802。1q吧?802.1Q 是关于- Virtual LANs的协议。The IEEE's 802.1Q standard was developed to address the problem of how to break large networks into smaller parts so broadcast and multicast traffic wouldn't grab more bandwidth than necessary. The standard also helps provide a higher level of security between segments of internal networks.
The 802.1Q specification establishes a standard method for inserting virtual LAN (VLAN) membership information into Ethernet frames.
In a LAN, datalink-layer broadcast and multicast traffic is delivered to all endstations, but this traffic cannot go beyond the LAN boundary. In the past, shared cabling or hubs were the boundaries for LANs.
Because network protocols typically rely on broadcast queries to let endstations discover one another, devices on two LANs cannot "see" each other without the help of a network-layer device with ports in both LANs, such as a router.
The fact that broadcasts are distributed to all devices in a LAN means LANs cannot become very large. If they do, devices become overburdened with broadcast traffic.The ability of devices in a LAN to discover each other also means servers housing sensitive data should be placed in a LAN separate from the average user, with router filters controlling access. These factors make it critical for network administrators to control LAN boundaries.
A VLAN is an administratively configured LAN or broadcast domain. Instead of going to the wiring closet to move a cable to a different LAN, network administrators can accomplish this task remotely by configuring a port on an 802.1Q-compliant switch to belong to a different VLAN. The ability to move endstations to different broadcast domains by setting membership profiles for each port on centrally managed switches is one of the main advantages of 802.1Q VLANs.
The switch acts as an intelligent traffic forwarder and a simple network security device. Frames get sent only to the ports where the destination device is attached.Broadcast and multicast frames are constrained by VLAN boundaries so only stations whose ports are members of the same VLAN see those frames. This way, bandwidth is optimized and network security is enhanced.
802.1Q VLANs aren't limited to one switch. VLANs can span many switches,even across WAN links.Sharing VLANs between switches is achieved by inserting a tag with a VLAN identifier (VID) between one and 4,094 into each frame. A VID must be assigned for each VLAN.By assigning the same VID to VLANs on many switches, one or more VLAN (broadcast domain) can be extended across a large network.
The secret to performing this magic is in the tags. 802.1Q-compliant switch ports can be configured to transmit tagged or untagged frames. A tag field containing VLAN (and/or 802.1p priority) information can be inserted into an Ethernet frame.If a port has an 802.1Q-compliant device attached (such as another switch), these tagged frames can carry VLAN membership information between switches, thus letting a VLAN span multiple switches.
There is one important caveat:Network administrators must ensure ports with non-802.1Q-compliant devices attached are configured to transmit untagged frames. Many network interface cards for PCs and printers are not 802.1Q-compliant.If they receive a tagged frame, they will not understand the VLAN tag and will drop the frame. Also,the maximum legal Ethernet frame size for tagged frames was increased in 802.1Q (and its companion, 802.3ac) from 1,518 to 1,522 bytes.This could cause network interface cards and older switches to drop tagged frames as "oversized."
In the case of a network with an ATM WAN, Ethernet switches with ATM uplinks can have a VLAN-to-emulated-LAN (ELAN) mapping feature that matches 802.1Q VIDs to ATM ELAN names. This lets the benefits of VLAN bandwidth optimization and security be extended between campus buildings or even between remote sites.
802.1q Trunking
cat5000 show port capabilities 3
Model WS-X5225R
Port 3/1
Type 10/100BaseTX
Speed auto,10,100
Duplex half,full Trunk encap type 802.1Q,ISL !-- This particular port supports both 802.1Q and ISL.
Trunk mode on,off,desirable,auto,nonegotiate Channel 3/1-2,3/1-4
Broadcast suppression percentage(0-100)
Flow control receive-(off,on),send-(off,on)
Security yes Membership static,dynamic Fast start yes
QOS scheduling rx-(none),tx-(none) CoS rewrite yes
ToS rewrite IP-Precedence
Rewrite no UDLD yes Auxiliary Vlan 1..1000,1025..4094,untagged,dot1p,none SPAN source,destination
IEEE's 802.1Q 标准用于将大的网络分隔成许多更小的网段,从而令广播及组播不必占用过多的带宽。 该标准也有助于为内部网段之间提供更高的安全等级。
802.1Q 规范建立了一个标准的方法, 用于向以太网帧中插入虚拟局域网 (VLAN)的成员数据。
在局域网里面, 数据链路层的广播和组播通信会被传送到所有的末端工作站, 但是不能超越局域网的边界。 在过去,共享式的线缆和集线器是局域网的边界。
由于网络协议都典型地仰赖广播的请求,让工作站能彼此发现。位于两个局域网上的设备,不借助双方网络上的网络层设备的话,是"看" 不到双方的。
局域网中所有设备都会接收到广播,这意味着局域网不能太大;否则,广播会成为设备的过度负载。由于局域网中的设备能相互发现,因此负责提供敏感数据的服务器应该处于与一般用户隔离的局域网中,并通过路由器来控制访问。这些因素令网管员们控制好局域网的边界这一任务显得格外重要。
虚拟局域网是一个可管理配置的局域网或广播域。网管员只要在兼容802.1Q的交换机上配置端口,就能变得隶属于不同的虚拟局域网,而无需到配线箱处移动线缆。802.1Q VLAN的其中一个优点就是,通过在集中管理的交换机的每个端口上设定VLAN成员的数据,就可以将工作站移动到不同的广播域中去。
交换机充当着一个智能数据转发器和简单网络安全装置的角色,数据帧只会被发往它所隶属的目的地设备的端口。广播和组播帧也被 VLAN 边界限制着,只有相同的 VLAN 成员才能看见。 这样一来,带宽可得到优化,而网络安全也得到提高。
802.1Q VLAN并不仅限定于一个交换机中, VLAN可以跨越许多交换机,甚至跨越广域网链路。在每个帧当中插入一个数值介乎1和 4,094的标签作为VLAN标识(VID),就可以在交换机之间共享VLAN。通过在多个交换机上分配相同的VID,一个或多个 VLAN(广播域) 就可以延伸到一个大的网络中。
实现这一功能的秘密就在于那些标签中。兼容802.1Q标准的交换机端口可以被配置为传送标记帧或者非标记帧。标记字段包括了可插入以太网帧中的VLAN( 和/或者802.1p优先权) 数据。 假若一个端口上接有兼容802.1Q标准的设备(例如另一个交换机) , 那么这些标记帧就能在交换机之间传送 VLAN 的成员数据,从而让VLAN 可以跨越多个交换机。
在这里,有一条重要的守则:网管员必须确保,接有不兼容802.1Q标准的设备的端口要配置成传送非标记帧。 许多PC和打印机的网卡都是不兼容802.1Q标准的。要是它们收到这些标记帧,它们将不能识别VLAN 标签并将它丢弃。 同时,作为标记帧的以太网帧,它的最大合法长度也由于802.1Q标准(和它的伙伴协议 802.3ac)从1,518增长为1,522字节。这会引起网卡和旧式交换机将标记帧判定为"oversized" ,而将它丢弃。
在一个ATM广域网中,使用ATM uplink的以太网交换机拥有一个VLAN和仿真LAN (ELAN) 的映射,用于802.1Q VID和ATM ELAN名的匹配。这使得VLAN的带宽得到优化,同时加强了校园网甚至远程站点之间的安全性。
