VLAN solution for large and medium-sized enterprises using layer-3 switches

Source: Internet
Author: User

As enterprises grow, so do their networks. Many enterprises expand the network simply by adding computers directly to the existing network. As a result, the network becomes more and more complex and harder and harder to manage. Network security declines and the utilization of network resources drops sharply. How to manage the network effectively and make rational use of network resources has become the biggest challenge for enterprises.

Dividing the network into VLANs lets administrators manage the enterprise network more conveniently. VLANs can be extended flexibly, so an enterprise can expand its network without confusion, and the ability of VLANs to control broadcast storms greatly improves the performance of enterprise network resources. VLAN networks are also simple to manage and highly secure. Using VLANs in the initial design of the network therefore brings great benefits for its future expansion.

Partitioning VLANs with a router is a cost-effective method for small and medium-sized enterprises, but it seriously affects network performance. For this reason, layer-3 switches with routing functions are widely used in the VLAN networks of large and medium-sized enterprises. We must be clear, however, that a VLAN network built on a layer-3 switch still requires a router. The router serves only as the connection between the enterprise network and the Internet; communication between VLANs is not implemented by the router.

VLAN network structure built by layer-3 switches
 

The biggest feature of VLAN network division is its flexibility. VLAN-based network division mainly includes static VLAN and dynamic VLAN. Static VLAN is actually port-based VLAN; this division method is complex because the administrator needs to configure the ports of each switch. Dynamic VLAN is divided into three types: subnet-based VLAN, MAC address-based VLAN, and user-based VLAN. Each of the three has its own characteristics, so we can combine them flexibly when dividing a VLAN network. For example, mobile users may change their external wireless NICs at any time, so we can place mobile users in user-based VLANs. Fixed users can use subnet-based VLAN, that is, assigning the IP addresses of one segment to one VLAN.

The first layer of the network shown is still a router, because the router is the only device used to connect the intranet to the Internet. The router therefore cannot be omitted; it simply does not route traffic between VLANs. We also need to note that large VLAN networks place high demands on the router because of their large data transmission volumes, so we cannot assume that using a layer-3 switch removes the need for a capable router. We still need to choose a router based on the size of the entire network.

The second layer is the layer-3 switch, which is the key to the entire large VLAN network. A layer-3 switch provides two functions: routing and switching. The routing function is the key technology for inter-VLAN communication. When the first packet of a data stream enters the layer-3 switch, the switch routes it and at the same time generates a mapping table between the MAC address and the IP address. The advantage is that when the same data stream enters the layer-3 switch again, the switch does not need to route it again; the stream is forwarded directly by the layer-3 switch, which effectively removes the network bottleneck caused by the router. The layer-3 switch is also the key to VLAN division: the administrator only needs to configure the layer-3 switch to complete the VLAN division. When selecting a layer-3 switch, we must therefore choose reasonably based on our actual situation to ensure the normal operation of the entire VLAN network.

On the third layer of the network, we select a layer-2 switch. The role of a layer-2 switch in a VLAN network is to ensure the normal operation of the base layer of the entire network. If the network is very large, it is best to select a gigabit switch for this layer so that the next layer of the network can continue to connect to it for expansion. If the network is not very large (the number of computers connected to a layer-3 switch is at least 200), you can directly select a common switch for this layer.

The bottom layer of the network is the basis of the entire network. It is also the standard by which we determine how to divide VLAN networks. It is made up of the enterprise's computer terminals and servers.

400 node Enterprise Network Design Scheme

Next we will design an enterprise VLAN network with 400 nodes. We assume that this enterprise is divided into a sales department, an after-sales service department, a design department, a finance department, and a server area. The sales department has 20 computers, the after-sales service department has 20 computers, the finance department has 20 computers, the server area has 20 servers, and the design department has 320 computers. We can divide the entire enterprise network into six VLANs. If you feel that the number of computers in the design department is large, you can also divide the computers in this department into VLANs. Is the VLAN partition structure of the 500 node.

Again, the VLAN network must be configured on the layer-3 switch. It is a VLAN structure diagram after configuration. We can see that for the sales department, the after-sales service department, and the finance department, a layer-2 switch is selected for each of the three VLANs. These departments have low network bandwidth requirements and a small number of computers. Each VLAN has only 20, so we can select a 24-port switch to implement the VLAN. You can decide based on your actual situation.

Because of the large number of computers in the design department, we use a gigabit switch and multiple common switches to implement its VLAN. For the server area, we also select a gigabit switch, mainly because servers have very high network bandwidth requirements. The selection of the layer-3 switch and the router is also based on the actual situation.
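The department sizes of the 400-node scheme above, turned into a subnet-per-VLAN address plan with a subnet-based membership lookup. This is an added example, not part of the original article; the 10.20.0.0/16 supernet, the VLAN IDs, the one-VLAN-per-department layout and all function names are assumptions.

```python
import ipaddress

# Host counts come from the article; everything else here is assumed.
DEPARTMENTS = {"design": 320, "sales": 20, "after_sales": 20,
               "finance": 20, "servers": 20}
SUPERNET = ipaddress.ip_network("10.20.0.0/16")  # assumed address block
FIRST_VLAN_ID = 10                               # assumed numbering: 10, 20, ...


def prefix_for(hosts):
    """Longest prefix that fits the hosts plus gateway, network and broadcast."""
    needed = hosts + 3
    return 32 - (needed - 1).bit_length()


def plan_vlans(departments, supernet, first_id=FIRST_VLAN_ID):
    """Allocate one subnet per department, largest first so blocks stay aligned."""
    plan = {}
    cursor = int(supernet.network_address)
    ordered = sorted(departments.items(), key=lambda kv: -kv[1])
    for index, (name, hosts) in enumerate(ordered):
        prefix = prefix_for(hosts)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # align to the block size
        net = ipaddress.IPv4Network((cursor, prefix))
        if not net.subnet_of(supernet):
            raise ValueError("supernet too small for " + name)
        plan[name] = {"vlan": first_id + 10 * index, "subnet": net,
                      "gateway": net.network_address + 1}
        cursor += size
    return plan


def vlan_for(ip, plan):
    """Subnet-based membership: (department, VLAN ID), or None if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, entry in plan.items():
        if addr in entry["subnet"]:
            return name, entry["vlan"]
    return None  # address outside every planned subnet: treat as unassigned


if __name__ == "__main__":
    plan = plan_vlans(DEPARTMENTS, SUPERNET)
    for name, entry in plan.items():
        print(entry["vlan"], name, entry["subnet"], "gw", entry["gateway"])
    print(vlan_for("10.20.2.70", plan), vlan_for("192.168.1.5", plan))
```

The gateway address of each subnet is where the layer-3 switch's routed interface for that VLAN would sit, which is also the point at which inter-VLAN traffic can be filtered.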

We recommend several products based on the above VLAN structure.

Router selection is relatively simple. The only requirement is that it can connect 400 computer nodes. However, we also need to consider common firewall functions and the performance of the router; after all, the speed of a network is very important.

Ruijie network STAR-R2620 modular Multi-Service Router

 

STAR-R2620 is a modular router for small and medium-sized enterprises. The router uses an ARM 4530 processor with 32 MB memory and 8 Mb flash memory. With the addition of a 10/100 Mbps adaptive LAN port and a WAN port, it can fully meet the needs of small and medium-sized enterprise users as a core router and can also be used as an access router for large enterprises. The router provides two expansion slots, and you can select different expansion modules to support multiple services. These expansion modules all have their own CPUs, so when they are inserted in the router, the computing load on the router's CPU is reduced. STAR-R2620 supports voice functions, video conferencing, and real-time fax, fully meeting the needs of enterprise users for a variety of services. The router also supports the VPN function, which lets employees remotely access resources within the enterprise even when they are thousands of miles away. The router has a complete QoS mechanism: when the enterprise intranet runs short of network resources, it can allocate sufficient bandwidth to core services to meet users' needs. In terms of security, the router supports MAC address binding, time-based access control, hierarchical command protection, and other functions to defend against attacks from hackers on the Internet.

Because the router serves only as the connection between the enterprise network and the Internet in large and medium-sized VLAN networks, it has no VLAN requirements. For enterprise networks, voice, VPN and similar functions are more commonly needed, so we chose the STAR-R2620 router.

The layer-3 switch is the core product in a large or medium-sized VLAN network. Communication between VLANs can only be achieved through the layer-3 switch. Because the layer-3 switch must exchange all data, it carries a high load, so we must be careful when selecting one.

Ruijie network STAR-S3550-12G Layer 3 Switch

 


STAR-S3550-12G is a fully gigabit layer-3 switch with 48 Gbit/s of backplane bandwidth. Its packet forwarding rate reaches 18 Mpps, and it can be connected to other switches through 12 gigabit LAN ports to expand the network scale. The switch has 4K VLAN space and supports multiple VLAN modes. You can configure VLANs on the switch to form a VLAN network, and its routing function allows traffic between different VLANs to be routed here to implement inter-VLAN communication. The STAR-S3550-12G has the redundant power system STAR-RPS and supports the VRRP virtual router redundancy protocol and other functions to ensure the normal and stable operation of the router. The switch can bind a port to a MAC address and an IP address to prevent the most common DoS attacks on the Internet. The switch provides Secure Shell for encrypted data transmission, which effectively prevents hacker attacks and data theft. The switch also supports user authentication and restricts communication by unauthorized users, providing a safer environment for enterprise networks. The switch can implement traffic control, allocate reasonable bandwidth to users, and use network resources effectively.

STAR-S3550-12G can meet the needs of enterprise users in the above network. Its 4K VLAN space and support for a variety of VLAN modes let the administrator easily and flexibly design multiple VLANs and implement VLAN division for the enterprise network. Because the switch has 12 ports, the network is highly scalable.

The switches used by the design department and the server area require strong performance. The server area requires a large network bandwidth because a large number of users access the servers, while the design department itself has a large number of computers, so these switches have high performance requirements. As the layer-3 switch has already divided the entire VLAN network, and the investment in a layer-3 switch is relatively high, you do not need to buy a layer-3 switch for this layer, which reduces the investment while still meeting the needs of the enterprise. However, when selecting the gigabit switches used in the two zones, it is best to choose ones with a traffic control function, so that bandwidth can be allocated to the next layer of the network and network resources are used effectively.

STAR-S1926G + Gigabit enhanced Network Management Switch

STAR-S1926G + is a gigabit switch with 24 10/100 Mbps adaptive ports, which can be fitted with gigabit modules through two expansion slots to achieve gigabit connection. The switch has 18 Gbit/s backplane bandwidth and a 6.6 Mpps packet forwarding rate, which can fully meet the needs of enterprise users for large-capacity data exchange. This switch supports streaming.
