This chapter covers these topics:
- VLAN Overview
- Port-Based VLAN
- Protocol-Based VLAN
1.1 VLAN Overview
Traditional Ethernet is a broadcast network: all hosts are in the same broadcast domain and are connected to each other through hubs or switches. Hubs and switches, the basic network connection devices, have limited forwarding functions.
- A hub is a physical layer device without a switching function, so it forwards a received packet to all ports except the port the packet arrived on.
- A switch is a link layer device that forwards a packet according to its destination MAC address. However, when the switch receives a broadcast packet, or an unknown unicast packet whose destination MAC address is not in its MAC address table, it forwards the packet to all ports except the port the packet arrived on.
These behaviours cause the following network problems:
- Large numbers of broadcast packets or unknown unicast packets may exist in the network, wasting network resources.
- A host receives many packets that are not destined for it, which is a potentially serious security problem: any host on the segment can observe the flooded traffic of the others.
The solution is to isolate broadcast domains. The traditional way is to use routers, which forward packets according to the destination IP address and do not forward link layer broadcasts. However, routers are expensive and provide few ports, so they cannot split a network efficiently, and using them to isolate broadcast domains has many limitations.
The Virtual Local Area Network (VLAN)
technology is developed for switches to control broadcasts in LANs.
A VLAN can span multiple physical spaces.
This enables hosts in a VLAN to be located in different physical locations.
By creating VLANs in a physical LAN, you can
divide the LAN into multiple logical LANs, each of which has a broadcast domain
of its own. Hosts in the same VLAN communicate in the traditional Ethernet way.
However, hosts in different VLANs cannot communicate with each other directly
but need the help of network layer devices, such as routers and Layer 3
switches. Figure 1-1
illustrates a VLAN implementation.

Figure 1-1 A VLAN implementation
Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
- Broadcast traffic is confined within individual VLANs, which saves bandwidth and improves network performance.
- LAN security is improved. By assigning user groups to different VLANs, you isolate them at Layer 2; communication between VLANs then requires a router or Layer 3 switch.
- Virtual workgroups can be created flexibly. Users from the same workgroup can be assigned to the same VLAN regardless of their physical locations, so network construction and maintenance is easier and more flexible.
I. VLAN tag
To enable a Layer-2 switch to identify
frames of different VLANs, a VLAN tag field is inserted into the data link
layer encapsulation.
The format of VLAN-tagged frames is defined
in IEEE 802.1Q issued by IEEE in 1999.
In the header of a traditional Ethernet data frame, the field after the destination MAC address and source MAC address (DA&SA) is the Type field, which indicates the upper layer protocol type, as shown in Figure 1-2.

Figure 1-2 Encapsulation format of traditional Ethernet frames
IEEE 802.1Q inserts a four-byte VLAN tag after
the DA&SA field, as shown in Figure 1-3.

Figure 1-3 Format of VLAN tag
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
- The 16-bit TPID field, with the value 0x8100, indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
- The 3-bit priority field carries the 802.1p priority of the frame. Refer to the "QoS-QoS profile" part of this manual for details.
- The 1-bit CFI field specifies whether the MAC addresses are encapsulated in canonical format, so that the receiving device interprets them correctly. Value 0 indicates canonical format; value 1 indicates non-canonical format. The field is set to 0 by default.
- The 12-bit VLAN ID field identifies the VLAN the frame belongs to. The field can hold values 0 to 4095, but 0 and 4095 are reserved by the protocol, so a usable VLAN ID ranges from 1 to 4094.
The Ethernet II
encapsulation format is used here. Besides the Ethernet II encapsulation format,
other encapsulation formats such as 802.2 LLC and 802.2 SNAP are also supported
by Ethernet. The VLAN tag fields are also added to frames encapsulated in these
formats for VLAN identification. Refer to section Encapsulation Format of Ethernet
Data for 802.2/802.3 encapsulation format.
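The tag layout above, as an added example written for this page (it is not the switch's code): a small Python routine that parses, inserts and strips the four-byte 802.1Q tag on a raw Ethernet frame and rejects the reserved VLAN IDs 0 and 4095. The function names and the sample frame are constructed for the example.

```python
"""Added example: parse, insert and strip an IEEE 802.1Q tag on a raw Ethernet frame.

Illustrative code written for this page, not the switch's implementation.
The sample frame at the bottom is constructed.
"""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier of a VLAN-tagged frame
VID_MIN, VID_MAX = 1, 4094   # VID 0 and 4095 are reserved by 802.1Q


def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid) if an 802.1Q tag follows DA+SA, else None."""
    if len(frame) < 16:
        raise ValueError("frame too short for DA, SA and a tag")
    tpid, tci = struct.unpack_from("!HH", frame, 12)   # bytes 12..15: TPID, TCI
    if tpid != TPID_8021Q:
        return None
    pcp = tci >> 13            # 3-bit 802.1p priority
    cfi = (tci >> 12) & 0x1    # 1-bit canonical format indicator
    vid = tci & 0x0FFF         # 12-bit VLAN ID
    return pcp, cfi, vid


def add_tag(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert a VLAN tag after DA+SA, as a port does with an untagged frame it receives."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} is reserved or out of range")
    if parse_tag(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the VLAN tag, as an access port does before sending a frame."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: Ethernet II frame, EtherType 0x0800 (IP), 46-byte dummy payload.
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")
UNTAGGED = DA + SA + struct.pack("!H", 0x0800) + b"\x00" * 46


def demo():
    """Tag the sample frame into VLAN 100 with priority 5, read the tag back, strip it."""
    tagged = add_tag(UNTAGGED, vid=100, pcp=5)
    return len(tagged), parse_tag(tagged), strip_tag(tagged) == UNTAGGED


if __name__ == "__main__":
    print(demo())
```

The tag sits between the source MAC and the original Type field, so the Type field of the tagged frame moves to offset 16; anything that parses the EtherType at a fixed offset 12 will read 0x8100 instead and must look past the tag.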
The VLAN ID identifies the VLAN to which a packet belongs. When a switch receives a packet carrying no VLAN tag, it tags the packet with the default VLAN ID of the inbound port and forwards it in that default VLAN. For details about setting the default VLAN of a port, refer to Configuring the Default VLAN ID for a Port.
Switches forward packets according to their destination MAC addresses. To do so, a switch maintains a MAC address forwarding table that records the source MAC addresses of received packets together with the ports they were received on, and uses it for subsequent forwarding. This recording process is called MAC address learning.
After VLANs are configured on a switch, MAC address learning can work in one of two modes:
- Shared VLAN Learning (SVL): the switch records the MAC address entries learnt by ports in all VLANs in one shared MAC address forwarding table. Packets received on any port of any VLAN are forwarded according to this table.
- Independent VLAN Learning (IVL): the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received on a port of a VLAN is recorded in that VLAN's table only, and packets received on a port of a VLAN are forwarded according to that VLAN's own table.
Currently, the H3C S5600
series Ethernet switches adopt the IVL mode only. For more information about
the MAC address forwarding table, refer to the “MAC Address Forwarding
Table Management” part of the manual.
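The difference between the two learning modes, as an added example written for this page (not the switch's implementation): a toy MAC address forwarding table that keys entries by MAC alone in SVL mode and by (VLAN, MAC) in IVL mode. The port names and MAC address are constructed.

```python
"""Added example: MAC address learning in SVL and IVL modes.

Illustrative model written for this page, not the switch's code.
Port names and MAC addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    mode: str                                  # "SVL" or "IVL"
    entries: dict = field(default_factory=dict)

    def _key(self, vlan: int, mac: str):
        # SVL: one table shared by all VLANs, keyed by MAC only.
        # IVL: one table per VLAN, modelled here as a (VLAN, MAC) key.
        if self.mode == "SVL":
            return mac
        if self.mode == "IVL":
            return (vlan, mac)
        raise ValueError(f"unknown learning mode {self.mode!r}")

    def learn(self, vlan: int, src_mac: str, in_port: str) -> None:
        """Record the source MAC of a received frame against the port it arrived on."""
        self.entries[self._key(vlan, src_mac)] = in_port

    def lookup(self, vlan: int, dst_mac: str):
        """Outbound port for a known unicast, or None (the frame is flooded in the VLAN)."""
        return self.entries.get(self._key(vlan, dst_mac))


def compare_modes():
    """The same MAC address is seen on two ports in two VLANs; compare what each mode learns."""
    mac = "00:11:22:33:44:55"
    results = {}
    for mode in ("SVL", "IVL"):
        table = MacTable(mode)
        table.learn(vlan=10, src_mac=mac, in_port="port1")
        table.learn(vlan=20, src_mac=mac, in_port="port2")
        results[mode] = (table.lookup(10, mac), table.lookup(20, mac), len(table.entries))
    return results


if __name__ == "__main__":
    print(compare_modes())
```

In SVL mode the second learn overwrites the first, so a frame for that MAC in VLAN 10 is now sent to port2, which is why a MAC that legitimately appears in several VLANs (or a duplicated MAC) keeps flapping the entry. In IVL mode, the mode the S5600 uses, each VLAN keeps its own entry.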
Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches perform Layer 3 forwarding between them. The S5600 series Ethernet switches support VLAN interfaces for this Layer 3 forwarding.
A VLAN interface is a virtual Layer 3 interface used for Layer 3 communication between VLANs; it does not exist on the switch as a physical entity. Each VLAN can have a VLAN interface, which forwards packets of the local VLAN to their destination IP addresses at the network layer. Because a VLAN isolates a broadcast domain, each VLAN normally corresponds to one IP network segment, and the VLAN interface serves as the gateway of that segment, forwarding packets at Layer 3 based on IP addresses.
Depending on how VLANs are established, VLANs fall into the following six categories:
- Port-based VLANs
- MAC address-based VLANs
- Protocol-based VLANs
- IP-subnet-based VLANs
- Policy-based VLANs
- Other types
At present, the S5600 series switches support port-based and protocol-based VLANs.
Port-based VLANs are the simplest way to classify VLANs. You assign the ports on the device to different VLANs, so that packets received on a port are transmitted within the corresponding VLAN only; this isolates hosts into separate broadcast domains and divides them into virtual workgroups.
Ports on Ethernet switches have three link types: access, trunk, and hybrid. The three types differ in how they are added to a VLAN and in how they forward packets.
Port-based VLANs are easy to implement and manage and suit hosts whose positions are relatively fixed.
The link type of an Ethernet port on the S5600 series can be one of the following:
- Access: an access port can belong to only one VLAN and is generally connected to a user PC.
- Trunk: a trunk port can belong to more than one VLAN and forward packets for multiple VLANs; it is generally connected to another switch.
- Hybrid: a hybrid port can belong to more than one VLAN and forward packets for multiple VLANs. It can be connected to either a switch or a user PC.
A hybrid port allows the packets of multiple VLANs to be sent untagged, whereas a trunk port only sends the packets of its default VLAN untagged.
The three types of ports can coexist on the same device.
You can assign an Ethernet port to a VLAN
to forward packets for the VLAN, thus allowing the VLAN on the current switch to
communicate with the same VLAN on the peer switch.
An access port can be assigned to only one
VLAN, while a hybrid or trunk port can be assigned to multiple VLANs.
Before assigning an
access or hybrid port to a VLAN, create the VLAN first.
An access port can belong to only one VLAN.
Therefore, the VLAN an access port belongs to is also the default VLAN of the access
port. A hybrid/trunk port can belong to multiple VLANs, so you should configure
a default VLAN ID for the port.
After a port is added to a VLAN and
configured with a default VLAN, the port receives and sends packets in a way
related to its link type. For detailed description, refer to the following
tables:
Table 1-1 Packet processing of an access port
Incoming untagged packet: receive the packet and tag it with the default VLAN tag.
Incoming tagged packet:
- If the VLAN ID is the default VLAN ID, receive the packet.
- If the VLAN ID is not the default VLAN ID, discard the packet.
Outgoing packet: strip the tag from the packet and send the packet.

Table 1-2 Packet processing of a trunk port
Incoming untagged packet:
- If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet.
- If the port has not been added to its default VLAN, discard the packet.
Incoming tagged packet:
- If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
- If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet.
Outgoing packet:
- If the VLAN ID is the default VLAN ID, strip off the tag and send the packet.
- If the VLAN ID is not the default VLAN ID, keep the original tag unchanged and send the packet.

Table 1-3 Packet processing of a hybrid port
Incoming untagged packet:
- If the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet.
- If the port has not been added to its default VLAN, discard the packet.
Incoming tagged packet:
- If the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
- If the VLAN ID is not one of the VLAN IDs allowed to pass through the port, discard the packet.
Outgoing packet: send the packet if its VLAN ID is allowed to pass through the port. Use the port hybrid vlan command to configure whether the port keeps or strips off the tag when sending packets of a VLAN (including the default VLAN).
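The three tables above, as an added example written for this page (not the switch's code): a Python model of a port's ingress decision (which VLAN a frame is placed in, or discard) and egress decision (send tagged, send untagged, or not at all) for access, trunk and hybrid link types. The Port class, its field names and the port names are constructed for the example.

```python
"""Added example: the ingress and egress rules of Tables 1-1 to 1-3 as code.

Illustrative model written for this page, not the switch's implementation.
Port objects and VLAN numbers used below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    link_type: str                                  # "access", "trunk" or "hybrid"
    pvid: int                                       # default VLAN ID of the port
    allowed: set = field(default_factory=set)       # VLANs the port has been added to
    untagged: set = field(default_factory=set)      # hybrid only: VLANs sent without a tag

    def __post_init__(self):
        if self.link_type not in ("access", "trunk", "hybrid"):
            raise ValueError(f"unknown link type {self.link_type!r}")
        if self.link_type == "access":
            self.allowed = {self.pvid}              # an access port belongs to exactly one VLAN


def ingress(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN the received frame is placed in, or None if it is discarded. vid=None means untagged."""
    if vid is None:
        # Untagged frame: tagged with the default VLAN, but only if the port is in that VLAN.
        return port.pvid if port.pvid in port.allowed else None
    if port.link_type == "access":
        return vid if vid == port.pvid else None    # only the default VLAN's own tag is accepted
    return vid if vid in port.allowed else None     # trunk/hybrid: must be an allowed VLAN


def egress(port: Port, vid: int) -> Optional[str]:
    """How a frame of VLAN vid leaves the port: "untagged", "tagged", or None if not sent."""
    if vid not in port.allowed:
        return None
    if port.link_type == "access":
        return "untagged"                            # always stripped
    if port.link_type == "trunk":
        return "untagged" if vid == port.pvid else "tagged"
    # hybrid: per-VLAN choice, configured with the port hybrid vlan command
    return "untagged" if vid in port.untagged else "tagged"


def forward(in_port: Port, vid: Optional[int], out_ports: dict) -> Optional[dict]:
    """Classify a frame on ingress, then report how each output port that carries the VLAN sends it."""
    vlan = ingress(in_port, vid)
    if vlan is None:
        return None
    decisions = {name: egress(p, vlan) for name, p in out_ports.items()}
    return {name: how for name, how in decisions.items() if how is not None}


if __name__ == "__main__":
    pc_port = Port("access", pvid=10)
    uplink = Port("trunk", pvid=1, allowed={1, 10, 20})
    hybrid = Port("hybrid", pvid=10, allowed={10, 20}, untagged={10})
    print(forward(pc_port, None, {"uplink": uplink, "hybrid": hybrid}))
```

One check worth making from this model: an untagged frame arriving on a trunk is placed in the trunk's default VLAN, and frames of that VLAN leave the trunk untagged. A trunk whose default VLAN also carries end-host traffic therefore blurs the boundary between tagged and untagged traffic, so keep the default VLAN of a trunk separate from the VLANs users are placed in.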
Protocol-based VLAN, also known as protocol VLAN, is another way to classify VLANs. With protocol-based VLANs, the switch analyses the untagged packets received on a port and matches them against user-defined protocol templates according to their encapsulation format and the values of specific fields. If a packet matches a template, the switch automatically adds the corresponding VLAN tag, so that the traffic of a given protocol is assigned to its VLAN for transmission.
This feature binds the types of service provided on the network to VLANs, which eases management and maintenance.
This section introduces the common encapsulation formats of Ethernet data so that you can understand how the switch identifies packet protocols.
I. Ethernet II and 802.2/802.3 encapsulation
There are two encapsulation types of Ethernet packets: Ethernet II, defined by RFC 894, and 802.2/802.3, defined by RFC 1042. The two encapsulation formats are shown in the following figures.
Ethernet II packet:

Figure 1-4 Ethernet II encapsulation
format
802.2/802.3 packet:

Figure 1-5 802.2/802.3 encapsulation
format
In the two figures, DA and SA refer to the destination MAC address and the source MAC address of the packet respectively. The number in brackets is the field length in bytes.
The maximum length of the data field of an Ethernet packet is 1500 bytes, that is, 0x05DC in hexadecimal, so the length field in 802.2/802.3 encapsulation is in the range 0x0000 to 0x05DC.
The type field in Ethernet II encapsulation, by contrast, is in the range 0x0600 to 0xFFFF.
Strictly, packets whose type or length field falls in the range 0x05DD to 0x05FF belong to neither format; they are regarded as illegal packets and discarded directly.
The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to these two ranges.
Note: the H3C S5600 series switches treat packets whose type field is in the range 0x05DD to 0x05FF as 802.2/802.3 encapsulated packets rather than discarding them.
II. Extended encapsulation formats
of 802.2/802.3 packets
802.2/802.3 packets have the following three extended encapsulation formats:
- 802.3 raw encapsulation: only the length field is encapsulated after the source and destination address fields, followed directly by the upper layer data. No other fields are included.

Figure 1-6 802.3 raw encapsulation format
Currently, only IPX uses 802.3 raw encapsulation; it is recognised by the two bytes after the length field being 0xFFFF.
- 802.2 Logical Link Control (LLC) encapsulation: the length field, the destination service access point (DSAP) field, the source service access point (SSAP) field and the control field are encapsulated after the source and destination address fields. The value of the control field is always 3.

Figure 1-7 802.2 LLC encapsulation format
The DSAP and SSAP fields in 802.2 LLC encapsulation identify the upper layer protocol. For example, if both fields are 0xE0, the upper layer protocol is IPX.
- 802.2 Sub-Network Access Protocol (SNAP) encapsulation: encapsulates packets according to the 802.3 standard packet format, including the length, DSAP, SSAP, control, organizationally unique identifier (OUI), and protocol ID (PID) fields.

Figure 1-8 802.2 SNAP encapsulation format
In 802.2 SNAP encapsulation, the DSAP and SSAP fields are always 0xAA, and the control field is always 3.
The switch differentiates between 802.2 LLC encapsulation and 802.2 SNAP encapsulation by the values of the DSAP and SSAP fields.
When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the same meaning as the type field in Ethernet II encapsulation: both carry the globally unique protocol number. This encapsulation is also known as SNAP RFC 1042 encapsulation, which is standard SNAP encapsulation. The SNAP encapsulation mentioned in this chapter refers to SNAP RFC 1042 encapsulation.

Figure 1-9 Protocol identification
procedure
Table 1-4 lists the encapsulation formats supported by some protocols. The values in brackets are the type values of these protocols.
Table 1-4 Encapsulation formats
Protocol            | Ethernet II | 802.3 raw     | 802.2 LLC     | 802.2 SNAP
IP (0x0800)         | Supported   | Not supported | Not supported | Supported
IPX (0x8137)        | Supported   | Supported     | Supported     | Supported
AppleTalk (0x809B)  | Supported   | Not supported | Not supported | Supported
S5600 series Ethernet switches assign a packet to a specific VLAN by matching the packet against a protocol template.
A protocol template is the criterion used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
- A standard template uses the RFC-defined packet encapsulation formats and the values of specific fields as its matching criteria.
- A user-defined template uses user-defined encapsulation formats and the values of specific fields as its matching criteria.
After configuring the protocol template, you must add a port to the protocol-based VLAN and associate the port with the protocol template. The port then adds VLAN tags to packets based on their protocol types. A port in a protocol-based VLAN must be connected to a client, and a common client cannot process VLAN-tagged packets. So that the client can process the packets sent out of this port, configure the port in the protocol-based VLAN as a hybrid port and configure it to remove VLAN tags when forwarding packets of all VLANs.
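The protocol identification procedure of the previous section (Ethernet II versus 802.3 length, then raw, LLC or SNAP) and the template matching described above, as an added example written for this page (it is not the switch's code): a classifier that reads the field after DA&SA and the LLC header, and a template list in the spirit of Table 1-4 that maps the result to a VLAN. The VLAN numbers, the template list, the `strict` option and the sample frames are constructed for the example.

```python
"""Added example: identify the encapsulation of an untagged frame and match it
against protocol templates to choose a VLAN.

Illustrative code written for this page, not the switch's implementation.
Templates, VLAN numbers and sample frames are constructed.
"""
import struct


def classify(frame: bytes, strict: bool = False) -> dict:
    """Return the encapsulation and the identifier fields of an untagged Ethernet frame.

    strict=True discards a type/length value of 0x05DD-0x05FF as invalid (it lies
    between the 802.3 length range and the Ethernet II type range); the default
    follows the S5600 and treats such a frame as 802.2/802.3.
    """
    if len(frame) < 22:
        raise ValueError("frame too short")
    (type_or_len,) = struct.unpack_from("!H", frame, 12)       # field after DA+SA
    if type_or_len >= 0x0600:
        return {"encap": "Ethernet II", "type": type_or_len}
    if strict and 0x05DD <= type_or_len <= 0x05FF:
        return {"encap": "invalid"}
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if dsap == 0xFF and ssap == 0xFF:
        return {"encap": "802.3 raw"}                            # 0xFFFF after the length: IPX raw
    if dsap == 0xAA and ssap == 0xAA and control == 0x03:
        oui = frame[17:20]
        (pid,) = struct.unpack_from("!H", frame, 20)
        if oui == b"\x00\x00\x00":
            return {"encap": "802.2 SNAP", "type": pid}          # RFC 1042 SNAP: PID is an EtherType
        return {"encap": "802.2 SNAP", "oui": oui.hex(), "pid": pid}
    return {"encap": "802.2 LLC", "dsap": dsap, "ssap": ssap}


# Protocol templates: fields to match -> VLAN. Type values follow Table 1-4;
# the VLAN numbers are constructed for the example.
TEMPLATES = [
    ({"encap": "Ethernet II", "type": 0x0800}, 10),              # IP over Ethernet II
    ({"encap": "802.2 SNAP", "type": 0x0800}, 10),               # IP over SNAP
    ({"encap": "Ethernet II", "type": 0x8137}, 20),              # IPX over Ethernet II
    ({"encap": "802.3 raw"}, 20),                                # IPX raw
    ({"encap": "802.2 LLC", "dsap": 0xE0, "ssap": 0xE0}, 20),    # IPX over LLC
    ({"encap": "Ethernet II", "type": 0x809B}, 30),              # AppleTalk
]


def assign_vlan(frame: bytes, templates=TEMPLATES):
    """VLAN ID the protocol VLAN feature would tag this untagged frame with, or None."""
    info = classify(frame)
    for match, vlan in templates:
        if all(info.get(key) == value for key, value in match.items()):
            return vlan
    return None          # no template matched: the port's default VLAN applies instead


# Constructed sample frames (DA, SA, then the fields under test, padded to 60 bytes).
HDR = bytes.fromhex("001122334455" "66778899aabb")
ETH2_IP = HDR + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 45
RAW_IPX = HDR + struct.pack("!H", 46) + b"\xff\xff" + b"\x00" * 44
LLC_IPX = HDR + struct.pack("!H", 46) + bytes([0xE0, 0xE0, 0x03]) + b"\x00" * 43
SNAP_IP = (HDR + struct.pack("!H", 46) + bytes([0xAA, 0xAA, 0x03, 0, 0, 0])
           + struct.pack("!H", 0x0800) + b"\x00" * 38)
ODD_LEN = HDR + struct.pack("!H", 0x05EE) + bytes([0xE0, 0xE0, 0x03]) + b"\x00" * 43

if __name__ == "__main__":
    for name, f in [("ETH2_IP", ETH2_IP), ("RAW_IPX", RAW_IPX), ("LLC_IPX", LLC_IPX),
                    ("SNAP_IP", SNAP_IP), ("ODD_LEN", ODD_LEN)]:
        print(name, classify(f), "->", assign_vlan(f))
```

Every field the templates look at is written by the sender, so a host chooses its protocol VLAN simply by choosing its encapsulation; treat protocol-based VLANs as a management convenience for sorting traffic, not as an access control boundary between hosts on the same port.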