November 22, 2023
ForewordHi, I'm Mr. Lin, basics of VLAN are explained and detailed steps of VLAN separation are easy to understand. Let's take a look at knowledge together! TextVLAN concept
In Chinese, VLAN (virtual local area network) is called "virtual local area network".
A virtual local area network (VLAN) is a group of logical devices and users. These devices and users are not limited by physical location. They can be organized by function, department, and application. They appear to be on same network segment, hence name VLAN.
Because switch port has two types of VLAN attributes, one is VLANID, other is VLANTAG, respectively corresponding to VLAN to set VLAN tag in data packet and data packet VLANTAG (tag) which is allowed to be transmitted. , different VLANID ports can transmit VLANTAG mutual resolution, build VLAN.
1. VLAN Basics
Communication between users in same VLAN is same as in LAN. Broadcast in same VLAN can only be heard by VLAN members and will not be transmitted to other VLANs, thereby controlling unnecessary generation. broadcast storms. At same time, without routing, different VLANs cannot communicate with each other, thereby increasing information security between different workgroups. Network administrators can fully control exchange of information between different workgroups in network by configuring routing between VLANs.
(1) Port separation. Even on same switch, ports in different VLANs cannot communicate. Such a physical switch can be used as multiple logical switches.
(2) Network security. Different VLANs cannot communicate directly, which prevents broadcast information from being insecure.
(3) Flexible control. There is no need to change port and connection to change network to which user belongs, but only to change software configuration.
2, TAG and UNTAG
Port-based VLAN, which is most commonly used VLAN partitioning method, is most widely used and most efficient. Currently, most VLAN protocol switches support this VLAN configuration method. This VLAN separation method is based on switching ports of an Ethernet switch. It divides physical ports on VLAN switch and PVC (Permanent Virtual Circuit) ports inside VLAN switch into several groups. The group forms a virtual network, which is equivalent to an independent VLAN switch.
The IEEE released IEEE Std 802.1Q standard in 1999, which governs implementation of VLANs. The IEEE 802.1Q protocol standard defines VLAN tag field for various LAN network structures. In various network structures, connected devices can identify VLANs by common data characteristics.
For common Ethernet network models, there are two main types of packet encapsulation formats, namely Ethernet type II and 802.2/802.3 type. For encapsulation formats of these two Ethernet packets, IEEE 802.1Q protocol standard defines a VLAN tag after Destination MAC Address (DA) and Source MAC Address (SA) in data frame header to identify information related to the VLAN.
3. Port link type
When different departments need to visit each other, they can go through router and interact with port filtering based on MAC addresses. On corresponding port of switch, routing switch, or router closest to site in path of specific site, set set of MAC addresses that it can traverse. In this way, possibility of IP addresses being stolen by unauthorized intruders from inside and intrusion from other access points can be prevented.
Ethernet port has 3 link types: Access, Trunk, Shared
Access type ports can only belong to 1 VLAN and are typically used to connect computer ports;
Trunking ports can pass multiple VLANs, can receive and send multiple VLAN messages, and are typically used for connections between switches;
General ports can pass through multiple VLANs, can receive and send multiple VLAN packets, and can also be used for connections between switches or for connecting user computers.
The public port and trunk port have same processing principles when receiving data, only difference is in sending data: public port allows you to send multiple untagged VLAN packets, while trunk port allows only default VLAN. packages are not marked when sent.
Default VLAN (PVID):
An access port belongs to only 1 VLAN, so its default VLAN is VLAN it is located in without configuration;
The public port and trunk port belong to multiple VLANs, so you need to set a default VLAN ID. The default for hybrid ports and trunk ports is VLAN 1.
If a default VLAN ID is set for a port, when port receives a message without a VLAN tag, it will send message to port that belongs to default VLAN; when a port sends a message with a VLAN tag, if message's VLAN ID matches port's default VLAN ID, system will remove VLAN tag from packet before sending packet.
Switch interface data processing:
Get access port message: get a message to determine if there is VLAN information: if not, note PVID of port and exchange, if there is, discard it directly (default) Send via access port Message: remove VLAN information from message and send it directly
True Port Received Message: Receive message, evaluate if VLAN information exists: if not, note port PVID and exchange, if present, evaluate if VLAN ID is in range. barrel inside if within reach, otherwise discard
Messageabout sending a trunk port. Compare PVID of port with VLAN information in sent message. If they match, remove VLAN information and submit it. If not, send it directly
Generic Port Received Message: Receive a message, evaluate VLAN information: if not, note port's PVID and exchange. If yes, evaluate if common port allows VLAN data: if so, discard otherwise (untagged configuration on port is currently out of question, and untagged configuration only works when sending packets)
Common port for sending messages:
1) Determine if VLAN is on this port
2) If it is not a tag, remove VLAN information and send it; if it's a tag, send it directly.
Second, how to separate VLANs
Take TP-LINK SL3226 as an example, requirement is a wireless network in a school dormitory, there is an access switch on a certain floor to manage second layer network with 20 panel access points. The network access is required, management address is 192.168.200.110. Management VLAN - 4000, Port VLAN - 110, Main switch cascade VLAN - 204. Controller management VLAN - 1000
Introduction: TP-LINK SL3226 is a 24-port 100M switch, and two 25.26 upstream ports are gigabit ports.
1. Log in to management interface of switch (configure network cable of computer and temporarily connect it to port 24)
Select a VLAN
New VLAN204 port 25-26 TAG export rules
Create a new network VLAN1000, port 1-26, export rule is TAG
New VLAN4000 Port 24-26 Exit Rule 24 - UNTAG, 25-26 - TAG
Configure VLAN as shown below
4. Set up PVID
Change the default VLAN for ports 1-23 to 110
Change the default VLAN on port 24 to 4000
After changing, connect a network cable to port 25 or 26 for configuration, and management IP address will remain unchanged
After changing port 24, log in as shown
5. Change management VLAN number and management IP address
System Configuration>Management IP Address. Change management VLAN to 4000 and change management IP address to 192.168.200.110
Computer loses connection after changing it, changing computer's IP address to 192.168.200.* and connecting a network cable to port 24
6. Save configuration
Enter 192.168.200.110 to enter switch management interface again, select save configuration menu, and select save configuration to configure layer 2 access switch.
If you would like to restore factory configuration, you can do so in System Management > System Tools > Software Reset.
The above refers to VLAN separation method and is for reference only!