAN to another: the router determines the destination address of the packet based on the corresponding information in the packet, and then chooses the appropriate path to forward it. second, users are naturally divided into different groups of users (broadcast domains) according to their physical connection. This partitioning method is not based on the common needs and bandwidth requirements of all users in the workgroup. As a result, although different workgroup or departmental requirements for bandwidth vary widely, they are mechanically partitioned into the same broadcast domain to compete for the same bandwidth. 5 Classification There are many ways to define VLAN members, which are then divided into several different types of VLANs. Port-based VLAN Port-based VLAN partitioning is the simplest and most efficient method of VLAN partitioning, which defines VLAN members according to the LAN switch port. VLAN divides the port of the LAN switch logically, thus divides the terminal system into different parts, each part is relatively independent, and simulates the traditional local area network in function. Port-based VLANs are also divided into single-switch ports and multi-switch ports that define VLANs in two scenarios: multi-switch port definition VLANAs shown in 3, switch 1 of 1, 2, 3 ports and switch 2 of 4, 5, 6 ports comprise VLAN1, switch 1 of 4, 5, 6, 7, 8 ports and switch 2 1, 2, 3, 7, 8 ports constitute VLAN2. single switch port definition VLAN As shown in 2, the 1, 2, 6, 7, 8 ports of the switch comprise the vlan1,3, 4, and 5 ports that comprise the VLAN2. This VLAN only supports one switch. Port-based VLAN partitioning is simple and efficient, but the disadvantage is that when a user moves from one port to another, the network administrator must reconfigure the VLAN members. MAC address-based VLAN the VLAN based on the MAC address is the VLAN defined with the MAC address of the terminal system. The MAC address is actually the identifier of the network card, and the MAC address of each NIC is unique. This approach allows workstations to move to other physical segments of the network, while automatically maintaining the original VLAN membership. When the network is small, the scheme can be said to be a good method, but with the expansion of network scale, the increase of network equipment and users will greatly increase the difficulty of management. Route-based VLANThe routing protocol Works on layer 3rd of Layer 7 protocol-the network layer, such as the IP-and IPX-based routing protocols, which include routers and routing switches. In VLANs by IP, routing is easily implemented, and the switching function and routing capabilities are converged on the VLAN switch. This approach achieves the most basic purpose of controlling broadcast storms as a VLAN, without the need for an external router. However, the communication speed between VLAN members is not ideal in this way. policy-based VLANThe partition of policy-based VLAN is a more effective and direct way, which depends on the strategy adopted in the partition of VLAN.

Virtual Local Area Network