
IEEE 802.1Q Virtual LAN (VLAN)

Introduction

VLAN Aims and Benefits

  • Without VLANs, layer 2 switches/bridges forward every received broadcast and multicast frame to all ports, which causes:
    • Bandwidth waste
    • Security issues (any station can see the broadcast/multicast traffic of every other station)
  • Easy administration of logical groups of stations, including moves, adds, and changes of the members of these groups.
  • Traffic between VLANs is firewalled; the propagation of multicast and broadcast traffic between VLANs is limited.

Overview of Virtual LAN

  • Virtual LAN services in bridged LANs.
  • The Forwarding Process required to support VLANs.
  • The Filtering Database needed to support VLANs.
  • Protocols and procedures required to provide VLAN services and distribute VLAN membership information.
  • Management services and operations required to configure and administer VLANs.

Virtual LAN (VLAN) Architecture

Based on a 3-level model:

  • Configuration
    • MIBs (Management Information Base)
  • Distribution/Resolution
    • Declaration Protocols
    • Req/Resp Protocols
  • Relay
    • Ingress Rules
    • Forwarding Rules
    • Egress Rules

Configuration

The VLAN configuration is specified in the first place.

  • Port-based VLAN
  • MAC-based VLAN
  • IP-subnet based VLAN
  • Layer-3 Protocol based VLAN

Distribution

Distributes VLAN membership information so that bridges can determine on which VLAN a given frame should be forwarded.

  • Declaration protocols for distributing VLAN associations.
    • GARP (Generic Attribute Registration Protocol) is used to distribute membership information among bridges.
  • Request/Response protocols to request a specific VLAN association (SNMP).

Relay

The procedures to tag frames, modify tagged frames, and untag frames.

  • Ingress rules: mapping received frames to VLANs.
  • Forwarding rules: where received frames should be forwarded.
  • Egress rules: mapping frames to output ports and output format (tagged or untagged).
  • Ingress rules/egress rules:
    • Each received frame is classified as belonging to exactly one VLAN by associating a VID with it.
    • The classification is achieved as follows:
      • Explicit tagging: the VID value the frame carries.
      • Implicit tagging: the PVID (Port VID) associated with the port on which the frame is received.
    • A frame shall be filtered if the outgoing port is not present in the Member Set of the VLAN.

Port-based VLAN

  • VLAN aware devices understand VLAN membership and the VLAN frame format.
  • VLAN unaware devices understand neither.
  • An Access Link is a LAN segment used to multiplex one or more VLAN unaware devices into a port of a VLAN Bridge.
    • All frames on an access link are implicitly tagged.
    • There are no VLAN-tagged frames on an access link.
    • Viewed as being on the edge of the network.
    • Can be attached to other 802.1D-conformant Bridges (BLAN).
  • A Trunk Link is a LAN segment used to multiplex VLANs between VLAN Bridges.
    • All devices connected to a Trunk Link must be VLAN aware.
    • All frames (including end station frames) on a Trunk Link are explicitly tagged with a VLAN ID.
  • A Hybrid Link is a LAN segment that has both VLAN aware and unaware devices.
    • There can be a mix of tagged frames and untagged frames, but they must belong to different VLANs.
    • For each VLAN, all frames traversing a particular hybrid link must be tagged the same way:
      • All implicitly tagged, or
      • All carrying the same explicit tag.

Spanning Tree and VLAN

The Spanning Tree is to:

  1. Eliminate loops in a bridged LAN.
  2. Provide the forwarding path for any pair of nodes.

So, for VLANs:

  • All VLANs are aligned along the spanning tree.
  • A VLAN is defined by a subset of the spanning tree.

Bridge Operation for VLAN

A Bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of

For each VLAN, the bridge needs to keep:

  • Member set (Port IDs)
  • Untagged set (Port IDs)

Examples of Member set and Untagged set

VLAN Address Learning

  • Shared VLAN Learning (SVL)
    • The addresses learned in each VLAN are shared by all VLANs.
  • Independent VLAN Learning (IVL)
    • The addresses learned in each VLAN are NOT shared.
  • In most cases, SVL and IVL produce the same result.
  • In some special cases, however, the learning mode of the bridge must be specified.

IVL Example – Multiple Independent VLANs

Consider:

  • A server (bridge-router, or "connector") connecting multiple independent VLANs.
  • The connector and the stations are VLAN unaware (untagged).
  • The connector does not run the spanning tree algorithm.

If SVL is used for this case:

[Figure: the same topology with SVL]
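As an added example (not part of the original notes), here is a small Python model of the relay and learning rules described above: ingress classification by explicit tag or PVID, Filtering Database learning keyed by a filtering identifier (the VID under IVL, a single shared space under SVL), egress filtering against the Member Set, and untagging according to the Untagged Set. The port numbers, MAC addresses and VLAN IDs are constructed; the IVL-versus-SVL scenario mirrors the connector example, where one VLAN-unaware connector MAC is reachable through ports in different VLANs.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str                   # source MAC (constructed sample values such as "A")
    dst: str                   # destination MAC
    vid: Optional[int] = None  # None = untagged; an int = explicit 802.1Q tag


@dataclass
class Vlan:
    member_set: Set[int]       # ports that may carry this VLAN's frames
    untagged_set: Set[int]     # members that transmit the frames untagged


class VlanBridge:
    """Relay model: ingress rules, FDB lookup/learning, egress rules."""

    def __init__(self, pvid: Dict[int, int], vlans: Dict[int, Vlan], mode: str = "IVL"):
        self.pvid, self.vlans, self.mode = pvid, vlans, mode
        self.fdb: Dict[tuple, int] = {}   # (FID, MAC) -> port it was learned on

    def fid(self, vid: int) -> int:
        # IVL: one learning space per VLAN; SVL: every VLAN shares space 0
        return vid if self.mode == "IVL" else 0

    def relay(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        # Ingress rules: an explicit tag carries the VID, otherwise use the port's PVID
        vid = frame.vid if frame.vid is not None else self.pvid[in_port]
        vlan = self.vlans.get(vid)
        if vlan is None or in_port not in vlan.member_set:
            return {}                      # unknown VLAN or non-member port: discard
        self.fdb[(self.fid(vid), frame.src)] = in_port   # learn the source address
        # Forwarding rules: known unicast goes to its port, otherwise flood the Member Set
        learned = self.fdb.get((self.fid(vid), frame.dst))
        ports = {learned} if learned is not None else set(vlan.member_set)
        ports.discard(in_port)
        # Egress rules: filter ports outside the Member Set; untag on the Untagged Set
        return {p: Frame(frame.src, frame.dst, None if p in vlan.untagged_set else vid)
                for p in ports if p in vlan.member_set}
```

With SVL, the connector MAC learned through the VLAN 20 port overrides the entry VLAN 10 needs, so a VLAN 10 station's frame to the connector is looked up to a non-member port and filtered; with IVL each VLAN keeps its own entry and the frame is delivered.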

The Filtering Databases for VLAN

  • Static Filtering Entry
  • Static VLAN Registration Entry
  • Dynamic Filtering Entry
  • Dynamic VLAN Registration Entry


VLAN Tag

VLAN Tag Structure

  • Tag Protocol Identifier (TPID)
  • Tag Control Information (TCI)
    • User-Priority
    • Canonical Format Indicator (CFI)
    • VID

Tag Format

  • Ethernet-encoded tag (units: bytes)

        Ethernet-encoded TPID    TCI
        2                        2

  • TCI (the VID is 12 bits, so there are no more than 4096 VLANs; units: bits)

        User-Priority    Canonical Format Indicator    VID
        3                1                             12

  • SNAP-encoded tag (units: bytes)

        SNAP-encoded TPID    TCI
        2                    2

  • SNAP-encoded TPID (units: bytes)

        SNAP Header (AA-AA-03)    SNAP PID (00-00-00)    Tag Type (81-00)
        3                         3                      2
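Added example (not part of the original notes): a Python encoder/decoder for the tag layout in the tables above. The TCI bit positions (3 + 1 + 12) and both TPID encodings come from the tables; the sample MAC addresses and payload are constructed, and frames are assumed to start directly with the destination and source address fields (no media-specific header in front of them).

```python
import struct

TPID_ETHERNET = b"\x81\x00"                              # Ethernet-encoded TPID (2 bytes)
TPID_SNAP = bytes.fromhex("AAAA03" "000000" "8100")      # SNAP header + SNAP PID + tag type


def encode_tci(priority: int, cfi: int, vid: int) -> int:
    """Pack User-Priority (3 bits), CFI (1 bit) and VID (12 bits) into the 16-bit TCI."""
    if not (0 <= priority <= 7 and cfi in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("TCI field out of range")
    # Note: VID 0 (priority-tagged) and 0xFFF are reserved by 802.1Q, leaving 4094 usable VIDs.
    return (priority << 13) | (cfi << 12) | vid


def decode_tci(tci: int) -> tuple:
    """Split a 16-bit TCI back into (priority, cfi, vid)."""
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert an Ethernet-encoded tag between the address fields and the rest of the frame."""
    tci = struct.pack("!H", encode_tci(priority, cfi, vid))
    return frame[:12] + TPID_ETHERNET + tci + frame[12:]


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid, untagged_frame), or None if no tag follows the addresses.

    Both TPID encodings from the tables are recognised directly after the 12 address
    bytes (an assumption of this example; media-specific headers are not handled).
    """
    for tpid in (TPID_ETHERNET, TPID_SNAP):
        end = 12 + len(tpid)
        if frame[12:end] == tpid and len(frame) >= end + 2:
            (tci,) = struct.unpack("!H", frame[end:end + 2])
            prio, cfi, vid = decode_tci(tci)
            return prio, cfi, vid, frame[:12] + frame[end + 2:]
    return None
```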

Summary

  • A VLAN is designed to logically group stations.
  • The members of a VLAN can be removed and added dynamically.
  • Direct communication between different VLANs is not allowed; the communication must be directed through a router.
  • IEEE 802.1Q defines port-based VLANs.
  • Three-phase model:
    • VLAN configuration
    • Declaration/distribution of VLAN membership
    • Frame relay
  • The VLAN ID is 12 bits (4096 VLANs).
  • Three types of link:
    • Access Link: all frames are untagged.
    • Trunk Link: all frames are tagged.
    • Hybrid Link: a mix of tagged frames and untagged frames, which must belong to different VLANs.
  • For each VLAN, the bridge needs to keep:
    • Member set (Port IDs)
    • Untagged set (Port IDs)
