Teknillinen Korkeakoulu (Helsinki University of Technology)

Laboratory of Telecommunications Technology

S-38.128 Special Assignment in Telecommunications Technology

Providing Advanced VLANs as a Service

Author: Peter Lindblom 31806A

[email protected]

Supervisor: Vesa Kosonen

6.8.1999

Teknillinen Korkeakoulu, Laboratory of Telecommunications Technology. Page 2 (33)

S-38.128 Special Assignment in Telecommunications Technology, 6.8.1999, Peter Lindblom 31806A

Abstract

VLANs are being employed more and more in corporate networks. New and advanced VLAN networking features are becoming available, but they are quite complicated, and consequently companies are beginning to outsource their LANs to service providers. Service providers, however, need to be able to manage these networks. This work describes some of the features VLANs can provide, how they can be managed by a new concept called directory enabled networking, and how ready vendors are to provide products supporting directory enabled networking.


Table of Contents

Abstract ... 2
1 Vocabulary ... 4
2 Introduction ... 5
3 Traditional VLANs ... 6
3.1 Definition of VLANs ... 6
3.2 The Benefit of VLANs ... 8
3.3 Types of VLAN Membership ... 9
3.4 Automation of VLAN Membership Assignment ... 11
3.5 VLAN Membership Communication Between Switches ... 11
4 Advanced VLAN Services ... 13
4.1 Traffic Prioritization ... 13
4.1.1 QoS ... 13
4.1.2 CoS ... 14
4.1.3 ToS ... 14
4.1.4 IEEE 802.1p ... 14
4.1.5 Prioritization in a LAN/WAN environment ... 16
4.1.6 Queuing mechanisms ... 16
4.2 Policy Based Networking ... 17
4.3 Service Level Agreements ... 18
4.4 User and Device Authentication ... 18
4.5 VLANs across the WAN ... 21
4.6 Challenges Caused by Advanced VLAN Services ... 21
5 Directory Enabled Networking ... 22
5.1 Directory Services ... 22
5.2 The Purpose of Directory Enabled Networking ... 23
5.3 The DEN Schema ... 26
5.4 DEN Schema Benefits ... 28
6 Vendors and Products ... 29
7 Conclusion ... 31
8 References ... 32


1 Vocabulary

AAA Authentication, Authorization and Accounting

ATM Asynchronous Transfer Mode

CFI Canonical Format Indicator

CIM Common Information Model

CoS Class of Service

DEN AHWG DEN Ad Hoc Working Group

DEN Directory Enabled Networking

DMTF Desktop Management Task Force

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

IP Internet Protocol

LAN Local Area Network

LDAP Lightweight Directory Access Protocol

MAC Media Access Control

MIB Management Information Base

MPLS Multi-Protocol Label Switching

MTU Maximum Transmission Unit

NFS Network File System

PDP Policy Decision Point

PEP Policy Enforcement Point

QoS Quality of Service

RSVP Resource ReSerVation Protocol

SLA Service Level Agreement

SLM Service Level Management

SNMP Simple Network Management Protocol

TCI Tag Control Information

TCP Transmission Control Protocol

ToS Type of Service

VID VLAN Identifier

VLAN Virtual Local Area Network

VoIP Voice over IP

WAN Wide Area Network


2 Introduction

Networking has evolved a long way since the first 802.3 10Base5 networks in the 1980s. Almost all corporate PCs and workstations have network cards installed. But the use of the network has also changed dramatically. In the beginning the aim of the network was file sharing, but above all sharing expensive equipment, such as a laser printer, among users. File sharing over the network was not so important, because most documents fitted on a floppy disk. The Internet was focused around the educational world, such as universities, and its commercial use was unheard of. Nowadays this has all changed: the network has become more and more important. A workstation that is not networked is almost useless in a company environment, and it is not unusual for a PC not to work at all if it can't get access to the network. The network is much more than just sharing printers and files. Network applications, such as web browsing, voice and video conferencing and multicast applications, have changed the way people work. Companies depend on the network.

At the same time as networks have become increasingly important they have also become more and more complex. Current management tools focus on element management, i.e. they manage devices and not the network as a whole. What has been needed for a long time is end-to-end management. In order to achieve this new level of management, and also to be able to use the network resources in a cost-effective manner, a group of companies and interested parties formed the Directory Enabled Networking ad-hoc working group. The purpose of the DEN AHWG is to create a schema and information model that describes networking equipment, network services and networks in a standard and formalized way.

There are also a few other new demands on future networks that are worth mentioning: Service Level Agreements (SLAs) and policy based networks. These also require much from the underlying network infrastructure. DEN attempts to model policies in the DEN schema, which also makes it easier to enforce SLAs.

The focus of this study is on how future VLANs can make use of the DEN model in order to facilitate policy based networking and SLA enforcement, mainly in an Ethernet LAN environment. These two characteristics are essential from a service provider's point of view for providing LAN and integrated LAN & WAN end-to-end networking solutions. Only when these are implemented is it possible to provide Quality of Service and guarantee SLAs in a LAN environment.


3 Traditional VLANs

3.1 Definition of VLANs

A physical Ethernet LAN segment consists of network nodes connected to each other via a hub or repeater. This means that all network nodes share the bandwidth of the segment, which in turn means that only one node may transmit successfully at each moment. If two or more nodes attempt to transmit at the same time a collision occurs; the collision is propagated through the hubs and repeaters, and the nodes have to resend their data after the collision. A LAN segment is therefore often also called a collision domain. It consists of stations, hubs and repeaters. A bridge, switch or router can be used as a collision domain boundary, i.e. collisions are not propagated through these devices.

Bridges and switches connect LAN segments to each other, and MAC broadcasts and multicasts are propagated through bridges and switches. This area is referred to as a broadcast domain. Routers are traditionally used as a broadcast domain boundary. The topology of a typical LAN is shown in figure 1.


Figure 1 A typical LAN. (Diagram not reproduced; its elements are a WAN connection, a router, a switch, a hub, a server, a printer, a notebook and a workstation, with links labelled 10BaseT and 100BaseTX.)

LAN switches have become more and more commonplace because the price per port has come down dramatically in the last few years, at the same time as the performance and capabilities of the switches have increased. The impact on LANs is that the number of LAN segments has increased while the number of users per segment has dropped. Today it is not unusual for each user to have a dedicated switch port; this is called microsegmentation. On the other hand this has also meant that the broadcast domains have become bigger, because relatively cheap switches have been used to replace expensive routers. To address this broadcast domain problem switch vendors have developed an alternative way to contain broadcasts instead of using routers. The solution is called virtual LANs, or VLANs.

A VLAN can roughly be described as a broadcast domain, but a technically more correct description is that a VLAN is a group of stations, possibly on separate physical LAN segments, that are not constrained by their physical location and communicate as if they were on a common LAN (figure 2). [SMI98]


Figure 2 A simple VLAN network. (Diagram not reproduced; it shows Switch A and Switch B connected by a trunk, serving numbered stations on the 1st and 2nd floors of Building 1 and Building 2.)

3.2 The Benefit of VLANs

The advantages of VLANs over traditional LANs are [SMI98]:

• Performance
In broadcast/multicast intensive networks VLANs can be used to control the propagation of broadcasts and multicasts, reducing unnecessary traffic. Obviously a router can also do this, but the latency of a switch is typically smaller than the latency of a router.

• Virtual workgroups
People that work in the same workgroup need not be physically connected to the same LAN segment or switch in order to be part of the same VLAN; therefore there is no need to physically reconfigure the network in order to contain the broadcast/multicast traffic created by the workgroup. If shared resources can't be members of multiple VLANs this creates a potential bottleneck.


• Simplified administration
According to studies up to seventy percent of network costs are due to moves, adds and changes of users in the network. By using VLANs some of these tasks can be simplified, reducing the cost of operation. For example, routers may not need to be reconfigured and the network addresses of workstations need not be changed when a user moves. On the other hand, VLANs create a new administration task that did not exist previously.

• Reduced cost
VLANs can be used to create broadcast domains without the need for routers, which are more expensive than switches.

• Security
With the use of VLANs broadcast domains can be made smaller, which means that eavesdropping on the traffic of a particular LAN is more difficult.

3.3 Types of VLAN Membership

The VLAN membership of stations can be defined in several different ways, and not all vendors support all of them. The following are the most common types of VLAN membership assignment [NET96]:

• Port based (Layer 1)
The VLAN membership of a station is determined by the physical switch port that the station is connected to. A station can only belong to one VLAN, and when the station is moved the VLAN membership needs to be reconfigured. This is the most common type of VLAN membership assignment.

• MAC address based (Layer 2)
The VLAN membership of a station is determined by the MAC address of the network card of the station. When the station is moved the VLAN membership follows it. Often this means that there can only be one user per switch port, or alternatively all users connected to the same port must belong to the same VLAN. VLAN membership needs to be reconfigured if the MAC address changes. Several vendors support VLANs based on MAC addresses.


• Protocol based (Layer 2)
The VLAN membership of a station is determined by the network protocols that the station uses, e.g. IP, IPX, AppleTalk, NetBEUI, etc. Usually this means that the station may be a member of several VLANs. Only a few switch vendors support protocol based VLANs.

• Network number based (Layer 3)
The VLAN membership of a station is determined by the (sub)network that the station belongs to, e.g. IP subnet, IPX network, AppleTalk network, DECnet network etc. Usually this means that the station may be a member of several VLANs. Only a few switch vendors support VLANs based on network numbers.

• IP multicast group based (Layer 3)
The VLAN membership of a station is based on the IP multicast groups that the station is a member of. To be useful this requires that the station can be a member of several VLANs. Few switch vendors support VLANs based on IP multicast groups.

• Higher layer VLANs
The VLAN membership of a station can also be based on higher layer applications, user IDs, or other policies. This means that for example HTTP, Lotus Notes, SAP R/3, NFS, Novell SAP etc. can be in different VLANs, or, depending on the user, the station may be a member of different VLANs. Very few switch vendors support VLANs based on higher layer definitions.

It is important to note that using one type of VLAN membership does not preclude using other types at the same time. The combining of different VLAN membership classification criteria is sometimes called policy based VLANs.
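As an added example (not code from the thesis), the following Python combines the membership criteria above into one policy based VLAN lookup. The precedence among criteria, the VID tables and the sample stations are assumptions constructed for illustration; real switches apply vendor specific precedence. The port_conflicts check flags the situation described under MAC address based membership, where stations sharing one port resolve to different VLANs, which a switch that supports only one VLAN per port cannot honour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_IPX = 0x8137


@dataclass
class Station:
    port: int                 # physical switch port (layer 1 criterion)
    mac: str                  # MAC address of the station's NIC (layer 2)
    ethertype: int            # protocol type seen in its frames (layer 2)
    ip: Optional[str] = None  # source IP address, if the frame carries IP (layer 3)


@dataclass
class VlanPolicy:
    """Membership tables for the criteria of section 3.3; a switch that only
    supports port based VLANs would fill in port_vlans alone."""
    port_vlans: Dict[int, int] = field(default_factory=dict)           # port -> VID
    mac_vlans: Dict[str, int] = field(default_factory=dict)            # MAC -> VID
    protocol_vlans: Dict[int, int] = field(default_factory=dict)       # EtherType -> VID
    subnet_vlans: List[Tuple[str, int]] = field(default_factory=list)  # (CIDR, VID)
    default_vid: int = 1

    def classify(self, s: Station) -> int:
        """Return the VID for a station by combining the membership types.
        The precedence is an assumption of this example: criteria that
        identify the station itself (MAC, subnet) win over criteria that
        describe only its traffic (protocol) or its wiring (port)."""
        if s.mac.lower() in self.mac_vlans:
            return self.mac_vlans[s.mac.lower()]
        if s.ip is not None and s.ethertype == ETHERTYPE_IP:
            addr = ipaddress.ip_address(s.ip)
            for cidr, vid in self.subnet_vlans:
                if addr in ipaddress.ip_network(cidr):
                    return vid
        if s.ethertype in self.protocol_vlans:
            return self.protocol_vlans[s.ethertype]
        return self.port_vlans.get(s.port, self.default_vid)


def port_conflicts(policy: VlanPolicy, stations: List[Station]) -> Dict[int, Set[int]]:
    """Ports whose attached stations resolve to more than one VID."""
    seen: Dict[int, Set[int]] = {}
    for s in stations:
        seen.setdefault(s.port, set()).add(policy.classify(s))
    return {port: vids for port, vids in seen.items() if len(vids) > 1}


# Constructed policy tables and stations for the demonstration.
POLICY = VlanPolicy(
    port_vlans={1: 10, 2: 10, 3: 20},
    mac_vlans={"00:10:5a:aa:bb:01": 30},
    protocol_vlans={ETHERTYPE_IPX: 40},
    subnet_vlans=[("10.1.0.0/16", 50)],
)

STATIONS = [
    Station(1, "00:10:5a:00:00:01", ETHERTYPE_IP, "192.168.1.5"),  # port based -> 10
    Station(1, "00:10:5a:aa:bb:01", ETHERTYPE_IP, "192.168.1.6"),  # MAC based -> 30
    Station(3, "00:10:5a:00:00:03", ETHERTYPE_IPX),                # protocol based -> 40
    Station(3, "00:10:5a:00:00:04", ETHERTYPE_IP, "10.1.7.9"),     # subnet based -> 50
    Station(9, "00:10:5a:00:00:05", ETHERTYPE_IP, "172.16.0.2"),   # no match -> default 1
]

if __name__ == "__main__":
    for s in STATIONS:
        print(f"port {s.port} {s.mac} -> VLAN {POLICY.classify(s)}")
    print("ports with conflicting memberships:", port_conflicts(POLICY, STATIONS))
```

Ports 1 and 3 both come out as conflicts: on port 1 a MAC based entry overrides the port's VLAN for one station only, and on port 3 a protocol based and a subnet based station land in different VLANs. Whether that is acceptable depends on whether the switch can keep several VLANs on one port, which is exactly the vendor limitation the text warns about.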


3.4 Automation of VLAN Membership Assignment

An important aspect of using VLANs is how they are configured, how good the configuration tools are, and the degree of automation. Basically there are three different levels of automation [SMI98]:

• Manual
The initial VLAN membership setup and subsequent moves, adds and changes are done by the network administrator. The level of control is high, but in big networks this also means a lot of configuration work, which defeats one purpose of using VLANs in the first place. However, the amount of work depends on the, usually vendor specific, VLAN administration tools used.

• Semi-automated
Initial VLAN membership setup or subsequent changes, or even both, may be automated. Initial VLAN membership setup can be automated by defining protocol based or subnet/network number based VLANs. Subsequent moves may also be automated by using these types of VLANs or by using MAC address based VLANs. Even if both initial setup and subsequent changes are automated this is still considered semi-automated, because the administrator has the option of manual configuration.

• Fully-automated
Stations dynamically and automatically join VLANs depending on preset application, user ID or other policies.

3.5 VLAN Membership Communication Between Switches

At least equally important is how VLAN membership information is propagated through the switches. Without a mechanism for this VLANs would be limited to a single switch, or alternatively two switches would have to be interconnected with as many links as there are VLANs defined, which clearly is not scalable. Exceptions are, of course, VLANs based on protocol type, network number etc., because in these cases the VLAN membership can be derived from the frame itself. Usually, however, there is a need for communicating VLAN membership information, which can be done in the following three ways [NET96]:


• Signaling
Each switch keeps a table of stations and associated VLANs. Whenever there is a change in the table for locally attached users, i.e. users directly connected to that switch, the switch sends the updated information to the other switches. Depending on the size of the network, the amount of changes and the specific type of signaling used, this approach doesn't necessarily scale well. A few vendors use this method.

• Frame tagging
Each frame sent on an interswitch link is tagged with the corresponding VLAN membership information, i.e. a tag containing the necessary information is inserted in each frame. If the original frame is big enough the tagged frame may be bigger than the maximum size of layer 2 frames. Previously the tag format and the handling of oversized frames were vendor specific, but this has now been standardized in IEEE 802.1Q. This is the most common method used.

• Time Division Multiplexing
In this method timeslots are reserved for each VLAN on the interswitch link. This means that there is no overhead with signaling or tagging. On the other hand it wastes bandwidth, because if a certain VLAN timeslot doesn't have any traffic that timeslot may not be used by any other VLAN. No major switch vendors use this method.


4 Advanced VLAN Services

4.1 Traffic Prioritization

Nowadays it is not enough just to have high performance networking products; equally important is getting the highest level of network service. Service providers as well as network managers look for better ways to serve their customers. IT managers, service providers, backbone operators and standards organizations research and develop service quality systems, such as QoS and CoS, for current and future networks. At the same time it is vital to maintain a migration path to newer technology that is both practical and economically feasible. [INT98]

There are different approaches to traffic prioritization, such as Quality of Service (QoS), Class of Service (CoS), and Type of Service (ToS).

4.1.1 QoS

Quality of Service (QoS) mechanisms provide the necessary level of service (bandwidth and delay) to an application in order to maintain an expected quality level. The expected quality level from a technical point of view depends on the application that requires the Quality of Service. To a mission-critical application, QoS means guaranteed bandwidth with zero frame loss. For a telephony application, such as voice over IP (VoIP), QoS means guaranteed frame latency. [STA99]

QoS places a significant burden on the network infrastructure. Each device must keep an entry in its forwarding table for each application flow. In a large corporate network, devices can become overwhelmed with the millions of flows, especially at the boundaries. ATM, Frame Relay, and Multi-Protocol Label Switching (MPLS) are examples of protocols that deliver a level of service per application flow. Resource Reservation Protocol (RSVP) is another protocol that has gained acceptance as a valid QoS mechanism. RSVP delivers end-to-end service by reserving bandwidth and availability of resources along a particular path. RSVP is implemented in some routers, Layer 3 switches, and in Microsoft's NT 5.0 Server. However, complete end-to-end QoS implementations are difficult to achieve in today's corporate LAN environment and come at a high price.


4.1.2 CoS

Class of Service (CoS) mechanisms reduce flow complexity by mapping multiple flows into a few service levels. Network resources are then allocated based on these service levels, and flows can be aggregated and forwarded according to the service class of the packet. CoS applies bandwidth and delay to different classes of network services, instead of the fine-grained control provided by QoS. CoS easily scales with network expansion. As the network grows, traffic continues to be managed based on a few service levels, keeping infrastructure burdens to a minimum. In the LAN environment IEEE 802.1p is a standard method of signaling CoS at OSI Layer 2.

4.1.3 ToS

Type of Service (ToS) was defined in the early 80s, but was largely unused until recent IP traffic bottlenecks at the access routers required prioritization of traffic in order to achieve better service levels. The Type of Service octet in the IPv4 header includes three precedence bits defining seven different priority levels, ranging from highest priority for network control packets to lowest priority for routine traffic. The remaining five bits are not used. Some access routers and ToS-aware Layer 3 LAN switches read the precedence bits and map them to forward and drop behaviours. ToS applies only to IP and not to other protocols.

4.1.4 IEEE 802.1p

IEEE 802.1p is a supplement to the 1998 version of the IEEE 802.1D bridging standard, to which it adds Traffic Class Expediting functionality. Traffic class expediting consists of two parts, called Dynamic Multicast Filtering and Traffic Classification. Traffic Classification defines a method of prioritizing packets based on a Layer 2 tag that is inserted in the frame either by a station, a switch, or a router. This standard defines eight different priorities. The Tag Control Information (TCI) field is defined in the IEEE 802.1Q standard and is shown in figure 3. The user_priority field consists of three bits and may represent eight priority levels, 0 through 7. The highest priority is 7 and the lowest is 1; the default priority is 0.


The insertion of the priority value (0-7) allows all tag aware devices in the network to make intelligent forwarding decisions based on their own level of support for prioritization. A switch or router that complies with IEEE 802.1p maps each priority into a specific transmit queue, and the standard requires that devices must support at least two transmit queues per port. It is important to note that although there are eight different priority levels that can be signaled, the device doesn't need to have eight different priority queues. Most vendors' LAN switches support four priority queues, which means that the switch by default maps the incoming signaled priority according to table 1.

Table 1 Priority queues and transmit queues.

802.1p Priority   Transmit Queue
       7                3
       6                3
       5                2
       4                2
       3                1
       2                0
       1                0
       0                1

Figure 3 IEEE 802.1Q TCI. (Diagram not reproduced; the two-octet TCI carries, from the most significant bit, user_priority (3 bits), CFI (1 bit) and the VLAN Identifier, VID (12 bits).)


The following things should be noted in this table:

• Priority 7 is the highest.
• Transmit queue 3 is serviced first.
• Two IEEE 802.1p priorities are mapped to each transmit queue.
• Because 0 is the default value in the tag it is mapped to transmit queue 1 and not transmit queue 0; in essence this means that priorities 1 and 2 are the lowest and are accordingly mapped to transmit queue 0.

It is also important to note that the switch doesn't need to accept the incoming signaled priority; instead the switch may classify and re-label the priority according to different classification rules. [ROM99]
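The following Python is an added example, not code from the thesis, that ties together frame tagging (section 3.5) and the TCI layout and Table 1 mapping of this section. It inserts an 802.1Q tag into a constructed untagged frame, reads user_priority, CFI and VID back, selects the transmit queue with Table 1's default mapping, shows how a switch may re-label the signaled priority, and checks whether the tagged frame exceeds the classic maximum frame size. The 1518-byte untagged and 1522-byte tagged limits are taken from IEEE 802.3; the sample frame and MAC addresses are constructed.

```python
import struct
from typing import Dict, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID announcing an inserted 802.1Q tag
ETHERTYPE_IP = 0x0800
MAX_UNTAGGED_FRAME = 1518  # IEEE 802.3 maximum frame size including the 4-byte FCS
MAX_TAGGED_FRAME = 1522    # limit raised by the 4-byte tag for tag aware devices

# Default mapping of Table 1: 802.1p user_priority -> transmit queue on a
# switch with four transmit queues (queue 3 is serviced first).
PRIORITY_TO_QUEUE: Dict[int, int] = {7: 3, 6: 3, 5: 2, 4: 2, 3: 1, 2: 0, 1: 0, 0: 1}


def build_tci(user_priority: int, cfi: int, vid: int) -> int:
    """Pack the 16-bit Tag Control Information of figure 3:
    3 bits user_priority, 1 bit CFI, 12 bits VLAN Identifier."""
    if not 0 <= user_priority <= 7:
        raise ValueError("user_priority must be 0..7")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID must fit in 12 bits")
    return (user_priority << 13) | (cfi << 12) | vid


def parse_tci(tci: int) -> Tuple[int, int, int]:
    """Inverse of build_tci: returns (user_priority, cfi, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def insert_tag(frame: bytes, user_priority: int, vid: int, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag after the source MAC of an untagged frame laid out
    as dst(6) + src(6) + EtherType(2) + payload; the FCS is not included."""
    if len(frame) < 14:
        raise ValueError("frame too short to carry an Ethernet header")
    tag = struct.pack("!HH", ETHERTYPE_8021Q, build_tci(user_priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def is_tagged(frame: bytes) -> bool:
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q


def parse_tagged(frame: bytes) -> Dict[str, int]:
    """Read the tag of a tagged frame and pick the transmit queue of Table 1."""
    if not is_tagged(frame):
        raise ValueError("frame carries no 802.1Q tag")
    user_priority, cfi, vid = parse_tci(struct.unpack("!H", frame[14:16])[0])
    inner_ethertype = struct.unpack("!H", frame[16:18])[0]
    return {"user_priority": user_priority, "cfi": cfi, "vid": vid,
            "ethertype": inner_ethertype, "queue": PRIORITY_TO_QUEUE[user_priority]}


def relabel_priority(frame: bytes, new_priority: int) -> bytes:
    """A switch need not accept the signaled priority: rewrite user_priority
    according to its own classification rule, keeping CFI and VID intact."""
    _, cfi, vid = parse_tci(struct.unpack("!H", frame[14:16])[0])
    return frame[:14] + struct.pack("!H", build_tci(new_priority, cfi, vid)) + frame[16:]


def oversized(frame: bytes, tag_aware: bool, fcs_len: int = 4) -> bool:
    """Tagging a maximum-size frame pushes it past 1518 bytes; only a device
    that implements the raised tagged-frame limit of 802.1Q accepts it."""
    limit = MAX_TAGGED_FRAME if tag_aware else MAX_UNTAGGED_FRAME
    return len(frame) + fcs_len > limit


# Constructed sample: an untagged IP frame carrying a full 1500-byte payload.
UNTAGGED = (bytes.fromhex("00105a000001") + bytes.fromhex("00105a000002")
            + struct.pack("!H", ETHERTYPE_IP) + b"\x00" * 1500)
TAGGED = insert_tag(UNTAGGED, user_priority=5, vid=100)

if __name__ == "__main__":
    print(parse_tagged(TAGGED))
    print("oversized for a pre-802.1Q switch:", oversized(TAGGED, tag_aware=False))
    print("oversized for an 802.1Q switch:", oversized(TAGGED, tag_aware=True))
    print("queue after re-labelling to priority 1:",
          parse_tagged(relabel_priority(TAGGED, 1))["queue"])
```

The oversized check is the practical consequence of the "oversized frames" remark in section 3.5: a 1514-byte frame plus FCS fits the 1518-byte limit untagged, but the same frame tagged is 1522 bytes on the wire and is dropped by a device that only knows the older limit.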

4.1.5 Prioritization in a LAN/WAN environment

In a LAN prioritization signaling may be achieved through the use of 802.1p. Routers, however, operate at layer 3 and accordingly do not forward layer 2 headers, which means that the IEEE 802.1Q header is lost when a router forwards a frame. Therefore a router receiving a frame with 802.1p priority information needs to be able to map that priority to a layer 3 priority, or to classify the frame according to its own rules.

In the case of IP the layer 3 prioritization scheme may be IP ToS, but for other protocols there is not yet a standard way to signal priority. This means that either the protocol used should be IP and all routers in the path should support IP ToS, or each router should be able to classify and prioritize frames independently.

4.1.6 Queuing mechanisms

In order to support prioritization a device needs to support multiple transmit queues. These queues can typically be serviced based on a strict queuing mechanism or based on a weighted fair queuing mechanism.

Strict queuing specifies that all frames in the highest priority transmit queue will be transmitted before the frames in the lower priority transmit queues. Weighted fair queuing allows the network administrator to give a certain percentage or weight to each queue, preventing a lower priority queue from being starved.
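To make the starvation point concrete, here is an added Python simulation (not from the thesis) of the two service disciplines over the four transmit queues of Table 1. Weighted fair queuing is simplified to weighted round robin, with per-queue frame counts as the weights; the queue backlog and the weights are constructed for the illustration.

```python
from collections import deque
from typing import Deque, Dict, List, Tuple

QUEUES = (3, 2, 1, 0)   # transmit queues of Table 1, highest priority first


def make_queues(backlog: Dict[int, int]) -> Dict[int, Deque[str]]:
    """Constructed backlog: backlog[q] frames waiting in transmit queue q."""
    return {q: deque(f"q{q}-frame{i}" for i in range(backlog.get(q, 0))) for q in QUEUES}


def strict_priority(queues: Dict[int, Deque[str]], slots: int) -> List[Tuple[int, str]]:
    """Strict queuing: every transmit opportunity goes to the highest priority
    queue that holds a frame; lower queues wait until the higher ones drain."""
    sent: List[Tuple[int, str]] = []
    for _ in range(slots):
        for q in QUEUES:
            if queues[q]:
                sent.append((q, queues[q].popleft()))
                break
        else:
            break  # every queue is empty
    return sent


def weighted_fair(queues: Dict[int, Deque[str]], weights: Dict[int, int],
                  slots: int) -> List[Tuple[int, str]]:
    """Weighted round robin as a simplification of weighted fair queuing:
    in each round queue q may send up to weights[q] frames, so any queue
    with a non-zero weight keeps a share of the link even under a flood."""
    sent: List[Tuple[int, str]] = []
    while len(sent) < slots and any(queues[q] for q in QUEUES):
        for q in QUEUES:
            for _ in range(weights[q]):
                if queues[q] and len(sent) < slots:
                    sent.append((q, queues[q].popleft()))
    return sent


def service_counts(sent: List[Tuple[int, str]]) -> Dict[int, int]:
    """How many frames each queue got onto the wire."""
    counts = {q: 0 for q in QUEUES}
    for q, _ in sent:
        counts[q] += 1
    return counts


BACKLOG = {3: 20, 0: 5}             # constructed: a flood in queue 3, routine traffic in queue 0
WEIGHTS = {3: 4, 2: 2, 1: 1, 0: 1}  # constructed weights: 50 / 25 / 12.5 / 12.5 % of the link


def compare(slots: int = 10) -> Dict[str, Dict[int, int]]:
    """Service received by each queue under both disciplines for `slots` slots."""
    return {"strict": service_counts(strict_priority(make_queues(BACKLOG), slots)),
            "weighted": service_counts(weighted_fair(make_queues(BACKLOG), WEIGHTS, slots))}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(name, counts)
```

With ten transmit slots and a twenty-frame backlog in queue 3, strict queuing sends nothing from queue 0 at all, while the weighted scheduler still gives it two of the ten slots. When the link is not saturated (thirty slots) both disciplines deliver every frame, so the difference only shows up under overload, which is when an SLA for the lower class is at risk.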


4.2 Policy Based Networking

Network resources are complicated to control today, and networking professionals and IT managers don't have tools to measure their success at keeping both the networks functioning and the users satisfied with the service they are getting.

For example, when mission-critical applications and end users demand reliable network service, IT managers often must:

• Over-allocate network capacity
This potentially wastes resources that could be applied elsewhere. It is also very probable that the capacity required is underestimated, because actual usage is difficult to predict.

• Restrict overall computing capabilities
This potentially prevents some end users from getting the most out of their workstations. For example, some IT managers will ban applications such as distance learning or business video broadcasts, because they fear the network might collapse.

Therefore there is a need to be able to configure the network so that the mission critical applications and users are recognized and prioritized. This can be achieved by using simple rules called policies. [STR99]

All policies consist of two components:

• First, a set of conditions must be specified under which the policy applies; otherwise the policy has no context.
• Second, a set of actions must be specified that either maintain the current state of the object or transition the object to a new state as a consequence of either satisfying or not satisfying the condition set.

Policies can be classified into two categories, simple and complex. Complex policies are policies that are composed of simpler policies, and consist of a complex set of conditions and actions. Hierarchical policies are another example of complex policies. This hierarchy can be used to simplify the administration of policies. In general, complex policies model intricate interactions between objects that have complex interdependencies. Examples of this include a sophisticated user logon policy that sets up application access and security, and reconfigures network connections based on a combination of user identity, network location, logon method and time of day. Simple policies are those that can be expressed in a simple statement. They can be represented effectively in schemas or MIBs. Examples of this are VLAN assignments, simple yes/no QoS requests, and IP address allocations. [SEM98]

There are both static and dynamic policies. Static policies require only enforcement and they characterize static user attributes or situational parameters, such as a specific location. Dynamic policies get enforced when needed, such as when a user with "Gold Service" logs on or when the network gets congested and SLAs are violated. Dynamic policies require both policy decisions and enforcement. [STR98]

4.3 Service Level Agreements

A Service Level Agreement (SLA) is an explicit, formal statement indicating what the service providers will deliver to their customers. Service providers include, among others, LAN service providers and internal corporate IT organizations. A means to enforce the contract must be available. The management system must take actions to maintain service quality because SLAs are becoming more common within organizations as well as between service providers and customers. [PAS99]

SLAs define the provided services, including the criteria, measurements, and commitments. Standard metrics are availability, mean time to repair, response time, throughput, data volume, jitter, wait time, and so on. [MCC98]

Some examples of contracts are:

"SAP R/3 users are each guaranteed 4 Mbps of bandwidth every day between 08:00 and 17:00."

"Authenticated healthcare users can access the healthcare server, other users can't."
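The conditions-and-actions structure of a policy described in 4.2, and the two contracts quoted above, as an added Python example that is not part of the original report; the group names, the server name and the policy names are constructed for the example.

```python
"""Condition/action policy evaluation (added example, not from the report).

Every policy carries a set of conditions plus the actions to take when the
conditions are satisfied or not satisfied; a complex policy nests simpler
policies that only apply inside a matching parent. The two quoted contracts
are encoded as policies. All names (groups, hosts) are constructed.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, Iterable, List, Optional

Context = Dict[str, Any]               # who, where, when and what of a request
Condition = Callable[[Context], bool]
Decision = Dict[str, Any]              # actions merged into one decision


@dataclass
class Policy:
    name: str
    conditions: List[Condition]                        # all must hold
    on_match: Decision = field(default_factory=dict)
    on_mismatch: Decision = field(default_factory=dict)
    sub_policies: List["Policy"] = field(default_factory=list)

    def evaluate(self, ctx: Context) -> Decision:
        """Actions this policy (and its children) prescribe for `ctx`."""
        if not all(cond(ctx) for cond in self.conditions):
            return dict(self.on_mismatch)          # no context: usually empty
        decision = dict(self.on_match)
        for sub in self.sub_policies:              # hierarchical policy
            decision.update(sub.evaluate(ctx))
        return decision


# Reusable condition builders -------------------------------------------
def in_group(group: str) -> Condition:
    return lambda ctx: group in ctx.get("groups", ())


def is_authenticated() -> Condition:
    return lambda ctx: bool(ctx.get("authenticated"))


def between(start: time, end: time) -> Condition:
    return lambda ctx: start <= ctx["time"] <= end


def destination(host: str) -> Condition:
    return lambda ctx: ctx.get("dest") == host


# The two example contracts as policies ---------------------------------
SAP_SLA = Policy(
    name="sap-r3-bandwidth",
    conditions=[in_group("sap-r3"), between(time(8, 0), time(17, 0))],
    on_match={"guaranteed_mbps": 4},
)

HEALTHCARE_ACCESS = Policy(
    name="healthcare-server-access",
    conditions=[destination("healthcare-server")],  # context: that server only
    sub_policies=[
        Policy(
            name="healthcare-user-check",
            conditions=[is_authenticated(), in_group("healthcare")],
            on_match={"access": "permit"},
            on_mismatch={"access": "deny"},          # "other users can't"
        )
    ],
)

POLICIES = [SAP_SLA, HEALTHCARE_ACCESS]


def make_request(groups: Iterable[str], authenticated: bool, hour: int,
                 dest: Optional[str] = None) -> Context:
    """Constructed request context; `hour` is the wall-clock hour of the request."""
    return {"groups": set(groups), "authenticated": authenticated,
            "time": time(hour, 0), "dest": dest}


def decide(policies: List[Policy], ctx: Context) -> Decision:
    """Policy decision point: evaluate every policy and merge the actions."""
    decision: Decision = {}
    for policy in policies:
        decision.update(policy.evaluate(ctx))
    return decision


if __name__ == "__main__":
    # An SAP user during office hours, then an unauthenticated user
    # reaching for the healthcare server.
    print(decide(POLICIES, make_request(["sap-r3"], True, 9)))
    print(decide(POLICIES, make_request(["healthcare"], False, 12, "healthcare-server")))
```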

4.4 User and Device Authentication

Authentication establishes identity. It is integrated into user applications, host operating systems, network operating systems and in some cases also into network devices, such as switches. In a VLAN environment authentication is used to grant network access to users and devices such as printers, servers, etc.


The most typical way to identify a user is with a user ID and password, but nowadays more and more authentication schemes involve several factors to prove identity with greater confidence. These factors include [XYL98]:

• Something you are
For humans this includes fingerprints, retinas, keystroke timing etc. For devices this includes the MAC address, protocol types and network addresses. Greater security can be achieved by mapping these characteristics to a switch port or a group of switch ports. For many devices like printers and servers this is the only kind of authentication that can be used, because the devices may not support any authentication protocol. These characteristics can be spoofed, but doing so usually requires physical access to the device.

• Something you know
This is the user ID and password method; as a form of authentication it is better than nothing, but not much. Often both user IDs and passwords are sent in clear text, and passwords are easily guessed. There are also many password-cracking tools available. A way around these limitations is the use of one-time passwords.

• Something you possess
This includes tokens and smart cards. This is also a weak form of authentication when used alone, because it is possible that the user of the mechanism is not the one authorized to use it. They are easy to lose and in some cases easy to forge. However, when used together with something you know, a strong authentication system is created.

User authentication can be used to create secure network access: a user has to be authenticated before he is given access to the network. Once the user has been authenticated he is given access to the network and membership in specific VLANs. This means that the user can be mobile and get the same privileges in the network independent of the workstation that the user is using.

This is a very important ability from a service provider's point of view, because authenticating the user serves as a basis for being able to provide really useful CoS and SLAs. Prioritization also creates a need for authentication. This is because prioritization means that some users get better service than others, and consequently users may try to spoof the network in order to get better service.


However, user authentication currently usually requires proprietary software on the workstation so that the authentication can be done. Of course, a network login to e.g. an NT domain or a Novell NDS tree could be used, but a standard way of authentication would be preferable.

Device authentication has to be based on the switch port and the device's MAC and network addresses until a standard for authentication is created.

The Authentication, Authorization and Accounting (AAA) working group of the IETF is currently defining an AAA architecture and an authentication protocol framework. The working group is also identifying the relationship and interaction between policy and authorization. This is still a work in progress.

[Figure 4 (diagram not reproduced): the elements shown are User, Network Device, AAA Server and Service Provider; the connections between them are labelled "Contractual Agreement", "Trust Relationship" and "Either or".]

Figure 4 AAA architecture.


The architecture involves an authentication server, an authorization (policy) server, and an accounting server; these may be separate servers or integrated. Figure 4 shows the architecture with an integrated AAA server. The user is connected to a network device and there is a contractual relationship between the user and the service provider. There is a trust relationship between the network device and the AAA server. After the user is authenticated a trust relationship exists between the user and either the network device or the AAA server. The AAA server can be considered a Policy Decision Point (PDP) and the network device a Policy Enforcement Point (PEP). [VOL99]

4.5 VLANs across the WAN

VLANs have been used in local area networks for a few years already, but it is also possible to use VLANs instead of routing in the WAN. However, this means that LAN broadcasts consume relatively expensive WAN bandwidth. On the other hand, it is probable that WAN bandwidth will become much cheaper in the future, but when that happens the bandwidth requirement will also have gone up. It may be that WAN bandwidth will never be cheap enough for VLANs unless something can be done to reduce broadcasts in a standards-based way.

However, there is an obvious need for some kind of advanced support for remote dial-in users and users in a remote branch office, so that they are able to utilize these new advanced services as well. The problem is how it can be done.

4.6 Challenges Caused by Advanced VLAN Services

All the above mentioned advanced services are useful from a service provider's point of view, but in order to be able to produce these kinds of services in a cost-efficient manner, the services need to be manageable in a consistent way. Because many of these new services are also closely linked together, it makes sense to be able to configure, monitor and manage the services in a vendor-independent fashion. However, current management tools are not sufficient for doing this efficiently in a multivendor network. Most management applications are aimed at device management and not at end-to-end network service management. Therefore there is an urgent need for a way of managing large multivendor networks providing advanced services. Directory enabled networking seems to be a promising approach.


5 Directory Enabled Networking

5.1 Directory Services

A directory service is a physically distributed but logically centralized data repository for infrequently changing data needed for managing a computing environment. It can be viewed as a special purpose database built to store typed and structured information. [ABO98]

A directory service enables a user to locate and identify other users and resources in a distributed system. Directory services provide the foundation for adding, modifying, removing, renaming and managing system components without interrupting the services provided by other system components. [GON99]

Directory services are able to:

• Serve as a distributed repository of information about system components. The directory can be replicated among several servers, and a user can query a local server for all information.
• Support lookup by attribute (e.g. name, phone number, etc.) and by classification (e.g. printer, etc.), i.e. support "white pages" and "yellow pages" lookup.
• Enable single user logon to network services, so that the user gets access to all network resources available to him without having to logon to several servers separately.
• Enable distribution of management and administration, i.e. administrative tools don't have to be centrally located and managed.
• Replicate data between all directory servers so that the information is seen in a consistent way throughout the network.


Characteristics of a directory are [KIL98]:

• Information is strongly typed and structured.
• It stores information about objects of interest.
• It can be highly distributed and supports replication.
• Reads are much more frequent than writes.
• It provides for search as well as retrieval.
• It allows access to information from multiple locations.
• It is frequently used in an application-specific manner.
• Objects are essentially independent in the directory.
• It has a fixed core schema that controls directory structure.
• The directory structure is hierarchical.
• The schema for individual objects is highly extensible.

A general-purpose enterprise directory provides a central corporate repository for commonly and widely used information. The information may be white pages data, such as email addresses and phone numbers, and information that gives a user access to services, such as printers, computers and buildings. Digital signatures may also be stored in the directory.

Traditional directory services were designed for administrative needs, but directories have changed from a simple data warehouse to an intelligent, authoritative and distributed repository of information for services and applications. The directory can be accessed using the Lightweight Directory Access Protocol (LDAP). [WAH97]

5.2 The Purpose of Directory Enabled Networking

Nowadays the computing environment that needs to be managed not only includes computers, but also the networking devices that interconnect the computers. There are several new advanced network services available and at the same time new applications demand more and more of the network. Examples of this are:

• Voice and video applications
• Quality of Service (QoS)
• Policy based networking
• Authentication


All these new services, features and demands cause a management problem. The huge amount of data to be managed requires that device configurations, user profiles, service profiles, policy rules, SLAs, etc., should be stored in a standardized manner. It should be easy to replace a failed device with as little configuration effort as possible. This means that network devices should be able to retrieve their configuration from a configuration repository. Preferably it should also be possible to replace a failed device with a similar, but not identical, device without needing to configure the device manually. [GON99]

Directory services are already used successfully to store application and user information. It is logical to extend directory services to include networks, so that the new and more demanding network management requirements can be met. This approach is referred to as directory enabled networking (DEN). Cisco Systems Inc. and Microsoft Corp. launched the DEN initiative in September 1997 and, together with several other hardware and software vendors, they formed the DEN ad-hoc working group (DEN AHWG) in order to define what directory enabled networking is.

It is important to note that directory enabled networking is not a replacement for network management, because they address different needs. Network elements typically have a dynamic state and a persistent state:

• Network management
This addresses the dynamic state of individual network devices. Network management protocols, such as SNMP, CMIP, and RMON, are used to talk to network devices. Current tools focus on individual devices rather than on the network as a whole.

• Directory enabled networking
This addresses the persistent state of network elements and also describes the relationships between users, applications, network elements and network services. The information in the directory network extensions is used to talk about network elements.

Directory enabled networking has two aims:

• To bind users to services available from the network according to a consistent and rational set of policies.
• To provide the foundation to build intelligent networks and network-enabled applications.


These require network-enabled applications that can access diverse information from a common logical repository or directory. The storing and retrieval of this information uses the LDAP protocol. Using a directory means that a directory schema is needed.

Because objects in a directory are essentially independent, an information model is needed in order to establish relationships between objects. The information model defines the interaction of users and applications with the network elements and services, and the management of network elements and services. The information model is an object-oriented model that defines the behaviour of network elements, services, users and applications, and the interaction between them. The DEN philosophy is shown in figure 5. [JUD98]

[Figure 5 (diagram not reproduced): the elements shown are Existing Management Protocols (SNMP, RMON, ...), DEN Information Model, Existing Management Applications, Future Management Applications, DS-Enabled Distributed Applications and Tools, and Directory Service.]

Figure 5 The DEN philosophy


5.3 The DEN Schema

The DEN schema is based on the Common Information Model (CIM) defined by the Desktop Management Task Force (DMTF). CIM is used to present a consistent view of the managed environment independent of the various protocols and data formats supported by the devices and applications in it. CIM is mainly concerned with the management of individual components in an enterprise environment.

Schemas, such as SNMP MIBs and CIM, are intended primarily to address the details of individual devices. CIM is concerned with many types of information, such as collections of general-purpose devices, applications, and other components of a system. DEN attempts to model collections of devices, networks, autonomous systems, and network clouds.

DEN has many information needs that are already addressed by CIM, so the DEN schema is designed as an extension to the CIM schema version 2.0. This schema is referred to as the DEN extended schema or simply as the DEN schema.

The DEN schema expresses and manages network element information not only in an enterprise environment, but also in service provider networks. The DEN schema also addresses network services and policies that control the provisioning of network elements, although it does not address this completely. This enhances and complements the existing CIM network model. [JUD98]


The DEN schema uses concepts from both X.500 and CIM. The DEN base classes and their relationship to the X.500 and CIM classes are shown in figure 6.

[Figure 6 (class diagram not reproduced): the classes shown, grouped into X.500, CIM and DEN regions, are Top, Alias, DSA, ManagedSystemElement, Configuration, Application, Person*, Location, Group*, Organization*, Product, FRU, Protocol*, NetworkProtocol, "NetworkDevice", NetworkMedia, Profile, Policy, LinkedContainer, NetworkElement, Software*, System*, Check, Action and Service*.]

NOTE: 1. NetworkDevice is an abstraction of changes to existing CIM classes and not an actual class. 2. Software, System, Service, Protocol, Person, Group, and Organization represent sets of classes corresponding to that general function or service.

Figure 6 DEN Base Classes.


5.4 DEN Schema Benefits

A common namespace in a directory means that applications developed by different vendors can interoperate with each other. This is independent of which directory service is used to implement the schema and which network elements and services are being represented and managed in the directory service. There are two forms of interoperability: the ability to share information and the ability to reuse information. The former means that two applications made by two different vendors can share information while they are running. The latter means that one application from one vendor can reuse information that another application from a different vendor has operated on. For example [MIC98]:

• Application X from vendor A can populate the directory with information about a network.
• Application Y from vendor B could then provision part of the network using this information according to policies that it has defined.
• Application Z from vendor C could then run background checks on another part of the network, gathering statistical information and performing fault analysis.

It is important to note that in the above scenario none of the three applications needs to have any knowledge about the other applications. The Directory Enabled Networks specification defines a schema, which defines a namespace that enables applications to share and reuse information. Furthermore, the Directory Enabled Networks specification defines an information model that relates the different classes of that schema to each other. Another benefit is the simplification of some administrative tasks, such as configuration management. For example, if the SNMP trap destination IP address has to be changed on all network devices, the administrator doesn't need to reconfigure each device individually; instead the configuration change is made in the directory to a group containing all the devices. DEN management applications may then automatically reconfigure the devices in question.

DEN is a different way of looking at networks [STR99]:

• It focuses on managing the network instead of individual devices.
• It offers an extensible way for different applications to share and reuse data with each other.
• It facilitates the mapping of network clients to services provided by the network.
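The SNMP trap destination example above, together with the failed-device replacement described in 5.2, as an added Python example that is not part of the original report or of any DEN product: a toy DN-keyed directory (not an LDAP server) in which devices inherit configuration from a group entry, and a reconcile step that lists which devices a management application would then need to reconfigure. The DNs, attribute names and 192.0.2.0/24 addresses are constructed.

```python
"""Toy directory in the DEN spirit (added example, not from the report).

Devices are entries under ou=devices; they inherit configuration such as the
SNMP trap destination from the group entry they are members of. Changing the
group once makes every member device differ from its running configuration,
which is what a management application would then push out. DNs, attribute
names and the 192.0.2.0/24 addresses are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]
Change = Tuple[str, Optional[str], Optional[str]]   # (device dn, running, wanted)

DEVICES_BASE = "ou=devices,o=example"
SWITCH_GROUP = "cn=all-switches,ou=groups,o=example"


class Directory:
    """In-memory, DN-keyed store; the hierarchy is implied by DN suffixes."""

    def __init__(self) -> None:
        self.entries: Dict[str, Attrs] = {}

    def add(self, dn: str, **attrs: str) -> None:
        self.entries[dn] = dict(attrs)

    def modify(self, dn: str, **attrs: str) -> None:
        self.entries[dn].update(attrs)

    def search(self, base: str, **match: str) -> List[str]:
        """Subtree search: DNs under `base` whose attributes equal all of `match`."""
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith("," + base)
                and all(attrs.get(k) == v for k, v in match.items())]

    def effective(self, dn: str, attr: str) -> Optional[str]:
        """A device-specific value wins; otherwise the value comes from its group."""
        entry = self.entries[dn]
        if attr in entry:
            return entry[attr]
        group = self.entries.get(entry.get("memberOf", ""), {})
        return group.get(attr)


def reconcile(directory: Directory, running: Dict[str, Attrs],
              attr: str) -> List[Change]:
    """Devices whose running value of `attr` differs from what the directory says.

    A device with no running configuration at all (a fresh replacement) shows
    up with `None` as its running value and the inherited value as wanted.
    """
    changes: List[Change] = []
    for dn in directory.search(DEVICES_BASE, objectClass="networkDevice"):
        wanted = directory.effective(dn, attr)
        have = running.get(dn, {}).get(attr)
        if wanted != have:
            changes.append((dn, have, wanted))
    return changes


def build_sample() -> Tuple[Directory, Dict[str, Attrs]]:
    """Three switches in one group, all currently running the group's trap target."""
    d = Directory()
    d.add(SWITCH_GROUP, objectClass="groupOfDevices",
          snmpTrapDestination="192.0.2.10")
    for name in ("sw1", "sw2", "sw3"):
        d.add(f"cn={name},{DEVICES_BASE}", objectClass="networkDevice",
              memberOf=SWITCH_GROUP)
    running = {dn: {"snmpTrapDestination": "192.0.2.10"}
               for dn in d.search(DEVICES_BASE, objectClass="networkDevice")}
    return d, running


if __name__ == "__main__":
    d, running = build_sample()
    # One change in the directory instead of one per device.
    d.modify(SWITCH_GROUP, snmpTrapDestination="192.0.2.20")
    # A replacement device: no running config yet, inherits everything.
    d.add(f"cn=sw4,{DEVICES_BASE}", objectClass="networkDevice",
          memberOf=SWITCH_GROUP)
    for change in reconcile(d, running, "snmpTrapDestination"):
        print(change)
```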


6 Vendors and Products

Most major networking vendors are members of the DEN AHWG, but this doesn't mean that products are available. Most vendors have shown a roadmap detailing how they intend to implement directory enabled networking, authentication, prioritization and so on in their product lines. But at the moment very little is available.

There are many different things needed in order to create a directory enabled network:

• LDAP-compliant directory servers
• Authentication servers and clients
• Devices with an LDAP client
• Accounting and auditing servers and applications
• Policy servers and applications
• Directory-aware network management applications

Several LDAP-compliant directory servers are available, e.g. Netscape Directory Server, IBM eNetwork LDAP Directory, Microsoft Windows 2000 Server Active Directory, and Novell LDAP Services for NDS. The DEN schema can be incorporated in any LDAP-compatible directory server.

Authentication, authorization, and accounting servers are also available, e.g. Merit Networks AAA Server. Proprietary policy servers are available from a few vendors, such as 3Com Transcend Network Control Services, Cabletron Spectrum Connection Services Manager and Cisco QoS Policy Manager.

Some vendors offer network devices that support user authentication, for example Xylan OmniSwitch switches.

Networking devices with an LDAP client are also available from some vendors, but they usually only support retrieval of information and not updating of the directory. Some management applications are available that retrieve station information, such as MAC address, layer 3 addresses, etc., from network devices and store it in a proprietary directory. An example is Cabletron Spectrum VLAN Manager.


The problem is making it all fit together. Authentication and authorization mechanisms must be standardized, and the network must support policies bound to users and not to devices.

No vendor has a complete set of products yet. Fortunately the standards-based approach defined by DEN enables products from different vendors to work together. In other words, it will be possible to choose a directory server from one vendor, policy and authentication servers from another vendor, management and accounting applications from a third vendor and network devices from other vendors.

Nevertheless, there is still a long way to go and it will take a few years before the potential of DEN can be fulfilled.


7 Conclusion

There are many new and powerful features available in new networking devices and concepts. Many of these features are useful for service providers and also for network administrators in large enterprises. These features include:

• Versatile VLANs
• Prioritization
• Authentication
• Service level agreements
• Accounting and billing

However, these features also cause a large administrative load on the people responsible for running the network. For example, device configurations for devices from different vendors need to be stored, policies need to be defined, configured and enforced, SLAs need to be monitored, and users need to be authenticated.

There is a need for new tools to manage these new and complex environments, and directory enabled networking is promising to provide the basis for these tools. A next generation network may be based on the use of directory, policy, authentication and accounting servers. Third-party software vendors can provide applications that make use of the directory servers. If and when this becomes a reality it might be possible to provide high class, secure and authenticated network services bound to useful and verifiable SLAs in a cost-effective manner.

Auditing and accounting software can correlate application response time with network response time, and help ascertain whether it is the server, the application, or the network that is causing a delay.

Network resources are not infinite. Sooner or later the demands on the LAN will be greater than what it can supply. Directory enabled networking is a huge and complex project, and perhaps it is not needed today or even in the foreseeable future. However, in the field of data communications, the foreseeable future is not very long.


8 References

[ABO98] Aboba, B., Appropriate Use of Directory Services (Presentation at DEN AHWG meeting 28.2.1998). Microsoft Corp. February 1998.

[GON99] Goncalves, M., Directory-Enabled Networks. McGraw-Hill. 1999.

[INT98] Intel Corporation, Delivering Guaranteed Services Levels (Presentation at Summit '98 Conference). Intel Corporation. August 1998.

[JUD98] Judd, S. & Strassner, J., Directory Enabled Networks - Information Model and Base Schema (Preliminary Draft version 3.0c5). Directory Enabled Networks Ad Hoc Working Group. 29.08.1998.

[KIL98] Kille, S., Why do I need a Directory when I could use a Relational Database? (Presentation at EMA99 Conference). Isode Inc. April 1998.

[MCC98] McConnell, J., Service Level Management - Leveraging Your Network Investments (White Paper). McConnell Associates. July 1998.

[MIC98] Microsoft Corporation, Lowering TCO With Active Directory-Enabled Applications (White Paper). Microsoft Corp. July 1998.

[NET96] NetReference, Guide to Virtual LANs (White Paper). NetReference Inc. May 1996.

[PAS99] Passmore, L.D., The Fine Print of SLAs. Business Communications Review. February 1999.

[ROM99] Roman, M., SmartSwitch Multi-Layer Frame Classification (Cabletron Systems Technology White Paper). Cabletron Systems Inc. May 1999.


[SEM98] Semeria, C. & Fuller, F., Directory-Enabled Networks and 3Com's Framework for Policy-Powered Networking (3Com Technology White Paper). 3Com Corporation. May 1998.

[SMI98] Smith, M., Virtual LANs – A Guide to Construction, Operation, and Utilization. McGraw-Hill. 1998.

[STA99] Stardust Technologies, The Need for QoS (QoS Forum White Paper). Stardust Technologies Inc. July 1999.

[STR98] Strassner, J., Policy Breakout Session (Presentation at DEN AHWG meeting 28.2.1998). Cisco Systems Inc. February 1998.

[STR99] Strassner, J. & McNeill, T. & Grimstad, A., CIM V2.2 Network Model (Presentation at DMTF Annual Conference June 1999). DMTF. June 1999.

[VOL99] Vollbrecht, J. & Calhoun, P. & Farrell, S. & Gommans, L. & Gross, G. & de Bruijn, B. & Holdrege, M. & Spence, D., AAA Authorization Architecture and Requirements (Internet Draft). Internet Engineering Task Force. June 1999. Work in progress.

[WAH97] Wahl, M. & Howes, T. & Kille, S., RFC 2251 Lightweight Directory Access Protocol (v3). Internet Engineering Task Force. December 1997.

[XYL98] Xylan Corporation, Switched Network Services – Authentication (Xylan Technology White Paper). Xylan Corporation. May 1998.