VLAN principle and simple application

xiaoxiao2021-03-06 48

1 VLAN overview

VLAN (Virtual Local Area Network) is a virtual LAN, which is an emerging technique for virtual working groups to enable virtual workgroups by logically ratherning a device within a local area. IEEE issued a draft 802.1Q protocol standard for standardizing VLAN implementations in 1999.

VLAN technology allows network managers to logically divide a physical LAN into a different broadcast domain (or called virtual LAN, ie VLAN). Each VLAN contains a computer workstation with the same needs, with physical LANs that are physically formed. The same properties. But because it is logically rather than physically divided, the workstations in the same VLAN do not have to be placed in the same physical space, ie these workstations do not necessarily belong to the same physical LAN network segment. Broadcasting and unicast traffic within a VLAN will not be forwarded to other VLANs, thereby helping to control traffic, reduce equipment investment, simplify network management, and improve network security.

VLAN is an agreement to solve the broadcast problem and security of Ethernet. It adds VLAN heads based on Ethernet frames, divides users into smaller working groups with VLAN IDs, restricts different working groups. User Layers exchange, each working group is a virtual local area network. The advantage of a virtual local area network can limit the range of broadcasts and can form a virtual working group and dynamic management network.

The implementation method of the VLAN on the switch can be roughly divided into 4 categories:

1. Port-based VLAN

This method of dividing the VLAN is divided according to the port of the Ethernet switch, such as the 1-4 port of Quidway S3526 is VLAN 10, 5 ~ 17 for VLAN 20, 18 ~ 24 is VLAN 30, of course, these ports belonging to the same VLAN Can be discontinuous, how to configure, by administrator, if there are multiple switches, for example, can specify 1 to 6 ports of the switch 1 to the same VLAN, that is, the same VLAN can span several Ethernet Switch, based on the port division is the most extensive method of the current definition VLAN, IEEE 802.1Q specifies the international standards of VLANs based on ports of the Ethernet switch.

The advantage of this method of dividing is that it is very simple when defining the VLAN member, as long as all ports are defined, it is possible. Its disadvantage is that if the user of VLAN A leaves the original port, it is necessary to redefine it to a port of a new switch.

2, based on MAC address division VLAN

This method of dividing the VLAN is based on the MAC address of each host, that is, all the hosts of each MAC address are configured which groups. The maximum advantage of this method of dividing the VLAN is that when the user is moved, that is, when the switch is moved from one switch, the VLAN does not need to be reconfigured, so this can be considered that the division method according to the MAC address is based on the user's VLAN. The disadvantage of this method is to initialize, all users must configure, if there are hundreds of or even thousands of users, the configuration is very tired. Moreover, this method also results in a reduction in the efficiency of the switch, because there may be a number of members of the VLAN group in the port of each switch, so that the broadcast package cannot be restricted. In addition, for users who use laptops, their network cards may be replaced frequently, so that VLANs must be configured.

3, based on network layer division VLAN

This method of dividing the VLAN is based on the network layer address or protocol type of each host (if supported multi-protocol), although this division method is based on network addresses, such as IP addresses, but it is not routed, with network layers Routing has no relationships. Although it looks at each packet's IP address, but because it is not routing, there is no RIP, OSPF and other routing protocols, but according to the spanning tree algorithm, the advantage of this method is that the physical location of the user changes, not Reconfigure the locked VLAN, and can be divided according to the protocol type, which is important for network managers, and this method does not require additional frame tags to identify VLANs, which can reduce network traffic.

The disadvantage of this method is that the efficiency is low, because the network layer address of each packet is required to consume time-consuming time (relative to the front two methods), the general switch chip can automatically check the Ethernet of the network on the network. Head, but let the chip check the IP frame header, require higher technology, while more time. Of course, this is related to the implementation of various vendors.

4, divided according to IP multicasting VLAN

The IP multicast is actually a definition of a VLAN, that is, a multicast group is a VLAN, which expands the VLAN to a wide area network, so this method has greater flexibility, and it is also easy to pass the router. Of course, this method is not suitable for local area networks, mainly efficient.

In view of the current trend of current industry VLAN development, considering the advantages and disadvantages of various VLAN division, in order to maximize the user's demand during specific use, the Quidway S series is reduced in the VLAN. The switch is divided into a VLAN according to the port.

VLAN technology

Because the VLAN technology is closely related to the local area network technology, we first understand the relevant knowledge of the LAN before introducing VLAN.

LAN (LAN) is typically defined as a separate broadcast domain, mainly using network devices such as Hub, Bridge, or Switch to connect all nodes in the same network segment. Between the network nodes within a local area network, communication can not communicate through the network router; communication between devices in different local area networks must pass through the network router.

Figure 1 shows a typical local area network environment built using a router.

In the figure, different local area network segments are divided by using the router. Among them, the part within the circular area is one of the independent local area network segments. In order to facilitate this paper, we have numbered different network segments. One thing to note is that the router interfaces connected to each local area are part of the local area network broadcaster.

With the continuous expansion of the network, the access device has gradually increased, and the network structure is increasing, and more routers must be used to divide different users into their respective broadcast domains, providing network interconnections between different LANs.

One of the defects that do this is that with the increase in the number of routers in the network, the network delay gradually increases, resulting in a decline in network data transmission speed. This is mainly because the data must pass the router's routing operation, and the router determines the target address of the packet according to the corresponding information in the packet, and then select the appropriate path to forward.

VLAN, also known as the virtual local area network, is composed of devices located in different physical parties network segments. Although the device connected by the VLAN comes from a different network segment, direct communication can be performed, as if it is in the same network segment, thereby named the virtual local area network. Compare traditional local area network layouts, VLAN technology is more flexible. In order to create a virtual network, it is necessary to adjust the existing network topology.

Also, the same network terminal is connected, and the same network connection is provided by the switched network shown in the figure. Although the network shown in Figure 2 has great improvements and improvements in speed and network delay, there is still some shortcomings in terms of the network. Among them, the most prominent point is that all network nodes are now in the same broadcast domain, greatly increasing data traffic between all devices in the network. With the continuous expansion of the network, it is possible to broadcast the broadcast storm, causing the entire network to enter the VLAN technology.

VLAN is an abbreviation of the English Virtual Local Area Network, that is, a virtual LAN. On the one hand, the VLAN is based on the LAN switch; on the other hand, the VLAN is the soul of the local area exchange network. This is because the broadband network can be easily formed through the VLAN user to move and quickly, without changing any hardware and communication lines. In this way, network administrators can allocate users and network resources from logically without considering physical connection. VLAN fully reflects the importance of modern network technology: high speed, flexible, easy management and easy expansion. Is there a VLAN function to measure an important indicator of a local area network switch. The virtualization of the network is the trend of future network development.

VLANs are not different from principles from principles, but from the perspective of user use and network management, the most basic difference between VLAN and ordinary local area network is reflected in: VLAN is not limited to a network or physical range, VLAN Users can be located in any location in a park, even in different countries.

VLAN has the following advantages:

Controlling network broadcast storm

With VLAN technology, a switched port can be drawn into a VLAN, and a VLAN broadcast storm does not affect the performance of other VLANs.

Ensure network security

The reason why the shared local area network is difficult to guarantee the security of the network because it can access the network as long as the user inserts an active port. The VLAN can limit the access of individual users, control the size and position of the broadcast group, and even lock the MAC address of a device, so the VLAN ensures the security of the network.

Simplify network management

Network administrators can easily manage the entire network with VLAN technology. For example, it is necessary to establish a workgroup network to complete a project, and its members may all over the country or worldwide. At this time, network administrators can set up a few commands to establish the VLAN network of the project in a few minutes. Using the VLAN network, just like a local area network locally. The classification of VLANs has the following:

Port-based VLAN

Port-based VLANs are the simplest way to divide the virtual LAN. This is actually a collection of some exchange ports, and network administrators only need to manage and configure exchange ports, regardless of the switching port.

MAC address-based VLAN

Since only the NIC is assigned a MAC address, the VLAN is actually scored with some workstations and servers in a VLAN. In fact, the VLAN is a collection of some MAC addresses. When the device moves, the VLAN can automatically identify. Network management needs to manage and configure the MAC address of the device, apparently when the network is large, and the equipment will bring difficulty to management.

VLAN based on line 3

The VLAN based on the third layer is a method commonly used in the router: IP subnet and IPX network number, etc. Among them, the LAN switch allows a subnet to extend to multiple LAN exchange ports, and even allow one port to correspond to multiple subnets.

Strategy-based VLAN

Policy-based VLANs are a relatively flexible VLAN division method. What kind of strategy is the core of this method? Currently, common strategies have (related to the support of vendor equipment):

Press MAC address

Press IP address

Press Ethernet Protocol

According to the application, etc.

How to configure VLAN on the switch

We know that traditional local area network Ethernet uses a carrier surplus multiplex (CSMA / CD) method with conflict detection. In the CSMA / CD network, nodes can use the network at any time they have data to be sent. Before the node transmits data, it "monitors" to understand whether the network is busy. If not, the node starts transmitting data. If the network is being used, the node is waiting. If two nodes are listening, they have not heard anything, and the line will appear at the same time. When sending data, it uses a broadcast address, then all PCs on this segment will receive a packet, so that if the network segment PC is numerous, it is easy to cause broadcast storms. Conflicts and broadcast storms are an important factor affecting network performance. In order to solve this problem, the virtual LAN (VLAN concept. The virtual network is a virtual working group established through the network switching device throughout the network. The virtual network is logically equal to the second layer of the second layer of the OSI model, and specific The physical network and geographic location. Virtual Workgroups can include sectors and working groups in different locations, do not have to be physically reconfigured any ports, truly realize network users with their physical location. Virtual network technology puts traditional broadcast fields Split into a separate sub-broadcast domain as needed, and the broadcast restrictions in the virtual work group, due to the reduction in the broadcast domain, the proportion of broadcast pack consumption in the network is greatly reduced, and the performance of the network is significantly improved. We combine below The picture shows. Figure 1 shows the department of the same properties in the two floors to a VLAN, so that accounting data will not broadcast, nor and the machines of the market. A data conflict occurs. So VLAN is effectively divided into conflict domains and broadcast domains.

We can define a VLAN on a port of the switch, all terminals connected to this particular port are part of the virtual network, and the entire network can support multiple VLANs. VLANs reduce unnecessary data traffic to minimal, isolating the transmission and possible problems between the various VLANs, and reduce network latency. In a virtual network environment, communication between users in the same physical network segment can be controlled by dividing different virtual networks. This effectively implements the confidentiality of the data, and it is not bother that the network administrator can logically reconfigure the network, quickly, simple, effectively balance the load flow, and easily increase, delete and modify the user. You don't have to adjust the network configuration from a physically. Since VLAN has so many advantages, why don't we understand it to apply VLAN technology to our real-world network management? Ok let us look at how to configure the VLAN on the switch through the actual example of the example of configuring static VLANs on the Catalyst 1900 switch.

Figure 1 Two VLANs on Catalyst 1900

Set up a super terminal, after connecting to the 1900 switch (you can refer to the "1900 Series Ethernet Switch Quick Start Guide" or other Cisco references), the following main configuration interface appears:

-------------------------------------------------

1 User (s) Now Active On Management Console.

User Interface Menu

[M] Menus

[K] Command Line

[I] IP Configuration

ENTER Selection:

We briefly introduce that there are three options, [M] Menus is the main menu, mainly the initial configuration of the switch and the health of the switch. [K] Command line is the command line, and it is very similar to the command to configure and monitor the router with a command, mainly by command. [I] IP Configuration is an option to configure IP addresses, subnet masks, and default network management. This is the first time that the switch is displayed. If you have configured IP Configuration, this option will be not available next time. Because the configuration is conclude, it is clear, so we can achieve the configuration of the VLAN through [K] Command Line. Set up a super terminal, after connecting to the 1900 switch (you can refer to the "1900 Series Ethernet Switch Quick Start Guide" or other Cisco references), the following main configuration interface appears:

-------------------------------------------------

1 User (s) Now Active On Management Console.

User Interface Menu

[M] Menus

[K] Command Line

[I] IP Configuration

ENTER Selection:

We choose [K] Command Line to enter the command line configuration

Enter Selection: K Enter

CLI session with the switch is open.

To End The CLI Session, Enter [exit].

Now we have entered the ordinary user mode of the switch, just like the router, this mode can only view the current configuration, cannot change the configuration, and the commands that can be used are limited. We enter enable, enter the privileged model:

> eNable

#Config T

Enter Configuration Commands, One Per Line.end with CNTL / Z

(config) #

For security and convenience, we give this switch to the name and set the login password.

