Isolate-User-VLAN Technology White Paper

Keywords: Isolate-user-VLANs, secondary VLANs

Abstract: Isolate-user-VLAN adopts a two-tier VLAN structure: an upper level isolate-user-VLAN and multiple lower-level secondary VLANs. Because the upstream device is aware of only the isolate-user-VLAN but not the secondary VLANs, network configuration is simplified and VLAN resources are saved. This document mainly introduces the fundamentals and networking implementations of isolate-user-VLAN.

Acronyms:

Acronym   Full Spelling
VLAN      Virtual Local Area Network
ARP       Address Resolution Protocol



1  Overview

1.1  Background

In campus networks, to guarantee user information security and to facilitate user management and traffic accounting, service providers require that users be isolated from each other at Layer 2. One way to achieve this is to create a VLAN for each user. As shown in Figure 1, Switch B and Switch C are each connected to three users. If the service provider creates a VLAN for each user, six VLANs must be created on Device A.

Figure 1  Flat networking diagram

As stipulated in IEEE 802.1Q, one device can support a maximum of 4094 VLANs. For a core device, if each user is configured with a different VLAN, 4094 VLANs are far from enough. To solve this problem, the isolate-user-VLAN technology was developed.

When the isolate-user-VLAN function is enabled, the customer VLANs (VLAN 10 to VLAN 15) in Figure 1 can be configured as secondary VLANs, while the service VLANs (VLAN 2 and VLAN 3) can be configured as isolate-user-VLANs, as shown in Figure 2. In this way, only VLAN 2 and VLAN 3 need to be configured on Device A, saving four VLANs.

Figure 2  Network diagram for isolate-user-VLAN implementation

1.2  Benefits

Isolate-user-VLAN adopts a two-tier VLAN structure: an isolate-user-VLAN at the upper tier and multiple secondary VLANs at the lower tier. As upstream devices need to identify only isolate-user-VLANs but not the secondary VLANs, the VLAN resources on the upstream devices are saved. Meanwhile, because each user has an individual secondary VLAN, users are isolated on Layer 2.

The isolate-user-VLAN function is mainly used in campus or enterprise networks. It saves VLAN resources while achieving Layer-2 isolation.

2  Isolate-User-VLAN Implementation

2.1  Concepts

- An isolate-user-VLAN is the VLAN of which the upstream device is aware. It is not the actual VLAN that an end station belongs to.

- A secondary VLAN is the VLAN that an end station is actually assigned to.

- An uplink port is a port that connects to and communicates with the upstream device. The isolate-user-VLAN must be configured as the default VLAN of the uplink port, or else the port will not be able to forward packets sent from the secondary VLANs.

- A downlink port is a port that connects to and communicates with end stations. The default VLAN of a downlink port must be configured as the corresponding secondary VLAN, or else the port will not be able to forward packets received from the isolate-user-VLAN.

2.2  Isolate-User-VLAN Mechanism

To hide information about secondary VLANs and save VLAN resources, the isolate-user-VLAN technology requires that:

- Packets from different secondary VLANs can be sent to the upstream device through uplink ports and carry no secondary VLAN information.

- Packets from isolate-user-VLANs can be sent to end stations through downlink ports and carry no isolate-user-VLAN information.

Because an isolate-user-VLAN and its secondary VLANs use different VLAN IDs and contain different ports, their packets are isolated at Layer 2. To meet the two requirements above, the following is needed:

1) Port reconfiguration and MAC address synchronization must be performed on the local device. For details, refer to 2.2.1 Reconfiguring Ports and 2.2.2 Synchronizing MAC Addresses.

2) The following configurations must be made on the upstream device:

- Create a VLAN with the same VLAN ID as the isolate-user-VLAN.

- Configure the incoming port as a hybrid port, with the isolate-user-VLAN as its default VLAN, and allow packets from the default VLAN to pass through untagged.

2.2.1  Reconfiguring Ports

The system automatically reconfigures the ports in an isolate-user-VLAN and those in its secondary VLANs as follows:

- The link type of the uplink port(s) is changed to hybrid, and the ports are configured to allow packets from the secondary VLANs to pass through untagged. Because the isolate-user-VLAN has been manually configured as the default VLAN of the incoming port on the upstream device, the upstream device treats all incoming packets as belonging to the isolate-user-VLAN and tags them with the isolate-user-VLAN tag. In this way, the secondary VLAN information is hidden from the upstream device.

- The link type of each downlink port is changed to hybrid, and the port is configured to allow packets from the isolate-user-VLAN to pass through untagged.

As shown in Figure 3, all the ports are access ports by default. Ports Ethernet 1/2, Ethernet 1/3, and Ethernet 1/5 belong to VLAN 2, VLAN 3, and VLAN 5 respectively. The related port settings are shown in Table 1.

Configure VLAN 5 as the isolate-user-VLAN and VLAN 2 to VLAN 4 as the secondary VLANs. After the configuration is complete, the port settings change to those shown in Table 2.

Figure 3  Network diagram for isolate-user-VLAN configuration synchronization

Table 1  Port settings before configuration synchronization

Port     Type     Default VLAN   Allowed VLAN(s)
Eth1/5   Access   5              VLAN 5
Eth1/2   Access   2              VLAN 2
Eth1/3   Access   3              VLAN 3

Table 2  Port settings after configuration synchronization

Port     Type     Default VLAN   VLAN role           Allowed VLAN(s)
Eth1/5   Hybrid   5              Isolate-user-VLAN   VLAN 2, VLAN 3, and VLAN 5, all untagged
Eth1/2   Hybrid   2              Secondary VLAN      VLAN 2 and VLAN 5, both untagged
Eth1/3   Hybrid   3              Secondary VLAN      VLAN 3 and VLAN 5, both untagged

2.2.2  Synchronizing MAC Addresses

After port reconfiguration is completed, packets from the secondary VLANs can be sent out the uplink ports untagged, and packets from the isolate-user-VLAN can be sent out the downlink ports untagged.

Normally, the outgoing port for such a packet is found through MAC address learning. For example, the Switch in the network shown in Figure 3 creates and maintains the MAC address table shown in Table 3. Assume the Device sends Host 2 a packet with source MAC address mac_a and destination MAC address mac_2. When port Ethernet 1/5 of the Switch receives the packet, it tags the packet with VLAN 5 (the default VLAN of Ethernet 1/5) and then looks up the MAC address table for an entry matching mac_2 and VLAN 5. Finding no match, the Switch broadcasts the packet in VLAN 5 out Ethernet 1/2 and Ethernet 1/3, and the packet reaches its destination.

Because the Switch has to broadcast every such packet (downstream or upstream), a large number of broadcasts is generated when the isolate-user-VLAN and its secondary VLANs contain many ports. This not only wastes bandwidth but also creates a data security problem, because broadcast packets are easy to intercept. The MAC address synchronization mechanism resolves this problem.

The MAC address synchronization mechanism includes two aspects:

- Synchronizing the dynamic MAC addresses learned by the downlink ports in the secondary VLANs to the isolate-user-VLAN.

- Synchronizing the dynamic MAC addresses learned by the uplink ports in the isolate-user-VLAN to the secondary VLANs.

However, when an isolate-user-VLAN is associated with too many secondary VLANs, the MAC address table can grow excessively large after synchronization, affecting forwarding performance. In addition, because downstream traffic is usually heavier than upstream traffic and must be unicast, while upstream traffic can be broadcast, all H3C switches support synchronizing MAC addresses from secondary VLANs to the isolate-user-VLAN, but only some support synchronizing MAC addresses from the isolate-user-VLAN to the secondary VLANs.

After MAC address synchronization, the MAC address table on the Switch in Figure 3 changes to the one shown in Table 4.

Table 3  MAC address table before the synchronization

Destination MAC   VLAN   Outgoing port
mac_2             2      Ethernet 1/2
mac_3             3      Ethernet 1/3
mac_a             5      Ethernet 1/5

Table 4  MAC address table after the synchronization

Destination MAC   VLAN   Outgoing port
mac_2             2      Ethernet 1/2
mac_2             5      Ethernet 1/2
mac_3             3      Ethernet 1/3
mac_3             5      Ethernet 1/3
mac_a             5      Ethernet 1/5
mac_a             2      Ethernet 1/5
mac_a             3      Ethernet 1/5

2.3  Isolate-User-VLAN Packet Forwarding

This section takes the traffic of Host 2 in Figure 3 as an example to illustrate the isolate-user-VLAN implementation.

1) Host 2 sends out its first upstream unicast packet. The packet is untagged, with source MAC address mac_2 and destination MAC address mac_a.

2) When the downlink port Ethernet 1/2 on the Switch receives the packet, it tags the packet with the default VLAN ID 2 and learns the source MAC address in the default VLAN. As a result, the MAC address entry mac_2 + VLAN 2 + Ethernet 1/2 is created, indicating that the outgoing port for traffic with destination MAC address mac_2 and VLAN ID 2 is Ethernet 1/2.

3) According to the MAC address synchronization mechanism, this MAC address is synchronized to VLAN 5 at the same time, and the Switch creates the MAC address entry mac_2 + VLAN 5 + Ethernet 1/2.

4) Because the Switch does not yet have a MAC address entry for mac_a, it broadcasts the packet in VLAN 2.

5) Because the Switch has performed port reconfiguration for the isolate-user-VLAN implementation, Ethernet 1/5 allows traffic from VLAN 2 to pass through untagged. Thus, the packet is sent out Ethernet 1/5 with its tag removed.

6) Device A responds to the packet after receiving it.

7) When the Switch receives the response packet on uplink port Ethernet 1/5, it tags the packet with the port's default VLAN ID 5 and learns the source MAC address in the default VLAN, creating the MAC address entry mac_a + VLAN 5 + Ethernet 1/5. Through the MAC address synchronization mechanism, two more entries, mac_a + VLAN 2 + Ethernet 1/5 and mac_a + VLAN 3 + Ethernet 1/5, are created.

8) The Switch looks up the MAC address table by the destination MAC address and VLAN ID of the response packet (mac_2 and VLAN 5) and finds that the outgoing port is Ethernet 1/2. Thus, the Switch removes the tag of the response packet and forwards it out Ethernet 1/2 to Host 2.

Thus, bidirectional communication between Host 2 and the Device is achieved.
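As an added illustration (not part of the H3C paper), the following Python model replays the Figure 3 exchange of section 2.3 on a switch that applies the Table 2 port settings and the MAC address synchronization of section 2.2.2. The port and VLAN numbers follow the paper; the class, method and `sync_to_secondary` names are this example's own, and the flag models the switches that do not synchronize isolate-user-VLAN addresses to the secondary VLANs.

```python
# Added example (not from the H3C paper): a small model of the Figure 3 switch
# after port reconfiguration (Table 2), with the MAC address synchronization of
# section 2.2.2. Class, method and flag names are this example's own.
from dataclasses import dataclass, field

@dataclass
class IsolateUserVlanSwitch:
    isolate_vlan: int                  # isolate-user-VLAN (VLAN 5 in Figure 3)
    secondary_vlans: frozenset         # secondary VLANs (VLAN 2 and VLAN 3)
    pvid: dict                         # port -> default VLAN, as in Table 2
    sync_to_secondary: bool = True     # isolate-user-VLAN -> secondary VLAN sync
    mac_table: dict = field(default_factory=dict)  # (mac, vlan) -> outgoing port

    def egress_ports(self, vlan):
        """Ports allowing `vlan` untagged (Table 2): an uplink port allows every
        VLAN; a downlink port allows its own VLAN and the isolate-user-VLAN."""
        return sorted(p for p, v in self.pvid.items()
                      if vlan in (v, self.isolate_vlan) or v == self.isolate_vlan)

    def learn(self, port, mac):
        """Learn mac in the port's default VLAN, then synchronize the entry."""
        vlan = self.pvid[port]
        self.mac_table[(mac, vlan)] = port
        if vlan in self.secondary_vlans:            # downlink: secondary -> isolate
            self.mac_table[(mac, self.isolate_vlan)] = port
        elif vlan == self.isolate_vlan and self.sync_to_secondary:
            for svlan in self.secondary_vlans:      # uplink: isolate -> secondary
                self.mac_table[(mac, svlan)] = port

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports for an untagged frame received on in_port."""
        self.learn(in_port, src_mac)
        vlan = self.pvid[in_port]                   # tag with the port's default VLAN
        out = self.mac_table.get((dst_mac, vlan))
        if out is not None:                         # known (dst MAC, VLAN): unicast
            return [out]
        return [p for p in self.egress_ports(vlan) if p != in_port]  # else flood

def figure3_switch(sync_to_secondary=True):
    # The Switch of Figure 3: VLAN 5 isolate-user-VLAN, VLAN 2 and 3 secondary
    return IsolateUserVlanSwitch(5, frozenset({2, 3}),
                                 {"Eth1/5": 5, "Eth1/2": 2, "Eth1/3": 3},
                                 sync_to_secondary)

if __name__ == "__main__":
    sw = figure3_switch()
    print(sw.forward("Eth1/2", "mac_2", "mac_a"))   # ['Eth1/5']: step 5, flooded in VLAN 2
    print(sw.forward("Eth1/5", "mac_a", "mac_2"))   # ['Eth1/2']: step 8, unicast via synced entry
```

Running the downstream packet first on a fresh switch reproduces the Table 3 case, where the unknown destination is flooded to both downlink ports.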

2.4  Restrictions

For secondary VLANs to communicate with each other, you need to configure local ARP proxy on the upstream device, which considerably increases the load on Layer 3 devices.

3  Application Scenario

The following figure illustrates a typical isolate-user-VLAN application scenario.

Figure 4  Isolate-user-VLAN network diagram

The network contains a large number of users who use different types of services, such as video, audio, and data. To guarantee user information security and differentiate service traffic, VLANs are used to isolate Layer 2 packets. To save the limited VLAN resources on the upstream device, you can configure the isolate-user-VLAN function on the switch. You can also configure multiple ports as uplink ports of the isolate-user-VLAN, and by configuring ACLs and QoS you can have different uplink ports carry different types of traffic, thus simplifying network management.


Copyright ©2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

The information in this document is subject to change without notice.