VLAN详解：原理、类型与优势（中英文）

LAN 是指网络上两个或多个设备的组合。VLAN 是一种虚拟 LAN，是本地网络中的一个子组。VLAN 使网络管理员可以轻松地将单个交换网络划分为多个组，以满足其系统的功能和安全要求。

A LAN is a grouping of two or more devices on a network. A VLAN is a virtual LAN, a subgroup within a local network. VLANs make it easy for network administrators to separate a single switched network into multiple groups to match the functional and security requirements of their systems.

在上图中，一台交换机支持两个虚拟网络——两个 VLAN。VLAN-10 上的用户无法访问 VLAN-20 上的设备，反之亦然。

In the above diagram, one switch is supporting two virtual networks–two VLANs. The users on VLAN-10 cannot access the devices on VLAN-20, and vice-versa.

然而，VLAN 是完全虚拟的，无需铺设新电缆或对现有网络基础设施进行重大改造即可实现。

However, VLANs are entirely virtual. They can be implemented without having to run new cables or make major changes in the existing network infrastructure.

VLAN 与 LAN

VLANs vs. LAN

VLAN 类型：基于端口的 VLAN 和带标记的 VLAN

Types of VLANs: Port-Based VLAN and Tagged VLAN

多个 VLAN 之间要相互通信，需要使用路由器。VLAN 之间的路由器可以过滤广播流量、增强网络安全、执行地址汇总并缓解网络拥塞。

For multiple VLANs to communicate with each other, a router is required. Routers between VLANs filter broadcast traffic, enhance Network security, perform address summarization, and mitigate network congestion.

VLAN 分为两种类型：基于端口的 VLAN（无标记 VLAN）和带标记 VLAN。对于带标记的 VLAN，会在数据包中插入一个特殊的“标记”，以便交换机和路由器能够正确转发这些数据包。大多数网络设备支持以太网 VLAN 的标准是 IEEE 802.1Q。此标准为以太网帧添加一个四字节的标记。此额外信息标识该帧属于某个 VLAN，并包含 VLAN ID 号（同一网络上最多可以有 4094 个 VLAN）。多个带标记的 VLAN 可以使用交换机上的同一个端口，称为中继端口。

无标记 VLAN 基于交换机上的物理端口（称为访问端口）。以太网帧中没有添加任何额外信息。相反，交换机上的每个端口都被定义为属于特定的 VLAN。这种方法将单个物理交换机划分为多个逻辑交换机。如果设备仅连接到单个 VLAN 中的端口，则该端口应该是无标记的。

The two types of VLANs are port-based (untagged) and tagged. For tagged VLANs, a special “tag” is inserted into packets so that switches and routers will forward those packets correctly. The standard supported by most networking devices for supporting VLANs on Ethernet networks is IEEE 802.1Q. This standard adds a tag of four bytes to an Ethernet frame. This extra information identifies the frame as belonging to a VLAN, and contains the VLAN ID number (up to 4094 VLANs are possible on the same network). Multiple tagged VLANs can use the same port on a switch, called a trunk port.

Untagged VLANs are based on the physical ports on a switch (called access ports). There is no extra information added to the Ethernet frame. Instead, each port on the switch is defined as belonging to a specific VLAN. This approach divides a single physical switch into multiple logical switches. If a device is connected to a port in a single VLAN only, then the port should be untagged.

基于端口的VLAN

Port-based VLAN

标记 VLAN

Tagged VLAN

第三种类型的 VLAN 端口称为混合端口。此选项允许同时进行设备和中继。无线接入点通常使用混合端口进行配置。

There is a third type of VLAN port called a hybrid port. This option allows for both devices and trunking to occur. Wireless access points are often configured using hybrid ports.

