Vlan-tunleling

8/3/2019 Vlan-tunleling

1/27

Virtual Links: VLANs and

Tunneling

CS 4251: Computer Networking IINick FeamsterSpring 2008


2/27

Why VLANs?

Layer 2: devices on one VLAN cannotcommunicate with users on another VLANwithout the use of routers and network layeraddresses

Advantages

Help control broadcasts (primarily MAC-layerbroadcasts)

Switch table entry scaling Improve network security

Help logically group network users

Key feature: Divorced from physical networktopology


3/27

VLAN basics

VLAN configuration issues: A switch creates a broadcast domain

VLANs help manage broadcast domains

VLANs can be defined on port groups, users or protocols

LAN switches and network management software provide amechanism to create VLANs

VLANs help control the size of broadcast domainsand localize traffic.

VLANs are associated with individual networks. Devices in different VLANs cannot directly

communicate without the intervention of a Layer 3routing device.


4/27

VLAN Trunking Protocol

VLAN trunking: many VLANs throughout anorganization by adding special tags to framesto identify the VLAN to which they belong.

This tagging allows many VLANs to becarried across a common backbone, or trunk.

IEEE 802.1Q trunking protocol is thestandard, widely implemented trunking

protocol


5/27

Trunking: History

An example of this in a communications networkis a backbone link between an MDF and an IDF

A backbone is composed of a number of trunks.


6/27

VLAN Trunking

Conserve ports when creating a link betweentwo devices implementing VLANs

Trunking will bundle multiple virtual links over

one physical link by allowing the traffic forseveral VLANs to travel over a single cablebetween the switches.


7/27

Trunking Operation

Manages the transfer of frames from differentVLANs on a single physical line

Trunking protocols establish agreement for the

distribution of frames to the associated ports atboth ends of the trunk

Two mechanisms

frame filtering frame tagging


8/27

Frame Filtering


9/27

Frame Tagging

A frame tagging mechanism assigns anidentifier, VLAN ID, to the frames

Easier management

Faster delivery of frames


10/27

Frame Tagging

Each frame sent on the link is tagged toidentify which VLAN it belongs to.

Different tagging schemes exist

Two common schemes for Ethernet frames 802.1Q:IEEE standard

Encapsulates packet in an additional 4-byteheader

ISLCisco proprietary Inter-Switch Link protocol

Tagging occurs within the frame itself


11/27

VLANs and trunking

VLAN frame tagging is an approach that has beenspecifically developed for switched communications.

Frame tagging places a unique identifier in theheader of each frame as it is forwarded throughoutthe network backbone.

The identifier is understood and examined by eachswitch before any broadcasts or transmissions aremade to other switches, routers, or end-stationdevices.

When the frame exits the network backbone, theswitch removes the identifier before the frame istransmitted to the target end station.

Frame tagging functions at Layer 2 and requires littleprocessing or administrative overhead.


12/27

Inter-VLAN Routing

If a VLAN spans across multiple devices atrunk is used to interconnect the devices.

A trunk carries traffic for multiple VLANs.

For example, a trunk can connect a switch toanother switch, a switch to the inter-VLANrouter, or a switch to a server with a specialNIC installed that supports trunking.

Remember that when a host on one VLANwants to communicate with a host on another,a router must be involved.


13/27

Inter-VLAN Issues and Solutions

Hosts on different VLANs must communicate

Logical connectivity: a single connection, ortrunk, from the switch to the router

That trunk can support multiple VLANs This topology is called a router on a stick because

there is a single connection to the router


14/27

Physical and logical interfaces

The primary advantage of using a trunk link is areduction in the number of router and switchports used.

Not only can this save money, it can also reduceconfiguration complexity.

Consequently, the trunk-connected routerapproach can scale to a much larger number ofVLANs than a one-link-per-VLAN design.


15/27

Why Tunnel?

