An Ethernet switch is a "bridge" device. A traditional bridge works like this: it receives an Ethernet frame and then sends it out of every port except the one it arrived on. Ethernet switches also made twisted-pair connections practical. Over time the bridge learns which MAC addresses are reachable through which port. At that point the bridge has become a learning device that stores a table of all the MAC addresses seen on each port. When a frame needs to be sent, the bridge looks up the destination MAC address in the bridge table and knows which port the frame should go out of. This ability to send data only to the correct host was a huge advance in switching technology, because it greatly reduces collisions. If the destination MAC address is not in the bridge table, the switch simply sends the frame to all ports. This is the only way to discover where a host is the first time, so, as you can see, sending data to all ports (flooding) is an important principle in switching technology. The same principle is also needed in routing.
Important terms related to layer 2 include:
Unicast segmentation: the bridge can limit which hosts receive a unicast frame (a frame sent to a single MAC address). A hub simply sends all data to all ports, so unicast segmentation alone saves a great deal of bandwidth.
Collision domain: a collision domain is a network segment on which collisions can occur. Because switches use cut-through forwarding and network cards use full duplex, collisions no longer occur. If you see collisions on a port, it means someone is accidentally using half-duplex equipment, or there is some other fault.
Broadcast domain: the network segment within which broadcast frames are sent and received.
After a few years of switch products, the old store-and-forward method used by bridges changed. The newer switch only looks at the frame's destination MAC address and then immediately sends the frame out. This technique is called "cut-through", and it lets frames pass through the switch faster because very little processing is done on them. This approach also implies something important: the switch no longer checks the CRC (cyclic redundancy check) to see whether the frame is corrupted. It also implies that collisions are impossible.
In addition, to deal with the problem of broadcast segments, virtual LAN (VLAN) technology was introduced. If you cannot send a broadcast frame to another machine, that machine is not on your local network, and you have to send all packets for it to a router, which forwards them. That is exactly what a virtual LAN does: it divides the network into more subnets.
You can set up virtual LANs on a switch and assign ports to them. If host A is in VLAN 1, it cannot talk to anyone in VLAN 2, as if the two lived on devices with no network connection between them at all. However, note that this is only virtual after all. If the switch's MAC address table is full and the switch can no longer maintain it, then in order to keep communication going the switch forwards all received frames to all ports. Many people regard VLANs as a good security measure. In fact, any half-baked hacker can quickly overcome the VLAN limits of a switch with the right tool. When the switch's MAC address table overflows, it simply becomes a hub.
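The learning-bridge behaviour and the table-overflow failure mode described above, as an added example that is not part of the original article: a small Python model of a switch with a bounded MAC address table and per-port VLAN assignment. The topology, the table capacity of four entries and the MAC addresses are constructed for the demo. The model floods unknown destinations within the frame's own VLAN (standard bridge behaviour); the point it illustrates is that once the table is full, new hosts are never learned, so traffic for them is flooded just as a hub would, and the flood ratio is the kind of metric a monitoring system can watch for.

```python
# Added example, not from the original article: a small model of a learning
# switch with VLAN-aware forwarding and a bounded MAC address table.
# It shows three behaviours described in the text: known unicast goes to one
# port, unknown destinations are flooded to the other ports of the same VLAN,
# and once the table is full new hosts can no longer be learned, so traffic
# for them keeps being flooded and the switch behaves like a hub.
# Topology, capacity and MAC addresses below are constructed for the demo.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, port_vlans, table_capacity):
        # port_vlans maps port number -> VLAN id; table_capacity is the
        # maximum number of (vlan, mac) entries the table can hold.
        self.port_vlans = dict(port_vlans)
        self.capacity = table_capacity
        self.table = {}  # (vlan, mac) -> port
        self.stats = {"unicast": 0, "flooded": 0, "learn_failed": 0}

    def _other_ports_in_vlan(self, vlan, in_port):
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)

    def learn(self, vlan, mac, port):
        """Record which port a source MAC was seen on; fail silently when full."""
        key = (vlan, mac)
        if key in self.table:
            self.table[key] = port      # refresh; the host may have moved
        elif len(self.table) < self.capacity:
            self.table[key] = port
        else:
            self.stats["learn_failed"] += 1

    def forward(self, in_port, src_mac, dst_mac):
        """Return the sorted list of egress ports for one frame."""
        vlan = self.port_vlans[in_port]
        self.learn(vlan, src_mac, in_port)
        out_port = None if dst_mac == BROADCAST else self.table.get((vlan, dst_mac))
        if out_port is not None and out_port != in_port:
            self.stats["unicast"] += 1
            return [out_port]
        # unknown destination or broadcast: flood within the VLAN only
        self.stats["flooded"] += 1
        return self._other_ports_in_vlan(vlan, in_port)

    def flood_ratio(self):
        """Share of frames that were flooded; a rising value on a stable LAN
        is the sort of signal a monitoring system would alert on."""
        total = self.stats["unicast"] + self.stats["flooded"]
        return self.stats["flooded"] / total if total else 0.0


def demo():
    # Constructed topology: ports 1-4 in VLAN 1, ports 5-8 in VLAN 2, and a
    # deliberately tiny table of 4 entries so the overflow is easy to see.
    sw = LearningSwitch({1: 1, 2: 1, 3: 1, 4: 1, 5: 2, 6: 2, 7: 2, 8: 2},
                        table_capacity=4)
    a, b, c, d, e = ("00:00:00:00:00:0%s" % x for x in "abcde")
    steps = []
    steps.append(sw.forward(1, a, b))   # b unknown: flooded to VLAN 1 -> [2, 3, 4]
    steps.append(sw.forward(2, b, a))   # a learned on port 1 -> [1]
    steps.append(sw.forward(5, c, a))   # VLAN 2 has no entry for a -> [6, 7, 8]
    steps.append(sw.forward(3, d, a))   # table now holds 4 entries -> [1]
    steps.append(sw.forward(4, e, a))   # e cannot be learned (table full) -> [1]
    steps.append(sw.forward(1, a, e))   # reply to e is flooded -> [2, 3, 4]
    return {"steps": steps, "table_size": len(sw.table),
            "learn_failed": sw.stats["learn_failed"],
            "flood_ratio": sw.flood_ratio()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the demo shows the two halves of the text's argument side by side: VLAN 2 never sees host A's entry even though A is active on the same switch, and once the table is full host E stays unknown, so A's replies to E are flooded to every other VLAN 1 port.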
As we already know, if you cannot obtain the target's MAC address with ARP, you have to go through a router. Does this mean you must physically connect a router between each pair of VLANs? No, because we now have layer 3 switches! Imagine, for example, a switch with 48 ports. The switch has two VLANs: VLAN 1 uses ports 1 to 24 and VLAN 2 uses ports 25 to 48. To connect the two VLANs you basically have three options. First, connect a router to each of the two VLANs separately and configure the hosts in each VLAN with the correct default route. Second, you can simply create a virtual router interface in each VLAN. On Cisco devices such virtual router interfaces may be called "vlan1" and "vlan2". They have their own IP addresses, and the hosts in each VLAN use these virtual router interfaces as their router.
The third approach brings us to the final topic of this layer 2 overview. If you have several switches that need to carry the same VLANs, you can connect them all through a trunk. That way VLAN 1 on switch A and VLAN 1 on switch B are exactly the same LAN. This is done with the 802.1q standard: 802.1q puts a VLAN identifier on each frame as it leaves the first switch. Cisco calls the links between these switches "trunk ports", and a trunk can carry as many VLANs as the switch allows (most current hardware allows 4096 VLANs). So the third (and last) way to connect VLANs is to attach a router over a trunk and create a virtual router interface for each VLAN. The hosts in VLAN 1 (on both switch A and switch B) can reach that router interface (which can be on a different device) because they are all connected together and share one broadcast domain. For more information on trunking and 802.1q, please refer to this article.
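The 802.1q VLAN identifier mentioned above, as an added example that is not part of the original article: a Python routine that builds Ethernet frames with and without an 802.1Q tag and parses the tag back out. The tag layout (TPID 0x8100 in the EtherType position, then a 16-bit TCI holding a 3-bit priority, a 1-bit DEI and a 12-bit VLAN ID) is the standard's; the sample frames, MAC addresses and the `frames_per_vlan` summary are constructed for the demo. Parsing the tag this way is what a trunk monitor or packet capture tool does to report which VLAN each frame belongs to.

```python
# Added example, not from the original article: build and parse Ethernet
# frames carrying an 802.1Q tag. A tagged frame has TPID 0x8100 where the
# EtherType would normally sit, followed by a 16-bit TCI: 3-bit priority,
# 1-bit DEI and a 12-bit VLAN ID (0..4095, which is where the 4096 figure
# comes from; 0 and 4095 are reserved by the standard). Sample frames at the
# bottom are constructed for the demo.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_to_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst, src, ethertype, payload, vlan=None, priority=0):
    """Build an Ethernet frame; insert an 802.1Q tag when vlan is given."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        tci = (priority << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), priority, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "vlan": None, "priority": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def frames_per_vlan(frames):
    """Count frames by VLAN id, the kind of summary a trunk monitor keeps.
    Untagged frames are counted under None."""
    counts = {}
    for frame in frames:
        vlan = parse_frame(frame)["vlan"]
        counts[vlan] = counts.get(vlan, 0) + 1
    return counts


# Constructed sample traffic: two VLAN 1 frames, one VLAN 2 frame, one untagged.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", ETHERTYPE_ARP, b"\x00\x01", vlan=1),
    build_frame("00:11:22:33:44:02", "00:11:22:33:44:01", ETHERTYPE_IPV4, b"\x45", vlan=1, priority=5),
    build_frame("00:11:22:33:44:03", "00:11:22:33:44:04", ETHERTYPE_IPV4, b"\x45", vlan=2),
    build_frame("00:11:22:33:44:05", "00:11:22:33:44:06", ETHERTYPE_IPV4, b"\x45"),
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_frame(frame))
    print(frames_per_vlan(SAMPLE_FRAMES))
```

Note that the tag adds exactly four bytes between the source MAC and the original EtherType, which is why a tagged frame can exceed the classic 1518-byte maximum by four bytes on a trunk.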
Here we do not follow the standard teaching model of "this is a layer 2 protocol, memorize the Ethernet frame header". To become a true expert you do need that knowledge, but to be a useful operator it is enough to know how layer 2 works. In the next lecture we will introduce the most interesting protocol in networking, the spanning tree protocol.
Summary:
●Bridges (also called switches) store a MAC address table to provide unicast segmentation. That is, they send unicast data only to the host that needs it.
●Virtual LANs do not provide reliable security.
●A layer 3 switch can carry multiple VLANs over a trunk and route between those VLANs, all over the same link.
Article entry: csh Editor in charge: csh