Document Details
Uploaded by ProdigiousQuantum
null
Tags
Full Transcript
JTO Phase-II DNIT Switching VLAN QinQ STP 5 SWITCHING, VLAN, QINQ, STP 5.1 LEARNING OBJECTIVE This chapter will make you understand about concepts of switching, vlan, QinQ and Spanning Tree Protocol and their importance and method of w...
JTO Phase-II DNIT Switching VLAN QinQ STP 5 SWITCHING, VLAN, QINQ, STP 5.1 LEARNING OBJECTIVE This chapter will make you understand about concepts of switching, vlan, QinQ and Spanning Tree Protocol and their importance and method of working in field of data networkimg. 5.2 SWITCHING Switching play a vital role in most modern Ethernet local area networks (LANs). Mid-to-large sized LANs contain a number of linked managed switches. Small office/home office (SOHO) applications typically use a single switch, or an all-purpose device such as a residential gateway to access small office/home broadband services such as DSL or cable Internet. In most of these cases, the end-user device contains a router and components that interface to the particular physical broadband technology. User devices may also include a telephone interface for Voice over IP Switches manage the flow of data across a network by transmitting a received data frame, only to the one or more devices for which the frame is intended. A switch is a device in a computer network that connects other devices together. Multiple data cables are plugged into a switch to enable communication between different networked devices. A switch is more smarter than an Ethernet hub, which simply retransmits packets out of every port of the hub except the port on which the packet was received, and is unable to distinguish different recipients. An Etherenet hub lowers the overall network efficiency while a switch doesn‘t. Hub operates at layer 1 and an Ethernet switch operates at the data link layer (layer 2) and it creates a separate collision domain for each switch port. Segmentation involves the use of a switch to split a larger collision domain into smaller ones in order to reduce collision probability and to improve overall network throughput. The communication between the subscribers of a telephone company is established with the help of digital switching. Digital switches can be of different types based on the number of lines they handle and the included features. Digital switches are much faster in performance compared to analog switches. The main function of these switches is to manage digital signals generated or passed through a telephone exchange and then forward it to the telephone company's back-end network. TYPES OF SWITCHES Unmanaged switches: This switches don‘t have interface for configuration purpose.They have no configuration interface or options. They are plug and play. They are typically the least expensive switches, and therefore often used in a small office/home office environment. Unmanaged switches can be desktop or rack mounted. Managed/Manageable switches: This have one or more methods to modify the operation of the switch. Common management methods include: a command-line interface (CLI) accessed via serial JTO Phase-II Version 3.0 June 2021 Page 46 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP console, telnet or Secure Shell, an embedded Simple Network Management Protocol (SNMP) agent allowing management from a remote console or management station, or a web interface for management from a web browser. Examples of configuration changes that one can do from a managed switch include: enabling features such as Spanning Tree Protocol, setting port bandwidth, creating or modifying virtual LANs (VLANs), etc. 5.3 VLAN A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed. VLANs allow network administrators to group hosts together even if the hosts are not directly connected to the same network switch. Because VLAN membership can be configured through software, this can greatly simplify network design and deployment. Without VLANs, grouping hosts according to their resource needs the labor of relocating nodes or rewiring data links. VLANs allow devices that must be kept separate to share the cabling of a physical network and yet be prevented from directly interacting with one another. This managed sharing yields gains in simplicity, security, traffic management, and economy. For example, a VLAN can be used to separate traffic within a business based on individual users or groups of users or their roles (e.g. network administrators), or based on traffic characteristics (e.g. low-priority traffic prevented from impinging on the rest of the network's functioning). Many Internet hosting services use VLANs to separate customers' private zones from one other, allowing each customer's servers to be grouped in a single network segment no matter where the individual servers are located in the data center. Some precautions are needed to prevent traffic "escaping" from a given VLAN, an exploit known as VLAN hopping. To subdivide a network into VLANs, one configures network equipment. Simpler equipment might partition only each physical port (if even that), in which case each VLAN runs over a dedicated network cable. More sophisticated devices can mark frames through VLAN tagging, so that a single interconnect (trunk) may be used to transport data for multiple VLANs. Since VLANs share bandwidth, a VLAN trunk can use link aggregation, quality-of-service prioritization, or both to route data efficiently. VLANs address issues such as scalability, security, and network management. Network architects