A company's internal network usually carries far more traffic than its external link. The internal network is built on a Layer 2 switched network, so the quality of the Layer 2 design directly affects normal business operations. A good design not only delivers the required functions but also copes with unforeseen faults such as damaged links or failed equipment. Below we look mainly at Huawei Layer 2 equipment, and the first thing to understand about Layer 2 devices (switches) is the VLAN.
I. Basic concept of VLAN
In a traditional switched Ethernet, all users share one broadcast domain. As the network grows, the number of broadcast packets rises sharply; once broadcasts account for 30% of total traffic, transmission efficiency drops noticeably. Worse, when a network device fails it may keep sending broadcasts, producing a broadcast storm that paralyses network communication. How can this problem be solved?
The answer is to split the broadcast domain. There are two ways to do so:
- Physical separation: physically divide the network into several smaller networks and connect them with routing equipment, which isolates broadcasts, so that the networks can still communicate;
- Logical separation: logically divide the network into several small virtual networks, namely VLANs. A VLAN works at the data link layer; each VLAN is a switched network whose users are all in the same broadcast domain, and different VLANs communicate with each other through routing equipment.
Physical separation has many disadvantages and makes the LAN design inflexible. For example, users connected to the same switch can only be placed in the same network and cannot be divided into several different networks.
VLANs add flexibility to LAN design: when dividing work groups, the network administrator is no longer constrained by the users' physical location. VLANs can be implemented on a single switch or across switches, and can be divided by the location, role or department of the network users, as shown in the figure:
VLANs are flexible and scalable. Using VLAN technology has the following advantages:
(1) Broadcast control:
Each VLAN is an independent broadcast domain, so broadcasts consume less network bandwidth and transmission efficiency improves; a broadcast storm in one VLAN does not affect other VLANs;
(2) Enhanced network security:
Data can only be exchanged between ports in the same VLAN, and ports in different VLANs cannot access each other directly, so VLANs can be used to restrict which hosts may reach resources such as servers. Dividing the network into VLANs therefore improves its security;
(3) Simplified network management:
In a switched Ethernet without VLANs, assigning some users to a new network segment requires the administrator to readjust the physical structure of the network and possibly add equipment, which increases the management workload. With VLAN technology, users in different geographical locations can be grouped into one logical network segment according to department function or application, and workstations can be moved freely between work groups or subnets without changing the physical cabling. VLAN technology thus greatly reduces the burden and cost of network management and maintenance;
According to how VLAN membership is assigned and managed, VLANs fall into two types:
(1) Static VLAN
A static VLAN, also called a port-based VLAN, is currently the most common way of implementing VLANs.
With static VLANs, the VLAN to which each switch port belongs is specified explicitly, which requires manual configuration by the network administrator. When a user host is connected to a switch port, it is assigned to the VLAN of that port;
(2) Dynamic VLAN
There are many ways to implement dynamic VLANs; at present the most common is the MAC address-based dynamic VLAN.
With MAC address-based dynamic VLANs, a host is automatically assigned to the corresponding VLAN according to its MAC address. Advantage: when a user's physical location changes, the VLAN does not need to be reassigned. Disadvantage: every user must be configured during initialisation, which is a very heavy configuration task!
The VLAN ID range is shown in the figure:
There are also VLAN encapsulation details, which are not covered here!
II. Characteristics of the Hybrid interface
According to the VLAN encapsulation type, Huawei switch interfaces have three main modes: Access, Trunk and Hybrid. Access and Trunk interfaces work the same way as on Cisco equipment; the Hybrid interface is a mode unique to Huawei devices. A Hybrid interface resembles a Trunk interface in that it can carry tagged traffic of multiple VLANs; the difference is that a Hybrid interface can also send the frames of multiple VLANs untagged. This article focuses on the Hybrid interface of Huawei switches!
As an interface type unique to Huawei switches, the Hybrid interface has these main features:
- Huawei switch interfaces are in Hybrid mode by default;
- It can perform the functions of both Access and Trunk interfaces;
- It can provide cross-VLAN communication and access control without the help of Layer 3 equipment;
- Compared with Access and Trunk interfaces, it offers greater flexibility and control;
The function of the Hybrid interface is mainly reflected in:
- Traffic isolation: the Hybrid interface itself has strong access control capabilities. Through interface configuration, traffic within the same VLAN can be isolated, and so can traffic between different VLANs;
- Traffic intercommunication: the Hybrid interface can enable communication between different VLANs at Layer 2;
Note: a Layer 2 solution is always preferable to a Layer 3 solution, because Layer 2 forwarding is more efficient than Layer 3 forwarding. In general, the higher the layer involved, the lower the efficiency!
III. Working principle of the Hybrid interface
A Hybrid interface can flexibly control, per interface, the adding and removing of VLAN tags on data frames. For example, when the device at the far end of the interface is a switch, the interface can be configured so that frames of certain VLANs pass through with their VLAN tags while frames of other VLANs are sent without tags. When the device at the far end is a host, the interface can be configured so that frames sent to it carry no VLAN tag at all.
The working principle of the Hybrid interface involves three attributes of the interface:
- Untag list: takes effect only when the interface sends a data frame. If the VLAN tag of the frame to be sent is in the interface's untag list, the tag is removed before the frame is sent;
- Tag list: takes effect both when receiving tagged frames and when sending frames. It works like a list of allowed VLAN IDs. When the interface receives a frame carrying a VLAN tag, the tag list acts as the allowed-VLAN list and frames whose VLAN is not in the list are discarded; when the interface sends a frame whose VLAN tag is in the tag list, the tag is kept and the frame is sent, otherwise the frame is discarded;
- PVID: the default PVID of an interface is VLAN 1. The PVID only takes effect when an untagged frame is received: the frame is tagged with the current PVID;
In terms of function, the untag list and PVID of a Hybrid interface implement the Access behaviour, and the tag list implements the Trunk behaviour. But that is not all: because the Hybrid interface is more flexible than Access and Trunk interfaces, it suits a wide range of scenarios.
(1) 802.1Q encapsulation according to PVID
When the network is segmented into VLANs, traffic falls into two types:
- Tagged traffic, that is, data frames carrying an 802.1Q tag;
- Untagged traffic, that is, original Ethernet frames.
How the PVID works: normally, the traffic sent and received by a terminal device is untagged. When the switch receives tagged traffic, it identifies the VLAN ID from the 802.1Q tag; when it receives untagged traffic, it applies 802.1Q encapsulation to that traffic according to the PVID of the interface.
On Huawei equipment, each type of interface has a default PVID, as shown in the figure:
All traffic entering the switch must be tagged. If the traffic entering the switch already carries a VLAN tag, that tag identifies its VLAN; if it is untagged, it is tagged with the PVID of the interface. The purpose of tagging is subsequent forwarding!
The following diagram shows a data frame entering the switch and being tagged with the PVID:
(2) Forwarding based on the untag list and tag list
The Hybrid interface of the switch receives and sends data based on the untag list and the tag list. Its working principle is as follows:
- Each Hybrid interface has an untag list by default, containing one or more VLAN numbers; the default value is VLAN 1;
- Each interface has a tag list, empty by default, which can be set to contain one or more VLAN numbers;
- When a Hybrid interface receives a data frame, it first checks whether the frame carries a tag. If it does, the interface's tag list is checked: if the VLAN ID encapsulated in the frame is in the tag list the frame is accepted, otherwise it is discarded. If the frame carries no tag, it is tagged according to the PVID of the Hybrid interface;
- Before a Hybrid interface sends a data frame, it checks its lists: if the VLAN ID encapsulated in the frame is in the untag list, the 802.1Q encapsulation is removed and the original frame is sent; if it is in the tag list, the 802.1Q encapsulation is kept and the tagged frame is sent; if the VLAN ID is in neither list, the frame is not sent;
The role of the untag list when sending data is shown in the figure:
The role of the tag list when sending data is shown in the figure:
The processing flowchart for how a Hybrid interface sends data frames is as follows:
Both Hybrid and Trunk interfaces can tag frames of different VLANs and carry the traffic of multiple VLANs; but a Hybrid interface can send the frames of several different VLANs untagged, whereas a Trunk interface only sends the frames of its default VLAN untagged.
All three interface types can coexist on one Ethernet switch, but a Trunk interface and a Hybrid interface cannot be converted directly into each other: the interface must first be set to Access and then to the other type.
IV. Application scenarios of the Hybrid interface
A Hybrid interface sends and receives data based on its three attributes; with the working principle understood, we can now analyse its operation in practice. By configuring Hybrid interfaces, the following requirements are to be met:
- PC1 and PC2 can reach each other, and can access only PC4;
- PC3 cannot communicate with PC1 or PC2, and can access only PC5;
The experiment topology is as follows:
Once you have seen the experimental requirements and topology, first plan which VLANs need to be added to the untag list and the tag list to implement the function!
If you understand how the PVID, untag list and tag list work, you can decide which VLANs to put in the untag list and the tag list. This is one possible method.
Note: normally the default PVID of an interface is 1 and the default untag list contains VLAN 1. If you set a different PVID on an interface, you must also put that VLAN number in the tag list or the untag list, otherwise the interface will not be able to communicate.
(1) Hybrid configuration
1. Configure the IP addresses of the terminal devices
Omitted!
2. Create VLAN 2, VLAN 3 and VLAN 10 on switches S1 and S2
[S1]vlan batch 2 3 10
[S2]vlan batch 2 3 10
3. Configure Hybrid interfaces on switches S1 and S2
The configuration of the S1 switch is as follows:
[S1]int g0/0/2
[S1-GigabitEthernet0/0/2]port link-type hybrid
//Set the interface mode to Hybrid (Hybrid is the default)
[S1-GigabitEthernet0/0/2]port hybrid pvid vlan 1
//Set the PVID of the interface to 1 (also the default)
[S1-GigabitEthernet0/0/2]port hybrid untagged vlan 1 2
//Add VLAN1 and VLAN2 to the untag list
[S1-GigabitEthernet0/0/2]int g0/0/3
[S1-GigabitEthernet0/0/3]port link-type hybrid
[S1-GigabitEthernet0/0/3]port hybrid pvid vlan 1
[S1-GigabitEthernet0/0/3]port hybrid untagged vlan 1 2
[S1-GigabitEthernet0/0/3]int g0/0/4
[S1-GigabitEthernet0/0/4]port link-type hybrid
[S1-GigabitEthernet0/0/4]port hybrid pvid vlan 10
[S1-GigabitEthernet0/0/4]port hybrid untagged vlan 3 10
[S1-GigabitEthernet0/0/4]int g0/0/1
[S1-GigabitEthernet0/0/1]port link-type hybrid
[S1-GigabitEthernet0/0/1]port hybrid pvid vlan 1
[S1-GigabitEthernet0/0/1]port hybrid untagged vlan 1 2
[S1-GigabitEthernet0/0/1]port hybrid tagged vlan 3 10
//Add VLAN3 and VLAN10 to the tag list
The configuration of the S2 switch is as follows:
[S2-GigabitEthernet0/0/3]int g0/0/1
[S2-GigabitEthernet0/0/1]port link-type hybrid
[S2-GigabitEthernet0/0/1]port hybrid pvid vlan 1
[S2-GigabitEthernet0/0/1]port hybrid untagged vlan 1 2
[S2-GigabitEthernet0/0/1]port hybrid tagged vlan 3 10
[S2]int g0/0/2
[S2-GigabitEthernet0/0/2]port link-type hybrid
[S2-GigabitEthernet0/0/2]port hybrid pvid vlan 2
[S2-GigabitEthernet0/0/2]port hybrid untagged vlan 1 2
[S2-GigabitEthernet0/0/2]int g0/0/3
[S2-GigabitEthernet0/0/3]port link-type hybrid
[S2-GigabitEthernet0/0/3]port hybrid pvid vlan 3
[S2-GigabitEthernet0/0/3]port hybrid untagged vlan 3 10
4. Verify network communication
The test from PC1 is as follows:
The test from PC3 is as follows:
The experimental requirements have been met!
There are many ways to achieve this requirement, for example:
Method one:
Configure it yourself following the figure!
Method two:
You can configure it yourself following the figure! Here there is no special requirement for the interface between the switches!
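To check the configuration above against the PVID, untag-list and tag-list rules described earlier, here is a small Python model added for this article (not Huawei's code and not the author's). It assumes the host placement implied by the configuration, since the topology figure is not reproduced here: PC1 and PC2 on S1 g0/0/2 and g0/0/3, PC3 on S1 g0/0/4, PC4 on S2 g0/0/2, PC5 on S2 g0/0/3, with S1 g0/0/1 cabled to S2 g0/0/1.

```python
from dataclasses import dataclass

DROP = object()  # sentinel: the frame is discarded

@dataclass
class Hybrid:
    """One Hybrid interface: PVID plus the untag and tag lists described above."""
    pvid: int = 1                        # VLAN given to untagged ingress frames
    untag: frozenset = frozenset({1})    # egress: strip the 802.1Q tag
    tag: frozenset = frozenset()         # ingress allow-list; egress: keep the tag

def ingress(port, vid):
    """vid is the 802.1Q VID of the arriving frame (None = untagged); returns the VLAN or DROP."""
    if vid is None:
        return port.pvid                 # untagged frame is tagged with the interface PVID
    return vid if vid in port.tag else DROP

def egress(port, vlan):
    """Returns the VID carried on the wire (None = sent untagged) or DROP."""
    if vlan in port.untag:
        return None                      # remove the 802.1Q encapsulation
    if vlan in port.tag:
        return vlan                      # keep the 802.1Q encapsulation
    return DROP                          # VLAN in neither list: not sent

# The lab as configured above; port names are the article's, host placement is assumed.
S1 = {"g0/0/2": Hybrid(1, frozenset({1, 2})), "g0/0/3": Hybrid(1, frozenset({1, 2})),
      "g0/0/4": Hybrid(10, frozenset({3, 10})),
      "g0/0/1": Hybrid(1, frozenset({1, 2}), frozenset({3, 10}))}
S2 = {"g0/0/1": Hybrid(1, frozenset({1, 2}), frozenset({3, 10})),
      "g0/0/2": Hybrid(2, frozenset({1, 2})), "g0/0/3": Hybrid(3, frozenset({3, 10}))}
HOSTS = {"PC1": (S1, "g0/0/2"), "PC2": (S1, "g0/0/3"), "PC3": (S1, "g0/0/4"),
         "PC4": (S2, "g0/0/2"), "PC5": (S2, "g0/0/3")}

def reachable(src, dst):
    """Can an untagged frame from host src be delivered to host dst?"""
    sw_a, in_port = HOSTS[src]
    sw_b, out_port = HOSTS[dst]
    vlan = ingress(sw_a[in_port], None)  # hosts send untagged frames
    if sw_a is not sw_b:                 # cross the S1 g0/0/1 <-> S2 g0/0/1 link
        wire = egress(sw_a["g0/0/1"], vlan)
        if wire is DROP:
            return False
        vlan = ingress(sw_b["g0/0/1"], wire)
        if vlan is DROP:
            return False
    return egress(sw_b[out_port], vlan) is not DROP
```

Calling reachable("PC1", "PC4") and reachable("PC3", "PC1") reproduces the two requirements: the first is delivered because VLAN 1 leaves S1 untagged and is re-tagged with PVID 1 on S2, the second is dropped because VLAN 10 is in neither list of S1 g0/0/2.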
———————— This concludes this article, thanks for reading ————————