Virtual Networks
Read this section for a deeper look at how VLANs are implemented in switched networks and how a switch reacts when it receives a frame carrying a particular VLAN tag: how does it decide, from the tag and from the VLANs a port is a member of, whether to forward the frame or drop it?
Review: What is a LAN?
- A LAN is a broadcast (or flood) domain. In other words, it is a section of the network within whose boundaries any data-link-layer broadcast traffic is delivered to all end-stations. Beyond those boundaries, broadcast traffic does not flow.
- Boundaries are determined by cabling. Bridges receive and forward broadcast traffic; routers do not.
- Devices on different LANs can't see each other unless a device with ports in each LAN helps (i.e., a router).
- All hosts in the networks shown in Figures 1 and 2 see the same broadcast traffic. There is only one broadcast domain.
- Figure 3 shows a network with two broadcast domains separated by routers. Broadcast traffic remains local to its own domain.
Figure 1: A LAN is a Shared Network. It is one single broadcast domain where all traffic is seen by all hosts.
Figure 2: Bridged LAN with single broadcast domain. L2 switch is VLAN-unaware, so all broadcast traffic is seen by all hosts on both sides.
Virtual LANs
- A VLAN is:
- An administratively-configured broadcast domain
- Network administrator determines which end-stations are in which broadcast domain
- Could be configured in a variety of types including:
- Port-based VLANs (Layer-1 VLAN)
- MAC-based VLANs (Layer-2 VLAN)
- IP subnet VLANs (Layer-3 VLAN)
- Figure 3 below shows hosts split into two port-based broadcast domains (VLANs).
- Broadcast traffic for VLAN1 remains local to VLAN1 and is not seen by any host on VLAN2.
- The principle can be expanded to any number of VLANs, as shown in Figure 4. The maximum number is manufacturer dependent.
Figure 3: Two Broadcast Domains equal 2 VLANs
Figure 4: Multiple VLANs in one switch separated by port. 4 Broadcast Domains.
Higher Layer VLANs
- Different VLANs for different applications
- FTP
- Multimedia
- Service based VLANs, e.g., all workstations using Email server are on the Email VLAN
- IP Multicast address based VLANs
- General policy based: VLAN membership can be based on a combination of incoming port, MAC address, subnet or higher layer info.
Advantages of VLANs
- At this point, it should be obvious that VLANs produce great advantages in:
- Performance
- Formation of Virtual Workgroups
- Simplified Administration
- Reduced Cost
- Security
Problems with old VLAN techniques as described above
- VLANs can only be defined within a single switch
- To connect a VLAN to another network, each VLAN needs its own router port
Solutions to these problems
- Label each frame with the VLAN to which it belongs, and use a VLAN registration protocol so that switches learn which VLANs exist beyond their own ports
- Propagate VLAN registration across the network
- Tag incoming frames with a VLAN ID
- Un-tag outgoing frames where needed (e.g., toward VLAN-unaware hosts)
- Send tagged frames between VLAN-aware switches
IEEE 802.1Q/p and 802.3ac Specifications
- The IEEE 802.1Q standard establishes a method for tagging Ethernet frames with VLAN membership information
- The IEEE 802.1p is a layer 2 standard for prioritizing network traffic at the data link/MAC layer.
- The IEEE 802.3ac standard defines the frame format that carries the 802.1p priority and 802.1Q VLAN information fields; it raises the maximum Ethernet frame size by 4 bytes (from 1518 to 1522 bytes) to make room for the tag.
802.1p
- Provides for Traffic Class Expediting:
- Multiple queues – one for each priority or “class” of traffic
- Higher priority traffic gets through faster
- Under congestion, lower priority frames are dropped if too many higher priority frames are queued.
802.1Q
- Defines a method for establishing VLANs
- Establishes a new frame type: tagged frames
- Provides a way of maintaining priority information across LANs (the priority travels in the tag)
VLAN Terminology
- Tagged Frames: frames with a VLAN tag inserted
- Trunk Links: links that carry frames belonging to more than one VLAN
- Access Links: links at the edge of the network where legacy (VLAN-unaware) devices attach
- Hybrid Links: links that carry both tagged and un-tagged traffic
Trunk Link
- Attaches two VLAN aware switches
- Carries tagged frames
Access Link
- Access links carry un-tagged frames, for VLAN-unaware devices
- The VLAN-aware switch adds a tag to frames received on the access link and removes it before transmitting on it
Hybrid Links
- All VLAN-unaware hosts on a hybrid link are in the same VLAN (their un-tagged frames are placed in the port's native VLAN). In this example, traffic generated by VLAN B is seen by stations in VLAN C.
802.3ac Frame Format
- 802.3 Frame before 802.1 p/Q
- 802.3 Frame format including 802.1p/Q
802.3ac Fields

| Label | Field Name | Size | Description |
|---|---|---|---|
| PRE | Preamble | 7 bytes | Used for synchronization |
| SF | Start Frame Delimiter | 1 byte | Marks the beginning of the header |
| DA | Destination Address | 6 bytes | MAC address of the destination |
| SA | Source Address | 6 bytes | MAC address of the source |
| TPID | Tag Protocol Identifier | 2 bytes | Set to 0x8100. It sits where the Type/Length field of an un-tagged frame would be, so a receiver can tell a tagged frame from an un-tagged one |
| TCI | Tag Control Information | 2 bytes | Carries the three fields below (P, C and VID) |
| P | Priority | 3 bits | Indicates the 802.1p priority level, 0-7 |
| C | Canonical Format Indicator | 1 bit | Indicates whether MAC addresses are in canonical format (least significant bit first); Ethernet uses 0. Later revisions of 802.1Q redefine this bit as the Drop Eligible Indicator (DEI) |
| VID | VLAN Identifier | 12 bits | Indicates which VLAN the frame belongs to (1-4094). VID 0 means the frame carries only a priority and no VLAN; 4095 is reserved |
| T/L | Type/Length Field | 2 bytes | Ethernet II type or 802.3 length information |
| Payload | Payload | up to 1500 bytes | User data or higher-layer protocols |
| FCS | Frame Check Sequence | 4 bytes | Error checking (CRC-32); it must be recomputed whenever a tag is inserted or removed |
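To make the field layout concrete, the following is an added example (not code from the notes) that parses an 802.3ac frame into the fields of the table, inserts a tag the way a VLAN-aware switch does on ingress from an access link, and strips it again on egress. The sample frame is constructed; the preamble, start-of-frame delimiter and FCS are left out because a NIC strips them before software sees the frame, and the field names in the returned dictionary are this example's own.

```python
"""802.1Q/802.3ac tag handling: parse, insert and strip the 4-byte VLAN tag.

Added example for this page, not code from the original notes.
The sample frame below is constructed, not captured from a network.
"""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier announcing an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 = priority-tagged only, 4095 = reserved


def vid_is_usable(vid: int) -> bool:
    """True for VIDs a frame may carry as its VLAN; 0 and 4095 are reserved."""
    return VID_MIN <= vid <= VID_MAX


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame (no preamble/SFD/FCS) into its 802.3ac fields.

    Returns DA, SA, the tag fields (None when the frame is un-tagged),
    the Type/Length word and the payload. Raises ValueError if truncated.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    da, sa = frame[0:6], frame[6:12]
    tag = None
    offset = 12                                   # where Type/Length (or TPID) starts
    (word,) = struct.unpack_from("!H", frame, offset)
    if word == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        tag = {
            "pcp": tci >> 13,                     # 3-bit 802.1p priority (P)
            "cfi": (tci >> 12) & 0x1,             # 1-bit CFI (DEI in newer revisions)
            "vid": tci & 0x0FFF,                  # 12-bit VLAN identifier
        }
        offset = 16                               # real Type/Length follows the tag
        (word,) = struct.unpack_from("!H", frame, offset)
    return {
        "da": da, "sa": sa, "tag": tag,
        "type_length": word,
        "payload": frame[offset + 2:],
    }


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert a tag as a VLAN-aware switch does for a frame from an access link."""
    if not vid_is_usable(vid):
        raise ValueError(f"VID {vid} outside the usable range {VID_MIN}-{VID_MAX}")
    if parse_frame(frame)["tag"] is not None:
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag before sending the frame to a VLAN-unaware device."""
    if parse_frame(frame)["tag"] is None:
        return frame
    return frame[:12] + frame[16:]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


# Constructed sample: a 60-byte un-tagged IPv4 frame (EtherType 0x0800) with a dummy payload
UNTAGGED = (mac("01:00:5e:00:00:01") + mac("00:11:22:33:44:55")
            + b"\x08\x00" + b"\x45" + b"\x00" * 45)
# The same frame after a switch placed it in VLAN 20 with priority 5
TAGGED = add_tag(UNTAGGED, vid=20, pcp=5)

if __name__ == "__main__":
    print(parse_frame(TAGGED)["tag"], len(UNTAGGED), len(TAGGED))
```

Two checks a practitioner will want: `add_tag` refuses VID 0 and 4095, which no switch should assign to a port; and if `parse_frame` returns `type_length == 0x8100`, a second tag follows the first (stacked tags), which this parser deliberately does not descend into, so the caller can decide how to treat such frames.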
Communication Between VLANs
- Routers
- A 1-armed VLAN-aware router (a single trunk link carrying every VLAN to the router)
- VLAN-aware Layer-3 switches can route between VLANs
- Routing can be placed in the core, at the edges, or everywhere
VLAN Port Configurations
- Clear Port: similar to the "access ports" in the previous figures.
- Will accept clear (un-tagged) frames, placing them in the port's native VLAN.
- Will accept tagged frames belonging to the native VLAN or to VLANs statically configured on the port.
- All other frames will be dropped.
- Will remove any tag before transmitting frames.
- 802.1Q Port: same as a "trunk" port.
- Will transmit frames of any VLAN bound to the port, with their tag kept.
- Will only accept clear (un-tagged) frames, which go into the native VLAN, or tagged frames belonging to the native VLAN or to VLANs statically bound to the port.
Port Binding
- Native VLAN: the VLAN whose tag is inserted into un-tagged traffic received on the port. MAC addresses are learned as belonging to the "native VLAN" of the port only.
- Static binding: the port is configured to accept traffic with a VLAN tag different from the native VLAN. Multiple VLANs can be statically configured on a port. The port will forward traffic belonging to the statically configured VLANs and drop any traffic with a different tag.
- Switch-specific configurations: these are manufacturer specific.
- Bind to configured: the port is statically bound to all VLANs configured in the switch. It accepts traffic with a tag corresponding to any VLAN that has been configured in the switch and drops everything else.
- Bind to all: the port is statically bound to, and accepts, all traffic regardless of the VLAN tag.
Port Configurations, Example 1
- Incoming traffic: Clear
- Outgoing traffic:
- Tagged with VLAN 20
- Incoming traffic: Tagged with VLAN 40
- Outgoing traffic:
- Tagged with VLAN 40
- Incoming traffic: Tagged with VLAN 50
- Outgoing traffic:
- Dropped
Port Configurations, Example 2
- Incoming traffic: Clear
- Outgoing traffic:
- Tagged with VLAN 20
- Incoming traffic: Tagged with VLAN 40
- Outgoing traffic:
- Dropped
- Incoming traffic: Tagged with VLAN 42
- Outgoing traffic:
- Tagged with VLAN 42
Port Configurations, Example 3
- Incoming traffic: Clear, destination MAC 01
- Outgoing traffic: Arrives at SW2 with a tag of 20; SW2 floods it out both port 4 and port 5.
- Incoming traffic: Tagged with ID 40, destination MAC 01
- Outgoing traffic: Arrives at SW2 with a tag of 40 and is sent directly to port 4
- Incoming traffic: Tagged with ID 50, destination MAC 02
- Outgoing traffic: Dropped
- Incoming traffic: Tagged with ID 60, destination MAC 02
- Outgoing traffic: Arrives at SW2 with a tag of 60 and is dropped by SW2
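The port rules (clear and 802.1Q ports), the port bindings (native VLAN, static binding, bind to configured, bind to all) and the three examples above can be replayed with a small switch simulation. This is an added example, not code from the notes. The topology it builds (port names p1-p5, the native VLANs and static bindings, and the host MAC addresses "01", "02" and "aa") is an assumption chosen so that the outcomes of the three examples come out as described; it is not taken from the figures the notes refer to.

```python
"""Clear/802.1Q port rules and port bindings as a two-switch simulation.

Added example for this page, not code from the notes. The topology in
build_topology() is an assumption: ports p1-p5, their native VLANs and
static bindings, and the MAC addresses are chosen to replay the examples.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    native: int                                # tag inserted into clear frames received here
    static: set = field(default_factory=set)   # VLANs statically bound to the port
    clear: bool = True                         # clear port strips tags on egress; 802.1Q port keeps them
    bind_all: bool = False                     # "bind to all": accept any tag

    def accepts(self, vid: int) -> bool:
        return self.bind_all or vid == self.native or vid in self.static

    def ingress_vlan(self, frame: "Frame") -> Optional[int]:
        """VLAN the frame is placed in on reception, or None if it is dropped."""
        if frame.vid is None:
            return self.native
        return frame.vid if self.accepts(frame.vid) else None


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None                  # None = clear (un-tagged) frame


class Switch:
    def __init__(self, name: str, ports, bind_to_configured: bool = False):
        self.name = name
        self.ports = {p.name: p for p in ports}
        self.fdb = {}                           # (vid, mac) -> port that learned it
        if bind_to_configured:                  # every port bound to every VLAN the switch knows
            known = {p.native for p in ports}.union(*(p.static for p in ports))
            for p in ports:
                p.static |= known

    def receive(self, port_name: str, frame: Frame):
        """Apply the ingress rules, learn, and return [(egress port, frame)]; [] if dropped."""
        port = self.ports[port_name]
        vid = port.ingress_vlan(frame)
        if vid is None:
            return []
        # MAC addresses are learned only under the port's native VLAN (Port Binding)
        self.fdb[(port.native, frame.src)] = port_name
        learned = self.fdb.get((vid, frame.dst))
        if learned == port_name:
            return []                           # destination is on the ingress segment: filter
        if learned is not None:
            targets = [learned]                 # known in this VLAN: forward directly
        else:                                   # unknown in this VLAN: flood within the VLAN
            targets = [n for n, p in self.ports.items() if n != port_name and p.accepts(vid)]
        return [(n, Frame(frame.dst, frame.src, None if self.ports[n].clear else vid))
                for n in targets]


def build_topology():
    """Assumed layout: SW1 p1 (clear, native 20, static 40/60) - p2 trunk - p3 SW2;
    SW2 p4 (clear, native 40, static 20), p5 (clear, native 20)."""
    sw1 = Switch("SW1", [Port("p1", 20, {40, 60}),
                         Port("p2", 20, {40, 60}, clear=False)])
    sw2 = Switch("SW2", [Port("p3", 20, {40}, clear=False),
                         Port("p4", 40, {20}),
                         Port("p5", 20)])
    # Host MAC 01 on SW2 port 4 has already talked, so SW2 learned (40, "01") -> p4
    sw2.receive("p4", Frame("ff", "01"))
    return sw1, sw2


def replay(sw1, sw2, frame: Frame):
    """Send a frame into SW1 port 1 and report what SW2 does with it."""
    out1 = sw1.receive("p1", frame)
    if not out1:
        return "dropped by SW1"
    (_, relayed), = out1                        # in this topology SW1 can only relay via p2
    out2 = sw2.receive("p3", relayed)
    return "dropped by SW2" if not out2 else sorted(n for n, _ in out2)


if __name__ == "__main__":
    for f in (Frame("01", "aa"), Frame("01", "aa", 40), Frame("02", "aa", 50), Frame("02", "aa", 60)):
        print(f, "->", replay(*build_topology(), f))
```

The design choice worth noticing is the forwarding database keyed by (VLAN, MAC): because learning happens under the port's native VLAN only, a host known in VLAN 40 is still unknown in VLAN 20, which is exactly why the clear frame in Example 3 gets flooded to ports 4 and 5 while the frame tagged 40 is delivered straight to port 4.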
Source: Eladio R. Cortes Ramos
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 License.