Learn VLAN division from scratch to double your network performance!

When it comes to network security and performance optimization, VLAN (Virtual Local Area Network) segmentation is a key strategy. It not only provides better network management, but also enhances data isolation and access control.

• Have you ever thought about how 4094 VLANs can be divided?
• Which method is easy to use?

The careful editor has specially compiled it for you to play with.

VLAN division method

• Interface-based VLAN division: VLAN IDs are assigned based on switch interfaces. The configuration is simple and can be used in various scenarios.
• MAC-based VLAN division: VLAN IDs are assigned based on the source MAC address of the message. This is often used in scenarios where the user's location changes and there is no need to reconfigure the VLAN.
• VLAN division based on subnet: VLAN ID is assigned according to the source IP address of the message. It is generally used for unified management of users in the same network segment.
• Protocol-based VLAN division: VLAN IDs are assigned based on the protocol type of the message. This is suitable for scenarios where users with the same application or service need to be managed in a unified manner.
• VLAN division based on matching strategy: VLAN IDs are assigned based on specified strategies (such as matching the source MAC, source IP, and port of the message). This is suitable for scenarios with high security requirements.

Among the various ways to divide VLANs, dividing VLANs based on interfaces is the most commonly used and simplest way. So how to configure and use it?

Before configuring and using, let's review the commonly used link types of ports:

• access: used to connect the switch to the PC;
• Trunk: used to connect switches;
• Hybrid: It can be used to connect switches to PCs or switches to switches. This type is often used when using hub link switches.

Okay, now let's take the actual networking as an example to explain the configuration of VLAN division based on interfaces.

Case Demonstration

Scenario 1: There are two users on one switch. How can we implement isolation by dividing VLANs through interfaces?

Let's first see if two PCs in the same network segment are directly connected to the switch without dividing VLANs. Can they ping each other?

As can be seen from the above figure, it can be pinged. Why is this?

By default, the interfaces of Huawei switches are added to VLAN 1. If two PCs are directly connected to the switch, they can communicate with each other as long as they belong to the same network segment.

So how do you achieve isolation through VLAN? Just add the interfaces to different VLANs. For example, add the GE0/0/1 and GE0/0/2 ports of the switch to VLAN 10 and VLAN 20 as access types, respectively.

 interface GigabitEthernet0/0/1 port link-type access port default vlan 10 # interface GigabitEthernet0/0/2 port link-type access port default vlan 20

At this point, the two PCs are divided into different VLANs based on the interfaces, and the interconnection cannot be pinged through, achieving isolation.

Friends, have you ever thought about why it can be isolated?

By capturing packets on G0/0/1 and G0/0/2 of switch SW1, we found that the ARP broadcast packet of G0/0/1 was not sent to G0/0/2.

According to the working principle of sending and receiving data packets on the access interface, after the data packet arrives at G0/0/2, it is unpacked and it is found that the VLAN ID is inconsistent with the VLAN ID of G0/0/2, so the data packet is lost.

Scenario 2: Four users across switches. How to achieve isolation and intercommunication by dividing VLANs through interfaces?

As shown in the figure below: By default, the four PCs belong to the same network segment and can ping each other. Assume that PC1 and PC3 belong to the same department, and PC2 and PC4 belong to the same department. How can we configure interface-based VLAN to allow the same department to visit each other, but prevent different departments from visiting each other?

Two users PC1 and PC3 in the same department are assigned to the same VLAN 10. GE0/0/1 of switch 1 and GE0/0/1 of switch 2 are added to VLAN 10 as access ports.

 interface GigabitEthernet0/0/1 port link-type access port default vlan 10

Two users of another department, PC2 and PC4, are assigned to another VLAN 20.

 interface GigabitEthernet0/0/2 port link-type access port default vlan 20

The GE0/0/23 ports of the two connected switches are added to VLAN 10 and VLAN 20 as trunk ports to achieve cross-switch communication.

 interface GigabitEthernet0/0/23 port link-type trunk port trunk allow-pass vlan 10 20

In this way, it can be achieved that users PC1 and PC3 of the same department can communicate with each other, but users PC2 and PC4 of different departments cannot communicate with each other.

Configuration tips

Have you noticed that in the above two scenarios, the number of VLANs and ports is relatively small? In real networking, multiple VLANs and multiple ports often need to be configured. Is there any way to quickly complete the configuration? The following editor will introduce the method of batch configuration and quick restoration of port VLAN default configuration.

1. Create VLANs in batches

 < Huawei > system-view [Huawei]vlan batch 2 to 100

2. Add ports in batches to VLAN

 [Huawei] port-group group-member GigabitEthernet 0/0/10 to GigabitEthernet 0/0/20 [Huawei-port-group]port link-type access [Huawei-port-group]port default vlan 100

3. Quickly restore the port VLAN default configuration

If you want to quickly restore the default configuration of the port VLAN, you must know what the default configuration is. Huawei switches, by default, all ports are added to VLAN1 only. So let's take a look at how to quickly restore the default configuration under the three link types.

• Access interface: One-step solution, the command is undo port default vlan
• Trunk and hybrid ports: Three steps to complete, first restore the PVID configuration, then delete all VLANs under the port, and then add the default VLAN1. The specific commands are as follows: