A fancy way to solve inter-VLAN routing

In a local area network, we use VLAN to group different users, departments, and areas with different purposes. One VLAN distinguishes a group of users for easy management and use.

What is VLAN?

VLAN technology can logically divide a physical LAN into multiple broadcast domains, each of which is called a virtual LAN (VLAN). Each host can only belong to one VLAN, and hosts belonging to the same VLAN communicate directly through Layer 2. VLAN division is not to completely isolate communication, but to reduce the scope of broadcast domain propagation, filter redundant packets, and improve network transmission efficiency.

How to achieve host communication between different VLANs?

VLAN isolation of Layer 2 networks must be implemented through Layer 3 network devices. These devices perform routing and forwarding operations for traffic between different VLANs based on IP addresses, which is called inter-VLAN routing.

What are the methods for implementing inter-VLAN routing?

Three inter-VLAN routing methods are introduced in the order of time and technology development.

The first type: traditional inter-VLAN routing

The role of a router is to forward data packets between different networks, and VLAN is to divide different LANs on one or a group of switches and isolate them into different network segments. Therefore, it is natural that communications between different VLANs require routers to forward.

Different VLANs are connected to different router interfaces, and one router interface is connected to the switch port of one VLAN.

Assume that both the PC and the router have ARP cache tables of all devices in the same network segment, and the MAC address table of the switch also has the MAC address information of each device. Then when PC1 sends data to PC5, the whole process is as follows:

• PC1 queries the routing table and finds that PC5's IP address is in another network segment and needs to forward data through the default gateway.
• PC1 uses PC5's IP address as the destination IP address and the default gateway's MAC address as the destination MAC address, encapsulates the data frame and sends it to the switch.
• After receiving the data frame, the switch queries the MAC address table, finds the port corresponding to the destination MAC address, and then forwards the data frame from this port, that is, forwards it to the router.
• After receiving the data frame, the router checks the destination MAC address of the data frame and finds that it is itself, so it decapsulates the frame and checks the destination IP address. It queries the routing table based on the network number of the destination IP address and finds the direct route to the destination network segment and the corresponding outbound interface.
• The router encapsulates the message with PC5's IP address as the destination IP address and PC5's MAC address as the destination MAC address, and forwards it from the outbound interface, that is, to the switch.

The switch checks the destination MAC address of the data frame and forwards the data frame to PC5 based on the destination MAC address.

How do hosts in the same VLAN communicate with each other?

When PC1 sends data to PC2, since the destination IP address is in the same network segment as PC1, PC1 will use PC2's MAC address as the destination MAC address to encapsulate the data frame; the switch will also directly forward the data frame to PC2 through PC2's port.

If PC1 and PC3 in different VLANs communicate, will the switch forward the message sent by PC1 directly to PC3 based on the MAC address?

The MAC address table not only records the correspondence between the switch port and the MAC address, but also includes the VLAN of the port. The switch will not forward data frames from ports of different VLANs by querying the MAC address table.

Traditional inter-VLAN routing experiment

Experimental topology diagram

Interface List

Experimental requirements

• ENSP Simulator
• PC1 can ping PC5

Experimental procedures

• According to the interface IP address table, each device is configured with an IP address.
• According to the VLAN classification table, SW configures the VLAN of each port.
• Test: PC1 pings PC5 successfully, and inter-VLAN routing is achieved through the router's interface.

Experimental Summary

Before configuring the network, sort out the interface list, interface IP address table and VLAN division table to facilitate device configuration.

The second type: single-arm routing

Routers are used to connect heterogeneous networks, and their characteristics are that they have different types of physical interfaces and a small number of interfaces; switches are used to build local area networks, and their characteristics are that they have a small number of physical interface types and a large number of interfaces. In actual network environments, a large number of VLANs will be created on a switch, and each VLAN uses a router interface as the default gateway, so the router interface is not enough.

In order to save the router interface, use one interface to connect to the switch. No matter which VLAN the traffic is from, it will enter and exit the router through this one interface, thus realizing traffic forwarding between all VLANs. This method is called one-arm routing.

The physical topology diagram above may not be very clear. You can better understand the principle by looking at the logical topology diagram of one-arm routing below.

• Physical topology diagram: A topology diagram that shows how network devices are physically connected.
• Logical topology diagram: A logical channel diagram that network devices use to forward data packets based on network addresses.

Can a router interface act like multiple interfaces and carry traffic from multiple different VLANs at the same time?

The router provides a logical interface called a sub-interface. As the name implies, a sub-interface logically divides a router physical interface into multiple logical sub-interfaces to meet the need to connect multiple networks with one physical interface.

