
HCIA - Access | 10 VLAN(II)


Hello everyone!


When a traditional Ethernet switch forwards data, it learns source MAC addresses automatically and lets every host connected to its ports reach every other host; maintenance personnel cannot control forwarding between ports. For example, a rule such as "host B must not be able to reach host A" cannot be enforced on a traditional Ethernet switch. As a result, traditional Ethernet has the following disadvantages:

  1. Poor network security. Any port can communicate directly with any other port, which widens the reach of a network attack.

  2. Low network efficiency. Hosts receive large numbers of packets they do not need, such as unnecessary broadcast packets, which consume network bandwidth and host CPU resources.

  3. Poor service expansion capability. Network devices treat frames from all hosts equally and cannot provide differentiated services; for example, Ethernet frames used for network management cannot be forwarded preferentially.


VLAN technology was introduced into Ethernet to address these defects. Now, let's continue learning about VLAN technology.


What is VLAN?

A VLAN (Virtual Local Area Network) logically divides network resources and network users into multiple small logical networks. Each of these small logical networks forms its own broadcast domain, the VLAN.


[Figure: VLAN]


As shown in the preceding figure, a single central switch is used, but the hosts on the left and on the right belong to different VLANs and therefore to different broadcast domains. Broadcast frames cannot cross from one broadcast domain to the other.


A VLAN logically groups users on different physical network segments into one LAN. Its functions and operations are similar to those of a traditional LAN, and it provides interconnection between the end systems within its scope.


Benefits of VLAN

Compared with traditional LAN technology, the VLAN technology has the following advantages:

Restricting broadcast packets to improve bandwidth utilization

VLANs effectively solve the performance degradation caused by broadcast storms. A VLAN forms a small broadcast domain, and the members of the VLAN belong to that domain. When a frame is not routed, the switch sends it only to the other ports in the same VLAN rather than to all ports of the switch, so the frame is confined to one VLAN and bandwidth is saved.


Reducing the cost of movement and change

When a user moves from one location to another, the user's network attributes need not be reconfigured; the change is completed dynamically. This dynamic management greatly benefits both network administrators and users: a user can access the network wherever he or she goes without any modification. Of course, not every VLAN assignment method can achieve this; port-based assignment, for example, ties membership to the physical port.


Creating a Virtual Workgroup

The ultimate goal of using VLANs is to build a virtual workgroup model. Users are not restricted by physical devices: VLAN members can be located anywhere on the network, and the VLAN does not affect user applications.


Enhances communication security

Frames of one VLAN are not delivered to another VLAN, so users in other VLANs cannot receive them and cannot eavesdrop on this VLAN's traffic at Layer 2. Note that this isolation holds only within the Layer 2 switching domain; any Layer 3 device that routes between the VLANs reintroduces a path between them, and access between VLANs must then be controlled there.


Enhances network robustness

As a network grows, some faults can affect the entire network. With VLANs, such faults can be confined to a single VLAN. Because VLANs divide the network logically, the networking scheme is flexible and configuration management is simple, which reduces management and maintenance costs.


VLAN Tag Management

To control forwarding, the switch adds a VLAN tag to each Ethernet frame and then decides how to process the frame based on the tag: discard it, forward it, add a tag, or remove a tag.


[Figure: VLAN]


Before forwarding a frame, the switch checks its VLAN tag and decides whether the tag is allowed to pass through the outbound port. In the preceding figure, the switch adds tag 5 to all frames received from A. It looks up the destination MAC address in the Layer 2 forwarding table and finds the port connected to B, but that port is configured to allow only VLAN 1, so the frames from A are discarded. A VLAN-capable switch therefore forwards Ethernet frames not only according to the destination MAC address but also according to the VLAN configuration of the port, and in this way implements Layer 2 forwarding control.


VLAN Frame Format

[Figure: VLAN frame format]


The 4-byte 802.1Q tag header consists of a 2-byte TPID and a 2-byte TCI; it is inserted between the source MAC address and the Type/Length field of the Ethernet frame.


TPID (Tag Protocol Identifier) is a type value defined by the IEEE. It indicates that the frame carries an 802.1Q tag; for 802.1Q it has the fixed value 0x8100.


The TCI contains the control information about frames. It contains the following elements:

Priority: 3 bits that indicate the frame priority. There are eight priority levels, 0 to 7; the IEEE 802.1Q standard defines the use of these three bits (also known as the 802.1p priority).


Canonical Format Indicator (CFI): 1 bit. The value 0 means the MAC addresses are in canonical format; 1 means non-canonical. It was used with Token Ring/source-routed FDDI media to indicate the bit order of the addresses carried in the encapsulated frame; on Ethernet it is always 0.


VLAN Identifier (VLAN ID): a 12-bit field that identifies the VLAN. The raw value ranges from 0 to 4095, 4096 values in total, but 0 and 4095 are reserved, so the usable range is 1 to 4094. Every tagged frame on an 802.1Q-capable switch carries this field, indicating the VLAN to which the frame belongs.


On a switched network, Ethernet frames come in two formats: untagged frames, which do not carry the 4-byte tag, and tagged frames, which do.
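As an added example, not part of the original post, the following Python parses the tag layout just described from raw frame bytes, inserts a tag (what an access port does on ingress) and strips it again (egress). The TPID value, the 3/1/12-bit split of the TCI and the usable range 1 to 4094 come from the text above; the sample frame bytes and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # fixed TPID of an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + Type/Length (2)
TAG_LEN = 4           # TPID (2) + TCI (2)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into addresses, optional 802.1Q tag fields and payload.

    Untagged frames give tagged=False and pcp/cfi/vid=None.
    """
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    info = {"dst": dst.hex(":"), "src": src.hex(":"),
            "tagged": False, "pcp": None, "cfi": None, "vid": None}
    offset = ETH_HDR_LEN
    if ethertype == TPID_8021Q:
        # the Type/Length slot holds the TPID; the TCI and the real EtherType follow it
        if len(frame) < ETH_HDR_LEN + TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[ETH_HDR_LEN:ETH_HDR_LEN + TAG_LEN])
        info.update(tagged=True,
                    pcp=tci >> 13,           # bits 15..13: priority 0..7
                    cfi=(tci >> 12) & 0x1,   # bit 12: canonical format indicator
                    vid=tci & 0x0FFF)        # bits 11..0: VLAN ID 0..4095
        offset += TAG_LEN
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the Type/Length field."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094; 0 and 4095 are reserved")
    if not 0 <= pcp <= 7 or cfi not in (0, 1):
        raise ValueError("PCP must be 0..7 and CFI 0 or 1")
    if parse_frame(frame)["tagged"]:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | (cfi << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag; untagged frames are returned unchanged."""
    if not parse_frame(frame)["tagged"]:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


# Constructed sample (not a real capture): host A (02:00:00:00:00:0a) sends an
# IPv4 frame (EtherType 0x0800) with a 4-byte dummy payload to host B.
SAMPLE_UNTAGGED = bytes.fromhex("02000000000b" "02000000000a" "0800" "deadbeef")

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, vid=5, pcp=3)
    print(parse_frame(tagged))      # tagged=True, pcp=3, cfi=0, vid=5, ethertype=0x0800
    print(strip_tag(tagged) == SAMPLE_UNTAGGED)   # True
```

The parser only looks at the first tag, which is all a single-tagged 802.1Q frame carries; the length checks matter because a truncated tag would otherwise be read as part of the payload.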


VLAN division

Inside a switch, all Ethernet frames are handled as tagged frames; that is, a frame that one port receives from another port of the same switch is always tagged. A frame received from the peer device on a port may be tagged or untagged. If a tagged frame is received, forwarding proceeds directly; if an untagged frame is received, the port must first add a tag.


A tag can be added to a frame in one of the following ways:

1. Port-based. The administrator configures a default VLAN (port VLAN ID, PVID) on each switch port. An untagged frame received on the port is tagged with the PVID.

2. MAC address-based. The administrator configures a mapping table from source MAC addresses to VLAN IDs. When an untagged frame is received, the switch looks up its source MAC address in the table and adds the corresponding VLAN ID.

3. Protocol-based. The administrator configures a mapping table from protocol fields in the Ethernet frame (such as the EtherType) to VLAN IDs. When an untagged frame is received, the switch adds the VLAN ID found in the table.

4. Subnet-based. The VLAN ID is chosen according to the source IP address carried in the packet.

5. Policy-based. This is the most secure mode: it matches on MAC address + IP address, or on MAC address + IP address + interface. Once the VLAN is created, a host that changes its IP address or MAC address no longer matches the policy and loses its VLAN membership.


When a device supports several of these modes at once, it chooses the mode to apply to an untagged frame in the following order of priority: policy-based, MAC address-based, subnet-based, protocol-based, and finally port-based.


Port-based assignment has the lowest priority but is by far the most common mode.
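As an added example that is not from the original post, here is the priority order above applied to an untagged frame in Python. The five mapping tables, the interface names (GE0/0/1, GE0/0/2) and the MAC and IP addresses are constructed for the example; real switches keep these tables in hardware and the exact matching rules vary by platform. The example also makes visible a point the text only hints at: MAC- and subnet-based membership follows whatever source address the host presents, whereas a policy entry binds MAC, IP and interface together.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class UntaggedFrame:
    port: str                       # ingress interface
    src_mac: str
    ethertype: int                  # 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6, ...
    src_ip: Optional[str] = None    # None when no IPv4 header is inspected


# Constructed mapping tables for the example (not from the page).
POLICY_VLANS = {   # (interface, MAC, IP) -> VID : policy-based mode
    ("GE0/0/1", "02:00:00:00:00:0a", "10.0.0.10"): 100,
}
MAC_VLANS = {"02:00:00:00:00:0b": 20}                      # MAC address-based
SUBNET_VLANS = [(ip_network("10.0.0.0/24"), 10),           # subnet-based
                (ip_network("192.168.1.0/24"), 30)]
PROTOCOL_VLANS = {0x86DD: 60}                              # protocol-based: IPv6 -> VLAN 60
PVID = {"GE0/0/1": 1, "GE0/0/2": 5}                        # port-based default VLANs


def classify_untagged(f: UntaggedFrame) -> Tuple[int, str]:
    """Return (vid, mode) using the priority policy > MAC > subnet > protocol > port."""
    key = (f.port, f.src_mac, f.src_ip)
    if key in POLICY_VLANS:
        return POLICY_VLANS[key], "policy"
    if f.src_mac in MAC_VLANS:
        return MAC_VLANS[f.src_mac], "mac"
    if f.src_ip is not None:
        ip = ip_address(f.src_ip)
        for net, vid in SUBNET_VLANS:
            if ip in net:
                return vid, "subnet"
    if f.ethertype in PROTOCOL_VLANS:
        return PROTOCOL_VLANS[f.ethertype], "protocol"
    return PVID[f.port], "port"     # lowest priority, always matches


if __name__ == "__main__":
    host_a = UntaggedFrame("GE0/0/1", "02:00:00:00:00:0a", 0x0800, "10.0.0.10")
    print(classify_untagged(host_a))                                   # (100, 'policy')
    # the same host after changing its IP: the policy no longer matches and
    # the frame falls through to the subnet rule, i.e. it leaves VLAN 100
    moved = UntaggedFrame("GE0/0/1", "02:00:00:00:00:0a", 0x0800, "10.0.0.99")
    print(classify_untagged(moved))                                    # (10, 'subnet')
    # a host on GE0/0/2 presenting B's MAC address gets B's VLAN: the
    # MAC-based mode trusts the source MAC as presented
    spoof = UntaggedFrame("GE0/0/2", "02:00:00:00:00:0b", 0x0800, "172.16.0.5")
    print(classify_untagged(spoof))                                    # (20, 'mac')
```

The order of the `if` blocks is the whole point: a frame is classified by the first mode that has an entry for it, and the port PVID is only the fallback. Adding an entry to a lower-priority table therefore never overrides a higher-priority match.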


The Scalability of VLAN

[Figure: VLANs spanning multiple switches]


VLAN information can be carried across multiple switches to the switches that need it.

In the figure above, all VLAN 3 traffic can be exchanged through the intermediate switches, and so can the VLAN 5 traffic.


Link-type of VLAN

[Figure: VLAN link types]


With VLANs, both tagged and untagged Ethernet frames exist on a switched network, so links are classified into access links and trunk links.

1. Access link. The link between a user host and a switch is an access link. Frames on an access link are untagged Ethernet frames.

2. Trunk link. The link between two switches is a trunk link. Frames on a trunk link are generally tagged VLAN frames, but untagged Ethernet frames are also allowed (they are assigned to the port's default VLAN).


Similarly, Ethernet switch ports are classified into three types according to how they process VLAN tags.

1. Access port. An access port connects the switch to user hosts and can only be attached to an access link. At any given time an access port belongs to exactly one VLAN, so frames of only that VLAN pass through it. It receives untagged frames, adds the tag when a frame is received, and removes the tag when a frame is sent.

2. Trunk port. A trunk port connects the switch to other switches and allows tagged frames of multiple VLANs to pass through.

When an untagged frame is received, it is tagged with the port's default VLAN ID. When a tagged frame is received, the switch checks whether the trunk port allows that VLAN; if not, the frame is discarded.

When a frame is sent, the tag is removed if its VLAN ID equals the default VLAN ID; otherwise the frame is sent with its tag intact.

3. Hybrid port. A hybrid port can connect to user hosts as well as to other switches, so it can be attached to both access and trunk links. It allows frames of multiple VLANs to pass through.

When an untagged frame is received, it is tagged with the default VLAN ID of the hybrid port. When a tagged frame is received, the hybrid port checks whether that VLAN is allowed; if yes, it proceeds to the next step, otherwise it discards the frame.

When a frame is sent, the switch checks whether the frame's VLAN is configured as untagged or tagged on that port. If untagged, the VLAN tag is removed before the frame is sent; if tagged, the frame is sent as is.


Default VLAN

1. An access port belongs to only one VLAN, so its default VLAN ID is the VLAN to which the port belongs.

2. A trunk port allows multiple VLANs to pass through, and one of them can be designated the default VLAN. When an untagged frame is received, the trunk port adds the default VLAN tag; when a frame whose VLAN ID equals the default VLAN ID is sent, the tag is stripped.

3. A hybrid port also allows multiple VLANs and designates one of them as the default VLAN. When an untagged frame is received, the hybrid port adds the default VLAN tag. When sending a frame, the switch checks whether the frame's VLAN is in untagged or tagged mode on that port.
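The ingress and egress rules for the three port types, together with the default-VLAN summary just above, are compact enough to model directly. The following Python is an added example, not code from the original post or from any switch vendor. The port names E0/1 to E0/4 and the VLAN numbers are constructed (A in VLAN 5 and B in VLAN 1 mirror the earlier figure), and two behaviours the text does not spell out are assumptions marked in comments: an access port accepts a tagged frame only when its VID equals the PVID, and a trunk or hybrid port admits untagged frames only if its PVID is in its allow-pass list.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# egress result: ("drop" | "untagged" | "tagged", VID on the wire or None)
Result = Tuple[str, Optional[int]]


@dataclass
class Port:
    name: str
    link_type: str                 # "access", "trunk" or "hybrid"
    pvid: int = 1                  # default VLAN; every port starts in VLAN 1
    allowed: Set[int] = field(default_factory=lambda: {1})  # allow-pass list (trunk/hybrid)
    untagged: Set[int] = field(default_factory=set)         # hybrid: VLANs sent without a tag

    def __post_init__(self) -> None:
        if self.link_type == "access":
            # an access port carries exactly one VLAN, always untagged on the wire
            self.allowed = {self.pvid}
            self.untagged = {self.pvid}
        elif self.link_type == "trunk":
            # a trunk strips the tag only for its PVID; every other VLAN leaves tagged
            self.untagged = {self.pvid}
        elif self.link_type == "hybrid":
            # a hybrid port's allowed set is the union of its tagged and untagged VLANs
            self.allowed = set(self.allowed) | set(self.untagged)
        else:
            raise ValueError(f"unknown link-type {self.link_type!r}")


def ingress(port: Port, wire_vid: Optional[int]) -> Optional[int]:
    """Return the VLAN the frame is placed in, or None if the port discards it.

    wire_vid is None for an untagged frame, otherwise the VID carried in its tag.
    """
    vid = port.pvid if wire_vid is None else wire_vid       # untagged -> PVID
    if port.link_type == "access" and wire_vid is not None and wire_vid != port.pvid:
        return None   # assumption: access ports accept a tagged frame only for their own VLAN
    # assumption: the PVID must itself be in the allow-pass list for untagged frames to enter
    return vid if vid in port.allowed else None


def egress(port: Port, vid: int) -> Result:
    """Decide whether a frame in VLAN vid leaves this port, and whether it keeps its tag."""
    if vid not in port.allowed:
        return ("drop", None)
    if vid in port.untagged:
        return ("untagged", vid)
    return ("tagged", vid)


def forward(in_port: Port, out_port: Port, wire_vid: Optional[int]) -> Result:
    """Ingress on one port, egress on another: the Layer 2 forwarding control of the text."""
    vid = ingress(in_port, wire_vid)
    if vid is None:
        return ("drop", None)
    return egress(out_port, vid)


# Constructed topology: A (VLAN 5) and B (VLAN 1) on access ports, a trunk to another
# switch carrying VLANs 1, 3 and 5, and a hybrid port with VLAN 10 untagged, VLAN 20 tagged.
PORT_A = Port("E0/1", "access", pvid=5)
PORT_B = Port("E0/2", "access", pvid=1)
TRUNK = Port("E0/3", "trunk", pvid=1, allowed={1, 3, 5})
HYBRID = Port("E0/4", "hybrid", pvid=10, allowed={20}, untagged={10})

if __name__ == "__main__":
    print(forward(PORT_A, PORT_B, None))   # ('drop', None): VLAN 5 may not leave B's VLAN 1 port
    print(forward(PORT_A, TRUNK, None))    # ('tagged', 5): leaves the trunk with tag 5
    print(forward(PORT_B, TRUNK, None))    # ('untagged', 1): VLAN 1 is the trunk PVID, tag stripped
    print(forward(TRUNK, PORT_A, 3))       # ('drop', None): VLAN 3 has no access port here
```

Two practical consequences fall out of the model: a frame that arrives untagged on a trunk silently lands in the trunk's PVID, so the PVID on inter-switch links should be a VLAN that carries no user hosts; and nothing in VLAN 5 can ever reach B's port, which is the isolation the text describes, as long as no Layer 3 device joins the two VLANs.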


Note: The default port mode is access. By default, all ports belong to VLAN 1; VLAN 1 is the default VLAN and cannot be created or deleted.

Access-Link configure

Here a new term appears: PVID, Port VLAN ID, which represents the VLAN of the port. On an access port the PVID is the VLAN to which the port belongs; for example, PVID = 100 means the port is assigned to VLAN 100.

By default, all ports of an 802.1Q switch belong to VLAN 1, that is, their PVID is 1; this is why VLAN 1 is called the default VLAN.

[Figure: access link configuration]

// Configure the link type

[Switch-Ethernet0/1]port link-type access

[Switch-Ethernet0/2]port link-type access

 

// Create the VLANs and add interfaces to them

[Switch]vlan 3

[Switch-vlan3]port Ethernet 0/1

[Switch]vlan 5

[Switch-vlan5]port Ethernet 0/2

 

// Another way to add an interface to a VLAN (sets the PVID from the interface view)

[Switch-Ethernet0/1]port default vlan 3

[Switch-Ethernet0/2]port default vlan 5


Trunk-Link configure

A trunk port forwards frames of multiple VLANs between switches. Use the command "port trunk allow-pass vlan [VID]" to allow frames of specific VLANs to pass. "vlan all" permits every VLAN; on a production trunk it is better to list only the VLANs the trunk must carry, so that a VLAN created later is not automatically carried across every trunk.

[Figure: SW]

// Configure the link type

[Switch-Ethernet0/3]port link-type trunk

 

// Configure the allow-pass list

[Switch-Ethernet0/3]port trunk allow-pass vlan all

 

// Configure the PVID

[Switch-Ethernet0/3]port trunk pvid vlan 1

 

The command "port trunk pvid vlan [VID]" changes the PVID of a trunk port. The meaning of the PVID differs between port types: on an access port it is the VLAN the port belongs to, whereas on a trunk port it is the default VLAN, the one applied to untagged frames received on the port and stripped from frames sent out of it.


Thanks for reading!

The post is synchronized to: HCIA-Access