(config) #hostname 1900Switch

1900Switch (config) # ENABLE Password Level 15 Goodwork

1900Switch (Config) #

Note: The password must be 4-8 characters. The setting of the switch password and the router are slightly different, the switch is determined by the LEVEL level to determine the authority of the password. Level 1 is the password that enters the command line interface, that is, after setting the password of Level 1, you will connect to the switch next time, and enter K, you will enter your password, this password is the password set by Level 1. Level 15 is the privileged mode password you entered after you enter the enable command. The router is in this distinguishing between Enable Password and Enable Screet. Help, we have set up the name and password, which is safe, let us set up VLAN. VLAN settings below 2 steps:

1. Set up VLAN name

2. Apply to the port

Let's set the name of the VLAN. Use the VLAN VLAN NAME VLAN name. Configuration in privileged configuration mode:

1900Switch (config) #VLAN 2 Name Accounting

1900Switch (config) #VLAN 3 Name Marketing

We have newly configured 2 VLANs why the VLAN number starts from 2? This is because by default, all ports are placed on the VLAN 1, so they are configured from 2. The 1900 series of switches can be configured by 1024 VLANs, but only 64 simultaneously, of course, this is theoretical, we should plan the number of VLANs according to the actual needs of your own network. After configuring the VLAN name, we have to enter each port to set the VLAN. In the switch, to enter a port, for example, the fourth port, use Interface Ethernet 0/4, good, combined with the figure given above, we will make port 2, 3, 4 and 5 belong to VLAN2, port 17-- -22 belongs to VLAN3. The command is the VLAN-Membership Static / Dynamic VLAN number. Two static or dynamic must choose one, followed by the VLAN number that is just configured. Ok, let's see the results:

1900Switch (config) #interface Ethernet 0/2

1900Switch (config-if) # vlan-membership static 2

1900Switch (config-if) #int E0 / 3

1900Switch (config-if) # vlan-membership static 2

1900Switch (config-if) #int E0 / 4

1900Switch (config-if) # vlan-membership static 2

1900Switch (config-if) #int E0 / 5

1900Switch (config-if) # vlan-membership static 2

1900Switch (Config-IF) #int E0 / 17

1900Switch (config-if) # vlan-membership static 3

. . . . . .

1900Switch (config-if) #int E0 / 22

1900Switch (config-if) # vlan-membership static 3

1900Switch (config-if) #

Ok, we have already defined the VLAN to the port of the switch. Here, we are just static, about dynamics, we will mention it later. Up to now, we have already configured the VLAN of the switch, how, not what you imagine :). To verify our configuration, we use the show vlan command in privileged mode. The output is as follows: 1900Switch (config) #Show VLAN

VLAN Name Status Ports

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

1 Default Enabled 1, 6-16, 22-24, AUI, A, B

2 acconting enabled 2-5

3 Marketing enabled 17-22

1002 FDDI-Default Suspended

1003 token-ring-defau suspended

1004 fddinet-default supended

1005 Trnet-Default Suspended

This is a 24-port switch, with AUI and two 100 mega ports (A, B), which can be seen, our settings have been working properly, what, do you want to save Running Configure? Of course, it is not used, the switch is automatically saved instantly, so don't use our command to save the settings. Of course, you can also use the Show VLAN VLAN number to see a VLAN, such as show VLAN 2, show VLAN 3. You can also use show vlan-membership, the change command is mainly to display each port on the switch static or dynamic Which VLAN belongs to.

The above is the process of configuring static VLANs to the switch, let's take a look at the dynamic VLAN. Dynamic V L A n is very simple, and when it determines which Vl a N is bound by the port, a dynamic V L A n is formed. However, this does not mean that a layer is not changed, it is just a simple mapping, which depends on the database created by the network administrator. After the port assigned to the dynamic VLAN is activated, the switch caches the source MAC address of the initial frame. Subsequently, the switch issues a request to a external server called VMPS (VLAN Management Policy Server), and the VMPS contains a text file, file There is a MAC address that performs VLAN mapping. The switch downloads this file and then verifies the M A C address in the file. If the M a C address is found in the file list, the switch assigns the port to Vl a n in the list. If there is no M a C address in the list, the switch assigns the port to the default V L A n (assuming that the default Vl a n) is defined. If there is no M a C address in the list, and the default V L A n is defined, the port will not be activated. This is a very good way to maintain a network security. From the surface, the advantages of dynamic V L a n are large, but it also has a fatal disadvantage that creates a database is a very hard and very cumbersome work. If there are thousands of workstations on the network, there are a lot of input work to do. Even if someone can compete for this job, there will be many problems related to dynamic V L A n. In addition, maintaining the database is the latest job that is also a very time time. So don't use it, here we don't do a detailed explanation, you can refer to the relevant Cisco documentation.

So, it is so complicated without what you imagine. We have already configured the VLAN, then another part of the VLAN can't ignore the work, which is the preliminary plan for the network. That is to say, which machines are in a VLAN, how to assign each IP address, and the subnet mask, and the issue of communication between VLANs. Only the planning plan is good to easily save things during the configuration and future use maintenance process. How does the company's internal network for VLAN division

Many friends ask, how do the company's internal network is divided by VLAN? How can we ensure that the company's network is working properly and efficiently? Before you truly implement the company's internal network, we will first learn about some related VLAN technology.

Definition of VLAN

What is VLAN? VLAN (Virtual Local Area Network), is a virtual LAN, is an emerging technique for virtual working groups to realize virtual working groups by logically ratherning a device within a local area. IEEE issued a draft 802.1Q protocol standard for standardizing VLAN implementations in 1999.

VLAN technology allows network managers to logically divide a physical LAN into a different broadcast domain (or called virtual LAN, ie VLAN). Each VLAN contains a computer workstation with the same needs, with physical LANs that are physically formed. The same properties. But because it is logically rather than physically divided, the workstations in the same VLAN do not have to be placed in the same physical space, ie these workstations do not necessarily belong to the same physical LAN network segment. The broadcast and unicast traffic within a VLAN will not be forwarded to other VLANs, even two computers have the same network segment, but they have no identical VLAN numbers, and their respective broadcast flows will not be forwarded each other. Helps control traffic, reduce equipment investment, simplify network management, and improve network security.

The VLAN is proposed to solve the broadcast problem and security of Ethernet. It adds VLAN heads based on Ethernet frames. Use VLAN ID to divide users into smaller working groups, limit users in different working groups. Layer exchanges, each working group is a virtual local area network. The advantage of a virtual local area network can limit the range of broadcasts and can form a virtual working group and dynamic management network.

Since the VLAN isolates the broadcast storm, it also isolates communication between the different VLANs, so communication between different VLANs needs to be done.

VLAN division

1. Divide VLAN according to port

Many VLAN vendors use the port of the switch to divide VLAN members. The set port is in the same broadcast domain. For example, one, 2, 3, 4, 5 ports of a switch are defined as virtual network AAA, and the 6, 7, 8 ports of the same switch constitute virtual network BBB. Do this allow communication between ports and allows for the upgrade of shared networks. However, this division mode limits the virtual network on a switch.

The second-generation port VLAN technology allows multiple different ports across multiple switches to divide VLANs, and several ports on different switches can form the same virtual network.

The network member is divided by the switch port, and its configuration process is simple. Therefore, from the current perspective, this way to divide the VLAN according to the port is still the most common way.

2. Divide VLAN according to MAC address

This method of dividing the VLAN is based on the MAC address of each host, ie, which groups it belongs to each MAC address. The maximum advantage of this division VLAN method is that when the user is moved, that is, when the switch is moved from one switch, the VLAN does not need to be reconfigured, so that this method according to the MAC address can be considered based on the user's VLAN, The disadvantage of this method is to initialize, all users must configure, if there are hundreds of or even thousands of users, the configuration is very tired. Moreover, this method also results in a reduction in the efficiency of the switch, because there may be a number of members of the VLAN group in the port of each switch, so that the broadcast package cannot be restricted. In addition, for users who use laptops, their network cards may be replaced, so that VLANs must constantly configure. 3. Divide VLAN according to the network layer

The advantage of this method is that the user's physical location changes, and does not need to reconfigure the locked VLAN, and can be divided according to the protocol type, which is important for network managers, and this method does not need to be added. Frame labels to identify VLANs, which can reduce network traffic.

The disadvantage of this method is that the efficiency is low because the network layer address of each packet is required to consume the processing time (relative to the front two methods), and the general switch chip can automatically check the Ethernet frame on the network. Head, but let the chip check the IP frame header, require higher technology, while more time. Of course, this is related to the implementation of various vendors.

4. Divide VLAN according to IP Multicast

VLAN standard

For VLAN standards, we only introduce two more common standards, of course, some companies have their own standards, such as Cisco's ISL standards, although not a public standard, but because of a large number of Cisco Catalyst switches, ISL also Become a standard for standards.

· 802.10VLAN standard

In 1995, Cisco advocated using the IEEE802.10 protocol. Prior to this, IEEE 802.10 has been a global basis for the same specification of VLAN security. Cisco is trying to use the Optimized 802.10 frame format to transfer the VLAN tags in the FramTaging mode on the network. However, members of most 802 committees oppose the promotion of 802.10. Because this protocol is based on FrameTagging mode.

· 802.1q

In March 1996, the IEEE802.1InetNetworking Committee ended the revision of the primary standards of the VLAN. The newly introduced standard further improves the VLAN architecture, unified the label format of different manufacturers in the Fram-etagging mode, and develops VLAN standards in the development direction of the next time, the standard of 802.1Q has been widely available in the industry. Promotion. It became a milestone in the history of VLAN. The emergence of 802.1q broke the virtual network depends on a single manufacturer's deadlock, promoted the rapid development of VLAN from one side. In addition, the pressure from the market enables large network manufacturers to integrate new standards into their respective products.

Corporate Division Instance

For each company, we have its own different needs. Here we give an example of a typical company's VLAN, which can also become the basis for the company's division of VLANs later. A company is now an engineering department, the sales department, and the Finance Department. VLAN division: Engineering VLAN 10, Sales VLAN 20, Finance Department VLAN 30, and departments can also communicate with each other. Existing equipment is as follows: Cisco 3640 router, a Cisco Catalyst 2924 switch, a secondary switch several sets.

Some code in the switch profile is as follows:

......

Interface VLAN10

IP Address 192.168.0.1

Interface VLAN20

IP Address 192.168.1.1

Interface VLAN30

IP Address 192.168.2.1

......

Some code in the router profile is as follows:

......

Interface FasteThernet 1 / 0.1

Encapsulation ISL 10

IP Address 192.168.0.2

Interface FasteThernet 1 / 0.2

Encapsulation ISL 20

IP Address 192.168.1.2

Interface FasteThernet 1 / 0.3

Encapsulation ISL 30

IP Address 192.168.2.2

......

Router rip

NetWork 192.168.0.0

......

Catalyst5500 switch VLAN settings

Example

Equipment selection 1 Catalyst5500 switch, install the WS-X5530-E3 management engine, multiple WS-X5225R and WS-X5302 routing switch modules, WS-X5302 is directly inserted into the switch, connected to the VLAN on the system backplane through two channels, From the user's perspective, it is considered that it is a 1 interface module that supports ISL. There are 3 virtual networks in the switch, named DEFAULT, QBW, RGW, and realize virtual network routes via WS-X5302.

The following increases the lower horizontal portion, such as the set system name 5500c for the command to be set.

Set as follows:

Catalyst 5500 configuration:

Begin

Set Password $ 1 $ FMFQ $ HFZR5DUSZVHIRHRZ4H6V70

Set EnablePass $ 1 $ FMFQ $ HFZR5DUSZVHIRHRZ4H6V70

Set Prompt Console>

Set Length 24 Default

Set logout 20

Set banner motd ^ c ^ c

#System

Set system baud 9600

Set System Modem Disable

Set System Name 5500C

Set System Location

Set System Contact

#ip

SET Interface SC0 1 10.230.4.240 255.255.255.0 10.230.4.255

Set Interface SC0 UP

Set Interface SL0 0.0.0.0 0.0.0.0

Set Interface SL0 UP

SET ARP AGINGTIME 1200

Set ip redirect enable

SET IP Unreachable Enable

Set IP Fragmentation Enable

Set IP Route 0.0.0.0 10.230.4.15 1

Set ip alias default 0.0.0.0

#Command alias

#vtpset vtp Domain HNE

Set VTP Mode Server

SET VTP V2 Disable

Set vtp pruning disable

SET VTP PruneEliGible 2-1000

Clear vtp pruneEligible 1001-1005

Set Vlan 1 Name Default Type Ethernet MTU 1500 Said 100001 State Active

SET VLAN 777 Name RGW Type Ethernet MTU 1500 Said 100777 State Active

Set VLAN 888 Name QBW Type Ethernet MTU 1500 Said 100888 State Active

SET VLAN 1002 Name FDDI-Default Type FDDI MTU 1500 Said 101002 State Active

SET VLAN 1004 Name FDDINET-Default Type FDDINET MTU 1500 SAID 101004 State Active Bridge 0x0 STP IEEE

Set VLAN 1005 Name Trnet-Default Type Trbrf MTU 1500 Said 101005 State Active Bridge 0x0 STP IBM

SET VLAN 1003 Name token-Ring-Default Type Trcrf MTU 1500 Said 101003 State Active Parent 0 Ring 0x0 Mode SRB Aremaxhop 7 STEMAXHOP 7

#set boot command

SET Boot Config-Register 0x102

SET Boot System Flash Bootflash: Cat5000-Sup3.4-3-1a.bin

#Module 1: 2-Port 1000Baselx Supervisor

Set Module Name 1

SET VLAN 1 1 / 1-2

SET port enable 1 / 1-2

#Module 2: EMPTY

#Module 3: 24-Port 10 / 100Basetx Ethernet

Set Module Name 3

Set module enable 3

SET VLAN 1 3 / 1-22

Set VLAN 777 3/23

SET VLAN 888 3/24

Set trunk 3/1 on ISL 1-1005

#Module 4 EMPTY

#Module 5 EMPTY

#Module 6: 1-Port Route Switch

Set Module Name 6

Set Port Level 6/1 Normal Normal

Set port trap 6/1 disable

SET port name 6/1

SET CDP Enable 6/1

SET CDP Interval 6/1 60

Set trunk 6/1 on ISL 1-1005

#Module 7: 24-Port 10 / 100Basetx Ethernet

Set Module Name 7

SET MODULE ENABLE 7

SET VLAN 1 7 / 1-22

SET VLAN 888 7 / 23-24

Set trunk 7/1 on ISL 1-1005

Set trunk 7/2 on ISL 1-1005

#Module 8 EMPTY

#Module 9 EMPTY

#Module 10: 12-Port 100Basefx MM Ethernet

Set Module Name 10

Set module enable 10

SET VLAN 1 10 / 1-12SET Port Channel 10 / 1-4 OFF

Set Port Channel 10 / 5-8 OFF

Set Port Channel 10 / 9-12 OFF

Set Port Channel 10 / 1-2 on

Set Port Channel 10 / 3-4 on

Set Port Channel 10 / 5-6 ON

Set Port Channel 10 / 7-8 ON

Set Port Channel 10 / 9-10 ON

Set Port Channel 10 / 11-12 ON

#Module 11 EMPTY

#Module 12 EMPTY

#Module 13 EMPTY

#Switch Port Analyzer

! set span 1 1/1 Both INPKTS DISABLE

Set span disable

#cam

Set Cam AgingTime 1-2, 777, 888, 1003, 1005 300

end

5500C> (enable)

WS-X5302 Routing Module Setting:

Router # WRI T

Building configuration ...

