C-VLAN 802.1x.pdf
IEEE 802.1Q, IEEE 802.1ad, IEEE 802.1ah: standards supporting VLANs
IEEE 802.1Q VLAN frame format
(figure) Original Ethernet frame format: PA | SFD | DA | SA | T/L | Data (46 - 1500 bytes) | FCS | IFG
(figure) Ethernet frames on a tagged port can include a VLAN tag: PA | SFD | DA | SA | TPI (81 00) | VLAN (User Priority P, CFI, VLAN ID) | T/L | Data (46 - 1500 bytes) | FCS | IFG
The VLAN ID (VID) identifies 4094 possible VLANs.
Field name | Size | Description
• Preamble (PA) | 7 bytes | Used to synchronize traffic between nodes
• Start Frame Delimiter (SFD) | 1 byte | Marks the beginning of the header
• Destination Address (DA) | 6 bytes | The MAC address of the next/final hop
• Source Address (SA) | 6 bytes | The MAC address of the source
• Tag Protocol Identifier (TPI) | 2 bytes | Indicates this frame uses 802.1p or Q tags – set to “8100” in the standard
• User Priority (P) | 3 bits | Indicates the 802.1p priority level 0-7 (CoS)
• Canonical Format Indicator (CFI) | 1 bit | Indicates if the MAC addresses are in canonical format (bit ordering information) – Ethernet uses “0”, different in Token Ring
• VLAN Identifier (VID) | 12 bits | Indicates which VLAN this frame belongs to (1-4094)
• Type/Length field (T/L) | 2 bytes | Ethernet II “type” or 802.3 “length” information
• Payload | 48 - 1500 bytes | User data or higher layer protocol information
• Frame Check Sequence (FCS) | 4 bytes | Error checking on the frame’s contents – also known as “CRC” (Cyclic Redundancy Check)
IEEE 802.1Q VLAN Reserved VID values
• Two VID values are reserved (they cannot be configured):
– 0x000: Null VLAN ID for priority-tagged frames
– 0xFFF: Management wildcard lookup, other future uses
IEEE 802.1Q – VLAN
(figure) An untagged frame C-DA | C-SA | Client Data | FCS enters a VLAN-aware bridge, which inserts a C-TAG and emits C-DA | C-SA | C-TAG | Client Data | C-FCS
• Standard currently refers to VLANs (Virtual LANs)
– IEEE 802.1Q changes the terminology to Customer VLANs (C-VLAN)
– As the frame has changed, the checksum must be recalculated
• C-VLAN also contains 3 bits for priority information
– Originally defined in IEEE 802.1p
– Opportunity to use this information with Ethernet (QoS)
IEEE 802.1Q-aware Bridge
(figure) Three virtual switches inside a single Q-aware bridge: Switch 1 serving Location A, Location B and Location C
Port Type: Access Port
• Each Access Port has the following behaviour:
– An access port has one VLAN in its member set: the Port VLAN (P-VLAN, configured against that port)
– All frames received with the P-VLAN are forwarded
– All untagged and priority-tagged frames are forwarded (with the P-VLAN)
– All frames received with any other VLAN are dropped
– Frames received on other ports of the bridge are only forwarded to this port if they carry the P-VLAN
– All frames transmitted on this port have the P-VLAN tag removed
• VLAN rules are enforced by the management system
Port Type: Trunk Port
• Each Trunk Port has the following behaviour:
– A Trunk port is in the member set of all VLANs, and transmits all frames with VLAN tags
– It discards all packets received on it that belong to a VLAN not configured on the bridge
– Every frame transmitted on this port contains one of the configured VLANs
– The operator only has to configure the port as a Trunk port; all configured VLANs then become part of its member set
– Every new VLAN they create automatically becomes part of the member set
• VLAN rules are enforced by the management system
Provider Bridge IEEE 802.1ad
Starting with the Q-in-Q concept (introduced by Cisco)
• Q-in-Q has two key concepts:
– Introduces the Tunnel Port / Tunnel VLAN concept, which is used to tunnel Customer VLAN-tagged traffic through a provider network by stacking a second VLAN.
– Introduces the concept of tunnelling various Customer Control Protocols (C-PDUs) that would normally be terminated by the peering bridge.
• Therefore:
– Q-in-Q can tunnel all of a single customer’s VLAN-tagged traffic over a single T-VLAN
– Q-in-Q allows for scalable networks, and customer separation.
VLAN Stacking
(figure) Tagged Ethernet II frame: PA | SFD | DA | SA | TPI | VLAN | T/L | Data (46 - 1500 bytes) | FCS | IFG
(figure) Modified frame with two stacked tags: PA | SFD | DA | SA | TPI 2 | VLAN 2 | TPI 1 | VLAN 1 | T/L | Data (46 - 1500 bytes) | FCS | IFG
Ethernet multi-tag frame, not standardised (Cisco solution), so called “Q in Q” or “Q dot Q” frames
IEEE 802.1ad: Network view
(figure) Nodes 1 to 5, each carrying C-VLAN #1, C-VLAN #2 and C-VLAN #3, attached to a Provider Bridge Network (IEEE 802.1ad)
IEEE 802.1ad: Bridge View
(figure) Customer A networks 1-3 and Customer B networks 1-2 (Customer-VLANs) attach through Tunnel Edge Bridges to a Provider Network equipped with standard bridges; Tunnel-VLANs cross the provider network
Tunnel Port which encapsulates the purple and red Customer VLANs into the light blue Tunnel VLAN -> Port-based Service VLAN
Definition of a PB (IEEE 802.1ad)
• A Provider Bridge enables a Service Provider to use a common infrastructure of Bridges and LANs to offer the equivalent of separate
– LANs
– Bridges
– Virtual Bridged Private LANs
…to independent customer organisations
• Separation of the different domains is the key here:
– C-VLANs are Customer-operated
– S-VLANs are Service-provider operated
– Customer is unaware of Service network (and other customers)
IEEE 802.1ad – Frame Formats
(figure) A customer frame C-DA | C-SA | C-TAG | Client Data | C-FCS enters the Provider Edge Bridge, which stacks an S-TAG: C-DA | C-SA | S-TAG | C-TAG | Client Data | S-FCS
• Customer TPID = 8100, