Tecnologie e Protocolli per Internet 1 Prof. Stefano Salsano e-mail: stefano.salsano@uniroma2.it AA2011/12 Blocco 4 v2 Virtual LANs
Broadcast issues Switches: - did partition collision domains - bud DID not partition broadcast domain The obvious solution: : IP subnets Partition network into several subnets Critical approach (especially in the past): routers were slow Need to replace switches with routers No more a problem of efficiency, today layer 3 switches = hardware-based routers, very fast! However
Cons of physical IP subnets Floor 2 LAB 1 (telecom) LAB 2 (nanotech) OFFICES One switch per lab! Even if all switches in a same floor box, manual connection necessary Different LAB rooms = different subnets! Broadcast domain cannot extend through routers more complex management needed Floor 1 LAB 2 (telecom) Physical Network Design vs Logical Network Design Standard design for physical network Well before network partitioning needs emerge from customers of the building! Armadio di piano Armadio di piano Cablaggio orizzontale in rame Prese RJ45 Stanza Stanza Stanza Canalina metallica forata Canalina in PVC Prese RJ45 Stanza Stanza Stanza Tubo in PVC Cablaggio verticale in Fibra Ottica Canalina metallica - Cablaggio verticale di backup in rame
Solution: Virtual LAN (VLAN) VLAN = area which limits the broadcast domain Benefits Broadcast confinement solves scalability issues of large flat networks Isolation of failures and network impairments Security (more later) Multiple VLANs may coexist over a same Switched LAN VLAN Membership Per Port THE typical VLAN approach The IEEE 802.1Q approach Per User Via MAC address Via VLAN tag Results: anarchic VLAN but too easy to break into Per Protocol New feature in IEEE 802.1v Combination (cross-layer) Supported as proprietary extensions Via IP subnet address. Classification hierarchy may be defined E.g. per IP subnet; if not IP per protocol; if not in the set of classified protocols per MAC; if not in MAC list per port.
Physical vs logical view (i.e. why VLANS instead of IP network) Layer 3 subnets ought to be physically separated BUT many VLANs may overlap on the same, unique physical network structure! Robust, failureproof, single managed VLANs and IP subnets /1 1 VLAN = 1 IP subnet Routers are needed to move frames from different VLANs Even if STAs are in the same physical network Inter-VLAN connectivity through router: improves security May apply packet filtering mechanisms such as ACL, etc
VLANs and IP subnets /2 160.80.81.0/24 160.80.80.0/24 Routers for VLAN interconnection may have as little as just one physical interface Also called, in jargon, one-armed routers Multiple IP addresses on the single interface 160.80.80.100 160.80.81.100 VLAN tagging
Port types TRUNK port: transmits and receives tagged frames i.e. with explicit VLAN membership indication ACCESS port: transmits and receives untagged frames i.e. with no VLAN membership indication HYBRID ports: may handle both tagged and untagged frames Access links A link connected to an access port Typically the PC-to-switch link or small-hub-to-switch link Access port Connected STAs belong to only 1 VLAN Connected STAs DO NOT NEED TO KNOW they are on a VLAN They just assume to be on a dedicated IP subnet TX/RX frames: standard Ethernet (no QTAG prefix) S1 S2 S3 HUB
Access links (legacy regions) May be switched LANs themselves Made up by VLAN-unaware switches VLAN-aware switch Access port VLAN-unaware switch VLAN-unaware switch S3 S1 S2 Trunk links A link connected to a trunk port Typically switch-to-switch or switch-to-router links frequently server-to-switch link If PC-to-switch link: Anarchic VLANs considered Trunk port Support tagged Ethernet frames Explicit tagging mechanism to differentiate them Does not belong to a VLAN but transport VLAN frames Either from all VLANs Or just from selected VLANs However, may belong to a VLAN Case of hybrid link Untagged frames assumed to belong to a VLAN
Hybrid links Support both tagged and untagged Ethernet frames Untagged frames belong to the same VLAN (in the example, VLAN C) Modern understanding and implementations: all links are of hybrid type Ethernet Frame format for VLAN (802.3ac, 1998) QTag type = 0x8100 QTag prefix = 4 bytes Maximum frame: 1522 (!!) > 1518 = baby giant
User Priority (802.1p) 0 1 2 3 4 5 6 7 BE BK --- EE CL VI VO NC Best Effort (default) Background Unspecified Excellent Effort Controlled Load Video < 100ms latency/jitter Voice < 10 ms latecny/jitter Network Control Managed via separated output queues - typically with priority queueing - but more complex scheduling mechanisms can be used May a station belong to more than 1 VLAN? Access links Access links Trunk link Yes! (typical case: servers)