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

No Service UDP-Small-Servers

No Service TCP-Small-Servers

Hostname Router

Enable Secret 5 $ 1 $ W1K $ AJK69FGOD7BQKHKCSNBF6.

IP Subnet-Zero

Interface VLAN1

IP Address 10.230.2.56 255.255.255.0

Interface VLAN777

IP Address 10.230.3.56 255.255.255.0

Interface VLAN888

IP Address 10.230.4.56 255.255.255.0

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Router

end

Router #

3.1. Example 2:

The switching device still uses a Catalyst5500 switch, installs the WS-X5530-E3 management engine, multi-piece WS-X5225R has 3 virtual networks in the switch, named Default, QBW, RGW, realized virtual network route through the Cisco3640 router . Switch settings and examples.

The router Cisco3640 is equipped with an NM-1FE-TX module that provides ISL with a fast Ethernet interface. The Cisco3640 Quick Ethernet interface is connected to a support ISL port on the switch, such as the third slot of the switch (3/1 port).

Router # WRI T

Building configuration ...

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

No Service UDP-Small-Servers

No Service TCP-Small-Servers

Hostname Router

Enable Secret 5 $ 1 $ W1K $ AJK69FGOD7BQKHKCSNBF6.

IP Subnet-Zero

Interface Fastethernet1 / 0

Interface Fastethernet1 / 0.1

Encapsulation ISL 1

IP Address 10.230.2.56 255.255.255.0!

Interface FasteThernet1 / 0.2

Encapsulation ISL 777

IP Address 10.230.3.56 255.255.255.0

Interface Fastethernet1 / 0.3

Encapsulation ISL 888

IP Address 10.230.4.56 255.255.255.0

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Router

end

Router #

Cisco Catalyst1900 switch speeds VLAN

I. Features of VLAN

VLAN has the following features:

Segmentation, can be divided into different network segments according to department, function and project;

Flexibility, the user consisting of VLANs does not need to consider the physical location, the same VLAN can also span multiple switches;

Safety, through the separation of the broadcast domain, enabling each logical VLAN like a separate physical bridge, improves the network performance and security, but communication between different VLANs needs to be connected by a router.

Second, the basic VLAN configuration

1, single switch VLAN configuration

When the VTP protocol is not used, the switch should be configured as a VTP Transparent (transparent mode). At this time, the configuration of the switch VLAN mainly includes the following:

· Use global commands to enable VTP TRANSPARENT mode;

· Use global commands to define each VLAN number (must) and the corresponding name (optional);

· Use the interface subcommand to assign each port to the corresponding VLAN.

It is assumed that three VLANs divided as shown in Figure 1, which are configured as follows:

Switch (config) #VTP Transparent Domani Dummy

Switch (config) #VLAN 2 Name VLAN2

Switch (config) #VLAN 3 Name VLAN3

Switch (config) #interface E 0/5

Switch (config-if) # vlan-membership static 2

Switch (config) #interface E 0/6

Switch (config-if) # vlan-membership static 2

Switch (config) #interface E 0/7

Switch (config-if) # vlan-membership static 2

Switch (config) #interface E 0/8

Switch (config-if) # vlan-membership static 2

Switch (config) #interface E 0/9

Switch (config-if) # vlan-membership static3

Switch (config) #interface E 0/10

Switch (config-if) # vlan-membership static3

Switch (config) #interface E 0/11

Switch (config-if) # vlan-membership static3

Switch (config) #interface E 0/12

Switch (config-if) # vlan-membership static3

In the above configuration, let everyone feel strange that there is no configuring VLAN1, which doesn't matter because it is automatically configured, and any ports that do not specify the static VLAN configuration are considered to be in VLAN1, the same switches are also It is considered to be in the broadcast domain of VLAN1.

Once the configuration is complete, you can use the "Show VLAN VLAN" command to display a specific VLAN message to verify the parameters of the VLAN, for example:

Switch # show VLAN 3

2, configuration of multiple switches

To allow VLANs to span multiple switches, this must be configured to connect to these switches. Cisco requires the use of a backbone protocol such as ISL on this backbone, so that the command to enable the trunk protocol is Trunk.

Use the Trunk interface configuration command to set a quick Ethernet interface into a trunk mode, there are two fast Ethernet interfaces FA0 / 26 and FB0 / 27 on the Cisco Catalyst 1900 switch. Enables and define the main protocol type to be static and dynamically when using Dynamic Switch Link Protocol (DISL) for ISL. The syntax of the TRUNK interface configuration command is as follows:

Switch (config) #trunk [on / off / desirable / auto / nonnegotiate]

· ON - Configure ports to permanently ISL backbone mode and negotiate the link into a backbone mode with the connection device negotiation;

· OFF - prohibits the main model of the port and negotiates the way to non-maind mode with the connection equipment negotiation;

• Desirable-trigger port for negotiation, convert the link from non-maind mode into a backbone mode; if the connection device is in the ON, Desirable or AUTO state, this port will negotiate with the trunk, otherwise the port is non-maind port;

· Auto - only changes the port to the main dry by the connection device is on or the Desirable state;

· Nonnegotiate - Configure ports to a permanent trunk mode and is not negotiated with the other party.

In actual work, it can be set to the corresponding mode according to the options for the configuration parameters.

figure 2

Figure 2 is a configuration example with two switches into three VLANs, which are configured as follows:

Switch1 (config) #interface e fa 0/26

Switch1 (config-if) #Trunk on

Switch1 (config-if) # vlan-membership static 1

Switch1 (config-if) # vlan-membership static 2

Switch1 (config-if) # vlan-membership static 3

Switch1 (config) #interface e fb 0/27

Switch1 (config-if) #Trunk on

Switch1 (config-if) # vlan-membership static 1

Switch1 (config-if) # vlan-membership static 2

Switch1 (config-if) # vlan-membership static 3

Note: The two fast Ethernet ports are not only configured as trunk, but 3 VLANs are static to these ports, and through simultaneous configuration of these VLANs, the switch regards the backward port as part of these VLANs, of course, Routers must also be configured to support ISL.

To verify the main configuration and VLAN port allocation, "Show Trunk A / B" and "Show Vlan-Membership" can be used. Where A / B represents rapid Ethernet ports 0/26 and 0/27, respectively.

Third, use VTP configuration VLAN

1, VTP role

The switch is multi-point to transfer public administrative domain messages to the same management domain by VTP timing (every 5 minutes) or real-time (when the parameters of the switch are changed), and synchronize the configured VLANs configured by the same management domain (in the network The large time is obvious), supporting mixed media (FDDI, ATM, etc.), accurately tracking VLANs, minus, renovation, and other real time. VTP is a second-level information protocol, mainly the consistency of maintenance configuration. By default, the switch is in a Non-Management-Domain state, and its VLAN information will not be announced. Adding available bandwidth by setting VTP pruning (default status). 2, VTP three modes: Server (default), Client, Transparent

· Server: Create, change, and delete VLANs and other configuration parameters for the entire VTP domain, these messages are sequentially transmitted to VTP customers in the same domain, VLAN configuration information exists in NVRAM

· Client: VLAN configuration information is not available to NVRAM, when VTP customers can not create, change, and delete VLANs, can only synchronize VLAN information

· Transparent: When the switch does not need or if you do not want to join VTP, it is mainly used as local management, not sharing VLAN information with other switches, but can still transfer VTP notices to other switches.

3, VTP crop

Since the ISL trunk line carries all VLAN traffic, some traffic may not be broadcast to the link that does not need to carry their link, VTP croping uses VLAN notification to determine when the main dry connection does not require flood transmission, default In the case, the backbone connection carries all VLAN traffic in this VTP management domain, and in actual work, some switches do not have to configure the local port to each VLAN so that the VTP configuration is necessary.

4, configure VLAN using VTP

For the Catalyst 1900 switch, the default VTP configuration parameters are as follows:

· VTP domain name: none (none)

· VTP mode: Server (server)

· VTP password: none (none)

· VTP Crop: Disabled (forbidden)

· VTP traps: enabled (enabled)

The VTP domain name can be specified or learned, and it is not set by default. If the default configuration receives a VTP notification with a domain name, it will use this domain name; if the switch has been configured, it is ignored to receive a domain name notice.

The VTP and management domains can set the password, but all the switches in the domain must enter the password, otherwise VTP will not work properly.

Enabling and disabling the VTP crop on the VTP server will propagate into the entire management domain, if VTP is cropped, all VLANs on VLAN1 will be cropped.

Assume that there is a VLAN connection as shown in Figure 3, the specific configuration is as follows:

· Configuration as a VTP server switch 1

Switch1 # Configure Terminal

Switch1 (COFIG) #ip Address 10.5.5.11 255.255.255.0

image 3

Switch1 (cofig) #ip defaul-gateway 10.5.5.3

Switch1 (COFIG) #VTP Server Domain Hartsfield Purning Enable

Switch1 (Cofig) #VLAN 2 Name VLAN2

Switch1 (COFIG) #VLAN 3 Name VLAN3

Switch1 (cofig) #interface E 0/5

Switch1 (Cofig-IF) # Valn-Membership Static 2Switch1 (Cofig) #interface E 0/6

Switch1 (Cofig-IF) # Valn-MemberShip Static 2

......

Switch1 (cofig) #interface e 0/9

Switch1 (COFIG-IF) # Valn-Membership Static 3

Switch1 (config) #interface e fa 0/26

Switch1 (config-if) #Trunk on

Switch1 (config-if) # vlan-membershi static 1

......

Switch1 (config) #interface e fb 0/27

Switch1 (config-if) #Trunk on

Switch1 (config-if) # vlan-membershi static 1

......

· Configuration as VTP Customer Switch 2

Switch2 # Configure Terminal

Switch2 (Cofig) #ip Address 10.5.5.12 255.255.255.0

Switch2 (cofig) #ip defaul-gateway 10.5.5.3

Switch2 (Cofig) #VTP Client

Switch2 (Cofig) #interface E 0/5

Switch2 (Cofig-IF) # Valn-MemberShip Static 3

Switch2 (Cofig) #interface E 0/6

Switch2 (Cofig-IF) # Valn-MemberShip Static 3

Switch2 (Cofig) #interface E 0/7

Switch2 (Cofig-IF) # Valn-MemberShip Static 3

Switch2 (Cofig) #Iinterface E 0/8

Switch2 (Cofig-IF) # Valn-MemberShip Static 3

Switch2 (Cofig) #interface E 0/9

Switch2 (Cofig-IF) # Valn-MemberShip Static 3

......

Switch2 (config) #interface e fa 0/27

Switch2 (config-if) #trunk on

Switch2 (config-if) # vlan-membershi static 1

Switch2 (config-if) # vlan-membershi static 3

Note: There is no domain name in the switch 2 configuration, which may learn through the first notice;

There is no need to define the VLAN in the switch 2 configuration, and it is not defined in VTP client mode.

Cutting in switch 1 is enabled, VTP crops VLAN2 from switch 2, because there is no VLAN 2 port in switch 2.

In order to verify the new configuration or understand the configuration information of the VTP, you can use the command:

Switch1 # show vtp

V. VLAN configuration summary

Due to the limitations of the space, the terms and concepts and other specific situations of the VLAN configuration are not introduced, and the VLAN configuration is summarized below:

1, configuration principle

Maximum VLAN number, preset VLAN, CDP, VTP, and IP addresses are valid for VLAN1

2, configuration steps

Enable vtp (optional) => Enable Trunking => Create Vlans => Assign Vlan To Ports

3, VTP configuration content and principles

· Passwod: Domain Management Password Set the same in all switches in the same domain, otherwise VTP will not work properly;

• Configuring a prUning feature on Server affects the entire VTP domain (the parameters involved in the VTP declaration);

· Trap: The default is open, each new VTP message will generate a SNMP information; · VTP has two versions: V1 only supports Ethernet, V2 also supports Token Ring.

