What is VLAN and how to divide VLAN? First, let’s understand the basics of VLAN. The full name of VLAN is virtual local area network, which is a kind of network segment that is logically divided (note that this is not divided in a physical sense) by a local area network device. The emerging data exchange of virtual workgroups can be realized through the VLAN division. This technology is mainly used in switches and routers, but the mainstream application is still in switches. Not all switches have this function. Only switches above the third layer of the VLAN protocol have this function. You can check the manual of the corresponding switch to know this. By dividing the network into virtual network VLAN segments, network management and network security can be strengthened, and unnecessary data broadcasting can be controlled.
In a shared network, a physical network segment is a broadcast domain. In a switched network, a broadcast domain can be a virtual network segment consisting of a set of arbitrarily selected Layer 2 network addresses (MAC addresses). In this way, the division of work groups in the network can break through the geographical restrictions in the shared network, and be completely divided according to the management function. This workflow-based grouping mode greatly improves the management functions of network planning and reorganization.
Workstations in the same VLAN, no matter which switches they are actually connected to, communicate as if they were on separate switches. Broadcasts in the same VLAN can only be heard by members of the VLAN, and will not be transmitted to other VLANs, which can well control the generation of unnecessary broadcast storms. At the same time, if there is no router, different VLANs cannot communicate with each other, which increases the security between different departments in the enterprise network.
How to divide VLAN
1.Port-based divide VLAN
This is the most commonly used VLAN division method, and it is also the most widely used and most effective. At present, most switches of VLAN protocols provide this VLAN configuration method. This method of dividing VLANs is based on the switch port of the Ethernet switch. It divides the physical port on the VLAN switch and the PVC (permanent virtual circuit) port inside the VLAN switch into several groups, and each group constitutes a virtual network, which is equivalent to an independent VLAN switch.
When different departments need to visit each other, they can be forwarded through routers and cooperated with port filtering based on MAC addresses. On the corresponding port of the switch, routing switch, or router that is closest to the site on the access path to a site set up the set of MAC addresses that can be passed. This can prevent unauthorized intruders from stealing IP addresses from the inside to invade other access points.
From this division method itself, we can see that the advantage of this division method is that it is very simple to define VLAN members, as long as all ports are defined as corresponding VLAN groups. This method is suitable for any size network. Its disadvantage is that if a user leaves the original port and arrives at a port of a new switch, it must be redefined.
2.Divide VLAN based on MAC address
This method of dividing VLANs is based on the MAC address of each host. That is, the host with each MAC address is configured to which group he belongs. The mechanism it implements is that each network card corresponds to a unique MAC address, and the VLAN switch tracks The address belonging to the VLAN MAC. VLANs in this way allow network users to automatically retain their membership in the VLAN to which they belong as they move from one physical location to another.
It can be seen from this division mechanism that the biggest advantage of this VLAN division method is that when the physical location of the user moves, that is, when switching from one switch to another switch, the VLAN does not need to be reconfigured, because it is based on users, and Not a switch-based port. The disadvantage of this method is that during initialization, all users must be configured. If there are hundreds or even thousands of users, the configuration is very tiring, so this division method is usually suitable for small local area networks. In addition, this division method also reduces the efficiency of the switch, because there may be many members of VLAN groups on each switch port, and the MAC addresses of many users are stored, which is not easy to query. Also, for users of laptops, their network cards may be changed frequently, so VLANs must be configured frequently.
3.Based on network layer protocols divide VLAN
VLANs are divided according to network layer protocols and can be divided into IP, IPX, DECnet, AppleTalk, Banyan, and other VLAN networks. This VLAN formed according to the network layer protocol enables the broadcast domain to span multiple VLAN switches. This is very attractive to network administrators who want to organize users for specific applications and services. Also, users can move freely within the network, but their VLAN membership remains intact.
The advantage of this method is that the physical location of the user changes, and there is no need to reconfigure the VLAN to which it belongs, and VLANs can be divided according to the protocol type, which is very important for network managers, and this method does not require additional Frame tags are used to identify VLANs, which can reduce network traffic. The disadvantage of this method is low efficiency because checking the network layer address of each data packet requires processing time (compared to the previous two methods), and general switch chips can automatically check the Ethernet frame of the data packet on the network. Header, but for the chip to be able to check the IP frame header, it requires higher technology and is more time-consuming. Of course, this is related to the implementation method of each manufacturer.
4.Divide VLAN based on IP multicast
IP multicast is actually a definition of VLAN, that is, an IP multicast group is considered to be a VLAN. This division method expands VLAN to WAN, so this method has more flexibility, and it is also easy to expand through routers. It is mainly suitable for LAN users who are not in the same geographical range to form a VLAN, not suitable for LAN, mainly is not efficient.
5.Divide VLAN by Policy
Policy-based VLANs can implement multiple allocation methods, including VLAN switch ports, MAC addresses, IP addresses, and network layer protocols. Network managers can decide which type of VLAN to choose according to their own management mode and the needs of the unit.
6.Divide VLAN by user-defined, non-user-authorized
VLANs are divided based on user definition and non-user authorization. In order to adapt to special VLAN networks, VLANs are defined and designed according to the special requirements of specific network users, and users from non-VLAN groups can access VLANs, but user passwords are required. You can join a VLAN only after obtaining the authentication of VLAN management.
Advantages of VLAN
The biggest advantage of VLAN is that it increases the security of the network, because a VLAN is a separate broadcast domain, and VLANs are isolated from each other, which greatly improves the utilization of the network and ensures the security and confidentiality of the network. People often transmit confidential and critical data on the LAN. Confidential data should provide security means such as access control. An effective and easy-to-implement method is to segment the network into several different broadcast groups. The network administrator limits the number of users in the VLAN and prohibits unauthorized access to applications in the VLAN. Switch ports can be grouped based on application type and access privileges, and restricted applications and resources are typically placed in security VLANs.
