Lecture 5.0 Virtual LANs - uniroma2.it
Uploaded by phamdiep, posted 09-Apr-2018

TRANSCRIPT

Page 1

Giuseppe Bianchi

Lecture 5.0

Virtual LANs

Standards 802.1Q, 802.1v, 802.1s

Broadcast issues

Switches:
- did partition collision domains
- but did NOT partition the broadcast domain

Page 2

The "obvious" solution: IP subnets

- Partition the network into several subnets
- A critical approach (especially in the past):
  - routers were slow
  - switches had to be replaced with routers
- No longer an efficiency problem today:
  - layer 3 switches = hardware-based routers, very fast!
- However…

Cons of physical IP subnets

[Figure: floor plan with LAB 1 (telecom), LAB 2 (nanotech) and OFFICES on Floor 2, and LAB 2 (telecom) on Floor 1, each lab served by its own switch]

- One switch per lab!
- Even if all switches sit in the same floor box, manual (re)connection is necessary
- Different LAB rooms = different subnets!
- The broadcast domain cannot extend through routers → more complex management needed

Page 3

Physical Network Design vs Logical Network Design

- Standard design for the physical network
- Done well before the network partitioning needs emerge from the customers of the building!

[Figure: structured cabling of a building. Labels (translated from Italian): perforated metal cable tray; RJ45 outlets; horizontal copper cabling; floor wiring cabinet; rooms; PVC conduit with vertical fibre-optic cabling; metal tray with backup vertical copper cabling; PVC tray]

Solution: Virtual LAN (VLAN)

- VLAN = area which limits the broadcast domain
- Benefits:
  - Broadcast confinement: solves the scalability issues of large flat networks
  - Isolation of failures and network impairments
  - Security (more later)
- Multiple VLANs may coexist over the same switched LAN

Page 4

VLAN Membership

- Per port
  - THE typical VLAN approach
  - The IEEE 802.1Q approach
- Per user
  - via MAC address
  - via VLAN tag
  - Result: an "anarchic" VLAN, since membership follows whatever the station presents → too easy to break into (a source MAC address or a tag is trivially forged by the station)
- Per protocol
  - New feature in IEEE 802.1v
- Combination (cross-layer)
  - Supported as proprietary extensions
    - via IP subnet address
    - …
  - A classification hierarchy may be defined, e.g.:
    - per IP subnet;
    - if not IP → per protocol;
    - if not in the set of classified protocols → per MAC;
    - if not in the MAC list → per port.

Per-Port + Per-Protocol Control (example)

Default = tag with PVID (Port VLAN ID)
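The classification hierarchy just described, as an added Python example (not from the lecture or from any switch vendor): a single `classify()` function applies the rules in the order the slide lists them, with the PVID as the catch-all, and also performs the ingress filtering of tags the port is not allowed to carry. The port configuration, MAC addresses and VIDs are constructed; the 160.80.80.0/24 subnet is reused from the one-armed-router slide below.

```python
"""Cross-layer ingress classification of frames (added example).

Hierarchy: explicit tag -> IP subnet -> protocol (EtherType, 802.1v style)
-> source MAC -> port default (PVID). Every port, VID, subnet and address
below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPX = 0x8137


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int              # the EtherType inside any 802.1Q tag
    vid: Optional[int] = None   # VID from the tag; None = untagged
    src_ip: Optional[str] = None


@dataclass
class PortConfig:
    pvid: int                                           # default VLAN for untagged frames
    allowed_vids: frozenset = frozenset()               # tags accepted on this port
    subnet_rules: list = field(default_factory=list)    # [(IPv4Network, vid)]
    protocol_rules: dict = field(default_factory=dict)  # {ethertype: vid}
    mac_rules: dict = field(default_factory=dict)       # {"aa-bb-cc-dd-ee-ff": vid}


def classify(port: PortConfig, frame: Frame) -> Optional[int]:
    """Return the VID the frame belongs to, or None if it must be discarded."""
    vid = frame.vid
    if vid == 4095:                 # reserved value, never a valid VLAN
        return None
    if vid not in (None, 0):        # explicit tag wins; VID 0 = priority-tagged = untagged
        # ingress filtering: a tag the port is not configured for is dropped
        return vid if vid in port.allowed_vids else None
    # per IP subnet (proprietary cross-layer rule)
    if frame.ethertype == ETH_P_IP and frame.src_ip is not None:
        addr = ipaddress.ip_address(frame.src_ip)
        for net, rule_vid in port.subnet_rules:
            if addr in net:
                return rule_vid
    # per protocol (802.1v)
    if frame.ethertype in port.protocol_rules:
        return port.protocol_rules[frame.ethertype]
    # per user, by source MAC (forgeable: a station presents any MAC it likes)
    mac = frame.src_mac.lower().replace(":", "-")
    if mac in port.mac_rules:
        return port.mac_rules[mac]
    # per port: the PVID catches everything else
    return port.pvid


def demo_port() -> PortConfig:
    """Constructed configuration for one hybrid port."""
    return PortConfig(
        pvid=99,
        allowed_vids=frozenset({10, 20}),
        subnet_rules=[(ipaddress.IPv4Network("160.80.80.0/24"), 10)],
        protocol_rules={ETH_P_IPX: 30},
        mac_rules={"00-b0-8d-13-1a-f1": 43},
    )


if __name__ == "__main__":
    port = demo_port()
    for f in (Frame("00-00-08-11-aa-01", ETH_P_IP, src_ip="160.80.80.7"),
              Frame("00-00-08-11-aa-01", ETH_P_IPX),
              Frame("00-B0-8D-13-1A-F1", ETH_P_ARP),
              Frame("00-00-08-11-aa-01", ETH_P_ARP),
              Frame("00-00-08-11-aa-01", ETH_P_IP, vid=77)):
        print(f, "->", classify(port, f))
```

Note the order: an explicit, allowed tag wins over every cross-layer rule, and the per-MAC step is the weak one, since the station controls the source MAC it presents; the per-port default is the only rule a station cannot influence.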

Page 5

Physical vs logical view

(i.e. why VLANs instead of IP networks)

- Layer 3 subnets ought to be physically separated
- BUT many VLANs may overlap
  - on the same, unique physical network structure!
- Robust, failure-proof, managed as a single network

VLANs and IP subnets /1

- 1 VLAN = 1 IP subnet
- Routers are needed to move frames between different VLANs
  - even if the stations are in the same physical network
- Inter-VLAN connectivity through a router improves security
  - packet filtering mechanisms such as ACLs may be applied at the only crossing point between VLANs

Page 6

VLANs and IP subnets /2

- Routers for VLAN interconnection may have as little as just one physical interface
  - also called, in jargon, "one-armed routers"
- Multiple IP addresses on the single interface (one per VLAN, carried over a trunk link)

[Figure: one-armed router attached to a trunk port, with address 160.80.80.100 in subnet 160.80.80.0/24 and 160.80.81.100 in subnet 160.80.81.0/24]

VLAN tagging

Page 7

Port types

- ACCESS port: transmits and receives untagged frames, i.e. with no VLAN membership indication
- TRUNK port: transmits and receives tagged frames, i.e. with explicit VLAN membership indication
- HYBRID port: may handle both tagged and untagged frames

Access links

- A link connected to an access port
  - typically the PC-to-switch link
  - or a small-hub-to-switch link
- Connected stations belong to only 1 VLAN
- Connected stations DO NOT NEED TO KNOW they are on a VLAN
  - they just assume they are on a dedicated IP subnet
- TX/RX frames: standard Ethernet (no QTag prefix)

[Figure: stations S1, S2, S3 behind a HUB attached to an access port of the switch]

Page 8

Access links (legacy regions)

- May be switched LANs themselves
- Made up of VLAN-unaware switches

[Figure: a VLAN-aware switch whose access port leads to a tree of VLAN-unaware switches with stations S1, S2, S3]

Trunk links

- A link connected to a trunk port
  - typically switch-to-switch or switch-to-router links
  - frequently server-to-switch links
  - if used on a PC-to-switch link → the "anarchic VLAN" case: the station chooses its own tag, so the switch must restrict which VIDs it accepts on that port
- Support tagged Ethernet frames
  - explicit tagging mechanism to differentiate them
- Does not belong to a VLAN but transports VLAN frames
  - either from all VLANs
  - or just from selected VLANs
- However, may belong to a VLAN
  - case of a hybrid link
  - untagged frames are assumed to belong to that VLAN

[Figure: trunk port]

Page 9

Hybrid links

- Support both tagged and untagged Ethernet frames
- Untagged frames belong to a single configured VLAN (in the example, VLAN C)
- Modern understanding and implementations: all links are of the hybrid type…

Ethernet frame format for VLAN (802.3ac, 1998)

- QTag type (TPID) = 0x8100
- QTag prefix = 4 bytes, inserted between the source MAC address and the original type/length field
- Maximum frame: 1522 bytes (!!) instead of 1518
  - frames longer than 1518 bytes are "baby giants": processed correctly by VLAN-aware equipment, but legacy equipment might record them as errors

Page 10

User Priority (802.1p)

Priority  Acronym  Traffic type
7         NC       Network Control
6         VO       Voice (< 10 ms latency/jitter)
5         VI       Video (< 100 ms latency/jitter)
4         CL       Controlled Load
3         EE       Excellent Effort
2         ---      Unspecified
1         BK       Background
0         BE       Best Effort (default)

Managed via separate output queues:
- typically with priority queueing
- but more complex scheduling mechanisms can be used

Note that the table is in numeric order, not in order of importance: in the 802.1D Annex G ordering the default value 0 (Best Effort) ranks above 1 (Background).
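The QTag layout from the frame-format slide and the 802.1p priority field of this table, as an added Python example (not part of the lecture): it builds tagged frames, parses the TPID and the TCI (3-bit PCP, 1 bit called CFI in the 1998 text and DEI today, 12-bit VID), strips the tag the way an access port does at egress, and flags the 1519..1522 byte "baby giant" range. MAC addresses and payloads are constructed; frames are handled without the FCS, which is added back only for the length checks.

```python
"""802.1Q tag construction and parsing (added example).

Frames are handled without the trailing FCS; the 4 FCS bytes are added
back only for the length checks. MAC addresses and payloads are constructed.
"""
import struct

TPID_8021Q = 0x8100
FCS_LEN = 4
MAX_UNTAGGED = 1518   # 802.3: max frame incl. FCS, excl. preamble/SFD
MAX_TAGGED = 1522     # 802.3ac: 4 more bytes for the QTag prefix

# 802.1p user-priority acronyms from the table above (PCP value -> acronym)
PCP_NAMES = {7: "NC", 6: "VO", 5: "VI", 4: "CL", 3: "EE", 2: "--", 1: "BK", 0: "BE"}


def mac_bytes(mac: str) -> bytes:
    """'00-b0-8d-13-1a-f1' or '00:b0:8d:13:1a:f1' -> 6 raw bytes."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def build_tagged(dst: str, src: str, vid: int, ethertype: int,
                 payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the QTag (TPID + TCI) between the source MAC and the EtherType."""
    if not 0 <= vid <= 4094:          # 0 = priority-tagged only; 4095 is reserved
        raise ValueError("VID must be in 0..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload)


def strip_tag(frame: bytes) -> bytes:
    """Egress on an access port: drop the 4-byte QTag if the frame carries one."""
    if len(frame) >= 18 and frame[12:14] == struct.pack("!H", TPID_8021Q):
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes) -> dict:
    """Decode addresses, tag fields and size class of one frame (no FCS)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    wire_len = len(frame) + FCS_LEN
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "tagged": False, "vid": None, "pcp": None, "pcp_name": None,
            "dei": None, "baby_giant": False}
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        if wire_len > MAX_UNTAGGED:
            raise ValueError("oversize untagged frame")
        info.update(ethertype=etype, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated QTag")
    if wire_len > MAX_TAGGED:
        raise ValueError("oversize tagged frame")
    tci, inner = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13
    info.update(tagged=True, vid=tci & 0x0FFF, pcp=pcp, pcp_name=PCP_NAMES[pcp],
                dei=(tci >> 12) & 1, ethertype=inner, payload=frame[18:])
    # 1519..1522 bytes on the wire: legal per 802.3ac, but an "error" to
    # legacy equipment that still assumes the 1518-byte maximum
    info["baby_giant"] = wire_len > MAX_UNTAGGED
    return info


if __name__ == "__main__":
    f = build_tagged("ff-ff-ff-ff-ff-ff", "00-b0-8d-13-1a-f1", 43, 0x0800,
                     b"\x45" + b"\x00" * 1499, pcp=6)
    p = parse_frame(f)
    print(f"VID {p['vid']}, PCP {p['pcp']} ({p['pcp_name']}), baby giant: {p['baby_giant']}")
    print("after strip_tag:", parse_frame(strip_tag(f))["tagged"])
```

A full-size IP payload of 1500 bytes gives a 1522-byte tagged frame on the wire, which is exactly the case the slide marks with "(!!)": legal, but a byte count that 1518-byte-minded gear treats as an error.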

Proprietary solutions (e.g. Cisco ISL)

- Cisco Inter-Switch Link protocol (ISL)
- External tagging (encapsulation): the whole original frame is wrapped as
  [ ISL header (26 bytes) | original frame | new FCS (4 bytes) ]
- 10-bit VLAN ID field
- Other space for proprietary usage

Page 11

May a station belong to more than 1 VLAN?

Yes! (typical case: servers)

[Figure: stations on access links, a server on a trunk link]

Switch operation with VLANs

Page 12

VLAN and forwarding

[Figure: switches interconnected by trunk links carrying Red+Green, Green only, and Blue+Green]

No spanning tree considerations at the moment…

Trunk ports may forward only selected VLAN tags:
- manual (static) configuration
- automatic (dynamic) configuration via specially devised protocols
  (GVRP: GARP VLAN Registration Protocol; GARP = Generic Attribute Registration Protocol, see clause 10, 802.1D 1998 version)

VLAN switch: relay functions

- Ingress function
  - Classification of each received frame as belonging to one and only one VLAN
    - based on the tag
    - based on the port (e.g.) for untagged frames
  - Discard frames based on normal bridging rules PLUS VLAN classification
    - e.g. a VLAN tag not allowed on the receiving port
  - Ingress function = access control using switches rather than routers!
- Forward function
  - Only on the specific ports enabled for the given VLAN
- Egress function
  - Add a tag (or keep the previous tag) if trunk link;
  - Remove the tag if access link

Page 13

Learning

- The learning process is affected by VLANs
  - the MAC address is no longer the only information to consider!
  - the VLAN identifier is also necessary
- Shared VLAN Learning (SVL)
  - 1 single filtering DB
  - if an individual MAC address is learned in one VLAN, the learned information is used in forwarding decisions relative to all other VLANs
- Independent VLAN Learning (IVL)
  - 1 filtering DB per VLAN ID
  - if an individual MAC address is learned in one VLAN, the learned information is NOT used in forwarding decisions relative to other VLANs
- General case (SVL/IVL)
  - many filtering DBs (each with a Filtering ID, FID)
  - each FID may include more than 1 VLAN

Filtering DB - SVL

Dest MAC Address   Port  Age  VLAN
00-00-08-11-aa-01  1/1   1    12
00-b0-8d-13-1a-f1  1/7   4    43
a8-11-06-00-0b-b4  2/3   0    12
08-01-00-00-a7-64  2/4   1    1
00-ff-08-10-44-01  2/6   5    12

Page 14

Filtering DB - IVL

FID=12  Dest MAC Address   Port  Age
        00-00-08-11-aa-01  1/1   1
        a8-11-06-00-0b-b4  2/3   0
        00-ff-08-10-44-01  2/6   5

FID=43  Dest MAC Address   Port  Age
        00-b0-8d-13-1a-f1  1/7   4

FID=1   Dest MAC Address   Port  Age
        08-01-00-00-a7-64  2/4   1

Distinct filtering DBs (each assigned a Filtering ID)

SVL vs IVL

- In most cases, it does not matter whether IVL or SVL is used
- However, in some particular cases, IVL or SVL is necessary
- Notation used in what follows:
  - Member set: set of ports through which members of the VLAN can be reached
  - Untagged set: set of ports through which, if frames are to be transmitted, they shall be transmitted without a tag
    - the untagged set for a port may include multiple VLANs (see the SVL example next)
  - PVID (Port VLAN ID): VLAN associated to the port, i.e. the VLAN that untagged frames received on it are classified into

See 802.1Q-2003, Annex B for a detailed explanation of the following examples

Page 15

Why IVL? /1

SVL would not work!! (A learned from both port 1 and port 4)
(no STP in the example…)

Note: the connecting device is a bridge!
Were it a router, no problems!
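The relay and learning rules from the previous slides and the "Why IVL" failure, as an added Python simulation (not part of the lecture). The bridge below keeps the member set, untagged set and PVID notation of the SVL vs IVL slide and can run either learning mode; ports, VIDs and MAC addresses are constructed, and the scenario in `why_ivl()` is my reading of the case above: one MAC address reached through port 1 in VLAN 10 and through port 4 in VLAN 20.

```python
"""VLAN-aware bridge relay with SVL or IVL learning (added example).

Ports, VIDs and MAC addresses are constructed. why_ivl() reproduces the
failure described above: one station's MAC learned from two ports that
sit in different VLANs.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Port:
    pvid: int                           # VLAN for untagged frames received here
    member_of: frozenset                # VLANs whose member set contains this port
    untagged: frozenset = frozenset()   # VLANs sent without a tag on this port


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None           # None = untagged on the wire


class VlanBridge:
    def __init__(self, ports: Dict[int, Port], mode: str = "IVL"):
        if mode not in ("SVL", "IVL"):
            raise ValueError(f"unknown learning mode {mode!r}")
        self.ports, self.mode = ports, mode
        self.fdb: Dict[tuple, int] = {}         # (FID, MAC) -> port

    def fid(self, vid: int) -> int:
        # SVL: every VLAN maps to one shared filtering DB; IVL: one DB per VID
        return 0 if self.mode == "SVL" else vid

    def ingress(self, port_id: int, frame: Frame) -> Optional[int]:
        """Classify the frame into exactly one VLAN, or None to discard it."""
        port = self.ports[port_id]
        vid = port.pvid if frame.vid in (None, 0) else frame.vid
        # ingress filtering: the receiving port must belong to the VLAN
        return vid if vid in port.member_of else None

    def relay(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Return {out_port: frame as transmitted}; an empty dict means discarded."""
        vid = self.ingress(in_port, frame)
        if vid is None:
            return {}
        self.fdb[(self.fid(vid), frame.src)] = in_port            # learning
        members = {p for p, cfg in self.ports.items()
                   if vid in cfg.member_of and p != in_port}
        learned = self.fdb.get((self.fid(vid), frame.dst))
        # known destination: one port, but egress filtering still applies;
        # unknown destination: flood the VLAN's member set
        targets = members if learned is None else {learned} & members
        return {p: Frame(frame.src, frame.dst,
                         None if vid in self.ports[p].untagged else vid)
                for p in targets}


def access(vid: int) -> Port:
    """Access port: PVID = its only VLAN, always transmits untagged."""
    return Port(pvid=vid, member_of=frozenset({vid}), untagged=frozenset({vid}))


# constructed station addresses
A, B, C = "00-00-08-11-aa-01", "a8-11-06-00-0b-b4", "00-b0-8d-13-1a-f1"


def why_ivl(mode: str) -> list:
    """Ports 1-2: access ports of VLAN 10; ports 3-4: VLAN 20; port 5: trunk."""
    ports = {1: access(10), 2: access(10), 3: access(20), 4: access(20),
             5: Port(pvid=10, member_of=frozenset({10, 20}))}
    br = VlanBridge(ports, mode)
    br.relay(1, Frame(A, B))   # A speaks in VLAN 10: learned on port 1
    br.relay(4, Frame(A, C))   # the same MAC shows up in VLAN 20 on port 4
                               # (reached through a VLAN-unaware bridge joining the VLANs)
    # B answers A inside VLAN 10. With SVL the shared entry now says "port 4";
    # port 4 is not in VLAN 10's member set, so the reply is filtered and lost.
    return sorted(br.relay(2, Frame(B, A)))


def trunk_egress(mode: str = "IVL") -> Optional[Frame]:
    """Flooding an unknown destination from VLAN 10 must leave port 5 tagged 10."""
    br = VlanBridge({1: access(10), 5: Port(pvid=10, member_of=frozenset({10, 20}))}, mode)
    return br.relay(1, Frame(A, "ff-ff-ff-ff-ff-ff")).get(5)


if __name__ == "__main__":
    print("SVL:", why_ivl("SVL"))   # [] : the reply never reaches A
    print("IVL:", why_ivl("IVL"))   # [1]
    print("trunk:", trunk_egress())
```

The same `VlanBridge` also shows the access-control side of the ingress function: a frame tagged with a VID the receiving port is not a member of returns an empty dict before any learning happens, so a station on an access port cannot inject its MAC into another VLAN's filtering DB by tagging its own frames.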

Why IVL? /2

SVL would not work!! (A learned from both port 1 and port 3)
(STP enabled, VLAN-aware connector)

Page 16

Why SVL?

- A VLAN-unaware server is to be shared among VLANs
- It must use an untagged access link
- Asymmetric VLANs!

Spanning Tree and VLANs

(just motivations; MSTP details in 802.1Q, clauses 13 and 14)

Page 17

VLANs and Spanning Tree

- Original 802.1Q specification:
  - Common Spanning Tree (CST)
  - one for all VLANs → easy to maintain
  - no load balancing possible
  - bridge priorities (or VLAN trunking) must be carefully selected
    - to guarantee connectivity for ALL VLANs (a trunk blocked by the single tree may be the only path for some VLAN)

Multiple Spanning Tree

- Based on an early proprietary idea:
  - Per-VLAN Spanning Tree → problem: several VLANs → BPDU load!
- Idea: aggregate VLANs

Page 18

MSTP (802.1s, 2002)

- Based on RSTP
- Hierarchical approach
  - One single spanning tree connects the regions
    - Common Spanning Tree (CST) across regions
  - Each region has an Internal Spanning Tree (IST)
    - the CST plus the ISTs form the Common and Internal Spanning Tree (CIST)
  - Each region acts as a "virtual" single bridge in terms of spanning tree!
- Multiple spanning tree instances (MSTIs) are possible inside each region

Details and the new BPDU format are quite complex: refer to the standard. The VLAN-to-MSTI mapping is not sent in full; the BPDU carries an HMAC-MD5 digest of it (RFC 2104), computed with a fixed, published key. The digest only lets bridges check that they share the same region configuration; it provides no confidentiality and no authentication of BPDUs.

[Figure: CIST + MSTI]