4, VTP configuration command

· Show VTP: Confirm the latest configuration change

· Trunk ON / Off / Disirable / Auto / Nonegotiate (only in Hundred, Gigabit)

· Show Trunk

· VLAN #: Number range, not name

· Show VLAN ...

· VLAN renamed

· VLAN-MEMBERSHIP Static VLAN # or Dynamic default all ports are VLAN1

· Show Vlan-MemberShip

· SHOW Spantree VLAN # Check if a VLAN has run STP.

Configuring IP Intervlan Routing on the RSM

Step 1 (optional) enable ip routing on the router1.

IP routing

Step 2 (optional) Specify An IP Routing Protocol2.

Router IP_ROUTING_PROTOCOL

Step 3 Specify A VLAN Interface on The RSM.

Interface VLAN-ID

Step 4 assign an ip address to the VLAN.

IP address n.n.n.n mask

Step 5 exit configuration mode.

Ctrl-z

This Example Shows How To Enable IP Routing On The RSM, Create A VLAN Interface, And Assign The Interface AN IP Address:

Router # Configure Terminal

ENTER Configuration Commands, One Per Line. End with CNTL / Z.

Router (config) #ip routing

Router (config) #Router Rip

Router (config-router) #Network 10.0.0.0

Router (config-router) #Iinterface VLAN 100

Router (config-if) #ip address 10.1.1.1 255.0.0.0

ROUTER (config-if) # ^ z

Router #

Configuring IP Intervlan Routing on An External Ro

Step 1 (optional) enable ip routing on the router1.

IP routing

Step 2 (optional) Specify An IP Routing Protocol2.

Router IP_ROUTING_PROTOCOL

Step 3 Create a Subinterface ON A Physical Interface.

Interface interface_type interface_number.subinterface-_number

Step 4 Specify The Encapsulation and Vlan Number To Use on The Subinterface.

Encapsulation encapsulation_type vlan_id

Step 5 assign an ip address to the subsinterface.

IP address n.n.n.n mask

Step 6 Repeat Steps 3-5 for Each VLAN Between Which You Want To Route Traffic Mode. Step 7 EXIXT Configuration Mode.

Ctrl-z

This Example Shows How To Enable IP Routing On The Router, Create Two Subinterface, And Specify The Encapsulation, VLAN Number, And IP Address for Each Subinterface:

Cisco7505 # Configure Terminal

ENTER Configuration Commands, One Per Line. End with CNTL / Z.

Cisco7505 (Config) #ip routing

Cisco7505 (config) #Router RIP

Cisco7505 (Config-router) #Network 10.0.0.0

Cisco7505 (config-router) #Iinterface Fastethernet2 / 0.100

Cisco7505 (config-subif) #ENCAPSULATION ISL 100

Cisco7505 (config-subif) #ip address 10.10.1.1 255.255.0.0

Cisco7505 (config-router) #Iinterface FasteThernet2 / 0.200

Cisco7505 (Config-Subif) #encapsulation ISL 200

Cisco7505 (Config-Subif) #ip address 10.20.1.1 255.255.0.0

Cisco7505 (config-subif) # ^ z

Cisco7505 #

Intervlan Routing Configuration EXAMPLES

[[The no.1 picture.]]]]]

Configuration steps

1. Configure switch a as a vtp server and assign a vtp Domain name.

2. Configure Switch B And Switch C As VTP Clients and Assign The Same VTP Domain Name.

3. Configure isl trunk links Between the switches.

4. Create The VLANS ON SWITCH A (The VLANFORMATION IS PROPAGATED TO SWITCH B AND SWITCH C THROUGH VTP).

5. Assign The Switch Ports on each switch to the appropriate VLAN.

6. ON The RSM, Create One VLAN Interface for Each VLAN Configured on Switch A.

7. Assign IP addresses to the vlan interfaces.

Switch a configuration

This Example Shows How To Configure Switch A:

Switcha> (Enable) Set Trunk 1/1 Desirable

Port (s) 1/1 Trunk Mode Set to Desirable.

Switcha> (enable)% DTP-5-Trunkporton: Port 1/1 HAS Become Isl Trunk

% PAGP-5-PortTostp: Port 1/1 Joined Bridge Port 1/1

% PAGP-5-Portfromstp: Port 1/1 Left Bridge Port 1/1% PAGP-5-Porttostp: Port 1/1 Joined Bridge Port 1/1

Switcha> (Enable) SET VTP DOMAIN CORPORATE

VTP Domain Corporate Modified

Switcha> (Enable) SET VTP MODE SERVER

VTP Domain Corporate Modified

Switcha> (Enable) Set VLAN 2 Name Engineering

VLAN 2 Configuration Successful

Switcha> (enable) Set VLAN 3 Name Marketing

VLAN 3 Configuration Successful

Switcha> (Enable) Set VLAN 4 name Accounting

VLAN 4 Configuration Successful

Switcha> (enable) Set VLAN 2 3/1

VLAN 2 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

2 3/1

Switcha> (enable) Set VLAN 3 3/2

VLAN 3 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

3 3/2

Switcha> (enable) Set VLAN 4 3/3

VLAN 4 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

4 3/3

Switcha> (enable)

Switch B Configuration

This Example Shows How To Configure Switch B:

Switchb> (Enable) Set Trunk 1/2 Desirable

Port (s) 1/2 Trunk Mode Set to Desirable.

Switchb> (Enable)% DTP-5-Trunkporton: Port 1/2 HAS Become Isl Trunk

% PAGP-5-PortTostp: Port 1/2 Joined Bridge Port 1/2

% PAGP-5-Portfromstp: Port 1/2 Left Bridge Port 1/2

% PAGP-5-PortTostp: Port 1/2 Joined Bridge Port 1/2

Switchb> (enable) SET VTP DOMAIN CORPORATE

VTP Domain Corporate Modified

Switchb> (enable) SET VTP MODE Client

VTP Domain Corporate Modified

Switchb> (enable) Set VLAN 2 3/1

VLAN 2 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

2 3/1

Switchb> (enable) Set VLAN 3 3/2

VLAN 3 Configuration Successful

VLAN 3 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

3 3/2

Switchb> (Enable) Set VLAN 4 3 / 3VLAN 4 Configuration Successful

VLAN 4 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

4 3/3

Switchb> (enable)

Switch C Configuration

This Example Shows How To Configure Switch C:

Switchb> (enable) SET VTP DOMAIN CORPORATE

VTP Domain Corporate Modified

Switchb> (enable) SET VTP MODE Client

VTP Domain Corporate Modified

Switchb> (enable) Set VLAN 2 3/1

VLAN 2 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

2 3/1

Switchb> (enable) Set VLAN 3 3/2

VLAN 3 Configuration Successful

VLAN 3 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

3 3/2

Switchb> (enable) Set VLAN 4 3/3

VLAN 4 Configuration Successful

VLAN 4 modified.

VLAN 1 modified.

VLAN MOD / PORTS

---- -----------------------

4 3/3

Switchb> (enable)

RSM Configuration

This Example Shows How To Configure The RSM:

Switcha> (enable) Session 5

Trying Router-5 ...

Connected to router-5.

Escape Character is '^]'.

Router> enable

Router # Configure Terminal

ENTER Configuration Commands, One Per Line. End with CNTL / Z.

Router (config) #interface VLAN 2

ROUTER (config-if) #

% LineProto-5-Updown: Line Protocol on Interface VLAN2, Changed State To Down

Router (config-if) #ip address 172.20.52.33 255.255.255.224

Router (config-if) #no shutdown

% LineProto-5-Updown: Line Protocol On Interface VLAN2, Changed State To Up

Router (config-if) #interface VLAN 3

ROUTER (config-if) #

% LineProto-5-Updown: Line Protocol on Interface VLAN3, Changed State To Down

Router (config-if) #ip address 172.20.52.65 255.255.255.224

Router (config-if) #no shutdown

ROUTER (config-if) #

% LineProto-5-Updown: Line Protocol on Interface VLAN3, Changed State To Uprouter (config-if) #

% LINK-3-UPDOWN: Interface VLAN3, Changed State To Up

Router (config-if) #interface VLAN 4

ROUTER (config-if) #

% LineProto-5-Updown: Line Protocol On Interface VLAN4, Changed State To Down

Router (config-if) #ip address 172.20.52.97 255.255.255.224

Router (config-if) #no shutdown

ROUTER (config-if) #

% LineProto-5-Updown: Line Protocol On Interface VLAN4, Changed State To Up

ROUTER (config-if) #

% LINK-3-UPDOWN: Interface VLAN4, Changed State To Up

Router (config-if) #exit

Router (config) # ^ z

Router #

% SYS-5-Config_i: configured from console by vty0 (127.0.0.2)

Router # Copy Running-Config Startup-Config

Building configuration ...

[Ok]

Router #

The actual intention is a habit ...

VLAN is a good thing, :-). The main network is governed. Today, this department / customer will pick it up, build a VLAN for him; tomorrow, the department / customer picks up, add a VLAN. Users are worry-free in their own VLAN, self-satisfaction, if you need to visit other VLANs or want to let other VLAN users to access, give him a routing, write an access control list, which is very convenient.

However, VLANs also increased the complexity of the network, making the troubleshooting more difficult.

Today, a customer calls that he specifies the F0 / 23 port on a 3524 to the VLAN 85, picking up a server 10.85.1.1, but how easy ping does not pass the other VLAN machine.

First, show CDP Nei checks the route, and the management address of the PING switch is no problem. Check the status of Trunk, Interface VLAN 85, no problem.

Sometimes VTP can lead to such a phenomenon, that is, the management address is capable, but the machine below is not available. So make a test: Newly built a Test VLAN on VTP Server to see if it is not passed down ... OK!

what is the root cause?

To the core switch 6509 Routing Module MSFC to ping this server, Timeout, Show ARP | Begin 10.85.1.1:

Internet 10.85.1.1 0 Incomplete ARPA

Explain the MAC address of this server. Since the MSFC port is connected to each VLAN, it is a pure second layer network between the server, and does not interpret the Mac of the server, and the problem is displayed on the second layer.

View the server's network card address, then log in to 6509 switch engine, show CAM XX-XX-XX-XX-XX-XX, no learning. Go to 3524, Show Mac Inter F0 / 23, this address is learned, why didn't you pass it to 6509?

In the 6509 switching engine, the command is hit: Show Spantree 85, unexpectedly discovered that the port connected to 3524 is in the blocking state! Why is the STP of VLAN85 on 3524 Is the STPLED? View the profile, have the following statement:

No spanning-tree vlan 85

No spanning-tree vlan 86

No spanning-tree vlan 87

Try to configure the switch, use the spanning-tree vlan 85 to allow VLAN 85 to generate trees, is it a look at Show Run, or old!

View the documentation, the original 3500 series switches only support 250 VLANs and can only support STP (PVST) on 64 VLANs. Turn off the spanning of the unused VLAN 30 on this switch: No spanning-tree vlan 30, then spanning-tree vlan 85, generated a tree. After tossing, after restarting the switch, it passed.

If the 2924 switch is used in the network, only 64 VLANs are supported. The number of VLANs will transition from the VTP client to the VTP Transparent mode, and then need to be manually established because it cannot store all VLANs defined in the VTP domain.

Therefore, VLAN is more troublesome. If there is no need, control the VLAN is better than 64 (including 5 reserved). If it is ISP, you really need to handle a lot of VLANs, you can consider using new VLAN Tunnel technology to encapsulate the client's multiple VLANs into a VLAN of the ISP. It is difficult to imagine instances of 1000 spanning trees on a switch ... so it is a new: 802.1W (fast span tree) and 802.1s (multi-span) solutions have a relatively good scalability.

These technologies are implemented in the Catalyst 3550 switch and the new version of Catos, and there is a more interesting standard protocol is 802.1x (port-based authentication). These protocols have successfully launched Cisco to abandon ISL and return to industry standards.

Classic configuration VLAN

Catalyst 5000 parameters

Source code:

Experimental order

Clear ip permit

Clear IP Route

Clear VLAN

Clear VTP

Debug ip packet

ping

Set Interface SC0

Set ip permit

Set IP Route

SET VLAN

SET VTP

SHOW CAM

SHOW Config

Show Flash

Show Interface

SHOW IP Permit

Show ip route

SHOW log

SHOW Mac

Show module

SHOW Port

Show system

SHOW User

Show version

SHOW VLAN

Show VTP

Telnet

Configuration instructions

1.r1

2.r2

3.r3

4.r4

5.r5

6.r6

7.cat5k

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

Hostname R1

Enable Password Cisco

Interface Ethernet0

IP Address 130.10.7.1 255.255.255.0

NO ip Directed-Broadcast

NO ip mroute-cache

Interface serial0

IP Address 130.10.1.1 255.255.255.0

ENCAPSULATION FRAME-RELAY

IP OSPF NetWork Point-to-MultiPoint!