set up VLANs to provide network segmentation. Routers between VLANs filter broadcast traffic, enhance network security, perform address summarization, and mitigate network congestion. In a network utilizing broadcasts for service discovery, address assignment and resolution and other services, as the number of peers on a network grows, the frequency of broadcasts also increases. VLANs can help manage JTO Phase-II Version 3.0 June 2021 Page 47 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP broadcast traffic by forming multiple broadcast domains. Breaking up a large network into smaller independent segments reduces the amount of broadcast traffic each network device and network segment has to bear. Switches may not bridge network traffic between VLANs, as doing so would violate the integrity of the VLAN broadcast domain. VLANs can also help create multiple layer 3 networks on a single physical infrastructure. VLANs are data link layer (OSI layer 2) constructs, analogous to Internet Protocol (IP) subnets, which are network layer (OSI layer 3) constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. Without VLAN capability, users are assigned to networks based on geography and are limited by physical topologies and distances. VLANs can logically group networks to decouple the users' network location from their physical location. By using VLANs, one can control traffic patterns and react quickly to employee or equipment relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration A common infrastructure shared across VLAN trunks can provide a measure of security with great flexibility for a comparatively low cost. Quality of service schemes can optimize traffic on trunk links for real-time (e.g. VoIP) or low-latency requirements (e.g. SAN). However, VLANs as a security solution should be implemented with great care as they can be defeated unless implemented carefully. In cloud computing VLANs, IP addresses, and MAC addresses in the cloud are resources that end users can manage. To help mitigate security issues, placing cloud- based virtual machines on VLANs may be preferable to placing them directly on the Internet. Network technologies with VLAN capabilities include Ethernet Asynchronous Transfer Mode (ATM) Fiber Distributed Data Interface (FDDI) HiperSockets InfiniBand Although it was possible to use IP routing to connect multiple Ethernet networks together, it was expensive and relatively slow. It was required to look for alternatives that required less processing per packet. However, using switches to connect multiple Ethernet networks in a fault-tolerant fashion requires redundant paths through that network, which in turn requires a spanning tree configuration. This ensures that there is only one active path from any source node to any destination on the network. This causes centrally located switches to become bottlenecks, limiting scalability as more networks are interconnected. To help alleviate this problem, VLANs are invented by adding a tag to each Ethernet frame. These tags could be thought of as colors, say red, green, or blue. In this scheme, each switch could be assigned to handle frames of a single color, and ignore the JTO Phase-II Version 3.0 June 2021 Page 48 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP rest. The networks could be interconnected with three spanning trees, one for each color. By sending a mix of different frame colors, the aggregate bandwidth could be improved. This can be referred as multitree bridge. This color is what is now known in the Ethernet frame as the IEEE 802.1Q header, or the VLAN tag. Configuration and design considerations Early network designers often segmented physical LANs with the aim of reducing the size of the Ethernet collision domain—thus improving performance. When Ethernet switches made this a non-issue (because each switch port is a collision domain), attention turned to reducing the size of the data link layer broadcast domain. VLANs were first employed to separate several broadcast domains across one physical medium. A VLAN can also serve to restrict access to network resources without regard to physical topology of the network. VLANs operate at the data link layer of the OSI model. Administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving the network layer. Generally, VLANs within the same organization will be assigned different non-overlapping network address ranges. This is not a requirement of VLANs. There is no issue with separate VLANs using identical overlapping address ranges (e.g. two VLANs each use the private network 192.168.0.0/16). However, it is not possible to route data between two networks with overlapping addresses without delicate IP remapping, so if the goal of VLANs is segmentation of a larger overall organizational network, non-overlapping addresses must be used in each separate VLAN. A basic switch that is not configured for VLANs has VLAN functionality disabled or permanently enabled with a default VLAN that contains all ports on the device as members. The default VLAN typically uses VLAN identifier 1. Every device connected to one of its ports can send packets to any of the others. Separating ports by VLAN groups separates their traffic very much like connecting each group using a distinct switch for each group. In the context of VLANs, the term trunk denotes a network link carrying multiple VLANs, which are identified by labels (or tags) inserted into their packets. Such trunks must run between tagged ports of VLAN-aware devices, so they are often switch-to- switch or switch-to-router links rather than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for network traffic going across different VLANs. It is only when the VLAN port group is to extend to another device that tagging is used. Since communications between ports on two different switches travel via the uplink ports of each switch involved, every VLAN containing such ports must also contain the uplink port of each switch involved, and traffic through these ports must be tagged. Switches typically have no built-in method to indicate VLAN to port associations to someone working in a wiring closet. It is necessary for a technician to either have administrative access to the device to view its configuration, or for VLAN port assignment charts or diagrams to be kept next to the switches in each wiring closet. JTO Phase-II Version 3.0 June 2021 Page 49 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP PROTOCOLS AND DESIGN The protocol most commonly used today to support VLANs is IEEE 802.1Q. The IEEE 802.1 working group defined this method of multiplexing VLANs in an effort to provide multivendor VLAN support. Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, including Cisco Inter-Switch Link (ISL). Both ISL and IEEE 802.1Q tagging perform explicit tagging, the frame itself is tagged with VLAN information. ISL uses an external tagging process that does not modify the Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and therefore does modify the basic Ethernet frame structure. This internal tagging allows IEEE 802.1Q to work on both access and trunk links using standard Ethernet hardware. IEEE 802.1Q Under IEEE 802.1Q, the maximum number of VLANs on a given Ethernet network is 4,094 (4,096 values provided by the 12-bit VID field minus reserved values at each end of the range, 0 and 4,095). This does not impose the same limit on the number of IP subnets in such a network since a single VLAN can contain multiple IP subnets. IEEE 802.1ad extends the number of VLANs supported by adding support for multiple, nested VLAN tags. IEEE 802.1aq (Shortest Path Bridging) expands the VLAN limit to 16 million. Both improvements have been incorporated into the IEEE 802.1Q standard. Cisco Inter-Switch Link Inter-Switch Link (ISL) is a Cisco proprietary protocol used to interconnect switches and maintain VLAN information as traffic travels between switches on trunk links. ISL is provided as an alternative to IEEE 802.1Q. ISL is available only on some Cisco equipment and has been deprecated. Cisco VLAN Trunking Protocol VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that propagates the definition of VLANs on the whole local area network. VTP is available on most of the Cisco Catalyst Family products. The comparable IEEE standard in use by other manufacturers is GARP VLAN Registration Protocol (GVRP) or the more recent Multiple VLAN Registration Protocol (MVRP). MEMBERSHIP VLAN membership can be established either statically or dynamically. Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port- to-VLAN assignment for the new connection. Dynamic VLANs are created using software or by protocol. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs JTO Phase-II Version 3.0 June 2021 Page 50 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the switch queries a database for the VLAN membership of the port that device is connected to. Protocol methods include Multiple VLAN Registration Protocol (MVRP) and the somewhat obsolete GARP VLAN Registration Protocol (GVRP). In a switch that supports protocol-based VLANs, traffic may be handled on the basis of its protocol. Essentially, this segregates or forwards traffic from a port depending on the particular protocol of that traffic; traffic of any other protocol is not forwarded on the port. This allows, for example, IP and IPX traffic to be automatically segregated by the network. There are two ways of categorizing VLAN enabled ports on network devices: Untagged or Native ports Tagged or Trunk ports A network port is a communication endpoint a device uses to send and receive traffic.Native ports accept traffic from a single VLAN and are used to link end devices like routers, servers, terminals etc. They do not need to accommodate an additional identification tag as they are involved in exchanging traffic with a single end device. Hence the name, untagged ports. They are also referred to as access ports. Trunk ports are used to pass traffic from multiple VLANs and are used to link switches. In order to distinguish between frames from different VLANs, trunk ports add identification tags to the frames. Hence the name, tagged ports. A trunk is a point-to-point link between two network devices that carry more than one VLAN. Figure 27: A simple VLAN In the diagram above, devices 1 and 2 have established Native VLANs with Switch 1. Similarly, devices 3 and 4 have Native VLANs established with Switch 2. Note that native VLANs transport untagged frames. However, when these untagged frames reach a trunk end, they need to be tagged to make sure the switch on the other side of the trunk can forward the frames to the right destinations. As a result, the switches with trunk ports add tags to the frames for identification - a process typically known as VLAN Encapsulation. Switch 1 tags all frames it receives from device 1 with VLAN ID 1 because device 1 belongs to VLAN 1, before forwarding the frames on the trunk. Similarly, it tags all frames from device 2 with VLAN ID 2. Switch 2, on receiving the tagged frames, decapsulates them to check which VLAN they are destined for and JTO Phase-II Version 3.0 June 2021 Page 51 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP forwards them accordingly. Traffic on VLAN 1 will not be seen by devices in VLAN2 because Layer 2 unicast, multicast and broadcast traffic will not cross VLAN boundaries. When a switch port is configured to function as a trunk port, it adds unique identification tags – either 802.1Q tags or Inter-Switch Link (ISL) tags to the frames as they move between switches. IEEE802.1Q, often referred to as DOT1Q or 1Q, is the networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network. It is the most widely used encapsulation method for VLAN tagging. Note: IEEE 802.3 is a standard that specifies the characteristics of physical layer and Media Access Control(MAC) layer for wired Ethernet connections, generally called LANs. It is also referred to as the Ethernet standard. Figure 28: IEEE802.1Q Frame Format The dot1Q frame standard accommodates a VLAN tag in the original Ethernet frame. This VLAN tag is 4 bytes long and consists of the fields discussed below: 1. Tag Protocol ID(TPID): This field is used to identify the frame as IEEE 802.1q frame. The value is set to 0x8100. 2. Priority(PRI): This field indicates frame priority level. Also called Priority Code Point(PCP). See this link for priority levels. 3. Canonical Format Indicator(CFI): Now known as Drop Eligibility Indicator(DEI), this field along with PCP is used to indicate frames that can be dropped during congestion. 4. VLAN ID: This ID is unique for each VLAN and helps in identifying which VLAN the current frame belongs to. This field is 12 bits long. Hence, 1dotQ supports 2^12 i.e. 4096 unique VLANs on a single Ethernet network. As 802.1q encapsulation inserts an additional field into the Ethernet frame, Frame Check Sequence(FCS) is recalculated. All switches support 802.1q encapsulation.VLAN cross connect (CC or VLAN-XC) is a mechanism used to create Switched VLANs, VLAN CC uses IEEE 802.1ad frames where the S Tag is used as a Label as in MPLS. JTO Phase-II Version 3.0 June 2021 Page 52 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP 5.4 Q IN Q The original 802.1Q specification allows a single Virtual Local Area Network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing Metro Ethernet network topologies. Just as QinQ extends 802.1Q, QinQ itself is extended by other Metro Ethernet protocols. In a multiple VLAN header context, out of convenience the term "VLAN tag" or just "tag" for short is often used in place of "802.1Q VLAN header". QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has 2 VLAN 802.1Q headers (double-tagged). QinQ is formally known as IEEE 802.1ad as an Ethernet Network Standard which is an amendment to IEEE 802.1Q standard. This amendment to IEEE Std 802.1Q-1998 is intended to develop an architecture, compatible and interoperable with existing Bridged Local Area Network protocols and equipment, to provide separate instances of the MAC services to multiple independent users of a Bridged Local Area Network in a manner that does not require cooperation among the users, and requires a minimum of cooperation between the users and the provider of the MAC service. This amendment will enable a Service Provider to offer the equivalent of separate LAN Segments, Bridged or Virtual Bridged LANs, to a number of users, over the Provider's bridged network. Figure 29: Q in Q tagging Q in Q tagging has been implemented in Broadband Network. Q in Q tag in broadband involves use of outer VLAN and inner VLAN tag, which helps in identifying the end user uniquely and segregate the users traffic. JTO Phase-II Version 3.0 June 2021 Page 53 of 103 For Restricted Circulation JTO Phase-II DNIT Switching VLAN QinQ STP Figure 30: QinQ implementation in Broadband Network 5.5 STP STP is a protocol which has been designed to support redundant links by preventing the switching loops in the network. It is a Layer 2 protocol used for link management that runs on bridges and switches, Thus STP should be enabled on the switch interfaces, in case if redundant links are to be used. STP protocols are standardarized as IEEE 802.1D by IEEE. Redundancy in nework is required to increase its reliability. But this may adversely effects the network when switches flood traffic out all ports, when the traffic needs to be sent to a destination that is not yet known. Broadcast and multicast traffic is forwarded out to every port, apart from the port on which the traffic arrived. In absence of STP algorithm, broadcast traffic may stuck up in the loop thereby making the network very slow. Spanning trees use an algorithm to search for the redundant links in the LAN and select the best paths. It is mainly used to put all links in either forwarding or blocking.After this process, all the links without a redundant link is likely to be in the forwarding state. The redundant links that were not as good as the selected links would be in blocking state. Spanning Tree never uses multiple links to the same destination. There is no load-sharing feature with Spanning Tree 5.6 CONCLUSION Switching is necessary in data network but in a network scenario where number of users are too many and QoS is essential, in that case just switching of data will not solve the purpose. It is to be supplemented by the services of VLAN, QinQ and STP so that QoS parameters and their optimum values are ensured. JTO Phase-II Version 3.0 June 2021 Page 54 of 103 For Restricted Circulation