VLAN stands for Virtual Local Area Network. It is a technology that divides the devices in a local area network into network segments logically rather than physically, so that a working group can be formed virtually. VLANs were introduced to address the broadcast problem and the security problem of Ethernet: broadcast and unicast traffic within one VLAN is not forwarded at Layer 2 to other VLANs. Even if two computers sit in the same physical network segment, if they are not in the same VLAN, neither one's broadcasts reach the other.
Dividing a network into VLANs helps control traffic, reduces equipment investment, simplifies network management, and improves network security. VLAN division methods are classified in various ways, but they essentially fall into two types: port-based division and frame-content-based division.
2 VLAN division methods
2.1 VLAN division based on port
2.1.1 VLAN division by port
VLAN division by port is the most basic method. The administrator configures a PVID (Port VLAN ID, the port's default VLAN ID) on each port of the switch and thereby assigns the ports to different VLANs. The VLAN a terminal joins depends only on the port it is connected to. The advantage of this method is that VLAN membership is very simple to define; the disadvantage is that when a terminal physically moves, its new access port may need to be reconfigured.
2.1.2 Super VLAN
Super VLAN, also known as VLAN Aggregation, is another VLAN division method. In a Super VLAN the VLAN a terminal joins is still determined only by its access port, so it is essentially a port-based VLAN. Most Ruijie Networks switch products support Super VLAN technology.
With ordinary VLANs, each VLAN corresponds to one IP subnet and has its own gateway IP address, through which Layer 3 communication between VLANs takes place. Every such subnet therefore consumes a network address, a broadcast address and a gateway address of its own.
Super VLAN configures ordinary VLANs as Sub VLANs and aggregates them into one Super VLAN. Only the Super VLAN is assigned an IP address, which acts as the shared gateway for all of its Sub VLANs, so cross-VLAN Layer 3 communication is achieved with a single subnet. This saves addresses and simplifies network management. The Sub VLANs remain separate Layer 2 broadcast domains: hosts in different Sub VLANs share one subnet but can reach each other only through the Super VLAN interface, which answers ARP requests on their behalf (proxy ARP).
2.1.3 Private VLAN
Besides Super VLAN, Private VLAN (PVLAN for short) is also port-based in nature, because the VLAN a terminal joins is determined only by its access port. Most Ruijie Networks switch products support Private VLAN technology.
Private VLAN splits the Layer 2 broadcast domain of one VLAN into several sub-domains, forming a two-tier VLAN structure. The outer tier is the primary VLAN and the inner tier consists of secondary VLANs; one primary VLAN maps to many secondary VLANs. In the usual model the secondary VLANs are of two kinds: an isolated VLAN, whose ports can talk only to the primary VLAN's promiscuous (uplink) ports, and community VLANs, whose ports can additionally talk to each other. All secondary VLANs share the primary VLAN's IP subnet and gateway, which is what lets an operator serve more users from one subnet and stop wasting IP addresses on per-customer subnets.
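The forwarding rules that produce these sub-domains are easy to state as code. The following is an added example, not Ruijie code, that models the standard Private VLAN port roles (promiscuous, isolated, community) and decides which ports a frame from a given port may reach inside one primary VLAN. Port names and secondary VLAN IDs are constructed for illustration.

```python
"""Private VLAN Layer 2 forwarding policy (added example, not Ruijie code)."""
from enum import Enum


class Role(Enum):
    PROMISCUOUS = "promiscuous"  # primary VLAN port, typically the uplink to the gateway
    ISOLATED = "isolated"        # secondary VLAN port that may talk only to promiscuous ports
    COMMUNITY = "community"      # secondary VLAN port that may also talk to its own community


# Constructed port table: port -> (role, secondary VLAN id; None means the primary VLAN).
PORTS = {
    "Gi0/1": (Role.PROMISCUOUS, None),  # gateway / router uplink
    "Gi0/2": (Role.ISOLATED, 201),      # tenant A
    "Gi0/3": (Role.ISOLATED, 201),      # tenant B, same isolated VLAN, still cut off from A
    "Gi0/4": (Role.COMMUNITY, 202),     # tenant C, two servers that must see each other
    "Gi0/5": (Role.COMMUNITY, 202),
    "Gi0/6": (Role.COMMUNITY, 203),     # tenant D, a separate community
}


def can_forward(src: str, dst: str) -> bool:
    """Decide whether a frame entering on src may be forwarded out of dst."""
    if src == dst:
        return False
    s_role, s_vlan = PORTS[src]
    d_role, d_vlan = PORTS[dst]
    if Role.PROMISCUOUS in (s_role, d_role):
        return True  # every secondary port reaches the gateway, and the gateway reaches everyone
    if s_role is Role.COMMUNITY and d_role is Role.COMMUNITY and s_vlan == d_vlan:
        return True  # members of the same community see each other
    return False     # isolated ports, and ports in different secondary VLANs, never do


def broadcast_domain(src: str) -> set:
    """Ports that receive a broadcast sent from src: the sub-domain src belongs to."""
    return {p for p in PORTS if can_forward(src, p)}


if __name__ == "__main__":
    for port in PORTS:
        print(f"{port}: broadcast reaches {sorted(broadcast_domain(port))}")
```

A broadcast from the uplink still reaches every port, which is why all tenants can share one gateway and one subnet, while a broadcast from an isolated port reaches only the uplink.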
2.2 VLAN division based on frame content
2.2.1 VLAN division based on MAC address
Compared with port-based division, division by frame content is more flexible. MAC VLAN, for example, reads the source MAC address carried in the frame and places the terminal in the VLAN configured for that address. Its main advantages: when a user's terminal moves and attaches to a different port or a different switch, the VLAN of the new port does not need to be reconfigured; and different terminals behind the same access port can be placed in different VLANs according to their MAC addresses.
As IP telephony has spread, voice traffic has become a common part of the LAN. Packet loss and delay degrade call quality badly, and users notice poor voice quality far more than poor data or video quality, so when bandwidth is limited the voice stream must be given priority. Voice VLAN recognizes voice traffic by the OUI field (the first three bytes, the vendor identifier) of the frame's source MAC address, since a voice frame's source MAC carries the OUI of the phone's manufacturer. It steers data traffic into the data VLAN and voice traffic into the voice VLAN so that voice calls and business traffic do not interfere with each other, which improves call quality. Note that an OUI identifies a class of device, not an authenticated one: a host whose NIC is set to a phone vendor's OUI is classified as a phone.
2.2.2 VLAN division based on frame protocol type
Besides classification by MAC address, a VLAN can also be assigned from the protocol type of the frame. Protocol VLAN is a classification technology based on the frame's protocol type. When a device receives an untagged frame on a port, it matches the frame against user-configured rules and forwards a matching frame in the corresponding VLAN.
Protocol VLAN technology falls into two categories: subnet VLAN and protocol VLAN.
Classification based on the source IP address and subnet mask of the packet is called subnet VLAN.
The advantage of subnet VLAN is that the VLAN does not need to be reconfigured when a user's physical location changes. In a shared office area, for example, each user's IP address is fixed but the access port is not; to control which network resources users may reach, they can be placed in different VLANs according to their IP addresses. The source IP address is chosen by the host itself, however, so this is a grouping convenience rather than an access control: a user who changes their IP address changes their VLAN.
Classification based on the frame's protocol type and Ethernet type (the EtherType field, for example IPv4, IPv6, ARP or PPPoE) is called protocol VLAN.
The advantage of protocol VLAN is that the service classes carried on the network are bound to VLANs, which simplifies management and maintenance.
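To make the four classification rules in sections 2.1.1, 2.2.1 and 2.2.2 concrete, the following added example (not Ruijie code) parses raw Ethernet frames and assigns a VLAN the way an ingress classifier would: an 802.1Q tag wins outright; an untagged frame is matched against a MAC VLAN table (with a 24-bit mask entry acting as the voice VLAN's OUI match), then a subnet VLAN table on the IPv4 source address, then a protocol VLAN table on the EtherType, and finally falls back to the port's PVID. The precedence MAC > subnet > protocol > PVID, the port names, the OUI 02:11:22 and all tables and frames are assumptions constructed for the example; real switches document their own precedence.

```python
"""Ingress VLAN classification of Ethernet frames (added example, not Ruijie code)."""
import ipaddress
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD

# Constructed tables. Port names, VLAN ids and the "phone" OUI 02:11:22 are placeholders.
PVID = {"Gi0/1": 10, "Gi0/2": 20, "Gi0/3": 30}
MAC_VLAN = [  # (address, mask, VLAN); a 24-bit mask matches only the OUI, as a voice VLAN does
    ("02:11:22:00:00:00", "ff:ff:ff:00:00:00", 100),  # placeholder phone OUI -> voice VLAN 100
    ("52:54:00:12:34:56", "ff:ff:ff:ff:ff:ff", 40),   # one specific host -> VLAN 40
]
SUBNET_VLAN = [(ipaddress.ip_network("192.168.50.0/24"), 50)]
PROTOCOL_VLAN = {ETH_P_IPV6: 60}  # keyed by EtherType


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_matches(src: bytes, entry: str, mask: str) -> bool:
    m = mac_bytes(mask)
    return bytes(x & y for x, y in zip(src, m)) == bytes(x & y for x, y in zip(mac_bytes(entry), m))


def parse_frame(raw: bytes) -> dict:
    """Split a frame into dst, src, optional 802.1Q VID, EtherType and payload."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vid, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid, offset = tci & 0x0FFF, 18  # the low 12 bits of the TCI carry the VID
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype, "payload": raw[offset:]}


def classify(port: str, raw: bytes) -> tuple:
    """Return (vlan, rule) for a frame received on the given port."""
    f = parse_frame(raw)
    if f["vid"]:  # VID 0 is a priority-only tag and is treated as untagged
        return f["vid"], "tag"
    for entry, mask, vlan in MAC_VLAN:
        if mac_matches(f["src"], entry, mask):
            return vlan, "mac"
    if f["ethertype"] == ETH_P_IP and len(f["payload"]) >= 20:
        src_ip = ipaddress.ip_address(f["payload"][12:16])  # IPv4 source address field
        for net, vlan in SUBNET_VLAN:
            if src_ip in net:
                return vlan, "subnet"
    if f["ethertype"] in PROTOCOL_VLAN:
        return PROTOCOL_VLAN[f["ethertype"]], "protocol"
    return PVID[port], "pvid"


def build_frame(src: str, ethertype: int, payload: bytes = b"", vid=None) -> bytes:
    """Constructed test frame addressed to the broadcast MAC, optionally 802.1Q tagged."""
    hdr = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src)
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_header(src_ip: str, dst_ip: str = "192.168.50.1") -> bytes:
    """Minimal 20-byte IPv4 header; only the address fields matter for classification."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)


# Constructed sample frames: name -> (ingress port, raw frame).
SAMPLES = {
    "phone": ("Gi0/1", build_frame("02:11:22:aa:bb:cc", ETH_P_IP, ipv4_header("10.0.0.5"))),
    "host_in_subnet": ("Gi0/1", build_frame("aa:bb:cc:dd:ee:01", ETH_P_IP, ipv4_header("192.168.50.9"))),
    "ipv6_host": ("Gi0/2", build_frame("aa:bb:cc:dd:ee:02", ETH_P_IPV6)),
    "arp_only": ("Gi0/2", build_frame("aa:bb:cc:dd:ee:03", ETH_P_ARP)),
    "tagged": ("Gi0/3", build_frame("aa:bb:cc:dd:ee:04", ETH_P_IP, ipv4_header("192.168.50.9"), vid=77)),
    "priority_tagged": ("Gi0/3", build_frame("aa:bb:cc:dd:ee:05", ETH_P_ARP, vid=0)),
    # Caveat: content-based rules trust header fields the sender controls. A PC whose
    # NIC address is set to the phone OUI is classified into the voice VLAN.
    "spoofed_phone": ("Gi0/2", build_frame("02:11:22:01:02:03", ETH_P_IP, ipv4_header("10.9.9.9"))),
}


def classify_all() -> dict:
    return {name: classify(port, raw) for name, (port, raw) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (vlan, rule) in classify_all().items():
        print(f"{name:16s} -> VLAN {vlan:3d} via {rule}")
```

The "spoofed_phone" sample is the point a practitioner should take away: MAC VLAN, voice VLAN and subnet VLAN all key on values the end host chooses, so they are grouping mechanisms, not authentication. Where VLAN membership is a security boundary, pair them with 802.1X or MAC authentication on the access port.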
3 How to select the VLAN division method
3.1 Based on network size
When a MAC-based VLAN is first set up, the MAC address of every end user has to be entered, so this method is usually only practical in small LANs. The other VLAN division methods apply to networks of any size.
3.2 Based on network rate
Content-based VLAN division requires the device to inspect and match the MAC address, Ethernet header, IP header and other fields of each frame, which lowers the efficiency of forwarding and switching. In large networks with high-speed requirements this type of VLAN division is not recommended.
3.3 Based on application scenario requirements
Port-based division may require reconfiguration when a terminal moves to a different access port, so it suits networks where terminals stay in fixed locations. For networks where terminals move frequently, content-based division is recommended. MAC-based division in particular suits scenarios where terminals move often but their network cards are rarely replaced, since every new card needs a new table entry.
Subnet VLAN assigns VLANs by the source IP address and mask of the packet, so a given subnet always maps to a given VLAN and users are distributed in a regular pattern. Many users then share one network segment, and because membership follows an address the host sets itself, the protection it offers against network attacks is weak.
3.3.3 Protocol complexity
As the Internet has developed, the protocols running in a network have become more and more varied. To simplify the management and maintenance of traffic of different service types, protocol VLAN based on protocol type and Ethernet type can be used to carry frames of different service types in different VLANs.
Each VLAN division method has its advantages and disadvantages. They should be chosen according to the actual network requirements, and they can be combined. With an appropriate division method, one large broadcast domain is logically split into several smaller ones, which improves network security, reduces unwanted traffic and saves network resources.