Switch VLAN configuration basics and examples

VLAN

VLAN Basics

VLAN stands for Virtual Local Area Network; it is not a VPN (virtual private network). A VLAN divides LAN devices logically (note: not physically) into network segments, a data-exchange technology that emerged to support virtual workgroups. It is used mainly in switches and routers, with switches being the mainstream application. Not every switch has this feature: only switches that support the VLAN protocol have this function, and the corresponding switch manual will tell you whether yours does.

In 1999 the IEEE issued the 802.1Q draft standard for standardized VLAN implementation. VLAN technology lets an administrator, according to actual application needs, logically divide the users of one physical LAN into different broadcast domains; each VLAN contains a group of computers with the same needs and has the same attributes as a physical LAN. Because the division is logical rather than physical, the workstations in one VLAN are not limited to the same physical range, that is, they can sit on different physical LAN segments. From these characteristics it follows that broadcast and unicast traffic inside a VLAN is not forwarded to other VLANs, which helps control traffic, reduce equipment investment, simplify network management and improve network security.

The development of switching technology also accelerated the adoption of the new switching technology of VLANs. Dividing the enterprise network into virtual network segments (VLANs) strengthens network management and security and keeps unnecessary broadcasts under control. In a shared network, a physical segment is a broadcast domain. In a switched network, a broadcast domain can be a virtual segment composed of an arbitrarily selected set of Layer 2 network addresses (MAC addresses). In this way the division into workgroups can break through the geographical constraints of a shared network and be made entirely according to management function. This workflow-based grouping model greatly improves network planning and reorganization. Workstations in the same VLAN, regardless of which switch they are actually connected to, communicate as if they were on a separate switch. Broadcasts in a VLAN can be heard only by its members and not by other VLANs, which keeps unwanted broadcast storms under control. At the same time, without routing, different VLANs cannot communicate with each other, which increases the security between departments in the enterprise network. The network administrator manages the exchange of information between different management units by configuring routing between VLANs. When the switch divides VLANs according to the MAC address of the user's workstation, the user can move freely within the enterprise network: wherever he connects to the switched network, he can communicate with the other users of his VLAN.

A VLAN can be composed of mixed equipment types, such as 10M Ethernet, 100M Ethernet, Token Ring, FDDI and CDDI, and its members can be workstations, servers, hubs, network uplink trunks and so on.

Besides dividing the network into multiple broadcast domains, VLANs effectively control broadcast storms, make the network topology more flexible, and can be used to control access between different departments and sites in the network. The VLAN protocol addresses the broadcast and security problems of Ethernet: it adds a VLAN header to Ethernet frames, divides users into smaller workgroups by VLAN ID, and restricts access between workgroups; each workgroup is a virtual LAN. The advantage of a virtual LAN is that it limits the scope of broadcasts and can form virtual workgroups for dynamic network management.

Classification of VLANs

VLAN implementation methods on switches can be roughly divided into six classes.

1. VLAN based on port partition

This is the most commonly used, most widely applied and most effective VLAN partitioning method; currently most VLAN-capable switches offer it. It divides VLANs by the Ethernet switch's ports: the physical ports of the VLAN switch and the PVC (permanent virtual circuit) ports inside it are divided into several groups, each forming a virtual network, equivalent to a separate VLAN switch.

Departments that need to access each other can be connected through a router, combined with MAC-address-based port filtering: the set of permitted MAC addresses is configured on the port of the switch, routing switch or router closest to the site on its access path. This prevents intruders from stealing internal IP addresses and attacking from other access points.

From the approach itself it can be seen that its advantage is that defining VLAN members is very simple: every port only has to be assigned to the corresponding VLAN group. It suits networks of any size. The disadvantage is that if a user leaves the original port for a port on a new switch, the membership must be redefined.

2. VLAN based on MAC address

This method divides VLANs according to the MAC address of each host, that is, for each host's MAC address it is configured which group the host belongs to. Its mechanism is that every network card has a unique MAC address, and the VLAN switch tracks which VLAN each MAC address belongs to. This type lets a network user automatically retain membership of its VLAN when it moves from one physical location to another.

From this mechanism it can be seen that the biggest advantage of this VLAN division is that when a user moves physically, that is, from one switch to another, the VLAN does not need to be reconfigured, because it is based on the user rather than on a switch port. The disadvantage is that every user must be configured; with hundreds or even thousands of users the configuration is very laborious, so this method is usually applied to small local area networks. This method also reduces switch efficiency: every switch port may have members of many VLAN groups, so a large number of user MAC addresses must be stored and lookups are not easy. In addition, laptop users may change their network cards frequently, so the VLAN must be configured again and again.

3. VLAN based on network layer protocol

Dividing by network layer protocol, VLANs can be divided into IP, IPX, DECnet, AppleTalk, Banyan and other VLAN networks. A VLAN composed by network layer protocol allows broadcast domains to span multiple VLAN switches. This is very attractive for network administrators who want to organize users around specific applications and services. Moreover, users can move freely within the network while their VLAN membership remains unchanged.

The advantage of this method is that when a user's physical location changes, the VLAN it belongs to does not need to be reconfigured, and VLANs can be divided by protocol type, which matters to the network manager; also, this method needs no additional frame tag to identify the VLAN, which reduces network traffic. The disadvantage is inefficiency, because checking the network layer address of every packet consumes processing time (compared with the previous two methods): a typical switch chip can automatically check the Ethernet header of a packet, but letting the chip check the IP header requires more advanced technology and more time. Of course, this depends on each vendor's implementation.

4. VLAN partitioning based on IP multicast

IP multicast is in effect a VLAN definition: an IP multicast group is a VLAN. This partitioning method extends VLANs to the WAN, so it is more flexible and easy to extend through routers. It mainly suits LAN users in different geographical areas forming one VLAN and is not suitable within a local area network, mainly because its efficiency is not high.

5. VLAN by policy

Policy-based VLANs can implement multiple allocation methods, including switch ports, MAC addresses, IP addresses, network layer protocols and so on. Network administrators decide which type of VLAN to choose according to their own management model and the needs of their organization.

6. VLAN based on user definition and non-user authorization

Partitioning VLANs by user definition and non-user authorization means that VLANs are defined and designed to accommodate special VLAN networks; users are allowed to access a VLAN, but are required to provide a user password. A VLAN can be added to VLAN-managed authentication.

The superiority of VLAN

For any new technology to be widely supported and applied, it must have some key advantages, and VLAN technology is no exception. Its advantages are mainly reflected in the following aspects:

1. Increased flexibility in network connectivity

With VLAN technology, different locations, different networks and different users can be combined into a virtual network environment that is as convenient, flexible and effective as a local LAN. VLANs reduce the overhead of moving or relocating workstations; especially in companies whose business situation changes frequently, this part of the management cost is significantly reduced.

2. Control the broadcast on the network

VLANs provide a mechanism for building firewalls to prevent excessive broadcasting in switched networks. With VLANs, a switch port or user can be assigned to a particular VLAN group, which can lie within one switch or span several switches, and broadcasts in one VLAN are not sent outside it. Likewise, adjacent ports do not receive broadcasts from other VLANs. This reduces broadcast traffic, frees bandwidth for user applications and cuts down on broadcasts.

3. Increase the security of the network

Because a VLAN is a separate broadcast domain, VLANs are isolated from each other, which greatly improves network utilization and ensures network security. People often send confidential, critical data on the LAN, and confidential data should be protected by security measures such as access control. An effective and easy way to do this is to segment the network into several different broadcast groups, which limit the number of users in the VLAN and prohibit unauthorized access to applications in the VLAN. Switch ports can be grouped by application type and access privilege, and restricted applications and resources are typically placed in a secure VLAN.
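As an added example that is not part of the original article, the following Python code parses and builds Ethernet frames carrying the 802.1Q VLAN header mentioned under VLAN Basics, and models the broadcast isolation described in points 2 and 3 above: a broadcast entering an access port is flooded only to the other ports of the same VLAN. The port layout is Switch3 from Table 1 in the configuration example; the rule that an access port drops a tagged frame whose tag differs from the port's VLAN is a modelling assumption.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

TPID_8021Q = 0x8100            # EtherType value that announces an 802.1Q tag
BROADCAST = b"\xff" * 6

@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]     # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, consuming the 802.1Q tag if one is present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF     # TCI = 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])

def build_frame(dst: bytes, src: bytes, vlan_id: Optional[int],
                ethertype: int, payload: bytes) -> bytes:
    """Build a frame; vlan_id=None gives an untagged frame (PCP and DEI are 0)."""
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def flood_ports(port_vlan: Dict[int, int], in_port: int, raw: bytes) -> List[int]:
    """Ports a broadcast entering in_port is flooded to: other ports of the same VLAN
    only. port_vlan maps access port -> VLAN ID (static membership as in Table 1).
    Assumption: untagged frames take the port's VLAN; a differing tag is dropped."""
    frame = parse_frame(raw)
    if frame.dst != BROADCAST:
        raise ValueError("only broadcast flooding is modelled")
    vlan = port_vlan[in_port]
    if frame.vlan_id is not None and frame.vlan_id != vlan:
        return []                  # tag disagrees with the access port: dropped
    return sorted(p for p, v in port_vlan.items() if v == vlan and p != in_port)

# Constructed sample: Switch3 of Table 1, ports 2-9 in VLAN 4, ports 10-21 in VLAN 5.
SWITCH3 = {p: 4 for p in range(2, 10)}
SWITCH3.update({p: 5 for p in range(10, 22)})

if __name__ == "__main__":
    arp = build_frame(BROADCAST, bytes.fromhex("001122334455"), None, 0x0806, b"\x00" * 28)
    print("broadcast from port 3 (VLAN 4) reaches:", flood_ports(SWITCH3, 3, arp))
```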

VLAN network configuration examples

To give readers a chance to learn from a real configuration example, the following uses the VLAN configuration of a typical medium-sized LAN to introduce the most commonly used method, port-based VLAN configuration.

A company has about 100 computers. The main departments using the network are the production department (20), the finance department (15), the personnel department (8) and the information center (12).

The basic structure of the network is as follows: the backbone uses three Catalyst 1900 managed switches (named Switch1, Switch2 and Switch3). Several hubs are connected to the switches as needed; they mainly serve non-VLAN users, such as administrative document users. A Cisco 2514 router connects the entire network to the external Internet.

The users are mainly distributed over four departments: production, finance, information center and personnel. These four main groups of users are separated into VLANs so that the network resources of the corresponding departments are not stolen or destroyed.

Because of the company's security needs for part of its network resources, especially in sensitive departments such as finance and personnel, whose information on the network should not be casually accessible to too many people, the company adopted VLANs to solve this problem. Through VLAN division, the company's main network is divided into four main parts, production, finance, personnel and information center, with the VLAN group names Prod, Fina, Huma and Info; the network segments corresponding to the VLAN groups are shown in Table 1 below.

Table 1
VLAN Number   VLAN Name   Switch    Ports
2             Prod        Switch1   2-21
3             Fina        Switch2   2-16
4             Huma        Switch3   2-9
5             Info        Switch3   10-21

The VLAN configuration process is very simple and takes only two steps: (1) name the VLAN groups; (2) assign each VLAN to the corresponding switch ports.

[Note] The switch's VLAN numbers start at 2 because the switch has a default VLAN, VLAN 1, which includes all the users connected to the switch.

The following is a specific configuration process:

Step 1: Set up HyperTerminal, connect to the 1900 switch, and configure the switch's VLANs through HyperTerminal. After the connection succeeds, the main configuration interface appears (the basic configuration of the switch has already been completed beforehand).

[Note] HyperTerminal is the "Hypertrm" program that comes with Windows; see the relevant documentation.

Step 2: Press "K" to select the "[K] Command Line" option of the main menu and enter the command line configuration interface, which shows:

CLI session with the switch is open. To end the CLI session, enter [Exit].

At this point we are in the switch's normal user mode. As on a router, this mode can only view the current configuration, cannot change it, and offers very few commands, so we have to enter the "privileged mode".

Step 3: Enter the command "enable" at the previous ">" prompt to enter the privileged mode. From the privileged mode prompt, enter the switch's configuration mode:

#config t
Enter configuration commands, one per line. End with CNTL/Z
(config)#

Step 4: For security and convenience, we give each of the three Catalyst 1900 switches a name and set the privileged mode login password. Only Switch1 is described below as an example. The configuration is as follows:

(config)#hostname Switch1
Switch1(config)#enable password level 15 XXXXXX
Switch1(config)#

[Note] The privileged mode password must be 4 to 8 characters. Note that the password entered here is displayed in clear text, so keep it confidential. The switch uses the level to determine the password's permissions. Level 1 is the password for entering the command line interface: if you set a level 1 password, the next time you connect to the switch and press K, you will be asked for that level 1 password. Level 15 is the privileged mode password that you enter after the "enable" command.

Step 5: Set the VLAN names. VLANs 2, 3, 4 and 5 are configured on Switch1, Switch2, Switch3 and Switch3 respectively:

Switch1(config)#vlan 2 name Prod
Switch2(config)#vlan 3 name Fina
Switch3(config)#vlan 4 name Huma
Switch3(config)#vlan 5 name Info

Step 6: In the last step we configured the VLAN groups on each switch; now these VLANs must be mapped to the switch ports specified in Table 1. The command for assigning a port is "vlan-membership static/dynamic VLAN-number". One of "static" and "dynamic" must be chosen, and usually "static" is selected. The port assignments are configured as follows:

(1) The VLAN port of “Switch1” is configured as follows:

Switch1(config)#int e0/2
Switch1(config-if)#vlan-membership static 2
Switch1(config-if)#int e0/3
Switch1(config-if)#vlan-membership static 2
Switch1(config-if)#int e0/4
Switch1(config-if)#vlan-membership static 2
……
Switch1(config-if)#int e0/20
Switch1(config-if)#vlan-membership static 2
Switch1(config-if)#int e0/21
Switch1(config-if)#vlan-membership static 2
Switch1(config-if)#

[Note] "int" is the abbreviation of the "interface" command. "e0/2" is the abbreviation of "ethernet 0/2", which denotes port 2 of module 0 of the switch.

(2) The VLAN port of “Switch2” is as follows:

Switch2(config)#int e0/2
Switch2(config-if)#vlan-membership static 3
Switch2(config-if)#int e0/3
Switch2(config-if)#vlan-membership static 3
Switch2(config-if)#int e0/4
Switch2(config-if)#vlan-membership static 3
……
Switch2(config-if)#int e0/15
Switch2(config-if)#vlan-membership static 3
Switch2(config-if)#int e0/16
Switch2(config-if)#vlan-membership static 3
Switch2(config-if)#

(3) The VLAN ports of "Switch3" are configured as follows (this includes the configuration of two VLAN groups). First the VLAN 4 (Huma) configuration:

Switch3(config)#int e0/2
Switch3(config-if)#vlan-membership static 4
Switch3(config-if)#int e0/3
Switch3(config-if)#vlan-membership static 4
Switch3(config-if)#int e0/4
Switch3(config-if)#vlan-membership static 4
……
Switch3(config-if)#int e0/8
Switch3(config-if)#vlan-membership static 4
Switch3(config-if)#int e0/9
Switch3(config-if)#vlan-membership static 4
Switch3(config-if)#

The following is the VLAN 5 (Info) configuration:

Switch3(config)#int e0/10
Switch3(config-if)#vlan-membership static 5
Switch3(config-if)#int e0/11
Switch3(config-if)#vlan-membership static 5
Switch3(config-if)#int e0/12
Switch3(config-if)#vlan-membership static 5
……
Switch3(config-if)#int e0/20
Switch3(config-if)#vlan-membership static 5
Switch3(config-if)#int e0/21
Switch3(config-if)#vlan-membership static 5
Switch3(config-if)#

We have now defined the VLANs on the ports of the corresponding switches as required by Table 1. To verify the configuration, use the "show vlan" command in privileged mode to display the configuration just made and check whether it is correct. The above introduced VLAN configuration on a Cisco switch; the configuration method on other switches is basically similar, see the relevant switch documentation.
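As an added example, not the article's own code, the following Python script re-types Table 1 as data, checks it for the pitfalls the notes above point out (VLAN 1 is the default VLAN that includes every connected user, and a port can hold only one static membership), reports which ports a plan leaves in VLAN 1, and renders the Step 4 to Step 6 command lines for one switch. The port count of 24 passed to unassigned_ports is an assumption, not a figure from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VlanRow:
    number: int        # VLAN number (2 and above; 1 is the switch's default VLAN)
    name: str
    switch: str
    first_port: int    # inclusive port range on that switch, as in Table 1
    last_port: int

# Table 1 of the article, re-typed as data (the port ranges are the article's).
TABLE_1 = [
    VlanRow(2, "Prod", "Switch1", 2, 21),
    VlanRow(3, "Fina", "Switch2", 2, 16),
    VlanRow(4, "Huma", "Switch3", 2, 9),
    VlanRow(5, "Info", "Switch3", 10, 21),
]

def ports(row):
    return range(row.first_port, row.last_port + 1)

def validate(rows):
    """Return a list of problems: VLAN 1 reused, or one port placed in two VLANs
    on the same switch (the later assignment would silently replace the earlier)."""
    problems, seen = [], {}
    for r in rows:
        if r.number < 2:
            problems.append(f"{r.name}: VLAN {r.number} is reserved; use 2 or above")
        for p in ports(r):
            prior = seen.setdefault((r.switch, p), r.number)
            if prior != r.number:
                problems.append(f"{r.switch} port {p}: in VLAN {prior} and VLAN {r.number}")
    return problems

def unassigned_ports(rows, switch, port_count):
    """Ports of `switch` (numbered 1..port_count, an assumed value) that no row
    covers, i.e. ports that stay in the default VLAN 1 with every other such port."""
    assigned = {p for r in rows if r.switch == switch for p in ports(r)}
    return [p for p in range(1, port_count + 1) if p not in assigned]

def render(rows, switch):
    """Emit the Catalyst 1900 command lines of Steps 4-6 for one switch."""
    mine = [r for r in rows if r.switch == switch]
    lines = [f"hostname {switch}"]
    lines += [f"vlan {r.number} name {r.name}" for r in mine]
    for r in mine:
        for p in ports(r):
            lines += [f"int e0/{p}", f"vlan-membership static {r.number}"]
    return lines

if __name__ == "__main__":
    print("\n".join(render(TABLE_1, "Switch3")))
    print("Switch3 ports still in VLAN 1:", unassigned_ports(TABLE_1, "Switch3", 24))
```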
