03 PO_SP2001_E01_0 L2 Technology_VLAN.pdf


PO_SP01_E1 L2 Protocols

Course Objective:

Master VLAN/PVLAN theory
Understand STP principle
Master Trunking technology

Reference:

DSLAM Technique Manual

Contents

Chapter 1  Layer 2 technology .......... 1
  VLAN .......... 1
    VLAN Protocol .......... 1
    PVLAN .......... 7
    QinQ VLAN .......... 7
    VLAN Stacking .......... 8
    MVLAN .......... 8
  Spanning-Tree Protocol .......... 9
    Operating principle of the transparent bridge .......... 9
    STP Overview .......... 9
    Operating Principle of STP .......... 10
    Status of STP port .......... 11
  Trunking .......... 12

Confidential and Proprietary Information of ZTE CORPORATION 1

Chapter 1

Layer 2 technology

VLAN

A VLAN (Virtual LAN) is a group of devices on one or more LANs that are configured through management software so that they can communicate as if they were attached to the same wire, although they are actually located on different LAN segments. Because a VLAN is based on logical rather than physical connections, it is very flexible.

VLAN Protocol

Before studying VLANs, consider two concepts: the collision domain and the broadcast domain. The collision domain is the network area reached by any packet (unicast or broadcast) sent from a host, while the broadcast domain is the network area reached by a broadcast packet sent from a host.

A VLAN is a logical broadcast domain, which may span multiple physical LAN segments. A VLAN can be created by function, project group or application, regardless of the physical location of the subscribers. A switch port can belong to only one VLAN. Ports in the same VLAN share broadcasts, while ports in different VLANs do not, which improves both the performance and the security of the network.

On a switched network, the VLAN provides segmentation and flexibility. VLAN technology allows you to group subscribers (for example, the staff of a department or a product group) by putting the corresponding ports into a group, so that they can share network applications.

A VLAN may reside on a single switch or on multiple interconnected switches. A VLAN can include all the sites in a building, sites in multiple buildings, or even sites spread across a WAN.


Operation of VLAN

Firstly, the switch operates like a traditional bridge: within each VLAN it performs address learning, data forwarding and filtering. The switch is more advanced in that it has the VLAN function, which confines data forwarding to the ports in the same VLAN as the port where the data came in. This rule applies to all packets, whether unicast, multicast or broadcast.

Division of VLAN

A VLAN is a logical sub-net or network segment whose members are defined by the subscriber. VLAN membership is usually based on ports, but VLANs can also be divided by MAC addresses.

The most common method of dividing VLANs is by geographic location, known as a local VLAN.

An End-to-End VLAN is a method of dividing VLANs across the whole switching area. This method allows a VLAN to cross several switches or buildings, and is usually tied to a work group (for example, a department or a project team).

The following methods are available to divide VLAN members:

Static VLAN: ports are assigned to a VLAN, so membership is based on ports.

Dynamic VLAN: a group of MAC addresses is assigned to a VLAN through the NMS software. When a device joins the network, the VLAN it belongs to is determined from its MAC address. This method is often referred to as MAC-based division. See FIGURE 1.

FIGURE 1 Types of VLANs


Characteristics of VLAN

FIGURE 2 Flat network

As shown in FIGURE 2, a network with no VLANs configured (referred to as a flat network) has the following problems:

If a HUB is used, the whole structure is one collision domain, where every device on the network can see the data transmitted on the network. If a switch is used, the whole structure is one broadcast domain, where every device on the network can transmit data to every other device.

Security problem: in a layer 2 environment there is no convenient means of providing security. Every PC can access any other device.

Management of multiple paths: layer 2 switching cannot provide a redundant path to a destination, so it cannot provide load sharing.

The introduction of the VLAN, however, provides a solution for large-scale layer 2 networks.

All the members of a VLAN are in one broadcast domain. When a workstation sends a broadcast packet, all the members of the VLAN receive it, but the broadcast packet is filtered by the ports and equipment that are not in the same VLAN.


FIGURE 3 A VLAN is a broadcast domain

Because a VLAN is defined as a broadcast domain, as shown in FIGURE 3, many layer 2 problems can be solved:

Efficient bandwidth utilization. The VLAN solves the expansion limit of a large flat network. By dividing the whole network into several broadcast domains, that is, sub-nets, the VLAN confines all data, including broadcast and multicast, within a sub-net. Layer 3 routing is required for inter-VLAN communication.

Security. The security functions of layer 3 routing can be used to implement access control between VLANs.

Load balancing. The VLAN also uses the load balancing function of layer 3 routing to implement load balancing between VLANs.

Fault isolation. Another important reason for using VLANs is that they enable fault isolation. On a large flat network, the fault of one device may break down the whole network. A good solution is to divide the flat network into several network segments by routers, so that when a fault occurs on one network segment it is isolated by the routers and the other network segments are unaffected.


Link types of switches

FIGURE 4 Link type

Access link: an access link belongs to only one VLAN, for example, the link between a PC and a switch.

Tagged link: a tagged link can carry multiple VLANs, for example, the link between two switches. (Not all inter-switch links are tagged links.) Note that the packets transmitted on a tagged link are different from those on an access link: the packets on a tagged link comply with the IEEE 802.1Q protocol.

FIGURE 5 Schematic diagram for links


IEEE 802.1Q protocol

FIGURE 6 IEEE 802.1Q protocol

When frames are transmitted on the network, there must be a means of identifying the VLAN to which a frame belongs, so that the switch can send the frame only to that VLAN rather than to all ports as a plain bridge would. That means is the VLAN tag. For the switch to add VLAN tags to the data it receives from workstations, indicating the source of the data, the 802.1Q protocol must be enabled.

The IEEE 802.1Q protocol provides a standard method for carrying the data of multiple VLANs over one cable. In an IEEE 802.1Q packet, four bytes are inserted after the address fields of an ordinary Ethernet frame:

TPID (Tag protocol identifier): 2 bytes, always 0x8100. The value indicates that the frame carries 802.1Q tag information.

TCI (Tag control information): the remaining 2 bytes, containing the subscriber priority, the CFI and the VLAN ID.

The 3-bit subscriber priority gives 8 levels, where 0 is the lowest and 7 the highest.

The 1-bit CFI (canonical format indicator) indicates whether the MAC address in the MAC data field is in standard format: CFI=0 indicates standard format, while CFI=1 indicates non-standard format.

The 12-bit VLAN ID is the VLAN ID. There can be up to 4095 (2^12 - 1) VLANs, and 0 indicates that there is no VLAN ID.


PVLAN

In the MAC+VLAN forwarding mode, a VLAN constitutes a broadcast domain. Broadcast packets belonging to a VLAN, and unknown unicast packets, are broadcast to all ports of that VLAN. In general, VLAN division is related to the IP address allocation mode: to make efficient use of IP addresses, a VLAN is expected to be of a certain size. However, from the viewpoint of user access traffic and data security, the number of users in a broadcast domain should be minimal, or each user should even have an independent broadcast domain to ensure full isolation between users.

To achieve both objectives, a VLAN must have two kinds of interface: the network side interface, located in the same broadcast domain as all subscribers, and the subscriber side interface, located in the same broadcast domain as the network side interface only and isolated from the other ports.

A Private VLAN (PVLAN) has two types of port: the normal VLAN port and the PVLAN port. A normal port can interwork with all ports in the same VLAN, but a PVLAN port cannot interwork with other PVLAN ports.

A PVLAN port is a port that cannot interwork with the other PVLAN ports in the PVLAN but can interwork with normal ports. In practice it usually serves as a subscriber side port. A normal port is a port that can interwork with all other ports in the PVLAN. In practice a normal port usually serves as an uplink port.

QinQ VLAN

The QinQ VLAN feature transparently transmits a VLAN service directly to the opposite side. The principle of QinQ VLAN is that the L2 equipment receives a packet carrying a VLAN tag from the lower level network, assigns it a public network VLAN ID, and forwards it to the upper level network. The packet is forwarded through the core network of the MAN. When the packet reaches the other side of the core network, the public network VLAN tag is stripped off, and the restored packet is forwarded to the user-side device. A packet forwarded in the core network therefore carries two 802.1Q tags: the public network tag and the private network tag. In this way the private VLAN is transparently forwarded directly to the opposite side, and the VLAN ID resources of the public network are greatly saved.
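The 802.1Q tag layout given above and the QinQ double tagging described here, worked as an added Python example (not code from this manual or from ZTE equipment): it parses zero, one or two tags after the address fields, pushes and pops a public tag the way the QinQ edge does, and resolves VID 0 (no VLAN ID) to the port's default VLAN. The 0x88A8 outer TPID and the PVID fallback are assumptions beyond the text, which names only 0x8100; the sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100        # the TPID value the manual gives for an 802.1Q tag
TPID_8021AD = 0x88A8       # assumption: a QinQ outer tag may also use the 802.1ad service TPID
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)
VID_NONE = 0               # "no VLAN ID": a priority-tagged frame
VID_RESERVED = 0xFFF       # 4095 is reserved and never assigned to a VLAN


def parse_tci(tci):
    """Split the 16-bit TCI into the three fields the manual lists."""
    return {"priority": (tci >> 13) & 0x7,   # 3-bit subscriber priority, 0 lowest, 7 highest
            "cfi": (tci >> 12) & 0x1,        # 1-bit CFI, 0 = standard (canonical) format
            "vid": tci & 0x0FFF}             # 12-bit VLAN ID


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags are listed outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, offset, tags = frame[0:6], frame[6:12], 12, []
    while True:
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_TPIDS:
            break                              # reached the real EtherType
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tag = parse_tci(tci)
        if tag["vid"] == VID_RESERVED:
            raise ValueError("VID 4095 is reserved")
        tag["tpid"] = ethertype
        tags.append(tag)
        offset += 4                            # each tag is four bytes after the addresses
    return dst, src, tags, ethertype, frame[offset + 2:]


def push_tag(frame, vid, priority=0, tpid=TPID_8021Q):
    """Insert a tag directly after the addresses: what the QinQ edge does with the public tag."""
    if not 0 <= vid < VID_RESERVED or not 0 <= priority <= 7:
        raise ValueError("VID or priority out of range")
    tci = (priority << 13) | vid               # CFI stays 0: standard format
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_tag(frame):
    """Strip the outermost tag: what the far QinQ edge does before restoring the user packet."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid not in TAG_TPIDS:
        raise ValueError("frame carries no tag")
    return frame[:12] + frame[16:]


def forwarding_vid(frame, pvid):
    """VLAN the switch forwards in: the outer VID, or the port's default VLAN when VID is 0."""
    tags = parse_frame(frame)[2]
    if not tags or tags[0]["vid"] == VID_NONE:
        return pvid
    return tags[0]["vid"]


# Constructed sample: an untagged IPv4 frame from a subscriber PC (addresses made up).
SAMPLE_UNTAGGED = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                   + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)
# Private tag (customer VLAN 100) first, then the public tag (provider VLAN 2000) on top.
SAMPLE_QINQ = push_tag(push_tag(SAMPLE_UNTAGGED, 100, priority=5), 2000)
```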


VLAN Stacking

VLAN Stacking meets user demands for VLAN expansion and for dedicated line batch service. Dedicated line batch service means that multiple ISPs may exist in a Layer 2 switching MAN, and the outer-layer VLAN of VLAN Stacking is used to identify the user's ISP. The VLAN Stacking principle is as follows. The system assigns an inner-layer tag (Customer VLAN) to the port that is to provide the Stacking service, in order to identify the user. It then adds the outer-layer VLAN tag (SP VLAN) to the port. On the network the service is forwarded according to the outer-layer VLAN, which is stripped off when the service reaches the BAS device. At the BAS device the system identifies the user by the inner-layer tag. VLAN Stacking thus serves to locate the port.

MVLAN

MVLAN has two meanings. MVLAN corresponds to the basic VLAN for the multicast service. In addition, MVLAN is a logical entity managed by the DSLAM multicast function. An MVLAN contains three management parameters: the management group set, the multicast source port set and the multicast receiver port set. Proper configuration of these three parameters is fundamental for an MVLAN to perform correct multicast management.

Management group set: the management group set is the list of IP addresses of the multicast groups the MVLAN manages. If the requested multicast address is not in the management group set, the user cannot obtain the services that multicast address provides. The management group sets of different MVLANs cannot overlap.

Multicast source port: a multicast source port is a port used as the uplink to the multicast router, or for multicast service cascading, in an MVLAN. Essentially, the multicast source port is a special port performing these functions in the basic VLAN. One MVLAN can have multiple multicast source ports, and one source port can belong to multiple MVLANs.

Multicast receiver port: a multicast receiver port is a port that authorizes a user port to request the multicast service. If a user port is not a receiver port of an MVLAN, any multicast request from it is refused. In addition, a receiver port can be used for cascading. MVLAN therefore enables the DSLAM to support two services: forwarding the multicast service directly to the DSLAM, and the DSLAM dynamically requesting the multicast service from the uplink multicast device.


Spanning-Tree Protocol

Before learning the spanning tree protocol, let us first look at the operating principle of the transparent bridge.

Operating principle of the transparent bridge

As its name implies, a transparent bridge is transparent to the equipment on the network: no settings are needed on the terminal workstations. In a bridged environment with no redundant links, the transparent bridge operates normally. However, once there is a redundant link, the transparent bridge runs into problems.

The bridge does not change the frames it forwards.

A bridge learns MAC addresses by listening to the source addresses of the equipment. If a source MAC address appears at a port, the bridge assumes that the source MAC address can be reached through that port. The bridge therefore builds a table recording the relation between MAC addresses and ports. A bridge is always listening and learning.

For broadcasts, the bridge forwards the packets to all ports (except the port that received the broadcast packet).

For an unknown destination address (also called unknown unicast), the bridge also forwards the packets to all ports (except the port that received the packet).
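The bridge rules just listed (learn the source MAC per port, forward known unicast to one port, flood broadcast and unknown unicast to all other ports), together with the VLAN confinement from "Operation of VLAN" and the PVLAN port rule from the PVLAN section, as an added Python example that is not part of the manual; the port names, VLAN numbers and MAC strings are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Port:
    def __init__(self, name, vlan, isolated=False):
        self.name = name
        self.vlan = vlan            # VLAN of this access port
        self.isolated = isolated    # True = PVLAN port (subscriber side), False = normal port


class LearningSwitch:
    """Transparent bridge with per-VLAN MAC learning and PVLAN port isolation."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}         # (vlan, mac) -> port name, learned from source addresses

    def _may_forward(self, src, dst):
        """Forwarding stays in the ingress VLAN, and two PVLAN ports never interwork."""
        if src.vlan != dst.vlan:
            return False
        if src.isolated and dst.isolated:
            return False
        return True

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the sorted list of egress ports (empty = dropped)."""
        src = self.ports[in_port]
        # Learning: the source MAC was seen on in_port, so it is reachable through in_port.
        self.mac_table[(src.vlan, src_mac)] = in_port
        known = self.mac_table.get((src.vlan, dst_mac))
        if dst_mac != BROADCAST and known is not None:
            # Known unicast: filtering drops it if it would go back out the ingress port
            # or violate the VLAN / PVLAN rules; otherwise it leaves through one port only.
            if known == in_port or not self._may_forward(src, self.ports[known]):
                return []
            return [known]
        # Broadcast or unknown unicast: flood to every permitted port except the ingress port.
        return sorted(name for name, port in self.ports.items()
                      if name != in_port and self._may_forward(src, port))


def demo_switch():
    """Constructed topology: VLAN 10 is a PVLAN (normal uplink, two isolated subscriber
    ports); VLAN 20 is an ordinary office VLAN with two normal ports."""
    return LearningSwitch([
        Port("uplink", 10),
        Port("sub1", 10, isolated=True),
        Port("sub2", 10, isolated=True),
        Port("office1", 20),
        Port("office2", 20),
    ])
```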

STP Overview

The Spanning-Tree Protocol is a protocol used to eliminate loops on the network.

It ensures that only one active path exists between the ADSL ports on the network and the other bridging equipment (including switches, bridges and routers) that connects the different networks. If an unnecessary path or loop is detected, the corresponding ports are blocked (data transmission is prohibited) to shut out the unnecessary paths. However, if one or more paths in the network topology fail, STP selects a suitable port from the blocked ports, according to the configuration, for data transmission, so that the network keeps running smoothly.


Operating Principle of STP

To detect and eliminate loops, STP defines a tree that spans all switches. STP forcibly sets redundant links to standby or closed. When a network segment on the tree becomes unreachable, STP recalculates the topology of the tree and enables the standby paths to restore connectivity.

All interconnected switches with STP enabled exchange data with the other switches. This data is called the BPDU (bridge protocol data unit).

The exchange of BPDUs is used for:

Election of the root switch

Election of the DS (Designated Switch) for each segment

Setting the ports of redundant paths to the standby status, to eliminate loops.

BPDUs are sent from all ports once every two seconds, to keep the network topology firm, stable and free from loops.

The root is the reference point used by all switches on the network to determine loops. When a switch boots, it takes itself as the root and sets the root ID to its own bridge ID. To create a loop-free spanning tree, the first step is electing the root.

The bridge ID is composed of two parts:

2-byte priority. By default, this value is the same on every switch.

6-byte MAC address. This is the MAC address of the switch.

These two parts together determine who is the root: the smaller the number, the more likely the switch becomes the root. By exchanging BPDUs the switches determine who is the root. If all switches have the same priority, the root is decided by the MAC address: the switch with the smallest MAC address becomes the root.

After the root is elected, every switch establishes its relation to the root. The switch does this by listening to the BPDUs arriving on all of its ports.

To select the port for forwarding data and the port to be closed, a switch examines the following two fields in the BPDU:

path cost

port priority

The switch first examines the path cost, to select the port with the smallest cost. This value is calculated from the rate of the line and the number of lines. The port with the smallest cost is set to the forwarding status, while all other ports are set to the blocking status.

If two or more ports have the same path cost, the switch evaluates the port priority. The port with the smallest port ID is set to the forwarding status, while all other ports are set to the blocking status.

Thus, by electing the root and determining the forwarding port, STP determines a tree spanning all switches, forcibly setting redundant lines to standby or closed status to eliminate loops.
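The root election and the root/designated port selection described above, as an added Python example that is neither the manual's nor any ZTE implementation; the switches, port numbers and costs are constructed. It follows the page's rule (smallest bridge ID elects the root; path cost first, then port ID selects the port) and inserts the 802.1D tie-break on the neighbour's bridge ID between those two steps.

```python
import heapq


def bridge_id(priority, mac):
    """Bridge ID as the manual defines it: 2-byte priority followed by the 6-byte MAC.
    Comparing the tuple compares priority first, then MAC; the smallest value wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """bridges: name -> (priority, mac). Returns the switch with the smallest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges, links, root):
    """Dijkstra from the root: lowest cumulative path cost from every switch to the root.
    links: (switch_a, port_a, switch_b, port_b, cost)."""
    adj = {name: [] for name in bridges}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, cost in adj[n]:
            if d + cost < dist.get(m, float("inf")):
                dist[m] = d + cost
                heapq.heappush(heap, (d + cost, m))
    return dist


def port_roles(bridges, links):
    """Return (root, {(switch, port): 'root' | 'designated' | 'blocked'}); topology must be connected."""
    root = elect_root(bridges)
    rpc = root_path_costs(bridges, links, root)
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    roles = {}
    # Root port: on every non-root switch, the port with the lowest cost to the root. Ties go to
    # the neighbour with the smaller bridge ID, then to the smaller local port ID (port priority).
    for name in bridges:
        if name == root:
            continue
        candidates = []
        for a, pa, b, pb, cost in links:
            for me, my_port, peer in ((a, pa, b), (b, pb, a)):
                if me == name:
                    candidates.append((rpc[peer] + cost, bid[peer], my_port))
        roles[(name, min(candidates)[2])] = "root"
    # Designated port: on each segment the end offering the lower (root path cost, bridge ID,
    # port ID) forwards; the far end is blocked unless it is already that switch's root port.
    for a, pa, b, pb, _ in links:
        near, far = sorted(((rpc[x], bid[x], px, x) for x, px in ((a, pa), (b, pb))))
        roles[(near[3], near[2])] = "designated"
        roles.setdefault((far[3], far[2]), "blocked")
    return root, roles


# Constructed sample: three switches in a triangle with the same default priority (the manual's
# case where the smallest MAC decides the root) and equal link costs.
DEMO_BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
DEMO_LINKS = [("SW1", 1, "SW2", 1, 19), ("SW2", 2, "SW3", 1, 19), ("SW1", 2, "SW3", 2, 19)]
```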

Status of STP port

The spanning tree moves the ports among different statuses. They are:

Blocking: the initial status of all ports is blocking, to prevent loops. If the spanning tree determines that a better path exists, these ports stay in the blocking status.

Listening: a port enters the listening status from the blocking status. During this period the port tries to learn whether a better route to the root is available. In this status the port can hear data frames but cannot receive or transmit data, and it is not allowed to put any information it hears into the address table of the switch. The listening status actually indicates that a port is preparing to transmit data but still has to wait a while to make sure there is no loop. This wait, or listening period, is called the forward delay.

Learning: the learning status is very similar to the listening status, with the only difference that a port in the learning status adds the address information it learns to the address table of the switch. It still cannot receive or transmit data. The duration of this status is also called the forward delay.

Forwarding: in the forwarding status, the port starts to receive and transmit data. A port is not set to the forwarding status unless there is no redundant link or the port itself is on the best path.

Disabled: the port is not connected or has been disabled by the administrator.

Of all the statuses, listening and learning are temporary. Ultimately they change to the blocking or forwarding status.


Trunking

The trunking function is the Link Aggregation technology. It combines one or more connections into a link aggregation group. To the MAC Client at the upper layer, the aggregated links appear as one logical link, but with a much larger communication capacity. The trunking technology is used to connect two switches. When there is no fault, the bandwidth between the two switches increases with the number of physical links in the trunk, and the traffic flows are evenly distributed over the physical links in the trunk. When a physical link fails, it is automatically disabled and transmission over it stops; in addition, the switch no longer allocates traffic flows to the port connected to the failed link. The failure of one or more physical links in the trunk does not affect the connectivity between the two switches, but the link bandwidth decreases as more links are disabled. The trunking technology therefore effectively improves network bandwidth and fault tolerance. The trunking technology complies with the 802.3ad protocol.

When link aggregation is used, pay attention to the following:

Before configuring port trunking, remove the network cables from the ports to be configured. Otherwise, loops may be generated.

When removing a port from an aggregation group, first remove its network cable, so that the data transmission on this port is automatically taken over by another port and no data is lost.