This chapter covers these topics:
- VLAN Overview
- Port-Based VLAN
- MAC-Based VLAN
- Protocol-Based VLAN
1.1 VLAN Overview
The traditional Ethernet is a broadcast
network, where all hosts are in the same broadcast domain and connected with
each other through hubs or switches. Hubs and switches, which are the basic
network connection devices, have limited forwarding functions.
- A hub is a physical layer device without the switching function, so it forwards the received packet to all ports except the inbound port of the packet.
- A switch is a link layer device which can forward a packet according to the MAC address of the packet. However, when the switch receives a broadcast packet or an unknown unicast packet whose MAC address is not included in the MAC address table of the switch, it will forward the packet to all the ports except the inbound port of the packet.
The above scenarios could result in the following network problems.
- A large quantity of broadcast packets or unknown unicast packets may exist in a network, wasting network resources.
- A host in the network receives a lot of packets whose destination is not the host itself, causing potentially serious security problems.
Isolating broadcast domains is the solution for the above problems. The traditional way is to use routers, which forward packets according to the destination IP address and do not forward broadcast packets in the link layer. However, routers are expensive and provide few ports, so they cannot split the network efficiently. Therefore, using routers to isolate broadcast domains has many limitations.
The Virtual Local Area Network (VLAN)
technology is developed for switches to control broadcasts in LANs.
A VLAN can span multiple physical spaces.
This enables hosts in a VLAN to be located in different physical locations.
By creating VLANs in a physical LAN, you can
divide the LAN into multiple logical LANs, each of which has a broadcast domain
of its own. Hosts in the same VLAN communicate in the traditional Ethernet way.
However, hosts in different VLANs cannot communicate with each other directly
but need the help of network layer devices, such as routers and Layer 3
switches. Figure 1-1
illustrates a VLAN implementation.

Figure 1-1 A VLAN implementation
Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
- Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance.
- Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2. To enable communication between VLANs, routers or Layer 3 switches are required.
- Flexible virtual workgroup creation. As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, network construction and maintenance is much easier and more flexible.
I. VLAN tag
To enable a Layer-2 switch to identify
frames of different VLANs, a VLAN tag field is inserted into the data link
layer encapsulation.
The format of VLAN-tagged frames is defined
in IEEE 802.1Q issued by IEEE in 1999.
In the header of a traditional Ethernet data
frame, the field after the destination MAC address and the source MAC address (DA&SA)
is the Type field indicating the upper layer protocol type, as shown in Figure 1-2.

Figure 1-2 Encapsulation format of traditional Ethernet frames
IEEE 802.1Q inserts a four-byte VLAN tag after
the DA&SA field, as shown in Figure 1-3.

Figure 1-3 Format of VLAN tag
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
- The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
- The 3-bit priority field indicates the 802.1p priority of the frame. Refer to the “QoS” part of this manual for details.
- The 1-bit CFI field specifies whether the MAC addresses are encapsulated in the canonical format for the receiving device to correctly interpret the MAC addresses. Value 0 indicates that the MAC addresses are encapsulated in canonical format; value 1 indicates that the MAC addresses are encapsulated in non-canonical format. The field is set to 0 by default.
- The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The VLAN ID range is 0 to 4095. As 0 and 4095 are reserved by the protocol, a VLAN ID actually ranges from 1 to 4094.
The Ethernet II
encapsulation format is used here. Besides the Ethernet II encapsulation format,
other encapsulation formats such as 802.2 LLC and 802.2 SNAP are also supported
by Ethernet. The VLAN tag fields are also added to frames encapsulated in these
formats for VLAN identification. Refer to section Encapsulation Format of Ethernet
Data for 802.2/802.3 encapsulation format.
VLAN ID identifies the VLAN to which a
packet belongs. When a switch receives a packet carrying no VLAN tag, the
switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for
the packet, and sends the packet to the default VLAN of the inbound port for
transmission. For the details about setting the default VLAN of a port, refer
to Configuring the Default VLAN
ID for a Port.
Switches forward packets according to the destination MAC addresses of the packets. Therefore, a switch maintains a table called the MAC address forwarding table to record the source MAC addresses of the received packets and the corresponding ports receiving the packets, for use in subsequent packet forwarding. The process of recording is called MAC address learning.
After VLANs are configured on a switch, the MAC address learning of the switch has the following two modes.
- Shared VLAN Learning (SVL): the switch records all the MAC address entries learnt by ports in all VLANs to a shared MAC address forwarding table. Packets received on any port of any VLAN are forwarded according to this table.
- Independent VLAN Learning (IVL): the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received on a port of a VLAN is recorded to the MAC address forwarding table of this VLAN only, and packets received on a port of a VLAN are forwarded according to the VLAN’s own MAC address forwarding table.
Currently, the H3C
S3100 series Ethernet switches adopt the IVL mode only. For more information
about the MAC address forwarding table, refer to the “MAC Address
Forwarding Table Management” part of the manual.
Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding. The S3100 series Ethernet switches support VLAN interface configuration to forward packets in Layer 3.
A VLAN interface is a virtual interface in Layer 3 mode, used to realize Layer 3 communication between different VLANs, and does not exist on a switch as a physical entity. Each VLAN has a VLAN interface, which can forward packets of the local VLAN to the destination IP addresses at the network layer. Normally, since VLANs can isolate broadcast domains, each VLAN corresponds to an IP network segment, and a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses.
Depending on how VLANs are established, VLANs fall into the following six categories.
- Port-based VLANs
- MAC address-based VLANs
- Protocol-based VLANs
- IP-subnet-based VLANs
- Policy-based VLANs
- Other types
At present, the S3100 series switches support the port-based, MAC-based, and protocol-based VLANs.
1.2 Port-Based VLAN
Port-based VLAN technology introduces the simplest way to classify VLANs. You can assign the ports on the device to different VLANs. Thus packets received on a port will be transmitted through the corresponding VLAN only, so as to isolate hosts in different broadcast domains and divide them into different virtual workgroups.
Ports on Ethernet switches have three link types: access, trunk, and hybrid. For the three types of ports, the process of being added into a VLAN and the way of forwarding packets are different.
Port-based VLANs are easy to implement and manage and are applicable to hosts with relatively fixed positions.
The link type of an Ethernet port on the S3100 series can be one of the following:
- Access: An access port can belong to only one VLAN, and is generally connected to a user PC.
- Trunk: A trunk port can belong to more than one VLAN. It can forward packets for multiple VLANs, and is generally connected to another switch.
- Hybrid: A hybrid port can belong to more than one VLAN to forward packets for multiple VLANs. It can be connected to either a switch or a user PC.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged.
The three types of ports can coexist on the
same device.
You can assign an Ethernet port to a VLAN
to forward packets for the VLAN, thus allowing the VLAN on the current switch to
communicate with the same VLAN on the peer switch.
An access port can be assigned to only one
VLAN, while a hybrid or trunk port can be assigned to multiple VLANs.
Before assigning an
access or hybrid port to a VLAN, create the VLAN first.
An access port can belong to only one VLAN.
Therefore, the VLAN an access port belongs to is also the default VLAN of the access
port. A hybrid/trunk port can belong to multiple VLANs, so you should configure
a default VLAN ID for the port.
After a port is added to a VLAN and
configured with a default VLAN, the port receives and sends packets in a way
related to its link type. For detailed description, refer to the following
tables:
Table 1-1 Packet processing of an access port

| Incoming packet: untagged | Incoming packet: tagged | Outgoing packet |
|---|---|---|
| Receive the packet and tag the packet with the default VLAN tag. | If the VLAN ID is just the default VLAN ID, receive the packet. If the VLAN ID is not the default VLAN ID, discard the packet. | Strip the tag from the packet and send the packet. |
Table 1-2 Packet processing of a trunk port

| Incoming packet: untagged | Incoming packet: tagged | Outgoing packet |
|---|---|---|
| If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. If the port has not been added to its default VLAN, discard the packet. | If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet. If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet. | If the VLAN ID is just the default VLAN ID, strip off the tag and send the packet. If the VLAN ID is not the default VLAN ID, keep the original tag unchanged and send the packet. |
Table 1-3 Packet processing of a hybrid port

| Incoming packet: untagged | Incoming packet: tagged | Outgoing packet |
|---|---|---|
| If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. If the port has not been added to its default VLAN, discard the packet. | If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet. If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet. | Send the packet if the VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port keeps or strips off the tags when sending packets of a VLAN (including the default VLAN). |
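The ingress and egress rules of Tables 1-1 to 1-3 as an added, runnable model (example code written for this page, not the switch's own implementation). The Port fields and the function names are my own; the single `vlans` set stands in for both "VLANs the port has been added to" and "VLANs allowed to pass through the port".

```python
# Added example, not the manual's code: a model of the per-link-type rules in
# Tables 1-1 to 1-3. Port fields and function names are my own choices.
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class Port:
    link_type: str                   # "access", "trunk" or "hybrid"
    default_vlan: int                # default VLAN ID of the port
    vlans: Set[int] = field(default_factory=set)     # VLANs the port was added to / allows
    untagged: Set[int] = field(default_factory=set)  # hybrid only: VLANs sent untagged

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN an incoming packet is placed in, or None if discarded."""
    if port.link_type == "access":
        # Table 1-1: untagged -> default VLAN; tagged only if it is the default VLAN
        return port.default_vlan if tag is None or tag == port.default_vlan else None
    # Tables 1-2 and 1-3: trunk and hybrid ports apply the same ingress rules
    if tag is None:
        # untagged: accepted only if the port has been added to its default VLAN
        return port.default_vlan if port.default_vlan in port.vlans else None
    return tag if tag in port.vlans else None

def egress(port: Port, vlan: int) -> Optional[str]:
    """Return "untagged" or "tagged" for a packet sent in vlan, None if not sent."""
    if port.link_type == "access":
        # an access port belongs to its default VLAN only and always strips the tag
        return "untagged" if vlan == port.default_vlan else None
    if vlan not in port.vlans:
        return None
    if port.link_type == "trunk":
        # only the default VLAN leaves a trunk port untagged
        return "untagged" if vlan == port.default_vlan else "tagged"
    # hybrid: per-VLAN choice, configured with the port hybrid vlan command
    return "untagged" if vlan in port.untagged else "tagged"

def forward(in_port: Port, tag: Optional[int], out_port: Port) -> Optional[str]:
    """Combine ingress and egress for a packet crossing the switch."""
    vlan = ingress(in_port, tag)
    return None if vlan is None else egress(out_port, vlan)

# Constructed topology: a PC on an access port in VLAN 10, an uplink trunk that
# carries VLANs 1, 10 and 20 (default VLAN 1), and a hybrid port for a PC that
# must receive VLAN 20 untagged while VLAN 10 stays tagged.
PC_PORT = Port("access", 10)
UPLINK = Port("trunk", 1, {1, 10, 20})
HYBRID = Port("hybrid", 20, {10, 20}, untagged={20})
```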
1.3 MAC-Based VLAN
MAC-based VLANs group VLAN members based on MAC addresses. Frames sourced from a particular MAC address can be transmitted only within the VLAN mapped to the MAC address. MAC-based VLANs are often used in conjunction with security technologies such as 802.1x to provide secure, flexible network access for end stations.
On a port configured with MAC-based VLANs, a received frame is processed as follows:
- If the frame is VLAN untagged, it is matched against the MAC-to-VLAN mappings on the port based on its MAC address. If a match is found, the port forwards the frame based on the matching VLAN ID and frame priority. If no match is found, the port transmits the frame in its default VLAN.
- If the frame is VLAN tagged, the frame is processed as with port-based VLANs: If the VLAN ID carried in the frame is allowed on the port, the frame is forwarded normally; if not, the frame is dropped.
1.4 Protocol-Based VLAN
Protocol-based VLAN is also known as protocol VLAN, which is another way to classify VLANs. Through protocol-based VLANs, the switch can analyze the received packets carrying no VLAN tag on the port and match the packets with the user-defined protocol template automatically according to different encapsulation formats and the values of specific fields. If a packet is matched, the switch will add a corresponding VLAN tag to it automatically. Thus, data of a specific protocol is assigned automatically to the corresponding VLAN for transmission.
This feature is used for binding the ToS provided in the network to a VLAN to facilitate management and maintenance.
Encapsulation Format of Ethernet Data
This section introduces the common encapsulation formats of Ethernet data for you to understand the procedure for the switch to identify the packet protocols.
I. Ethernet II and 802.2/802.3 encapsulation
There are two encapsulation types of Ethernet packets: Ethernet II defined by RFC 894 and 802.2/802.3 defined by RFC 1042. The two encapsulation formats are described in the following figures.
Ethernet II packet:

Figure 1-4 Ethernet II encapsulation format
802.2/802.3 packet:

Figure 1-5 802.2/802.3 encapsulation format
In the two figures, DA and SA refer to the
destination MAC address and source MAC address of the packet respectively. The
number in the bracket indicates the field length in bytes.
The maximum length of an Ethernet packet is
1500 bytes, that is, 0x05DC in hexadecimal, so the length field in 802.2/802.3
encapsulation is in the range of 0x0000 to 0x05DC.
The type field in Ethernet II encapsulation, by contrast, is in the range of 0x0600 to 0xFFFF.
Packets with the value of the type or length field in the range 0x05DD to 0x05FF are regarded as illegal packets and thus discarded directly.
The switch identifies whether a packet is an
Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two
fields.
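The VLAN tag layout from section I and the type/length ranges above, as one added parser (example code written for this page, not the switch's own implementation). It assumes the default TPID 0x8100 given in this chapter; the sample frames are constructed and contain headers only.

```python
# Added example, not the manual's code: parse a raw Ethernet frame, extract the
# 802.1Q tag fields, and classify the encapsulation from the type/length field
# ranges given in this chapter (<= 0x05DC length, >= 0x0600 type).
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100  # marks a VLAN-tagged frame; the default TPID on these switches

@dataclass
class FrameInfo:
    dst: str
    src: str
    priority: Optional[int]  # 3-bit 802.1p priority, None when untagged
    cfi: Optional[int]       # 1-bit canonical format indicator, None when untagged
    vlan_id: Optional[int]   # 12-bit VLAN ID (1..4094 usable), None when untagged
    type_or_length: int      # 2-byte field after DA&SA (after the tag, if present)
    encapsulation: str       # "Ethernet II", "802.2/802.3" or "illegal"

def classify_encapsulation(value: int) -> str:
    """Map the type/length field to an encapsulation type, per this chapter."""
    if value <= 0x05DC:
        return "802.2/802.3"   # length field: at most 1500 bytes of data
    if value >= 0x0600:
        return "Ethernet II"   # type field
    return "illegal"           # 0x05DD..0x05FF: discarded by the switch

def parse_frame(frame: bytes) -> FrameInfo:
    """Parse DA, SA, an optional 802.1Q tag and the type/length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    priority = cfi = vlan_id = None
    offset = 12
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[14:16])[0]  # tag control information
        priority, cfi, vlan_id = tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF
        offset = 16
    type_or_length = struct.unpack("!H", frame[offset:offset + 2])[0]
    return FrameInfo(dst, src, priority, cfi, vlan_id, type_or_length,
                     classify_encapsulation(type_or_length))

# Constructed sample headers: an IP frame tagged with VLAN 100 and priority 5
# (TCI 0xA064), and an untagged 802.3 frame whose length field is 0x0030.
TAGGED_IP = bytes.fromhex("ffffffffffff" "001122334455" "8100" "a064" "0800")
UNTAGGED_8023 = bytes.fromhex("ffffffffffff" "001122334455" "0030") + bytes(0x30)
```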
Table 1-4 lists the encapsulation formats supported by some protocols. In brackets are the type values of these protocols.
Table 1-4 Encapsulation formats

| Protocol | Ethernet II | 802.3 raw | 802.2 LLC | 802.2 SNAP |
|---|---|---|---|---|
| IP (0x0800) | Supported | Not supported | Not supported | Supported |
| IPX (0x8137) | Supported | Supported | Supported | Supported |
| AppleTalk (0x809B) | Supported | Not supported | Not supported | Supported |
S3100 series Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template.
The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
- The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
- The user-defined template adopts the user-defined encapsulation formats and values of some specific fields as the matching criteria.
After configuring the protocol template,
you must add a port to the protocol-based VLAN and associate this port with the
protocol template. This port will add VLAN tags to the packets based on
protocol types. The port in the protocol-based VLAN must be connected to a
client. However, a common client cannot process VLAN-tagged packets. In order
that the client can process the packets out of this port, you must configure
the port in the protocol-based VLAN as a hybrid port and configure the port to
remove VLAN tags when forwarding packets of all VLANs.
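How an untagged frame is assigned to a VLAN by a protocol template (this section) or by a MAC-to-VLAN mapping (section 1.3), as an added example written for this page rather than the switch's own code. The template model (encapsulation plus type value, using the Table 1-4 values) and the function names are my own; the 802.2 SNAP header layout used for matching is standard SNAP, which this chapter does not spell out. The chapter does not state how a port with both features orders them, so the two are shown as independent functions; the frames are constructed and untagged.

```python
# Added example, not the manual's code: VLAN assignment of untagged frames by
# standard protocol templates (Table 1-4 type values) and by MAC-to-VLAN
# mappings. SNAP layout assumed: LLC AA-AA-03, OUI 00-00-00, then 2-byte type.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProtocolTemplate:
    vlan_id: int
    encapsulation: str   # "ethernet_ii" or "snap" (the two formats IP supports in Table 1-4)
    type_value: int      # e.g. 0x0800 for IP, 0x8137 for IPX, 0x809B for AppleTalk

def _type_or_length(frame: bytes) -> int:
    value = int.from_bytes(frame[12:14], "big")
    if value == 0x8100:
        raise ValueError("tagged frame: handled by the port-based rules instead")
    return value

def template_matches(tpl: ProtocolTemplate, frame: bytes) -> bool:
    """Check an untagged frame against one standard protocol template."""
    tl = _type_or_length(frame)
    if tpl.encapsulation == "ethernet_ii":
        return tl >= 0x0600 and tl == tpl.type_value
    if tpl.encapsulation == "snap":
        if tl > 0x05DC or len(frame) < 22:      # needs a length field and 8 LLC/SNAP bytes
            return False
        llc, oui = frame[14:17], frame[17:20]
        return (llc == b"\xaa\xaa\x03" and oui == b"\x00\x00\x00"
                and int.from_bytes(frame[20:22], "big") == tpl.type_value)
    return False

def protocol_based_vlan(templates: List[ProtocolTemplate], frame: bytes, default_vlan: int) -> int:
    """First matching template wins; unmatched frames go to the port's default VLAN."""
    for tpl in templates:
        if template_matches(tpl, frame):
            return tpl.vlan_id
    return default_vlan

def mac_based_vlan(mappings: Dict[str, int], frame: bytes, default_vlan: int) -> int:
    """Look the source MAC up in the port's MAC-to-VLAN mappings, else default VLAN."""
    return mappings.get(frame[6:12].hex(":"), default_vlan)

# Constructed untagged sample headers, all from source MAC 00:11:22:33:44:55.
SRC = "ffffffffffff" "001122334455"
IP_ETH2 = bytes.fromhex(SRC + "0800")                          # IP over Ethernet II
IP_SNAP = bytes.fromhex(SRC + "0030" "aaaa03" "000000" "0800")  # IP over 802.2 SNAP
IPX_ETH2 = bytes.fromhex(SRC + "8137")                         # IPX over Ethernet II
ARP_ETH2 = bytes.fromhex(SRC + "0806")                         # no template for ARP here
TEMPLATES = [ProtocolTemplate(100, "ethernet_ii", 0x0800), ProtocolTemplate(100, "snap", 0x0800),
             ProtocolTemplate(200, "ethernet_ii", 0x8137)]
```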