Introduction

VLAN Aims and Benefits

• Without VLAN, the layer 2 switches/bridges will forward received broadcast and multicast frames to all ports. (頻寬浪費和安全問題)
  • Bandwidth wasting issue
  • Security issue
• Easy administration of logical group of stations. Also moves, adds, and changes in members of theses groups.
• Traffic between VLANs is firewalled. The propagation of multicast and broadcast traffic between VLANs is limited.

Overview of Virtual LAN

• Virtual LAN Services in Bridged LANs.
• Forwarding Process required to support VBLANs.
• Filtering Database needed to support VBLANs.
• Protocols and Procedures
  required to provide VLAN services and distribute the VLAN membership information.
• Management services and Operations required to configure and administer VBLANs.

Virtual LAN (VLAN) Architecture

Based on a 3-level model:

• Configuration
  • MIBs(管理資訊庫，Management Information Base)
• Distribution/Resolution
  • Declaration Protocols
  • Req/Resp Protocols
• Relay(傳播)
  • Ingress Rules(准許進入)
  • Forwarding Rules
  • Egress Rules(外出)

Configuration

The VLAN configuration is specified in the first place.

• Port-based VLAN
• MAC-based VLAN
• IP-subnet based VLAN
• Layer-3 Protocol based VLAN

Distribution

Distribute VLAN membership information for Bridges to determine on which VLAN a given packet should be forwarded.

• Declaration Protocols for distributing VLAN
  associations.
  • GARP (Generic Attributes Registration Protocol) is used to distribute membership information among Bridges.
• Request/Response protocols to request a specific VLAN association (SNMP).

Relay

The procedure to tag frames, modify tagged frames, and untag frames.

• Ingress rules: Mapping received frames to VLANs
• Forwarding rules: Where received frames should be forwarded
• Egress rules: Mapping frames for output ports and format (tagged or untagged):
• Ingress Rules/Egress Rules:
  • Each frame received is classified as belonging to exactly one VLAN by associating a VID with it.
  • The classification is achieved as follows:
    • Explicit(顯式) Tagging : the VID value it carries.
    • Implicit(隱式) Tagging : the PVID(Port VID) associated with the port it is received.
  • Frames shall be filtered if outgoing port is not present in the Member Set of the VLAN.

Port-based VLAN

• VLAN aware devices understand VLAN membership and VLAN frame format.
• VLAN unaware devices.
• An Access Link is a LAN segment used to multiplex one or more VLAN unaware devices into a port of a VLAN Bridge.
  • All frames on an access link are implicitly tagged.
  • No VLAN tagged frames on an access link.
  • Viewed as being on the edge of the network.
  • Can be attached to other 802.1D-conforment Bridges (BLAN).
• A Trunk Link is a LAN segment used to multiplex VLANs between VLAN Bridges.
  • All devices connect to a Trunk Link must be VLAN aware.
  • All frames (including end station frames) on a Trunk Link are explicitly tagged with a VLAN ID.
• A Hybrid Link is a LAN segment that has both VLAN aware and unaware devices.
  • There can be a mix of Tagged Frames and Untagged Frames but they must be from different VLANs.
  • For each VLAN, all frames traversing(橫貫) a particular hybrid link must be tagged the same way:
    • All implicitly tagged or
    • All carrying the same explicit tag.

Spanning Tree and VLAN

The Spanning Tree is to:

1. Eliminate(消除) loops in a bridged LAN.
2. Provide the routing path for any pair of nodes.

So For VLAN:

• All VLANs are aligned(排整齊) along the spanning tree.
• A VLAN is defined by a subset of the spanning tree.

Bridge Operation for VLAN

A Bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments (ports) that form a path to members of

For each VLAN, the bridge needs to keep:

• Member set (Port IDs)
• Untagged set (Port IDs)

Examples of Member set and Untagged set

VLAN Addressing Learning

• Shared VLAN Learning (SVL)
  • The addresses learned by each VLAN are
    shared for all VLANs.
• Independent VLAN Learning (IVL)
  • The addresses learned from each VLAN are NOT shared.
• In most cases, SVL or IVL produces the same result.
• But in some special cases, we need to specify the learning mode of bridge.

IVL Example – Multiple Independent VLANs

Considering:

• Server (Bridge-Router, or Connector) connecting multiple independent VLANs.
• Connector and stations are VLAN unaware (untag).
• Connector did not turn on spanning tree algorithm.

If SVL is used for this case:

The Filtering Databases for VLAN

• Static Filtering Entry

• Static VLAN Registration Entry

• Dynamic Filtering Entry

• Dynamic VLAN Registration Entry

VLAN Tag

VLAN Tag Structure

• Tag Protocol Identifier (TPID)
• Tag Control Information (TCI)
  • User-Priority
  • Canonical Format Indicator(規範格式指示器)
  • VID

Tag Format

• Ethernet

• TCI（For 12 bits VID, no more than 4096 VLANs)

• SNAP

• SNAP-encoded TPID

Summary

• VLAN is designed to logical group of stations.
• The members of a VLAN can be removed and added dynamically.
• Directly communications between different VLANs is not allowed. The communication should be directed to a router.
• IEEE 802.1Q defines port-based VLAN.
• Three-phase(階段) model:
  • VLAN configuration
  • Declaration/Distribution VLAN membership
  • Frame Relay
• VLAN ID is 12 bits (4096 VLANs).
• Three types of link:
  • Access Link: all frames are untagged.
  • Trunk Link: all frames are tagged.
  • Hybrid Link: a mix of tagged frames and untagged frames but they must be from different VLANs.
• For each VLAN, the bridge needs to keep:
  • Member set (Port IDs)
  • Untagged set (Port IDs)

想了解更多關於計算機網路架構與網路安全：計算機網路架構與網路安全專欄