Interface serial1

IP Address 130.10.4.1 255.255.255.0

ClockRate 2000000

Interface bri0

No ip address

NO ip Directed-Broadcast

NO ip mroute-cache

Shutdown

Router OSPF 10

Redistribute Connected Subnets

NetWork 130.10.1.0 0.0.0.255 Area 0

NetWork 130.10.4.0 0.0.0.255 Area 1

NetWork 130.10.7.0 0.0.0.255 Area 2

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Cisco

end

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

No Service UDP-Small-Servers

No Service TCP-Small-Servers

Hostname R2

Enable Password Cisco

Interface serial0

IP Address 130.10.4.2 255.255.255.0

NO FAIR-Queue

Interface serial1

No ip address

Shutdown

Interface tokenring0

IP Address 130.10.5.2 255.255.255.0

Ring-speted 16

Router OSPF 20

NetWork 130.10.5.0 0.0.0.255 Area 1

NetWork 130.10.4.0 0.0.0.255 Area 1

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Cisco

end

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

No Service UDP-Small-Servers

No Service TCP-Small-Servers

Hostname R3

Enable Password Cisco

Interface serial0

No ip address

Shutdown

NO FAIR-Queue

Interface serial1

No ip address

Shutdown

Interface tokenring0

IP Address 130.10.5.3 255.255.255.0

Ring-speted 16

Interface tokenring1

IP Address 130.10.6.3 255.255.255.0

Ring-speted 16

Router OSPF 30

Redistribute Connected Subnets

NetWork 130.10.5.0 0.0.0.255 Area 1

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Cisco

end

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

No Service UDP-Small-Serversno Service TCP-Small-Servers

Hostname R5

Enable Password Cisco

Interface Ethernet0

IP Address 130.10.3.5 255.255.255.0

NO ip Directed-Broadcast

NO ip route-cache

NO ip mroute-cache

No mop enabled

Interface serial0

IP Address 130.10.1.5 255.255.255.0

ENCAPSULATION FRAME-RELAY

IP OSPF NetWork Point-to-MultiPoint

Frame-Relay Map IP 130.10.1.1 100 Broadcast

Frame-Relay Map IP 130.10.1.6 100 Broadcast

Interface serial1

No ip address

Shutdown

Router OSPF 50

Redistribute Connected Subnets

NetWork 130.10.1.0 0.0.0.255 Area 0

NetWork 130.10.3.0 0.0.0.255 Area 2

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Cisco

end

CURRENT Configuration:

Version 11.2

No Service Password-Encryption

Hostname R6

Enable Password Cisco

Interface serial0

IP Address 130.10.1.6 255.255.255.0

ENCAPSULATION FRAME-RELAY

IP OSPF NetWork Point-to-MultiPoint

Frame-Relay Map IP 130.10.1.1 110 Broadcast

Frame-Relay Map IP 130.10.1.5 110 Broadcast

Interface serial1

No ip address

NO ip mroute-cache

Shutdown

Interface tokenring0

IP Address 130.10.2.6 255.255.255.0

Ring-speted 16

Interface bri0

No ip address

Shutdown

Router OSPF 60

Redistribute Connected Subnets

NetWork 130.10.1.0 0.0.0.255 Area 0

NO ip classless

Line Con 0

LINE AUX 0

Line Vty 0 4

Password Cisco

end

Cat5k

Begin

Set Password $ 1 $ 0O8Z $ GDCVUXU2KN3MGBDKWF00H1

Set EnablePass $ 1 $ 0O8Z $ GDCVUXU2KN3MGBDKWF00H1

Set Prompt Cat5k>

Set Length 24 Default

Set logout 20

Set banner motd ^ c ^ c

#System

Set system baud 9600

Set System Modem Disable

Set System Name

Set System Location

Set System Contact

#SNMPSET SNMP Community Read-Only Public

SET SNMP Community Read-Write Private

SET SNMP Community Read-Write-All Secret

SET SNMP RMON DISABLE

Set SNMP Trap Disable Module

Set SNMP Trap Disable Chassis

Set SNMP TRAP DISABLE BRIDGE

Set SNMP TRAP DISABLE REPEATER

Set SNMP TRAP DISABLE VTP

Set SNMP TRAP DISABLE AUTH

Set SNMP TRAP Disable ippermit

Set SNMP TRAP Disable VMPS

Set SNMP Trap Disable Entity

SET SNMP TRAP DISABLE CONFIG

Set SNMP TRAP Disable Stpx

#ip

SET Interface SC0 2 130.10.7.100 255.255.255.0 130.10.7.255

Set Interface SC0 UP

Set Interface SL0 0.0.0.0 0.0.0.0

Set Interface SL0 UP

SET ARP AGINGTIME 1200

Set ip redirect enable

SET IP Unreachable Enable

Set IP Fragmentation Enable

Set IP Route 0.0.0.0 130.10.7.1 1

Set ip alias default 0.0.0.0

#Command alias

#VMPS

SET VMPS Server Retry 3

Set VMPS Server ReconfirMinterval 60

Set VMPS TFTPServer 0.0.0.0 VMPS-Config-Database.1

Set VMPS State Disable

#dns

SET IP DNS DISABLE

# TACACS

SET TACACS Attempts 3

SET TACACS DirectedRequest Disable

SET TACACS TIMEOUT 5

Set Authentication Login TACACS DISABLE

Set Authentication Login Local ENABLE

Set Authentication Enable Tacs Disable

Set Authentication Enable Local ENABLE

#bridge

Set bridge ipx snaptoether 8023raw

Set bridge ipx 8022toether 8023

Set Bridge IPX 8023 Grawtofddi Snap

#VTP

SET VTP DOMAIN Cisco

Set VTP Mode Server

SET VTP Passwd Cisco

SET VTP V2 Disable

Set vtp pruning disable

SET VTP PruneEliGible 2-1000

Clear vtp pruneEligible 1001-1005

Set Vlan 1 Name Default Type Ethernet MTU 1500 Said 100001 State Active

Set VLAN 2 Name Vlan2 Type Ethernet MTU 1500 SAID 100002 State Active

Set VLAN 3 Name Vlan3 Type Ethernet MTU 1500 Said 100003 State ActiveSet VLAN 1002 Name FDDI-Default Type FDDI MTU 1500 SAID 101002 State Active

SET VLAN 1004 Name FDDINET-Default Type FDDINET MTU 1500 Said 101004 State Active

SET VLAN 1005 Name Trnet-Default Type Trbrf Mtu 1500 Said 101005 State Active

Set VLAN 1003 Name token-Ring-Default Type Trcrf MTU 1500 Said 101003 State Active

#spantree

#uplinkfast groups

Set Spantree UplinkFast Disable

#backbonefast

Set Spantree Backbonefast Disable

#VLAN 1

Set spantree enable 1

Set spantree fwddelay 15 1

Set Spantree Hello 2 1

Set Spantree maxAge 20 1

Set Spantree Priority 32768 1

#VLAN 2

Set spantree enable 2

Set spantree fwddelay 15 2

Set Spantree Hello 2 2

Set Spantree Maxage 20 2

Set Spantree Priority 32768 2

#VLAN 3

Set spantree enable 3

Set spantree fwddelay 15 3

Set Spantree Hello 2 3

Set Spantree maxAge 20 3

Set Spantree Priority 32768 3

#VLAN 1003

Set spantree enable 1003

Set spantree fwddelay 4 1003

Set Spantree Hello 2 1003

Set Spantree maxAge 10 1003

Set Spantree Priority 32768 1003

Set Spantree Portstate 1003 Auto 0

Set Spantree Portcost 1003 62

Set Spantree Portpri 1003 4

Set Spantree Portfast 1003 Disable

#VLAN 1005

Set spantree disable 1005

Set spantree fwddelay 4 1005

Set Spantree Hello 2 1005

Set spantree maxage 10 1005

Set Spantree Priority 32768 1005

Set Spantree Multicast-Address 1005 IEEE

#CGMP

SET CGMP DISABLE

Set CGMP Leave Disable

#slog

Set logging console enable

Set Logging Server Disable

Set logging level CDP 2 Default

Set logging level mcast 2 Default

Set logging level DISL 5 Default

Set logging level DVLAN 2 Default

Set logging level EARL 2 Default

Set logging level fddi 2 Default

Set logging level ip 2 Defaultset Logging Level Pruning 2 Default

Set logging level SNMP 2 Default

Set Logging Level Spantree 2 Default

Set logging level sys 5 Default

Set logging level Tac 2 Default

Set logging level TCP 2 Default

Set logging level telnet 2 Default

Set logging level TFTP 2 Default

Set logging level VTP 2 Default

Set logging level vmps 2 Default

Set logging level kernel 2 Default

Set logging level Filesys 2 Default

Set logging level drip 2 Default

Set logging level PAGP 5 Default

Set logging level mgmt 5 Default

Set logging level mls 5 Default

Set logging level protfilt 2 default

#NTP

Set NTP BroadcastClient Disable

Set NTP BroadcastdeLay 3000

Set NTP Client Disable

Clear Timezone

Set Summertime Disable

#ppermit list

Set ip permit enable

Set IP permit 130.10.1.6 255.255.255.255

Set IP permit 130.10.2.6 255.255.255.255

#drip

Set tokenring reduction enable

Set tokenring distrib-CRF DISABLE

#igmp

SET IGMP DISABLE

#Module 1: 2-Port 100Basetx Supervisor

Set Module Name 1

SET VLAN 1 1 / 1-2

SET port enable 1 / 1-2

Set Port Level 1 / 1-2 Normal

Set Port Duplex 1 / 1-2 HALF

Set Port Trap 1 / 1-2 Disable

Set Port Name 1 / 1-2

Set Port Security 1 / 1-2 Disable

Set port membership 1 / 1-2 static

SET CDP Enable 1 / 1-2

SET CDP Interval 1 / 1-2 60

Set trunk 1/1 on ISL 1-1005

Set trunk 1/2 Auto ISL 1-1005

Set Spantree Portfast 1 / 1-2 Disable

Set Spantree Portcost 1 / 1-2 19

Set Spantree Portpri 1 / 1-2 32

Set spantree portvlanpri 1/1 0

Set spantree portvlanpri 1/2 0

Set spantree portvlancost 1/1 Cost 18

Set spantree portvlancost 1/2 Cost 18

#Module 2: 12-Port 10 / 100Basetx Ethernet

Set Module Name 2

Set module enable 2

SET VLAN 1 2 / 1-4

SET VLAN 2 2 / 5-8

SET VLAN 3 2 / 9-12SET port enable 2 / 1-12

Set Port Level 2 / 1-12 Normal

Set Port Speed 2 / 1-12 Auto

Set Port Trap 2 / 1-12 Disable

Set port name 2 / 1-12

Set Port Security 2 / 1-12 Disable

Set port Broadcast 2 / 1-12 0

Set port membership 2 / 1-12 static

SET CDP Enable 2 / 1-12

SET CDP Interval 2 / 1-12 60

Set trunk 2/1 Auto ISL 1-1005

Set trunk 2/2 Auto ISL 1-1005

Set trunk 2/3 Auto ISL 1-1005

Set trunk 2/4 Auto ISL 1-1005

Set Trunk 2/5 Auto ISL 1-1005

Set trunk 2/6 Auto ISL 1-1005

Set trunk 2/7 Auto ISL 1-1005

Set trunk 2/8 Auto ISL 1-1005

Set trunk 2/9 Auto ISL 1-1005

Set Trunk 2/10 Auto ISL 1-1005

Set trunk 2/11 auto isl 1-1005

Set trunk 2/12 Auto ISL 1-1005

Set Spantree Portfast 2 / 1-12 Disable

Set spantree portcost 2 / 1-12 100

Set Spantree Portpri 2 / 1-12 32

Set spantree portvlanpri 2/1 0

Set spantree portvlanpri 2/2 0

Set Spantree PortvlanPri 2/3 0

Set Spantree PortvlanPri 2/4 0

Set spantree portvlanpri 2/5 0

Set spantree portvlanpri 2/6 0

Set spantree portvlanpri 2/7 0

Set spantree portvlanpri 2/8 0

Set spantree portvlanpri 2/9 0

Set spantree portvlanpri 2/10 0

Set spantree portvlanpri 2/11 0

Set spantree portvlanpri 2/12 0

Set spantree portvlancost 2/1 Cost 99

Set Spantree Portvlancost 2/2 Cost 99

Set Spantree Portvlancost 2/3 Cost 99

Set Spantree Portvlancost 2/4 Cost 99

Set Spantree Portvlancost 2/5 Cost 99

Set Spantree Portvlancost 2/6 Cost 99

Set Spantree Portvlancost 2/7 Cost 99

Set Spantree Portvlancost 2/8 Cost 99

Set spantree portvlancost 2/9 Cost 99

Set Spantree Portvlancost 2/10 Cost 99

Set Spantree Portvlancost 2/11 Cost 99

Set Spantree Portvlancost 2/12 Cost 99

#Module 3 EMPTY

#Module 4 EMPTY

#Module 5 EMPTY

#Switch Port Analyzer

Set span disable

#cam

Set Cam AgingTime 1-3, 1003, 1005 300

end

Configure NetScreen 208 C3550 VLAN Room

Configuration example:

C3550 # show Running-config

Building configuration ...

