5_vlans

  • 1 Giuseppe Bianchi

    Lecture 5.0

    Virtual LANs

    Standard 802.1Q, 802.1v, 802.1s

    Broadcast issues

    Switches:

    - did partition collision domains

    - but DID NOT partition the broadcast domain

  • 2

    The obvious solution: IP subnets

    Partition the network into several subnets

    Critical approach (especially in the past): routers were slow, and switches needed to be replaced with routers

    No more a problem of efficiency today: layer 3 switches = hardware-based routers, very fast!

    However...

    Cons of physical IP subnets

    [Figure: a building with floor 2 hosting LAB 1 (telecom), LAB 2 (nanotech) and OFFICES, and floor 1 hosting LAB 2 (telecom)]

    One switch per lab!

    Even if all switches are in the same floor box, manual connection is necessary

    Different LAB rooms = different subnets!

    Broadcast domain cannot extend through routers: more complex management needed

  • 3

    Physical Network Design vs Logical Network Design

    Standard design for the physical network

    Well before network partitioning needs emerge from the customers of the building!

    [Figure: structured cabling of a building; labels translated from Italian: perforated metal cable tray, RJ45 sockets, horizontal copper cabling, floor cabinet, rooms, PVC conduit, vertical fiber-optic cabling, metal tray with backup vertical copper cabling, PVC cable tray]

    Solution: Virtual LAN (VLAN)

    VLAN = area which limits the broadcast domain

    Benefits:

    - Broadcast confinement solves the scalability issues of large flat networks

    - Isolation of failures and network impairments

    - Security (more later)

    Multiple VLANs may coexist over a same switched LAN

  • 4

    VLAN Membership

    Per Port: THE typical VLAN approach, the IEEE 802.1Q approach

    Per User: via MAC address, or via VLAN tag. Result: anarchic VLANs, but too easy to break into

    Per Protocol: new feature in IEEE 802.1v

    Combination (cross-layer): supported as proprietary extensions, e.g. via IP subnet address

    A classification hierarchy may be defined, e.g.: per IP subnet; if not IP, per protocol; if not in the set of classified protocols, per MAC; if not in the MAC list, per port

    Per-Port + Per-Protocol Control (example)

    Default = tag with PVID (Port VLAN ID)

  • 5

    Physical vs logical view (i.e. why VLANs instead of IP networks)

    Layer 3 subnets ought to be physically separated

    BUT many VLANs may overlap on the same, unique physical network structure!

    Robust, failure-proof, single managed

    VLANs and IP subnets /1

    1 VLAN = 1 IP subnet

    Routers are needed to move frames between different VLANs, even if the STAs are in the same physical network

    Inter-VLAN connectivity through a router improves security: packet filtering mechanisms such as ACLs may be applied

  • 6

    VLANs and IP subnets /2

    Routers for VLAN interconnection may have as little as just one physical interface

    Also called, in jargon, one-armed routers

    Multiple IP addresses on the single interface

    [Figure: one-armed router with addresses 160.80.80.100 and 160.80.81.100 on subnets 160.80.80.0/24 and 160.80.81.0/24]

    VLAN tagging

  • 7

    Port types

    ACCESS port: transmits and receives untagged frames, i.e. with no VLAN membership indication

    TRUNK port: transmits and receives tagged frames, i.e. with explicit VLAN membership indication

    HYBRID port: may handle both tagged and untagged frames

    Access links

    A link connected to an access port

    Typically the PC-to-switch link, or the small-hub-to-switch link

    Connected STAs belong to only 1 VLAN

    Connected STAs DO NOT NEED TO KNOW they are on a VLAN: they just assume to be on a dedicated IP subnet

    TX/RX frames: standard Ethernet (no QTAG prefix)

    [Figure: stations S1, S2, S3 and a HUB connected to the access port of a switch]

  • 8

    Access links (legacy regions)

    May be switched LANs themselves, made up of VLAN-unaware switches

    [Figure: stations S1, S2, S3 behind VLAN-unaware switches, connected to the access port of a VLAN-aware switch]

    Trunk links

    A link connected to a trunk port

    Typically switch-to-switch or switch-to-router links; frequently server-to-switch links

    If a PC-to-switch link: anarchic VLANs considered

    Support tagged Ethernet frames: explicit tagging mechanism to differentiate them

    Does not belong to a VLAN but transports VLAN frames, either from all VLANs or just from selected VLANs

    However, it may belong to a VLAN: case of the hybrid link, where untagged frames are assumed to belong to a VLAN

  • 9

    Hybrid links

    Support both tagged and untagged Ethernet frames

    Untagged frames belong to the same VLAN (in the example, VLAN C)

    Modern understanding and implementations: all links are of hybrid type

    Ethernet Frame format for VLAN (802.3ac, 1998)

    QTag type = 0x8100

    QTag prefix = 4 bytes

    Maximum frame: 1522 (!!) > 1528 = baby giant: processed correctly, but might be recorded as an error

  • 10

    User Priority (802.1p)

    Class                             Abbrev.  Priority
    Network Control                   NC       7
    Voice (< 10 ms latency/jitter)    VO       6
    Video (< 100 ms latency/jitter)   VI       5
    Controlled Load                   CL       4
    Excellent Effort                  EE       3
    Unspecified                       --       2
    Background                        BK       1
    Best Effort (default)             BE       0

    Managed via separate output queues

    - typically with priority queueing

    - but more complex scheduling mechanisms can be used

    Proprietary solutions (e.g. CISCO ISL)

    Cisco Inter Switch Link Protocol (ISL)

    External tagging (encapsulation): [Figure: ISL header (26 bytes) | original frame | FCS (4 bytes)]

    10-bit VLAN tag; the other space is for proprietary usage
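The 4-byte QTag prefix and the 802.1p priority field described on the two slides above, decoded and inserted in Python. This is an added example, not code from the lecture; the frame bytes and MAC addresses are constructed, the FCS is omitted, and the 1518-byte legacy maximum used for the baby-giant check is the classic 802.3 limit.

```python
import struct

QTAG_TPID = 0x8100         # EtherType value that announces the 4-byte 802.1Q tag prefix
MAX_LEGACY_FRAME = 1518    # classic 802.3 maximum; a tagged frame may reach 1522 = 1518 + 4
# 802.1p user priority classes, PCP value -> mnemonic, as in the slide's table
PCP_CLASSES = {7: "NC", 6: "VO", 5: "VI", 4: "CL", 3: "EE", 2: "--", 1: "BK", 0: "BE"}

def parse_frame(frame: bytes) -> dict:
    """Decode dst/src, an optional 802.1Q tag (PCP, DEI, VID), the EtherType and the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False, "vid": None}
    if ethertype == QTAG_TPID:
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # Tag Control Info, then real EtherType
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF,
                    priority_class=PCP_CLASSES[tci >> 13])
        payload = frame[18:]
    else:
        payload = frame[14:]
    # A tagged frame longer than the legacy maximum is a "baby giant" for VLAN-unaware equipment
    info.update(ethertype=ethertype, payload=payload,
                baby_giant=info["tagged"] and len(frame) > MAX_LEGACY_FRAME)
    return info

def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Egress on a trunk port: insert the QTag prefix right after the two MAC addresses."""
    if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("VID is 12 bits, PCP 3 bits, DEI 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", QTAG_TPID, tci) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Egress on an access port: remove the 4-byte tag; an untagged frame passes unchanged."""
    if struct.unpack("!H", frame[12:14])[0] != QTAG_TPID:
        return frame
    return frame[:12] + frame[16:]

# Constructed sample: a 60-byte untagged IPv4 frame between two made-up MAC addresses (no FCS)
UNTAGGED = bytes.fromhex("00000811aa01" "00b08d131af1" "0800") + b"\x45" * 46
TAGGED = add_tag(UNTAGGED, vid=100, pcp=6)   # VLAN 100, voice priority (VO)

if __name__ == "__main__":
    print(parse_frame(TAGGED))
```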

  • 11

    May a station belong to more than 1 VLAN?

    [Figure: a station attached through access links to two VLANs, or through a trunk link]

    Yes! (typical case: servers)

    Switch operation with VLANs

  • 12

    VLAN and forwarding

    [Figure: switch ports carrying the VLAN sets Red,Green / Green / Blue,Green]

    No spanning tree considerations at the moment

    Trunk ports may forward only selected VLAN tags:

    - Manual (static) configuration

    - Automatic (dynamic) configuration via specially devised protocols (GVRP: GARP VLAN Registration Protocol); GARP = Generic Attribute Registration Protocol, see clause 10, 802.1D 1998 version

    VLAN switch: relay functions

    Ingress function:

    - Classification of each received frame as belonging to one and only one VLAN: based on the tag, or based on the port (e.g.) for untagged frames

    - Discard the frame based on the normal bridging rules PLUS the VLAN classification, e.g. an unallowed VLAN tag from a port

    - Ingress function = access control using switches rather than routers!

    Forward function: only on the specific enabled ports for the given VLAN

    Egress function: add a tag (or leave the previous tag) if trunk link; remove the tag if access link

  • 13

    Learning

    The learning process is affected by VLANs: the MAC address is no more the only information to consider! The VLAN Identifier is also necessary

    Shared VLAN Learning (SVL): 1 single filtering DB; if an individual MAC address is learned in one VLAN, the learned information is used in forwarding decisions relative to all other VLANs

    Independent VLAN Learning (IVL): 1 filtering DB per each VLAN ID; if an individual MAC address is learned in one VLAN, the learned information is NOT used in forwarding decisions relative to all other VLANs

    General case (SVL/IVL): many filtering DBs (each with a Filtering ID, FID); each FID may include more than 1 VLAN

    Filtering DB - SVL

    Dest MAC Address   Ports  Age  VLAN
    -----------------  -----  ---  ----
    00-00-08-11-aa-01  1/1    1    12
    00-b0-8d-13-1a-f1  1/7    4    43
    a8-11-06-00-0b-b4  2/3    0    12
    08-01-00-00-a7-64  2/4    1    1
    00-ff-08-10-44-01  2/6    5    12

  • 14

    Filtering DB - IVL

    FID=12
    Dest MAC Address   Ports  Age
    -----------------  -----  ---
    00-00-08-11-aa-01  1/1    1
    a8-11-06-00-0b-b4  2/3    0
    00-ff-08-10-44-01  2/6    5

    FID=43
    Dest MAC Address   Ports  Age
    -----------------  -----  ---
    00-b0-8d-13-1a-f1  1/7    4

    FID=1
    Dest MAC Address   Ports  Age
    -----------------  -----  ---
    08-01-00-00-a7-64  2/4    1

    Distinct Filtering DBs (each assigned a Filtering ID)

    SVL vs IVL

    In most cases, it does not matter whether IVL or SVL is used

    However, in some particular cases, IVL or SVL are necessary

    Notation used in what follows:

    - Member set: set of ports through which members of the VLAN can be reached

    - Untagged set: set of ports through which, if frames are to be transmitted, they shall be transmitted without tag. The untagged set for a port may include multiple VLANs (see the SVL example next)

    - PVID (Port VLAN ID): VLAN associated to the port

    See 802.1Q-2003, Annex B for a detailed explanation of the following examples

  • 15

    Why IVL? /1

    [Figure: example network, not reproduced]

    SVL would not work!! (A learned from both port 1 and port 4)

    (no STP in the example)

    Note: it is a bridge device! Were it a router, no problems!

    Why IVL? /2

    [Figure: example network, not reproduced]

    SVL would not work!! (A learned from both port 1 and port 3)

    (STP enabled, VLAN-aware connector)
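The relay functions (ingress classification, forwarding on the member set, egress tagging), the FID-keyed learning and the two "Why IVL" scenarios above, simulated in Python. This is an added example, not code from the lecture: the four-port configuration and the stations A and B are constructed, and a station whose MAC is learned on two ports in two VLANs stands in for the slides' missing figures.

```python
from collections import namedtuple

# vid 0 = untagged (or priority-tagged) frame: it is classified by the ingress port's PVID
Frame = namedtuple("Frame", "dst src vid", defaults=(0,))

# Constructed 4-port switch in the slide's notation (PVID, member set, untagged set per port):
# ports 1 and 3 are access ports in VLAN 10, port 2 in VLAN 20, port 4 is a trunk for 10 and 20.
PORTS = {
    1: {"pvid": 10, "member": {10}, "untagged": {10}},
    2: {"pvid": 20, "member": {20}, "untagged": {20}},
    3: {"pvid": 10, "member": {10}, "untagged": {10}},
    4: {"pvid": 10, "member": {10, 20}, "untagged": set()},
}

class VlanSwitch:
    def __init__(self, ports, ivl=True):
        self.ports, self.ivl = ports, ivl
        self.fdb = {}   # (FID, MAC) -> port: one FID per VLAN under IVL, a single FID under SVL

    def _fid(self, vid):
        return vid if self.ivl else 0

    def ingress(self, port, frame):
        """Classify the frame into exactly one VLAN; None means it was discarded at ingress."""
        cfg = self.ports[port]
        vid = frame.vid or cfg["pvid"]
        if vid not in cfg["member"]:    # unallowed tag on this port: access control by the switch
            return None
        self.fdb[(self._fid(vid), frame.src)] = port   # learning keyed by FID + MAC, not MAC alone
        return vid

    def relay(self, port, frame):
        """Ingress, forward and egress: returns the list of (out_port, tagged) the frame goes to."""
        vid = self.ingress(port, frame)
        if vid is None:
            return []
        known = self.fdb.get((self._fid(vid), frame.dst))
        if known is not None:   # learned destination: forward there only if that port is a member
            targets = [known] if known != port and vid in self.ports[known]["member"] else []
        else:                   # unknown destination: flood to the VLAN's other member ports
            targets = [p for p, c in self.ports.items() if p != port and vid in c["member"]]
        return [(p, vid not in self.ports[p]["untagged"]) for p in targets]

def learned_twice(ivl):
    """Station A is seen in VLAN 10 on port 1 and, with the same MAC, in VLAN 20 on the trunk."""
    sw = VlanSwitch(PORTS, ivl)
    sw.relay(1, Frame("ff:ff:ff:ff:ff:ff", "A"))          # A in VLAN 10 (PVID of port 1)
    sw.relay(4, Frame("ff:ff:ff:ff:ff:ff", "A", vid=20))  # same MAC A, tagged VLAN 20, from the trunk
    return sw.relay(3, Frame("A", "B"))                   # B, in VLAN 10, sends to A
```

With IVL the frame from B reaches A on port 1 untagged; with SVL the single filtering DB remembers only the last port where A was seen and sends it out of the trunk instead.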

  • 16

    Why SVL?

    [Figure: example network, not reproduced]

    VLAN-unaware server to be shared among VLANs: it must use an untagged access link

    Asymmetric VLANs!

    Spanning Tree and VLANs

    (just motivations; MSTP details in 802.1Q, clauses 13 and 14)

  • 17

    VLANs and Spanning Tree

    Original 802.1Q specification: Common Spanning Tree (CST)

    One for all VLANs: easy to maintain

    No load balancing possible

    Bridge priorities (or VLAN trunking) must be carefully selected to guarantee connectivity for ALL VLANs

    Multiple Spanning Tree

    Based on an early proprietary idea: Per VLAN Spanning Tree

    Problem: several VLANs = BPDU load!

    Idea: aggregate VLANs

  • 18

    MSTP (802.1s, 2002)

    Based on RSTP

    Hierarchical approach: one single spanning tree connects the regions, the Common Spanning Tree (CST) across regions

    Each region has at least an Internal Spanning Tree (IST), called Common IST (CIST)

    One region acts as a virtual single bridge in terms of spanning tree!

    Multiple spanning tree instances (MSTI) are possible inside each region

    Details and the new BPDU format are quite complex: refer to the standard (and RFC 2014 for the HMAC-MD5 hash of the VLAN-to-MSTI mapping)

    CIST + MSTI

    [Figure: CIST and MSTI, not reproduced]