1. The background

1.1. A VLAN

The IEEE 802.1Q protocol adds VLAN information to the Ethernet frame header so that the frame can be delivered to the correct VLAN. VLANs are generally divided by port, that is, by devices in nearby physical locations. In practice, departments with similar functions and services sit in similar physical locations, so port-based division is essentially service-based division. The vertical connections between business departments should also be considered, for example between the financial department of the municipal bureau and the financial department of a branch. A traditionally routed network segment follows the natural physical structure, whereas a VLAN is created artificially through switch configuration.

  • The flexibility that a VLAN offers can also be obtained through the virtual private network technology of a router or the corresponding routing policy technology, so a VLAN is not strictly necessary.
  • All VLANs pass through the central router (a backup central router can of course be configured), that is, all broadcasts pass through the central router. The combination of VLAN technology and switching equipment effectively turns Ethernet, which is essentially a broadcast mechanism, into point-to-point communication.

Therefore, a VLAN is worthwhile only when the network has on the order of several hundred stations, uses a fully switched structure with a central router, and divides its subnets according to sound principles, so that communication between subnets is small and most traffic stays within a subnet. In that case the VLAN shows its unique advantages. Remember the principle "switch when you can, route when you must"; the "80/20" rule still holds. Current network devices can divide a network into 4096 VLANs at once.
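As an added illustration (not code from the original post), here is a small Python parser and builder for the 802.1Q tag described above; the MAC addresses and the sample ARP frame are constructed, and the 12-bit VID field is what limits a network to 4096 VLANs.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag in the frame header


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header and, if present, its 802.1Q tag.

    Returns the MAC addresses, the VLAN fields (None when untagged),
    the EtherType of the encapsulated payload and the payload itself.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]  # Tag Control Information
        info["vlan"] = {
            "pcp": tci >> 13,        # 3-bit priority code point
            "dei": (tci >> 12) & 1,  # drop eligible indicator
            "vid": tci & 0x0FFF,     # 12-bit VLAN ID, hence the 4096 VLAN limit
        }
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: int = None, pcp: int = 0) -> bytes:
    """Build a frame; when vid is given, insert an 802.1Q tag after the MACs."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 0 <= vid <= 0x0FFF:
            raise ValueError("VID must fit in 12 bits")
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample: an ARP request broadcast by a host in VLAN 10.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806,
                     b"\x00\x01\x08\x00\x06\x04\x00\x01", vid=10)
```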

1.2. Trunk

VLAN configuration is propagated between switches using the VLAN Trunk Protocol (VTP), a Layer 2 messaging protocol in the OSI seven-layer model. In port-based VLANs, the original meaning of Trunk is that a port is connected to multiple VLANs; by extension, frames tagged with a VLAN can still be forwarded through that port. A switch can belong to only one VTP domain. Switches exchange VLAN information within the VTP domain: each switch in the domain advertises its VLAN information, including the configuration revision number, on its trunk ports to the other switches.

1.3. From the designer’s point of view

Assign different IP subnets to different departments of an enterprise and connect them to different VLANs. The following situations may arise when VLANs are set up:

  • Same VLAN, same network segment (for example, within a department)
  • Different VLANs on the same network segment (for example, within a department)
  • Different VLANs on different network segments (for example, across departments)
  • The same VLAN on different network segments (for example, the same working group across departments)

Subnets cannot communicate with each other directly, and neither can VLANs. So what is the difference between setting up a VLAN and setting up different network segments?

Subnets are easy to identify by IP address and mask, and this ease of identification matters in day-to-day management. A VLAN adds a further layer of access control at Layer 2 and can contain broadcast storms. In principle, IP addressing is transparent to a Layer 2 switch: the switch only decides which port to send a frame to based on the VID. It is worth mentioning that on a Layer 3 switch, different VLANs on the same network segment cannot be configured.

So in this case,

  • Different VLANs can limit the information that PCs on the same subnet can receive
  • Different network segments on the same switch cannot communicate with each other
  • Communication between different network segments can be controlled by routing access control lists (ACLs).
  • In the same VLAN, different network segments can communicate with each other without going through a router.

2. Demand

Boson is regarded as the most realistic simulation tool currently available. Compared with a real experiment, it saves the steps of making network cables to connect devices, frequently moving the console cable, and constantly going back and forth between devices. Its commands are also consistent with the latest Cisco IOS, and it can simulate multiple connection modes (such as PSTN, ISDN, and PPP).

2.1. STEP1

Start the Boson Network Designer program to enter the topology drawing interface. On the left side of the interface are the simulated devices provided by Boson, including routers, switches, PCs, cables, and so on. Draw the topology according to the diagram.

  • Console port: serial port for the initial configuration. At this point the router does not yet have a local area network (LAN) address, so you cannot log in to the router through an Ethernet port. It is also used for connecting routers to each other (in my experiment this did not work either).
  • Ethernet: network port. By default only one port is available; you can select two or more ports.

2.2. STEP2

2.2.1. Set their IP addresses

Run the command ipconfig /ip 172.16.1.2 255.255.255.0

2.2.2. PC1 and PC2 are on the same network segment:

PC1: 172.16.1.2
PC2: 172.16.1.3

2.2.3. PC3, PC4, PC5, PC6, PC7, and PC8 are on the same network segment (configured as follows):

PC3: 172.16.2.4
PC4: 172.16.2.5
PC5: 172.16.2.6
PC6: 172.16.2.7
PC7: 172.16.2.8
PC8: 172.16.2.9

2.3. Step 3

2.3.1. Configuring a switch to connect PCs on the same switch (the default is VLAN 1)

Some commands are listed:

enable           // Enter privileged mode from user mode
show version     // Display the switch version
conf t           // configure terminal: enter global configuration mode
hostname 2950    // Rename the switch
int fa 0/1       // interface FastEthernet 0/1: enter port 0/1
speed 100        // Set the port speed to 100M
duplex full      // Full duplex
no shut          // Activate the port
exit             // Leave interface configuration
copy run start   // Save the running configuration to the startup configuration
show int         // View all interfaces

The configuration process

The PCs on the same switch are connected

2.3.2. Connect switches so that PCs on the same network segment can communicate with each other

You do not need to add the ports on each switch to the same VLAN (PCs on different switches already belong to the same VLAN), but you do need to set the ports on the cascade links to Trunk [1]

vlan database          // Enter VLAN database mode, where the VTP commands below are entered
vtp domain test        // Start VTP; "test" is the domain name I chose
vtp client             // Set the switch as a VTP client so that the VLAN configuration on the primary switch is synchronized to it automatically
exit
int fa 0/1
switchport mode trunk  // Start trunking with the other switch

Configuration result

PCs on different switches in the same network segment can communicate with each other

2.3.3. Configure routers so that PCs can communicate with each other across broadcast domains

Some commands are listed:

enable                                   // Enter privileged mode from user mode
password:
conf t
int e 0/0                                // Enter interface Ethernet 0/0
int f0/0.2                               // Create a subinterface (FastEthernet 0/0.2)
ip addr 172.16.1.1 255.255.255.0         // Configure the IP address of the routed port
ip route 0.0.0.0 0.0.0.0 172.16.2.4      // Set the default route next hop to 172.16.2.4
no ip route 0.0.0.0 0.0.0.0 172.16.2.4   // Remove the default route via 172.16.2.4
interface Serial 2                       // Configure serial interface 2
encapsulation frame-relay                // Set the port to frame relay mode
interface Serial 2.1                     // Configure subinterface 1 of serial interface 2, named 2.1

The configuration process: configure E0/0 -> 172.16.1.1 and E1/0 -> 172.16.2.1. Set the default gateway of each PC (the gateway IP address [2] is the address of the device with the routing function; when a router is installed, the host's gateway is that router) to the corresponding 172.16.1.1 or 172.16.2.1. Otherwise the host does not know where to forward: a host sends packets for other segments to the MAC address of its default gateway (the one given in the /DG configuration). The same applies to the link between two routers: each router is configured with the port IP address of the other router as the next hop of its default route.

Configuration result

  • Routing between the network segments: works
  • PC7 can be pinged from the other network segment

2.4. STEP4

2.4.1. Divide VLANs. PC3, PC5, and PC7 belong to VLAN 10

Some commands are listed:

vlan database             // Enter VLAN database mode (show vlan lists the existing VLANs)
vlan 2                    // Create VLAN 2 in addition to the default VLAN 1
exit
int fa 0/<port>           // The port the PC is connected to
switchport mode access    // This step is necessary on the simulator, otherwise the ping fails; it sets the port type to access (there are other types, such as hybrid)
switchport access vlan 2  // Assign the port to the VLAN

2.4.2. PC4, PC6, and PC8 are on VLAN 20

Same as in the previous step.

Result: PC3/5/7 can communicate with each other, and PC4/6/8 can communicate with each other. The two VLANs cannot communicate with each other.

2.5. STEP5

Note that PC3 to PC8 belong to the same network segment. Because they belong to different VLANs, they cannot reach the gateway or the router: a router does not recognize tagged frames by default. With a hybrid port the tags can be removed, so that hosts in each VLAN can reach the gateway while remaining isolated from the other VLANs [3].

But in any case, different VLANs on the same network segment mean that neither Layer 2 nor Layer 3 communication is possible. The host does not know that a destination host in its own network segment is in a different VLAN, so it does not use the gateway and instead resolves the destination by broadcast [4]; that broadcast is blocked at the VLAN boundary, so Layer 2 communication fails (a bridge would simply look up the destination and forward it [5]).

For Layer 3 communication, "same network segment" would mean that two interfaces of the router are configured in the same network segment, but the network segment ID must be unique [6], which does not conform to the router's configuration rules at all. Even with subinterfaces, an overlap is reported, because after such a configuration the router cannot know which of the two identical network segments to forward to [7].
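The reasoning above, together with the four cases listed in section 1.3, can be checked with a small reachability model. This is an added example, not part of the original post: it assumes the lab's addressing (PC3/PC4 on 172.16.2.0/24 in step 4, VLAN 20 moved to 172.16.3.0/24 in step 5.1) and a router with one port per VLAN; all hosts and router ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IF, IP = ipaddress.IPv4Interface, ipaddress.IPv4Address

@dataclass(frozen=True)
class Host:
    vlan: int
    addr: ipaddress.IPv4Interface                  # e.g. 172.16.2.4/24
    gateway: Optional[ipaddress.IPv4Address] = None

@dataclass(frozen=True)
class Router:
    ifaces: Tuple[Tuple[int, ipaddress.IPv4Interface], ...]  # (VLAN of the port, ip/prefix)

def gateway_reachable(h: Host, r: Optional[Router]) -> bool:
    # The host ARPs for its gateway inside its own VLAN, so the router port that
    # carries the gateway address must sit in that VLAN (the step 5 problem).
    return r is not None and any(v == h.vlan and i.ip == h.gateway for v, i in r.ifaces)

def deliver(src: Host, dst: Host, r: Optional[Router]) -> str:
    """How a packet from src reaches dst: 'l2', 'l3' or 'unreachable: <why>'."""
    if dst.addr.ip in src.addr.network:
        # Footnote [4]: same subnet, so src ARPs for dst directly; the broadcast is
        # flooded only within src's VLAN, so a host in another VLAN never hears it.
        return "l2" if src.vlan == dst.vlan else "unreachable: ARP blocked by VLAN"
    if not gateway_reachable(src, r):
        return "unreachable: gateway missing or not in sender's VLAN"
    # The router forwards out of the port whose subnet holds dst and ARPs there.
    if not any(v == dst.vlan and dst.addr.ip in i.network for v, i in r.ifaces):
        return "unreachable: no router port on the destination subnet/VLAN"
    return "l3"

def ping(a: Host, b: Host, r: Optional[Router] = None) -> bool:
    # The echo reply must find its way back too, so both directions must work.
    return all(not deliver(x, y, r).startswith("unreachable") for x, y in ((a, b), (b, a)))

def lab_cases() -> dict:
    # Constructed hosts following the write-up's addressing plan (steps 2, 4 and 5).
    pc1, pc2 = Host(1, IF("172.16.1.2/24")), Host(1, IF("172.16.1.3/24"))
    pc3 = Host(10, IF("172.16.2.4/24"), IP("172.16.2.1"))    # step 4: VLAN 10
    pc4 = Host(20, IF("172.16.2.5/24"), IP("172.16.2.1"))    # step 4: VLAN 20, same subnet
    pc4b = Host(20, IF("172.16.3.5/24"), IP("172.16.3.1"))   # step 5.1: VLAN 20 re-addressed
    r_vlan1 = Router(((1, IF("172.16.2.1/24")),))            # router port left in VLAN 1
    r_per_vlan = Router(((10, IF("172.16.2.1/24")), (20, IF("172.16.3.1/24"))))
    return {
        "same vlan, same subnet": ping(pc1, pc2),
        "different vlan, same subnet": ping(pc3, pc4, r_per_vlan),
        "gateway port in vlan 1 only": gateway_reachable(pc3, r_vlan1),
        "different vlan, different subnet": ping(pc3, pc4b, r_per_vlan),
    }
```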

2.5.1. Change the PCs in the two VLANs to different network segments

The gateway must be the same for all hosts in the same VLAN

VLAN 10
gateway: 172.16.2.1
PC3: 172.16.2.4
PC5: 172.16.2.6
PC7: 172.16.2.8

VLAN 20
gateway: 172.16.3.1
PC4: 172.16.3.5
PC6: 172.16.3.7
PC8: 172.16.3.9

2.5.2. Routing between VLANs

Configure the router

int fa0/1
switchport mode trunk         // Switch side: the port towards the router becomes a trunk
encapsulation dot1q <vlan-id> // Router subinterface side: the trunk protocol is encapsulated as dot1Q, that is, IEEE 802.1Q. It is a VLAN encapsulation mode and a public standard. There is also another trunk protocol, ISL, which is a second way to encapsulate a VLAN, but it is Cisco proprietary and cannot be used by other vendors.

If you set up a switch-to-router trunk, there are a number of problems:

  • The router crashes when pinging other hosts
  • When a PC in a VLAN on the switch pings, NetSim 9.9.5231 crashes

Add the ports on switch 2950-2 that connect to a router to VLAN20 as an example:

Configuration result

3. Summary

  1. Start VTP
  2. Configure the Trunk
  3. Create the VLANs
  4. Assign ports to the VLANs
  5. Route between the VLANs

4. Bugs

4.1. Request timed out

  • Error:

C:>ipconfig /ip 172.16.1.2 255.255.255.0 // The gateway is not specified at this point
C:>ping 172.16.1.3
Pinging 172.16.1.3 with 32 bytes of data:
Request timed out.

  • Solutions:
  1. Check connectivity with ping in five steps:

1. Run ipconfig /all to check whether the local network settings are correct.

2. Ping 127.0.0.1 to check whether TCP/IP is correctly installed on the local network card.

3. Ping the local IP address to check whether the local IP address is configured correctly.

4. Ping the gateway or another IP address on the local network to check whether a hardware device is faulty and whether the connection between the local computer and the local network is normal. If this works, problems in the local network can be ruled out.

5. Ping a remote IP address to check whether the local network or the local PC is properly connected to external devices.

  2. After eliminating errors on the basis of ping, finally suspect the switch. Switch to the 2950 model as the tutorial instructs and carry out the relevant configuration.

  • Reflection: I did not look carefully at the example provided; I originally chose the 1900 switch model instead of the 2950. In fact, the Catalyst 1900 was discontinued in 2002 [8]

4.2. Gateway of last resort is not set

  • Error: after RIP is configured between the different network segments, traffic between the network segments is still not forwarded by the router.
  • The solution
  1. show ip int brief: check the interface information; it shows that the interfaces are activated properly
  2. Consider the possible difference between static and dynamic routes

Static routes are fixed routing table entries configured in a router. They do not change unless the administrator intervenes, and they are used on small networks with a fixed topology. Dynamic routing is a process in which the routers on a network communicate with each other, exchange routing information, and update their routing tables from the information they receive. When a dynamic route conflicts with a static route, the static route prevails.

It was a mistake, as a beginner, for me to think that a router could be configured with only dynamic routing and would obtain its routing table by itself by communicating with the hosts on the network segment. But once a gateway is configured, that is itself an IP route.

  3. Following the official Cisco instructions [9], configure it with ip route 0.0.0.0 0.0.0.0; note that certain commands for that model are not used here, but it does not matter
  • Reflection: it is English documentation, but it is still worth reading

4.3. Failed to change the IP address once

4.4. The ping gateway is different

Someone suggested configuring static routes


  1. Use Trunk between switches ↩︎

  2. A gateway is a hardware device designed for communication between different network segments. The hardware devices used as gateways include routers, Layer 3 switches, and firewalls. In most cases a host is not a gateway, and two hosts on different network segments cannot ping each other. ↩︎

  3. Communication between different VLANs on the same network segment ↩︎

  4. If the destination IP address is a local address, the packet is passed back up to the local upper layer, not to the network card. If the destination is another IP address on the same network segment, its MAC address is looked up in the ARP table or an ARP request is sent. If the destination IP address is on a different network segment, the packet is handed to Layer 3 and the MAC address of the gateway is used as the destination MAC address ↩︎

  5. What exactly is a gateway? ↩︎

  6. Che xiaopang: Select any interface and compute the bitwise AND of that interface's network mask with the IP addresses of all interfaces. If the resulting network segment IDs are the same, the configuration is invalid ↩︎

  7. Same VLAN Same network segment _ Same VLAN Different network segment _ Different VLAN Same network segment _ Different VLAN Different network segment ↩︎

  8. Quality and price: Cisco 2950 series switches ↩︎

  9. Three methods for setting the default gateway of a router ↩︎