One-arm routing experiment

Experimental topology diagram

Interface List

The traditional multiple router interfaces for inter-VLAN routing are transformed into one router interface for one-arm routing, which is used to connect to the switch. The configuration of other interfaces remains unchanged.

Experimental requirements

• PC1 can ping PC5.

Experimental procedures

• According to the interface IP address table, configure the sub-interface IP address of the router. For the configuration of other devices, refer to step 1 of the previous experiment.
• The command interface interface-type interface-number.sub-interface number creates a sub-interface. The sub-interface number ranges from 1 to 4096 and is consistent with the VLAN ID.
• The dot1q termination vid command configures 802.1Q encapsulation and specifies the PVID of the port to ensure that the encapsulation mode of the router sub-interface is consistent with that of the switch port on the opposite end.
• The command arp broadcast enable enables the ARP broadcast function of the sub-interface. By default, the ARP broadcast function is disabled, and received ARP broadcast frames will be directly discarded.
• According to the VLAN classification table, configure the VLAN of the SW connected to the router port. For the configuration of other devices, refer to step 2 of the previous experiment.
• Test, PC1 pings PC5 successfully, and inter-VLAN routing is achieved through the router's sub-interface.

The third type: three-layer switching technology

From the perspective of traffic flow, single-arm routing is a long-term solution. The port traffic of two different VLANs on the switch cannot be directly forwarded through the switch, but needs to go around the router. This is because the layer 2 switch does not have the layer 3 forwarding capability and cannot view its own routing table based on the destination IP address of the data packet; the layer 2 switch cannot become the gateway of the connected host, and a router is required to act as the gateway.

Then, a device that adds special routing and forwarding hardware to the traditional Ethernet switch appeared. This type of device not only has the functions of a traditional layer 2 switch, but can also route data packets through ASIC (application-specific integrated circuit). This switch that integrates the layer 3 packet forwarding function is called a layer 3 switch.

A layer 3 switch can isolate terminals in different VLANs and provide inter-VLAN routing for these terminals, eliminating the need for routers to forward traffic between different VLANs.

To implement inter-VLAN routing, each VLAN needs to be assigned an independent Layer 3 interface as a gateway. The Layer 3 switch does not use a Layer 3 physical interface to connect each VLAN, but instead creates a virtual VLAN interface and assigns a virtual Layer 3 interface to each VLAN.

Virtual VLAN interfaces are created by Layer 3 switches, so Layer 3 switches will act as direct interfaces and fill their networks into the routing table as direct routes. At the same time, the virtual VLAN interface and the physical Layer 2 port in the corresponding VLAN are in the same subnet, acting as the gateway of this VLAN.

The forwarding efficiency and scalability of a three-layer switch are far better than that of a single-arm router to implement inter-VLAN routing, and its management and configuration are also simpler. Currently, this solution has become the first choice for implementing inter-VLAN routing.

Three-layer switch experiment

Experimental topology diagram

Interface List

Experimental procedures

• Configure the VLANIF interface of the switch according to the interface IP address table. For the IP address configuration of PC1 ~ PC5 and the VLAN configuration of the peer switch interface, refer to steps 1 and 2 of the previous experiment.
• The interface Vlanif vlan-id command is used to create a VLANIF interface. The number of the VLANIF interface must be consistent with the VLAN ID. The hosts in the VLAN use the IP address of the VLANIF interface as their default gateway.
• Use the display ip interface brief command to view the IP address information and check whether the configuration is correct.
• Use the display vlan command to view VLAN information and check whether the VLAN configuration of the switch port is correct.
• Run the display ip routing-table command to view the routing table information. The directly connected network segments of the two VLANIF interfaces are added to the IP routing table, and inter-VLAN routing is implemented through this.
• Test: PC1 pings PC5 successfully, and inter-VLAN routing is achieved through the VLANIF interface of the Layer 3 switch.

Can a Layer 3 switch replace a router?

The routing function of a Layer 3 switch is usually relatively simple, mainly connecting to a LAN, and contains a large number of Ethernet interfaces. Its main purpose is to provide fast data exchange functions to meet the application characteristics of frequent data exchange in the LAN.

Routers are different. They are designed to meet different types of network connections, such as the connection between a LAN and a WAN, and the connection between networks with different protocols. Its main function is routing and forwarding, solving network connections with various complex paths. It is not only applicable to LANs with the same protocol, but also to LANs and WANs with different protocols. It has the functions of selecting the best route, load sharing, link backup, and exchanging routing information with other networks.

Therefore, there is an essential difference between a layer 3 switch and a router, and a layer 3 switch cannot completely replace the work of a router.