Switch operation with VLANs VLAN and forwarding Green Blue, Green Trunk ports may forward only selected VLAN tags Manual (static) configuration Red, Green Automatic (dynamic) configuration via specially devised protocols (GVRP: GARP VLAN Registration Protocol) GARP = Generic Attribute Registr. Prot. See clause 10, 802.1D 1998 version No spanning tree considerations at the moment
VLAN switch: relay functions Ingress function Classification of each received frame as belonging to one and only one VLAN Based on tag Based on port (e.g.) for untagged frames Discard frame based on normal bridging rules PLUS VLAN classification E.g. unallowed VLAN tag from port Ingress function = Access control using switches rather than routers! Forward function Only on specific enabled ports for given VLAN Egress function Add tag (or leave previous tag) if trunk link; Remove tag if access link Learning Learning process affected by VLAN MAC address is no more the only information to consider! VLAN Identifier is also necessary Shared VLAN Learning (SVL) 1 single filtering DB if individual MAC Address learned in one VLAN, learned information used in forwarding decisions relative to all other VLANs Independent VLAN Learning (IVL) 1 filtering DB per each VLAN ID if individual MAC Address learned in one VLAN, learned information NOT used in forwarding decisions relative to all other VLANs General case (SVL/IVL) Many filtering DBs (each with a Filtering ID FID) Each FID may include more than 1 VLAN
Filtering DB Shared VLAN Learning (SVL) Dest MAC Address Ports Age vlan ----------------- ----- --- 00-00-08-11-aa-01 1/1 1 12 00-b0-8d-13-1a-f1 1/7 4 43 a8-11-06-00-0b-b4 2/3 0 12 08-01-00-00-a7-64 2/4 1 1 00-ff-08-10-44-01 2/6 5 12 Filtering DB Independent VLAN Learning (IVL) FID=12 Dest MAC Address Ports Age ----------------- ----- --- 00-00-08-11-aa-01 1/1 1 a8-11-06-00-0b-b4 2/3 0 00-ff-08-10-44-01 2/6 5 FID=43 Dest MAC Address Ports Age ----------------- ----- --- 00-b0-8d-13-1a-f1 1/7 4 FID=1 Dest MAC Address Ports Age ----------------- ----- --- 08-01-00-00-a7-64 2/4 1 Distinct Filtering DBs (each assigned a Filtering ID)
Filtering DB Independent VLAN Learning (IVL) In most cases, no matter wthere IVL or SVL is used However, in some particolar cases, IVL or SVL are necessary Notation used in what follows: Member set Set of ports through which members of the VLAN can be reached Untagged set Set of ports through which, if frames are to be transmitted, they shall be transmitted without tag» Untagged set for a port may include multi VLANs (see SVL example next) PVID (Port VLAN ID) VLAN associated to the port See 802.1Q-2003, Annex B (pag. 245-252) for detailed explanation of following examples Nella larga maggioranza dei casi, utilizzare il meccanismo IVL o quello SVL è equivalente. Vi sono casi particolari in cui questo non è vero e bisogna utilizzare uno dei due meccanismi. Nel primo esempio ( Why IVL? ) si considera l utilizzo di dispositivi ibridi detti Connector (vedi anche http://en.wikipedia.org/wiki/bridge_router) che operano in modalità intermedia tra livello 2 e 3 In pratica possono effettuare l inoltro di una trama da una VLAN all altra in modalità switched se NON riconoscono il protocollo di livello superiore, oppure lavorare a livello 3 se riconoscono il protocollo di livello superiore (quindi operano come router per IP). Nel secondo esempio ( Why SVL? ) si mostra come è possibile far lavorare un server legacy (cioè che non sia progettato per operare sulle VLAN ma su una LAN tradizionale) in modo da interoperare contemporaneamente con dispositivi su diverse VLAN.
Why IVL? /1 Note: it is (also) a bridge device! Were it a router, no problems! SVL would not work!! (A learned from both port 1 and 4) (no STP in the example ) Relativamente alla slide precedente, si assuma che A invia una trama con indirizzo MAC di destinazione B, appartenente ad un protocollo di livello superiore NON noto, quindi il connector inoltrerà questa trama dalla porta X alla porta Y (assumendo che aveva già imparato l indirizzo di B) Il bridge VLAN-aware impara l indirizzo di A sulla porta 4. Se qualcuno invia al bridge VLAN-aware una trama destinata ad A, appartenente alla VLAN rossa, il brigde VLAN-aware deve inoltrarla sulla porta 1 e non sulla porta 4! Nella slide seguente il problema è lo stesso, solo che il connector opera come un dispositivo VLAN aware e quindi ha una sola porta di tipo trunk su cui invia e riceve trame VLAN tagged.
Why IVL? /2 SVL would not work!! (A learned from both port 1 and 3) (STP enabled, VLAN-aware connector) Why SVL? VLAN unaware server to be shared among VLANs Must use untagged access link Asymmetric VLANs!