
Lecture 5.

Virtual LANs
Standard 802.1Q, 802.1v, 802.1s

Giuseppe Bianchi

Broadcast issues

Switches:

- DID partition collision domains
- but DID NOT partition broadcast domains

The obvious solution: IP subnets


Partition the network into several subnets
Critical approach (especially in the past):
routers were slow
Need to replace switches with routers

No longer an efficiency problem today:
layer 3 switches = hardware-based routers, very fast!

However...

Cons of physical IP subnets

[Figure: two-floor building. Floor 2: LAB 1 (telecom), LAB 2 (nanotech). Floor 1: OFFICES, LAB 2 (telecom)]

- One switch per lab!
- Even if all switches sit in the same floor wiring closet, manual cabling is necessary
- Different LAB rooms = different subnets!
- Broadcast domain cannot extend through routers -> more complex management needed

Physical Network Design vs Logical Network Design

- Standard design for the physical network
- Well before the network partitioning needs emerge from the customers of the building!

[Figure: structured cabling of a building. Horizontal copper cabling runs from the floor wiring closet ("armadio di piano") to the RJ45 sockets in the rooms, in perforated metal cable trays and PVC trunking; the vertical backbone between floors is fibre optic in PVC conduit, with a backup vertical copper run in a metal cable tray]

Solution: Virtual LAN (VLAN)

- VLAN = area which limits the broadcast domain
- Benefits
  - Broadcast confinement solves the scalability issues of large flat networks
  - Isolation of failures and network impairments
  - Security (more later)
- Multiple VLANs may coexist over the same switched LAN

VLAN Membership

- Per port
  - THE typical VLAN approach
  - The IEEE 802.1Q approach
- Per user
  - Via MAC address
  - Via VLAN tag (the station tags its own frames)
    - Result: "anarchic" VLAN, each user picks its own VLAN...
    - ...but too easy to break into: any host that can forge a tag (or a MAC address) joins whichever VLAN it likes
- Per protocol
  - New feature in IEEE 802.1v
- Combination (cross-layer)
  - Supported as proprietary extensions
  - Via IP subnet address
  - ...
  - A classification hierarchy may be defined
    - E.g. per IP subnet;
    - if not IP -> per protocol;
    - if not in the set of classified protocols -> per MAC;
    - if not in the MAC list -> per port.

Per-Port + Per-Protocol Control (example)

[Figure: example of per-port and per-protocol classification of incoming frames]
Default = tag with PVID (Port VLAN ID)

Physical vs logical view (i.e. why VLANs instead of IP networks)

- Layer 3 subnets ought to be physically separated
- BUT many VLANs may overlap on the same, unique physical network structure!
  - Robust, failure-proof, single managed infrastructure

VLANs and IP subnets /1

- 1 VLAN = 1 IP subnet
- Routers are needed to move traffic between different VLANs
  - Even if the STAs are in the same physical network
- Inter-VLAN connectivity through a router improves security
  - Packet filtering mechanisms such as ACLs can be applied at the router

VLANs and IP subnets /2

[Figure: two VLANs with subnets 160.80.80.0/24 and 160.80.81.0/24; the router holds 160.80.80.100 and 160.80.81.100 on the same interface]

- Routers for VLAN interconnection may have as little as just one physical interface
  - Also called, in jargon, one-armed routers
  - Multiple IP addresses on the single interface (one per VLAN); the interface sits on a trunk link, so each packet's VLAN is identified by its tag

VLAN tagging


Port types

- TRUNK port: transmits and receives tagged frames, i.e. with explicit VLAN membership indication
- ACCESS port: transmits and receives untagged frames, i.e. with no VLAN membership indication
- HYBRID port: may handle both tagged and untagged frames

Access links

- A link connected to an access port
  - Typically the PC-to-switch link
  - or a small-hub-to-switch link
- Connected STAs belong to only 1 VLAN
- Connected STAs DO NOT NEED TO KNOW they are on a VLAN
  - They just assume they are on a dedicated IP subnet
- TX/RX frames: standard Ethernet (no QTAG prefix)

[Figure: stations S1, S2, S3 on a hub attached to an access port of the switch]

Access links (legacy regions)

- May be switched LANs themselves
- Made up of VLAN-unaware switches

[Figure: stations S1, S2, S3 behind VLAN-unaware switches, attached to an access port of a VLAN-aware switch]

Trunk links

- A link connected to a trunk port
  - Typically switch-to-switch or switch-to-router links
  - frequently server-to-switch links
  - If PC-to-switch link: "anarchic" VLANs (the PC chooses its own tag; see the membership slide)
- Support tagged Ethernet frames
  - Explicit tagging mechanism to differentiate them
- Does not belong to a VLAN but transports VLAN frames
  - Either from all VLANs
  - Or just from selected VLANs
- However, may belong to a VLAN
  - Case of a hybrid link
  - Untagged frames assumed to belong to that VLAN (the port's PVID)

Hybrid links

- Support both tagged and untagged Ethernet frames
- Untagged frames all belong to the same VLAN, the port's PVID (in the figure, VLAN C)
- Modern understanding and implementations: all links are of hybrid type (access and trunk are just two configurations of the same per-port rules: a PVID for untagged ingress, and a per-VLAN choice of tagged or untagged egress)

Ethernet Frame format for VLAN (802.3ac, 1998)

[Figure: the 4-byte Q-tag inserted between the source MAC address and the Length/Type field]

QTag type (TPID) = 0x8100
QTag prefix = 4 bytes (2-byte TPID + 2-byte TCI: 3-bit user priority, 1-bit CFI, 12-bit VLAN ID)
Maximum frame: 1522 bytes (!!) = 1518 + 4
Frames above the untagged maximum of 1518 bytes = "baby giants"
  processed correctly by 802.1Q-aware equipment
  but VLAN-unaware equipment might record them as (oversize) errors

User Priority (802.1p)

PCP  Acronym  Traffic type
0    BE       Best Effort (default)
1    BK       Background
2    --       Unspecified (spare)
3    EE       Excellent Effort
4    CL       Controlled Load
5    VI       Video, < 100 ms latency/jitter
6    VO       Voice, < 10 ms latency/jitter
7    NC       Network Control

Managed via separate output queues
- typically with priority queueing
- but more complex scheduling mechanisms can be used
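Added example (not from the slides): a Python parser for the 802.3ac/802.1Q frame layout and the 802.1p priority field described above, plus an ingress classifier that walks the cross-layer membership hierarchy from the "VLAN Membership" slide (explicit tag first, then IP subnet, then protocol, then source MAC, then the port's PVID). Frames, addresses and policy rules are constructed for the example; the length checks assume the FCS is absent from the bytes handed to the parser, as in most captures.

```python
"""Parse 802.1Q-tagged Ethernet frames and classify untagged ones by a cross-layer hierarchy."""
import ipaddress
import struct

TPID_8021Q = 0x8100
ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
UNTAGGED_MAX = 1518            # 802.3 maximum, FCS included
TAGGED_MAX = UNTAGGED_MAX + 4  # 802.3ac: room for one 4-byte Q-tag

# 802.1p priority code point -> (acronym, traffic type), as on the slide
PCP_CLASSES = {0: ("BE", "Best Effort"), 1: ("BK", "Background"), 2: ("--", "Unspecified"),
               3: ("EE", "Excellent Effort"), 4: ("CL", "Controlled Load"), 5: ("VI", "Video"),
               6: ("VO", "Voice"), 7: ("NC", "Network Control")}


def mac_str(b):
    return "-".join(f"{x:02x}" for x in b)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Build a frame for the examples below (constructed input; no FCS appended)."""
    hdr = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vid is not None:  # insert the 4-byte Q-tag between source MAC and Length/Type
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


def ipv4_header(src_ip, dst_ip):
    """Minimal 20-byte IPv4 header (constructed sample; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)


def parse_frame(raw, fcs_included=False):
    """Split a frame into header fields, decoding one 802.1Q tag (TPID 0x8100) if present."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, tpid = struct.unpack("!6s6sH", raw[:14])
    f = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False, "pcp": None, "dei": None, "vid": None}
    off = 12
    if tpid == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated Q-tag")
        (tci,) = struct.unpack("!H", raw[14:16])
        f.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        off = 16
    (f["ethertype"],) = struct.unpack("!H", raw[off:off + 2])
    f["payload"] = raw[off + 2:]
    f["priority"] = PCP_CLASSES[f["pcp"]][0] if f["tagged"] else PCP_CLASSES[0][0]
    wire_len = len(raw) + (0 if fcs_included else 4)
    f["baby_giant"] = wire_len > UNTAGGED_MAX  # legal under 802.1Q, an oversize error to VLAN-unaware gear
    f["oversize"] = wire_len > TAGGED_MAX
    return f


class Policy:
    """Cross-layer membership rules, walked in the order of the slide's classification hierarchy."""

    def __init__(self, pvid, subnet_rules=(), protocol_rules=None, mac_rules=None):
        self.pvid = dict(pvid)                                                 # port -> PVID
        self.subnet_rules = [(ipaddress.ip_network(n), v) for n, v in subnet_rules]
        self.protocol_rules = dict(protocol_rules or {})                       # Ethertype -> VID
        self.mac_rules = {m.lower(): v for m, v in (mac_rules or {}).items()}  # source MAC -> VID


def classify(port, raw, policy):
    """Ingress classification: (VID, deciding rule). A real tag wins; else subnet -> protocol -> MAC -> PVID."""
    f = parse_frame(raw)
    if f["tagged"] and f["vid"] not in (0, 0xFFF):  # VID 0 = priority-tagged only, 0xFFF reserved
        return f["vid"], "tag"
    if f["ethertype"] == ETH_P_IP and len(f["payload"]) >= 20:
        src_ip = ipaddress.ip_address(f["payload"][12:16])
        for net, vid in policy.subnet_rules:
            if src_ip in net:
                return vid, "subnet"
    if f["ethertype"] in policy.protocol_rules:
        return policy.protocol_rules[f["ethertype"]], "protocol"
    if f["src"] in policy.mac_rules:
        return policy.mac_rules[f["src"]], "mac"
    return policy.pvid[port], "port"


if __name__ == "__main__":
    pol = Policy(pvid={1: 10, 2: 20}, subnet_rules=[("160.80.81.0/24", 81)],
                 protocol_rules={ETH_P_ARP: 30}, mac_rules={"00-00-08-11-aa-01": 12})
    frame = build_frame("ff-ff-ff-ff-ff-ff", "00-b0-8d-13-1a-f1", ETH_P_IP,
                        ipv4_header("160.80.81.100", "160.80.81.1"))
    print(classify(1, frame, pol))
```

Note what the hierarchy implies for security: every rule below "tag" trusts a field the sending host controls (its source IP, Ethertype or MAC), so per-user and per-subnet membership is only as strong as the spoofing protection on the access port; a priority-tagged frame (VID 0) is deliberately treated as untagged, otherwise a host could use it to bypass the port's PVID.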

Proprietary solutions (e.g. Cisco ISL)

Cisco Inter Switch Link protocol (ISL)
- External tagging (encapsulation): the original frame is wrapped in a 26-byte ISL header and followed by a new 4-byte FCS
- 10-bit VLAN tag in the header
- Other space for proprietary usage


May a station belong to more than 1 VLAN?

[Figure: stations on access links and a server on a trunk link]

Yes! (typical case: servers, attached through a trunk link so that they send and receive tagged frames for each VLAN)

Switch operation with VLANs


VLAN and forwarding

[Figure: switches interconnected by trunk links, each carrying selected VLANs only (Green; Blue, Green; Red, Green)]

- Trunk ports may forward only selected VLAN tags
  - Manual (static) configuration
  - Automatic (dynamic) configuration via specially devised protocols
    (GVRP: GARP VLAN Registration Protocol; GARP = Generic Attribute Registration Protocol; see clause 10 of 802.1D-1998)
- No spanning tree considerations at the moment

VLAN switch: relay functions

- Ingress function
  - Classification of each received frame as belonging to one and only one VLAN
    - Based on the tag
    - Based on the port (PVID) for untagged frames
  - Discard frames based on normal bridging rules PLUS VLAN classification
    - E.g. a tagged frame whose VLAN is not allowed on the receiving port
  - Ingress function = access control using switches rather than routers!
- Forwarding function
  - Only on the specific ports enabled for the given VLAN (its member set)
- Egress function
  - Add a tag (or keep the existing tag) on a trunk link;
  - Remove the tag on an access link

Learning

- Learning process affected by VLANs
  - MAC address is no longer the only information to consider!
  - VLAN Identifier is also necessary
- Shared VLAN Learning (SVL)
  - 1 single filtering DB
  - if an individual MAC address is learned in one VLAN, the learned information is used in forwarding decisions relative to all other VLANs
- Independent VLAN Learning (IVL)
  - 1 filtering DB per VLAN ID
  - if an individual MAC address is learned in one VLAN, the learned information is NOT used in forwarding decisions relative to all other VLANs
- General case (SVL/IVL)
  - Many filtering DBs (each with a Filtering ID, FID)
  - Each FID may include more than 1 VLAN

Filtering DB - SVL (one filtering DB for all VLANs)

Dest MAC Address     Port  Age  VLAN
00-00-08-11-aa-01    1/1   1    12
00-b0-8d-13-1a-f1    1/7   4    43
a8-11-06-00-0b-b4    2/3   0    12
08-01-00-00-a7-64    2/4   1    1
00-ff-08-10-44-01    2/6   5    12

Filtering DB - IVL

FID=12
Dest MAC Address     Port  Age
00-00-08-11-aa-01    1/1   1
a8-11-06-00-0b-b4    2/3   0
00-ff-08-10-44-01    2/6   5

FID=43
Dest MAC Address     Port  Age
00-b0-8d-13-1a-f1    1/7   4

FID=1
Dest MAC Address     Port  Age
08-01-00-00-a7-64    2/4   1

Distinct Filtering DBs (each assigned a Filtering ID)

SVL vs IVL

- In most cases, it does not matter whether IVL or SVL is used
- However, in some particular cases, IVL or SVL is necessary
- Notation used in what follows:
  - Member set
    Set of ports through which members of the VLAN can be reached
  - Untagged set
    Set of ports through which, if frames are to be transmitted, they shall be transmitted without a tag
    A port may be in the untagged set of more than one VLAN (see the SVL example next)
  - PVID (Port VLAN ID)
    VLAN associated with the port: untagged frames received on the port are classified into it
- See 802.1Q-2003, Annex B for a detailed explanation of the following examples

Why IVL? /1

[Figure: a VLAN-aware bridge whose ports 1 and 4, in different VLANs, both receive frames from station A; no STP in the example]

Note: the intermediate device is a bridge! Were it a router, no problem (a router rewrites the source MAC)!
SVL would not work!! (A learned from both port 1 and port 4: a single filtering DB keeps overwriting A's entry, so a frame in one VLAN may be directed to a port that is not in that VLAN's member set)

Why IVL? /2

[Figure: same situation with STP enabled and a VLAN-aware connector]

SVL would not work!! (A learned from both port 1 and port 3)

Why SVL?

[Figure: a VLAN-unaware server shared among VLANs]

- VLAN-unaware server to be shared among VLANs
- Must use an untagged access link
- Asymmetric VLANs! (the server port is in the member and untagged sets of every client VLAN, while the server's own frames are classified by its PVID into a VLAN whose member set contains the client ports; with IVL the server's MAC is never learned in the client VLANs, so the exchange is flooded every time)
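Added example, not part of the lecture material: a small Python model of the relay functions from the "VLAN switch: relay functions" and "Learning" slides (ingress classification and filtering, learning keyed by FID and MAC, forwarding over the member set, egress tagging via the untagged set) that reproduces the two Annex B cases above. Port numbers, MAC labels and VLAN numbers are chosen for the example: why_ivl puts station A on two ports in two VLANs, why_svl builds the asymmetric-VLAN server setup.

```python
"""VLAN-aware bridge relay: ingress classification/filtering, (FID, MAC) learning, member-set forwarding, egress tagging."""
from collections import defaultdict


class VlanBridge:
    def __init__(self, pvid, member, untagged, fid_of):
        self.pvid = pvid              # port -> PVID, classifies untagged ingress frames
        self.member = member          # VID -> member set (ports through which that VLAN is reachable)
        self.untagged = untagged      # VID -> untagged set (ports that transmit that VLAN without a tag)
        self.fid_of = fid_of          # VID -> FID; IVL: one FID per VID, SVL: several VIDs share one FID
        self.fdb = defaultdict(dict)  # FID -> {MAC: port}
        self.discarded = []

    def receive(self, in_port, src, dst, vid=None):
        """Relay one frame; returns the sorted list of (out_port, vid_or_None) transmissions."""
        # Ingress: tagged frames carry their VID, untagged ones get the port's PVID
        vid = self.pvid[in_port] if vid is None else vid
        # Ingress filtering: unknown VLAN, or a VLAN the receiving port is not a member of
        if vid not in self.member or in_port not in self.member[vid]:
            self.discarded.append((in_port, src, dst, vid))
            return []
        fid = self.fid_of[vid]
        self.fdb[fid][src] = in_port          # learning is keyed by (FID, MAC), not MAC alone
        out = self.fdb[fid].get(dst)
        if out is None:                       # unknown destination: flood the VLAN's member set
            targets = self.member[vid] - {in_port}
        elif out != in_port and out in self.member[vid]:
            targets = {out}                   # known destination reachable in this VLAN
        else:
            targets = set()                   # learned port is outside this VLAN: frame filtered
        # Egress: strip the tag in the untagged set, keep/add it on the other (trunk) ports
        return sorted((p, None if p in self.untagged[vid] else vid) for p in targets)


def make_bridge(vlans, pvid, learning):
    """vlans: {VID: (member ports, untagged ports)}. learning: 'IVL' (FID = VID) or 'SVL' (one shared FID)."""
    member = {v: set(m) for v, (m, _) in vlans.items()}
    untagged = {v: set(u) for v, (_, u) in vlans.items()}
    fid_of = {v: (v if learning == "IVL" else 1) for v in vlans}
    return VlanBridge(dict(pvid), member, untagged, fid_of)


def why_ivl(learning):
    """Station A's MAC reaches the bridge on port 1 (VLAN 10) and on port 4 (VLAN 20), e.g. through two
    VLAN-unaware legacy regions. Returns where B's reply to A, sent in VLAN 10, goes."""
    b = make_bridge({10: ({1, 2}, {1, 2}), 20: ({3, 4}, {3, 4})}, {1: 10, 2: 10, 3: 20, 4: 20}, learning)
    b.receive(1, "A", "B")     # A seen on port 1 in VLAN 10
    b.receive(4, "A", "C")     # A seen again on port 4 in VLAN 20; with SVL this overwrites the port-1 entry
    return b.receive(2, "B", "A")


def why_svl(learning):
    """Asymmetric VLANs: VLAN-unaware server S on port 5 (PVID 100, untagged) shared by client VLANs 10 and 20.
    Returns (where S's reply to client C1 goes, where C1's next frame to S goes)."""
    vlans = {10: ({1, 2, 5}, {1, 2, 5}), 20: ({3, 4, 5}, {3, 4, 5}), 100: ({1, 2, 3, 4, 5}, {1, 2, 3, 4, 5})}
    b = make_bridge(vlans, {1: 10, 2: 10, 3: 20, 4: 20, 5: 100}, learning)
    b.receive(1, "C1", "S")             # client -> server, classified VLAN 10, S still unknown: flooded
    reply = b.receive(5, "S", "C1")     # server reply, classified VLAN 100 by the port's PVID
    again = b.receive(1, "C1", "S")
    return reply, again


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "why_ivl ->", why_ivl(mode), "| why_svl ->", why_svl(mode))
```

With SVL, why_ivl returns an empty list: A's entry now points at port 4, which is not in VLAN 10's member set, so the reply is filtered and A is unreachable in VLAN 10. With IVL, why_svl floods the server's reply to every port of VLAN 100, including the ports of the other client VLAN, on every exchange: the asymmetric-VLAN trick only isolates clients from each other when the shared FID lets the bridge learn the client behind its port.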

Spanning Tree and VLANs
(just motivations; MSTP details in 802.1Q, clauses 13 and 14)

VLANs and Spanning Tree

- Original 802.1Q specification: Common Spanning Tree (CST)
  - One for all VLANs
  - Easy to maintain
  - No load balancing possible
  - Bridge priorities (or VLAN trunking) must be carefully selected
    to guarantee connectivity for ALL VLANs (if the only non-blocked path prunes a VLAN from its trunk, that VLAN is partitioned)

Multiple Spanning Tree

- Based on an early proprietary idea: Per-VLAN Spanning Tree
  - Problem: several VLANs -> BPDU load!
- Idea: aggregate VLANs

MSTP (802.1s, 2002)

- Based on RSTP
- Hierarchical approach
  - One single spanning tree connects the regions: the Common Spanning Tree (CST)
  - Each region has an Internal Spanning Tree (IST); the CST plus the ISTs form the Common and Internal Spanning Tree (CIST)
  - One region acts as a virtual single bridge in terms of the spanning tree!
  - Multiple Spanning Tree Instances (MSTIs) are possible inside each region
- Details and the new BPDU format are quite complex - refer to the standard
  - The VLAN-to-MSTI mapping is not encrypted: bridges advertise only an HMAC-MD5 digest of it (HMAC as in RFC 2104), together with a region name and revision, and belong to the same region only if all three match
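Added example (not from the slides or from any vendor's code): how the VLAN-to-MSTI mapping enters the MST BPDU. Bridges never exchange the mapping table itself, only the 51-byte MST Configuration Identifier, whose last 16 bytes are an HMAC-MD5 (RFC 2104) digest of the table computed under the fixed key published in the standard. The region names, revisions and mappings below are constructed for the example.

```python
"""MST Configuration Identifier: the VLAN-to-MSTI mapping is never sent, only its HMAC-MD5 digest."""
import hashlib
import hmac

# Fixed signature key from 802.1s (now 802.1Q clause 13.7); public, so the digest gives agreement, not secrecy
MST_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
CIST = 0  # MSTID 0: VLANs not mapped to any MSTI follow the CIST


def expand_mapping(msti_vlans):
    """{MSTID: iterable of VIDs} -> {VID: MSTID}; a VID may belong to one MSTI only."""
    vid_to_msti = {}
    for msti, vids in msti_vlans.items():
        for vid in vids:
            if vid_to_msti.get(vid, msti) != msti:
                raise ValueError(f"VLAN {vid} mapped to two MSTIs")
            vid_to_msti[vid] = msti
    return vid_to_msti


def config_digest(vid_to_msti):
    """HMAC-MD5 (RFC 2104) over the 4096-element table of 2-octet MSTIDs, indexed by VID 0..4095."""
    table = b"".join(vid_to_msti.get(vid, CIST).to_bytes(2, "big") for vid in range(4096))
    return hmac.new(MST_SIGNATURE_KEY, table, hashlib.md5).digest()


def config_identifier(name, revision, vid_to_msti):
    """Format selector (0), 32-byte name, 2-byte revision, 16-byte digest: 51 bytes in every MST BPDU."""
    name_b = name.encode("ascii")
    if len(name_b) > 32 or not 0 <= revision <= 0xFFFF:
        raise ValueError("name up to 32 bytes, revision 0..65535")
    return b"\x00" + name_b.ljust(32, b"\x00") + revision.to_bytes(2, "big") + config_digest(vid_to_msti)


def same_region(bridge_a, bridge_b):
    """Two bridges form one MST region only if all three fields agree; any mapping difference splits them."""
    return config_identifier(*bridge_a) == config_identifier(*bridge_b)


if __name__ == "__main__":
    campus = expand_mapping({1: range(10, 20), 2: range(20, 30)})
    print(config_digest(campus).hex())
```

Because the key is fixed and public, the digest only lets bridges detect that their mappings differ (a single VLAN moved to another instance changes all 16 bytes); it does not authenticate the sender. Anyone on the segment who can guess the mapping can emit a BPDU with a matching identifier, so region membership is no substitute for protecting edge ports against spoofed BPDUs.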

[Figure: CIST + MSTI]