2022: ZyXEL Switch .qvlan Partitioning

Uploaded by: re****.1 | Document ID: 567379575 | Upload date: 2024-07-20 | Format: PDF | Pages: 21 | Size: 2.14MB

Virtual Local Area Network (802.1Q Tag-based VLAN)
Ethernet Switch ZyNOS 3.8 Support Notes
Version 3.80, August 2007

VLAN Support Note. All contents copyright (c) 2007 ZyXEL Communications Corporation.

Separating a physical network into many virtual networks

What is Virtual LAN?

VLAN Overview

A VLAN (Virtual Local Area Network) allows a physical network to be partitioned into multiple logical networks. Stations on a logical network belong to one group called a VLAN group. A station can belong to more than one group. The stations in the same VLAN group can communicate with each other. With VLAN, a station cannot directly talk to or hear from stations that are not in the same VLAN group(s); the traffic must first go through a router.

In MTU or IP-DSLAM applications, VLAN is vital for providing isolation and security among the subscribers. When properly configured, VLAN prevents one subscriber from accessing the network resources of another one on the same LAN. Therefore, a user will not see the printers and hard disks of another user in the same building.

VLAN also increases network performance by limiting broadcasts to a smaller and more manageable logical broadcast domain. A VLAN group is a broadcast domain. In traditional Layer-2 switched environments, all broadcast packets go to each and every individual port. With VLAN, all broadcasts are confined to a specific broadcast domain.

The two most popular VLAN implementations are Port-based VLAN and IEEE 802.1Q Tagged VLAN. ZyXEL Managed Switch supports both. The biggest difference between them is that Tagged VLAN can span Layer-2 switches, but Port-based VLAN cannot.

What is IEEE 802.1Q Tag-based VLAN?

Tag-based VLAN Overview

Under the IEEE 802.1Q standard, Tag-based VLAN uses an extra tag in the MAC header to identify the VLAN membership of a frame going across the bridges. This tag is used for VLAN and QoS (Quality of Service) priority identification. The VLANs can be created statically by hand or dynamically through GVRP. The VLAN ID associates a frame with a specific VLAN and provides the information that switches need to process the frame across the network. A tagged frame is four bytes longer than an untagged frame and contains two bytes of TPID (Tag Protocol Identifier, residing within the type/length field of the Ethernet frame) and two bytes of TCI (Tag Control Information, starting behind the source address field of the Ethernet frame).

• TPID: TPID has a defined value of 8100 in hex. When a frame has the EtherType equal to 8100, this frame carries the tag IEEE 802.1Q / 802.1P.
• Priority: The first three bits of the TCI define user priority, giving eight (2^3) priority levels. IEEE 802.1P defines the operation for these 3 user priority bits.
• CFI: Canonical Format Indicator is a single-bit flag, always set to zero for Ethernet switches. CFI is used for compatibility between Ethernet type networks and Token Ring type networks. If a frame received at an Ethernet port has a CFI set to 1, then that frame should not be forwarded to an untagged port.
• VID: VLAN ID is the identification of the VLAN, which is basically used by the 802.1Q standard. It has 12 bits and allows the identification of 4096 (2^12) VLANs. Of the 4096 possible VIDs, a VID of 0 is used to identify priority frames and value 4095 (FFF) is reserved, so the maximum possible VLAN configurations are 4,094.

Note that user priority and VLAN ID are independent of each other. A frame with a VID (VLAN Identifier) of null (0) is called a priority frame, meaning that only the priority level is significant and the default VID of the ingress port is given as the VID of the frame.

How 802.1Q VLAN works

According to the VID information in the tag, the switch forwards and filters the frames among ports. The ports with the same VID can communicate with each other. The IEEE 802.1Q VLAN function consists of the following three tasks: Ingress Process, Forwarding Process and Egress Process.

I. Ingress Process:

Each port is capable of passing tagged or untagged frames. The Ingress Process identifies whether the incoming frames contain a tag and classifies the incoming frames as belonging to a VLAN. Each port has its own Ingress rule. If the Ingress rule accepts tagged frames only, the switch port will drop all incoming non-tagged frames. If the Ingress rule accepts all frame types, the switch port allows both tagged and untagged incoming frames:

• When a tagged frame is received on a port, it carries a tag header that has an explicit VID. The Ingress Process directly passes the tagged frame to the Forwarding Process.
• An untagged frame doesn't carry any VID stating to which VLAN it belongs. When an untagged frame is received, the Ingress Process inserts a tag containing the PVID into the untagged frame. Each physical port has a default VID called PVID (Port VID). The PVID is assigned to untagged frames or priority tagged frames (frames with null (0) VID) received on this port.

After the Ingress Process, all frames have a 4-byte tag and VID information, and then go to the Forwarding Process.

II. Forwarding Process:

The Forwarding Process decides how to forward the received frames according to the Filtering Database. If you want to allow the tagged frames to be forwarded to a certain port, this port must be the egress port of this VID. The egress port is an outgoing port for the specified VLAN, that is, frames with the specified VID tag can go through this port.

The Filtering Database stores and organizes VLAN registration information useful for switching frames to and from the switch ports. It consists of static registration entries (Static VLAN or SVLAN table) and dynamic registration entries (Dynamic VLAN or DVLAN table). The SVLAN table is manually added and maintained by the administrator. The DVLAN table is automatically learned via the GVRP protocol, and can be neither created nor updated by the administrator.

The VLAN entries in the Filtering Database contain the following information:

1. VID: VLAN ID
2. Port: The switch port number
3. Ad Control: Registration administration control. There are 3 types of ad control: forbidden registration, fixed registration and normal registration.
   • Forbidden registration: This port is forbidden to be the egress port of the specified VID.
   • Fixed registration: When ad control is set to fixed registration, it means this is a static registration entry. This port is the egress port of the specified VID (a member port of the specified VLAN). The frames with the specified VID tag can go through this port.
   • Normal registration: When ad control is set to normal registration, it means this is a dynamic registration entry. The forwarding decision depends on the Dynamic VLAN table.
4. Egress tag Control: This information is used for the Egress Process. The value can be either tagged or untagged. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag will be removed before the frame leaves the egress port.

Filtering Database:

VID   Port   Ad Control   Tag Control
10    1      Forbidden    Tag
10    2      Fixed        Tag
10    3      Normal       UnTag
20    1      Fixed        Tag
20    5      Fixed        UnTag

Dynamic VLAN (DVLAN) table:

VID   Egress Port
10    1
10    2
20    3

III. Egress Process:

The Egress Process decides whether the outgoing frames will be sent tagged or untagged. The Egress Process refers to the egress tag control information in the Filtering Database. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag will be removed before the frame leaves the egress port.
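The three processes above, run against the Filtering Database and DVLAN tables shown on this page, as an added example that is not part of the ZyXEL note. The function names and the sample frame are constructed for illustration; the model assumes a forbidden entry overrides a dynamically learned one and only considers ports that have a static entry.

```python
import struct

TPID = 0x8100  # EtherType value that marks an 802.1Q / 802.1P tag

# Static entries copied from the page's Filtering Database table:
# (VID, port) -> (ad control, egress tag control)
STATIC = {
    (10, 1): ("forbidden", "tag"),
    (10, 2): ("fixed", "tag"),
    (10, 3): ("normal", "untag"),
    (20, 1): ("fixed", "tag"),
    (20, 5): ("fixed", "untag"),
}
# Dynamic VLAN (DVLAN) table from the page: (VID, egress port)
DYNAMIC = {(10, 1), (10, 2), (20, 3)}

def ingress(frame, pvid, tagged_only=False):
    """Classify a frame: (priority, vid, frame without tag), or None if dropped."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID:                    # untagged: the port's PVID applies
        return None if tagged_only else (0, pvid, frame)
    (tci,) = struct.unpack_from("!H", frame, 14)
    priority, vid = tci >> 13, tci & 0x0FFF  # 3-bit priority, 12-bit VID
    if vid == 0:                             # priority frame: PVID applies
        vid = pvid
    return priority, vid, frame[:12] + frame[16:]

def egress_ports(vid, in_port):
    """Ports that may send this VID: fixed, or normal and learned dynamically."""
    return [port for (v, port), (ad, _) in STATIC.items()
            if v == vid and port != in_port
            and (ad == "fixed" or (ad == "normal" and (vid, port) in DYNAMIC))]

def egress(frame, priority, vid, port):
    """Re-insert the tag (CFI zero) unless the port's tag control is 'untag'."""
    if STATIC[(vid, port)][1] == "untag":
        return frame
    tag = struct.pack("!HH", TPID, (priority << 13) | vid)
    return frame[:12] + tag + frame[12:]

def switch(frame, in_port, pvid, tagged_only=False):
    """Run one frame through all three processes; returns {port: bytes sent}."""
    classified = ingress(frame, pvid, tagged_only)
    if classified is None:
        return {}
    priority, vid, bare = classified
    return {p: egress(bare, priority, vid, p) for p in egress_ports(vid, in_port)}

# Constructed sample: untagged IPv4 frame (dst MAC, src MAC, EtherType, payload)
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"
```

With these tables, a VID 10 frame entering on port 3 leaves only on port 2: port 1 appears in the DVLAN table for VID 10 but its forbidden entry keeps it out.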

Application Scenario

A company is going to implement 3 zones (LAN, DMZ and Wireless). The network administrator of the company has a firewall (e.g. ZyWALL 1050) as the secure gateway. He also has 4 servers in the DMZ zone, 10 PCs in the LAN zone and 3 Access Points in the Wireless zone. How many switches does he need to purchase? The answer is three for un-managed, VLAN-unaware switches (one for each zone).

However, if you have a VLAN-aware ZyXEL Management Switch (e.g. ZyXEL ES-3124), you need just one big Switch instead of the three unmanaged switches. Virtually cut the Switch into three smaller Switches and your job is done. For example, VLAN10 for the DMZ zone, VLAN20 for the LAN zone, VLAN30 for the Wireless zone. Still, none of them can talk across zones, although they are all physically connected to one Switch.

In a small/medium business, the IT infrastructure may consist of three parts: DMZ (DMZ-1, to provide WWW and FTP servers for external customers), Client LAN zone (for normal client users), and Server farm (DMZ-2, for internal servers, e.g. Mail server, HR/Finance server).

We'll use a ZyXEL ZyWALL 1050 as the firewall device to set up this scenario. ZyWALL 1050 has five configurable WAN/DMZ/LAN interfaces. Because it has only five physical ports, we need to use switch(es) to extend the Ethernet ports. Here we use a ZyXEL Management Switch such as the ES-3124 to set up our scenario. Because it is a VLAN-aware Switch, we can treat it as three logical Switches in our case. The network topology is shown in the following picture.

Based on this topology, we'll create three VLANs: VLAN 10, VLAN 20, and VLAN 30, mapping to DMZ-1, Client LAN zone, and Server farm (DMZ-2) respectively.

Configuration via GUI on ZyXEL Management Switch

1. Connect a PC or Notebook to port 1 using the RJ45 cable.
2. By default, the MGMT IP of every in-band port is 192.168.1.1/24.
3. Set your NIC to 192.168.1.2/24.
4. Open an Internet browser such as IE and enter http://192.168.1.1 in the URL field.
5. By default, you will need to enter "admin" as the username and "1234" as the password.
6. After you log in successfully, you will see a screen similar to the one below.
7. Click "Advanced Application" on the left menu, and then choose "VLAN".
8. Second, click "Static VLAN" to create VLAN 10, VLAN 20 and VLAN 30.
9. First of all, click the check box "ACTIVE" to enable this new VLAN. Then give this VLAN a name and assign a VLAN ID to it. In this case, we are going to create VLAN10, thus we assign VLAN ID 10 to this VLAN. Moreover, we are going to make ports 1-6 join VLAN10. Since all PCs connected to the Switch are VLAN unaware, uncheck "Tx Tagging" on all of them to take away the VLAN tag during egress.
10. By following the above procedures, create VLAN 20 for ports 7-18 and VLAN 30 for ports 19-24.
11. Now if you check the VLAN status, you should see a summary page like the one below. You can see VLAN10, 20 and 30 are there now.
12. Now you need to define the PVID of VLAN10, 20 and 30 on the Switch. To do so, click "VLAN Port Setting".
13. We put PVID 10 for ports 1-6, PVID 20 for ports 7-18, PVID 30 for ports 19-24.
14. At this point everything is done. The Switch is virtually cut into three.

For the Security Appliance ZyWALL 1050's settings, we create three IP domains for the three separate zones. Here is the example:

1. Configure physical port-1 as DMZ with IP subnet 192.168.1.0/24, and connect port-1 to the ZyXEL Management Switch port-01 to join VLAN10.
2. Configure physical port-2 as LAN with IP subnet 192.168.2.0/24, and connect port-2 to the ZyXEL Management Switch port-06 to join VLAN20.
3. Configure physical port-3 as DMZ with IP subnet 192.168.3.0/24, and connect port-3 to the ZyXEL Management Switch port-23 to join VLAN30.

Configuration via CLI on ZyXEL Management Switch

Connect the Switch Console port to your PC or Notebook.

1. Open your terminal program (e.g. Hyper Terminal in Windows).
2. Make sure that your port settings are: bps: 9600, Data bits: 8, Parity: None, Stop bits: 1, Flow control: None.
3. After you have connected successfully, give the correct user name and password.
4. Now you are in enable mode. Enter "configure" to go into configuration mode. Issue the following commands to set up your Switch in this scenario.

To create VLAN 10, 20 and 30 on the Switch, issue the following commands:

    vlan 10
      name VLAN10
      normal 7-28
      fixed 1-6
      forbidden
      untagged 1-6
    exit
    vlan 20
      name VLAN20
      normal 1-6,19-28
      fixed 7-18
      forbidden
      untagged 7-18
    exit
    vlan 30
      name VLAN30
      normal 1-18,25-28
      fixed 19-24
      forbidden
      untagged 19-24
    exit
    interface port-channel 1
      pvid 10
    exit
    interface port-channel 2
      pvid 10
    exit
    interface port-channel 3
      pvid 10
    exit
    interface port-channel 4
      pvid 10
    exit
    interface port-channel 5
      pvid 10
    exit
    interface port-channel 6
      pvid 10
    exit
    interface port-channel 7
      pvid 20
    exit
    interface port-channel 8
      pvid 20
    exit
    interface port-channel 9
      pvid 20
    exit
    interface port-channel 10
      pvid 20
    exit
    interface port-channel 11
      pvid 20
    exit
    interface port-channel 12
      pvid 20
    exit
    interface port-channel 13
      pvid 20
    exit
    interface port-channel 14
      pvid 20
    exit
    interface port-channel 15
      pvid 20
    exit
    interface port-channel 16
      pvid 20
    exit
    interface port-channel 17
      pvid 20
    exit
    interface port-channel 18
      pvid 20
    exit
    interface port-channel 19
      pvid 30
    exit
    interface port-channel 20
      pvid 30
    exit
    interface port-channel 21
      pvid 30
    exit
    interface port-channel 22
      pvid 30
    exit
    interface port-channel 23
      pvid 30
    exit
    interface port-channel 24
      pvid 30
    exit
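A consistency check for a command listing like the one above, as an added example that is not part of the ZyXEL note: every port that is a fixed, untagged member of a VLAN should carry that VLAN as its PVID, otherwise untagged traffic entering the port is classified into a different zone. The parser handles only the commands shown on this page, the default PVID of 1 for ports without a pvid line is an assumption, and the sample input is constructed with PVID stanzas for ports 1 to 23 only so that the check has something to report.

```python
KEYWORDS = ("normal", "fixed", "forbidden", "untagged")

def ports(spec):
    """Expand a port list such as '1-6,19-28' into a set of port numbers."""
    out = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Return ({vid: {keyword: ports}}, {port: pvid}) from vlan/interface stanzas."""
    vlans, pvids, kind, ident = {}, {}, None, None
    for words in (line.split() for line in config.splitlines()):
        if not words:
            continue
        if words[0] == "vlan":
            kind, ident = "vlan", int(words[1])
            vlans[ident] = {}
        elif words[:2] == ["interface", "port-channel"]:
            kind, ident = "port", int(words[2])
        elif words[0] == "exit":
            kind = None
        elif kind == "vlan" and words[0] in KEYWORDS:
            vlans[ident][words[0]] = ports(words[1]) if len(words) > 1 else set()
        elif kind == "port" and words[0] == "pvid":
            pvids[ident] = int(words[1])
    return vlans, pvids

def audit(config, default_pvid=1):
    """Return (port, vid, pvid) for untagged fixed members whose PVID is not vid."""
    vlans, pvids = parse(config)
    findings = []
    for vid, lists in sorted(vlans.items()):
        access = lists.get("fixed", set()) & lists.get("untagged", set())
        for port in sorted(access):
            pvid = pvids.get(port, default_pvid)  # assumed default when unset
            if pvid != vid:
                findings.append((port, vid, pvid))
    return findings

# Constructed sample built from this page's commands ('|' stands for a newline).
STANZAS = [
    "vlan 10|name VLAN10|normal 7-28|fixed 1-6|forbidden|untagged 1-6|exit",
    "vlan 20|name VLAN20|normal 1-6,19-28|fixed 7-18|forbidden|untagged 7-18|exit",
    "vlan 30|name VLAN30|normal 1-18,25-28|fixed 19-24|forbidden|untagged 19-24|exit",
]
STANZAS += [  # PVID set on ports 1 to 23 only; port 24 is left unset on purpose
    f"interface port-channel {p}|pvid {10 if p < 7 else 20 if p < 19 else 30}|exit"
    for p in range(1, 24)
]
SAMPLE_CONFIG = "\n".join(STANZAS).replace("|", "\n")

if __name__ == "__main__":
    for port, vid, pvid in audit(SAMPLE_CONFIG):
        print(f"port {port}: untagged member of VLAN {vid} but PVID is {pvid}")
```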
