3fl00250 A Ho Ed03 p02 Ipdslamprotocols Eth Vlan An
During class please switch off your mobile, pager or any other device that may interrupt. Entry level requirements:
3FL00250_A Ed 03
Table of contents
Ethernet framing. . . . . . . . p. 3 p.13
Ethernet framing
Ethernet v2 is a valid IEEE 802.3 frame.
Used in Local Area Networks (LAN); uses CSMA/CD.
> When somebody says that they are running Ethernet on their network, inevitably you have to ask: "Which Ethernet?". Currently, there are many versions of the Ethernet Frame Format in the commercial marketplace, all subtly different and not necessarily compatible with each other.
> The explanation for the many types of Ethernet Frame Formats currently on the marketplace lies in Ethernet's history.
> In 1972, work on the original version of Ethernet, Ethernet Version 1, began at the Xerox Palo Alto Research Center. Version 1 Ethernet was released in 1980 by a consortium of companies comprising DEC, Intel, and Xerox. In the same year, the IEEE meetings on Ethernet began. In 1982, the DIX (DEC/Intel/Xerox) consortium released Version II Ethernet and since then it has almost completely replaced Version I in the marketplace. In 1983 Novell NetWare '86 was released, with a proprietary frame format based on a preliminary release of the 802.3 spec. Two years later, when the final version of the 802.3 spec was released, it had been modified to include the 802.2 LLC Header, making NetWare's proprietary format incompatible. Finally, the 802.3 SNAP format was created to address backwards compatibility issues between Version 2 and 802.3 Ethernet.
> As you can see, the large number of players in the Ethernet world has created a number of different choices. The bottom line is this: either a particular driver supports a particular frame format, or it doesn't. Typically, Novell stations can support any of the frame formats, while TCP/IP stations will support only one, although there are no hard and fast rules in networking.
> CSMA/CD: Carrier Sense Multiple Access with Collision Detection
Fields common to all frame types: preamble (7B) | SFD (1B) | DA (6B) | SA (6B) | ... | FCS (4B)
Preamble and SFD: fixed sequence to alert the receiver. DA: Destination MAC address. SA: Source MAC address.
> In the following slides we will outline the specific fields in the different types of Ethernet frames. But first let's look at the fields that are common to each type of Ethernet frame.
> The Preamble and SFD (Start Frame Delimiter): Regardless of the frame type being used, the means of digital signal encoding on an Ethernet network is the same. While a discussion of Manchester Encoding is beyond the scope of this course, it is sufficient to say that on an idle Ethernet network, there is no signal. Because each station has its own oscillating clock, the communicating stations have to have some way to "synch up" their clocks and thereby agree on how long one bit time is. The preamble facilitates this. The preamble with SFD consists of 8 bytes of alternating ones and zeros, ending in 11.
> A station on an Ethernet network detects the change in voltage that occurs when another station begins to transmit and uses the preamble to "lock on" to the sending station's clock signal. Because it takes some time for a station to "lock on", it doesn't know how many bits of the preamble have gone by. For this reason, we say that the preamble is "lost" in the "synching up" process. No part of the preamble ever enters the adapter's memory buffer. Once locked on, the receiving station waits for the 11 that signals that the Ethernet frame follows.
> The Destination MAC address and Source MAC address fields are 6 bytes in length. The first three bytes of the MAC address are assigned by the IEEE to the vendor of the adapter and are specific to that vendor.
> FCS = Frame Check Sequence
IEEE 802.3 frame: DA | SA | Length or Type | ... | FCS
> In the case of an IEEE 802.3 Ethernet frame, frame interpretation is based on the Type or Length field in the frame. If the type or length field is less than or equal to 1500 (decimal value) (1500 = 05-DC hex), then the field is interpreted as a length field. If the value is greater than 1500 then it is interpreted as a type field.
Ethernet II frame: DA (6B) | SA (6B) | Type (2B) | P A Y L O A D (46-1500 Bytes, PAD to the minimum) | FCS (4B); DA + SA + Type + FCS = 18 Bytes
TYPE >= 1536, for example: 0x0800 = IP, 0x0806 = ARP, 0x8035 = RARP, 0x888E = 802.1X, 0x8863 = PPPoE Control frames, 0x8864 = PPPoE Data frames
> The 802.3 specifications include the possibility to have a frame with a type field and any protocol in the payload. This way the Ethernet II frame defined by DIX (DEC, Intel, and Xerox) is also a valid 802.3 frame.
> Like the 802.3 spec (see later), the Version II spec defines a Data Link Header consisting of 14 bytes (6+6+2) of information, but the Version II spec does not specify an LLC header.
> The Type field is 2 bytes and contains the value that defines the protocol that is being encapsulated in the data payload. This Ethertype is expressed in hexadecimal (all these values are greater than 1500 (decimal)).
> At the physical layer, the DST MAC field could be preceded by a 7-byte preamble and a 1-byte start of frame delimiter.
> At the end of the Data field is a 4-byte FCS.
> The minimum frame size for Ethernet media without the preamble is 64 bytes and the maximum frame size without the preamble is 1518 bytes. Hence the minimum frame size on Ethernet with the preamble is 72 bytes and the maximum is 1526 bytes.
> Note: Preamble and SFD are not shown on the slide.
IEEE 802.3 LLC frame: DA (6B) | SA (6B) | length (2B) | DSAP (1B) | SSAP (1B) | CONTR (1B) | P A Y L O A D (43-1497 Bytes) | FCS (4B)
SAP values: 02 = Individual LLC Sublayer Management Function, 03 = Group LLC Sublayer Management Function, 04 = IBM SNA Path Control (individual), 05 = IBM SNA Path Control (group), 06 = ARPANET Internet Protocol (IP), AA = SubNetwork Access Protocol (SNAP), E0 = Novell NetWare, F0 = IBM NetBIOS
> The following describes the LLC frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length.
> The length field is 2 bytes and contains the length of the frame, not including the preamble, the 32-bit CRC, the data link addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length, and no longer than 1518 bytes total length.
> The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload.
> The DSAP, or Destination Service Access Point, is a 1-byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving network interface card in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks, etc.
> The SSAP, or Source Service Access Point, is analogous to the DSAP and specifies the source of the sending process.
> Following the SAPs is a one-byte control field that specifies the type of LLC frame that this is.
LLC header: DSAP = AA (1B) | SSAP = AA (1B) | CONTR = 03 (1B)
SNAP header: 00-00-00 (3B) | TYPE (2B)
> While the original 802.3 specification worked well, the IEEE realized that some upper layer protocols required an Ethertype to work properly. For example, TCP/IP uses the Ethertype to differentiate between ARP packets and normal IP data frames. In order to provide this backwards compatibility with the Version II frame type, the 802.3 SNAP (SubNetwork Access Protocol) format was created.
> The SNAP Frame Format consists of a normal 802.3 Data Link Header followed by an 802.2 LLC Header and then a 5-byte SNAP field, followed by the normal user data and FCS.
> The Sub-Network Access Protocol (SNAP) Header: The first 3 bytes of the SNAP header are the vendor code, generally the same as the first three bytes of the source address, although it is sometimes set to zero. Following the Vendor Code is a 2-byte field that typically contains an Ethertype for the frame. This is where the backwards compatibility with Version II Ethernet is implemented.
IEEE 802.3 SNAP frame: DA (6B) | SA (6B) | length (2B) | AA (1B) | AA (1B) | 03 (1B) | 00.00.00 (3B) | Type (2B) | P A Y L O A D (38-1492 Bytes) | FCS (4B)
> The following describes the SNAP frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length. The length field is 2 bytes and contains the length of the frame. The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload; in this case the value remains constant and is 0xAA. The header that follows the LLC header is called the SNAP header. This contains a 2-byte type field that contains the value that defines the protocol that is being encapsulated in the data payload.
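The three encapsulations described in the notes above (Ethernet II, 802.3 LLC and 802.3 SNAP) can be told apart from the same 14-byte header by applying the rules given here: a field value of at least 1536 is an Ethertype, a value of at most 1500 is an 802.3 length, and DSAP/SSAP/Control = AA/AA/03 announces a SNAP header carrying an Ethertype. The following Python parser is an added example written for this page, not code from the course or from Alcatel-Lucent; the sample frames, their addresses and their dummy FCS are constructed here, and the Ethertype and SAP names are the ones listed on the slides.

```python
import struct

# Ethertype values quoted on the course slide (type field >= 1536)
ETHERTYPES = {
    0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP",
    0x888E: "802.1X", 0x8863: "PPPoE Control", 0x8864: "PPPoE Data",
}
# LLC SAP values quoted on the course slide
SAPS = {0x06: "IP", 0xAA: "SNAP", 0xE0: "Novell NetWare", 0xF0: "IBM NetBIOS"}

MIN_FRAME, MAX_FRAME = 64, 1518   # without preamble/SFD, FCS included


def classify_frame(frame: bytes) -> dict:
    """Decode the link header of a raw frame (preamble/SFD already stripped, FCS
    still attached) and report whether it is Ethernet II, 802.3 LLC or 802.3 SNAP."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME}")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if type_or_len >= 1536:
        # Ethernet II: the field is an Ethertype; padding is indistinguishable from data
        info.update(format="Ethernet II", ethertype=type_or_len, payload=frame[14:-4])
    elif type_or_len <= 1500:
        # 802.3: the field is the length of LLC header + data (padding and FCS excluded)
        if type_or_len > len(frame) - 18:
            raise ValueError("802.3 length field exceeds the frame")
        dsap, ssap, ctrl = struct.unpack("!BBB", frame[14:17])
        if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
            # SNAP: 3-byte vendor code, then a 2-byte Ethertype for Version II compatibility
            oui, etype = struct.unpack("!3sH", frame[17:22])
            info.update(format="802.3 SNAP", oui=oui.hex("-"), ethertype=etype,
                        payload=frame[22:14 + type_or_len])
        else:
            info.update(format="802.3 LLC", dsap=dsap, ssap=ssap, control=ctrl,
                        payload=frame[17:14 + type_or_len])
    else:
        info["format"] = "undefined (1501..1535)"
    info["protocol"] = ETHERTYPES.get(info.get("ethertype"),
                                      SAPS.get(info.get("dsap"), "unknown"))
    return info


def build_frame(dst: bytes, src: bytes, type_or_len: int, data: bytes) -> bytes:
    """Constructed sample builder: pads data to the 46-byte minimum and appends a dummy FCS."""
    data += b"\x00" * max(0, 46 - len(data))
    return dst + src + struct.pack("!H", type_or_len) + data + b"\x00" * 4


# Constructed sample frames (addresses invented for this example)
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00a0c5111111")
SAMPLE_ETH2 = build_frame(DST, SRC, 0x0806, b"ARP request")
LLC_BODY = bytes([0x06, 0x06, 0x03]) + b"IP datagram"            # DSAP/SSAP 06 = IP
SAMPLE_LLC = build_frame(DST, SRC, len(LLC_BODY), LLC_BODY)
SNAP_BODY = (bytes([0xAA, 0xAA, 0x03]) + b"\x00\x00\x00"
             + struct.pack("!H", 0x0800) + b"IP datagram")       # SNAP carrying Ethertype 0800
SAMPLE_SNAP = build_frame(DST, SRC, len(SNAP_BODY), SNAP_BODY)

if __name__ == "__main__":
    for f in (SAMPLE_ETH2, SAMPLE_LLC, SAMPLE_SNAP):
        r = classify_frame(f)
        print(r["format"], r["protocol"], r["payload"][:12])
```

The 802.3 branch checks the length field against the frame before slicing, because a length larger than the frame would otherwise silently yield a short payload; a receiver that trusts the field without that check is an easy target for malformed frames.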
802.3 incorporates aspects of Ethernet version 2 and will replace it for high-speed Ethernet networks
Ethernet v2 is a valid 802.3 frame
Summary of the three encapsulations of an IP datagram:
Ethernet II: Type 0800 (2 bytes) | IP datagram | FCS (4)
802.3 LLC: Length (2 bytes) | LSAP 06 06 | IP datagram | FCS (4)
802.3 SNAP: Length (2 bytes) | LLC | SNAP (5 Byte) | ... | FCS (4)
What is a LAN?
> To understand VLANs, you need to understand LANs first. A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment connect all end node devices. End nodes can communicate with each other without the need for a router. However, communication with devices on different LAN segments requires the use of a router.
What is a VLAN?
Virtual LAN (figure: Corporate LAN)
LAN membership defined by the network manager
Inter-VLAN communication: only via higher-layer devices (e.g. IP routers)
> A VLAN allows a network manager to logically segment a LAN into different broadcast domains. Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN.
> VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are included in the broadcast domain. Routers would only have to be used to communicate between two VLANs.
> Communication between nodes that are attached to a single physical LAN infrastructure is only possible if they are members of the same VLAN. Inter-VLAN communication requires a higher layer packet forwarder like a router to forward packets between the VLANs it belongs to.
> A router that only routes packets and does not bridge frames is said to terminate the VLAN. This means that a router uses VLANs to partition a single Ethernet interface into a number of logical sub-interfaces, one for each VLAN. Such a logical interface is called a VLAN terminated (sub-)interface.
VLAN benefits
Performance: VLANs free up bandwidth by limiting traffic.
Simplified Administration: adding or moving nodes can be dealt with quickly and conveniently from the management console rather than the wiring closet.
Reduced Cost: use of VLANs can eliminate the need for expensive routers. With a VLAN-enabled adapter, a server can be a member of multiple VLANs.
Security: VLANs create virtual boundaries that can only be crossed through a router.
> VLANs offer a number of advantages over traditional LANs. They are:
> 1) Performance: In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. E.g., in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic. Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.
> 2) Formation of Virtual Workgroups: Nowadays, it is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting, and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. Each group's traffic is largely contained within the VLAN. With VLANs it is easier to place members of a workgroup together. Without VLANs, the only way this would be possible is to physically move all the members of the workgroup closer together.
> 3) Simplified Administration: Seventy percent of network costs are a result of adds, moves, and changes of users in the network. Every time a user is moved in a LAN, recabling, new station addressing, and reconfiguration of hubs and routers becomes necessary. Some of these tasks can be simplified with the use of VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated.
> 4) Reduced Cost: VLANs can be used to create broadcast domains which eliminate the need for expensive routers. With a VLAN-enabled adapter, a server can be a member of multiple VLANs. This reduces the need to route traffic to and from the server.
3FL00250_A Ed 03, 2008 Alcatel-Lucent. All rights reserved.
> 5) Security
VLAN classification according to IEEE 802.1Q
Explicit: 802.1Q tag
Implicit: Port based; Port and Protocol based
> In order to understand how VLANs work, we need to look at the types of VLANs, the types of connections between devices on VLANs, the filtering database which is used to send traffic to the correct VLAN, and tagging, a process used to identify the VLAN originating the data.
> A first and important distinction between VLAN implementations is the method used to indicate membership when a packet travels between switches. Two methods exist: implicit and explicit.
> When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. A tag is added to the packet to indicate VLAN membership. The IEEE 802.1Q VLAN specifications use this method. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. VLANs are classified based on the method used.
> It is also possible to determine to which VLAN the received data belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on information like the port on which the data arrived, or VLAN membership is indicated by the MAC address. In this case, all switches that support a particular VLAN must share a table of member MAC addresses.
> VLAN classification according to IEEE 802.1Q is done based on the tag (explicit), the port (implicit), or port-and-protocol (implicit). Other criteria (such as MAC address or IP address) are non-standard.
Membership in a VLAN is defined based on the ports that belong to the VLAN.
Also referred to as port switching.
Does not allow user mobility. Does not allow multiple VLANs to include the same physical segment (or switch port).
Figure: switch ports 1 to 9; PORT 1, 2, 5, 7 assigned to the VLAN
> In this implementation, the administrator assigns each port of a switch to a VLAN.
> The switch determines the VLAN membership of each packet by noting the port on which it arrives.
> The primary limitation of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another: he needs to reassign the new port to the user's old VLAN. The network change is then completely transparent to the user, and the administrator saves a trip to the wiring closet.
> Another significant drawback is in the case of a repeater attached to a port on the switch. In that case, all of the users connected to that repeater must be members of the same VLAN.
Disadvantages:
- Too many addresses need to be entered and managed
- Notebook PCs change docking stations
Figure: MAC@A, MAC@B, MAC@C, MAC@D mapped to a VLAN by MAC address
> The VLAN membership of a packet in this case is determined by its source or destination MAC address. Each switch maintains a table of MAC addresses and their corresponding VLAN memberships.
> A key advantage of this method is that the switch doesn't need to be reconfigured when a user moves to a different port. However, assigning VLAN membership to each MAC address can be a time-consuming task. Also, a single MAC address cannot easily be a member of multiple VLANs. This can be a significant limitation, making it difficult to share server resources between more than one VLAN.
> The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.
Figure: preamble | SFD | DA | SA | Length or Type | PROTOCOL (IP, IPX) -> VLAN 1, VLAN 2
> VLANs based on layer 3 information take into account the protocol type (if multiple protocols are supported) and possibly the network-layer address (e.g., subnet address for TCP/IP networks) in determining VLAN membership. An IP subnet or an IPX network, for example, can each be assigned their own VLAN.
> Although these VLANs are based on layer 3 information, this does not constitute a routing function and should not be confused with network-layer routing.
> When the VLAN membership is based only on the protocol type field found in the Layer 2 header, we talk about protocol-based VLANs.
Figure: hosts IP@ 138.22.24.5, IP@ 138.22.24.10, IP@ 138.21.35.47 and IP@ 138.21.35.58 grouped into VLANs by their IP subnet
> In this method, IP addresses are used only as a mapping to determine membership in VLANs. No other processing of IP addresses is done. No route calculation is undertaken, RIP or OSPF protocols are not employed, and frames traversing the switch are usually bridged according to the implementation of the Spanning Tree Algorithm. Therefore, from the point of view of a switch employing layer 3-based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology.
> Having made the distinction between VLANs based on layer 3 information and routing, it should be noted that some vendors are incorporating varying amounts of layer 3 intelligence into their switches, enabling functions normally associated with routing.
> Nevertheless, a key point remains: no matter where it is located in a VLAN solution, routing is necessary to provide connectivity between distinct VLANs. There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Secondly, users can physically move their workstations without having to reconfigure each workstation's network address, a benefit primarily for TCP/IP users.
> One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames.
Default VID
Not standardized within 802.1Q; interpretation according to context. Often equals the PVID.
> A VLAN bridge supports port-based VLAN classification, and may, in addition, support port-and-protocol-based VLAN classification.
> In port-based VLAN classification within a bridge, the VLAN-ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge. This classification mechanism requires the association of a specific Port VLAN Identifier, or PVID, with each of the bridge's ports. In this case, the PVID for a given port provides the VLAN-ID for untagged and priority-tagged frames received through that port.
> For bridges that implement port-and-protocol-based VLAN classification, the VLAN-ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge and on the protocol identifier of the frame. For port-and-protocol-based tagging, the VLAN bridge will have to look at the Ethertype, the SSAP, or the SNAP type of the incoming frames. When the protocol is identified, the VID associated with the protocol group to which the protocol belongs will be assigned to the frame. This classification mechanism requires the association of multiple VLAN-IDs with each of the ports of the bridge; this is known as the VID Set for that port.
Access Link
access link: a link between a computer (PC/SUN/) and a VLAN aware bridge; most typically carries traffic of VLAN unaware devices and as such, the frames on an access link are untagged
> Inside the world of VLANs there are three types of interfaces / links. These links allow us to connect multiple switches together, or just simple network devices, e.g. a PC, that will access the VLAN network. Depending on their configuration, they are called Access Links, Trunk Links or Hybrid Links.
> The division is based on whether the connected devices are VLAN-aware or VLAN-unaware. Recall that a VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.
> The type of link where only traffic for a single VLAN is passed is referred to as an "Access Link".
> When configuring ports on a switch to act as Access Links, we configure only one VLAN per port, that is, the VLAN our device will be allowed to access. An access link is a link that belongs to one, and only one, VLAN. The port is not capable of receiving information from another VLAN unless the information has been routed. The port is not capable of sending information to another VLAN unless the port has access to a router.
> The access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. Any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed, so the recipient has no information about them.
> All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN).
Trunk Link
trunk link: a link between switches, most typically carrying traffic of multiple VLANs, so the VLANs span over all network switches
> What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. Another type of port configuration is the Trunk port.
> While an access link does the job for a single VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single trunk link. The solution for this comes through the use of VLAN tagging.
> When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging (explicit tagging) method on the ports that supply the link. A trunk link is capable of transferring frames from many different VLANs through the use of technologies like 802.1Q.
> A Trunk Link, or 'Trunk', is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span over multiple switches.
> All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached (tagged frames).
Hybrid Link
hybrid link: a link which carries tagged as well as untagged traffic, for VLAN aware as well as VLAN unaware devices (all frames for a specific VLAN are tagged or untagged)
> The Hybrid Link is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.
VLAN Bridge
Q-VLAN aware bridge comprising a single Q-VLAN component
Tagged frame: preamble | SFD | DA | SA | TPID | TCI (3 bits priority, CFI, VID) | length/type | P A Y L O A D (46-1500 Bytes) | FCS
Frame size: Min 68 bytes, Max 1522 bytes
> We saw that when frames are sent across the network, there needs to be a way of indicating to which VLAN the frame belongs, so that the bridge will forward the frames only to those ports that belong to that VLAN, instead of to all output ports as would normally have been done. This information is added to the frame in the form of a tag header, and there are different ways to determine VLAN membership.
> Tagging of an Ethernet frame consists in adding a 4-byte tag that allows the VLAN-ID and the priority to be specified. Since a VLAN tag is 4 bytes, for a frame that is tagged the frame size ranges between 68 and 1522 bytes. When padding has to be used to reach the minimum frame size, tagged frames can be of 64 bytes.
> TPID is the Tag Protocol Identifier, which indicates that a tag header is following. TPID has a defined value of 8100 in hex. When a frame has the Ethertype equal to 8100, this frame carries the tag IEEE 802.1Q / 802.1p.
> The TCI (Tag Control Information) contains three parts: the user priority, the canonical format indicator (CFI), and the VLAN ID.
> User priority is a 3-bit field which allows priority information to be encoded in the frame. Eight levels of priority are allowed, where zero is the lowest priority and seven is the highest priority. How this field is used is described in the supplement 802.1p.
> The CFI bit is used to indicate that all MAC addresses present in the MAC data field are in canonical format. This field is interpreted differently depending on whether it is an Ethernet-encoded tag header or a SNAP-encoded tag header.
> The VID field is used to uniquely identify the VLAN to which the frame belongs. There can be a maximum of 2^12-2 = 4094 VLANs! Zero is used to indicate no VLAN ID but that user priority information is present; this allows priority to be encoded in non-priority LANs. FFF is reserved.
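The tag header described in the notes above (TPID 0x8100, then a 16-bit TCI holding 3 bits of priority, the CFI bit and a 12-bit VID, with VID 0 meaning priority-only and 0xFFF reserved) is small enough to encode and decode by hand. The following Python is an added example written for this page, not code from the course or from Alcatel-Lucent; the sample frame, its addresses and its dummy FCS are constructed here. It inserts and strips the 4-byte tag after the source address, enforces the field ranges, and classifies a frame as untagged, priority-tagged or VLAN-tagged.

```python
import struct

TPID_8021Q = 0x8100          # Ethertype value that announces a tag header
MIN_TAGGED, MAX_TAGGED = 68, 1522


def encode_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack user priority (3 bits), CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 0xFFE:
        raise ValueError("VID must be 0..4094 (0xFFF is reserved)")
    return (priority << 13) | (cfi << 12) | vid


def decode_tci(tci: int) -> dict:
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0xFFF}


def is_tagged(frame: bytes) -> bool:
    """A tag header sits at offset 12, where an untagged frame carries its length/type."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def insert_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte tag header right after the source address (offset 12)."""
    if is_tagged(frame):
        raise ValueError("frame already carries an 802.1Q tag")
    tag = struct.pack("!HH", TPID_8021Q, encode_tci(priority, cfi, vid))
    return frame[:12] + tag + frame[12:]


def strip_tag(frame: bytes) -> tuple:
    """Remove the tag header; returns (untagged frame, decoded TCI)."""
    if not is_tagged(frame):
        raise ValueError("frame is not tagged")
    tci = struct.unpack("!H", frame[14:16])[0]
    return frame[:12] + frame[16:], decode_tci(tci)


def tag_kind(frame: bytes) -> str:
    """Classify as 'untagged', 'priority-tagged' (VID 0) or 'vlan-tagged'."""
    if not is_tagged(frame):
        return "untagged"
    vid = decode_tci(struct.unpack("!H", frame[14:16])[0])["vid"]
    if vid == 0xFFF:
        raise ValueError("reserved VID 0xFFF")
    return "priority-tagged" if vid == 0 else "vlan-tagged"


# Constructed sample: a minimum-size (64-byte) untagged IP frame with a dummy FCS
UNTAGGED = (bytes.fromhex("00a0c5222222") + bytes.fromhex("00a0c5111111")
            + struct.pack("!H", 0x0800) + b"\x00" * 46 + b"\x00" * 4)
TAGGED = insert_tag(UNTAGGED, vid=100, priority=5)      # grows to 68 bytes
```

A bridge that accepts a frame without validating the VID, or that tags a frame already carrying a tag, ends up with a tag stack it did not intend; the two guards in insert_tag and tag_kind are where that is caught.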
Priority-tagged frame: a frame with a tag header that carries priority but no VLAN ID (VID=0)
VLAN-tagged frame: a frame with a Q-tag header that carries both priority and VID
VLAN-aware: the device can recognize and support VLAN-tagged frames
VLAN-unaware: the device can't recognize VLAN-tagged frames
> Untagged frame: An untagged frame is a frame that does not contain a tag header immediately following the Source MAC Address field of the frame or, if the frame contained a Routing Information field, immediately following the Routing Information field.
> Priority-tagged frame: A tagged frame whose tag header carries priority information, but carries no VLAN identification information.
> VLAN-tagged frame: A tagged frame whose tag header carries both VLAN identification and priority information.
> An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs. Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving port, or, through proprietary extensions to this standard, based on the data content of the frame (e.g., MAC Address, layer 3 protocol ID, etc.: implicit tagging).
> Priority-tagged frames, which, by definition, carry no VLAN identification information, are treated the same as untagged frames.
> A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a tag header that carries a non-null VID. Such a frame is classified as belonging to a particular VLAN based on the value of the VID that is included in the tag header.
> Each VLAN group has a unique VID and the ports with the same VID can communicate with each other. It is important for a LAN bridge (switch) to determine which devices are VLAN-aware or VLAN-unaware. A VLAN-aware device can recognize and support VLAN-tagged frames but a VLAN-unaware device can't. So it can decide whether to forward a tagged packet (to a VLAN-aware device) or first strip the tag from a packet and then forward it (to a VLAN-unaware device).
Ingress: towards the forwarding engine
Egress: out of the forwarding engine
Upstream: from user to network
Downstream: from network to user
Figure: End-user - Ethernet port (Ingress / Egress) - Forwarding engine - Ethernet port (Egress / Ingress) - End-user; Upstream and Downstream directions
Forwarding Process
Packet Receive -> Ingress Rule -> Forwarding Process (Filtering Database: decide to filter or forward the frame) -> Egress Rule (decide if the frames must be sent tagged or untagged) -> Packet Transmit
> When the bridge receives the data/Ethernet frames, it determines to which VLAN the data belongs, either by implicit or explicit tagging. In explicit tagging a tag header is added to the data.
> According to the VID information the switch forwards and filters the frames among ports. The bridge keeps track of VLAN members in a filtering database which it uses to determine where the data is to be sent.
> The ports with the same VID can communicate with each other.
> The IEEE 802.1Q VLAN function contains the following three tasks: ingress process, forwarding process and egress process.
> When a frame enters the tag VLAN switch, the ingress process classifies the received frame first and then passes the frame to the forwarding process. After the forwarding process, it goes to the egress process where it will be decided how the frame will leave the switch (tagged or not).
Ingress rule
A VLAN-aware switch can accept tagged and untagged frames.
Tagged frame: is directly sent to the forwarding engine
Untagged frame: a tag is added onto this untagged frame (with the PVID); then the tagged frame is sent to the forwarding engine
PVID: default Port VLAN ID for incoming untagged frames
Figure: Tagged frame (VID) -> Ingress Rule -> Tagged frame (VID); Untagged frame -> Ingress Rule -> Tagged frame (PVID)
> Each port is capable of passing tagged or untagged frames. The ingress process identifies whether the incoming frames contain a tag, and classifies the incoming frames as belonging to a VLAN. Each port has its own ingress rule. If the ingress rule accepts tagged frames only, the switch port will drop all incoming untagged frames. If the ingress rule accepts all frame types, the switch port simultaneously allows incoming tagged and untagged frames. When a tagged frame is received on a port, it carries a tag header that has an explicit VID; the ingress process directly passes the tagged frame to the forwarding process. An untagged frame does not carry any VID to which it belongs. When an untagged frame is received, the ingress process inserts a tag containing the PVID into the untagged frame. Each physical port has a default VID called the PVID (Port VID). This PVID is assigned to untagged frames or priority-tagged frames received on this port.
> After the ingress process, all frames have a 4-byte tag including VID information, and the frames go to the forwarding process.
Forwarding process
The forwarding decision is based on the filtering database.
The filtering database contains two tables:
- MAC table and VLAN table
First, check the destination MAC address against the MAC table; second, check the VLAN ID against the VLAN table.
MAC Table
Port   MAC Address          Aging
2      00:A0:C5:11:11:11    0
2      00:A0:C5:22:22:22    20
3      00:A0:C5:33:33:33    30
10     00:A0:C5:44:44:44    100
VLAN Table
VID    Egress Port   Register   Egress frame type
1      2             Static     Untag
1      3             Static     Tag
100    3             Static     Untag
> The forwarding process decides where to forward the received frames according to the filtering database. The filtering database contains two tables: a MAC table and a VLAN table. Frames coming from the ingress process are first bridged according to the MAC table and then forwarded based on the VLAN table. The egress port column of the VLAN table lists the allowed outgoing member ports of each VLAN: a frame carrying a given VID can only be forwarded out of a port that is listed as an egress port for that VID.
Egress rule
> The egress process decides whether an outgoing frame is sent with or without its tag. The egress rule consults the egress tag control (the egress frame type) in the filtering database. If the value is Tag, the frame leaves the egress port tagged. If the value is Untag, the tag is removed before the frame leaves the egress port.
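The ingress, forwarding and egress rules described above are steps of one pipeline, so here they are carried through together in an added example (written for this page, not code from the course or from Alcatel-Lucent). The MAC and VLAN tables are the ones shown on the slides; the port modes, PVIDs, MAC 00:A0:C5:55:55:55 and the frame bytes are assumptions constructed for the example. The frames omit the FCS.

```python
import struct

TPID_8021Q = 0x8100        # Ethertype (TPID) of an 802.1Q C-TAG
PRIORITY_TAGGED_VID = 0    # tag present but VID 0: classify by PVID

# Constructed sample addresses: the four entries of the slides' MAC table plus one
# unknown station (assumed, not on the slides) used to show flooding.
MAC11 = bytes.fromhex("00A0C5111111")
MAC22 = bytes.fromhex("00A0C5222222")
MAC33 = bytes.fromhex("00A0C5333333")
MAC44 = bytes.fromhex("00A0C5444444")
MAC_UNKNOWN = bytes.fromhex("00A0C5555555")
PAYLOAD = b"\x08\x00" + b"\x00" * 46   # length/type (IPv4) + minimal padded payload


def parse_frame(frame):
    """Split a frame into (dst, src, vid, pcp, rest).
    vid is None for an untagged frame; rest starts at the length/type field."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        return dst, src, tci & 0x0FFF, tci >> 13, frame[16:]
    return dst, src, None, 0, frame[12:]


def build_frame(dst, src, rest, vid=None, pcp=0):
    """Assemble a frame; a 4-byte tag is inserted after SA when vid is given."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return dst + src + tag + rest


class Bridge:
    """Minimal 802.1Q bridge: per-port ingress rule, filtering database, egress rule."""

    def __init__(self):
        self.ports = {}        # port -> (accepted frame types, PVID)
        self.mac_table = {}    # MAC -> port   (aging column omitted)
        self.vlan_table = {}   # VID -> {egress port: "Tag" | "Untag"}

    def add_port(self, port, pvid, accept="all"):
        self.ports[port] = (accept, pvid)

    def ingress(self, port, frame):
        """Ingress rule: returns (dst, src, vid, pcp, rest), or None if the frame is dropped."""
        accept, pvid = self.ports[port]
        dst, src, vid, pcp, rest = parse_frame(frame)
        if vid is None:
            if accept == "tagged_only":
                return None                       # untagged frames not admitted on this port
            vid = pvid                            # untagged: classify by PVID
        elif vid == PRIORITY_TAGGED_VID:
            vid = pvid                            # priority-tagged: also PVID
        # A tagged frame keeps whatever VID the sender wrote into the tag.
        return dst, src, vid, pcp, rest

    def forward(self, in_port, dst, src, vid):
        """Forwarding process: MAC table first, then VLAN table membership. Returns egress ports."""
        self.mac_table[src] = in_port             # source learning
        members = self.vlan_table.get(vid, {})
        out_port = self.mac_table.get(dst)
        if out_port is not None:
            # known destination: deliver only if that port is an egress member of the VID
            return [out_port] if out_port in members and out_port != in_port else []
        return [p for p in members if p != in_port]   # unknown destination: flood within the VLAN

    def egress(self, port, vid, pcp, dst, src, rest):
        """Egress rule: keep or strip the tag according to the VLAN table's egress frame type."""
        tagged = self.vlan_table[vid][port] == "Tag"
        return build_frame(dst, src, rest, vid if tagged else None, pcp)

    def switch(self, in_port, frame):
        """Run one frame through ingress -> forwarding -> egress; returns {egress port: frame}."""
        classified = self.ingress(in_port, frame)
        if classified is None:
            return {}
        dst, src, vid, pcp, rest = classified
        return {p: self.egress(p, vid, pcp, dst, src, rest)
                for p in self.forward(in_port, dst, src, vid)}


def example_bridge():
    """Bridge loaded with the MAC table and VLAN table from the slides.
    Port modes and PVIDs are assumptions made for the example."""
    b = Bridge()
    b.add_port(2, pvid=1)
    b.add_port(3, pvid=1)
    b.add_port(10, pvid=100, accept="tagged_only")
    b.mac_table.update({MAC11: 2, MAC22: 2, MAC33: 3, MAC44: 10})
    b.vlan_table = {1: {2: "Untag", 3: "Tag"}, 100: {3: "Untag"}}
    return b


if __name__ == "__main__":
    b = example_bridge()
    for port, frame in [(2, build_frame(MAC33, MAC11, PAYLOAD)),           # untagged -> PVID 1
                        (2, build_frame(MAC33, MAC11, PAYLOAD, vid=100)),  # tagged VID 100
                        (2, build_frame(MAC44, MAC11, PAYLOAD, vid=100)),  # port 10 not in VID 100
                        (10, build_frame(MAC33, MAC44, PAYLOAD))]:         # untagged on tagged-only port
        out = b.switch(port, frame)
        print(port, {p: parse_frame(f)[2] for p, f in out.items()} or "dropped")
```

The four frames in the usage section exercise each branch of the rules: the untagged frame from port 2 is classified into VID 1 and leaves port 3 tagged (VLAN table: VID 1, port 3, Tag); the VID 100 frame leaves port 3 untagged; the frame towards port 10 is dropped because port 10 is not an egress member of VID 100; and the untagged frame on the tagged-only port 10 never passes ingress. The `ingress` method deliberately trusts the VID of a received tag, as the slides describe; any further admission check on tagged frames would have to be added in that method.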
> The bridging entity of a VLAN Bridge consists of a single Customer-VLAN-aware Bridge component.
> Each port is capable of connecting to an IEEE 802 LAN.
> Adding/removing of Q-TAGs (C-TAGs) is supported on all ports.
VLAN stacking
Figure: stacked frame layout: DA | SA | S-TAG | C-TAG | length/type | PAYLOAD | FCS
> The number of VLAN identifiers is limited to 4K (the VID is a 12-bit field). Since a VLAN is an identifier with E-MAN-wide scope, this creates a scalability problem: with one-to-one mapping (cross-connect mode) no more than 4K end users can be connected to the whole E-MAN. To solve this, two VLAN tags are stacked and the cross-connection is performed on the combination (S-VLAN, C-VLAN), which theoretically allows up to 16M end users.
> With a single tag it is impossible to allocate the same VID to different customers: there is no customer traffic segregation, because VLANs of different customers with the same VID are handled as the same VLAN in the carrier network.
> IEEE 802.1ad does not only describe the S-VLAN for use in VLAN stacking. IEEE 802.1ad is an amendment to IEEE 802.1Q.
> VLAN Bridge = Customer Bridge = 802.1Q Bridge. A customer bridge is a VLAN-aware bridge as we knew them before people started to talk about VLAN stacking.
> A Provider Bridge (in provider networks) provides the same functionality as a Customer Bridge, but uses a different tag: the S-TAG (instead of the C-TAG). It comprises a single S-VLAN component. If the customer sends untagged Ethernet frames, they are sent toward the carrier network as single S-VLAN-tagged frames. A provider bridge cannot add a C-TAG to an untagged frame!
> Provider Edge Bridge (new): a Provider Bridge can additionally contain a Customer-VLAN-aware Bridge component, which duplicates the functionality of a VLAN Bridge, so that it comprises configuration of both C-VLAN and S-VLAN components. If the customer sends C-VLAN-tagged Ethernet frames, they are sent toward the carrier network as double-tagged frames.
Figure: Provider Bridge with Customer NW Port, Provider NW Port and Internal EISS; highlighted field = S-VLAN tag.
The incoming frame is forwarded according to the forwarding information base associated with the S-VLAN. The outgoing frame may carry an S-TAG or not (egress rule).
Figure: Provider Edge Bridge with Customer NW Port, Provider NW Port and Internal EISS.
An incoming frame on a provider edge port is forwarded internally depending on its C-TAG. This two-step approach enables a translation of C-VID to S-VID. The incoming frame is forwarded according to the forwarding information base associated with the C-VLAN or the S-VLAN, respectively, to which the frame belongs. The outgoing frame may carry an S-TAG or not (egress rule).
Figure: tagged frame layout: DA | SA | C-VLAN tag (TPID | TCI) | length/type | PAYLOAD (46-1500 bytes) | FCS
> Depending on the application, a single VLAN tag or two VLAN tags (VLAN stacking) may be present or absent on the Ethernet interface. In the case of VLAN stacking, the first (outer) VLAN tag is called the S-VLAN tag (Service Provider VLAN) and the second (inner) VLAN tag is called the C-VLAN tag (Customer VLAN).
> "Q-in-Q" is essentially the same thing as VLAN stacking, but it uses the same Ethertype (0x8100, the 802.1Q TPID) for both tags. Its advantage is that existing 802.1Q bridges can be used as a "provider bridge". At the time of this edition the Ethertype for the S-TAG was still undefined, but expected to differ from that of the C-TAG; IEEE 802.1ad subsequently assigned 0x88A8 to the S-TAG.
Figure: Provider Bridge with Customer NW Port, Provider NW Port and Internal EISS; highlighted field = S-VLAN tag.
A Provider Bridge ignores C-TAGs, except on Provider Edge Ports.
VLAN stacking can occur even if the incoming frame is untagged (at a provider edge port).
> VLAN stacking occurs when:
> a previously C-tagged frame enters the provider-owned portion of the network via a Provider Bridge and receives an S-TAG;
> a previously untagged frame enters the provider-owned portion of the network via a Provider Edge Port on a Provider Bridge, receiving first a C-TAG and then an S-TAG.
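The two stacking cases above, together with the Provider Bridge versus Provider Edge Bridge behaviour and the (S-VLAN, C-VLAN) cross-connection described on the earlier VLAN stacking slides, as an added example (written for this page; it is not code from the course or from Alcatel-Lucent). The S-TAG TPID 0x88A8 is the value IEEE 802.1ad assigned after this edition was written; the per-port S-VID, the C-VID to S-VID translation table and the frame bytes are assumptions constructed for the example, and the frames omit the FCS.

```python
import struct

TPID_C = 0x8100   # C-TAG TPID (IEEE 802.1Q)
TPID_S = 0x88A8   # S-TAG TPID as later assigned by IEEE 802.1ad (still undefined in this edition)
MAX_VID = 4094    # VIDs 0 and 4095 are reserved

# Constructed customer frame: DA, SA, IPv4 length/type, padded payload (no FCS).
DA = bytes.fromhex("00A0C5333333")
SA = bytes.fromhex("00A0C5111111")
UNTAGGED = DA + SA + b"\x08\x00" + b"\x00" * 46


def read_tags(frame):
    """Tag stack [(tpid, vid), ...], outermost first, plus the offset of the length/type field."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] in (TPID_S, TPID_C):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        tags.append((tpid, tci & 0x0FFF))
        off += 4
    return tags, off


def push_tag(frame, tpid, vid, pcp=0):
    """Insert a tag directly after SA, i.e. on top of whatever tag is already there."""
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag (the egress rule 'untagged' applied to that tag)."""
    if not read_tags(frame)[0]:
        raise ValueError("frame carries no tag")
    return frame[:12] + frame[16:]


def provider_bridge_ingress(frame, port_svid):
    """Provider Bridge (single S-VLAN component) at a customer-facing port: push the port's
    S-TAG and ignore any C-TAG. Untagged in -> single S-tagged out; C-tagged in -> double tagged."""
    return push_tag(frame, TPID_S, port_svid)


def provider_edge_ingress(frame, port_pvid, cvid_to_svid):
    """Provider Edge Bridge (C-VLAN and S-VLAN components) at a provider edge port:
    an untagged frame first gets a C-TAG with the port PVID, then the S-TAG selected by the
    C-VID (the two-step C-VID -> S-VID translation); a C-tagged frame gets only the S-TAG."""
    tags, _ = read_tags(frame)
    if not tags:
        frame = push_tag(frame, TPID_C, port_pvid)
        cvid = port_pvid
    elif tags[0][0] == TPID_C:
        cvid = tags[0][1]
    else:
        raise ValueError("frame already carries an S-TAG; not accepted from a customer port")
    return push_tag(frame, TPID_S, cvid_to_svid[cvid])


def cross_connect_key(frame):
    """(S-VID, C-VID) pair the provider network cross-connects on; C-VID is None when only an
    S-TAG is present. A frame whose outer tag is not an S-TAG is not a provider frame."""
    tags, _ = read_tags(frame)
    if not tags or tags[0][0] != TPID_S:
        raise ValueError("outer tag is not an S-TAG")
    cvid = tags[1][1] if len(tags) > 1 and tags[1][0] == TPID_C else None
    return tags[0][1], cvid


def end_user_capacity(stacked):
    """Distinct identifiers available for one-to-one cross-connection: 4094 with a single
    VID, 4094 * 4094 (about 16M) with an (S-VID, C-VID) pair."""
    return MAX_VID * MAX_VID if stacked else MAX_VID


if __name__ == "__main__":
    c_tagged = push_tag(UNTAGGED, TPID_C, 10)
    translation = {7: 300, 10: 301}          # assumed C-VID -> S-VID table for the edge port
    for name, f in [("PB, untagged", provider_bridge_ingress(UNTAGGED, 200)),
                    ("PB, C-tagged", provider_bridge_ingress(c_tagged, 200)),
                    ("PEB, untagged", provider_edge_ingress(UNTAGGED, 7, translation)),
                    ("PEB, C-tagged", provider_edge_ingress(c_tagged, 7, translation))]:
        print(name, [(hex(t), v) for t, v in read_tags(f)[0]], cross_connect_key(f))
    print("capacity:", end_user_capacity(False), "->", end_user_capacity(True))
```

`provider_bridge_ingress` never looks at the customer's tag, which is exactly what gives customer segregation inside the carrier: two customers both using C-VID 10 end up under different S-VIDs and different (S-VID, C-VID) keys. `provider_edge_ingress` refuses a frame that already arrives S-tagged on the customer side, a design choice for this example rather than a rule from the slides. Because `read_tags` accepts both TPIDs, a Q-in-Q frame with 0x8100 in both positions still parses as two tags, but `cross_connect_key` rejects it since its outer tag is not an S-TAG.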