Current Configuration: 4143 bytes

Version 12.1

No Service Pad

Service TimeStamps Debug Uptime

Service TimeStamps Log Uptime

No Service Password-Encryption

Hostname C3550

IP Subnet-Zero

IP routing

Cluster Enable AAA 0

Spanning-tree extend system-id

Interface FasteThernet0 / 1

Description Uplink FW

No SwitchPort

IP Address 192.168.0.1 255.255.255.0

Interface Fastethernet0 / 2

No ip address

Interface Fastethernet0 / 3

Switchport Trunk Encapsulation Dot1Q

Switchport Mode Trunk

No ip address

Interface Fastethernet0 / 4

No ip address

Interface FasteThernet0 / 5

No ip address

Interface FasteThernet0 / 6

No ip address

Interface FasteThernet0 / 7

No ip address

Interface Fastethernet0 / 8

No ip address

Interface Fastethernet0 / 9

Switchport Access VLAN 9

Switchport Mode Access

No ip address

Interface FasteThernet0 / 10

No ip address

Interface FasteThernet0 / 11

No ip address

Interface FasteThernet0 / 12

No ip address

Interface Fastethernet0 / 13

Description Test Port 13

Switchport Access VLAN 9

No ip address

Interface FasteThernet0 / 14

Description Test Port 14

Switchport Trunk Encapsulation Dot1Q

Switchport Mode Trunk

No ip address

Interface Fastethernet0 / 15

No ip address

Interface FasteThernet0 / 16

No ip address

Interface FasteThernet0 / 17

No ip address

Interface FasteThernet0 / 18

No ip address

Interface Fastethernet0 / 19

No ip address

Interface FasteThernet0 / 20

No ip address

Interface FasteThernet0 / 21

No ip address

Interface Fastethernet0 / 22

No ip address

Interface Fastethernet0 / 23NO IP Address

Interface FasteThernet0 / 24

No ip address

Interface GigabitEthernet0 / 1

No ip address

Interface GigabitEthernet0 / 2

No ip address

Interface VLAN1

IP Address 192.168.1.1 255.255.255.0

NO ip mroute-cache

Interface VLAN2

IP Address 192.168.2.1 255.255.255.0

Interface VLAN3

IP Address 192.168.3.1 255.255.255.0

Interface VLAN4

IP Address 192.168.4.1 255.255.255.0

Interface VLAN5

IP Address 192.168.5.1 255.255.255.0

Interface VLAN6

IP Address 192.168.6.1 255.255.255.0

Interface VLAN7

IP Address 192.168.7.1 255.255.255.0

Interface VLAN8

IP Address 192.168.8.1 255.255.255.0

Interface VLAN9

IP Address 192.168.9.1 255.255.255.0

Interface VLAN10

IP Address 192.168.10.1 255.255.255.0

Interface VLAN11

IP Address 192.168.11.1 255.255.255.0

Interface VLAN12

IP Address 192.168.12.1 255.255.255.0

Interface VLAN13

IP Address 192.168.13.1 255.255.255.0

Interface VLAN14

IP Address 192.168.14.1 255.255.255.0

Interface VLAN15

IP Address 192.168.15.1 255.255.255.0

Interface VLAN16

IP Address 192.168.16.1 255.255.255.0

Interface VLAN17

IP Address 192.168.17.1 255.255.255.0

Interface VLAN18

IP Address 192.168.18.1 255.255.255.0

Interface VLAN19

IP Address 192.168.19.1 255.255.255.0

Interface VLAN20

IP Address 192.168.20.1 255.255.255.0

Interface VLAN21

IP Address 192.168.21.1 255.255.255.0

Interface VLAN22

IP Address 192.168.22.1 255.255.255.0

Interface VLAN23

IP Address 192.168.23.1 255.255.255.0

Interface VLAN24

IP Address 192.168.24.1 255.255.255.0

Router rip

Version 2

NetWork 192.168.0.0

NetWork 192.168.1.0

NetWork 192.168.2.0

NetWork 192.168.3.0

NetWork 192.168.4.0Network 192.168.5.0

NetWork 192.168.6.0

NetWork 192.168.7.0

NetWork 192.168.8.0

NetWork 192.168.9.0

NetWork 192.168.10.0

NetWork 192.168.11.0

NetWork 192.168.12.0

NetWork 192.168.13.0

NetWork 192.168.14.0

NetWork 192.168.15.0

NetWork 192.168.16.0

NetWork 192.168.17.0

NetWork 192.168.18.0

NetWork 192.168.19.0

NetWork 192.168.20.0

NetWork 192.168.21.0

NetWork 192.168.22.0

NetWork 192.168.23.0

NetWork 192.168.24.0

Ip default-Gateway 192.168.1.252

IP classless

IP Route 0.0.0.0 0.0.0.0 192.168.1.252

IP HTTP Server

IP Access-List Extended CMP-NAT-ACL

Dynamic Cluster-HSRP Deny IP Any Any

Dynamic Cluster-Nat Permit IP Any Any

SNMP-Server Engineid Local 800000090300000A8A9A5181

SNMP-Server Community Public Ro

SNMP-Server Community Public @ ES0 RO

end

2900XL VLAN Config

Switch # VLAN DATABASE

Switch (VLAN) # vtp Domain Domain-Name

Switch (VLAN) # vtp Domain Domain-name Password Password-Value

Switch (VLAN) # VTP Server

Switch (VLAN) # show vtp status

If you want disable vtp, you only need to change the VTP mode to Transparent.

Switch (VLAN) # vtp transparent

2. Activate the VTP V2 (the switch is VTP V1).

Switch # VLAN DATABASE

Switch (VLAN) # VTP V2-MODE

Switch # show vtp status

3. Add VLAN. Catalyst 2900XL Series Switches up to 64 activated VLANs,

VLAN ID number from 1-1005.

Switch # VLAN DATABASE

Switch (VLAN) # VLAN VLAN-ID Name VLAN-NAME

Switch # show VLAN Name Vlan-Name

Switch (VLAN) # no vlan vlan-id // Delete VLAN

4. Add the port to the VLAN.

Switch # configure Terminal

Switch (config) # Interface Interface

Switch (config-if) # switchport mode access

Switch (config-if) # switchport access vlan VLAN-ID

Switch (config-if) # show interface interface-id switchport

5. Configure the Trunk port.

Switch # configure Terminal

Switch (config) # Interface Interface

Switch (config-if) # switchport mode trunkswitch (config-if) # Switchport Trunk Encapsulation ISL

Switch (config-if) # end

Switch # Show Interface Interface Switchport

Switch # Copy Running-Config Startup-Config

6. Configure the VLANs allowed on Trunk.

Switch (config) # Interface Interface

Switch (config-if) # switchport mode trunk

Switch (config-if) # switchport trunk allowed vlan remove vlan-id-range

Switch (config-if) # switchport trunk allowed vlan add vlan-id-range

Switch (config-if) # end

Switch # show interface interface interface switchport allowed-VLAN

If you want to cancel the Trunk port, just need

Switch (config-if) # no switchport mode

7. Use STP to implement the load.

There are two ways to achieve load sharing:

1) Use port priority.

Configuration:

Switch_1 (config-if) # Interface fa0 / 1

Switch_1 (config-if) # spanning-tree vlan 8 9 10 port-priority 10

Switch_1 (config) # Interface FA0 / 2

Switch_1 (config-if) # spanning-tree vlan 3 4 5 6 Port-Priority 10

2) Use the path value. E.g:

Switch_1 (config) # Interface FA0 / 1

Switch_1 (config-if) # spanning-tree vlan 2 3 4 COST 30

Switch_1 (config) # Interface FA0 / 2

Switch_1 (config-if) # spanning-tree VLAN 8 9 10 COST 30

VLAN new use

Although VLAN is not the best network technology, this method for network node logic segment is being used for many companies. VLANs are configured in a variety of ways to enterprise networks, including network security authentication, allowing wireless users to route, isolating IP voice flows, and transmit data in networks of different protocols.

When the VLAN is introduced six years ago, most VLANs are based on IEEE 802.1Q and 802.1P standards. 802.1Q Specification is used to load VLAN user information into Ethernet frames, while 802.1p makes the Layer 2 switch to prioritize and implement dynamic multicowns.

When the VLAN is introduced, it is seen as a way to simplify address management, allowing IT staff to physically configure the server and PC at any point of the network, and add PCs to the group.

Most network devices can be used to associate the Media Access Control (MAC) address with the VLAN. When the customer moves from one port to another, it can be automatically connected to the network.

VLAN application

Recently, Houston has established a network and its subnets in the 4 22-storey buildings, including 122 courts, legal services and trial halls, which is ideal for establishing VLAN because 122 private subnets merged to A VLAN has to be much easier than to insert the user into the port group.

VLAN and static IP addresses can also be used for security mechanisms. All customers working here are allocated with a static IP address, connected to the network through Alcatel Omniswitch routers and Omnicore 5052 home network swapping.

This configuration makes judges and lawyers to work in different courts. This setting controls access to license users and limits access to unregistered users, so security can be provided. The only way to access the network is that you must have an IP address, and these PCs are connected to one of the VLANs. VLAN roaming function

Massachusetts Bridgewater State School has configured more than 100 Enterasys' Roamabout 802.11b / a wireless access points, so students can access Web and E-mail throughout the campus.

It will become a nightmare if there is no mobile user who wants wireless traffic into its own VLAN. Place all wireless traffic in a VLAN, ensuring that the user will not drop when the user moves from an access point to another. In fact, this situation is easy to happen when the Enterasys access point in the entire campus is only 150 feet.

In dorms, classrooms and management organizations, the wireless access point is connected to the wireless access point using the stacked exchanger mixed with Cisco and EnteraSYS. After overcoming some of the VLAN configuration issues of crossover, you can now roam at any place in the campus, whether connecting to Cisco or an EnteraSYS switch, can be kept connected to the same VLAN.

VLAN management

VLANs are not only available for security and network management, but also for hybrid networks, it also does not loses a useful tool.

Some people use Enterasys's SmartSwitch stacked exchanger and SmartSwitch Router main network exchanger to establish VLANs throughout the subnet, which is running multiple protocols. The medical database is built on the VAX miniature, which is running over the legacy DECNET protocol. Decnet does use a large number of broadcast traffic, which can be placed on its own VLAN, so the DECNET data stream can only reach a certain network segment.

The case where the NetWare 4.11 server runs on the network is similar. It only creates a separate IPX VLAN for Novell Server and User, which makes most IP and Windows NT / 2000 servers that will not fall into the ocean of IPX and Decnet traffic.

Isolation VoIP traffic Enter VLAN also a standard recommendation for IP phone manufacturers such as 3COM, Cisco, Alcatel, Nortel and Avaya. All of these vendors and IP PBX devices support 802.1q technology, which isolates IP voice stream into their own VLAN.

Manufacturers and users believe that the speech may be very useful in its virtual segment, as a method of isolating speech flow, it can meet the purpose of troubleshooting. If there is a large traffic broadcast or big file download, it can ensure that the voice quality will not fall.

Discussion on the broadcast storm and VLAN of the securities network

1. The causes and harm of broadcast storm

All devices in the same network are located in the same broadcast domain. That is, all broadcast information will broadcast each port of the network, even if the switch, the bridge can prevent broadcast information from propagation. So only one broadcast information can be transmitted in the network at the same time.

For securities networks, use the Novell operating system, all devices will be broadcast in the network to inform other devices their own existence. There are still many other features to use broadcast, such as device boot, message broadcast, video broadcasting, etc.

When the equipment on the network is increasing, the time occupied by the broadcast will also have more and more time to a certain level, and the normal information transfer on the network will affect the network, and the transmission information is delayed. Thereby the network equipment is broken from the network, even cause blockage of the entire network, paralysis, this is the broadcast storm.

Therefore, the number of devices on the network is closely related to the generation of broadcast storms. According to some statistics, the number of equipment on the network is 150 ~ 200, and the network is operating normally, and it can achieve high utilization; when the number of equipment is more than 400 units, network efficiency will drop rapidly, and it is easy to form a broadcast storm. We can determine whether broadcast information has been harmful to network communication by observing the number of radio packets on the port of the switch and the ratio of other packets.

2, VLAN division method and standard

In order to enable all ports on the same switch to be different networks to achieve funding, while preventing communication between networks, there is a good security effect, producing a virtual network on the network device (Virtual Lan Thought (shown in Figure 1).

There are many ways to divide the virtual network, with port based VLANs, with protocol based VLANs, with MAC Based VLANs.

Based on port division, it is possible to access the same VLAN after a fixed connection.

Based on protocol division (Protocal Based VLAN) using the same network protocol device, it will be in the same VLAN, such as a computer with TCP / IP, and you will use IPX, they will be in different networks.

Based on the MAC address division (Mac Based VLAN), no matter which switch port access network is connected to a computer, it will not change the VLAN it.

IEEE802.1q standard specifies the use of port-based VLANs and how the network tag (TAG) is used. By transmitting the transmission of the switch between the switch, the network frame can be transmitted between different switches, or transmitting signals belonging to multiple VLANs in the same line without changing the properties of its VLAN.

3. How to handle the VLAN division of the securities network

Since the size of the securities network is getting bigger and bigger, according to the above discussion, we need to divide VLAN within the Ministry of Stock Excusend. Take a network of around 800 points as an example, we can divide it into 4 VLANs, about 200 sets per VLAN, where servers, market transumators, etc. are all VLANs.

As shown in Figure 2, we divide the network into 2 VLANs, two of which belong to VLAN1 in four workstations, and there are two VLAN2, while the server belongs to VLAN1 and VLAN2.

