Using a router's bridging function for VLAN division

An organization built its network in two phases. In the first phase it used a 3Com SuperStack II Switch 1100 as the core switch and a Cisco 2509 as the WAN router. In the second phase, on a limited budget, it installed two Cisco Catalyst 1924 switches and a Cisco 3640 router for the branch offices and the WAN interconnection. The organization wanted to use this equipment to divide the network into virtual LANs (VLANs) by department, in order to manage network security better.

1. Incompatible proprietary protocols

Planning the VLAN implementation, however, ran into a problem. A VLAN logically divides one physical network into independent segments, and each VLAN can be regarded as a separate Layer 2 broadcast domain. A switch does not forward data frames between two VLANs, so for VLANs to communicate the switch must be connected to a Layer 3 device (a router or a Layer 3 switch) that routes between them. In the simplest arrangement a physical port belongs to exactly one VLAN, so the number of VLANs is bounded by the number of Ethernet ports on the router and by the number of switch ports available for uplink cables: every VLAN consumes one router port and one switch port. This wastes a large number of ports and severely limits how flexibly VLANs can be divided and extended. The remedy is tagging: to carry the traffic of several VLANs over a single physical port, every frame sent on that port is given a tag that identifies the VLAN it belongs to, and the receiving system uses the VLAN ID in the tag to decide how to forward the frame. This requires the network equipment to support the tagging encapsulation.

This is exactly where the technical problem lay. The Catalyst 1924 and the SuperStack 1100 support different tagging encapsulations: the Catalyst 1924 uses Cisco's proprietary ISL (Inter-Switch Link) encapsulation, while the SuperStack 1100 supports only IEEE 802.1Q. The two protocols are incompatible, so the two switches cannot carry the traffic of several VLANs over a single uplink between them; each VLAN would need its own cable, which again wastes ports and limits how the VLANs can be divided.

Fortunately the organization also had the Cisco 3640. The router has two Fast Ethernet interfaces, and its IOS release supports both tagging encapsulations, so the router's transparent bridging function can be used to join the two switches. Before presenting the solution, a brief description of transparent bridging on Cisco routers follows.

2. Transparent bridging on Cisco routers

Cisco IOS software supports transparent bridging over Ethernet, FDDI and serial links.

Cisco routers provide Integrated Routing and Bridging (IRB). With IRB configured, a protocol that cannot be routed is bridged among the interfaces assigned to the same bridge group, while a routable protocol (IP, for example) can be bridged within the group and at the same time routed between that bridge group and the router's other routed interfaces, or between different bridge groups.

This introduces the concept of a bridge group (Bridge-Group). For frames to be bridged between interfaces, those interfaces must be assigned to the same bridge group. Conceptually, all interfaces configured in one bridge group belong to the same Layer 2 broadcast domain, regardless of whether they are WAN or Ethernet interfaces, and regardless of whether they are physical interfaces or logical ones (such as X.25 subinterfaces or Ethernet VLAN subinterfaces). Each bridge group has a corresponding virtual interface, the Bridge-Group Virtual Interface (BVI), which carries the bridge group's number; routing takes place between BVIs, or between a BVI and other routed interfaces. The figure illustrates the main concepts of IRB and the BVI and the configuration tasks involved.

In the figure, interfaces E0, E1 and E2 are bridged interfaces assigned to bridge-group 1, for which the router provides the logical virtual interface BVI 1; E3 is a routed interface. In operation, a router configured this way is equivalent to the following arrangement: a four-port switch whose ports are E0, E1, E2 and a fourth port attached to BVI 1, joined to a two-interface router consisting of BVI 1 and E3. E0, E1 and E2 are therefore in the same broadcast domain.

3. The solution

With these IRB concepts in hand, the problem above can be solved. First, divide the VLANs on the Catalyst 1924 and the SuperStack 1100 and enable ISL tagging and IEEE 802.1Q tagging respectively on their uplink ports; then connect each switch to one of the two Fast Ethernet interfaces of the Cisco 3640. Here port Bx of the Catalyst 1924 and port 26 of the SuperStack 1100 serve as the uplink (trunk) ports. Once the physical cabling is done, the main work is configuring the Cisco 3640. As an example, consider the case of two VLANs, VLAN 1 and VLAN 2, assumed to correspond to the sales department and the finance department respectively; the network structure is shown in the figure.

To make one router Fast Ethernet interface carry the traffic of several VLANs at once, the tagging encapsulation is configured on subinterfaces, one subinterface per VLAN. For example, on the Cisco 3640 interface connected to the Catalyst 1924, the subinterface for VLAN 1 is configured with the following commands:

interface fastethernet 0/0.1
 encapsulation isl 1

Similarly, the interface connected to the SuperStack 1100 is configured with subinterfaces, except that the encapsulation is IEEE 802.1Q:

interface fastethernet 0/1.1
 encapsulation dot1q 1

With the VLAN subinterfaces in place, assigning the subinterfaces that carry the same VLAN to the same bridge group makes the VLANs on the Catalyst 1924 and the SuperStack 1100 interoperate. Here, if fastethernet 0/0.1 and fastethernet 0/1.1 are both assigned to bridge-group 1 (the command bridge-group 1 on each subinterface), VLAN 1 on the Catalyst 1924 and VLAN 1 on the SuperStack 1100 logically merge into a single VLAN. The router then bridges frames between the two trunks, stripping the ISL header on one side and applying the 802.1Q tag on the other.

Finally, configure an IP address on each bridge group's BVI interface and add access control lists (ACLs) to obtain controlled routing between VLAN 1 and VLAN 2. Routing through the BVI requires IRB to be enabled globally (bridge irb) and IP routing to be enabled for the bridge group (bridge 1 route ip); without the latter, IP is only bridged within the group. Note that ACLs applied to the BVI filter only traffic that is routed between VLANs; traffic bridged within one VLAN, including between the two switches, is not inspected by them.

On the servers and workstations, the default gateway of the computers in VLAN 1 (the sales department) should be set to the address of the router's BVI 1 interface, 192.168.1.254. Similarly, the default gateway of the computers in VLAN 2 (the finance department) should be set to the address of the BVI 2 interface, 192.168.2.254.
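The steps of section 3, together with the IRB concepts of section 2, amount to the following complete Cisco 3640 configuration for the two-VLAN case. This is an added example, not configuration from the original article. The interface names, VLAN numbers, subnets and BVI addresses follow the text; the access-list numbers, the sales file server address 192.168.1.10 and the inter-VLAN policy (finance may open TCP connections only to that server in sales, sales may not initiate traffic into finance, both may reach other destinations) are assumptions made for illustration.

```ios
! Cisco 3640, IOS release with IRB, ISL and 802.1Q support (assumed).
! Enable Integrated Routing and Bridging globally.
bridge irb
!
! One bridge group per VLAN, running IEEE spanning tree, with IP routed via the BVI.
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
interface FastEthernet0/0
 description ISL trunk to Catalyst 1924 port Bx
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation isl 1
 bridge-group 1
!
interface FastEthernet0/0.2
 encapsulation isl 2
 bridge-group 2
!
interface FastEthernet0/1
 description 802.1Q trunk to SuperStack II 1100 port 26
 no ip address
 no shutdown
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1
 bridge-group 1
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 bridge-group 2
!
! BVI 1 is the gateway for VLAN 1 (sales), BVI 2 for VLAN 2 (finance).
! "in" on a BVI filters traffic leaving the VLAN toward the routing function.
interface BVI1
 description VLAN 1 sales gateway
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
!
interface BVI2
 description VLAN 2 finance gateway
 ip address 192.168.2.254 255.255.255.0
 ip access-group 102 in
!
! ACL 101: sales -> finance. Assumed policy: sales may not initiate into finance,
! but the assumed sales file server 192.168.1.10 must be able to answer finance's
! TCP sessions (ACLs are stateless, so the return path needs an explicit permit).
access-list 101 permit tcp host 192.168.1.10 192.168.2.0 0.0.0.255 established
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! ACL 102: finance -> sales. Assumed policy: only TCP to the sales file server.
access-list 102 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
```

After applying it, show bridge 1 and show bridge 2 should list MAC addresses learned on both the ISL and the 802.1Q subinterface of each group, show interfaces irb shows which protocols are bridged and routed per interface, and show access-lists shows the deny counters (with log entries) climbing if a host tries to cross the policy. Two checks worth making on hardware of this vintage: first, many 802.1Q switches send VLAN 1 untagged as the native VLAN, whereas encapsulation dot1Q 1 expects tagged frames (later IOS releases accept a native keyword on that command; on older ones, either confirm that the SuperStack tags VLAN 1 on port 26 or keep user traffic off VLAN 1). ISL, by contrast, encapsulates every VLAN, so the Catalyst side needs no such adjustment. Second, because each bridge group spans two trunks, the router now forwards all broadcasts of a VLAN between the two switches; that is the intended result, but it also means the ACLs above say nothing about what hosts within one VLAN can do to each other.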