VLAN (Virtual Local Area Network) is the logical segmentation of network users connected to the port of the second-layer switch. It is not limited by the physical location of network users and can be segmented according to user needs. A VLAN can be implemented on a switch or across switches.
VLANs can be grouped according to the location, role, or department of network users, or according to the applications and protocols used by network users. Switch-based virtual local area network can solve conflict domain, broadcast domain and bandwidth problems for local area network.
1. Overview of VLAN Technology
VLAN is a new data exchange technology that logically divides LAN devices (note, not physically) into network segments to realize virtual workgroups. This emerging technology is mainly used in switches and routers, but the mainstream application is still in switches. But not all switches have this function, only switches above the third layer of the VLAN protocol have this function, you can check the manual of the corresponding switch to know.
The emergence of VLAN technology enables administrators to logically divide different users in the same physical LAN into different broadcast domains according to actual application requirements. have the same properties.
The development of switching technology has also accelerated the application speed of new switching technology (VLAN). By dividing the enterprise network into virtual network VLAN segments, network management and network security can be strengthened, and unnecessary data broadcast can be controlled.
In a shared network, a physical network segment is a broadcast domain. In a switched network, a broadcast domain can be a virtual network segment composed of a group of arbitrarily selected second-layer network addresses (MAC addresses). In this way, the division of workgroups in the network can break through the geographic location restrictions in the shared network, and be divided entirely according to management functions. This workflow-based grouping mode greatly improves the management function of network planning and reorganization.
Workstations in the same VLAN, regardless of which switch they are actually connected to, communicate between them as if they were on separate switches. The broadcast in the same VLAN can only be heard by the members of the VLAN, and will not be transmitted to other VLANs so that the generation of unnecessary broadcast storms can be well controlled. At the same time, if there is no routing, different VLANs cannot communicate with each other, which increases the security between different departments in the enterprise network.
Network administrators can fully manage information exchange between different management units within the enterprise by configuring routes between VLANs. The switch divides the VLAN according to the MAC address of the user workstation. Therefore, a user can freely move and work in the enterprise network, and no matter where he accesses the switching network, he can freely communicate with other users in the VLAN.
VLAN network can be composed of mixed network types of equipment, such as 10M Ethernet, 100M Ethernet, Token Ring, FDDI, CDDI, etc., which can be workstations, servers, hubs, network uplink backbones, etc.
2. Category of VLAN
(1). Port-based VLAN
(2). Divide VLAN based on MAC address
(3). Divide VLANs based on network layer protocols
(4). Divide VLANs based on IP multicast
(5). Divide VLANs by policy
(6). Divide VLAN according to user definition and non-user authorization
3. Implementation principle of VLAN
(1). Static VLAN
When the VLAN administrator initially configures the corresponding relationship between the switch Port and the VLAN ID, this corresponding relationship has been fixed, that is, this Port can only correspond to this VLAN ID, and cannot be changed afterward unless the administrator reconfigures it.
When a device is connected to this port, how to judge whether the VLAN ID of the host corresponds to the port? This is determined according to the IP configuration. We know that each VLAN has a subnet number and which ports correspond to it.
If the IP address requested by the device does not match the subnet number of the VLAN corresponding to the port, the connection will fail and the device will not be able to communicate normally. Therefore, in addition to connecting to the correct port, the device must also be assigned an IP address belonging to the VLAN network segment, so that it can be added to the VLAN.
(2). Dynamic VLAN
The switch automatically configures the Port as the VLAN to which the host belongs. There are three classifications here: MAC-based, IP-based, and user-based.
(3). MAC-based VLAN (such as Layer 2 switch)
Add the hardware addresses of all hosts to the management database of VLAN. For example, when a host is connected to a port of a dynamic VLAN of the switch at will, the management database will query the host to join VLAN 2 according to the MAC address of the host, and then The port is automatically set to VLAN 2. The disadvantage is that when the host computer replaces the network card, the management database needs to be reset.
(4). IP-based VLAN (such as a layer 3 switch)
Unlike based on MAC, this method will record the mapping between subnet ID and VLAN ID, regardless of how the host’s network card changes, as long as its IP remains unchanged, the switch can automatically set the corresponding VLAN ID according to the host’s subnet ID.
(5). User-based VLAN
The VLAN is determined according to the logged-in user of the operating system.
(6). Access Interface and Trunk Interface
In the switch, there are two types of interfaces: access port (Access) and trunk port (Trunk). Access interface can only be used to connect user hosts, and can only belong to one VLAN, so this interface only transmits the data of this VLAN.
The above descriptions are all based on the division of VLANs by one switch. When it is necessary to span two or more switches, it cannot be realized based on the Access interface. We need to add a Trunk interface to connect the switch.
4. Advantages of VLAN
(1). Increased the flexibility of network connection
With the help of VLAN technology, different locations, different networks, and different users can be combined to form a virtual network environment, which is as convenient, flexible and effective as using a local LAN. VLAN can reduce the management cost of moving or changing the location of workstations, especially after some companies with frequent changes in business conditions use VLAN, this part of the management cost is greatly reduced.
(2). Control broadcasts on the network
VLAN can provide a mechanism to establish a firewall to prevent excessive broadcasting of the switching network. Using VLAN, a certain switching port or user can be assigned to a specific VLAN group.
This VLAN group can be in a switching network or across multiple switches. The broadcast in a VLAN will not be sent outside the VLAN. Likewise, adjacent ports will not receive broadcasts from other VLANs. This can reduce broadcast traffic, release bandwidth for user applications, and reduce broadcast generation.
(3). Increase network security
Because a VLAN is a separate broadcast domain, VLANs are isolated from each other, which greatly improves the utilization rate of the network and ensures the security and confidentiality of the network. People often transmit some confidential and critical data on LAN. Confidential data should provide security measures such as access control.
An effective and easy-to-implement method is to segment the network into several different broadcast groups. The network administrator limits the number of users in the VLAN and prohibits access to applications in the VLAN without permission. Switch ports can be grouped based on application type and access privileges. Restricted applications and resources are generally placed in security VLANs.