What is VLAN?
I. Why VLAN is needed
1.1. What is VLAN?
VLAN stands for Virtual LAN (in Chinese, "虚拟局域网"). A LAN can be anything from a few home computers to an enterprise network of hundreds of machines. Here, VLAN refers to a network as partitioned by a router, that is, a broadcast domain.
Let us first review the concept of a broadcast domain. A broadcast domain is the range that a broadcast frame (one whose destination MAC address is all ones) can reach, that is, the range within which hosts can communicate directly. Strictly speaking, it is not only broadcast frames: multicast frames and unicast frames with unknown destinations also travel freely within the same broadcast domain.
Originally a Layer 2 switch could only form a single broadcast domain; with the VLAN function it can divide the network into multiple broadcast domains.
1.2. What happens if the broadcast domain is not divided?
So why do we need to divide the broadcast domain? Because if there is only one broadcast domain, the overall transmission performance of the network may suffer. The attached figure illustrates the reason.
The figure shows a network of five Layer 2 switches (switches 1-5) connected to a large number of clients. Suppose computer A needs to communicate with computer B. In Ethernet communication the destination MAC address must be specified in the data frame, so computer A must first broadcast an ARP Request to obtain the MAC address of computer B.
Switch 1 receives the broadcast frame (the ARP request) and forwards it to all ports except the one it arrived on; this is called flooding. Switch 2 floods the frame as well when it receives it, and so do switches 3, 4 and 5. In the end the ARP request is forwarded to every client in the network.
Note that this ARP request was only sent to obtain the MAC address of computer B, so it would be enough for computer B alone to receive it. In fact, however, the frame is transmitted throughout the whole network and every computer receives it. Broadcast traffic thus consumes bandwidth across the entire network, and every computer that receives it spends CPU time processing it. The result is a lot of unnecessary consumption of network bandwidth and CPU power.
1.3. Are broadcast messages sent that often?
Reading this far, you may ask: is broadcast traffic really that frequent?
The answer is yes. Broadcast frames appear very frequently. When communicating with the TCP/IP protocol stack, besides ARP there are many other kinds of broadcast traffic, such as DHCP and RIP.
An ARP broadcast is issued whenever a host needs to communicate with another host. When a client asks a DHCP server to assign it an IP address, it must broadcast the DHCP request. When RIP is used as the routing protocol, a router broadcasts its routing information to neighboring routers every 30 seconds. Routing protocols other than RIP use multicast to transmit routing information, which switches also forward. Besides TCP/IP, the NetBEUI, IPX and AppleTalk protocols frequently require broadcasts. For example, double-clicking "Network Neighborhood" under Windows sends a broadcast (multicast) message (except on Windows XP...).
In short, broadcasts are all around us. Here are some common kinds of broadcast communication:
ARP request: Establish the mapping relationship between IP address and MAC address.
RIP: A routing protocol.
DHCP: Protocol for automatically assigning IP addresses.
NetBEUI: A network protocol used under Windows.
IPX: The network protocol used by Novell NetWare.
AppleTalk: The network protocol used by Apple's Macintosh computers.
If the whole network is a single broadcast domain, every broadcast message spreads over the entire network and places an additional burden on every host in it. Therefore, when designing a LAN, we need to pay attention to dividing the broadcast domain effectively.
1.4. Dividing the Broadcast Domain and the Need for VLANs
Dividing broadcast domains generally requires a router: each LAN interface of the router delimits one broadcast domain.
However, routers usually do not have many network interfaces, typically about 1-4. With the spread of broadband connections, broadband routers (or NAT sharing devices) have become common. Note, though, that although they have several (usually about four) network interfaces on the LAN side, those interfaces are actually a switch built into the router and cannot divide broadcast domains.
Moreover, when routers are used to divide broadcast domains, the number of divisions depends entirely on the number of router interfaces, so users cannot divide broadcast domains freely according to their actual needs.
Compared with routers, Layer 2 switches generally have many more network interfaces. If they could be used to divide the broadcast domain, flexibility would be greatly improved.
VLAN is the technology for dividing broadcast domains on a Layer 2 switch. With VLANs we can freely design the composition of broadcast domains and gain freedom in network design.
II. Mechanisms for Implementing VLANs
2.1. How VLANs are implemented
Now that we understand why VLANs are needed, let's look at how a switch uses VLANs to split broadcast domains.
First, on a Layer 2 switch without any VLANs, a broadcast frame is forwarded to all ports except the receiving port (flooding). For example, when computer A sends a broadcast, it is forwarded to ports 2, 3 and 4.
Now suppose two VLANs are created on the switch: ports 1 and 2 belong to the red VLAN and ports 3 and 4 to the blue VLAN. If A sends a broadcast frame, the switch forwards it only to the other ports in the same VLAN, that is, to port 2 in the red VLAN, and not to the ports in the blue VLAN.
Similarly, a broadcast sent by C is forwarded only to the other ports in the blue VLAN, not to the ports in the red VLAN.
In this way a VLAN divides the broadcast domain by limiting the range over which broadcast frames are forwarded. For illustration the figure above distinguishes the VLANs by the colors red and blue; in practice they are distinguished by a "VLAN ID".
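The forwarding behaviour described in 2.1 can be reproduced with a small model of a VLAN-aware Layer 2 switch. The following Python is an added example, not code from the original article; the port numbers, VLAN IDs and MAC addresses are constructed for the demonstration. It shows a frame flooded to ports 2, 3 and 4 when there are no VLANs, the same broadcast reaching only port 2 once ports 1-2 are red (VLAN 10) and ports 3-4 are blue (VLAN 20), and why a MAC learned in one VLAN is unknown in the other.

```python
# Added example (not from the original article): a minimal model of a
# Layer 2 switch with static, port-based VLANs. All ports, VLAN IDs and
# MAC addresses are constructed for the demonstration.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    note: str = ""


@dataclass
class Switch:
    # Static (port-based) VLAN: port number -> VLAN ID.
    port_vlan: dict
    # MAC table learned from source addresses, keyed per VLAN:
    # (vlan, mac) -> port. Keeping the VLAN in the key is what stops a
    # host in one broadcast domain from being "known" in another.
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> list:
        """Return the egress ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port
        out = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and out is not None and out != in_port:
            return [out]  # known unicast: one port only
        # Broadcast or unknown unicast: flood, but only to ports in the
        # same VLAN. Without VLANs every other port is in the flood set.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


A = "02:00:00:00:00:0a"
B = "02:00:00:00:00:0b"
C = "02:00:00:00:00:0c"


def flood_without_vlan() -> list:
    """No VLANs (all ports in VLAN 1): A's ARP request reaches ports 2, 3 and 4."""
    sw = Switch(port_vlan={1: 1, 2: 1, 3: 1, 4: 1})
    return sw.forward(1, Frame(A, BROADCAST, "ARP who-has B"))


def flood_with_vlans() -> dict:
    """Ports 1-2 in the red VLAN (10), ports 3-4 in the blue VLAN (20)."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    result = {}
    # A's broadcast is flooded only to the other red port.
    result["A_arp"] = sw.forward(1, Frame(A, BROADCAST, "ARP who-has B"))
    # C's broadcast stays inside the blue VLAN.
    result["C_arp"] = sw.forward(3, Frame(C, BROADCAST, "ARP who-has D"))
    # B answers A with a unicast; A was learned on port 1 in VLAN 10,
    # so the reply goes to port 1 only and is not flooded.
    result["B_reply"] = sw.forward(2, Frame(B, A, "ARP reply"))
    # C addresses A's MAC directly. A is unknown in VLAN 20 (it was
    # learned in VLAN 10), so the frame is flooded only within blue and
    # never reaches A: the two VLANs are separate broadcast domains.
    result["C_to_A"] = sw.forward(3, Frame(C, A, "unicast"))
    return result


if __name__ == "__main__":
    print("no VLANs:", flood_without_vlan())
    print("with VLANs:", flood_with_vlans())
```

The model keeps the MAC table keyed by (VLAN, MAC) rather than by MAC alone; that is the detail which makes the two VLANs behave as the separate logical switches described in 2.2.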
2.2. An intuitive picture of VLANs
To picture VLANs more intuitively, think of one switch being logically divided into several switches. Creating a red and a blue VLAN on one switch can be regarded as replacing that switch with two virtual switches, one red and one blue.
Creating a further VLAN besides the red and blue ones can be imagined as adding yet another switch.
However, the logical switches created by VLANs are not interconnected. Therefore, once VLANs are configured on a switch, the VLANs cannot communicate with each other unless something further is done.
Being connected to the same switch yet unable to communicate may seem hard to accept. But this is both the convenience of VLANs and the reason they are hard to understand.
2.3. What happens when communication between VLANs is needed?
So what should we do when hosts in different VLANs need to communicate?
Recall once more that a VLAN is a broadcast domain. Two broadcast domains are generally connected by a router, which relays packets between them. Communication between VLANs therefore also requires a router to relay the traffic; this is called "inter-VLAN routing".
Inter-VLAN routing can be done with an ordinary router or with a Layer 3 switch. The details will be covered when the opportunity arises; for now, remember that a routing function is needed for different VLANs to communicate with each other.
III. Access Links of VLAN
3.1. Switch ports
Switch ports can be divided into the following two types:
Access links
Trunk links
Next let's learn the characteristics of these two kinds of ports in turn, starting with access links.
3.2. Access Links
An access link is a port that "belongs to only one VLAN and forwards data frames only to that VLAN". In most cases access links connect to client computers.
Usually the order of setting up VLANs is:
Create the VLANs
Set the access links (decide which VLAN each port belongs to)
The access link setting can be fixed in advance or changed dynamically according to the computer connected. The former is called a "static VLAN" and the latter, naturally, a "dynamic VLAN".
A static VLAN is also called a port-based VLAN. As the name implies, it specifies which VLAN each port belongs to.
Because ports must be specified one by one, when the number of computers in the network exceeds a certain size (for example, hundreds), configuration becomes extremely cumbersome. Moreover, every time a client changes the port it is connected to, the VLAN setting of that port must be changed at the same time, which is obviously unsuitable for networks whose topology changes frequently.
Dynamic VLANs, on the other hand, change the VLAN of a port according to the computer connected to it, which avoids the reconfiguration described above. Dynamic VLANs can be roughly divided into three categories:
MAC-based VLAN
Subnet-based VLAN
User-based VLAN
The main difference between them is which layer of the OSI reference model supplies the information used to decide the VLAN a port belongs to.
(1) A MAC-based VLAN decides port membership by querying and recording the MAC address of the network card connected to the port. Suppose the switch is configured so that MAC address "A" belongs to VLAN 10; then whichever port the computer with MAC address "A" is connected to, that port is placed in VLAN 10. When the computer is connected to port 1, port 1 belongs to VLAN 10; when it is connected to port 2, port 2 belongs to VLAN 10.
(2) A subnet-based VLAN decides the VLAN of a port by the IP address of the connected computer. Unlike a MAC-based VLAN, even if the computer's MAC address changes because its network card was replaced or for other reasons, it can still join the original VLAN as long as its IP address stays the same.
Compared with MAC-based VLANs, therefore, the network structure can be changed more easily. The IP address is Layer 3 information in the OSI reference model, so a subnet-based VLAN can be understood as a way of setting access links at Layer 3 of OSI.
(3) A user-based VLAN decides which VLAN a port belongs to according to the user currently logged in on the computer connected to each switch port. The user identity is generally the user logged in to the computer's operating system, for example the user name in a Windows domain. This user name information belongs to Layer 4 and above of OSI.
Generally speaking, the higher the OSI layer of the information used to decide which VLAN a port belongs to, the more suitable it is for building a flexible network.
3.3. Summary of Access Links
In summary, there are two ways to set up access links, static VLANs and dynamic VLANs, and dynamic VLANs can be further subdivided into several sub-categories.
Among these, subnet-based and user-based VLANs may be implemented by network equipment vendors with proprietary protocols, so compatibility problems may arise between devices from different vendors; when choosing a switch, this must be confirmed in advance.
IV. Trunk Links of VLAN
4.1. Setting up a VLAN spanning multiple switches
When planning an enterprise network, it is very likely that users belonging to the same department are scattered across different floors of the same building. It may then be necessary to consider how to set up a VLAN across multiple switches. Suppose there is a network as shown in the figure below, and A, C, B and D on different floors need to be placed in the same VLAN.
The key question here is: how should switch 1 and switch 2 be connected?
The simplest way is to set aside a dedicated port for the red VLAN and another for the blue VLAN on each of switches 1 and 2, and connect them.
However, this approach scales poorly and is inefficient to manage. For example, when a new VLAN is added to the existing network, a new cable must be run between the switches for that VLAN to span them. Vertical cabling between floors of a building is troublesome and generally cannot be done at will by front-line administrators. Moreover, the more VLANs there are, the more ports are consumed for interconnecting the floors (strictly speaking, the switches). Such inefficient use of switch ports wastes resources and limits the expansion of the network.
To avoid this inefficient way of connecting, the interconnecting cables between switches are concentrated onto a single link, which is called a trunk link.
4.2. What is a trunk link?
A trunk link is a port that can forward the traffic of multiple different VLANs.
Data frames traveling on a trunk link carry special information identifying which VLAN they belong to.
The VLAN identification information added on a trunk link may follow the standard IEEE 802.1Q protocol or Cisco's proprietary ISL (Inter Switch Link). If the switches support these specifications, users can efficiently build VLANs across multiple switches.
In addition, since a trunk link carries many VLANs, its load is naturally heavy. A prerequisite for setting up a trunk link is therefore that it supports a transmission speed of more than 100 Mbps.
Also, by default a trunk link forwards the traffic of every VLAN that exists on the switch. Put another way, a trunk link (port) can be regarded as belonging to all VLANs on the switch at the same time. Since in practice it is unlikely that every VLAN's traffic needs to be forwarded, we can restrict which VLANs are carried over a trunk link in order to reduce the load on the switches and avoid wasting bandwidth.
V. Trunking Modes of VLAN (IEEE 802.1Q and ISL)
5.1. Trunking Modes
On a trunk link between switches, a VLAN spanning multiple switches is constructed by adding VLAN information to the data frames.
The most representative methods of adding VLAN information are:
IEEE 802.1Q
ISL
5.2. IEEE 802.1Q
IEEE 802.1Q, commonly known as "Dot One Q", is an IEEE-standardized protocol for attaching VLAN identification information to data frames.
Recall the standard format of an Ethernet data frame.
The VLAN identification information of IEEE 802.1Q is inserted between the "source MAC address" and the "Type" field of the data frame. It consists of a 2-byte TPID and a 2-byte TCI, 4 bytes in total.
Adding 4 bytes to the data frame naturally changes its CRC. The CRC on the tagged frame is the value recalculated over the entire frame, including the inserted TPID and TCI.
When the data frame leaves the trunk link, the TPID and TCI are removed and the CRC is recalculated again.
The value of TPID is fixed at 0x8100; a switch uses the TPID to recognize that IEEE 802.1Q VLAN information has been added to the frame. The VLAN ID itself is a 12-bit field inside the TCI, so a maximum of 4096 VLANs can be identified.
The VLAN information added by IEEE 802.1Q is like a tag attached to a parcel for delivery, so this is also called "tagging VLAN".
5.3. ISL (Inter Switch Link)
ISL is a protocol similar to IEEE 802.1Q, supported on Cisco products, for attaching VLAN information to frames on trunk links.
With ISL, a 26-byte "ISL header" is prepended to each data frame, and a 4-byte CRC computed over the whole frame including the ISL header is appended at the tail. In other words, 30 bytes of information are added in total.
In an ISL environment, when a frame leaves the trunk link, the ISL header and the new CRC are simply removed. Since the original frame and its CRC are preserved intact, there is no need to recalculate the CRC.
ISL is like wrapping the original frame inside an ISL header and a new CRC, so it is also called "encapsulated VLAN".
Note that neither IEEE 802.1Q's "tagging VLAN" nor ISL's "encapsulated VLAN" is a strictly defined term. Different books and reference materials may use these words interchangeably, so pay attention to this when studying.
Because ISL is a Cisco proprietary protocol, it can only be used to interconnect Cisco network devices.