
University

Ethernet framing & VLAN technology

Alcatel-Lucent University Antwerp


During class please switch off your mobile phone, pager or any other device that may interrupt. Entry level requirements:

3FL00250_A Ed 03

2008 Alcatel-Lucent., All rights reserved

Table of contents
Ethernet framing . . . . . . . . . . . . p. 3
Virtual Local Area Networks . . . . . . p. 13


University
Ethernet framing


Ethernet, Ethernet and Ethernet


IEEE 802.3 protocol: derived from the original Xerox (DIX) Ethernet, the link layer used by the Xerox Network Systems (XNS) suite.
IEEE 802.3 protocol: commonly called Ethernet. Three different versions exist:
- IEEE 802.3 frame with Type field and any protocol in payload
- IEEE 802.3 frame with Length field and LLC header
- IEEE 802.3 frame with Length field and LLC/SNAP header

Ethernet v2 is a valid IEEE 802.3 frame.
Used in Local Area Networks (LAN); uses CSMA/CD.

> When somebody says that they are running Ethernet on their network, inevitably you have to ask: "Which Ethernet?". Currently there are many versions of the Ethernet frame format in the commercial marketplace, all subtly different and not necessarily compatible with each other.
> The explanation for the many types of Ethernet frame formats on the marketplace lies in Ethernet's history.
> In 1972, work on the original version of Ethernet, Ethernet Version 1, began at the Xerox Palo Alto Research Center. Version 1 Ethernet was released in 1980 by a consortium of companies comprising DEC, Intel and Xerox. In the same year, the IEEE meetings on Ethernet began. In 1982, the DIX (DEC/Intel/Xerox) consortium released Version II Ethernet, and since then it has almost completely replaced Version I in the marketplace. In 1983 Novell NetWare '86 was released, with a proprietary frame format based on a preliminary release of the 802.3 spec. Two years later, when the final version of the 802.3 spec was released, it had been modified to include the 802.2 LLC header, making NetWare's proprietary format incompatible. Finally, the 802.3 SNAP format was created to address backwards compatibility issues between Version 2 and 802.3 Ethernet.
> As you can see, the large number of players in the Ethernet world has created a number of different choices. The bottom line is this: either a particular driver supports a particular frame format, or it doesn't. Typically, Novell stations can support any of the frame formats, while TCP/IP stations will support only one, although there are no hard and fast rules in networking.
> CSMA/CD: Carrier Sense Multiple Access with Collision Detection


Common fields in the different "flavors" of Ethernet

  preamble (7B) | SFD (1B) | DA (6B) | SA (6B) | ... (frame-type specific) | FCS (4B)

  preamble, SFD: fixed sequence to alert the receiver
  DA: Destination MAC address
  SA: Source MAC address
  FCS: Frame Check Sequence, CRC

> In the following slides we will outline the specific fields in the different types of Ethernet frames. But first let's look at the fields that are common to each type of Ethernet frame.
> The Preamble and SFD (Start Frame Delimiter): regardless of the frame type being used, the means of digital signal encoding on an Ethernet network is the same. While a discussion of Manchester encoding is beyond the scope of this course, it is sufficient to say that on an idle Ethernet network there is no signal. Because each station has its own oscillating clock, the communicating stations have to have some way to "synch up" their clocks and thereby agree on how long one bit time is. The preamble facilitates this. The preamble with SFD consists of 8 bytes of alternating ones and zeros (seven bytes of 10101010), ending in 11 (the SFD byte 10101011).
> A station on an Ethernet network detects the change in voltage that occurs when another station begins to transmit and uses the preamble to "lock on" to the sending station's clock signal. Because it takes some time for a station to lock on, it does not know how many bits of the preamble have gone by. For this reason we say that the preamble is "lost" in the synching-up process. No part of the preamble ever enters the adapter's memory buffer. Once locked on, the receiving station waits for the 11 that signals that the Ethernet frame follows.
> The Destination MAC address and Source MAC address fields are 6 bytes in length. The first three bytes of a MAC address (the OUI) are assigned by the IEEE to the vendor of the adapter and are therefore specific to that vendor; the vendor assigns the remaining three bytes.
> FCS = Frame Check Sequence: a 32-bit CRC computed over everything from DA up to the last data or pad byte. A receiver discards any frame whose computed CRC does not match the FCS, so the FCS detects corruption in transit but offers no protection against a deliberately altered frame, which simply carries a recomputed FCS.


IEEE 802.3 Ethernet frame interpretation

Based on type or length field
Frame size: Min 64 bytes, Max 1518 bytes

  DA (6B) | SA (6B) | Length or Type (2B) | ... | FCS (4B)
  |------- Data Link Header -------|

  Length or Type: frame length (<= 1500) or type information (>= 1536)

> In the case of an IEEE 802.3 Ethernet frame, frame interpretation is based on the Type or Length field. If the value of the field is less than or equal to 1500 decimal (0x05DC), the field is interpreted as a Length field. If the value is greater than or equal to 1536 decimal (0x0600), it is interpreted as a Type field (an Ethertype). Values from 1501 to 1535 are not defined by the standard, so a receiver should treat a frame carrying one of them as malformed rather than guess.


IEEE 802.3 frame with type field

Commonly called Ethernet v2 Frame
Frame size: Min 64 bytes, Max 1518 bytes

  DA (6B) | SA (6B) | Type (2B) | PAYLOAD (46-1500 bytes) | FCS (4B)
  |----- Data Link Header ----|

TYPE >= 1536:
  0x0800 = IP
  0x0806 = ARP
  0x8035 = RARP
  0x888E = 802.1X
  0x8863 = PPPoE control frames
  0x8864 = PPPoE data frames

  Type 0800: IP Datagram (46-1500 bytes)
  Type 0806: ARP Request / ARP Reply (28 bytes) + PAD (18 bytes)
  Type 8035: RARP Request / RARP Reply (28 bytes) + PAD (18 bytes)

> The 802.3 specification includes the possibility of a frame with a Type field and any protocol in the payload. This way the Ethernet II frame defined by DIX (DEC, Intel and Xerox) is also a valid 802.3 frame.
> Like the 802.3 LLC format (see later), the Version II format defines a Data Link Header consisting of 14 bytes (6+6+2) of information, but the Version II format does not specify an LLC header.
> The Type field is 2 bytes and contains the value that defines the protocol that is being encapsulated in the data payload. This Ethertype is expressed in hexadecimal; all Ethertype values are greater than 1500 decimal (in fact at least 1536, 0x0600).
> Because there is no length field, a receiver cannot tell payload from padding in a short Ethernet II frame (an ARP reply arrives with 18 pad bytes attached); the encapsulated protocol has to carry its own length, as IP does in its total-length field.
> At the physical layer, the DST MAC field is preceded by a 7-byte preamble and a 1-byte start of frame delimiter.
> At the end of the Data field is a 4-byte FCS.
> The minimum frame size for Ethernet media without the preamble is 64 bytes and the maximum frame size without the preamble is 1518 bytes. Hence the minimum frame size on Ethernet with the preamble and SFD is 72 bytes and the maximum is 1526 bytes.
> Note: Preamble and SFD are not shown on the slide.


IEEE 802.3 frame with 802.2 LLC header

Defining Service Access Points (SAPs): SAPs ensure that the same Network Layer protocol is used at the source and at the destination.
TCP/IP talks to TCP/IP, IPX/SPX talks to IPX/SPX: Destination SAP / Source SAP.
Frame size: Min 64 bytes, Max 1518 bytes

  DA (6B) | SA (6B) | Length (2B) | DSAP (1B) | SSAP (1B) | CONTR (1B) | PAYLOAD (43-1497 bytes) | FCS (4B)
  |------ Data Link Header -----| |---------- 802.2 LLC ----------|

  Length: frame length (<= 1500)

SAP values:
  02 = Individual LLC Sublayer Management Function
  03 = Group LLC Sublayer Management Function
  04 = IBM SNA Path Control (individual)
  05 = IBM SNA Path Control (group)
  06 = ARPANET Internet Protocol (IP)
  AA = SubNetwork Access Protocol (SNAP)
  E0 = Novell NetWare
  F0 = IBM NetBIOS

> The following describes the LLC frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length.
> The Length field is 2 bytes and contains the number of bytes of MAC client data that follow it (the LLC header plus payload), not including the preamble, the 32-bit CRC, the MAC addresses, the Length field itself or any padding. An Ethernet frame can be no shorter than 64 bytes total length and no longer than 1518 bytes total length.
> The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload.
> The DSAP, or Destination Service Access Point, is a 1-byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving network interface card in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks.
> The SSAP, or Source Service Access Point, is analogous to the DSAP and specifies the source of the sending process.
> Following the SAPs is a one-byte Control field that specifies the type of LLC frame this is; the value 0x03 (unnumbered information) is the one used for connectionless traffic such as IP and for SNAP.


IEEE 802.3 SNAP header

Due to the growing number of applications using the IEEE 802.2 LLC header, an extension was made: the introduction of the IEEE 802.3 Sub Network Access Protocol (SNAP) header.

DSAP = 0xAA, SSAP = 0xAA indicates that a SNAP header is used.

  DSAP AA (1B) | SSAP AA (1B) | CONTROL 03 (1B) | 00-00-00 (3B) | TYPE (2B)
  |-------------- LLC --------------| |---------- SNAP ---------|

> While the original 802.3 specification worked well, the IEEE realised that some upper-layer protocols required an Ethertype to work properly. For example, TCP/IP uses the Ethertype to differentiate between ARP packets and normal IP data frames. In order to provide this backwards compatibility with the Version II frame type, the 802.3 SNAP (SubNetwork Access Protocol) format was created.
> The SNAP frame format consists of a normal 802.3 Data Link Header followed by an 802.2 LLC header (DSAP = SSAP = 0xAA, Control = 0x03) and then a 5-byte SNAP field, followed by the normal user data and FCS.
> The Sub-Network Access Protocol (SNAP) header: the first 3 bytes of the SNAP header are the vendor code, an OUI of the same kind as the first three bytes of a MAC address; it is often set to 00-00-00. Following the vendor code is a 2-byte field: when the vendor code is 00-00-00 this field contains an Ethertype for the frame, otherwise its meaning is defined by the owner of the OUI. This is where the backwards compatibility with Version II Ethernet is implemented.


IEEE 802.3 frame with 802.2 LLC / 802.3 SNAP header

Type field provides backwards compatibility with the Ethernet v2 frame.
Frame size: Min 64 bytes, Max 1518 bytes

  DA (6B) | SA (6B) | Length (2B) | AA (1B) | AA (1B) | 03 (1B) | 00.00.00 (3B) | Type (2B) | PAYLOAD (38-1492 bytes) | FCS (4B)
  |----- Data Link Header -----| |------ 802.2 LLC ------| |-------- SNAP --------|

TYPE:
  0x0800 = IP
  0x0806 = ARP
  0x8035 = RARP
  0x888E = 802.1X
  0x8863 = PPPoE control frames
  0x8864 = PPPoE data frames

> The following describes the SNAP frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length. The Length field is 2 bytes and contains the length of the MAC client data. The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload; in this case both are constant with the value 0xAA, which announces that a SNAP header follows the LLC header. The SNAP header contains a 3-byte vendor code (00-00-00) and a 2-byte Type field whose value defines the protocol being encapsulated in the data payload, using the same Ethertype values as Ethernet v2.


Ethernet frames - summary

Ethernet version 2 (Xerox) MAC frame
- has an Ethertype field
- indicates which protocol is inside the data section; value always >= 06-00 hex (1536), hence always > 05-DC hex (1500)

802.3 has a Length or Type field
- if <= 05-DC hex: IEEE 802.3 Length field
- if >= 06-00 hex: IEEE 802.3 Type field
- Type field gives a protocol identification (same as Ethertype)

802.3 incorporates aspects of Ethernet version 2 and is intended to replace it for high-speed Ethernet networks.
Ethernet v2 is a valid 802.3 frame.


IP over Ethernet/IEEE 802 example

ETHERNET II:
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Type 08-00 (2 bytes) | IP datagram | FCS (4)

IEEE 802.3 / IEEE 802.2 LLC:
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | LSAP 06 06 + control (3 bytes) | IP datagram | FCS (4)

IEEE 802.3 / IEEE 802.2 LLC / SNAP:
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | LSAP AA AA 03 (3 bytes) | SNAP 00.00.00 08.00 (5 bytes) | IP datagram | FCS (4)
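The three encapsulations of the IP datagram shown above, together with the Type/Length dispatch rule and the FCS check from the earlier slides, as an added worked example in Python that is not part of the original course material: it builds each frame form, verifies the FCS, and decodes the header by first classifying the 2-byte field after SA. The MAC addresses and the 20-byte IP-like payload used below are constructed for the example. `zlib.crc32` is used because the Ethernet FCS is the same reflected CRC-32 polynomial, transmitted least-significant byte first.

```python
import struct
import zlib

ETHERTYPE_MIN = 0x0600          # values >= 1536 are Ethertypes
LENGTH_MAX = 0x05DC             # values <= 1500 are lengths; 1501..1535 are undefined
SNAP_SAP = 0xAA
LLC_UI = 0x03                   # LLC control byte: unnumbered information
MIN_FRAME, MAX_FRAME = 64, 1518 # untagged frame, without preamble/SFD

ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x888E: "802.1X",
              0x8863: "PPPoE control", 0x8864: "PPPoE data"}


def fcs(body: bytes) -> bytes:
    """FCS = CRC-32 over DA..last data/pad byte, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def classify_type_or_length(value: int) -> str:
    """The dispatch rule from the 'frame interpretation' slide."""
    if value <= LENGTH_MAX:
        return "length"
    if value >= ETHERTYPE_MIN:
        return "type"
    return "undefined"


def _finish(da: bytes, sa: bytes, fields: bytes, client_data: bytes) -> bytes:
    """Pad to the 64-byte minimum (FCS included) and append the FCS."""
    body = da + sa + fields + client_data
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + fcs(body)


def build_ethernet2(da, sa, ethertype, payload):
    return _finish(da, sa, struct.pack("!H", ethertype), payload)


def build_llc(da, sa, dsap, ssap, payload, control=LLC_UI):
    client = bytes([dsap, ssap, control]) + payload
    return _finish(da, sa, struct.pack("!H", len(client)), client)   # Length = LLC + payload


def build_snap(da, sa, ethertype, payload, oui=b"\x00\x00\x00"):
    client = bytes([SNAP_SAP, SNAP_SAP, LLC_UI]) + oui + struct.pack("!H", ethertype) + payload
    return _finish(da, sa, struct.pack("!H", len(client)), client)


def parse_frame(frame: bytes) -> dict:
    """Check size and FCS, then decode the header according to the Type/Length value."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame size {len(frame)} outside {MIN_FRAME}..{MAX_FRAME}")
    body, rx_fcs = frame[:-4], frame[-4:]
    if fcs(body) != rx_fcs:
        raise ValueError("FCS mismatch: frame corrupted in transit, discard")
    da, sa, type_or_len = struct.unpack("!6s6sH", body[:14])
    rest = body[14:]
    info = {"da": da.hex(":"), "sa": sa.hex(":")}
    kind = classify_type_or_length(type_or_len)
    if kind == "type":
        # Ethernet II: no length field, so pad bytes cannot be told apart from payload here
        info.update(encapsulation="Ethernet II", ethertype=type_or_len,
                    protocol=ETHERTYPES.get(type_or_len, "unknown"), payload=rest)
        return info
    if kind == "undefined":
        raise ValueError(f"type/length value {type_or_len} is in the undefined range 1501..1535")
    if type_or_len < 3 or type_or_len > len(rest):
        raise ValueError("length field inconsistent with the data present")
    data = rest[:type_or_len]            # the Length field lets us drop the pad
    dsap, ssap, control = data[0], data[1], data[2]
    if dsap == SNAP_SAP and ssap == SNAP_SAP and control == LLC_UI and len(data) >= 8:
        ethertype = struct.unpack("!H", data[6:8])[0]
        info.update(encapsulation="802.3/LLC/SNAP", oui=data[3:6].hex("-"), ethertype=ethertype,
                    protocol=ETHERTYPES.get(ethertype, "unknown"), payload=data[8:])
    else:
        info.update(encapsulation="802.3/LLC", dsap=dsap, ssap=ssap, control=control,
                    payload=data[3:])
    return info


if __name__ == "__main__":
    da, sa = bytes.fromhex("ffffffffffff"), bytes.fromhex("001122334455")   # constructed
    ip = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16                     # constructed IP-like payload
    for f in (build_ethernet2(da, sa, 0x0800, ip), build_llc(da, sa, 0x06, 0x06, ip),
              build_snap(da, sa, 0x0800, ip)):
        print(len(f), {k: v for k, v in parse_frame(f).items() if k != "payload"})
```

Note what the length field buys the LLC and SNAP forms: the parser returns exactly the 20 payload bytes, whereas for the Ethernet II form it returns all 46 bytes including the pad, because nothing at this layer says where the data ends. A frame with a bad FCS or a Type/Length value in 1501..1535 is rejected rather than interpreted.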


University

Virtual Local Area Networks - VLAN


What is a LAN?

Local Area Network (LAN)
- Single broadcast domain
- Same subnet
- Everyone can communicate with each other on the LAN
- No routing between members of a LAN
- Routing required between LANs

(Figure: Corporate LAN)

> To understand VLAN, you need to understand LAN first. A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment connect all end node devices. End nodes can communicate with each other without the need for a router. However communications with devices on different LAN segments requires the use of a router.


What is VLAN?

Virtual Local Area Network (VLAN)
- Used to separate the physical LAN into logical LANs
- Logical broadcast / multicast domain
- Inter-VLAN communication: only via higher-layer devices (e.g. IP routers)
- VLAN membership defined by the network manager

(Figure: Corporate LAN divided into Marketing LAN, Engineering LAN and Administration LAN)

> VLAN allows a network manager to logically segment a LAN into different broadcast domains. Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN.
> VLAN also allows broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are included in the broadcast domain. Routers only have to be used to communicate between two VLANs.
> Communication between nodes that are attached to a single physical LAN infrastructure is only possible if they are members of the same VLAN. Inter-VLAN communication requires a higher-layer packet forwarder such as a router to forward packets between the VLANs it belongs to.
> A router that only routes packets and does not bridge frames is said to terminate the VLAN. This means that the router uses VLANs to partition a single Ethernet interface into a number of logical sub-interfaces, one for each VLAN. Such a logical interface is called a VLAN-terminated (sub-)interface.


VLAN benefits
Performance
VLANs free up bandwidth by limiting traffic.

Formation of Virtual Workgroups


Users and resources that communicate frequently with each other can be grouped into a VLAN, regardless of physical location.

Simplified Administration
Adding or moving nodes => can be dealt with quickly and conveniently from the management console rather than the wiring closet

Reduced Cost
Use of VLANs can eliminate the need for expensive routers With a VLAN-enabled adapter, a server can be a member of multiple VLANs.

Security
VLANs create virtual boundaries that can only be crossed through a router.


> VLANs offer a number of advantages over traditional LANs:
> 1) Performance. In networks where traffic consists of a high percentage of broadcasts and multicasts, VLANs can reduce the need to send such traffic to unnecessary destinations. E.g., in a broadcast domain consisting of 10 users, if the broadcast traffic is intended only for 5 of the users, then placing those 5 users on a separate VLAN can reduce traffic. Compared to switches, routers require more processing of incoming traffic. As the volume of traffic passing through the routers increases, so does the latency in the routers, which results in reduced performance. The use of VLANs reduces the number of routers needed, since VLANs create broadcast domains using switches instead of routers.
> 2) Formation of virtual workgroups. Nowadays it is common to find cross-functional product development teams with members from different departments such as marketing, sales, accounting and research. These workgroups are usually formed for a short period of time. During this period, communication between members of the workgroup will be high. To contain broadcasts and multicasts within the workgroup, a VLAN can be set up for them. Each group's traffic is largely contained within the VLAN. With VLANs it is easier to place members of a workgroup together. Without VLANs, the only way this would be possible is to physically move all the members of the workgroup closer together.
> 3) Simplified administration. Seventy percent of network costs are a result of adds, moves and changes of users in the network. Every time a user is moved in a LAN, recabling, new station addressing and reconfiguration of hubs and routers become necessary. Some of these tasks can be simplified with the use of VLANs. If a user is moved within a VLAN, reconfiguration of routers is unnecessary. In addition, depending on the type of VLAN, other administrative work can be reduced or eliminated.
> 4) Reduced cost. VLANs can be used to create broadcast domains which eliminate the need for expensive routers. With a VLAN-enabled adapter, a server can be a member of multiple VLANs. This reduces the need to route traffic to and from the server.
> 5) Security. VLANs create virtual boundaries that can only be crossed through a router. The boundary is enforced by the bridges' VLAN classification of each port (see the following slides): a frame is only delivered to ports that belong to its VLAN, so the router that terminates the VLANs is the one place where traffic between them can be filtered.

How VLANs work

VLANs can be distinguished by the method used to indicate membership when a packet travels between switches:
- Implicit
- Explicit

VLAN membership can be classified by:
- Port
- Protocol type
- MAC address
- IP address

IEEE 802.1Q:
- Explicit: 802.1Q tag
- Implicit: port based; port and protocol based

> In order to understand how VLANs work, we need to look at the types of VLANs, the types of connections between devices on VLANs, the filtering database which is used to send traffic to the correct VLAN, and tagging, a process used to identify the VLAN originating the data.
> A first and important distinction between VLAN implementations is the method used to indicate membership when a packet travels between switches. Two methods exist: implicit and explicit.
> When a LAN bridge receives data from a workstation, it can tag the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging: a tag is added to the frame to indicate VLAN membership. The IEEE 802.1Q VLAN specification uses this method. The VLAN chosen for the tag can be based on the port from which the frame came, the source Media Access Control (MAC) address, the source network address, or some other field or combination of fields. VLANs are classified based on the method used.
> It is also possible to determine to which VLAN the received data belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on information such as the port on which the data arrived, or VLAN membership is indicated by the MAC address. In the latter case, all switches that support a particular VLAN must share a table of member MAC addresses.
> VLAN classification according to IEEE 802.1Q is done based on the tag (explicit), the port (implicit), or port-and-protocol (implicit). Other criteria (such as MAC address or IP address) are non-standard.


Layer 1 VLAN: Membership by port

Membership in a VLAN is defined based on the ports that belong to the VLAN.
Also referred to as port switching.

- Does not allow user mobility
- Does not allow multiple VLANs to include the same physical segment (or switch port)

(Figure: port-to-VLAN assignment table for switch ports 1 to 9)

> In this implementation, the administrator assigns each port of a switch to a VLAN.
> The switch determines the VLAN membership of each packet by noting the port on which it arrives.
> The primary limitation of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another: the new port has to be reassigned to the user's old VLAN. The network change is then completely transparent to the user, and the administrator saves a trip to the wiring closet.
> Another significant drawback arises when a repeater is attached to a port on the switch. In that case, all of the users connected to that repeater must be members of the same VLAN.


Layer 2 VLAN: Membership by MAC address

Membership in a VLAN is based on the MAC address of the workstation.
The switch tracks the MAC addresses which belong to each VLAN.

Provides full user movement: clients and server are always on the same LAN regardless of location.

Disadvantages
- Too many addresses need to be entered and managed
- Notebook PCs change docking stations

(Figure: MAC-address-to-VLAN table for MAC@A, MAC@B, MAC@C and MAC@D)

> The VLAN membership of a packet in this case is determined by its source or destination MAC address. Each switch maintains a table of MAC addresses and their corresponding VLAN memberships.
> A key advantage of this method is that the switch does not need to be reconfigured when a user moves to a different port. However, assigning VLAN membership to each MAC address can be a time-consuming task. Also, a single MAC address cannot easily be a member of multiple VLANs. This can be a significant limitation, making it difficult to share server resources between more than one VLAN.
> The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured. Since the MAC address is supplied by the station itself, membership by MAC address also rests on the station reporting its address truthfully.


Layer 3 VLAN: Membership by protocol type

Membership implied by the MAC protocol type field. This is the most flexible method and provides the most logical grouping of users.

  preamble | SFD | DA | SA | Length or Type | PAYLOAD (46-1500 bytes) | FCS

  PROTOCOL   VLAN
  IP         1
  IPX        2

> VLANs based on layer 3 information take into account the protocol type (if multiple protocols are supported) and possibly the network-layer address (e.g., the subnet address for TCP/IP networks) in determining VLAN membership. An IP subnet or an IPX network, for example, can each be assigned its own VLAN.
> Although these VLANs are based on layer 3 information, this does not constitute a routing function and should not be confused with network-layer routing.
> When VLAN membership is based only on the protocol type field found in the layer 2 header, we talk about protocol-based VLANs.


Layer 3 VLAN: Membership by IP subnet address

The network IP subnet address (layer 3 header) can be used to classify VLAN membership: one VLAN per subnet.

  SUBNET/MASK        HOSTS
  138.22.24.0/24     IP@ 138.22.24.5, IP@ 138.22.24.10
  138.21.35.0/24     IP@ 138.21.35.47, IP@ 138.21.35.58

> In this method, IP addresses are used only as a mapping to determine membership in VLANs. No other processing of IP addresses is done. No route calculation is undertaken, RIP or OSPF protocols are not employed, and frames traversing the switch are bridged according to the implementation of the Spanning Tree Algorithm. Therefore, from the point of view of a switch employing layer 3-based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology.
> Having made the distinction between VLANs based on layer 3 information and routing, it should be noted that some vendors are incorporating varying amounts of layer 3 intelligence into their switches, enabling functions normally associated with routing.
> Nevertheless, a key point remains: no matter where it is located in a VLAN solution, routing is necessary to provide connectivity between distinct VLANs. There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Secondly, users can physically move their workstations without having to reconfigure each workstation's network address, a benefit primarily for TCP/IP users.
> One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames.


VLAN types - Glossary/Terminology

Port based VLAN classification
- VID based on port of arrival
- Frame receives the Port VLAN Identifier (PVID)

Default VID
- Not standardized within 802.1Q
- Interpretation according to context; often equals PVID

Port-and-protocol-based VLAN classification
- VID based on port of arrival and the protocol identifier of the frame
- Multiple VLAN IDs associated with a port of the bridge: the VID set

> A VLAN bridge supports port-based VLAN classification and may, in addition, support port-and-protocol-based VLAN classification.
> In port-based VLAN classification within a bridge, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge. This classification mechanism requires the association of a specific Port VLAN Identifier, or PVID, with each of the bridge's ports. In this case, the PVID for a given port provides the VLAN ID for untagged and priority-tagged frames received through that port.
> For bridges that implement port-and-protocol-based VLAN classification, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge and on the protocol identifier of the frame. For port-and-protocol-based classification, the VLAN bridge has to look at the Ethertype, the SSAP, or the SNAP type of the incoming frames. When the protocol is identified, the VID associated with the protocol group to which the protocol belongs is assigned to the frame. This classification mechanism requires the association of multiple VLAN IDs with each of the ports of the bridge; this is known as the VID Set for that port.


Access Link

Access link: a link between a computer (PC, SUN, ...) and a switch. It most typically carries traffic of VLAN-unaware devices and as such the frames on an access link are untagged.

(Figure: VLAN aware bridge -- access link -- VLAN unaware workstation)

> Inside the world of VLANs there are three types of interfaces / links. These links allow us to connect multiple switches together, or simple network devices (e.g. a PC) that will access the VLAN network. Depending on their configuration, they are called Access Links, Trunk Links or Hybrid Links.
> The division is based on whether the connected devices are VLAN-aware or VLAN-unaware. Recall that a VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.
> The type of link where only traffic for a single VLAN is passed is referred to as an "Access Link".
> When configuring ports on a switch to act as Access Links, we configure only one VLAN per port, that is, the VLAN our device will be allowed to access. An access link is a link that belongs to one, and only one, VLAN. The port is not capable of receiving information from another VLAN unless the information has been routed. The port is not capable of sending information to another VLAN unless the port has access to a router.
> The access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. Any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed, so the recipient has no information about them.
> All frames on access links are implicitly tagged (i.e. untagged); the bridge assigns them to the port's VLAN on arrival. The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations, or it can be a number of LAN segments containing VLAN-unaware devices (a legacy LAN).


Trunk Link

Trunk link: a link between switches, most typically carrying traffic of multiple VLANs, so that the VLANs span all network switches.

(Figure: two VLAN aware bridges connected by a trunk link, with a VLAN aware workstation attached via an access link)

> What we have seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. Another type of port configuration is the Trunk port.
> While an access link does the job for a single-VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single link. The solution for this comes through the use of VLAN tagging.
> When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging (explicit tagging) method on the ports that supply the link. A trunk link is capable of transferring frames from many different VLANs through the use of technologies like 802.1Q.
> A Trunk Link, or 'Trunk', is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span multiple switches.
> All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached (tagged frames).


Hybrid Link

Hybrid link: a link which carries tagged as well as untagged traffic, for VLAN aware as well as VLAN unaware devices (all frames for a specific VLAN are either tagged or untagged).

(Figure: two VLAN aware bridges connected by a trunk link; access links to a VLAN aware workstation and a VLAN unaware workstation)

> The Hybrid Link is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can carry both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.


Q-VLAN tag (IEEE 802.1Q)

Also referred to as C-VLAN tag (Customer VLAN tag)

VLAN Bridge: Q-VLAN aware bridge comprising a single Q-VLAN component
Frame size: Min 68 bytes, Max 1522 bytes

  preamble | SFD | DA | SA | TPID | TCI | length/type | PAYLOAD (46-1500 bytes) | FCS

  TPID: Tag Protocol Identifier, 2 bytes, 802.1Q tag-type (value 81 00)
  TCI:  Tag Control Information, 2 bytes:
        - 3 bits:  Priority p-bits (802.1p), 8 values
        - 1 bit:   CFI
        - 12 bits: VLAN_ID (Q-TAG, 802.1Q), 4096 values

> We saw that when frames are sent across the network there needs to be a way of indicating to which VLAN a frame belongs, so that the bridge will forward the frame only to those ports that belong to that VLAN, instead of to all output ports as would normally be done. This information is added to the frame in the form of a tag header; there are different ways to determine VLAN membership.
> Tagging an Ethernet frame consists of adding a 4-byte tag between the Source MAC address and the Length/Type field; the tag specifies the VLAN ID and the priority. Since the tag adds 4 bytes, a tagged copy of a minimum-size or maximum-size untagged frame is 68 or 1522 bytes; a station that tags at the source pads only up to the normal minimum, so tagged frames of 64 bytes also occur.
> TPID is the Tag Protocol Identifier, which indicates that a tag header follows. TPID has the defined value 0x8100. When a frame has the Ethertype 0x8100, it carries an IEEE 802.1Q/802.1p tag, and the original Length/Type field follows the tag.
> The TCI (Tag Control Information) contains three parts: the user priority, the Canonical Format Indicator (CFI) and the VLAN ID.
> User priority is a 3-bit field that allows priority information to be encoded in the frame. Eight levels of priority are allowed, where zero is the lowest priority and seven the highest. How this field is used is described in the supplement 802.1p.
> The CFI bit is used to indicate that all MAC addresses present in the MAC data field are in canonical format. This field is interpreted differently depending on whether it is an Ethernet-encoded tag header or a SNAP-encoded tag header.
> The VID field uniquely identifies the VLAN to which the frame belongs. There can be a maximum of 2^12 - 2 = 4094 VLANs: VID zero indicates that there is no VLAN ID but that user priority information is present (this allows priority to be encoded on LANs that do not use VLANs), and VID 0xFFF is reserved.


802.1Q Tag-based Glossary/Terminology

Untagged frame
A frame that doesn't contain a tag header

Priority-tagged frame
A frame whose tag header carries priority but no VLAN ID (VID=0)

VLAN-tagged frame
A frame whose Q-tag header carries both priority and VID

802.1Q Tag VLAN
Each VLAN group has a unique VID
Each member of a VLAN group can talk to the others

VLAN-aware
The device can recognize and support VLAN-tagged frames

VLAN-unaware
The device can't recognize VLAN-tagged frames

27

> Untagged frame: An untagged frame is a frame that does not contain a tag header immediately following the Source MAC Address field of the frame or, if the frame contained a Routing Information field, immediately following the Routing Information field.
> Priority-tagged frame: A tagged frame whose tag header carries priority information, but carries no VLAN identification information.
> VLAN-tagged frame: A tagged frame whose tag header carries both VLAN identification and priority information.
> An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs. Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving port, or, through proprietary extensions to this standard, based on the data content of the frame (e.g., MAC Address, layer 3 protocol ID, etc.: implicit tagging).
> Priority-tagged frames, which, by definition, carry no VLAN identification information, are treated the same as untagged frames.
> A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a tag header that carries a non-null VID. Such a frame is classified as belonging to a particular VLAN based on the value of the VID that is included in the tag header.
> Each VLAN group has a unique VID, and the ports with the same VID can communicate with each other. It is important for a LAN bridge (switch) to determine which devices are VLAN-aware or VLAN-unaware. A VLAN-aware device can recognize and support VLAN-tagged frames, but a VLAN-unaware device can't. So the bridge can decide whether to forward a tagged packet (to a VLAN-aware device) or first strip the tag from the packet and then forward it (to a VLAN-unaware device).


Forwarding engine - Glossary/Terminology

Ingress
Towards the forwarding engine

Egress
Out of the forwarding engine

Upstream
From user to network

Downstream
From network to user

[Figure: End-user - Ethernet port - Forwarding engine - Ethernet port - End-user, with the Ingress/Egress and Upstream/Downstream directions marked]

28


The 802.1Q process

Ingress Rule
Classify the received frames as belonging to a VLAN

Forwarding Process
Decide to filter or forward the frame

Egress Rule
Decide if the frames must be sent tagged or untagged

[Figure: Packet Receive -> Ingress Rule -> Forwarding Process (Filtering Database) -> Egress Rule -> Packet Transmit]

29

> When the bridge receives the data/Ethernet frames, it determines to which VLAN the data belongs, either by implicit or explicit tagging. In explicit tagging a tag header is added to the data.
> According to the VID information the switch forwards and filters the frames among ports. The bridge keeps track of VLAN members in a filtering database, which it uses to determine where the data is to be sent.
> The ports with the same VID can communicate with each other.
> The IEEE 802.1Q VLAN function consists of the following three tasks: ingress process, forwarding process and egress process.
> When a frame enters the tag VLAN switch, the ingress process classifies the received frame first and then passes the frame to the forwarding process. After the forwarding process, it goes to the egress process, where it is decided how the frame will leave the switch (tagged or not).


Ingress rule
A VLAN-aware switch can accept tagged and untagged frames

Tagged frame:
Is directly sent to the forwarding engine

Untagged frame:
A tag is added onto this untagged frame (with the PVID)
Then the tagged frame is sent to the forwarding engine

PVID
Default Port VLAN ID for incoming untagged frames

[Figure: Ingress Rule - a tagged frame (VID) passes through as a tagged frame (VID); an untagged frame leaves as a tagged frame (PVID); both go towards the Forwarding Process]

30

> Each port is capable of passing tagged or untagged frames. The ingress process identifies whether the incoming frames contain a tag, and classifies the incoming frames as belonging to a VLAN. Each port has its own ingress rule. If the ingress rule accepts tagged frames only, the switch port will drop all incoming untagged frames. If the ingress rule accepts all frame types, the switch port simultaneously allows incoming tagged and untagged frames: When a tagged frame is received on a port, it carries a tag header that has an explicit VID. The ingress process directly passes the tagged frame to the forwarding process. An untagged frame does not carry the VID of the VLAN to which it belongs. When an untagged frame is received, the ingress process inserts a tag containing the PVID into the untagged frame. Each physical port has a default VID called PVID (Port VID). This PVID is assigned to untagged frames or priority-tagged frames received on this port.
> After the ingress process, all frames carry a 4-byte tag including VID information, and the frames go to the forwarding process.


Forwarding process
Forwarding decision is based on the filtering database
Filtering database contains two tables:
- MAC table and VLAN table

First, check the destination MAC address based on the MAC table
Second, check the VLAN ID based on the VLAN table

Egress port is the allowed outgoing member port of the VLAN

Filtering Database

MAC Table
Port   MAC Address          Aging
2      00:A0:C5:11:11:11    0
2      00:A0:C5:22:22:22    20
3      00:A0:C5:33:33:33    30
10     00:A0:C5:44:44:44    100

VLAN Table
VID    Egress Port   Register   Egress frame type
1      2             Static     Untag
1      3             Static     Tag
100    3             Static     Untag

31

> The forwarding process decides to forward the received frames according to the filtering database. The filtering database contains two tables: a MAC table and a VLAN table. The frames coming from the ingress process will be bridged first according to the MAC table and then forwarded based on the VLAN table. The egress port of the VLAN table is the allowed outgoing member port of the VLAN. If you want to forward the tagged frames to any port, this port must be the egress port of this VID.


Egress rule

[Figure: Egress Rule - a tagged frame (VID) leaves either as a tagged frame (VID) or as an untagged frame, depending on the egress rule]

32

> The egress process decides if the outgoing frames should be sent with tag or without tag. The egress rule refers to the egress tag control in the filtering database. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag will be removed before the frame leaves the egress port.
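The three steps on slides 29 to 32, as an added Python model (example code, not the slides' own): a per-port ingress rule with PVID and an "accept tagged frames only" option, forwarding that checks the MAC table first and the VLAN table second, and a per-port egress rule that sends the frame tagged or with the tag stripped. The `Frame`, `Port` and `VlanBridge` names are hypothetical. The configuration mirrors the filtering database tables on slide 31; port 10 as a member of VID 100, and the ingress-filtering check (a receiving port must itself be a member of the VID it classifies a frame into), are assumptions added beyond the slides.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None   # None: untagged; 0: priority-tagged; 1..4094: VLAN-tagged
    priority: int = 0


@dataclass
class Port:
    pvid: int                   # default VID for untagged / priority-tagged frames
    tagged_only: bool = False   # ingress rule "accept tagged frames only"


class VlanBridge:
    """Minimal model of the 802.1Q ingress / forwarding / egress process."""

    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports
        self.mac_table: Dict[str, int] = {}          # MAC address -> port
        self.vlan_table: Dict[int, Dict[int, str]] = {}  # VID -> {egress port: "tag"|"untag"}

    def add_member(self, vid: int, port: int, egress: str) -> None:
        self.vlan_table.setdefault(vid, {})[port] = egress

    def ingress(self, in_port: int, frame: Frame) -> Optional[Frame]:
        """Classify the frame to a VID; None means the ingress rule dropped it."""
        port = self.ports[in_port]
        if frame.vid is None or frame.vid == 0:
            if port.tagged_only:
                return None                          # untagged not accepted on this port
            frame = replace(frame, vid=port.pvid)    # insert a tag carrying the PVID
        # Ingress filtering (assumption beyond the slides): the receiving port must be a
        # member of the VID, so a host cannot inject frames into a VLAN its port is not in.
        if in_port not in self.vlan_table.get(frame.vid, {}):
            return None
        return frame

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """MAC table first, then VLAN table; returns the egress ports."""
        self.mac_table[frame.src] = in_port          # learn the source address
        members = self.vlan_table[frame.vid]
        out = self.mac_table.get(frame.dst)
        if out is None:
            return [p for p in members if p != in_port]   # unknown: flood within the VLAN only
        if out == in_port or out not in members:
            return []                                     # filtered: not an egress member
        return [out]

    def egress(self, out_port: int, frame: Frame) -> Frame:
        """Egress rule: keep the tag or strip it, as the VLAN table says for this port."""
        if self.vlan_table[frame.vid][out_port] == "tag":
            return frame
        return replace(frame, vid=None)

    def process(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Run the whole pipeline; returns {egress port: frame as transmitted}."""
        classified = self.ingress(in_port, frame)
        if classified is None:
            return {}
        return {p: self.egress(p, classified) for p in self.forward(in_port, classified)}


def build_bridge() -> VlanBridge:
    """Constructed configuration mirroring slide 31's filtering database, plus port 10."""
    b = VlanBridge({2: Port(pvid=1), 3: Port(pvid=1), 10: Port(pvid=100)})
    b.add_member(1, 2, "untag")
    b.add_member(1, 3, "tag")
    b.add_member(100, 3, "untag")
    b.add_member(100, 10, "untag")   # assumption: port 10 belongs to VID 100
    b.mac_table.update({
        "00:A0:C5:11:11:11": 2, "00:A0:C5:22:22:22": 2,
        "00:A0:C5:33:33:33": 3, "00:A0:C5:44:44:44": 10,
    })
    return b
```

The two "filtered" cases are the ones that matter for segregation: a frame whose destination is known but sits on a port outside the frame's VLAN is dropped rather than bridged, and unknown destinations are flooded only to the VLAN's member ports, never to the whole switch.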


Principles of operation in a VLAN bridge

[Figure legend: = Q/C-VLAN tag, the VLAN tag added by the CPE]

C-VID of incoming frames is determined:
- If TAG is present, C-VLAN ID is taken from the tag (no translation!)
- If TAG is not present,
  * port and protocol are used for VLAN ID classification;
  * else, the default VLAN ID for that port is used (PVID).

Outgoing frame may carry C-TAG or not, depending on egress rule.

33

> The bridging entity of a VLAN Bridge consists of a single Customer-VLAN aware Bridge component. > Each port is capable of connecting to an 802 LAN. > Adding/removing of Q/C-TAGs is supported on all ports.


VLAN stacking

[Frame layout: DA | SA | S-TAG | C-TAG | length/type | PAYLOAD | FCS]

Service Provider Bridge: S-tag treatment
Customer Bridge: C-tag treatment
Provider Edge Bridge: C-tag & S-tag treatment

Single VLAN tag:
- Only 4094 VIDs
- Scalability issue

Introduction of a second VLAN tag (IEEE 802.1ad):
- Service Provider tag: S-TAG
34

> The number of VLAN identifiers is limited to 4K. Since the VLAN is an E-MAN wide identifier, we end up with a scalability issue: in case of one-to-one mapping (Cross-connect mode) there cannot be more than 4K end users connected to the whole E-MAN. To solve this issue, two VLANs are stacked and the cross-connection is then performed on the combination (S-VLAN, C-VLAN), theoretically allowing up to 16M end users.
> It is impossible to allocate the same VID to different customers. There's no customer traffic segregation! VLANs of different customers with the same VID will be managed as the same VLAN in the carrier network.
> IEEE 802.1ad does not only describe S-VLAN for use in VLAN stacking. IEEE 802.1ad is an amendment to 802.1Q.
> VLAN Bridge = Customer Bridge = 802.1Q Bridge. A customer bridge is a VLAN-aware bridge as we used to know them before people started to talk about VLAN stacking.
> A Provider Bridge (in provider networks) provides the same functionality as a Customer Bridge, but it uses a different tag: the S-TAG (instead of the C-TAG), comprising a single S-VLAN component. If the customer is sending untagged Ethernet frames, these are sent toward the carrier network as single S-VLAN tagged frames. A provider bridge cannot add a C-TAG to an untagged frame!
> Provider Edge Bridge (new): A Provider Bridge can additionally contain a Customer VLAN aware Bridge component, which duplicates the functionality of a VLAN Bridge, comprising configuration of both C-VLAN and S-VLAN components. If the customer is sending C-VLAN tagged Ethernet frames, these are sent toward the carrier network as dual tagged frames.


Operation in a provider edge bridge: single tag

[Figure: Customer NW Port - S-VLAN aware Bridge - Provider NW Port; a C-VLAN aware Bridge is attached through the Internal EISS to a Provider Edge Port; legend: = S-VLAN tag]

S-VID of incoming frames is determined:
- If S-TAG is present, S-VID is taken from the tag
- If S-TAG is not present, the same rules apply as for the C-TAG in a VLAN bridge.

Incoming frame is forwarded according to the forwarding information base associated with the S-VLAN.
Outgoing frame may carry S-TAG or not (egress rule).
35


Operation in a provider edge bridge: single tag

[Figure: Customer NW Port - C-VLAN aware bridge - Internal EISS / Provider Edge Port - S-VLAN aware bridge - Provider NW Port; legend: = Q/C-VLAN tag, = S-VLAN tag; e.g. outgoing port supports only tagged]

An incoming frame on a provider edge port is forwarded internally depending on the C-TAG. This two-step approach enables a translation of C-VID to S-VID. The incoming frame is forwarded according to the forwarding information base associated with, respectively, the C-VLAN / S-VLAN to which the frame belongs. The outgoing frame may carry an S-TAG or not (egress rule).
36

Dual VLANs VLAN stacking

IEEE 802.1ad
Certain vendors, like Alcatel, apply today 1Q-in-Q VLAN Tag

Single VLAN tag
Frame size: Min 68 bytes, Max 1522 bytes
[Frame layout: preamble | SFD | DA | SA | TPID | TCI | length/type | PAYLOAD (46..1500 bytes) | FCS]

Dual VLAN tag (VLAN stacking)
Frame size: Min 72 bytes, Max TBD
[Frame layout: preamble | SFD | DA | SA | S-VLAN (TPID | TCI) | C-VLAN (TPID | TCI) | length/type | PAYLOAD (46..1500 bytes) | FCS]

S-VLAN tag:
- 2 bytes tag-type (TBD)
- 2 bytes Tag Control Information (TBD)

37

> Depending on the application, a single VLAN tag or double VLAN tags (also called VLAN stacking) can be present or absent on the Ethernet interface. In case of VLAN stacking, the first VLAN tag (the outer VLAN) is called the S_VLAN (Service-Provider VLAN) tag and the second VLAN tag (the innermost VLAN) is called the C_VLAN (Customer VLAN) tag.


Dual VLANs VLAN stacking

Q-in-Q VLAN
Not standardized
The second VLAN tag protocol identifier is the 802.1Q tag type, just like in single VLAN tagged frames

Dual VLAN tag (VLAN stacking)
Frame size: Min 72 bytes, Max 1526 bytes
[Frame layout: preamble | SFD | DA | SA | S-VLAN (TPID | TCI) | C-VLAN (TPID | TCI) | length/type | PAYLOAD (46..1500 bytes) | FCS]

Each tag:
- 2 bytes tag-type (value 81 00)
- 2 bytes Tag Control Information

Q-TAG (802.1Q) fields: Tag Protocol Identifier | Priority p-bits (802.1p, 3 bits, #8) | CFI | VLAN_ID (12 bits, #4096)

38

> "Q-in-Q" is really the same thing as VLAN stacking, using the same Ethertype for both tags. It has the advantage that existing .1Q bridges can be used as a "provider bridge". The Ethertype for S-TAG is still undefined, but it will most probably be different than the one for the C-TAG.


Operation in a provider bridge: VLAN stacking

[Figure: Customer NW Port - C-VLAN aware bridge - S-VLAN aware bridge - Customer NW Port; legend: = Q/C-VLAN tag, = S-VLAN tag]

We now have two tags
- The S-TAG may be added and removed independently of the C-tag.
- A Provider Bridge ignores C-tags, except on Provider Edge Ports.
- VLAN-stacking can occur even if the incoming frame is untagged (at a provider edge port).

39

> VLAN-stacking occurs when a previously C-tagged frame enters the provider-owned portion of a network via a Provider Bridge and receives an S-TAG, or when a previously untagged frame enters the provider-owned portion of a network via a Provider Edge Port on a Provider Bridge, receiving a C-TAG and then an S-TAG.
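The two stacking cases just described, together with the Q-in-Q variant of slide 38, as an added Python example (not the slides' own code): it lists the tag stack of a frame outermost first, pushes the S-TAG over an existing C-TAG or over a freshly added C-TAG when the customer frame is untagged, lets a non-edge Provider Bridge classify on the outermost tag only, and strips the tags again toward the customer. The S-TAG Ethertype was still "TBD" when these slides were written; IEEE 802.1ad has since assigned 0x88A8, which the example uses, while the pre-standard Q-in-Q convention with 0x8100 on both tags is parsed by position. Rejecting a customer frame that already carries an S-TAG, and removing the S-TAG on every customer-facing egress, are assumptions of this example; the sample frame bytes are constructed, with a placeholder FCS.

```python
import struct

TPID_C = 0x8100   # C-TAG TPID (802.1Q); pre-standard "Q-in-Q" uses it for both tags
TPID_S = 0x88A8   # S-TAG TPID assigned by IEEE 802.1ad (still "TBD" on the slides)
TAG_TPIDS = (TPID_S, TPID_C)


def customer_frame():
    """Constructed untagged frame: DA, SA, type 0x0800, 46-byte payload, 4-byte FCS placeholder."""
    da = bytes.fromhex("00a0c5111111")
    sa = bytes.fromhex("00a0c5222222")
    return da + sa + struct.pack("!H", 0x0800) + bytes(46) + bytes(4)


def tag_stack(frame):
    """List the tags that follow DA+SA as (tpid, vid, priority), outermost first."""
    tags, off = [], 12
    while off + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in TAG_TPIDS:
            break                               # reached length/type: no more tags
        tags.append((tpid, tci & 0x0FFF, tci >> 13))
        off += 4
    return tags


def push_tag(frame, tpid, vid, priority=0):
    """Insert a new outermost tag directly after DA+SA."""
    tci = (priority << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Remove the outermost tag."""
    return frame[:12] + frame[16:]


def provider_edge_ingress(frame, c_pvid, s_vid):
    """Customer-facing Provider Edge Port, toward the provider network.
    An untagged frame first gets a C-TAG with the port's C-PVID, then the S-TAG;
    a C-tagged frame keeps its C-TAG and gets the S-TAG. A frame that already carries
    an S-TAG is refused (assumption: the customer must not choose its own service VLAN)."""
    tags = tag_stack(frame)
    if tags and tags[0][0] == TPID_S:
        raise ValueError("S-TAG received on a customer-facing port")
    if not tags:
        frame = push_tag(frame, TPID_C, c_pvid)
    return push_tag(frame, TPID_S, s_vid)


def provider_bridge_vid(frame):
    """A (non-edge) Provider Bridge classifies on the outermost tag only; the C-TAG is ignored."""
    tags = tag_stack(frame)
    return tags[0][1] if tags else None


def provider_edge_egress(frame, c_tag_out):
    """Toward the customer: the S-TAG is removed (assumption: the customer port is an
    untagged member of the S-VLAN); the egress rule decides whether the C-TAG stays."""
    frame = pop_tag(frame)
    return frame if c_tag_out else pop_tag(frame)


def dual_tag_size_ok(frame):
    """Dual-tagged size limits from slide 38, FCS included: 72..1526 bytes."""
    return len(tag_stack(frame)) == 2 and 72 <= len(frame) <= 1526
```

Because `provider_bridge_vid` only ever reads the outermost tag, two customers may use the same C-VID without their traffic merging in the carrier network, which is exactly the segregation problem the notes on slide 34 describe for single tagging.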

[Figure labels: Provider NW Port, Internal EISS, Provider Edge Port]

www.alcatel-lucent.com
