VLAN Foundation
II. Basic principles of VLANs
1. Ethernet Layer 2 interface types
Access interface
A switch interface of this type is typically used to connect terminal devices such as user PCs and servers. The network cards of these devices usually send and receive only untagged frames. An Access interface can belong to only one VLAN.
Trunk interface
A Trunk interface allows frames of multiple VLANs to pass through; the frames are distinguished by their 802.1Q tag. Trunk interfaces are typically used for links between switches and for links to sub-interfaces on routers, firewalls and similar devices.
Hybrid interface (Huawei equipment default)
Like a Trunk interface, a Hybrid interface allows frames of multiple VLANs to pass through, again distinguished by the 802.1Q tag. The difference is that the administrator can specify, per VLAN, whether the Hybrid interface sends that VLAN's frames tagged or untagged.
Communication between devices in the same VLAN is called Layer 2 transparent transmission.
2. Implementation principle of the Access interface
Description of the implementation principle: when an untagged frame sent by a terminal enters the Access interface of a switch, the switch inserts a tag carrying the VLAN ID of that port's PVID (port default VLAN ID). By default every port on the switch belongs to VLAN 1. A frame carrying this tag is forwarded only to ports that are allowed to carry that VLAN ID; if an Access interface receives a tagged frame whose VLAN ID differs from its own PVID, the frame is discarded (this is what isolates the broadcast domain). When the frame reaches its destination port, the tag is stripped, so that a tagged frame is never delivered to the terminal.
Note: VLAN 1 is the default VLAN and cannot be deleted.
Experiment: observe the VLANs on the switch and the VLAN activity of its ports
This continues the experiment from the previous blog post, "building a simple VLAN" (2021-12-15, Fundamentals of Network Engineering (X): TCP three-way handshake and four-way teardown, UDP, data encapsulation and decapsulation, VLAN foundation, CSDN blog of _x629242).
Command to view VLANs: display vlan
<Huawei>display vlan
The total number of vlans is : 3
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports
--------------------------------------------------------------------------------
1    common  UT:GE0/0/5(D)      GE0/0/6(D)      GE0/0/7(D)      GE0/0/8(D)
                GE0/0/9(D)      GE0/0/10(D)     GE0/0/11(D)     GE0/0/12(D)
                GE0/0/13(D)     GE0/0/14(D)     GE0/0/15(D)     GE0/0/16(D)
                GE0/0/17(D)     GE0/0/18(D)     GE0/0/19(D)     GE0/0/20(D)
                GE0/0/21(D)     GE0/0/22(D)     GE0/0/23(D)     GE0/0/24(D)
2    common  UT:GE0/0/1(U)      GE0/0/2(U)
3    common  UT:GE0/0/3(U)      GE0/0/4(U)

VID  Status  Property      MAC-LRN Statistics Description
--------------------------------------------------------------------------------
1    enable  default       enable  disable    VLAN 0001
2    enable  default       enable  disable    VLAN 0002
3    enable  default       enable  disable    VLAN 0003
Command to view the VLAN activity of each port: display port vlan active
<Huawei>display port vlan active
T=TAG U=UNTAG
-------------------------------------------------------------------------------
Port        Link Type    PVID  VLAN List
-------------------------------------------------------------------------------
GE0/0/1     access       2     U: 2
GE0/0/2     access       2     U: 2
GE0/0/3     access       3     U: 3
GE0/0/4     access       3     U: 3
GE0/0/5     hybrid       1     U: 1
GE0/0/6     hybrid       1     U: 1
GE0/0/7     hybrid       1     U: 1
GE0/0/8     hybrid       1     U: 1
GE0/0/9     hybrid       1     U: 1
GE0/0/10    hybrid       1     U: 1
GE0/0/11    hybrid       1     U: 1
GE0/0/12    hybrid       1     U: 1
GE0/0/13    hybrid       1     U: 1
GE0/0/14    hybrid       1     U: 1
GE0/0/15    hybrid       1     U: 1
GE0/0/16    hybrid       1     U: 1
GE0/0/17    hybrid       1     U: 1
GE0/0/18    hybrid       1     U: 1
GE0/0/19    hybrid       1     U: 1
GE0/0/20    hybrid       1     U: 1
GE0/0/21    hybrid       1     U: 1
GE0/0/22    hybrid       1     U: 1
GE0/0/23    hybrid       1     U: 1
GE0/0/24    hybrid       1     U: 1
In the VLAN List column, U (UNTAG) means that the port strips the 802.1Q tag from frames of that VLAN before sending them, while T (TAG) would mean the tag is kept. The PVID column shows the VLAN assigned to untagged frames that arrive on the port.
3. Implementation principle of the Trunk interface
Description of the implementation principle: first, the switch at the far end of the Trunk link must be given a matching VLAN configuration (which VLAN IDs are allowed to pass tagged, the changed default PVID, and so on). Unlike an Access interface, a Trunk interface allows frames of multiple VLANs to pass through. What it has in common with the Access interface is that a frame whose VLAN ID equals the Trunk interface's PVID has its 802.1Q tag stripped when it leaves the switch; frames of any other VLAN keep their tag when they cross the Trunk. The receiving switch then applies the Access-interface rules described above (an untagged frame is assigned the Trunk's PVID, a tagged frame keeps its VLAN ID), so that isolation of broadcast domains extends across switches.
Note: because every switch interface has PVID 1 by default, a VLAN 1 frame leaves a Trunk interface with its tag stripped, as a plain untagged frame. If the Trunk interface at the far end has a different PVID, the frame is tagged with that PVID on arrival instead of VLAN 1. The frame has hopped into another VLAN (VLAN hopping), which defeats the purpose of isolating broadcast domains.
Fix for this VLAN hopping: create a dedicated VLAN that carries no user traffic (for example 4423) and set it as the PVID on the Trunk interfaces of every interconnected switch, using the same PVID at both ends of each Trunk link, so that all user VLANs, VLAN 1 included, cross the Trunk tagged.
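The ingress and egress rules of sections 2 and 3, and the PVID-mismatch hopping from the note above, can be reproduced in a small simulation. The following is an added example and not code from the original post; the port names, the VLAN numbers (1, 2, 10 and the unused 4423) and the two-switch topology are assumptions chosen for the demonstration, and the model floods within a VLAN rather than keeping a MAC table.

```python
"""Toy model of 802.1Q port behaviour on a VLAN-aware switch.

Added example, not code from the original post. The port names, the VLAN
numbers (1, 2, 10 and the unused 4423) and the two-switch topology are
assumptions chosen to illustrate the Access/Trunk/Hybrid rules and the
PVID-mismatch VLAN hopping described in the text.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    kind: str                   # "access", "trunk" or "hybrid"
    pvid: int                   # VLAN assigned to untagged frames received on this port
    allowed: FrozenSet[int]     # VLANs this port may carry
    untagged: FrozenSet[int]    # VLANs whose frames leave this port with the tag stripped

    @classmethod
    def access(cls, name: str, vid: int) -> "Port":
        # Access: one VLAN, always sent and received untagged.
        return cls(name, "access", vid, frozenset({vid}), frozenset({vid}))

    @classmethod
    def trunk(cls, name: str, pvid: int, allowed: Iterable[int]) -> "Port":
        # Trunk: many VLANs; the PVID VLAN is always carried and is the only one sent untagged.
        return cls(name, "trunk", pvid, frozenset(allowed) | {pvid}, frozenset({pvid}))

    @classmethod
    def hybrid(cls, name: str, pvid: int, tagged: Iterable[int], untagged: Iterable[int]) -> "Port":
        # Hybrid: the administrator decides per VLAN whether frames leave tagged.
        return cls(name, "hybrid", pvid, frozenset(tagged) | frozenset(untagged), frozenset(untagged))


def egress_vid(port: Port, vid: int) -> Optional[int]:
    """Egress rule: strip the tag for VLANs in the port's untagged set, keep it otherwise."""
    return None if vid in port.untagged else vid


class Switch:
    def __init__(self, name: str, ports: Iterable[Port]):
        self.name = name
        self.ports: Dict[str, Port] = {p.name: p for p in ports}

    def classify(self, port_name: str, wire_vid: Optional[int]) -> Optional[int]:
        """Ingress rule: an untagged frame is stamped with the port PVID, a tagged frame
        keeps its VID; a frame in a VLAN the port does not carry is discarded (None)."""
        port = self.ports[port_name]
        vid = port.pvid if wire_vid is None else wire_vid
        return vid if vid in port.allowed else None

    def forward(self, in_port: str, wire_vid: Optional[int] = None) -> Dict[str, Optional[int]]:
        """Flood one frame inside its VLAN (no MAC table in this toy model).
        Returns {out_port: vid_on_wire}; None means the frame left that port untagged."""
        vid = self.classify(in_port, wire_vid)
        if vid is None:
            return {}
        return {p.name: egress_vid(p, vid)
                for p in self.ports.values()
                if p.name != in_port and vid in p.allowed}


def build_lab(pvid_sw1: int, pvid_sw2: int) -> Tuple[Switch, Switch]:
    """Two switches joined by a Trunk on GE0/0/24 (assumed topology): VLAN 1 and VLAN 2
    hosts on GE0/0/1 and GE0/0/2, a VLAN 10 host on GE0/0/3."""
    def make(name: str, pvid: int) -> Switch:
        return Switch(name, [
            Port.access("GE0/0/1", 1),
            Port.access("GE0/0/2", 2),
            Port.access("GE0/0/3", 10),
            Port.trunk("GE0/0/24", pvid, {1, 2, 10}),
        ])
    return make("SW1", pvid_sw1), make("SW2", pvid_sw2)


def send_across(sw1: Switch, sw2: Switch, in_port: str,
                wire_vid: Optional[int] = None) -> Dict[str, Optional[int]]:
    """A frame enters SW1 on in_port, crosses the GE0/0/24 Trunk and is flooded on SW2.
    Returns the SW2 ports it reaches and the tag (if any) it carries when leaving them."""
    link = sw1.forward(in_port, wire_vid)
    if "GE0/0/24" not in link:
        return {}
    return sw2.forward("GE0/0/24", link["GE0/0/24"])


if __name__ == "__main__":
    # SW1 keeps the default PVID 1 but SW2's Trunk has PVID 10: the VLAN 1 frame leaves
    # SW1 untagged, SW2 stamps it with PVID 10, and the VLAN 10 host receives it.
    print("mismatched PVIDs:", send_across(*build_lab(1, 10), "GE0/0/1"))
    # Both Trunks use the otherwise unused VLAN 4423 as PVID: VLAN 1 crosses tagged
    # and only the VLAN 1 host on SW2 sees the frame.
    print("PVID 4423 on both ends:", send_across(*build_lab(4423, 4423), "GE0/0/1"))
```

Running the module prints `{'GE0/0/3': None}` for the mismatched case (the VLAN 1 frame surfaces on a VLAN 10 access port) and `{'GE0/0/1': None}` once both Trunks use 4423 as PVID. The same `Switch.forward` call also shows the Access rule of section 2: a tagged frame whose VID differs from the Access port's PVID returns an empty forwarding set, i.e. it is discarded.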
Note: an unmanaged ("dumb") switch lets tagged frames pass through. It neither interprets the tag when it receives a frame nor strips the tag when it sends one; it only floods, forwards or discards frames according to the MAC address table in its internal cache. If the devices at both ends are VLAN-capable network devices, or network cards that understand 802.1Q tags, and they are configured with the corresponding rules, the unmanaged switch can therefore act as a relay device for Layer 2 transparent transmission.
Note: at the data link layer, two terminals in the same network segment cannot communicate unless they are also in the same VLAN, while terminals in the same VLAN can. A network segment normally corresponds to one broadcast domain, and the role of a VLAN is to split that broadcast domain, so terminals of different VLANs on the same network segment are isolated from each other. This way of carrying frames is what is meant by Layer 2 transparent transmission.
Related commands (Huawei VRP, in interface view)
port link-type trunk            // set the interface type to trunk
port trunk pvid vlan 4423       // change the default PVID of the Trunk interface
port trunk allow-pass vlan all  // allow all VLAN IDs to pass through
4. Identifying the tag (802.1Q Tag)
The IEEE 802.1Q standard (also called Dot1Q) defines the tagging method. It modifies the traditional Ethernet frame by inserting a 4-byte 802.1Q tag into the frame header, between the source MAC address and the Type field; the VLAN information is carried in that tag.
Experiment: capture packets and observe the tag
Set up the network as shown in the figure above.
From the host 192.168.1.1 in VLAN 2, ping 192.168.1.5, as shown in the figure above.
Capture on interface GE0/0/3 of switch 2, as shown in the figure above, and analyse the frame:
1. Type in the Ethernet II header: 0x8100, indicating that an 802.1Q tag follows.
2. Priority (PCP): 0, the default best-effort priority (7 is the highest).
3. CFI (Canonical Format Indicator): 0, indicating canonical (Ethernet) format.
4. VLAN ID: 2.
5. Type: 0x0800, the encapsulated upper-layer protocol is IPv4.
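To see exactly where the tag sits and how the capture fields above are derived from the bytes, the following added example (not code from the original post) builds an untagged frame, inserts an 802.1Q tag as the switch does on ingress, parses it back the way a packet capture displays it, and strips it again as an Access port does on egress. The MAC addresses, the VLAN number and the stub IPv4 payload are constructed for the demonstration; the field layout (TPID 0x8100 followed by a 16-bit TCI of 3-bit PCP, 1-bit CFI/DEI and 12-bit VID) is the standard one.

```python
"""Insert, strip and parse an IEEE 802.1Q tag in an Ethernet II frame.

Added example, not code from the original post. The MAC addresses, the VLAN
number and the stub IPv4 payload are constructed for the demonstration; the
field layout (TPID 0x8100, then a 16-bit TCI: 3-bit PCP, 1-bit CFI/DEI,
12-bit VID) is the one defined by the standard.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# 802.1Q traffic-class names for the 3-bit priority field: 0 is the default, not the highest.
PCP_NAMES = {
    0: "Best Effort (default)", 1: "Background", 2: "Excellent Effort",
    3: "Critical Applications", 4: "Video", 5: "Voice",
    6: "Internetwork Control", 7: "Network Control",
}


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a terminal's network card emits it."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def insert_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Ingress on an Access port: insert the 4-byte tag right after the source MAC.
    TPID 0x8100 takes the EtherType's place; the original EtherType follows the TCI."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("VID must be 0..4095, PCP 0..7, DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Egress on an Access port (or a Trunk's PVID VLAN): remove the tag again."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes) -> dict:
    """Decode the header the way a packet capture displays it, tagged or untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {"dst": mac_text(frame[:6]), "src": mac_text(frame[6:12]),
            "tpid": None, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tpid=TPID_8021Q, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def describe(frame: bytes) -> str:
    """One-line summary in the order the capture in the text lists the fields."""
    p = parse_frame(frame)
    if p["vid"] is None:
        return f"untagged, Type 0x{p['ethertype']:04x}"
    return (f"Type 0x{p['tpid']:04x} (802.1Q), Priority {p['pcp']} ({PCP_NAMES[p['pcp']]}), "
            f"CFI {p['dei']}, VLAN ID {p['vid']}, Type 0x{p['ethertype']:04x}")


if __name__ == "__main__":
    # Constructed ping-like frame: only the IPv4 version/IHL byte is real, the rest is filler.
    untagged = build_frame("54:89:98:00:00:05", "54:89:98:00:00:01",
                           ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = insert_tag(untagged, vid=2)
    print(describe(tagged))
    print(tagged.hex())
    assert strip_tag(tagged) == untagged
```

For the VLAN 2 frame the four tag bytes are `81 00 00 02`: TPID 0x8100, then a TCI whose top three bits (PCP) are 0, CFI bit 0 and VID 2, followed by the original Type 0x0800. A tagged frame is therefore exactly 4 bytes longer than the untagged one the terminal sent, which is also why the terminal must never see it.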