VLAN 的工作原理

How does a VLAN work

使用 VLAN 分段和分离来改进 ITS 网络，VLAN 在实际应用中非常有用。ITS（智能交通系统）应用是 ITS 网络传输数据的一个实际案例。ITS 网络传输数据包括关键交通控制信号、安全监控视频流和数字标牌数据。不同类型的数据具有不同的紧急程度和数据安全要求。当不同类型的数据发生冲突时，关键交通控制信号必须具有最高传输优先级，并且不能丢弃此类数据。为此，建议使用 VLAN 进行数据分离和 QoS（服务质量）分类。交通控制信号数据在其自己的 VLAN 上将被分配高优先级，以便在网络流量较大时优先传输。

Using VLAN Segmentation and Separation to Improve an ITS Network, one real-world example where VLANs are very useful is in ITS (Intelligent Transportation System) applications. ITS network transmission data includes critical traffic control signals, security surveillance video streams, and digital sign board data. Different data types have different urgencies and data security requirements. When there is a conflict between different types of data, critical traffic control signals must have the highest transmission priority, and this data must not be dropped. For this purpose, it is recommended to use VLANs for data separation and QoS (Quality of Service) classification. The traffic control signal data, on its own VLAN, will be assigned a high priority level so that the transmissions will be given priority when network traffic is heavy.

管理 VLAN

The Management VLAN

管理 VLAN 是所有交换机共享的单一网络，无论网络上有多少个其他 VLAN。出于安全考虑，可以将特定端口分配给管理 VLAN，以便只有管理员才能登录该端口。可以列出具有访问权限的特定 MAC 地址（设备）。这可以防止入侵者仅通过连接新设备即可访问网络。请注意，如果管理 VLAN 配置错误，管理员或技术人员可能会失去对该交换机的访问权限，并且必须将交换机重置为出厂默认设置才能再次访问。

The management VLAN is a single network shared by all switches, no matter how many other VLANs exist on the network. For security, a specific port can be assigned to the management VLAN so that only the administrator is able to log in to that port. Specific MAC addresses (devices) can be listed to have access. This prevents an intruder for gaining access to the network just by connecting a new device. Note that if a management VLAN is misconfigured, the administrator or technician can lose access to that switch and the switch will have to be reset to factory default settings in order to access it again.

VLAN 分段的优势

Benefits of VLAN segmentation

• 优化网络性能：

VLAN 通过缩小广播域的规模来提升网络性能。在广播域中，每个设备都可以向其他所有设备发送数据包，并且每个数据包都必须接收和处理。当广播域变得非常大时，这就会成为一个问题，因为大量的广播数据会导致交换机性能下降。使用 VLAN，这些问题得到了缓解，因为它将网络划分为更小、更易于管理的单元。这种优化可以显著提高整体网络效率。

• 增强安全性：

VLAN 提供了额外的安全保障。例如，可以为具有特定安全许可的用户创建特定的 VLAN。这意味着敏感数据和系统可以与常规网络隔离，从而降低未经授权访问的风险。通过创建这些安全特定的 VLAN，组织可以更好地保护其关键资产。

• 简化设备管理：

VLAN 使设备管理更加轻松。如果用户移动到新的物理位置，则无需重新配置该用户的物理工作站。此外，如果用户停留在同一地点但更换工作，则只需更改工作站的 VLAN 成员资格。

• Optimizing Network Performance:
VLANs improve network performance by reducing the size of broadcast domains. In a broadcast domain, every device can send packets to every other device, and every packet must be received and processed. This becomes problematic when a broadcast domain becomes very large, leading to degraded switch performance due to the high volumes of broadcast data. With VLANs, these issues are mitigated, as they segment the network into smaller, more manageable units. This optimization leads to a significant boost in overall network efficiency.

• Enhancing Security:
VLANs offer an additional layer of security. For instance, a specific VLAN can be created for users with specific security clearances. This means that sensitive data and systems can be isolated from the general network, reducing the risk of unauthorized access. By creating these security-specific VLANs, organizations can better safeguard their critical assets.

• Simplified Device Management:
VLANs make device management easier. If a user moves to a new physical location, the physical workstation of that user does not need to be reconfigured. Also, if a user stays in the same location but changes jobs, only the VLAN membership of the workstation needs to be changed.

总而言之，VLAN 通过抑制广播流量和增强安全性来增强交换网络的性能。它们通过中继端口扩展到单个交换机之外，并适应各种端口配置。对于企业和组织而言，VLAN 可以简化网络效率、安全性和设备管理，使其成为现代网络策略中不可或缺的一部分。通过将网络划分为单独的 VLAN，可以实现更强大的控制和优化。

In summary, VLANs enhance switched network performance by curbing broadcast traffic and bolstering security. They extend beyond a single switch through trunk ports and accommodate various port configurations. For businesses and organizations, VLANs streamline network efficiency, security, and device management, making them essential in modern networking strategies. By segmenting your network into separate VLANs, you can achieve even greater control and optimization.