5_vlans
Giuseppe Bianchi
Lecture 5.0
Virtual LANs
Standards 802.1Q, 802.1v, 802.1s
Broadcast issues
Switches:
- DID partition collision domains
- but DID NOT partition the broadcast domain
The obvious solution: IP subnets
Partition the network into several subnets
Critical approach (especially in the past): routers were slow, and switches had to be replaced with routers
No longer an efficiency problem today: layer 3 switches = hardware-based routers, very fast!
However...
Cons of physical IP subnets
[Figure: two floors of a building with LAB 1 (telecom), LAB 2 (nanotech), OFFICES on floor 2 and LAB 2 (telecom) on floor 1, each lab on its own switch]
One switch per lab!
Even if all switches are in the same floor box, manual connection is necessary
Different LAB rooms = different subnets!
Broadcast domain cannot extend through routers: more complex management needed
Physical Network Design vs Logical Network Design
Standard design for the physical network
Done well before network partitioning needs emerge from the customers of the building!
[Figure: structured cabling of a building: perforated metal cable tray, RJ45 sockets, horizontal copper cabling, floor cabinet, rooms on each floor, PVC conduit, vertical fibre-optic cabling, backup vertical copper cabling in a metal tray, PVC cable tray]
Solution: Virtual LAN (VLAN)
VLAN = area which limits the broadcast domain
Benefits:
- Broadcast confinement solves the scalability issues of large flat networks
- Isolation of failures and network impairments
- Security (more later)
Multiple VLANs may coexist over the same Switched LAN
VLAN Membership
Per Port
- THE typical VLAN approach
- The IEEE 802.1Q approach
Per User
- Via MAC address
- Via VLAN tag (result: anarchic VLAN, but too easy to break into)
Per Protocol
- New feature in IEEE 802.1v
Combination (cross-layer)
- Supported as proprietary extensions
- Via IP subnet address
- A classification hierarchy may be defined, e.g.: per IP subnet; if not IP, per protocol; if not in the set of classified protocols, per MAC; if not in the MAC list, per port.
Per-Port + Per-Protocol Control (example)
Default = tag with PVID (Port VLAN ID)
Physical vs logical view (i.e. why VLANs instead of IP networks)
Layer 3 subnets ought to be physically separated
BUT many VLANs may overlap on the same, unique physical network structure!
Robust, failure-proof, managed as a single network
VLANs and IP subnets /1
1 VLAN = 1 IP subnet
Routers are needed to move frames between different VLANs, even if the STAs are in the same physical network
Inter-VLAN connectivity through a router improves security: packet filtering mechanisms such as ACLs may be applied
VLANs and IP subnets /2
Routers for VLAN interconnection may have as little as just one physical interface
- Also called, in jargon, one-armed routers
- Multiple IP addresses on the single interface
[Figure: two VLANs with subnets 160.80.80.0/24 and 160.80.81.0/24; the router's single interface carries both 160.80.80.100 and 160.80.81.100]
VLAN tagging
Port types
- ACCESS port: transmits and receives untagged frames, i.e. with no VLAN membership indication
- TRUNK port: transmits and receives tagged frames, i.e. with explicit VLAN membership indication
- HYBRID port: may handle both tagged and untagged frames
Access links
A link connected to an access port
- Typically the PC-to-switch link, or the small-hub-to-switch link
Connected STAs belong to only 1 VLAN
Connected STAs DO NOT NEED TO KNOW they are on a VLAN
- They just assume to be on a dedicated IP subnet
TX/RX frames: standard Ethernet (no QTag prefix)
[Figure: stations S1, S2, S3 and a HUB attached to access ports of a switch]
Access links (legacy regions)
May be switched LANs themselves, made up of VLAN-unaware switches
[Figure: VLAN-unaware switches, with stations S1, S2, S3 behind them, attached to access ports of a VLAN-aware switch]
Trunk links
A link connected to a trunk port
- Typically switch-to-switch or switch-to-router links
- Frequently server-to-switch links
- If PC-to-switch link: anarchic VLANs considered
Support tagged Ethernet frames
- Explicit tagging mechanism to differentiate them
Does not belong to a VLAN but transports VLAN frames
- Either from all VLANs
- Or just from selected VLANs
However, may belong to a VLAN
- Case of hybrid link
- Untagged frames assumed to belong to that VLAN
[Figure: trunk port between two switches]
Hybrid links
Support both tagged and untagged Ethernet frames
Untagged frames belong to the same VLAN (in the example, VLAN C)
Modern understanding and implementations: all links are of the hybrid type
Ethernet Frame format for VLAN (802.3ac, 1998)
QTag type = 0x8100
QTag prefix = 4 bytes
Maximum frame: 1522 bytes (!!), larger than the legacy 802.3 maximum: "baby giant" frames
- processed correctly
- but might be recorded as errors by legacy equipment
User Priority (802.1p)
Traffic type                      Acronym  Priority
Network Control                   NC       7
Voice, < 10 ms latency/jitter     VO       6
Video, < 100 ms latency/jitter    VI       5
Controlled Load                   CL       4
Excellent Effort                  EE       3
Unspecified                       --       2
Background                        BK       1
Best Effort (default)             BE       0
Managed via separate output queues
- typically with priority queueing
- but more complex scheduling mechanisms can be used
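The QTag layout (TPID 0x8100, 4-byte prefix, 1522-byte maximum) and the 802.1p priority table from the two slides above, as an added Python example that is not part of the lecture: it builds a tagged frame, decodes the tag fields, and flags "baby giants" the way a VLAN-unaware port would. The 1518-byte legacy limit is the classic 802.3 maximum; the sample MAC and payload are constructed.

```python
import struct

QTAG_TPID = 0x8100   # QTag type (TPID) announcing a 4-byte tag
UNTAGGED_MAX = 1518  # classic 802.3 maximum (header + payload + FCS)
TAGGED_MAX = 1522    # 802.3ac: 4 more bytes for the QTag prefix
# 802.1p user priority table from the lecture: PCP -> (acronym, traffic type)
PCP_NAMES = {0: ("BE", "Best Effort (default)"), 1: ("BK", "Background"),
             2: ("--", "Unspecified"), 3: ("EE", "Excellent Effort"),
             4: ("CL", "Controlled Load"), 5: ("VI", "Video < 100 ms latency/jitter"),
             6: ("VO", "Voice < 10 ms latency/jitter"), 7: ("NC", "Network Control")}

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame (no FCS); vlan=(vid, pcp, dei) inserts a QTag after src."""
    hdr = dst + src
    if vlan is not None:
        vid, pcp, dei = vlan
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", QTAG_TPID, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame, fcs_present=False):
    """Decode the QTag (if any) and classify the frame length as a switch port would."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == QTAG_TPID:
        if len(frame) < 18:
            raise ValueError("truncated QTag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])  # TCI, then the real EtherType
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF,
                    priority=PCP_NAMES[tci >> 13][0])
    info["ethertype"] = ethertype
    on_wire = len(frame) + (0 if fcs_present else 4)  # account for the 4-byte FCS
    # A maximal tagged frame is 1522 bytes: legal per 802.3ac, but above the legacy
    # 1518 limit, so a VLAN-unaware device may record it as an error ("baby giant")
    info["baby_giant"] = info["tagged"] and UNTAGGED_MAX < on_wire <= TAGGED_MAX
    info["oversized"] = on_wire > (TAGGED_MAX if info["tagged"] else UNTAGGED_MAX)
    return info

if __name__ == "__main__":
    # Constructed sample: voice (PCP 6) frame in VLAN 12 carrying a full 1500-byte payload
    frame = build_frame(b"\xff" * 6, bytes.fromhex("00000811aa01"), 0x0800,
                        b"\x00" * 1500, vlan=(12, 6, 0))
    print(parse_frame(frame))
```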
Proprietary solutions (e.g. Cisco ISL)
Cisco Inter Switch Link Protocol (ISL)
- External tagging (encapsulation): the frame is encapsulated between an ISL header (26 bytes) and an ISL FCS (4 bytes)
- 10-bit VLAN tag
- Other space for proprietary usage
May a station belong to more than 1 VLAN?
Yes! (typical case: servers)
[Figure: stations on access links and a server on a trunk link]
Switch operation with VLANs
VLAN and forwarding
[Figure: switches connected by trunk links carrying selected VLANs: Red,Green; Green; Blue,Green]
No spanning tree considerations at the moment
Trunk ports may forward only selected VLAN tags
- Manual (static) configuration
- Automatic (dynamic) configuration via specially devised protocols (GVRP: GARP VLAN Registration Protocol)
  GARP = Generic Attribute Registration Protocol; see clause 10, 802.1D 1998 version
VLAN switch: relay functions
Ingress function
- Classification of each received frame as belonging to one and only one VLAN: based on the tag, or (e.g.) based on the port for untagged frames
- Discard frame based on normal bridging rules PLUS VLAN classification, e.g. a VLAN tag not allowed on that port
- Ingress function = access control using switches rather than routers!
Forward function
- Only on the specific enabled ports for the given VLAN
Egress function
- Add tag (or leave previous tag) if trunk link
- Remove tag if access link
Learning
The learning process is affected by VLANs: the MAC address is no longer the only information to consider! The VLAN Identifier is also necessary
Shared VLAN Learning (SVL)
- 1 single filtering DB
- If an individual MAC address is learned in one VLAN, the learned information is used in forwarding decisions relative to all other VLANs
Independent VLAN Learning (IVL)
- 1 filtering DB per VLAN ID
- If an individual MAC address is learned in one VLAN, the learned information is NOT used in forwarding decisions relative to all other VLANs
General case (SVL/IVL)
- Many filtering DBs (each with a Filtering ID, FID)
- Each FID may include more than 1 VLAN
Filtering DB - SVL
Dest MAC Address   Ports  Age  VLAN
00-00-08-11-aa-01  1/1    1    12
00-b0-8d-13-1a-f1  1/7    4    43
a8-11-06-00-0b-b4  2/3    0    12
08-01-00-00-a7-64  2/4    1    1
00-ff-08-10-44-01  2/6    5    12
Filtering DB - IVL
Distinct Filtering DBs (each assigned a Filtering ID)
FID=12
Dest MAC Address   Ports  Age
00-00-08-11-aa-01  1/1    1
a8-11-06-00-0b-b4  2/3    0
00-ff-08-10-44-01  2/6    5
FID=43
Dest MAC Address   Ports  Age
00-b0-8d-13-1a-f1  1/7    4
FID=1
Dest MAC Address   Ports  Age
08-01-00-00-a7-64  2/4    1
SVL vs IVL
In most cases, it does not matter whether IVL or SVL is used
However, in some particular cases, IVL or SVL is necessary
Notation used in what follows:
- Member set: set of ports through which members of the VLAN can be reached
- Untagged set: set of ports through which, if frames are to be transmitted, they shall be transmitted without a tag. The untagged set of a port may include multiple VLANs (see the SVL example next)
- PVID (Port VLAN ID): the VLAN associated with the port
See 802.1Q-2003, Annex B for a detailed explanation of the following examples
Why IVL? /1
[Figure: station A reachable from both port 1 and port 4, in different VLANs]
SVL would not work!! (A is learned from both port 1 and port 4)
(no STP in the example)
Note: it is a bridge device! Were it a router, there would be no problem!
Why IVL? /2
[Figure: station A reachable from both port 1 and port 3]
SVL would not work!! (A is learned from both port 1 and port 3)
(STP enabled, VLAN-aware connector)
Why SVL?
A VLAN-unaware server to be shared among VLANs
- Must use an untagged access link
- Asymmetric VLANs!
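The relay functions, the SVL/IVL filtering DBs and the "Why IVL?" / "Why SVL?" cases above, as an added Python model that is not the lecture's own code: port roles, VLAN IDs 10 (RED) and 20 (BLUE) and station names are constructed, and the asymmetric-VLAN server port follows the 802.1Q Annex B idea the slides cite. Each scenario returns the ports a frame is relayed to, so the two learning modes can be compared directly.

```python
from collections import defaultdict

class VlanSwitch:
    """Toy 802.1Q relay: ingress classification/filtering, learning, forwarding, egress.
    ports = {port: {"pvid": vid, "members": {vids}, "untagged": {vids}}}; learning = "IVL"/"SVL"."""
    def __init__(self, ports, learning="IVL"):
        self.ports, self.learning = ports, learning
        self.fdb = defaultdict(dict)  # FID -> {MAC: port}

    def _fid(self, vid):
        return vid if self.learning == "IVL" else 0  # SVL maps every VLAN onto one FID

    def relay(self, in_port, frame):
        """frame = {"dst": mac, "src": mac, "vid": int or None (untagged)}.
        Returns {out_port: frame as transmitted}; {} means the frame was discarded."""
        cfg = self.ports[in_port]
        # Ingress: a tagged frame carries its VID, an untagged one gets the port's PVID
        vid = cfg["pvid"] if frame["vid"] is None else frame["vid"]
        if vid not in cfg["members"]:
            return {}  # ingress filtering: this VID is not allowed on this port
        db = self.fdb[self._fid(vid)]
        db[frame["src"]] = in_port  # learning: (MAC, FID) -> port
        known = db.get(frame["dst"])
        if known is None:  # unknown destination: flood the VLAN's member set
            outs = [p for p, c in self.ports.items() if p != in_port and vid in c["members"]]
        elif known == in_port or vid not in self.ports[known]["members"]:
            outs = []  # learned on the receiving port, or on a port outside this VLAN
        else:
            outs = [known]
        # Egress: strip the tag on ports in the VLAN's untagged set, keep it on trunks
        return {p: dict(frame, vid=None if vid in self.ports[p]["untagged"] else vid)
                for p in outs}

RED, BLUE = 10, 20  # constructed VLAN IDs
def access(vid):  # access port: single VLAN, always untagged
    return {"pvid": vid, "members": {vid}, "untagged": {vid}}

def why_ivl(learning):
    """Same MAC A seen on port 1 (RED) and port 4 (BLUE): where does a RED frame to A go?"""
    sw = VlanSwitch({1: access(RED), 2: access(RED), 3: access(BLUE), 4: access(BLUE)}, learning)
    sw.relay(1, {"dst": "B", "src": "A", "vid": None})  # A learned in RED via port 1
    sw.relay(4, {"dst": "C", "src": "A", "vid": None})  # A learned in BLUE via port 4
    return sorted(sw.relay(2, {"dst": "A", "src": "B", "vid": None}))

def why_svl(learning):
    """Asymmetric VLANs: VLAN-unaware server S on untagged port 5 shared by RED and BLUE."""
    sw = VlanSwitch({1: access(RED),
                     3: {"pvid": BLUE, "members": {BLUE, RED}, "untagged": {BLUE, RED}},
                     5: {"pvid": RED, "members": {RED, BLUE}, "untagged": {RED, BLUE}}}, learning)
    sw.relay(3, {"dst": "S", "src": "C", "vid": None})  # client C -> S, classified BLUE
    return sorted(sw.relay(5, {"dst": "C", "src": "S", "vid": None}))  # reply classified RED
```

With SVL the overwritten entry for A points at port 4, which is not in RED's member set, so the RED frame is discarded; with IVL the server's reply is unknown in RED and floods every RED member port instead of going only to the client's port.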
Spanning Tree and VLANs
(just motivations; MSTP details in 802.1Q, clauses 13 and 14)
VLANs and Spanning Tree
Original 802.1Q specification: Common Spanning Tree (CST)
- One for all VLANs: easy to maintain
- No load balancing possible
- Bridge priorities (or VLAN trunking) must be carefully selected to guarantee connectivity for ALL VLANs
Multiple Spanning Tree
Based on an early proprietary idea: Per VLAN Spanning Tree
- Problem: several VLANs = BPDU load!
- Idea: aggregate VLANs
MSTP (802.1s, 2002)
Based on RSTP
Hierarchical approach
- One single spanning tree connects the regions: Common Spanning Tree (CST) across regions
- Each region has at least an Internal Spanning Tree (IST), called Common IST (CIST)
- One region acts as a single virtual bridge in terms of spanning tree!
- Multiple spanning tree instances (MSTI) are possible inside each region
Details and the new BPDU format are quite complex: refer to the standard (and to RFC 2104 for the HMAC-MD5 digest of the VLAN-to-MSTI mapping)
[Figure: CIST + MSTI]