VLAN settings for large enterprise networks

Source: Internet
Author: User
Tags: cisco switch

When a large enterprise with many subordinate organizations interconnects their previously isolated networks, VLANs must be divided by functional department so that the whole network can be managed, secured, and operated stably.
When enterprise networks first emerged they were small, had a narrow application scope, little understanding of Internet access, and weak security and management, so they were limited to a purely switched mode of operation. Switching technology comes in two main forms: Ethernet-based frame switching and ATM-based cell switching. Each port of a LAN switch is its own collision domain, but all network devices in one IP or IPX segment still share a single broadcast domain. With a large number of workstations and heavy traffic, a broadcast storm forms easily and can even paralyze the network.
In a network built on switching technology alone, the structure is divided only by physical segments. Such a structure is weak in efficiency and security and severely limits the flexibility of the network: to separate a broadcast domain you must buy another switch and re-cable by hand. Virtual networks (VLANs) must therefore be configured.
In a large enterprise with several level-2 units, we divide VLANs when the isolated networks of each unit are interconnected, so that the whole network can be managed, secured, and operated by functional department.
Step 1: Subnet analysis
The network system consists of three parts: the company, level-2 unit 1, and level-2 unit 2. Initially the three parts are independent of each other and do not form a unified network environment, so each runs on switching technology alone.
All three main networks use Gigabit Ethernet. This high starting point provides a fast, stable platform, compliant with international standards, for the enterprise's information applications. The company's central switch is a Cisco Catalyst 6506 with a layer-3 routing engine, which gives the enterprise network the ability to upgrade in the future; the central switch of each level-2 unit is a Cisco Catalyst 4006; the second- and third-level switches are Cisco Catalyst 3500 series, chosen mainly for their high performance and stackability.
At present the three parts are connected to the Internet according to the company's requirements, and the interconnection between the networks also uses Gigabit bandwidth. Because all three networks already run Gigabit Ethernet, the links between subnets use Trunk technology, that is, dual Gigabit links, so that the trunk does not become a bottleneck; the network bandwidth reaches 4G, which not only increases bandwidth but also provides link redundancy and improves the speed, stability, and security of the entire network.
However, the growth of the network, the increase in traffic, and the growing complexity of the user population bring new risks to the security, stability, and efficient operation of the enterprise network. This is what motivates VLAN division.
According to the company's requirements for VLAN division, the IP addresses of each VLAN are allocated as follows:
Manager's subnet: 192.168.1.0 -- 192.168.2.0/22, Gateway: 192.168.1.1;
Financial subnet: 192.168.3.0 -- 192.168.5.0/22, Gateway: 192.168.3.1;
Supply and Marketing subnet: 192.168.6.0 -- 192.168.8.0/22, Gateway: 192.168.6.1;
Information Center subnet: 192.168.7.0/24, Gateway: 192.168.7.1;
Server subnet: 192.168.100.0/24, Gateway: 192.168.100.1;
Other subnets: 192.168.8.0 -- 192.168.9.0/22, Gateway: 192.168.8.1.
Step 2: System analysis
For Cisco products, VLAN division is based mainly on two standard protocols: ISL and 802.1Q. Because Cisco network devices are used here, ISL encapsulation is used for interconnection between VLANs; this protocol is optimized for the hardware platform of Cisco network equipment in information-stream processing and multimedia applications. VLAN interconnection between products of different vendors is discussed later.


Network Topology

In this case, VLAN division increases the number of switches, so the connections between switches must use the Trunk method. The manager's office subnet and the supply and marketing subnet illustrate two different problems in VLAN division: VLAN division across switches and port-based VLAN division:
In the manager's virtual network, one switch carries multiple VLANs, so, as mentioned above, it must be connected to its upper-layer switch in Trunk mode. In the supply and marketing virtual network, however, the supply and marketing department of level-2 unit 1 is served by its own independent LAN switch, ipvst3548. Only a normal switched connection is needed between the supply and marketing VLAN switch ipvst3548 and the second-level center switch ipvst4006; you only need to assign the ports on ipvst4006 that connect to ipvst3548 to that VLAN. That is the port-based VLAN division mentioned above.
Step 3: Route list

After the VLAN connections are completed, each of the two ipvst4006 switches is connected to the primary center switch ipvst6506 over dual fiber channels, which protects against a line fault between ipvst4006 and ipvst6506. The routes of the entire network are therefore managed centrally on ipvst6506. We set the following VLAN routing on the master center switch ipvst6506:
Manager's virtual network: 192.168.1.1/22;
Financial Virtual Network: 192.168.3.1/22;
Supply and Marketing Virtual Network: 192.168.6.1/22;
Information Center Virtual Network: 192.168.7.1/24;
Other virtual networks: 192.168.8.1/22;
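The allocation in Step 1 and the route list above give each VLAN a gateway and a /22 or /24 prefix; before such a plan is typed into the switches it is worth checking that the resulting networks do not overlap. The following Python script is an added example, not code from the article: ARTICLE_PLAN transcribes the article's gateways and prefixes, and FIXED_PLAN is a constructed, hypothetical non-overlapping alternative used only to show the check passing.

```python
# Added example, not code from the original page: sanity-check a VLAN
# addressing plan by normalising each gateway/prefix pair to the network it
# actually lies in and reporting overlapping subnets and unusable gateways.
import ipaddress

# Gateway and prefix length exactly as the article allocates them.
ARTICLE_PLAN = {
    "Manager": "192.168.1.1/22",
    "Financial": "192.168.3.1/22",
    "Supply and Marketing": "192.168.6.1/22",
    "Information Center": "192.168.7.1/24",
    "Server": "192.168.100.1/24",
    "Other": "192.168.8.1/22",
}

# Constructed, hypothetical alternative with one aligned block per VLAN.
FIXED_PLAN = {
    "Manager": "192.168.0.1/22",
    "Financial": "192.168.4.1/22",
    "Supply and Marketing": "192.168.8.1/22",
    "Information Center": "192.168.12.1/24",
    "Server": "192.168.100.1/24",
    "Other": "192.168.16.1/22",
}

def networks(plan):
    """Map each VLAN name to the network its gateway/prefix really falls in."""
    return {name: ipaddress.ip_interface(gw).network for name, gw in plan.items()}

def find_overlaps(plan):
    """Return sorted name pairs whose subnets overlap; a switch refuses SVI
    addresses that overlap, so such a plan cannot be configured as written."""
    nets = networks(plan)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def bad_gateways(plan):
    """Names whose gateway is the network or broadcast address (unusable)."""
    out = []
    for name, gw in plan.items():
        iface = ipaddress.ip_interface(gw)
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            out.append(name)
    return out

if __name__ == "__main__":
    for label, plan in (("article", ARTICLE_PLAN), ("fixed", FIXED_PLAN)):
        print(label, {n: str(v) for n, v in networks(plan).items()})
        print(label, "overlaps:", find_overlaps(plan), "bad gw:", bad_gateways(plan))
```

Run against the article's plan, the check reports that the Manager and Financial gateways both fall in 192.168.0.0/22, and that the Information Center /24 sits inside the Supply and Marketing /22.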
Next, enable a routing protocol (RIP or OSPF) on the central switch and specify the network segment 192.168.0.0. For RIP, run the following commands in global configuration mode:
router rip
 network 192.168.0.0
Notes

1. The VLAN division of the entire company's network is designed as a single overall structure, so the VLAN list must be kept consistent: when the VLANs of level-2 unit 1 change, the VLAN list changes, and the Catalyst 4006 must propagate the change to the other parts of the network so that the VLAN list stays consistent everywhere. Therefore, when you set up VTP (VLAN Trunk Protocol), you must treat the VTP domain as a whole, with the VTP mode set to Server or Client on each switch accordingly.
2. Some enterprises built their networks earlier with devices from other vendors, and later products cannot be unified with those earlier ones. This can cause problems in VLAN division.
For example, when VLANs are divided in a hybrid network of Cisco and 3Com products, the trunk encapsulation protocol of the Cisco devices must be 802.1Q to communicate with the 3Com devices. Although normal VLAN division and normal operation can be established between the two, they coordinate poorly because of the switches' self-learning behaviour. When the connection between them changes, you must run the clear counter command on the Cisco switch to clear the switch.
Technical materials
VLAN implementation
VLAN is short for Virtual Local Area Network. A VLAN lets network users in different physical locations join one logical subnet and share one broadcast domain. By creating VLANs you can contain broadcast storms and so improve the overall performance and security of the switched network.
A VLAN is completely transparent to network users, who notice no difference from an ordinary switched network; for network administrators, however, the difference is large, mainly because of the advantages of VLANs:
Control of broadcast storms in the network;
Improved overall network security: through VLAN division principles such as router access lists and MAC address allocation, you can control users' access permissions and the size of each logical network segment;
Simple and intuitive network management.
VLAN division uses one of the following four policies:
1. Port-based VLAN
Port-based VLAN division is the simplest and most effective method. The network administrator only needs to re-assign the switch ports of network devices and group them into different logical segments, without considering what device is connected to each port.
2. MAC address-based VLAN
The MAC address is the identifier of the network card, and each card's MAC address is unique. VLAN division based on MAC addresses is in effect VLAN division based on workstations and servers. It works well while the network is small, but as the network grows and devices and users multiply, management becomes much harder.
3. Routing-based VLAN
Routing protocols work at layer 3 of the seven-layer model, the network layer, that is, forwarding based on IP and IPX. Such devices include routers and routing switches. This method allows a VLAN to span multiple switches or a port to belong to multiple VLANs.
4. Policy-based VLAN
Policy-based VLAN division is an effective and direct method; its behaviour depends mainly on the policies used to divide the VLANs.
At present, VLAN division mainly uses methods 1 and 3, with method 2 as a supplement. Once the VLAN division is designed, the last step follows: interconnection between VLANs.
In the past, VLAN division was mainly implemented through routers. With the expansion of the network and the growth of traffic, routers became overloaded in both port count and system performance and gradually became the main cause of network bottlenecks. Now that switches have layer-3 routing capability, both problems have been reasonably solved.