Teknillinen Korkeakoulu
Laboratory of Telecommunications Technology
S-38.128 Special Assignment in Telecommunications Technology
Providing Advanced VLANs as a Service
Author: Peter Lindblom 31806A
Supervisor: Vesa Kosonen
6.8.1999
Teknillinen Korkeakoulu, Laboratory of Telecommunications Technology. S-38.128 Special Assignment in Telecommunications Technology, 6.8.1999, Peter Lindblom 31806A. Page 2 (33)
Abstract
VLANs are being employed more and more in corporate networks. New and advanced
VLAN networking features are becoming available, but they are quite complicated and
consequently companies are beginning to outsource their LANs to service providers. Service
providers, however, need to be able to manage these networks. This work describes some
of the features VLANs can provide, how they can be managed by a new concept called
directory enabled networking and how ready vendors are to provide products supporting
directory enabled networking.
Table of Contents
Abstract ... 2
1 Vocabulary ... 4
2 Introduction ... 5
3 Traditional VLANs ... 6
3.1 Definition of VLANs ... 6
3.2 The Benefit of VLANs ... 8
3.3 Types of VLAN Membership ... 9
3.4 Automation of VLAN Membership Assignment ... 11
3.5 VLAN Membership Communication Between Switches ... 11
4 Advanced VLAN Services ... 13
4.1 Traffic Prioritization ... 13
4.1.1 QoS ... 13
4.1.2 CoS ... 14
4.1.3 ToS ... 14
4.1.4 IEEE 802.1p ... 14
4.1.5 Prioritization in a LAN/WAN environment ... 16
4.1.6 Queuing mechanisms ... 16
4.2 Policy Based Networking ... 17
4.3 Service Level Agreements ... 18
4.4 User and Device Authentication ... 18
4.5 VLANs Across the WAN ... 21
4.6 Challenges Caused by Advanced VLAN Services ... 21
5 Directory Enabled Networking ... 22
5.1 Directory Services ... 22
5.2 The Purpose of Directory Enabled Networking ... 23
5.3 The DEN Schema ... 26
5.4 DEN Schema Benefits ... 28
6 Vendors and Products ... 29
7 Conclusion ... 31
8 References ... 32
1 Vocabulary
AAA Authentication, Authorization and Accounting
ATM Asynchronous Transfer Mode
CFI Canonical Format Indicator
CIM Common Information Model
CoS Class of Service
DEN AHWG DEN Ad Hoc Working Group
DEN Directory Enabled Networking
DMTF Desktop Management Task Force
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
MAC Media Access Control
MIB Management Information Base
MPLS Multi-Protocol Label Switching
MTU Maximum Transmission Unit
NFS Network File System
PDP Policy Decision Point
PEP Policy Enforcement Point
QoS Quality of Service
RSVP Resource ReSerVation Protocol
SLA Service Level Agreement
SLM Service Level Management
SNMP Simple Network Management Protocol
TCI Tag Control Information
TCP Transmission Control Protocol
ToS Type of Service
VID VLAN Identifier
VLAN Virtual Local Area Network
VoIP Voice over IP
WAN Wide Area Network
2 Introduction
Networking has come a long way since the first 802.3 10Base5 networks of the 1980s.
Almost all corporate PCs and workstations have network cards installed, but the use of the
network has also changed dramatically. In the beginning the aim of the network was file
sharing and, above all, sharing expensive equipment such as a laser printer among users.
File sharing over the network was not that important, because most documents fitted on a
floppy disk. The Internet was centred on the educational world, such as universities;
commercial use of the Internet was unheard of. Nowadays all this has changed and the
network has become more and more important. A workstation that is not networked is
almost useless in a company environment, and it is not unusual for a PC not to work at all if
it cannot reach the network. The network is much more than a way to share printers and
files: network applications such as web browsing, voice and video conferencing and multicast
applications have changed the way people work. Companies depend on the network.
At the same time as networks have become increasingly important they have also become
more and more complex. Current management tools focus on element management, i.e. they
manage devices and not the network as a whole. What has been needed for a long time is
end-to-end management. In order to achieve this new level of management, and also to be
able to use the network resources in a cost-effective manner, a group of companies and
interested parties formed the Directory Enabled Networking ad-hoc working group. The
purpose of the DEN AHWG is to create a schema and information model that describes the
networking equipment, network services and networks in a standard and formalized way.
There are also a few other new demands on future networks that are worth mentioning:
Service Level Agreements (SLAs) and policy based networks. These also demand much of
the underlying network infrastructure. DEN attempts to model policies in the DEN
schema, which also makes it easier to enforce SLAs.
The focus in this study is on how future VLANs can make use of the DEN model in order to
facilitate policy based networking and SLA enforcement mainly in an Ethernet LAN
environment. These two characteristics are essential from a service provider's point of view
for providing LAN and integrated LAN & WAN end-to-end networking solutions. Only
when these are implemented is it possible to provide Quality of Service and guarantee SLAs
in a LAN environment.
3 Traditional VLANs
3.1 Definition of VLANs
A physical Ethernet LAN segment consists of network nodes connected to each other via a
hub or repeater. This means that all network nodes share the bandwidth of the segment,
which in turn means that only one node may transmit successfully at any moment. If two or
more nodes attempt to transmit at the same time a collision occurs; the collision is
propagated through the hubs and repeaters, and the nodes have to resend their data after the
collision. A LAN segment is therefore often called a collision domain. It consists of stations,
hubs and repeaters. A bridge, switch or router can be used as a collision domain boundary,
i.e. collisions are not propagated through these devices.
Bridges and switches connect LAN segments to each other, and MAC broadcasts and
multicasts are propagated through bridges and switches. This area is referred to as a
broadcast domain. Routers are traditionally used as a broadcast domain boundary. The
topology of a typical LAN is shown in figure 1.
Figure 1 A typical LAN (a router connected to the WAN, a 100BaseTX switch, a 10BaseT hub, and a server, printer, notebook and workstation).
LAN switches have become more and more commonplace because the price per port has
come down dramatically in the last few years at the same time as the performance and
capabilities of the switches have increased. The impact on LANs is that the number of LAN
segments has increased while the number of users per segment has dropped. Today it is not
unusual for each user to have a dedicated switch port. This is called microsegmentation. On
the other hand this has also meant that the broadcast domains have become bigger, because
relatively cheap switches have been used to replace expensive routers. To address this
broadcast domain problem switch vendors have developed an alternative way to contain
broadcasts instead of using routers. The solution is called virtual LANs or VLANs.
A VLAN can roughly be described as a broadcast domain, but a technically more correct
description is that a VLAN is a group of stations, possibly on separate physical LAN
segments, that are not constrained by their physical location and communicate as if they
were on a common LAN (figure 2). [SMI98]
Figure 2 A simple VLAN network (Switch A and Switch B joined by a trunk, with stations on the 1st and 2nd floors of Building 1 and Building 2 belonging to several VLANs).
3.2 The Benefit of VLANs
The advantages of VLANs over traditional LANs are [SMI98]:
• Performance
In broadcast/multicast intensive networks VLANs can be used to control the propagation
of broadcast/multicasts reducing unnecessary traffic. Obviously a router can also do this,
but the latency of a switch is typically smaller than the latency of a router.
• Virtual workgroups
People that work in the same workgroup need not be physically connected to the same
LAN segment or switch in order to be part of the same VLAN, therefore there is no need
to physically reconfigure the network in order to contain the broadcast/multicast traffic
created by the workgroup. If shared resources can't be members of multiple VLANs it
creates a potential bottleneck.
• Simplified administration
According to studies up to seventy percent of network costs are due to moves, adds and
changes of users in the network. By using VLANs some of these tasks can be simplified,
reducing the cost of operation. E.g. routers may not need to be reconfigured and the
network address of workstations need not be changed when a user moves. On the other
hand, VLANs create a new administration task that did not exist previously.
• Reduced cost
VLANs can be used to create broadcast domains without the need for routers, which are
more expensive than switches.
• Security
With the use of VLANs broadcast domains can be made smaller, which means that
eavesdropping on the traffic of a particular LAN is more difficult.
3.3 Types of VLAN Membership
The VLAN membership of stations can be defined in several different ways and not all
vendors support all ways. The following are the most common types of VLAN membership
assignment [NET96]:
• Port based (Layer 1)
The VLAN membership of a station is determined by the physical switch port that station
is connected to. A station can only belong to one VLAN and when the station is moved
the VLAN membership needs to be reconfigured. This is the most common type of
VLAN membership assignment.
• MAC address based (Layer 2)
The VLAN membership of a station is determined by the MAC address of the network
card of the station. When the station is moved the VLAN membership follows it. Often
this means that there can only be one user per switch port or alternatively all users
connected to the same port must belong to the same VLAN. VLAN membership needs to
be reconfigured if the MAC address changes. Several vendors support VLANs based on
MAC addresses.
• Protocol based (Layer 2)
The VLAN membership of a station is determined by the network protocols that the
station uses, e.g. IP, IPX, AppleTalk, NetBEUI, etc. Usually this means that the station
may be a member of several VLANs. Only a few switch vendors support protocol based
VLANs.
• Network number based (Layer 3)
The VLAN membership of a station is determined by the (sub)network that station
belongs to, e.g. IP subnet, IPX network, AppleTalk network, DECNET network etc.
Usually this means that the station may be a member of several VLANs. Only a few
switch vendors support VLANs based on network numbers.
• IP multicast group based (Layer 3)
The VLAN membership of a station is based on the IP multicast groups that station is a
member of. To be useful this requires that the station can be a member of several
VLANs. Few switch vendors support VLANs based on IP multicast groups.
• Higher layer VLANs
The VLAN membership of a station can also be based on higher layer applications, user
IDs, or other policies. This means that for example HTTP, Lotus Notes, SAP R/3, NFS,
Novell SAP etc. can be in different VLANs, or depending on the user the station may be
a member of different VLANs. Very few switch vendors support VLANs based on
higher layer definitions.
It is important to note that using one type of VLAN membership does not preclude using other
types of VLAN membership at the same time. Combining different VLAN membership
classification criteria is sometimes called policy based VLANs.
3.4 Automation of VLAN Membership Assignment
An important aspect of using VLANs is how they are configured, how good the
configuration tools are and what the degree of automation is. Basically there are three
different levels of automation [SMI98]:
• Manual
The initial VLAN membership setup and subsequent moves, adds and changes are done
by the network administrator. The level of control is high, but in big networks this also
means a lot of configuration work, which defeats one purpose of using VLANs in the
first place. However the amount of work depends on the, usually vendor specific, VLAN
administration tools used.
• Semi-automated
Initial VLAN membership setup or subsequent changes or even both may be automated.
Initial VLAN membership setup can be automated by defining protocol based or
subnet/network number based VLANs. Subsequent moves may also be automated by
using these types of VLANs or by using MAC address based VLANs. Even if both
initial setup and subsequent changes are automated this is still considered semi-automated
because the administrator has the option of manual configuration.
• Fully-automated
Stations dynamically and automatically join VLANs depending on preset application,
user ID or other policies.
3.5 VLAN Membership Communication Between Switches
At least equally important is how VLAN membership information is propagated between the
switches. Without a mechanism for this, VLANs would be limited to a single switch, or
alternatively two switches would have to be interconnected with as many links as there are
VLANs defined, which clearly does not scale. Exceptions are, of course, VLANs based on
protocol type, network number etc., because in these cases the VLAN membership can be
derived from the frame itself. Usually, however, there is a need for communicating VLAN
membership information, which can be done in the following three ways [NET96]:
• Signaling
Each switch keeps a table of stations and associated VLANs. Whenever there is a change
in the table for locally attached users, i.e. users directly connected to that switch, the
switch sends the updated information to the other switches. Depending on the size of the
network, the amount of changes and the specific type of signaling used, this approach
doesn't necessarily scale well. A few vendors use this method.
• Frame tagging
Each frame sent on an interswitch link is tagged with the corresponding VLAN
membership information; i.e. a tag containing the necessary information is inserted in
each frame. If the original frame is large enough, the tagged frame may exceed the
maximum size of a layer 2 frame. Previously the tag format and the handling of oversized
frames were vendor specific, but this has now been standardized in IEEE 802.1Q. This
is the most common method used.
• Time Division Multiplexing
In this method timeslots are reserved for each VLAN on the interswitch link. This means
that there is no overhead with signaling or tagging. On the other hand it wastes
bandwidth, because if a certain VLAN timeslot doesn’t have any traffic that timeslot may
not be used by any other VLAN. No major switch vendors use this method.
4 Advanced VLAN Services
4.1 Traffic Prioritization
Nowadays it is not enough just to have high performance networking products; equally
important is getting the highest level of network service. Service providers as well as network
managers look for better ways to serve their customers. IT managers, service providers,
backbone operators and standards organizations research and develop service quality
systems, such as QoS and CoS, for current and future networks. At the same time it is vital to
maintain a migration path to newer technology that is both practical and economically
feasible. [INT98]
There are different approaches to traffic prioritization, such as Quality of Service (QoS),
Class of Service (CoS) and Type of Service (ToS).
4.1.1 QoS
Quality of Service (QoS) mechanisms provide the necessary level of service (bandwidth and
delay) to an application in order to maintain an expected quality level. The expected quality
level from a technical point of view depends on the application that requires the Quality of
Service. To a mission-critical application, QoS means guaranteed bandwidth with zero frame
loss. For a telephony application, such as voice over IP (VoIP), QoS means guaranteed
frame latency. [STA99]
QoS places a significant burden on the network infrastructure. Each device must keep an
entry in its forwarding table for each application flow. In a large corporate network, devices
can become overwhelmed by the millions of flows, especially at the boundaries. ATM,
Frame Relay and Multi-Protocol Label Switching (MPLS) are examples of protocols that
deliver a level of service per application flow. Resource Reservation Protocol (RSVP) is
another protocol that has gained acceptance as a valid QoS mechanism. RSVP delivers end-
to-end service by reserving bandwidth and the availability of resources along a particular path.
RSVP is implemented in some routers, Layer 3 switches, and in Microsoft's NT 5.0 Server.
However, complete end-to-end QoS implementations are difficult to achieve in today's
corporate LAN environment and come at a high price.
4.1.2 CoS
Class of Service (CoS) mechanisms reduce flow complexity by mapping multiple flows into
a few service levels. Network resources are then allocated based on these service levels, and
flows can be aggregated and forwarded according to the service class of the packet. CoS
applies bandwidth and delay to different classes of network services, instead of the fine-
grain control provided by QoS. CoS easily scales with network expansion. As the network
grows, traffic continues to be managed based on a few service levels, keeping infrastructure
burdens to a minimum. In the LAN environment IEEE 802.1p is a standard method of
signaling CoS at OSI Layer 2.
4.1.3 ToS
Type of Service (ToS) was defined in the early 80s, but was largely unused until recent IP
traffic bottlenecks at the access routers required prioritization of traffic in order to achieve
better service levels. The Type of Service octet in the IPv4 header includes three precedence
bits defining seven different priority levels, ranging from the highest priority for network control
packets to the lowest priority for routine traffic. The remaining five bits are not used. Some
access routers and ToS-aware Layer 3 LAN switches read the precedence bits and map them
to forwarding and drop behaviours. ToS applies only to IP and not to other protocols.
4.1.4 IEEE 802.1p
IEEE 802.1p is a supplement to the 1998 version of IEEE 802.1D bridging standard, to
which it adds Traffic Class Expediting functionality. Traffic class expediting consists of two
parts called Dynamic Multicast Filtering and Traffic Classification. Traffic Classification
defines a method of prioritizing packets based on a Layer 2 tag that is inserted in the frame
either by a station, a switch, or a router. This standard defines eight different priorities. The
Tag Control Information (TCI) field is defined in the IEEE 802.1Q standard and it is shown
in figure 3. The user_priority field consists of three bits and may represent eight priority
levels, 0 through 7. The highest priority is 7 and the lowest is 1, the default priority is 0.
The insertion of the priority value (0-7) allows all tag aware devices in the network to make
intelligent forwarding decisions based on their own level of support for prioritization. A
switch or router that complies with IEEE 802.1p maps each priority to a specific transmit
queue, and the standard requires that devices support at least two transmit queues per
port. It is important to note that although eight different priority levels can be
signaled, the device does not need to have eight different priority queues. Most vendors' LAN
switches support four priority queues, which means that the switch by default maps the
incoming signaled priority according to table 1.
Table 1 Priority queues and transmit queues.
802.1p priority   Transmit queue
7                 3
6                 3
5                 2
4                 2
3                 1
2                 0
1                 0
0                 1
Figure 3 IEEE 802.1Q TCI: a two-octet field laid out as user_priority (3 bits), CFI (1 bit) and VLAN Identifier (VID, 12 bits).
The following things should be noted in this table:
• Priority 7 is the highest.
• Transmit queue 3 is serviced first.
• Two IEEE 802.1p priorities are mapped to each transmit queue.
• Because 0 is the default value in the tag, it is mapped to transmit queue 1 and not to transmit
queue 0; in essence this means that priorities 1 and 2 are the lowest and are accordingly
mapped to transmit queue 0.
It is also important to note that the switch doesn’t need to accept the incoming signaled
priority, instead the switch may classify and re-label the priority according to different
classification rules. [ROM99]
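As an added example that is not part of the original text, the following Python splits the 802.1Q tag of a constructed Ethernet frame into the TCI fields of figure 3, maps user_priority onto the four transmit queues of table 1, and implements the re-labelling just described as a trust rule: the tag is honoured only on ports marked as trusted. The trust rule, the MAC addresses and the frame contents are assumptions for the example, not something the text prescribes.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q tag

# Table 1 of the text: default mapping of the eight 802.1p priorities onto a
# four-queue switch. The default priority 0 lands in queue 1, so priorities
# 1 and 2 are the lowest and share queue 0.
TABLE1_QUEUE_MAP = {7: 3, 6: 3, 5: 2, 4: 2, 3: 1, 0: 1, 2: 0, 1: 0}


@dataclass
class TaggedFrame:
    dst: bytes
    src: bytes
    user_priority: int  # 3 bits, 0..7
    cfi: int            # Canonical Format Indicator, 1 bit
    vid: int            # VLAN Identifier, 12 bits
    ethertype: int      # type of the encapsulated payload
    payload: bytes


def build_tci(user_priority: int, cfi: int, vid: int) -> int:
    """Pack the three TCI fields of figure 3 into the 16-bit TCI word."""
    if not 0 <= user_priority <= 7 or cfi not in (0, 1) or not 0 <= vid <= 0xFFF:
        raise ValueError("TCI field out of range")
    return (user_priority << 13) | (cfi << 12) | vid


def make_tagged_frame(dst, src, user_priority, cfi, vid, ethertype, payload):
    """Construct a tagged frame: dst, src, TPID, TCI, then the original type field."""
    tci = build_tci(user_priority, cfi, vid)
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, tci, ethertype) + payload


def parse_8021q(frame: bytes) -> TaggedFrame:
    """Split an 802.1Q tagged frame; the 4-byte tag follows the source MAC."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1Q tagged frame (TPID 0x{tpid:04x})")
    return TaggedFrame(dst, src, tci >> 13, (tci >> 12) & 1, tci & 0xFFF,
                       ethertype, frame[18:])


def transmit_queue(user_priority: int, queue_map=TABLE1_QUEUE_MAP) -> int:
    """Return the transmit queue that table 1 assigns to a signalled priority."""
    return queue_map[user_priority]


def ingress_priority(frame: TaggedFrame, port_trusted: bool) -> int:
    """Priority the switch actually uses for the frame.

    The text notes that a switch need not accept the signalled priority. The
    rule applied here is an assumption for the example: honour the tag only on
    ports configured as trusted (e.g. inter-switch trunks) and reset it to the
    default priority 0 on user-facing ports, so a station cannot obtain a
    better queue simply by marking its own frames.
    """
    return frame.user_priority if port_trusted else 0


# Constructed sample: a station on VLAN 100 marks its IPv4 frame with priority 5.
# Locally administered MAC addresses are used so no real OUI is implied.
SAMPLE = make_tagged_frame(
    dst=bytes.fromhex("020000000001"), src=bytes.fromhex("020000000002"),
    user_priority=5, cfi=0, vid=100, ethertype=0x0800,
    payload=b"\x45\x00" + b"\x00" * 18)

if __name__ == "__main__":
    f = parse_8021q(SAMPLE)
    print(f"VID {f.vid}, priority {f.user_priority} -> queue {transmit_queue(f.user_priority)}")
    print("same frame on an untrusted port -> queue",
          transmit_queue(ingress_priority(f, port_trusted=False)))
```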
4.1.5 Prioritization in a LAN/WAN environment
In a LAN prioritization signaling may be achieved through the use of 802.1p. Routers,
however, operate at layer 3 and accordingly they do not forward layer 2 headers, which
means that the IEEE 802.1Q header is lost when a router forwards a frame. Therefore the
router receiving a frame with 802.1p priority information needs to be able to map that
priority to a layer 3 priority or to classify the frame according to its own rules.
In the case of IP the layer 3 prioritization scheme may be IP ToS, but for other protocols
there is not yet a standard way to signal priority. This means that either the protocol used
should be IP and all routers in the path should support IP ToS, or each router should be able
to classify and prioritize frames independently.
4.1.6 Queuing mechanisms
In order to support prioritization a device needs to support multiple transmit queues. These
queues can typically be serviced based on a strict queuing mechanism or based on a fair
weighted queuing mechanism.
Strict queuing specifies that all frames in the highest priority transmit queue are
transmitted before any frames in a lower priority transmit queue. Weighted fair queuing
allows the network administrator to give a certain percentage or weight to each queue,
preventing a lower priority queue from being starved.
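As an added example that is not part of the original text, this Python simulation serves the four transmit queues of table 1 with the two mechanisms just described and shows the starvation the text warns about. Weighted round-robin stands in for weighted fair queuing, a simplification made for the example, and the backlog sizes and weights are constructed.

```python
from collections import deque


def make_backlog(frames_per_queue):
    """Build one FIFO per transmit queue; index 3 is the highest priority queue."""
    return [deque(range(n)) for n in frames_per_queue]


def strict_priority(queues, slots):
    """Serve `slots` frames, always taking from the highest non-empty queue.

    A lower queue is served only when every higher queue is empty, so a
    persistently backlogged high-priority queue starves the others.
    """
    served = [0] * len(queues)
    for _ in range(slots):
        for q in range(len(queues) - 1, -1, -1):
            if queues[q]:
                queues[q].popleft()
                served[q] += 1
                break
    return served


def weighted_round_robin(queues, weights, slots):
    """Serve `slots` frames, visiting queues from highest to lowest priority.

    Each visit sends up to weights[q] frames, so under full backlog a queue
    with weight w receives roughly w / sum(weights) of the link and is never
    starved while it holds traffic.
    """
    if len(weights) != len(queues) or min(weights) < 1:
        raise ValueError("one positive weight is required per queue")
    served = [0] * len(queues)
    remaining = slots
    while remaining and any(queues):
        for q in range(len(queues) - 1, -1, -1):
            for _ in range(weights[q]):
                if not remaining or not queues[q]:
                    break
                queues[q].popleft()
                served[q] += 1
                remaining -= 1
    return served


def compare(frames_per_queue, weights, slots):
    """Run both schedulers on identical backlogs; return frames served per queue."""
    return {
        "strict": strict_priority(make_backlog(frames_per_queue), slots),
        "wrr": weighted_round_robin(make_backlog(frames_per_queue), weights, slots),
    }


if __name__ == "__main__":
    # Constructed scenario: queue 3 holds more frames than the link can send
    # in the observed window of 60 slots; the other queues hold 20 frames each.
    result = compare(frames_per_queue=[20, 20, 20, 100], weights=[1, 2, 3, 4], slots=60)
    for name, served in result.items():
        print(f"{name:6s} served per queue (0..3): {served}")
```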
4.2 Policy Based Networking
Network resources are complicated to control today, and networking professionals and IT
managers don’t have tools to measure their success at keeping both the networks functioning
and the users satisfied with the service they are getting.
For example, when mission-critical applications and end users demand reliable network
service, IT managers often must:
• Over-allocate network capacity
This potentially wastes resources that could be applied elsewhere. It is also very
probable that the capacity required is underestimated, because actual usage is difficult to
predict.
• Restrict overall computing capabilities
This potentially prevents some end users from getting the most out of their workstations.
For example, some IT managers will ban applications such as distance learning or
business video broadcasts, because they fear the network might collapse.
Therefore there is a need for being able to configure the network so that the mission critical
applications and users are recognized and prioritized. This can be achieved by using simple
rules called policies. [STR99]
All policies consist of two components:
• First, a set of conditions must be specified under which the policy applies; otherwise the
policy has no context.
• Second, a set of actions must be specified that either maintain the current state of the
object or transition the object to a new state as a consequence of either satisfying or not
satisfying the condition set.
Policies can be classified into two categories, simple and complex. Complex policies are
policies that are comprised of simpler policies, and consist of a complex set of conditions
and actions. Hierarchical policies are another example of complex policies. This hierarchy
can be used to simplify the administration of policies. In general, complex policies model
intricate interactions between objects that have complex interdependencies. Examples of this
include a sophisticated user logon policy that sets up application access, security, and
reconfigures network connections based on a combination of user identity, network
location, logon method and time of day. Simple policies are those that can be expressed in a
simple statement. They can be represented effectively in schemas or MIBs. Examples of this
are VLAN assignments, simple yes/no QoS requests, and IP address allocations. [SEM98]
There are both static and dynamic policies. Static policies require only enforcement and they
characterize static user attributes or situational parameters, such as a specific location.
Dynamic policies get enforced when needed, such as when a user with "Gold Service" logs
on or when the network gets congested and SLAs are violated. Dynamic policies require
both policy decisions and enforcement. [STR98]
4.3 Service Level Agreements
A Service Level Agreement (SLA) is an explicit, formal statement indicating what the service
providers will deliver to their customers. Service providers include, among others, LAN
service providers and internal corporate IT organizations. A means to enforce the contract
must be available. The management system must take actions to maintain service quality
because SLAs are becoming more common within organizations as well as between service
providers and customers. [PAS99]
SLAs define the provided services, including the criteria, measurements, and commitments.
Standard metrics are availability, mean time to repair, response time, throughput, data
volume, jitter, wait time, and so on. [MCC98]
Some examples of contracts are:
"SAP R/3 users are each guaranteed 4 Mbps of bandwidth every day between 08:00 and
17:00."
"Authenticated healthcare users can access the healthcare server, other users can't."
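As an added example that is not part of the original text, the Python below models a policy as the two components named in section 4.2, a condition set and an action set, composes simple policies into a hierarchical complex policy, and evaluates the two sample contracts above for constructed requests. The user names, group names, server names and the default-deny rule for the healthcare server are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Callable


@dataclass
class Request:
    """Context a policy decision is made against (constructed for the example)."""
    user: str
    groups: frozenset
    authenticated: bool
    now: time
    destination: str


Condition = Callable[[Request], bool]


@dataclass
class SimplePolicy:
    """A policy expressible as one statement: a condition set plus an action set."""
    name: str
    conditions: list   # every condition must hold for the policy to apply
    actions: dict      # state applied to the request when it does

    def evaluate(self, req: Request) -> dict:
        return dict(self.actions) if all(c(req) for c in self.conditions) else {}


@dataclass
class ComplexPolicy:
    """A hierarchical policy built from simpler ones; later children override earlier."""
    name: str
    children: list = field(default_factory=list)

    def evaluate(self, req: Request) -> dict:
        result = {}
        for child in self.children:
            result.update(child.evaluate(req))
        return result


# Reusable condition builders.
def in_group(group: str) -> Condition:
    return lambda r: group in r.groups


def is_authenticated() -> Condition:
    return lambda r: r.authenticated


def between(start: time, end: time) -> Condition:
    return lambda r: start <= r.now < end


def destined_to(server: str) -> Condition:
    return lambda r: r.destination == server


# Contract 1: SAP R/3 users are each guaranteed 4 Mbps every day 08:00-17:00.
sap_sla = SimplePolicy(
    "sap-r3-bandwidth",
    [in_group("sap-r3"), between(time(8, 0), time(17, 0))],
    {"guaranteed_mbps": 4},
)

# Contract 2: authenticated healthcare users may reach the healthcare server,
# nobody else may. Expressed as a default deny followed by a narrower grant.
healthcare_default = SimplePolicy(
    "healthcare-default-deny", [destined_to("healthcare-srv")], {"access": "deny"})
healthcare_grant = SimplePolicy(
    "healthcare-grant",
    [destined_to("healthcare-srv"), is_authenticated(), in_group("healthcare")],
    {"access": "permit"},
)

# The site policy is a complex policy composed of the simple ones above.
site_policy = ComplexPolicy("site", [sap_sla, healthcare_default, healthcare_grant])


def decide(req: Request) -> dict:
    """Policy decision, i.e. what a decision point hands to the enforcing device."""
    return site_policy.evaluate(req)


if __name__ == "__main__":
    r = Request("alice", frozenset({"sap-r3"}), True, time(10, 30), "sap-srv")
    print("alice 10:30 ->", decide(r))
    r = Request("bob", frozenset({"healthcare"}), False, time(9, 0), "healthcare-srv")
    print("unauthenticated bob ->", decide(r))
```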
4.4 User and Device Authentication
Authentication establishes identity; it is integrated into user applications, host operating
systems, network operating systems and in some cases also into network devices, such as
switches. In a VLAN environment authentication is used to grant network access to users
and to devices such as printers, servers, etc.
The most typical way to identify a user is with a user ID and password, but nowadays more
and more authentication schemes involve several factors to prove identity with greater
confidence. These factors include [XYL98]:
• Something you are
For humans this includes fingerprints, retinas, keystroke timing etc. For devices it
includes the MAC address, protocol types and network addresses. Greater security can be
achieved by mapping these characteristics to a switch port or a group of switch ports. For
many devices like printers and servers this is the only kind of authentication that can be
used, because the devices may not support any authentication protocol. These characteristics
can be spoofed, but doing so usually requires physical access to the device.
• Something you know
This is the user ID and password method; as a form of authentication it is better than
nothing, but not by much. Often both user IDs and passwords are sent in clear text, and
passwords are easily guessed. There are also many password-cracking tools available. A
way around these limitations is the use of one-time passwords.
• Something you possess
This includes tokens and smart cards. This is also a weak form of authentication when
used alone, because the person using the mechanism may not be the one authorized to
use it. Tokens are easy to lose and in some cases easy to forge. However, when used
together with something you know, a strong authentication system is created.
User authentication can be used to create secure network access: a user has to be
authenticated before he is given access to the network. Once the user has been authenticated
he is given access to the network and membership in specific VLANs. This means that the
user can be mobile and get the same privileges in the network independent of the
workstation that the user is using.
This is a very important ability from a service provider's point of view because
authenticating the user serves as a basis for being able to provide really useful CoS and
SLAs. Prioritization also creates a need for authentication. This is because prioritization
means that some users get better service than others and consequently users may try to spoof
the network in order to get a better service.
However, user authentication currently usually requires proprietary software on the
workstation so that the authentication can be done. Of course, a network login to e.g. an NT
domain or a Novell NDS tree could be used, but a standard way of authentication would be
preferable.
Device authentication has to be based on switch port and device MAC and network
addresses until a standard for authentication is created.
The Authentication, Authorization and Accounting (AAA) working group of the IETF is
currently defining an AAA architecture and an authentication protocol framework. The
working group is also working on identifying the relationship and interaction between policy
and authorization. This is still a work in progress.
Figure 4 AAA architecture (user, network device, AAA server and service provider; the
user has a contractual agreement with the service provider, the network device has a trust
relationship with the AAA server, and the authenticated user has a trust relationship with
either the network device or the AAA server).
The architecture involves an authentication server, an authorization (policy) server, and an
accounting server; these may be separate servers or integrated. Figure 4 shows the
architecture with an integrated AAA server. The user is connected to a network device and
there is a contractual relationship between the user and the service provider. There is a trust
relationship between the network device and the AAA server. After the user is authenticated
a trust relationship exists between the user and either the network device or AAA server. The
AAA server can be considered a Policy Decision Point (PDP) and the network device a
Policy Enforcement Point (PEP). [VOL99]
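The following is an added model of the authentication factors of section 4.4 and of the PDP/PEP split in figure 4; it is written for this page and is not code from the thesis or from any vendor product. The switch acts as PEP, the AAA server as PDP, and every user name, secret, MAC address, port and VLAN id is constructed sample data.

```python
"""Added model of section 4.4 and figure 4: the switch port is the Policy
Enforcement Point (PEP), the AAA server the Policy Decision Point (PDP).
Written for this page; not code from the thesis or from any vendor product.
Every user, secret, MAC address, port and VLAN id below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    granted: bool
    vlans: tuple = ()      # VLAN ids the PEP places the port in when granted
    reason: str = ""


class AAAServer:
    """PDP: authenticates, authorizes VLAN membership and keeps accounting."""

    def __init__(self):
        # Human users combine "something you know" (password, stored hashed)
        # with "something you possess" (a token answering a challenge).
        self.users = {"alice": {"pw": self._digest("s3cret"),
                                "token": b"alice-token-key", "vlans": (10, 30)}}
        # Devices without an authentication protocol are identified by
        # "something you are": the MAC address bound to a switch port.
        self.bindings = {("sw1", 7): "00:10:4b:aa:bb:cc"}   # a printer
        self.device_vlans = {"00:10:4b:aa:bb:cc": (20,)}
        self.accounting = []                                # (who, granted)

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def token_response(self, user, challenge):
        """Simulates the user's token (shares its key with the server, as an
        one-time-password token does)."""
        return hmac.new(self.users[user]["token"], challenge, "sha256").hexdigest()

    def authenticate_user(self, user, password, challenge, response):
        rec = self.users.get(user)
        ok = (rec is not None
              and hmac.compare_digest(rec["pw"], self._digest(password))
              and hmac.compare_digest(self.token_response(user, challenge),
                                      response))
        decision = (Decision(True, rec["vlans"], "user authenticated") if ok
                    else Decision(False, (), "bad credentials"))
        self.accounting.append((user, decision.granted))
        return decision

    def authenticate_device(self, switch, port, mac):
        if self.bindings.get((switch, port)) == mac:
            decision = Decision(True, self.device_vlans[mac], "binding ok")
        elif mac in self.device_vlans:
            # A known MAC on the wrong port is the spoofing case the text
            # warns about: deny it and leave a record for the auditor.
            decision = Decision(False, (), "known MAC on unexpected port")
        else:
            decision = Decision(False, (), "unknown device")
        self.accounting.append((mac, decision.granted))
        return decision


class Switch:
    """PEP: it decides nothing itself and enforces what the PDP returns."""

    def __init__(self, name, pdp):
        self.name, self.pdp = name, pdp
        self.port_vlans = {}          # port -> VLAN ids currently granted

    def user_login(self, port, user, password, challenge, response):
        d = self.pdp.authenticate_user(user, password, challenge, response)
        self.port_vlans[port] = d.vlans if d.granted else ()
        return d

    def device_link_up(self, port, mac):
        d = self.pdp.authenticate_device(self.name, port, mac)
        self.port_vlans[port] = d.vlans if d.granted else ()
        return d
```

A mobile user logging in from a different port receives the same VLAN membership, while a device MAC that appears on a port other than the one it is bound to is refused and recorded.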
4.5 VLANs across the WAN
VLANs have been used in local area networks for a few years already, but it is also possible
to use VLANs instead of routing in the WAN. However, this means that LAN broadcasts
consume relatively expensive WAN bandwidth. On the other hand, it is probable that WAN
bandwidth will become much cheaper in the future, but by then bandwidth requirements
will also have grown. It may be that WAN bandwidth will never be cheap enough for
VLANs unless something can be done to reduce broadcasts in a standards-based way.
However, there is an obvious need for some kind of advanced support so that remote dial-in
users and users in remote branch offices can utilize these new advanced services as well.
The problem is how this can be done.
4.6 Challenges Caused by Advanced VLAN Services
All the above-mentioned advanced services are useful from a service provider's point of
view, but in order to produce these kinds of services in a cost-efficient manner, they need
to be manageable in a consistent way. Because many of these new services are also closely
linked together, it makes sense to be able to configure, monitor and manage the services in
a vendor-independent fashion. However, current management tools are not sufficient for
doing this efficiently in a multivendor network. Most management applications are aimed
at device management and not at end-to-end network service management. Therefore there
is an urgent need for a way of managing large multivendor networks providing advanced
services. Directory enabled networking seems to be a promising approach.
5 Directory Enabled Networking
5.1 Directory Services
A directory service is a physically distributed but logically centralized data repository for
infrequently changing data needed for managing a computing environment. It can be viewed
as a special purpose database built to store typed and structured information. [ABO98]
A directory service enables a user to locate and identify other users and resources in a
distributed system. Directory services provide the foundation for adding, modifying,
removing, renaming and managing system components without interrupting the services
provided by other system components. [GON99]
Directory services are able to:
• Serve as a distributed repository of information about system components. The directory
can be replicated among several servers, and a user can query a local server for all
information.
• Support lookup by attribute (e.g. name, phone number, etc.) and by classification (e.g.
printer, etc.), i.e. support “white pages” and “yellow pages” lookup.
• Enable single user logon to network services, so that the user gets access to all network
resources available to him without having to log on to several servers separately.
• Enable distribution of management and administration, i.e. administrative tools don't
have to be centrally located and managed.
• Replicate data between all directory servers so that the information is seen in a consistent
way throughout the network.
Characteristics of a directory are [KIL98]:
• Information is strongly typed and structured.
• It stores information about objects of interest.
• It can be highly distributed and supports replication.
• Reads are much more frequent than writes.
• It provides for search as well as retrieval.
• Allows access to information from multiple locations.
• It is frequently used in an application-specific manner.
• Objects are essentially independent in the directory.
• It has a fixed core schema that controls directory structure.
• The directory structure is hierarchical.
• The schema for individual objects is highly extensible.
A general-purpose enterprise directory provides a central corporate repository for commonly
and widely used information. The information may be white pages data, such as email
addresses and phone numbers, and information that gives a user access to services, such as
printers, computers and buildings. Digital signatures may also be stored in the directory.
Traditional directory services were designed for administrative needs, but directories have
changed from a simple data warehouse to an intelligent, authoritative and distributed
repository of information for services and applications. The directory can be accessed using
the Lightweight Directory Access Protocol (LDAP). [WAH97]
5.2 The Purpose of Directory Enabled Networking
Nowadays the computing environment that needs to be managed not only includes
computers, but also networking devices that interconnect the computers. There are several
new advanced network services available and at the same time new applications demand
more and more of the network. Examples of this are:
• Voice and video applications
• Quality of Service (QoS)
• Policy based networking
• Authentication
All these new services, features and demands cause a management problem. The huge
amount of data to be managed requires that device configurations, user profiles, service
profiles, policy rules, SLAs, etc., should be stored in a standardized manner. It should be
easy to replace a failed device with as little configuration effort as possible. This means that
network devices should be able to retrieve their configuration from a configuration
repository. Preferably it should also be possible to replace a failed device with a similar, but
not identical, device without needing to configure the device manually. [GON99]
Directory services are already used successfully to store application and user information. It
is logical to extend directory services to include networks, so that the new and more
demanding network management requirements can be met. This approach is referred to as
directory enabled networking (DEN). Cisco Systems Inc. and Microsoft Corp. launched the
DEN initiative in September 1997 and together with several other hardware and software
vendors they formed the DEN ad-hoc working group (DEN AHWG) in order to define what
directory enabled networking is.
It is important to note that directory enabled networking is not a replacement for network
management, because they address different needs. Network elements typically have a
dynamic state and a persistent state:
• Network management
This addresses the dynamic state of individual network devices. Network management
protocols, such as SNMP, CMIP, and RMON, are used to talk to network devices.
Current tools focus on individual devices rather than on the network as a whole.
• Directory enabled networking
This addresses the persistent state of network elements and also describes the
relationships between users, applications, network elements and network services. The
information in the directory network extensions is used to talk about network elements.
Directory enabled networking has two aims:
• To bind users to services available from the network according to a consistent and
rational set of policies.
• To provide the foundation to build intelligent networks and network-enabled
applications.
These require network-enabled applications that can access diverse information from a
common logical repository or directory. This information is stored and retrieved using the
LDAP protocol. Using a directory means that a directory schema is needed.
Because objects in a directory are essentially independent, an information model is needed
in order to establish relationships between objects. The information model defines the
interaction of users and applications with the network elements and services, and the
management of network elements and services. It is an object-oriented model that defines
the behaviour of network elements, services, users and applications, and the interaction
between them. The DEN philosophy is shown in figure 5. [JUD98]
Figure 5 The DEN philosophy (existing management protocols such as SNMP and RMON,
the DEN information model, existing and future management applications, DS-enabled
distributed applications and tools, and the directory service).
5.3 The DEN Schema
The DEN schema is based on the Common Information Model (CIM) defined by the
Desktop Management Task Force (DMTF). CIM is used to present a consistent view of the
managed environment independent of the various protocols and data formats supported by
the devices and applications in it. CIM is mainly concerned with the management of
individual components in an enterprise environment.
Schemas, such as SNMP MIBs and CIM, are intended primarily to address the details of
individual devices. CIM is concerned with many types of information, such as collections of
general-purpose devices, applications, and other components of a system. DEN attempts to
model collections of devices, networks, autonomous systems, and network clouds.
DEN has many information needs that are already addressed by CIM, so the DEN schema is
designed as an extension to the CIM schema version 2.0. This schema is referred to as the
DEN extended schema or simply as the DEN schema.
The DEN schema expresses and manages network element information not only in an
enterprise environment, but also in service provider networks. The DEN schema also
addresses network services and the policies that control the provisioning of network
elements, although it does not address these completely. In this way it enhances and
complements the existing CIM network model. [JUD98]
The DEN schema uses concepts from both X.500 and CIM. The DEN base classes and their
relationship to the X.500 and CIM classes are shown in figure 6.
Figure 6 DEN Base Classes, showing the X.500, CIM and DEN classes: Top, Alias, DSA,
ManagedSystemElement, Configuration, Application, Person*, Location, Group*,
Organization*, Product, FRU, Protocol*, NetworkProtocol, "NetworkDevice",
NetworkMedia, Profile, Policy, LinkedContainer, NetworkElement, Software*, System*,
Check, Action, Service*.
NOTE: 1. NetworkDevice is an abstraction of changes to existing CIM classes and not an
actual class. 2. Software, System, Service, Protocol, Person, Group, and Organization
represent sets of classes corresponding to that general function or service.
5.4 DEN Schema Benefits
A common namespace in a directory means that applications developed by different vendors
can interoperate with each other. This is independent of which directory service is used to
implement the schema and which network elements and services are being represented and
managed in the directory service. There are two forms of interoperability: the ability to share
information and the ability to reuse information. The former means that two applications
made by two different vendors can share information while they are running. The latter
means that one application from one vendor can reuse information that another application
from a different vendor has operated on. For example [MIC98]:
• Application X from vendor A can populate the directory with information about a
network.
• Application Y from vendor B could then provision part of the network using this
information according to policies that it has defined.
• Application Z from vendor C could then run background checks on another part of the
network, gathering statistical information and performing fault analysis.
It is important to note that in the above scenario none of the three applications needs to have
any knowledge about the other applications. The Directory Enabled Networks specification
defines a schema, which defines a namespace that enables applications to share and reuse
information. Furthermore, the Directory Enabled Networks specification defines an
information model that relates the different classes of that schema to each other. Another
benefit is the simplification of some administrative tasks, such as configuration
management. For example, if the SNMP trap destination IP address has to be changed on
all network devices, the administrator doesn't need to reconfigure each device individually;
instead the configuration change is made in the directory to a group containing all the
devices. DEN management applications may then automatically reconfigure the devices in
question.
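The following is an added model of the trap-destination example just described and of the section 5.2 requirement that a device retrieve its configuration from a repository; it is written for this page and is not the DEN schema, an LDAP implementation or any vendor's product. The entry names, the "device" and "groupOfNames" object classes, the snmpTrapDestination attribute and the 192.0.2.x addresses are constructed, and the tree only imitates a directory hierarchy.

```python
"""Added model of the configuration-management benefit just described, and of
the section 5.2 requirement that a device fetch its configuration from a
repository. Written for this page; not the DEN schema, LDAP, or any vendor's
product. Entry names, object classes, attributes and the 192.0.2.x addresses
are constructed, and the tree only imitates a directory hierarchy."""


class Directory:
    """Entries keyed by distinguished name; each entry is an attribute dict."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, **attrs):
        self.entries[dn] = dict(attrs)

    def modify(self, dn, **attrs):
        self.entries[dn].update(attrs)

    def search(self, base, **match):
        """Subtree search: entries under base whose attributes equal match."""
        return sorted(dn for dn, e in self.entries.items()
                      if dn.endswith(base)
                      and all(e.get(k) == v for k, v in match.items()))

    def effective_config(self, dn):
        """A device's configuration is the settings of the group it belongs to
        (its memberOf entry) overridden by the device's own attributes, so a
        replacement device can fetch the whole configuration by its name."""
        entry = self.entries[dn]
        config = dict(self.entries.get(entry.get("memberOf"), {}))
        config.pop("member", None)      # the member list is not device config
        config.update(entry)
        return config


MANAGED_ATTRS = ("snmpTrapDestination",)   # attributes the manager pushes


def devices_to_reconfigure(directory, base, running):
    """What a DEN management application does after a directory change: compare
    each device's running configuration ('running', constructed here as what the
    devices currently report) with the directory and return what must be pushed."""
    todo = {}
    for dn in directory.search(base, objectClass="device"):
        wanted = directory.effective_config(dn)
        diff = {k: wanted.get(k) for k in MANAGED_ATTRS
                if running.get(dn, {}).get(k) != wanted.get(k)}
        if diff:
            todo[dn] = diff
    return todo


def build_sample_directory():
    """Two switches that inherit their trap destination from a group entry."""
    d = Directory()
    group = "cn=switches,ou=network,o=example"
    d.add(group, objectClass="groupOfNames", snmpTrapDestination="192.0.2.10",
          member=["cn=sw1,ou=network,o=example", "cn=sw2,ou=network,o=example"])
    for name in ("sw1", "sw2"):
        d.add(f"cn={name},ou=network,o=example", objectClass="device",
              memberOf=group)
    return d
```

Changing snmpTrapDestination on the group entry makes every member device show up in devices_to_reconfigure, while a device-level attribute still overrides the group setting.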
DEN is a different way of looking at networks [STR99]:
• It focuses on managing the network instead of on individual devices.
• It offers an extensible way for different applications to share and reuse data with each
other.
• It facilitates the mapping of network clients to services provided by the network.
6 Vendors and Products
Most major networking vendors are members of the DEN AHWG, but this doesn’t mean
that products are available. Most vendors have shown a roadmap detailing how they intend
to implement directory enabled networking, authentication, prioritization and so on in their
product lines. But at the moment very little is available.
There are many different things needed in order to create a directory enabled network:
• LDAP-compliant directory servers
• Authentication servers and clients
• Devices with an LDAP client
• Accounting and auditing servers and applications
• Policy servers and applications
• Directory-aware network management applications
Several LDAP-compliant directory servers are available, e.g. Netscape Directory Server,
IBM eNetwork LDAP Directory, Microsoft Windows 2000 Server Active Directory, and
Novell LDAP Services for NDS. The DEN schema can be incorporated in any LDAP-
compatible directory server.
Authentication, authorization, and accounting servers are also available, e.g. Merit
Networks AAA Server. Proprietary policy servers are available from a few vendors, such as
3Com Transcend Network Control Services, Cabletron Spectrum Connection Services
Manager and Cisco QoS Policy Manager.
Some vendors offer network devices that support user authentication, for example Xylan
OmniSwitch switches.
Networking devices with an LDAP client are also available from some vendors, but they
usually only support retrieval of information and not updating of the directory. Some
management applications are available that retrieve station information, such as MAC
address, layer 3 addresses, etc., from network devices and store it in a proprietary directory.
An example is Cabletron Spectrum VLAN Manager.
The problem is making it all fit together. Authentication and authorization mechanisms must
be standardized, and the network must support policies bound to users and not to devices.
No vendor has a complete set of products yet. Fortunately the standards-based approach
defined by DEN enables products from different vendors to work together. In other words, it
will be possible to choose a directory server from one vendor, policy and authentication
servers from another vendor, management and accounting applications from a third vendor
and network devices from other vendors.
Nevertheless, there is still a long way to go and it will take a few years before the potential
of DEN can be fulfilled.
7 Conclusion
There are many new and powerful features available in new networking devices and
concepts. Many of these features are useful for service providers and also for network
administrators in large enterprises. These features include:
• Versatile VLANs
• Prioritization
• Authentication
• Service level agreements
• Accounting and billing
However, these features also place a large administrative load on the people responsible for
running the network. For example, device configurations for devices from different vendors
need to be stored, policies need to be defined, configured and enforced, SLAs need to be
monitored, and users need to be authenticated.
There is a need for new tools to manage these new and complex environments and directory
enabled networking is promising to provide the basis for these tools. A next generation
network may be based on the use of directory, policy, authentication and accounting
servers. Third-party software vendors can provide applications that make use of the
directory servers. If and when this becomes a reality it might be possible to provide high
class, secure and authenticated network services bound to useful and verifiable SLAs in a
cost-effective manner.
Auditing and accounting software can correlate application response time with network
response time, and help ascertain whether it is the server, the application, or the network
that is causing a delay.
Network resources are not infinite. Sooner or later the demands on the LAN will be greater
than what it can supply. Directory enabled networking is a huge and complex project, and
perhaps it is not needed today or even in the foreseeable future.
However, in the field of data communications, the foreseeable future is not very long.
8 References
[ABO98] Aboba, B., Appropriate Use of Directory Services (Presentation at DEN
AHWG meeting 28.2.1998). Microsoft Corp. February 1998.
[GON99] Goncalves, M., Directory-Enabled Networks. McGraw-Hill. 1999.
[INT98] Intel Corporation, Delivering Guaranteed Services Levels (Presentation at
Summit ’98 Conference), Intel Corporation. August 1998.
[JUD98] Judd, S. & Strassner, J., Directory Enabled Networks - Information Model
and Base Schema (Preliminary Draft version 3.0c5). Directory Enabled
Networks Ad Hoc Working Group. 29.08.1998.
[KIL98] Kille, S., Why do I need a Directory when I could use a Relational Database?
(Presentation at EMA99 Conference). Isode Inc. April 1998.
[MCC98] McConnell, J., Service Level Management - Leveraging Your Network
Investments (White Paper). McConnell Associates. July 1998.
[MIC98] Microsoft Corporation, Lowering TCO With Active Directory-Enabled
Applications (White Paper). Microsoft Corp. July 1998.
[NET96] NetReference, Guide to Virtual LANs (White Paper). NetReference Inc. May
1996.
[PAS99] Passmore, L.D., The Fine Print of SLAs. Business Communications Review.
February 1999.
[ROM99] Roman, M., SmartSwitch Multi-Layer Frame Classification (Cabletron
Systems Technology White Paper). Cabletron Systems Inc. May 1999.
[SEM98] Semeria, C. & Fuller, F., Directory-Enabled Networks and 3Com’s
Framework for Policy-Powered Networking (3Com Technology White
Paper). 3Com Corporation. May 1998.
[SMI98] Smith, M., Virtual LANs – A Guide to Construction, Operation, and
Utilization. McGraw-Hill. 1998.
[STA99] Stardust Technologies, The Need for QoS (QoS Forum White Paper).
Stardust Technologies Inc. July 1999.
[STR98] Strassner, J., Policy Breakout Session (Presentation at DEN AHWG meeting
28.2.1998). Cisco Systems Inc. February 1998.
[STR99] Strassner, J., McNeill, T., Grimstad, A., CIM V2.2 Network Model
(Presentation at DMTF Annual Conference June 1999). DMTF. June 1999.
[VOL99] Vollbrecht, J. & Calhoun, P. & Farrell, S. & Gommans, L. & Gross, G. &
de Bruijn, B. & Holdrege, M. & Spence, D., AAA Authorization Architecture
and Requirements (Internet Draft). Internet Engineering Task Force. June
1999. Work in progress.
[WAH97] Wahl, M. & Howes, T. & Kille, S., RFC 2251 Lightweight Directory Access
Protocol (v3). Internet Engineering Task Force. December 1997.
[XYL98] Xylan Corporation, Switched Network Services – Authentication (Xylan
Technology White Paper). Xylan Corporation. May 1998.