vlan for network comprehensive training


1: Introduction to the switch

1) Introduction to collision domain, broadcast domain and mac address

Collision domain: the set of all nodes attached to the same shared medium. All nodes in a collision domain compete for the same bandwidth, and a frame sent by one node (unicast, multicast or broadcast) is received by every other node in it. Switches are deployed to divide collision domains: each switch interface is its own collision domain.

Broadcast domain: the whole range that a broadcast frame can reach is a Layer 2 broadcast domain, or broadcast domain for short; every host in the same broadcast domain receives the broadcast.

MAC (Media Access Control) address: uniquely identifies a network card in the network; every network card needs, and has, a unique MAC address.

Ethernet data frame format:

Ethernet II format:

DMAC       6B
SMAC       6B
Type       2B
User data  46-1500B
FCS        4B          // minimum frame length 64 bytes

IEEE 802.3 format:

DMAC       6B
SMAC       6B
Length     2B
LLC        3B
SNAP       5B
User data  39-1492B
FCS        4B

Half-duplex: only supports sending or receiving

Full duplex: can send and receive at the same time

2: Unicast, Multicast and Broadcast

Unicast: one-to-one. A unicast MAC address is one whose first byte has its least significant bit equal to 0; that is, when the MAC address is written in binary, the eighth bit is 0.

Multicast: one-to-many or many-to-many, but not to all. A multicast MAC address is one whose first byte has its least significant bit equal to 1; that is, the eighth bit of the binary MAC address is 1.

Broadcast: one-to-all. The broadcast MAC address is FF-FF-FF-FF-FF-FF, the address in which every bit is 1.

3: Introduction to the working principle of the switch

1) Learning
   Building the MAC address table: each entry is determined by the source MAC of a received frame and the interface it arrived on.
2) Flooding
   The frame is forwarded out of every port except the receiving port. This happens when:
   2.1 a broadcast frame is received
   2.2 a multicast frame is received
   2.3 an unknown unicast frame is received (destination MAC not yet in the table)
3) Forwarding
   The frame is forwarded out of the interface that the MAC address table records for the frame's destination MAC.
   arp static 10.1.1.3 aabb-cc00-0003   // manually add an entry to the ARP cache
4) Discarding
   If the source and destination MAC addresses of the frame correspond to the same interface in the switch's MAC address table, the frame is discarded.
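As an added example (not part of the original article), the following Python model runs the four behaviours above over a sequence of constructed frames; the port names and MAC addresses are made up:

```python
# Added example, not from the original article: a minimal model of the four
# switch behaviours (learning, flooding, forwarding, discarding). Port names
# and MAC addresses are constructed for illustration.

class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # source MAC -> interface it was learned on

    def learn(self, src_mac, in_port):
        # 1) Learning: entry built from the frame's source MAC and the
        #    receiving interface; a later sighting elsewhere overwrites it.
        self.mac_table[src_mac] = in_port

    def handle(self, src_mac, dst_mac, in_port):
        """Return the egress ports for one frame (empty list = discarded)."""
        self.learn(src_mac, in_port)
        is_broadcast = dst_mac.lower() == "ff-ff-ff-ff-ff-ff"
        is_multicast = bool(int(dst_mac.split("-")[0], 16) & 0x01)  # I/G bit
        out_port = self.mac_table.get(dst_mac)
        # 2) Flooding: broadcast, multicast and unknown unicast go out of
        #    every port except the one the frame arrived on.
        if is_broadcast or is_multicast or out_port is None:
            return [p for p in self.ports if p != in_port]
        # 4) Discarding: the destination sits behind the receiving interface.
        if out_port == in_port:
            return []
        # 3) Forwarding: known destination, exactly one egress port.
        return [out_port]

def demo():
    """Three frames through one switch; returns the egress decision of each."""
    sw = Switch(["G0/0/1", "G0/0/2", "G0/0/3"])
    pc_a, pc_b = "54-89-98-00-00-0a", "54-89-98-00-00-0b"
    return [
        sw.handle(pc_a, pc_b, "G0/0/1"),  # B unknown -> flooded, A learned
        sw.handle(pc_b, pc_a, "G0/0/2"),  # A known -> forwarded to G0/0/1 only
        sw.handle(pc_a, pc_b, "G0/0/2"),  # A and B both behind G0/0/2 -> discarded
    ]
```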

2: Principle and configuration of vlan

VLANs (virtual local area networks) were introduced on switches to divide the broadcast domain and save cost.

Features: VLANs are not tied to physical location, and only devices within the same VLAN can communicate directly at Layer 2.

By default, all interfaces of a switch belong to VLAN 1 and therefore to the same broadcast domain.

1) How to divide VLANs

  • VLAN division methods
    • Interface-based: by switch interface, such as G0/0/1, G0/0/2
    • MAC-based: by the MAC address of the device
    • IP-based: by IP address or network segment
    • Protocol-based: by protocol, such as IPv4, IPv6
    • Policy-based: by a combination such as IP address + MAC address

2) vlan tag

To let the switch distinguish frames from different VLANs, a field that identifies the VLAN must be added to the frame.

The IEEE 802.1Q standard adds a 4-byte VLAN tag (VLAN Tag, or simply Tag) to the Ethernet frame.

VLAN ID range: 12 bits, 2^12 values, 0-4095 (0 and 4095 are reserved).

802.1Q data frame format
TPID (Tag Protocol Identifier): identifies the frame type; the value 0x8100 indicates an 802.1Q tagged frame.
PRI (priority): identifies the priority of the frame, mainly used for QoS.
CFI (Canonical Format Indicator): in an Ethernet environment the value of this field is 0.
VLAN ID (VLAN identifier): identifies the VLAN to which the frame belongs.
vlan 10                 #create vlan 10
vlan batch 10 20        #create vlan 10 and vlan 20
vlan batch 10 to 20     #create vlan 10 through vlan 20
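The following Python example, added here and not taken from the original article, decodes the 802.1Q tag fields described above and classifies the destination MAC by the unicast/multicast/broadcast rule from section 2; the sample frame is constructed:

```python
# Added example, not from the original article: decode the destination MAC
# class (by the I/G bit) and the 802.1Q tag of a raw Ethernet frame.
# SAMPLE_FRAME below is constructed for illustration.
import struct

def mac_class(mac: bytes) -> str:
    """Classify a 6-byte MAC by the least significant bit of its first byte."""
    if mac == b"\xff" * 6:
        return "broadcast"   # every bit is 1
    if mac[0] & 0x01:
        return "multicast"   # I/G bit set
    return "unicast"         # I/G bit clear

def parse_frame(frame: bytes) -> dict:
    """Return header fields; handles both untagged and 802.1Q-tagged frames."""
    dmac, smac = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    info = {"dmac": dmac.hex("-"), "dmac_class": mac_class(dmac),
            "smac": smac.hex("-"), "tagged": tpid == 0x8100}
    if info["tagged"]:
        # 4-byte tag = TPID (2B) + TCI (2B); TCI = PRI(3) | CFI(1) | VID(12)
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(pri=tci >> 13, cfi=(tci >> 12) & 0x1, vid=tci & 0x0FFF,
                    ethertype=ethertype, payload=frame[18:])
        info["reserved_vid"] = info["vid"] in (0, 4095)  # 0 and 4095 are reserved
    else:
        info.update(ethertype=tpid, payload=frame[14:])
    return info

def build_tagged(dmac: bytes, smac: bytes, pri: int, vid: int,
                 ethertype: int, payload: bytes) -> bytes:
    """Assemble an 802.1Q frame (without FCS) so the parser has input to decode."""
    tci = (pri << 13) | (vid & 0x0FFF)
    return dmac + smac + struct.pack("!HHH", 0x8100, tci, ethertype) + payload

# Constructed sample: broadcast ARP request in VLAN 10 with priority 5
SAMPLE_FRAME = build_tagged(bytes.fromhex("ffffffffffff"), bytes.fromhex("548998722bae"),
                            pri=5, vid=10, ethertype=0x0806, payload=b"\x00" * 46)
```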

3) Introduction to vlan port types

Access port

  • Receiving a data frame
    • If the frame carries a tag, compare it with the interface PVID: if they are the same the frame passes, otherwise it is discarded.
    • If the frame carries no tag, add the PVID of the receiving interface.
  • Sending a data frame
    • If the VLAN ID of the frame equals the interface PVID, the tag is stripped and the frame is forwarded; if it differs, the frame is not forwarded out of this interface.
    • Frames leaving an access port therefore never carry a tag.

Trunk port

  • Receiving a data frame
    • If the frame carries a tag, check whether its VLAN is in the allow-pass list: accept it if present, discard it otherwise.
    • If the frame carries no tag, tag it with the interface PVID, then accept it if that VLAN is in the allow-pass list and discard it otherwise.
  • Sending a data frame
    • If the frame's VLAN is not in the allow-pass list, it is discarded.
    • Otherwise compare the tag with the trunk interface PVID: if they differ, the original tag is kept; if they are the same, the tag is stripped before sending.

Hybrid port

  • Receiving a data frame
    • If the frame carries a tag, check whether its VLAN is in the interface's allowed (tagged or untagged) list: accept it if present, discard it otherwise.
    • If the frame carries no tag, tag it with the interface PVID, then accept it if that VLAN is in the allowed list and discard it otherwise.
  • Sending a data frame
    • If the frame's VLAN is not in the interface's allowed list, it is discarded.
    • If it is in the untagged list, the tag is stripped before sending.
    • If it is in the tagged list, the tag is kept and the frame is sent with it.
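As an added example (not from the original article), this Python model implements the receive and send rules of the three port types above and runs the cases the rules distinguish; the port settings and VLAN numbers are assumptions for illustration:

```python
# Added example, not from the original article: ingress/egress rules of access,
# trunk and hybrid ports. Port settings and VLAN numbers are constructed.
from dataclasses import dataclass, field

@dataclass
class Port:
    kind: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1
    allow: set = field(default_factory=set)      # trunk allow-pass list
    untagged: set = field(default_factory=set)   # hybrid untagged list
    tagged: set = field(default_factory=set)     # hybrid tagged list

    def ingress(self, tag):
        """tag is the VLAN tag on the wire or None. Returns the VLAN the frame
        belongs to inside the switch, or None if the port discards it."""
        if self.kind == "access":
            # untagged -> PVID; a tagged frame passes only if tag == PVID
            return self.pvid if tag in (None, self.pvid) else None
        vid = self.pvid if tag is None else tag
        allowed = self.allow if self.kind == "trunk" else self.untagged | self.tagged
        return vid if vid in allowed else None

    def egress(self, vid):
        """Returns (sent, tag_on_wire) for a frame of VLAN vid leaving this port."""
        if self.kind == "access":
            return (True, None) if vid == self.pvid else (False, None)
        if self.kind == "trunk":
            if vid not in self.allow:
                return (False, None)
            return (True, None if vid == self.pvid else vid)   # strip only the PVID
        if vid in self.untagged:
            return (True, None)
        return (True, vid) if vid in self.tagged else (False, None)

def cross_switch(in_port, out_port, wire_tag):
    """A frame enters in_port, is flooded inside one switch, and leaves out_port."""
    vid = in_port.ingress(wire_tag)
    return (False, None) if vid is None else out_port.egress(vid)

def demo():
    acc10 = Port("access", pvid=10)
    trunk = Port("trunk", pvid=1, allow={1, 10, 20})
    hyb = Port("hybrid", pvid=20, untagged={20, 30}, tagged={10})
    return {
        "pc_to_trunk": cross_switch(acc10, trunk, None),          # leaves tagged 10
        "trunk_not_allowed": trunk.egress(30),                    # 30 not allowed: dropped
        "access_wrong_tag": acc10.ingress(30),                    # tag != PVID: dropped
        "trunk_to_hybrid_tagged": cross_switch(trunk, hyb, 10),   # tag 10 kept
        "hybrid_untagged_out": hyb.egress(30),                    # 30 untagged: stripped
    }
```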

4) vlan configuration

a. access simple configuration

[Huawei]sysname S1                                  #modify the switch name
[S1]vlan 10                                         #create vlan 10
[S1]int g0/0/1                                      #enter the interface
[S1-GigabitEthernet0/0/1]port link-type access      #change the port type to access
[S1-GigabitEthernet0/0/1]port default vlan 10       #set the PVID to 10
[S1-GigabitEthernet0/0/1]quit                       #quit
[S1]display port vlan active                        #view the port type and vlan of each switch port

LSW2 is configured in the same way.
Interface configuration between the switches:
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10

LSW2 is configured in the same way.

Data frames between the two switches do not carry tags.

Description of the whole process:

  • PC1 sends an untagged data frame to the G0/0/1 port of the switch. This interface is configured as an access interface in vlan 10; the access interface receives the untagged frame and tags it with vlan 10 as it enters the switch.
  • When LSW1 sends the data frame out, it finds that the frame carries the vlan 10 tag and that the tag (PVID) of the G0/0/2 interface is also vlan 10. An access interface whose tag matches the frame's tag strips the tag and sends the frame.
  • The untagged data frame arrives at the G0/0/2 interface of LSW2; the access interface receives the untagged frame, adds its own interface tag, namely vlan 20, and the frame enters the switch.
  • When LSW2 sends the data frame out, it finds that the outgoing interface G0/0/1 has the interface tag vlan 20; the access interface sees a frame whose tag matches its own, strips the tag and sends it, and the frame arrives at PC2.
  • The return path follows the same principle as the path from PC1 to PC2.

Summary: implementation principle of the access port. Network terminal devices can only receive untagged data frames, so the access interface type is mostly used where the switch connects to terminal equipment.

<SW2>save                                       #save the configuration
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y                 #confirm
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:   #file name
Aug 30 2022 13:04:07-08:00 SW2 %%01CFM/4/SAVE(l)[0]:The user chose Y when deciding whether to save the configuration to the device.
Now saving the current configuration to the slot 0.
Save the configuration successfully.

b. trunk simple configuration

LSW1 configuration
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
LSW2 configuration
vlan batch 10 20
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20 30
  • Implementation principle
    • PC1 sends a data frame to the G0/0/1 interface of LSW1. The access interface receives the untagged frame and adds the tag 10 before the frame enters LSW1.
    • The switch floods the frame to all interfaces. The G0/0/2 interface receives the tagged frame, compares the tag with its own tag 20, and, being an access interface, discards the frame because the tags differ.
    • At the same time the frame reaches the G0/0/3 interface; this trunk interface allows vlan 10 to pass, and the frame reaches the G0/0/3 interface of LSW2, which accepts vlan 10 and keeps the original tag.
    • LSW1 floods the frame to all interfaces; the G0/0/1 interface receives the tagged frame, whose tag matches its own, strips the tag, and the frame reaches PC3.
    • At the same time the G0/0/1 interface receives the tagged frame, whose tag does not match the interface's own tag, and the frame is discarded.
    • The return path to PC1 follows the same principle.

Summary: implementation principle of the trunk interface.

c. hybrid simple configuration

LSW1 configuration
sysname SW1
#
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10 30
#
interface GigabitEthernet0/0/2
 port hybrid tagged vlan 10 20 30
#
interface GigabitEthernet0/0/3
 port hybrid pvid vlan 20
 port hybrid untagged vlan 20 30
LSW2 configuration
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10 30
#
interface GigabitEthernet0/0/2
 port hybrid tagged vlan 10 20 30
#
interface GigabitEthernet0/0/3
 port hybrid pvid vlan 30
 port hybrid untagged vlan 10 20 30
  • Description of the whole process
    • The data frame sent by PC1 reaches the G0/0/1 interface of LSW1, is tagged with PVID 10 and enters the switch, which floods it to all interfaces.
    • G0/0/3 receives the frame from PC1 and checks its local untagged list, vlan 20 30; vlan 10 is not in it, so the vlan 10 tag is not stripped. The frame still carries the tag, and the terminal cannot accept a tagged frame, so the frame is discarded.
    • Because the switch floods, the G0/0/2 interface also receives the frame. This interface only needs to let all frames pass with their own tags; if the tag were stripped here, PC3 could communicate with PC2, which does not meet the requirement of the exercise. The same applies to the G0/0/2 interface of LSW2.
    • When the frame reaches LSW2 it is flooded to all interfaces. The G0/0/1 interface receives the frame from PC1 carrying PVID 10, finds vlan 10 in its own untagged list, strips the PVID 10 tag, and the frame reaches PC2.
    • The frame also reaches the G0/0/3 interface of LSW2, which receives the frame with PVID 10, finds it in its local untagged list 10 20 30, strips the tag, and the frame reaches PC4.
    • The return path to PC1 follows the same principle as the path from PC1 to PC2 and PC4.

Summary: implementation principle of the hybrid interface.

VLAN division based on MAC address

The topology is the same as in the hybrid simple configuration experiment above.

On that basis, first remove the PVID previously configured on the G0/0/1 interface of LSW2:

[SW2-GigabitEthernet0/0/1]undo port hybrid pvid vlan

Configure the MAC-based VLAN:

[SW2]vlan 10
[SW2-vlan10]mac-vlan mac-address 5489-9872-2bae 24     #24 is the mask length
[SW2-GigabitEthernet0/0/1]mac-vlan enable              #enter the interface and enable mac-vlan

However, if the MAC address of the PC is now changed to a different one, the PC is found to land in the default vlan 1 and can communicate with PC1, which is not secure.

After modifying the MAC address

Therefore another VLAN must be created and set on the interface, so that other devices are placed into this VLAN. Devices that do not match the mac-vlan entry then fall into the newly created VLAN instead of the default vlan 1, which keeps them isolated.

Create vlan 100:

[SW2]vlan 100

Set it as the PVID of the interface:

[SW2-GigabitEthernet0/0/1]port hybrid pvid vlan 100

Now PC2 and PC1 can no longer communicate with each other.

Note: once a mask is added to the MAC address of a mac-vlan entry, it fixes the range of MAC addresses that match. For example, a 24-bit mask means the first 6 hex digits of the MAC address cannot change, while the last 6 hex digits may change without affecting the MAC-VLAN binding.

[SW2-vlan10]mac-vlan mac-address 5489-9872-2bae 24
#That is, the first six hex digits of the MAC address, 5489-98, cannot change, while the remaining 72-2bae can change without affecting the mac-vlan binding.
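Added example (not from the original article): how the mask in a mac-vlan entry decides which MAC addresses match, and how a non-matching MAC falls back to the interface PVID (100 here, versus the default vlan 1); the rule reuses the article's MAC address, and the changed MAC addresses are constructed:

```python
# Added example, not from the original article: how a mac-vlan entry with a
# mask is matched, and where a non-matching MAC ends up. The rule reuses the
# article's MAC address; the other addresses are constructed for illustration.

def mac_to_int(mac: str) -> int:
    """'5489-9872-2bae' or '54:89:98:72:2b:ae' -> 48-bit integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)

def mac_matches(mac: str, rule_mac: str, mask_bits: int) -> bool:
    """True when the first mask_bits bits of mac equal those of rule_mac."""
    shift = 48 - mask_bits
    return mac_to_int(mac) >> shift == mac_to_int(rule_mac) >> shift

def classify(mac: str, rules, pvid: int) -> int:
    """VLAN assigned to a frame from mac: the first matching mac-vlan rule
    (rule_mac, mask_bits, vlan), otherwise the interface PVID."""
    for rule_mac, mask_bits, vlan in rules:
        if mac_matches(mac, rule_mac, mask_bits):
            return vlan
    return pvid

RULES = [("5489-9872-2bae", 24, 10)]   # the entry from the article: 24-bit mask -> vlan 10

def demo():
    return {
        "exact": classify("5489-9872-2bae", RULES, pvid=100),
        "low_bits_changed": classify("5489-98ff-ffff", RULES, pvid=100),   # 5489-98 kept: vlan 10
        "high_bits_changed": classify("5489-9972-2bae", RULES, pvid=100),  # no match: PVID 100
        "default_pvid": classify("5489-9972-2bae", RULES, pvid=1),         # no match, PVID 1: the unsafe case
    }
```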


Posted by Arsench on Thu, 01 Sep 2022 23:23:45 +0300