Switches and routers are used to divide a network into segments, to let different VLANs communicate with each other, and to allow only specified combinations of VLANs to communicate.

I recommend a very easy-to-use free online tool for drawing: https://www.processon.com/i/5f58a647e658155997003a46

1. Examples of network requirements

1. Assume that there are three PCs A, B, and C, which must be on different network segments, such that A and B can communicate, A and C can communicate, but B and C cannot communicate;

Switch configuration (Cisco IOS):

```
Switch>enable
Switch#configure terminal
Switch(config)#hostname sw1
sw1(config)#vlan 10
sw1(config-vlan)#vlan 20
sw1(config-vlan)#exit
sw1(config)#interface range fastEthernet 0/1,f0/4
sw1(config-if-range)#switchport mode access
sw1(config-if-range)#switchport access vlan 10
sw1(config-if-range)#exit
sw1(config)#interface range fastEthernet 0/2,f0/3
sw1(config-if-range)#switchport mode access
sw1(config-if-range)#switchport access vlan 20
sw1(config-if-range)#end
```

Huawei switch example:

To configure a VLAN, you must first create the VLAN and then assign switch ports to the specific VLANs:

(1) Step 1: Before dividing VLANs, configure the g0/0 interfaces of routers R1 and R2, and ping 192.168.12.2 from R1.

By default all switch interfaces are in VLAN 1, so R1 and R2 should be able to communicate;

(2) Step 2: Create VLANs on S1

```
S1# vlan database
S1(vlan)# vlan 2 name VLAN2
VLAN 2 added:
    Name: VLAN2
S1(vlan)# vlan 3 name VLAN3
VLAN 3 added:
    Name: VLAN3
S1(vlan)# exit
APPLY completed.
Exiting....
```

`vlan database` enters VLAN configuration mode. `vlan 2 name VLAN2` creates a VLAN: 2 is the VLAN number (valid numbers are 1~1001) and VLAN2 is the VLAN name. Leaving VLAN mode with `exit` makes the created VLANs take effect immediately.

[Tip] The switch stores VLAN information in a separate file, flash:vlan.dat. To wipe the switch configuration completely, you must therefore run “delete flash:vlan.dat” to remove the VLAN data in addition to the “erase startup-config” command.

[Tip] In newer IOS versions, VLANs can be created in global configuration mode, as follows:

```
S1(config)# vlan 2
S1(config-vlan)# name VLAN2
S1(config-vlan)# exit
S1(config)# vlan 3
S1(config-vlan)# name VLAN3
```

(3) Step 3: Assign the ports to VLANs

```
S1(config)# interface f0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 2
S1(config-if)# exit
S1(config)# interface f0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 3
```

`switchport mode access` sets the port to access mode, meaning the port connects to a computer rather than acting as a trunk; `switchport access vlan 2` then places port f0/1 in VLAN 2 (and f0/2 in VLAN 3).

[Tip] By default all switch interfaces are in VLAN 1, and VLAN 1 cannot be deleted. If several interfaces need to be placed in the same VLAN, the following shortcut saves time. Note the spaces on both sides of the dash:

```
S1(config)# interface range f0/2 - 3
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 2
```


[Tip] To delete a VLAN, use the “no vlan 2” command. After deleting a VLAN, remember to move the ports that were in it to another VLAN; otherwise those ports “disappear” (they remain assigned to a VLAN that no longer exists and become inactive).

Debugging

(1) View VLANs

Use the “show vlan” or “show vlan brief” command to display the VLAN information and which ports belong to each VLAN. Note that this only shows which ports of this switch are in each VLAN; it does not show which VLANs the ports of other switches belong to. For example:

```
SW1# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
2    VLAN2                            active
3    VLAN3                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
```

//On the switch, VLAN 1 is the default VLAN and cannot be deleted or renamed. In addition, reserved VLANs such as 1002 and 1003 exist.
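An added example, not from the original page: a small Python parser for `show vlan` output together with the check a defender usually runs on it, listing the ports still sitting in VLAN 1 (unused ports left in the default VLAN are the usual reason to create a parking VLAN or shut them down) and the VLANs that carry no ports at all. The sample output embedded below is constructed to mirror the table above, not captured from a real switch.

```python
"""Parse Cisco IOS `show vlan` output and flag ports left in the default VLAN."""
import re
from typing import Dict, List, NamedTuple


class VlanRow(NamedTuple):
    name: str
    status: str
    ports: List[str]


# Constructed sample modelled on the table above (not real switch output).
SAMPLE_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Gi0/1
                                                Gi0/2
2    VLAN2                            active    Fa0/8, Fa0/9
3    VLAN3                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
"""

# A data row starts with the VLAN id; continuation rows start with whitespace.
_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(fragment: str) -> List[str]:
    """'Fa0/1, Fa0/2' -> ['Fa0/1', 'Fa0/2'] (empty fragment -> [])."""
    return [p.strip() for p in fragment.split(",") if p.strip()]


def parse_show_vlan(text: str) -> Dict[int, VlanRow]:
    """Return {vlan_id: VlanRow}; continuation lines add ports to the last VLAN."""
    table: Dict[int, VlanRow] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue                      # header / separator
        m = _ROW.match(line)
        if m:
            current = int(m.group(1))
            table[current] = VlanRow(m.group(2), m.group(3), _split_ports(m.group(4)))
        elif current is not None:
            table[current].ports.extend(_split_ports(line))
    return table


def ports_in_default_vlan(table: Dict[int, VlanRow]) -> List[str]:
    """Ports still in VLAN 1: candidates for a parking VLAN or for shutdown,
    so that an unconfigured port never lands on the default segment."""
    return list(table.get(1, VlanRow("default", "active", [])).ports)


def empty_vlans(table: Dict[int, VlanRow]) -> List[int]:
    """Active VLANs that carry no ports on this switch (reserved ones excluded)."""
    return [vid for vid, row in table.items() if row.status == "active" and not row.ports]


if __name__ == "__main__":
    parsed = parse_show_vlan(SAMPLE_SHOW_VLAN)
    print("ports in VLAN 1:", ports_in_default_vlan(parsed))
    print("VLANs without ports:", empty_vlans(parsed))
```

The parser only covers the first table of `show vlan`; feed it `show vlan brief` output, which has the same columns, to avoid the extra type/MTU table printed by the full command.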

(2) Communication between VLANs

Because f0/1 and f0/2 now belong to different VLANs, pinging 192.168.12.2 from R1 fails.

2. Implementation of actual networking examples

The difference between trunk and access on a switch port lies in how the port handles VLAN tags when it receives data and when it sends data.

1. Receiving data:

trunk: if the received frame carries no VLAN tag, the port's default VLAN is added to it; if the frame already carries a VLAN tag, nothing is added.

access: whether or not the received frame already carries a VLAN tag, the port's default VLAN is applied to it.

2. Sending data:

trunk: if the VLAN of the outgoing frame equals the port's default VLAN, the VLAN tag is removed; if the two differ, the frame is sent out with its original VLAN tag.

access: regardless of whether the port's default VLAN equals the VLAN of the outgoing frame, the VLAN tag is removed.

Configuration (Huawei VRP; `q` is short for `quit`):

```
# 1. On switch 1, create vlan 2, vlan 3 and vlan 100
vlan 2
q
vlan 3
q
vlan 100
q

# 2. Enter each port, set its link type and PVID
interface g0/0/1
port link-type hybrid
port hybrid pvid vlan 2

interface g0/0/2
port link-type hybrid
port hybrid pvid vlan 3

# 3. On switch 2, create vlan 100
vlan 100
q

interface g0/0/2
port link-type hybrid
port hybrid pvid vlan 50

vlan 5
q
vlan 10
q

# 4. Tagging on switch 1
interface g0/0/3
port link-type hybrid
port hybrid tagged vlan 2 3 100
q

interface g0/0/1
port hybrid untagged vlan 2 100
q

interface g0/0/2
port hybrid untagged vlan 3 100
q

save

# 5. Tagging on switch 2
interface g0/0/1
port link-type hybrid
port hybrid tagged vlan 2 3 100
q

interface g0/0/2
port hybrid untagged vlan 2 3 100
q

save

# 6. After saving, power the switch off and on again, then check the result
display vlan
```
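The following Python model is added here as an example; it is not part of the original article and not Huawei code. It implements the receive and send rules described above for access, trunk and hybrid ports (PVID added on untagged ingress, tag stripped or kept on egress according to the port's untagged/tagged lists) and applies them to the A/B/C requirement from the first section: A can talk to B and to C while B and C stay isolated. Port names, VLAN numbers and the topology are constructed for the example; how a tagged frame arriving on an access port is handled (accepted only when its tag equals the PVID) is an assumption of the model, not something the page states; `to_vrp_config` emits the VRP interface commands that correspond to each port object so the model can be compared with the configuration above.

```python
"""Model of access/trunk/hybrid port tagging and the reachability it yields."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    link_type: str                                  # "access", "trunk" or "hybrid"
    pvid: int                                       # default VLAN for untagged frames
    allowed: Set[int] = field(default_factory=set)  # trunk: port trunk allow-pass vlan ...
    tagged: Set[int] = field(default_factory=set)   # hybrid: port hybrid tagged vlan ...
    untagged: Set[int] = field(default_factory=set) # hybrid: port hybrid untagged vlan ...

    def members(self) -> Set[int]:
        """VLANs whose frames this port may carry at all."""
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.allowed)
        return self.tagged | self.untagged


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame (tag=None means untagged); None means dropped."""
    if tag is None:
        vlan = port.pvid                  # untagged frame: the PVID is added
    elif port.link_type == "access":
        # Assumption: a tagged frame on an access port is only accepted when
        # its tag equals the PVID; anything else is dropped.
        vlan = tag if tag == port.pvid else None
    else:
        vlan = tag                        # trunk/hybrid keep the existing tag
    if vlan is None or vlan not in port.members():
        return None
    return vlan


def egress(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """Return (forwarded, tag_on_wire); tag_on_wire None means sent untagged."""
    if vlan not in port.members():
        return (False, None)
    if port.link_type == "access":
        return (True, None)               # access always strips the tag
    if port.link_type == "trunk":
        return (True, None if vlan == port.pvid else vlan)
    # hybrid: the untagged list strips the tag, the tagged list keeps it
    return (True, None if vlan in port.untagged else vlan)


def hosts_can_talk(switch: Dict[str, Port], a: str, b: str) -> bool:
    """Untagged end hosts on ports a and b can exchange frames only if each
    direction is forwarded and delivered untagged (a PC drops tagged frames)."""
    for src, dst in ((a, b), (b, a)):
        vlan = ingress(switch[src], None)
        if vlan is None:
            return False
        forwarded, tag = egress(switch[dst], vlan)
        if not forwarded or tag is not None:
            return False
    return True


def reachability(switch: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    """Pairwise host reachability for every pair of ports on the switch."""
    names = sorted(switch)
    return {(p, q): hosts_can_talk(switch, p, q)
            for i, p in enumerate(names) for q in names[i + 1:]}


def to_vrp_config(port: Port) -> List[str]:
    """Emit the VRP interface commands that realise this port object."""
    lines = [f"interface {port.name}", f"port link-type {port.link_type}"]
    if port.link_type == "access":
        lines.append(f"port default vlan {port.pvid}")
    elif port.link_type == "trunk":
        lines.append(f"port trunk pvid vlan {port.pvid}")
        lines.append("port trunk allow-pass vlan " + " ".join(map(str, sorted(port.allowed))))
    else:
        lines.append(f"port hybrid pvid vlan {port.pvid}")
        if port.tagged:
            lines.append("port hybrid tagged vlan " + " ".join(map(str, sorted(port.tagged))))
        if port.untagged:
            lines.append("port hybrid untagged vlan " + " ".join(map(str, sorted(port.untagged))))
    lines.append("quit")
    return lines


# Constructed topology for the A/B/C requirement: A on g0/0/1 (PVID 10),
# B on g0/0/2 (PVID 20), C on g0/0/3 (PVID 30). The untagged lists decide who
# hears whom: A's port untags all three VLANs, B's and C's only their own and A's.
ABC_SWITCH = {
    "GigabitEthernet0/0/1": Port("GigabitEthernet0/0/1", "hybrid", 10, untagged={10, 20, 30}),
    "GigabitEthernet0/0/2": Port("GigabitEthernet0/0/2", "hybrid", 20, untagged={10, 20}),
    "GigabitEthernet0/0/3": Port("GigabitEthernet0/0/3", "hybrid", 30, untagged={10, 30}),
}

if __name__ == "__main__":
    for pair, ok in reachability(ABC_SWITCH).items():
        print(pair, "can talk" if ok else "isolated")
    for p in ABC_SWITCH.values():
        print("\n".join(to_vrp_config(p)))
```

The model ignores MAC learning on purpose: reachability between two VLAN-isolated hosts is decided purely by whether a frame is admitted on the ingress port and leaves the egress port untagged, which is exactly what the untagged/tagged lists control.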

Three ways to divide VLANs:

Port types

Before learning how to divide VLANs, you must understand the port types of Huawei switches and how to use them, because the port type is always part of a real configuration and the VLAN divisions below rely on it.

1. Access type port

Run the port default vlan vlan-id command to add the port to the specified VLAN.

An access port can belong to only one VLAN and is generally used to connect a computer;

2. Trunk type port

A trunk port can carry multiple VLANs and can receive and send packets of multiple VLANs.

3. Hybrid type port

A hybrid port can also carry multiple VLANs and receive and send packets of multiple VLANs; for each VLAN you choose one of two ways for the port to join it, tagged or untagged.

As mentioned earlier, there are many ways to divide VLANs. The most common in projects are division by port, division by MAC address, and division by IP address. To truly understand VLANs you must be familiar with all three methods, so you can apply whichever fits the actual project.

1. Port-based vlan division method

An example makes this clearest.

1. Networking requirements

As shown in Figure 1, there are many users connected to the switch of an enterprise, and the same business users access the enterprise network through different devices. For the sake of communication security and to avoid flooding of broadcast messages, enterprises hope that users with the same business can access each other, but users with different businesses cannot access directly.

Port-based VLAN classification can be configured on the switch to classify the ports connected by users with the same business into the same VLAN.

That is to say, users in different VLANs cannot directly communicate at Layer 2, but users in the same VLAN can directly communicate with each other.

2. Configuration steps

Step 1 Create VLAN2 and VLAN3 on SwitchA, and add the ports connecting users to the VLANs respectively. The configuration of SwitchB is similar to that of SwitchA and will not be described again.

```
<Quidway> system-view                            //Enter system (configuration) view
[Quidway] sysname SwitchA                        //Name the switch
[SwitchA] vlan batch 2 3                         //Create vlan2 and vlan3 at once
[SwitchA] interface ethernet 0/0/1               //Enter port 0/0/1
[SwitchA-Ethernet0/0/1] port link-type access    //Set the port mode to access
[SwitchA-Ethernet0/0/1] port default vlan 2      //Add the port to vlan2
[SwitchA-Ethernet0/0/1] quit                     //Exit
[SwitchA] interface ethernet 0/0/2               //Enter port 0/0/2
[SwitchA-Ethernet0/0/2] port link-type access    //Port mode is access
[SwitchA-Ethernet0/0/2] port default vlan 3      //Add the port to vlan3
[SwitchA-Ethernet0/0/2] quit                     //Exit
```

Step 2 Configure the port type and passing VLAN on SwitchA connected to SwitchB. The configuration of SwitchB is similar to that of SwitchA and will not be described again.

```
[SwitchA] interface ethernet 0/0/3                       //Enter port 0/0/3
[SwitchA-Ethernet0/0/3] port link-type trunk             //Set the port mode to trunk
[SwitchA-Ethernet0/0/3] port trunk allow-pass vlan 2 3   //Let vlan2 and vlan3 frames pass through the trunk
```

Step 3 Verify the configuration. Put User1 and User2 on the same network segment, for example 192.168.100.0/24, and User3 and User4 on another, for example 192.168.200.0/24.

User1 and User2 can ping each other but cannot ping User3 or User4; User3 and User4 can ping each other but cannot ping User1 or User2.

2. VLAN division method based on MAC address

1. Networking requirements

In a certain company’s network, the network administrator assigns employees in the same department to the same VLAN. In order to improve information security within the department, it is required that only the PCs of employees in the department can access the company network.

As shown in Figure 2, PC1, PC2, and PC3 are the PCs of employees in this department. It is required that these PCs can access the company network through SwitchA and Switch. If they are replaced with other PCs, they cannot access. You can configure VLANs based on MAC addresses and bind the MAC addresses of employee PCs in the department to VLANs to achieve this requirement.


2. Operation steps

With the above in mind, check whether you can follow the configuration below.

Step 1 Configure the Switch

#Create the VLANs

```
<Quidway> system-view
[Quidway] vlan batch 10 100
```

#Configure the PVID of the interface and add it to the VLANs

```
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port hybrid pvid vlan 100     //Set the interface PVID to vlan100
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 10  //Untagged: the tag is removed when data leaves the port; VLAN 10 frames may pass and are sent without a VLAN tag
[Quidway-Ethernet0/0/1] quit                          //Exit
[Quidway] interface ethernet 0/0/2                    //Enter port 0/0/2
[Quidway-Ethernet0/0/2] port hybrid tagged vlan 10    //Tagged: the tag is kept when data leaves the port; VLAN 10 frames may pass and must be sent with a VLAN tag
[Quidway-Ethernet0/0/2] quit
```

#Associate the PCs' MAC addresses with VLAN 10 (the MAC addresses are shown abbreviated here; VRP expects the full xxxx-xxxx-xxxx form)

```
[Quidway] vlan 10
[Quidway-Vlan10] mac-vlan mac-address 22-22-22   //Associate the MAC address of PC1
[Quidway-Vlan10] mac-vlan mac-address 33-33-33   //Associate the MAC address of PC2
[Quidway-Vlan10] mac-vlan mac-address 44-44-44   //Associate the MAC address of PC3
[Quidway-Vlan10] quit
```

#Enable MAC-address-based VLAN assignment on the interface

```
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] mac-vlan enable   //Enable the mac-vlan function on the port
[Quidway-Ethernet0/0/1] quit
```

3. VLAN division based on IP subnet

1. Networking requirements

An enterprise has multiple services, such as IPTV, VoIP, Internet, etc., and each service uses a different IP address segment. In order to facilitate management, it is now necessary to divide the same type of services into the same VLAN and divide different types of services into different VLANs.

As shown in Figure 3, the user packets received by the Switch include multiple services such as data, IPTV, and voice. The IP address segments of the user equipment are different. Now it is necessary to divide different types of services into different VLANs and distribute them to different remote servers through different VLAN IDs to achieve service interoperability.

Setups of this kind are common in practice.


2. Configuration ideas

Use the following idea to configure VLAN division based on IP subnets:

a. Create a VLAN and determine the VLAN to which each service belongs.

b. Associate IP subnets and VLANs to determine the VLAN based on the source IP address or specified network segment in the packet.

c. Configure the port to join the VLAN so that the VLAN based on the IP subnet passes through the current port.

d. Configure the priority of the VLAN division method to ensure that VLAN division based on IP subnets is preferred.

e. Enable VLAN classification based on IP subnets.

3. Operation steps

Step 1 Create VLANs

#Create VLAN100, VLAN200 and VLAN300 on the Switch.

```
<Quidway> system-view
[Quidway] vlan batch 100 200 300
```

Step 2 Configure the interfaces

#Configure interface Eth0/0/1 on the Switch as hybrid type and add VLAN100, VLAN200 and VLAN300.

```
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] port link-type hybrid                  //Set the port to hybrid mode
[Quidway-Ethernet0/0/1] port hybrid untagged vlan 100 200 300  //Let VLAN 100, 200 and 300 frames pass, sent without VLAN tags
[Quidway-Ethernet0/0/1] quit
```

#Configure interface Eth0/0/2 on the Switch to join VLAN 100.

```
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] port link-type trunk
[Quidway-Ethernet0/0/2] port trunk allow-pass vlan 100   //Interface 0/0/2 joins vlan100
[Quidway-Ethernet0/0/2] quit
```

#Configure interface Eth0/0/3 on the Switch to join VLAN 200.

```
[Quidway] interface ethernet 0/0/3
[Quidway-Ethernet0/0/3] port link-type trunk
[Quidway-Ethernet0/0/3] port trunk allow-pass vlan 200   //Interface 0/0/3 joins vlan200
[Quidway-Ethernet0/0/3] quit
```

#Configure interface Eth0/0/4 on the Switch to join VLAN 300.

```
[Quidway] interface ethernet 0/0/4
[Quidway-Ethernet0/0/4] port link-type trunk
[Quidway-Ethernet0/0/4] port trunk allow-pass vlan 300   //Interface 0/0/4 joins vlan300
[Quidway-Ethernet0/0/4] quit
```

#Enable VLAN classification based on IP subnets on interface Eth0/0/1.

```
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] ip-subnet-vlan enable
[Quidway-Ethernet0/0/1] quit
```

Step 3 Configure VLANs based on IP subnets

#Associate VLAN 100 on the Switch with IP subnet 192.168.1.2/24, with priority 2.

```
[Quidway] vlan 100
[Quidway-vlan100] ip-subnet-vlan 100 ip 192.168.1.2 24 priority 2
[Quidway-vlan100] quit
```

#Associate VLAN 200 on the Switch with IP subnet 192.168.2.2/24, with priority 3.

```
[Quidway] vlan 200
[Quidway-vlan200] ip-subnet-vlan 200 ip 192.168.2.2 24 priority 3
[Quidway-vlan200] quit
```

#Associate VLAN 300 on the Switch with IP subnet 192.168.3.2/24, with priority 4.

```
[Quidway] vlan 300
[Quidway-vlan300] ip-subnet-vlan 300 ip 192.168.3.2 24 priority 4
[Quidway-vlan300] quit
```

Step 4 Verify the configuration

Run the following command on the Switch; the output should look like this:

```
[Quidway] display ip-subnet-vlan vlan all
 Vlan   Index   IpAddress        SubnetMask        Priority
 100    1       192.168.1.2      255.255.255.0     2
 200    1       192.168.2.2      255.255.255.0     3
 300    1       192.168.3.2      255.255.255.0     4
 ip-subnet-vlan count: 3          total count: 3
```

That means the network configuration is successful.
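As an added example (not part of the original configuration guide), the Python below parses the `display ip-subnet-vlan vlan all` table, compares it against the subnet-to-VLAN mapping the configuration intended, and shows which VLAN an untagged frame with a given source IP would be classified into. The sample output is constructed from the table above. Two points are assumptions of the model rather than documented VRP behaviour: when several subnet entries match, the longest prefix wins, and when none matches the frame falls back to the port PVID. The Priority column is carried through unchanged.

```python
"""Parse `display ip-subnet-vlan vlan all` and classify source IPs into VLANs."""
import ipaddress
from typing import Dict, List, NamedTuple


class SubnetVlan(NamedTuple):
    vlan: int
    index: int
    network: ipaddress.IPv4Network
    priority: int


# Constructed sample reproducing the layout of the table above.
SAMPLE_DISPLAY = """\
[Quidway] display ip-subnet-vlan vlan all
 ----------------------------------------------------------------
 Vlan   Index   IpAddress        SubnetMask        Priority
 ----------------------------------------------------------------
 100    1       192.168.1.2      255.255.255.0     2
 200    1       192.168.2.2      255.255.255.0     3
 300    1       192.168.3.2      255.255.255.0     4
 ----------------------------------------------------------------
 ip-subnet-vlan count: 3          total count: 3
"""


def parse_ip_subnet_vlan(text: str) -> List[SubnetVlan]:
    """Keep only the five-column rows whose first field is a VLAN id."""
    rows: List[SubnetVlan] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue                      # header, separator, count line, prompt
        vlan, index, ip, mask, prio = parts
        # strict=False clears the host bits: 192.168.1.2/24 -> 192.168.1.0/24
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        rows.append(SubnetVlan(int(vlan), int(index), net, int(prio)))
    return rows


def classify(rows: List[SubnetVlan], src_ip: str, pvid: int) -> int:
    """VLAN for an untagged frame with this source IP (assumed rules: longest
    matching subnet wins; no match falls back to the port PVID)."""
    addr = ipaddress.IPv4Address(src_ip)
    matches = [r for r in rows if addr in r.network]
    if not matches:
        return pvid
    return max(matches, key=lambda r: r.network.prefixlen).vlan


def check_expected(rows: List[SubnetVlan], expected: Dict[int, str]) -> List[str]:
    """Compare the parsed table with the intended {vlan: cidr} mapping.
    Returns a list of human-readable mismatches; empty means the switch
    is configured exactly as intended (no missing, wrong or extra entries)."""
    seen = {r.vlan: str(r.network) for r in rows}
    problems = []
    for vlan, cidr in sorted(expected.items()):
        if seen.get(vlan) != cidr:
            problems.append(f"VLAN {vlan}: expected {cidr}, found {seen.get(vlan)}")
    for vlan in sorted(seen.keys() - expected.keys()):
        problems.append(f"VLAN {vlan}: unexpected mapping {seen[vlan]}")
    return problems


if __name__ == "__main__":
    table = parse_ip_subnet_vlan(SAMPLE_DISPLAY)
    intended = {100: "192.168.1.0/24", 200: "192.168.2.0/24", 300: "192.168.3.0/24"}
    print("mismatches:", check_expected(table, intended))
    print("192.168.2.77 ->", classify(table, "192.168.2.77", pvid=1))
```

The comparison is the useful part for a defender: an extra or altered subnet entry on a port with `ip-subnet-vlan enable` silently moves traffic into another VLAN, and diffing the displayed table against the intended mapping catches that in seconds.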