Security E.g., VPNs

Flexibility Topology Protocol

Bypassing local network engineers Oppressive regimes: China, Pakistan, TS

Compatibility/Interoperability Dispersion/Logical grouping/Organization

Reliability Fast Reroute, Resilient Overlay Networks (Akamai SureRoute)

Stability (path pinning) E.g., for performance guarantees


16/27

MPLS Overview

Main idea: Virtual circuit

Packets forwarded based only on circuit identifier

Destination

Source 1

Source 2

Router can forward traffic to the same destination on

different interfaces/paths.


17/27

Circuit Abstraction: Label Swapping

Label-switched paths (LSPs):Paths are named by

the label at the paths entry point At each hop, label determines:

Outgoing interface

New label to attach

Label distribution protocol: responsible fordisseminating signalling information

A 1 2

3

A 2 D

Tag Out New

D


18/27

Layer 3 Virtual Private Networks

Private communications over a public network

A set of sites that are allowed to communicate with

each other

Defined by a set of administrative policies

determine both connectivity and QoS among sites

established by VPN customers

One way to implement: BGP/MPLS VPNmechanisms (RFC 2547)


19/27

Building Private Networks

Separate physical network Good security properties

Expensive!

Secure VPNs Encryption of entire network stack between endpoints

Layer 2 Tunneling Protocol (L2TP)

PPP over IP No encryption

Layer 3 VPNs

Privacy andinterconnectivity(not confidentiality,integrity, etc.)


20/27

Layer 2 vs. Layer 3 VPNs

Layer 2 VPNs can carry traffic for many differentprotocols, whereas Layer 3 is IP only

More complicated to provision a Layer 2 VPN

Layer 3 VPNs: potentially more flexibility, fewer

configuration headaches


21/27

Layer 3 BGP/MPLS VPNs

Isolation: Multiple logical networks over asingle, shared physical infrastructure

Tunneling:Keeping routes out of the core

VPN A/Site 1

VPN A/Site 2

VPN A/Site 3

VPN B/Site 2

VPN B/Site 1

VPN B/Site 3

CEA1

CEB3

CEA3

CEB2

CEA2CE1B1

CE2B1

PE1

PE2

PE3

P1

P2

P3

10.1/16

10.2/16

10.3/16

10.1/16

10.2/16

10.4/16

BGP to exchange routesMPLS to forward traffic


22/27

High-Level Overview of Operation

IP packets arrive at PE

Destination IP address is looked up in

forwarding table

Datagram sent to customers network using

tunneling (i.e., an MPLS label-switched path)


23/27

BGP/MPLS VPN key components

Forwarding in the core:MPLS

Distributing routes between PEs:BGP

Isolation:Keeping different VPNs from routingtraffic over one another Constrained distribution of routing information

Multiple virtual forwarding tables

Unique addresses: VPN-IP4 Address extension


24/27

Virtual Routing and Forwarding

Separate tables per customer at each router

10.0.1.0/24RD: Green

10.0.1.0/24

RD: Blue

10.0.1.0/24

10.0.1.0/24

Customer 1

Customer 2

Customer 1

Customer 2


25/27

Routing: Constraining Distribution

Performed by Service Provider using route filtering basedon BGP Extended Community attribute

BGP Community is attached by ingress PE route filteringbased on BGP Community is performed by egress PE

Site 1

Site 2

Site 3

Static route,RIP, etc.

RD:10.0.1.0/24

Route target: GreenNext-hop: A

A

10.0.1.0/24

BGP


26/27

Forwarding PE and P routers have BGP next-hop reachability

through the backbone IGP

Labels are distributed through LDP (hop-by-hop)corresponding to BGP Next-Hops

Two-Label Stack is used for packet forwarding

Top label indicates Next-Hop (interior label)

Second level label indicates outgoing interface or

VRF (exterior label)

IP DatagramLabel

2

Label

1

Layer 2

Header

Corresponds to LSP ofBGP next-hop (PE)

Corresponds toVRF/interface at exit


27/27

Forwarding in BGP/MPLS VPNs

Step 1: Packet arrives at incoming interface

Site VRF determines BGP next-hop and Label #2

IP DatagramLabel

2

Step 2: BGP next-hop lookup, addcorresponding LSP (also at site VRF)

IP DatagramLabel2

Label1

Documents

Vlan-tunleling