The Scheme of Establishing Virtual Local Area Network

VLAN Tagging

The number of Bytes between the source address field and the type field in the VLAN (Virtual Local Area Network) tag is 4, and the functions of the first and last 2 Bytes are different, and the representations are also different. The first 2 Byte specifications are IEEE specifications, expressed as 0 × 8 100 in hexadecimal, responsible for the production of virtual LAN protocol identification; the last 2 Bytes indicate 3Bit + 12Bit, both responsible for TAG information control. Among them, 3Bit ranges from 0 to 7, specifically referring to the user priority field, which can be queued and forwarded first when the network is congested, and 12Bit identifies the attribution party of the frame with the VLAN tag. The standard LAN range is 1 to 1 001, and the extended LAN range 1 006 to 4 094, 1 002, 1 003, 1 004, and 1 005 are token ring networks that cannot be deleted, and are used for 802. 1Q protocol starts.

VLAN Division

After clearing the VLAN identification, the virtual local area network must be divided based on the MAC (physical network card) address or based on the switch port, network layer, and IP multicast. Different ways of dividing virtual local area networks have a great impact on the availability of virtual local area networks.

VLAN division based on MAC address. In the division of virtual LAN based on MAC address, the MAC address of each network card and the virtual LAN physical address tracked by the switch correspond one-to-one and are unique. Network card or physical address, configure the MAC address of each PC to the corresponding logical group, allowing users to transfer from one physical location node to another under the premise of retaining their virtual local area network membership.

VLAN division based on switch ports. When dividing virtual local area networks based on switch ports, the ports whose local mode is access mode on one switch or ports whose local mode is access mode on several switches can be divided into a logical group, followed by Network administrators assign switch ports and complete port parameterization regardless of the devices connected to the ports.

VLAN division based on the network layer. When dividing the virtual local area network based on the network layer, several virtual local area network divisions should be carried out according to the third layer network side of the ISO/OSI architecture through protocol differences, that is, virtual LANs are added on the basis of Ethernet frames. The head of the LAN controls the information, divides the host into smaller networks through the hierarchical division of the virtual LAN, and isolates the information interaction of different hosts by restricting the third-layer mutual access rights of the virtual LAN hosts with different IDs. For example, VLAN1-VLAN5 is the computer room network segment, VLAN6 is the server room network segment, and VLAN7 is the management network segment.

VLAN division based on IP multicast. When dividing virtual local area networks based on IP multicast, several virtual local area networks can be divided according to IP address differences within TCP/IP. For example, when a small enterprise virtual local area network is established, it is required that there is no information exchange between the existing two departments, but each department can exchange information. At this time, the IP address of one of the departments in VLAN10 can be assigned as 192. 168. 10. 0 ~ 192. 168. 10. 235, and the IP address of another department in VLAN20 can be allocated as 192. 168. 20. 0 ~ 192. 168. 20. 248.

Switch VLAN Configuration

In a VLAN, switches include core, aggregation, and access layer switches. Among them, the core switch is responsible for meeting the high-speed data and secure forwarding requirements of the backbone network. It does not need policy configuration. It only needs to perform simple configurations such as device name modification, entry port routing mode setting, entry port selection, and interface IP address selection; the aggregation switch is responsible for aggregating data. It is necessary to select a switch with embedded security policies to meet the requirements of hardware access restrictions, network attack prevention and control, and network scanning restrictions; the access layer switch is responsible for accessing devices, and it needs to start with the connection port of the aggregation layer switch, and set the F0 /24 Change to Trunk mode. Then create corresponding virtual LANs according to planning requirements, and finally assign different virtual LANs to different ports, such as assigning VLAN20 to port 2.