Since the network of the securities business department is a typical star network, a relatively fixed customer base is basically corresponding to a relatively fixed customer base on the trunk switch, so a relatively simple part is to be divided on the trunk switch. VLAN, and all switches on a port are set to VLANs corresponding to the port on the trunk switch to isolate broadcast information. Such a partition requires a network tag.

4, pay attention to the point

About VLAN tagging

As shown in Figure 2, since each desktop switch is connected to a workstation that belongs to VLAN1 and VLAN2, the uplink port is only one, so we need to be set to "Tagged" on the connection port of the switch and switch. The connection port of the server and the workstation is not identified, so the connection port should be set to "Uncast".

Protect important equipment with VLAN

Since devices that do not belong to the same VLAN are not accessible, this method can be used to protect some important devices such as database servers. However, it is because of this feature, it is necessary to be particularly careful when dividing VLANs, so as not to cause the necessary access to be interrupted. Server and work station network card support for 802.1qvlan

The use of this technology requires simultaneous servers and workstation network cards that belong to multiple VLANs to support 802.1qvlan, otherwise we cannot achieve our goal, so you need to confirm the support of the NIC before dividing. If the NIC cannot be supported, it can only be solved by replacing the NIC or the third floor exchange.

Fault check

Since many people are unfamiliar with VLAN, when you have just done the division of virtual net, you can't access the Internet, interoperate, etc., you should first review the work you have made, not check network cable. One of the most extreme disposal methods is to remove all virtual net division, all back.

VLAN and tunnel technology realize "school school"

The rapid development of global economic information has led to the needs of users. Now Internet has become an important part of many people's lives. Based on network management, remote teaching, remote office, video conference, VOD on-demand, WWW browsing and other multimedia applications. Increasingly increasing, young people gradually become the main consumers of the network economy, and the middle school students' desire to learn the network and use the network is the problem of schools in the new century.

"School School" as a business customer project, like "chicken", profit is very thin. According to the actual implementation case, discussing and summarizing several technical means, this paper strives to help the school to achieve "school school" through a most provincial way, not only to the school requirements and do not increase excessive investment.

"School School" project introduction

Now, the education committees and education bureaus have launched the "School School" program. "School School" is actually interconnected in urban schools, sharing network resources, students can learn computer and network knowledge, master programming, send and receive mail, computerization, electronic office, etc., learn from the network game. The implementation of the "School School" plan can make the school organized to arrange students in the school to access the Internet, avoiding students into the social network, and is in an unmanned supervision.

For the "School School" project, the Education Bureau requires internet access between schools in urban schools, and all schools have Internet exports or unified from the Education Bureau Information Center.

Urban area network structure and "school school" access

The new generation of operators constitute the metro network through "IP fiber", and the network topology is shown in Figure 1.

The school can adopt the physical point of the approach to access, access to the operator metropolitan area network, including aggregation machine room, community computer room, corridor. When the school user can use the optical cable, twisted pair on the transmission line, and technology can be used to consider various factors such as cost, distance, tube line, and choose Ethernet technology.

Operator Metropolitan Networks can be divided into core layers, aggregation layers, access layers from the network, and Figure 2 is shown in Fig. 2, each school access metropolitan area network and VPN service frame diagram.

Interconnection technical solution analysis

Access to the operational municipal area network machine room through physical lines is just the first step in completing the "School School" project. In order to realize the interconnection between urban schools, the metro network can use a variety of technologies:

Application Member Network Fiber Dividing Technology;

The school increases the VPN device;

Increase the VPN device in the aggregate end;

VLAN and tunnel technology.

VPN technology adds a dedicated VPN network device in the network layer, and the network can deploy VPN devices in school, or the VPN device can be deployed in the aggregate end to implement "School School". This technique needs to increase new investment. In general, the school is unacceptable, and operators are difficult to accept. Using VLAN and tunnel technology to achieve "school school", metropolitan area network requires aggregation machine room network equipment to support VLAN and tunnel technology, which is divided into all school access ports of access to a metropolitan area network to all schools in a VLAN. Each VLAN's upper connection port is a tunnel interface, and the tunnel is built between each metropolitan area network assembly machinery and the Education Bureau information center.

Through VLAN and tunnel technology (see Figure 3) (see Figure 3), we can see that school users in the same VLAN exchange directly through local network devices, one VLAN user If you need to access another VLAN The resources or users must enter the Education Bureau Information Center through a Upconnect Tunnel Interface. After the routing exchange enters another VLAN.

VLAN and tunnel technology make full use of operational municipal network to aggregate network equipment third-level routing function, no new equipment investment, although tunnel technology uses GRE packaging method to bring a certain overhead to aggregation network equipment, but user data is isolated by tunnel mode No need to encrypt.

VLAN and tunnel technology use the main domain of the operator's domain, which can save the city's main fiber resources, the tariff is cheap, meet the requirements of the school, suitable for the "school school" program of the city.

School intercom with internet export

"School" can realize the resource sharing between schools, complementary advantages. Some school online books are rich in books, and some school mathematics teaching has characteristics, and mathematical courseware is good. All schools put the advantage resources on the Internet, and students can better roam in the ocean of knowledge through the network.

In the "School School" private network, choose the appropriate aggregation point or core point, which is important to provide Internet services for each school user. According to user distribution and actual network line, network management personnel can consider single or distributed multipoints. Figure 4 shows a schematic diagram of the INTERNET Access Point Selection in the "School" private network.

With Internet exports, school teachers and students can understand domestic, international news, search information, send and receive emails through the Internet

Large enterprise network set VLAN

When the enterprise network has just raised, due to the small number of enterprise networks, the limitations of the application range, the level of understanding of Internet access, network security and poor, etc., the enterprise network is limited to the state of switching mode. There are two main ways of switching techniques: Based on Ethernet frame exchange and ATM-based cell exchange, each of the ports of the LAN switch is their own independent collision domain, but at the same time for all IP network segments or IPX network segments. In terms of network equipment, in a broadcast domain, when the number of workstations is large, when the information flow is large, it is easy to form a broadcast storm, and even the network is paralyzed.

In network mode using exchange technology, the division of the network structure is used is only the means of dividing the physical network segment. Such network structures are derived from the perspective of efficiency and security, and to a large extent, the flexibility of the network is largely limited, and if you need to separate a broadcast domain, then you need to purchase a switch and should be manually Reproduction. Thereby, a virtual network (VLAN) setting is required.

In a larger enterprise, there are multiple secondary units, and when interconnected in the isolation network of each unit, we conducted a VLAN for the stability of the management, security and overall network of different functional departments. Division.

First step subnet analysis

The network system consists of three parts: company, secondary unit 1, secondary unit 2, initial three parts, independent, uniform network environment, so the operation of each network system is based on exchange technology .

The three main sanners use the Gigabit Ethernet technology, the high positioning of the starting point provides high-speed, stable, compliance with international standard network platform. The company's central switch uses Cisco's Catalyst 6506 with three-layer routing engines that make the enterprise network will have the ability to upgrade in the future; at the same time, the central switch of each secondary unit is also Cisco's Catalyst 4006; each second, three-level switches The Cisco's Catalyst 3500 series is used, mainly because of the high performance and stacked capabilities of the Catalyst 3500 Series. At the beginning of the company's requirements, the interconnection of the network still uses gigabit bandwidth, but due to the three networks, Gigabit Ethernet technology is used, in order not to form a bottleneck in the trunk, the interconnection of each subnet uses Trunk technology, ie Double Gigabit technology, allows the network bandwidth to 4G, which increases the bandwidth, but also provides redundancy of the link, improves the high speed, stable, safe operation performance of the overall network.

However, due to the magnification of network scale, the information flow increases, the complication of personnel, and has brought new hidden dangers for the safety, stability and efficiency of enterprise networks. This thus triggered the division of the VLAN.

For VLAN division, we should assign the IP address of each VLAN as:

Manager Office: 192.168.1.0--192.168.2.0 / 22 Gateway: 192.168.1.1;

Financial News: 192.168.3.0--192.168.5.0 / 22 Gateway: 192.168.3.1;

Supply net: 192.168.6.0--192.168.8.0 / 22 Gateway: 192.168.6.1;

Information Center subnet: 192.168.7.0/24 Gateway: 192.168.7.1;

Service Subnet: 192.168.100.0/24 Gateway: 192.168.100.1

The rest of the net: 192.168.8.0--192.168.9.0 / 22 Gateway: 192.168.8.1;

Step 2 system analysis

For Cisco's product division, VLAN is primarily based on two standard protocols: ISL and 802.1Q. Here, because the use of Cisco's network devices, an ISL protocol package is used when the interconnection between VLANs is used, which is the optimization of the hardware platform of the Cisco network device. Optimization of multimedia applications A reasonable and effective optimization. We will mention later for VLAN interconnections of different products.

Network topology map

Since the division of VLANs in this case extended each switch, the connections between the switches must use Trunk's way. The Manager Office and the Supply and Market Represents two problems in VLAN division - the division of the extension switch VLAN and the division of port VLAN:

In the virtual net of the manager, when a switch expands multiple VLANs, the switch must be connected to the Trunk mode between the switch and the upper switching, but in the virtual network division of the supply, in the secondary unit 1 On a LAN switch Catalyst3548, here, Catalyst3548 and the secondary center switch Catalyst4006 can only use the normal switched connection, for this partial supply of VLAN division, as long as the Catalyst4006 is divided on the port connected to the Catalyst3548. . That is, the segmentation of the port-based VLANs mentioned earlier.

Third steps routing list

After completing the connection between the VLAN, because the two Catalyst4006 and the main center switch Catalyst6506 use a dual fiber channel-based connection, blocking the generation of the line fault between Catalyst406 and Catalyst6506, so the route to the overall network is based on Catalyst6506. Centralized management. We set a VLAN routing on the main center switch Catalyst6506: Manager Office Densu: 192.168.1.1/22;

Financial virtual net: 192.168.3.1/22;

Supply and marketing virtual net: 192.168.6.1/22;

Information center virtual network: 192.168.7.1/24;

The rest of the virtual net: 192.168.8.1/22;

Next, set the routing protocol RIP or OSPF on the center switch, and specify the network segment 192.168.0.0. Perform the following command in the global configuration mode:

Router rip

NetWork 192.168.0.0

Precautions

1. It is to be noted here that because the division of the VLAN of the entire company's network system is designed as an overall structure, so in order to maintain the consistency of the VLAN list, for example, when the VLAN of the secondary unit 1 changes, The VLAN list will also vary, and this Catalyst 4006 needs to broadcast other parts of the overall network to achieve the consistency of the list of VLANs. So when setting VTP (VLAN TRUNK PROTOCOL), you should use the VTP domain as a whole, ie: The VTP type is Server and Client, respectively.

2. Some enterprises build nets earlier, the selected network equipment is other manufacturers' products, while later products cannot be unified with the previous period, so they will encounter some problems in VLANs.

For example, in the mixed network structure of Cisco products and 3com products, VLANs are divided into VLANs, and 802.1Q must be used for the Cisco network device's Trunk to achieve communication with 3COM. Although the Normal division of VLANs can be established between the two, and normal applications, due to the ability of the switches, the coordination between the two is poor. When the connection between the two changes, the Clear Counter must be cleared on the Cisco switch, and the two re-coordination work can be reached.

Technical Information

VLAN implementation

VLAN is an abbreviation of the English Virtual Local Area Network, that is, a virtual LAN. VLAN allows network users in different geographic locations to join a logical subnet to share a broadcast domain. Through the creation of VLANs, the production of the broadcast storm can be controlled, thereby increasing the overall performance and security of the switched network.

VLAN is completely transparent to network users. The user does not feel any difference in use with the switched network, but it is very different for network managers, because this depends primarily on the VLAN's advantage:

Control of broadcast storm in the network;

Improve the overall security of the network, vlancing the VLAN division of the VLAN through routing list, MAC address assignment, can control the size of the user's access rights and logical network segments;

Simple and intuitive network management.

And the division of VLAN has the following four strategies:

Port-based VLAN

The division of port-based VLANs is the simplest, most effective VLAN division method. This method only needs to reassign a combination in different logical network segments for the network administrator for the switching port of the network device. And not to consider what the device is connected to the port.

2. MAC address-based VLAN

The MAC address actually refers to the identifier of the NIC, and the MAC address of each network card is unique. A MAC address-based VLAN is actually based on a workstation, a combination of VLANs of the server. When the network is small, the program is also a good method, but with the increase of network, network equipment, users increase, will increase management to a large extent. 3. VLAN based on the route

The routing protocol works in the third layer of the seven-layer protocol: the network layer, which is based on IP and IPX protocol forwarding. Such devices include routers and routing switches. This mode allows a VLAN to span multiple switches, or one port is located in multiple VLANs.

4. Policy-based VLAN

Strategy-based VLAN division is a relatively effective way. This mainly depends on the strategy used in the division of the VLAN.

For now, the division of the VLAN mainly uses two modes of 1, 3, and for the solution 2 is auxiliary solution. After the division design of the VLAN, the recovery is the last step of VLAN division: interconnect between VLANs.

The division of the previous to the VLAN is mainly implemented by the router, but as the network scale expands, the amount of information is increased from the number of ports or system performance, so it has gradually formed a network bottleneck The main reason. Now, because there is a three-layer routing based on the switch, two points have been reasonably solved.

