The difference and connection between VLAN and port isolation in weak-current (low-voltage) network engineering
2020-08-17 15:53
On large networks, IP planning is a recurring worry. Readers often ask how to assign IP addresses for a large surveillance deployment or any network with more than 1,000 camera channels or endpoints. The usual approach is to divide the network into VLANs: this simplifies management and improves the security of the whole network. Is there another option besides VLANs? Yes: port isolation. These two techniques are the ones most used in IP planning, and this article looks at both.
One, dividing VLANs
When there are many IP addresses to manage, the usual method is to divide them into VLANs. A VLAN bounds a broadcast domain: all ports in the same VLAN share one broadcast domain, and broadcasts do not cross into another VLAN. Port isolation, covered in the next section, works one level down and separates individual interfaces within the same VLAN. When the VLANs are created on a Layer 3 switch, each one gets a VLANIF interface carrying the gateway address and the switch routes between them, so hosts in different VLANs can still communicate where that is wanted.
For example, a company has 1,000 computers spread across several departments that need to exchange data with one another. How should the IP addresses be planned?
Analysis: a /24 gives 254 usable addresses (253 once the gateway is taken), so four segments is the bare minimum for 1,000 computers. Five segments fit comfortably, and six leave room for future growth, so the plan below uses six. One VLAN per segment, with the first address of each as the gateway:
VLAN 1: 192.168.1.0/24, gateway 192.168.1.1
VLAN 2: 192.168.2.0/24, gateway 192.168.2.1
VLAN 3: 192.168.3.0/24, gateway 192.168.3.1
VLAN 4: 192.168.4.0/24, gateway 192.168.4.1
VLAN 5: 192.168.5.0/24, gateway 192.168.5.1
VLAN 6: 192.168.6.0/24, gateway 192.168.6.1
On most switches VLAN 1 is the default VLAN that every port belongs to until it is configured, so in practice it is better to leave VLAN 1 unused and start user VLANs at a higher ID such as 10.
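To turn the rule of thumb above into a repeatable plan, here is an added Python example (not part of the original article and not a vendor tool) that computes how many /24 segments a given host count needs, assigns a VLAN ID, gateway and DHCP range to each, and renders the matching Huawei VRP vlan batch / interface Vlanif lines. The 192.168.0.0/16 pool, the 80% fill target, VLAN IDs starting at 10 and the DHCP-range convention are assumptions chosen for the example.

```python
"""VLAN / subnet planner for a site of ~1000 hosts (added example, not vendor code).

Assumptions made here, not taken from the article: addresses come from the
192.168.0.0/16 pool, every VLAN gets one /24, the lowest host address is the
gateway, and each subnet is planned to at most 80% fill so there is room to grow.
"""
import ipaddress
import math


def subnets_needed(hosts: int, prefix_len: int = 24, max_fill: float = 0.8) -> int:
    """Number of /prefix_len subnets for `hosts` endpoints.

    A /24 has 254 usable addresses (network and broadcast excluded); the
    gateway takes one, leaving 253.  Planning to 80% fill gives 202 endpoints
    per /24, so 1000 hosts need 5 segments (4 would only just fit at 100%).
    """
    usable = 2 ** (32 - prefix_len) - 2 - 1  # minus network, broadcast, gateway
    per_subnet = math.floor(usable * max_fill)
    return math.ceil(hosts / per_subnet)


def plan_vlans(pool: str, hosts: int, first_vlan: int = 10,
               prefix_len: int = 24, max_fill: float = 0.8) -> list:
    """Allocate one VLAN + subnet per segment and return the plan as a list of dicts.

    VLAN IDs start at `first_vlan` rather than 1: VLAN 1 is the default VLAN on
    most switches and is normally kept free of user traffic.
    """
    count = subnets_needed(hosts, prefix_len, max_fill)
    candidates = list(ipaddress.ip_network(pool).subnets(new_prefix=prefix_len))
    if count > len(candidates):
        raise ValueError(f"{pool} holds only {len(candidates)} /{prefix_len} subnets, {count} needed")
    plan = []
    for i, net in enumerate(candidates[:count]):
        addrs = list(net.hosts())          # usable addresses, network/broadcast excluded
        gateway, endpoints = addrs[0], addrs[1:]
        dhcp = endpoints[:math.floor(len(endpoints) * max_fill)]  # the rest is growth reserve
        plan.append({
            "vlan": first_vlan + i,
            "subnet": str(net),
            "gateway": str(gateway),
            "dhcp_start": str(dhcp[0]),
            "dhcp_end": str(dhcp[-1]),
            "reserved": len(endpoints) - len(dhcp),
        })
    return plan


def vrp_config(plan: list) -> str:
    """Render the plan as Huawei VRP system-view commands for review before deployment."""
    lines = [f"vlan batch {plan[0]['vlan']} to {plan[-1]['vlan']}"]
    for p in plan:
        prefix = ipaddress.ip_network(p["subnet"]).prefixlen
        lines += [f"interface Vlanif {p['vlan']}",
                  f" ip address {p['gateway']} {prefix}",
                  " quit"]
    return "\n".join(lines)


if __name__ == "__main__":
    site = plan_vlans("192.168.0.0/16", hosts=1000)
    for p in site:
        print(f"VLAN {p['vlan']}: {p['subnet']}  gw {p['gateway']}  "
              f"DHCP {p['dhcp_start']}-{p['dhcp_end']}  ({p['reserved']} reserved)")
    print(vrp_config(site))
```

Running it for 1,000 hosts yields five VLANs (10 to 14) on 192.168.0.0/24 through 192.168.4.0/24, each with 202 DHCP addresses and 51 held back for static assignments and growth; pass a smaller pool and the planner refuses rather than silently overlapping subnets.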
The main advantages of VLANs are:
1. Bounded broadcast domains. Each broadcast is confined to its own VLAN, which reduces the broadcast load on every host and switch.
2. Better LAN security. Broadcast and unicast traffic within a VLAN is not forwarded to other VLANs, which makes traffic easier to control, reduces the equipment needed, simplifies management and improves security.
3. Flexible virtual workgroups. Users can be placed in workgroups by VLAN regardless of where they sit physically, which makes building and maintaining the network more convenient and flexible.
Two, port isolation
As noted above, VLANs are a good solution for large networks. Besides VLANs, port isolation can also be used. Putting each port in its own VLAN would keep the hosts apart too, but it consumes scarce VLAN IDs (only 4094 are usable) and an IP segment for each one. Port isolation instead separates ports within the same VLAN: the user adds the ports to an isolation group, and Layer 2 traffic between the members of that group is blocked.
Port isolation is mostly used inside the intranet. Ports in the same isolation group cannot communicate with each other, so it gives a more restrictive, and therefore more secure, arrangement than a flat VLAN in which every host can reach every other.
Example: the topology for port isolation is shown in the figure below. PC1, PC2 and PC3 all belong to VLAN 10.
Requirement: PC2 and PC3 must not be able to reach each other, while PC1 can reach both PC2 and PC3.
PC1: 10.10.10.1/24, connected to switch port GE1/0/1
PC2: 10.10.10.2/24, connected to GE1/0/2
PC3: 10.10.10.3/24, connected to GE1/0/3
Gateway: 10.10.10.4 (the switch's VLANIF 10 address)
Configuration steps (Huawei VRP):
<Huawei>system-view #Enter system view from user view; the prompt changes to [Huawei]
[Huawei]vlan 10 #Create VLAN 10
[Huawei-vlan10]quit
[Huawei]interface Vlanif 10 #Create the Layer 3 interface for VLAN 10
[Huawei-Vlanif10]ip address 10.10.10.4 24 #Gateway address used by PC1-PC3, in their own subnet
[Huawei-Vlanif10]quit
[Huawei]interface GigabitEthernet 1/0/1 #Port 1, PC1
[Huawei-GigabitEthernet1/0/1]port link-type access #Access mode: the port belongs to exactly one VLAN
[Huawei-GigabitEthernet1/0/1]port default vlan 10 #Place the port in VLAN 10 (otherwise it stays in VLAN 1)
[Huawei-GigabitEthernet1/0/1]quit
[Huawei]interface GigabitEthernet 1/0/2 #Port 2, PC2
[Huawei-GigabitEthernet1/0/2]port link-type access
[Huawei-GigabitEthernet1/0/2]port default vlan 10
[Huawei-GigabitEthernet1/0/2]am isolate GigabitEthernet 1/0/3 #Block frames from port 2 to port 3
[Huawei-GigabitEthernet1/0/2]quit
[Huawei]interface GigabitEthernet 1/0/3 #Port 3, PC3
[Huawei-GigabitEthernet1/0/3]port link-type access
[Huawei-GigabitEthernet1/0/3]port default vlan 10
[Huawei-GigabitEthernet1/0/3]am isolate GigabitEthernet 1/0/2 #Block frames from port 3 to port 2
[Huawei-GigabitEthernet1/0/3]quit
This makes port 2 and port 3 unable to communicate with each other, while both still reach port 1 and the gateway. The am isolate command is unidirectional, which is why it is applied on both ports; the equivalent group-based form is port-isolate enable group 1 on both GE1/0/2 and GE1/0/3, which by default isolates Layer 2 only (port-isolate mode l2). Verify from the hosts: a ping from PC2 to 10.10.10.3 must fail, pings from PC1 to 10.10.10.2 and 10.10.10.3 must succeed, and all three PCs must reach 10.10.10.4.
Port isolation is one of the switch's access-control mechanisms, and because it is simple and flexible it is widely used in real deployments. Selected ports are added to a port isolation group; ports in the same group cannot exchange Layer 2 traffic with each other, while ports in different groups (or in no group) are unaffected. This sounds like VLAN division, but it is not the same thing. Both separate a set of devices and both have a protective effect, but a VLAN defines a broadcast domain: in a building, for example, each floor might be its own VLAN so that its broadcasts stay on that floor. Hosts in one VLAN normally share an IP segment, can ping each other and can share data. Port isolation works inside that VLAN: two isolated ports stay in the same segment yet can no longer reach each other, which is a stronger restriction. In short, a VLAN isolates broadcasts (one VLAN is one broadcast domain), and port isolation separates individual interfaces within the same VLAN.
Three, summary
1. Isolated ports cannot communicate with each other, but every isolated port can still reach the uplink port, and therefore the gateway and everything beyond it. Isolation protects neighbours on the same switch, not upstream systems, and it is a Layer 2 control: if the gateway proxies ARP for hosts in its own subnet, it will relay traffic between the isolated hosts and undo the isolation. In a VLAN, any ports with the same VLAN ID communicate freely, and different VLANs cannot communicate directly without a Layer 3 device.
2. Isolated ports remain in the same IP segment; each VLAN, by contrast, needs its own IP segment.
3. Port isolation is confined to a single switch: it cannot control traffic between an isolated port and a host on another switch reached through the uplink. VLANs span multiple switches, and two ports with different VLAN IDs cannot communicate directly no matter which switch they are on.
4. A frame leaving the uplink carries no indication of which isolated port it entered on, whereas its 802.1Q tag tells the next switch exactly which VLAN it belongs to.
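To make the summary points concrete, here is an added Python model (not Huawei code and not from the original article) of the Layer 2 forwarding decision: a switch forwards a frame only if the egress port is in the frame's VLAN (or is a trunk) and the ingress/egress pair is not blocked by an isolation rule. Isolation rules are modelled as one-way (ingress, egress) pairs, mirroring the unidirectional am isolate command applied on both GE1/0/2 and GE1/0/3 in the configuration above. The two-switch topology, the port names and the VLAN 20 host are constructed for the example.

```python
"""Layer 2 forwarding model: VLAN membership vs. port isolation (added example).

Not vendor code.  The topology is constructed: SW1 holds PC1-PC3 (VLAN 10) on
GE1/0/1-3, an unrelated VLAN 20 host on GE1/0/5, and an uplink trunk GE1/0/24
to SW2, which has one VLAN 10 host on GE1/0/1.  Isolation is a set of one-way
(ingress_port, egress_port) pairs, mirroring Huawei's unidirectional `am isolate`.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    access_vlan: dict                                 # access port -> VLAN ID (untagged)
    trunk_ports: set = field(default_factory=set)     # carry every VLAN with an 802.1Q tag
    isolate: set = field(default_factory=set)         # (ingress, egress) pairs blocked at L2

    def vlan_of(self, port: str, tag=None):
        """VLAN a frame belongs to: the port's access VLAN, or the tag on a trunk."""
        return tag if port in self.trunk_ports else self.access_vlan.get(port)

    def can_forward(self, ingress: str, egress: str, tag=None) -> bool:
        """Decide whether a frame entering on `ingress` may leave on `egress`."""
        vlan = self.vlan_of(ingress, tag)
        if vlan is None:
            return False                    # untagged frame on a trunk, or unknown port
        if egress not in self.trunk_ports and self.access_vlan.get(egress) != vlan:
            return False                    # different VLAN: separate broadcast domain
        if (ingress, egress) in self.isolate:
            return False                    # same VLAN, but this port pair is isolated
        return True


def reach(hops: list) -> bool:
    """Walk (switch, ingress, egress) hops; the VLAN learnt at the first access
    port travels as the 802.1Q tag across trunk links.  The tag names the VLAN
    but says nothing about which port the frame originally entered on."""
    tag = None
    for sw, ingress, egress in hops:
        if not sw.can_forward(ingress, egress, tag):
            return False
        tag = sw.vlan_of(ingress, tag)
    return True


# Constructed topology.  SW1 mirrors the article: PC2 <-> PC3 isolated in both directions.
SW1 = Switch("SW1",
             access_vlan={"GE1/0/1": 10, "GE1/0/2": 10, "GE1/0/3": 10, "GE1/0/5": 20},
             trunk_ports={"GE1/0/24"},
             isolate={("GE1/0/2", "GE1/0/3"), ("GE1/0/3", "GE1/0/2")})
SW2 = Switch("SW2", access_vlan={"GE1/0/1": 10}, trunk_ports={"GE1/0/24"})
# Same as SW1 but with `am isolate` applied on GE1/0/2 only (the mistake to avoid).
SW1_ONE_WAY = Switch("SW1-oneway", access_vlan=SW1.access_vlan, trunk_ports=SW1.trunk_ports,
                     isolate={("GE1/0/2", "GE1/0/3")})


def summary_checks() -> dict:
    """Evaluate the article's summary points against the model (True = forwarded)."""
    return {
        # isolated ports cannot reach each other, but each still reaches PC1 and the uplink
        "pc2_to_pc3": reach([(SW1, "GE1/0/2", "GE1/0/3")]),
        "pc1_to_pc2": reach([(SW1, "GE1/0/1", "GE1/0/2")]),
        "pc2_to_uplink": reach([(SW1, "GE1/0/2", "GE1/0/24")]),
        # different VLANs never meet at Layer 2, with or without isolation
        "vlan10_to_vlan20": reach([(SW1, "GE1/0/1", "GE1/0/5")]),
        # isolation is local to SW1: it cannot stop PC2 reaching a VLAN 10 host on SW2
        "pc2_to_sw2_host": reach([(SW1, "GE1/0/2", "GE1/0/24"), (SW2, "GE1/0/24", "GE1/0/1")]),
        # one-way isolation: configuring only GE1/0/2 leaves PC3 -> PC2 open
        "one_way_pc2_to_pc3": reach([(SW1_ONE_WAY, "GE1/0/2", "GE1/0/3")]),
        "one_way_pc3_to_pc2": reach([(SW1_ONE_WAY, "GE1/0/3", "GE1/0/2")]),
    }


if __name__ == "__main__":
    for check, ok in summary_checks().items():
        print(f"{check:22s} {'forwarded' if ok else 'blocked'}")
```

The one-way case is the practical lesson: a single am isolate statement blocks PC2 from PC3 but leaves PC3 free to reach PC2, so a ping test from only one side can report the isolation as working when it is not. The two-hop case shows why isolation on SW1 says nothing about hosts behind the uplink.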
© 2020 Shenzhen Optical Valley XunTong Technology Co, Ltd