"School School" project introduction

Urban area network structure and "school school" access

The new generation of operators constitute the metro network through "IP fiber", and the network topology is shown in Figure 1.

Interconnection technical solution analysis

Application Member Network Fiber Dividing Technology;

The school increases the VPN device;

Increase the VPN device in the aggregate end;

VLAN and tunnel technology.

Using Membership Network Fiber Dimensional Technology to achieve "school school", it is to access each school of the urban network machine room, directly using 2 to the city's main fiber, after several jumping, transfer to the Education Bureau Information Center engine room. This technical method is suitable for use in a city with a small number of schools, and the city's main fiber is enough. This approach can save network equipment investment, but too many urban dominant fiber resources are not conducive to operators to develop more valuable commercial users in the future. VPN technology adds a dedicated VPN network device in the network layer, and the network can deploy VPN devices in school, or the VPN device can be deployed in the aggregate end to implement "School School". This technique needs to increase new investment. In general, the school is unacceptable, and operators are difficult to accept.

Using VLAN and tunnel technology to achieve "school school", metropolitan area network requires aggregation machine room network equipment to support VLAN and tunnel technology, which is divided into all school access ports of access to a metropolitan area network to all schools in a VLAN. Each VLAN's upper connection port is a tunnel interface, and the tunnel is built between each metropolitan area network assembly machinery and the Education Bureau information center.

School intercom with internet export

With Internet exports, school teachers and students can understand domestic, international news, search information, send and receive emails through the Internet

Telecom management network adopts VLAN analysis

In the past, the routers and hubs in the past were often used in the network, and now many networks use switches, how do you face the challenge of routing networks and exchange technologies?

At present, the switch occupies dominant in the network market, which is: First, the exchange price is high, followed by flexible configuration, can be flexible with future applications.

Digits can most explain the problem. In a switch with a 100Mbps uplink, the cost of each 10Mbps controlled switch port is $ 100. Routing technology does not really press to assign a user from each port to the network, each router port is at least three or four times the switch port, so management burden is amazing. Although the network with router segments is only TCP / IP traffic, but due to high cost, there is too much performance, and the workload is large, so it will not pass.

In contrast, the switches and hubs are plug-and-play devices. A route selection device with the "self-study" function is currently appearing, using the supported protocol to automatically configure the port.

By default, the pure switching network is a flat network. If each node has its own exchange port, the network is difficult to play, that is, the income station traffic and the output of the node have resource contention, and vice versa. In contrast, in the traditional shared network segment or ring, the throughput of each node decreases with the increase of nodes, such as the 10BASET network with 25 nodes can only provide 400 kbps bandwidth to each node, and The nodes of the professional exchange port have 10Mbps throughput. Generally being used by nodes to advertise or find current unknown broadcast technologies, which can greatly provide this network throughput, and typical S11 broadcast frames can only broadcast to a destination node and intermediate exchange ports. Since the day of the bridge, we know that we don't want to have thousands of nodes, because the broadcast storm cannot be predicted and difficult to control.

Turn the plane network into a smaller broadcast domain, which is not distant to make the switch network into a colorful palette. It is better to establish a VLAN with a router to define any size of any size.

VLAN management

The VLAN is inseparable from the switched network, but the implementation of the VLAN to redefine the management environment. The logical domain defined by the VLAN involves the possible view in the network, so the network management platform can display an IP image, and sometimes IPX-based images. If you deploy a VLAN, its topology may match the above view. When the VLAN is deployed, you are likely to be interested in monitoring traffic according to the VLAN one by VLAN and generate an alert.

At present, most switches-based VLANs are dedicated. The IEEE 802.1p committee has developed a multicast standard that allows VLAN members to communicate with the case of canceling the VLAN broadcast suppression task. The VLAN configuration will still be required to maintain a single vendor switch environment prior to the above-described criteria in interoperable software and hardware.

Even in a single vendor VLAN, network management is also a challenge, such as checking the statistics for the VLAN dialog requires the management software processing. Unlike the review common LAN or IP subnet dialog: RMON MIB and RMON-2 MIB provide determination LAN and sub- The framework of the network information, and the VLAN configuration must define its own MIB, or configure how to obtain the above information according to other MIBs. In addition, in order to provide a coherent VLAN behavioral characteristic map, management software is to collect and combine data from multiple RMON detectors.

If the above problems are very serious, consider capturing a multi-switch Valn data is limited to an intermediate switch link or a backbone. In large networks, the trunk is almost 100Mbps, and the deployment of the high-speed controller is different from the common VLAN, and the cost is high.

VLAN configuration

If the VLAN is defined according to the switch port, it is usually easy to assign one or more users to a specific VLAN with some kind of drag and drop software. In the non-exchange environment, mobile, add or change the operation is cumbersome, it is possible to change the jumper charge on the wiring board to move to another port. However, change VLAN allocation still depends on manual: In large networks, this is very expensive, so many networked suppliers advocate the VLAN to simplify mobile, add, and change operations.

The VLAN allocation scheme based on MAC addresses can automate some movements, add, and change operations. If the user is assigned to a VLAN or multiple VLANs according to the MAC address, their computer can connect to any port of the switching network, and all traffic can reach the destination correctly. Obviously, administrators should perform VLAN initial allocation, but users move to different physical connections do not require manual intervention in the management console; for example, there are many mobile users, they are not always connected to the same port - perhaps because of the office Temporary, using a MAC address-based VLAN can avoid a lot of trouble.

What is the traditional Layer3 technology? Leaving the VLAN is the most recent IP subnet: Each subnet requires a router port because traffic can only be moved from one subnet from one subnet to another by a router. Since the address space provided by the IP32 bit address is limited, it is difficult to allocate subnet addresses, and you still have to be familiar with binary algorithms. Therefore, it is difficult to perform moving, adding, and changing operations in the IP network, slow speed, easy to make mistakes, and cost is large. In addition, when the company replaces the ISP or adopts a new security policy, it may be necessary to re-numbered the network, which is unimaginable for large networks. In fact, if someone uses the existing subnet routing IP network, and router may be overwhelmed by unnecessary traffic according to the IP address of any VLAN.

If there are VALN members in many subnets, common VLAN broadcasts must reach all members through the router. In addition, poorly wide-area links generate additional broadcast traffic; the number of VLAN members with WAN connection services should usually remain at the lowest level. In fact, the VLAN member value based on the Layer3 address is likely to be useful in enhancing and modifying the distribution of existing subnet, for example, two new nodes can be added to the VLAN through a full subnet, or can be used as a VLAN without having to use two subnets without Reload.

Cabletron's SecureFast Virtual Networking Layer3 swap technology uses a routing server model rather than a traditional routing model. The first packet is sent to the routing server for regular routing, but the switch can remember the path, so subsequent packets can be exchanged in Layer2 without checking the routing table. Since there is a VLAN based on the pure Layer3 address, the IP address can be used as a universal network ID, allowing anyone to connect any data link to obtain all network access, greatly simplifying mobile, adding, and changing tasks.

However, there are other methods to solve management problems caused by IP subnets. DHCP (Dynamic Host Configuration Protocol) The other techniques that have been assigned addresses when they are connected, can be used to solve the above problems.

VLAN test

Traditionally, shared media such as Ethernet conflict network sections or token rings have become a level unit, connection network segment or a protocol analyzer anywhere, can capture all the dialogs you happen. The SNMP agent of the hub captures the entire network segment traffic, error, and broadcast statistics. RMON detector (a network monitor or hand-held troubleshooting device) detects all major events that occur in shared media. These devices provide testing methods, which are basic data capture, intend to manage the network.

The switching network must be equipped with a similar tool. The number of networks or the number of loops is increased, so the necessary devices are correspondingly doubled. For old-fashioned 10Basets, most independent RMON detectors are expensive.

At the same time, the traffic of any network segment may have only one source and a destination, making problems difficult. Even very simple questions, if the broadcast is transmitted to the VLAN member correctly, it is not sent to other nodes, but also connects the protocol analyzer and a three-port repeater to each of the VLANs.

But the situation is not very bad. Commonly used connectors such as NIC, connectors, cables, and ports can be tested for previous methods, they are not affected by the exchange structure. The problem that the server, router, printer, and workstation can be difficult to resolve. How to router use NetBIOS bridge VLANs to diagnose any of the NEs in the VLAN. Other problems such as conflicts should be eliminated because the media is no longer a shared medium, or the sharing is not as high as before.

The switch supplier has done a lot of work for the problem of insufficient switching network test equipment. Many switches can be configured with a monitoring port to connect protocol analyzers or other monitors. In some switches, you can configure the monitoring port to check the traffic between any two ports. In a few on-board-based switches, monitoring ports can be used to capture all traffic transmitted by the switch. These monitoring work can be implemented by magical electronic technology without affecting the performance of the switch. If your switch does not monitor the port, and each port does not have RMON, you can't perform the monitoring job, even if it can be implemented, it is difficult and cost is expensive. . Therefore, the purchase switch must consider whether it has a monitoring port. In addition, many switch suppliers are equipped with RMON agents for each port. If the basic switch hardware is not integrated RMON device, it will not weaken the overall performance of the system.

Conclude

The large vendor is designed to support the establishment of VLANs based on port, MAC address and Layer3 address. There is also a saying that supports the application-based VLAN members to compress video or audio data streaming support. When the VLAN is defined very rich and flexible, other interested management services may be mature. In particular, the administrator does not have to drag an icon to a image in order to establish a VLAN member, and the VLAN can use the policy management dynamic definition.

As the dynamically defined VLAN product and program introduction and implementation, the challenges faced by configuration and management network nodes will also have a fundamental transformation. For administrators trapped in heavy management, VLANs do not seem to change their dilemma because they must forget some router-based networking principles. But in any case, each administrator will face the exchange network, and VLAN is an important tool for realizing business goals.

Third floor exchange construction enterprise VLAN

The appearance of a virtual local area network (VLAN) breaks many of the natural concept of traditional networks, making the network structure flexible, convenient, and wants. The VLAN is the physical location regardless of the user, and the user logically divides the user logically into a separate working group, each user host is connected to a VLAN switch port and belongs to a VLAN. Both members in the same VLAN share broadcasts, and broadcast information between different VLANs is isolated from each other. In this way, the entire network is divided into a plurality of different broadcast domains.

Traditional routers have routing, firewall, isolation broadcast, etc. in the network, and in a network that divides the VLAN, communication between different network segments of logically is still forwarded through the router. Since the amount of communication data between different VLANs is large, this way, if the router is routed to each packet, with the increase in data on the network, the router will be overwhelmed, the router will Become a bottleneck of the entire network.

In this case, there is a third layer of exchange technology, which is popular, and the routing technology and exchange technique are combined with a technology. After the router is routed on the first data stream, a MAC address and an IP address mapping table are generated. When the same data stream is passed again, it will pass directly from the second floor instead of re-route according to this table, thereby eliminating The router is routed to cause the network delay, improve the efficiency of packet forwarding, eliminating the network bottleneck problem that the router can generate.

Configuring VLAN

(1) VLAN's working mode:

Static VLAN: The administrator specifies the VLAN for the switch port.

Dynamic VLAN: By setting the VMPS (VLAN MEMBERSHIP Policy Server), a MAC address and a map of the VLAN number are included. When the data frame reaches the switch, the switch queries VLAN IDs for the corresponding MAC address.

(2) ISL Tags: ISL (Inter-Switch Link) is a protocol between switches, switches and routers and switches to transmit multiple VLAN information and VLAN data streams between the switches, through ports directly connected directly. Configure the ISL package to configure the VLAN allocation and configuration of the entire network across the switches. The international standard of VLAN package is IEEE 802.1q.

(3) VTP (VLAN TRUNKING Protocol): It is a protocol that synchronizes and transmits VLAN configuration information between switches. The configuration on a VTP Server will be passed to all switches in the network, and VTP supports large-scale networks by reducing manual configuration. VTP has three modes:

Server mode: Allow creation, modification, delete VLAN and other configuration parameters for the entire VTP domain, synchronize the latest VLAN information transferred in this VTP domain.

Client mode: In Client mode, a switch cannot be created, deleted, modify the VLAN configuration, or store the VLAN configuration in the NVRAM, but can synchronize the VLAN information passed by other switches in this VTP domain.

TRANSPARENT mode: You can create, modify, delete, or pass the VTP broadcast information sent from this VTP domain, but do not participate in the synchronization and allocation of this VTP domain, and do not pass your own VLAN configuration to this VTP. Other switches in the domain, its VLAN configuration only affects itself.

Switches are Server mode by default.

(4) Creating a VLAN. By default, only VLAN 1 can be increased by commands to increase the required VLAN.

(5) Specify the VLAN to give each port of the switch. By default, all ports of the switch belong to VLAN 1, which can modify the VLAN ID of the switches through the global command, but the switch can only belong to a VLAN each port.

Configure three-layer exchange

Configure the MLSP protocol to exchange information between RP and SE.

Configure management ports, MLSP transmits and receives communication between RP and SE through this port.

Assign different VLAN gateway addresses for different VLANs.

Start the router's routing function.

The access policy of the VLAN virtual network can be defined as needed, and can be implemented by defining the access list.

转载请注明原文地址:https://www.9cbs.com/read-91174.html

9cbs

New Post(0)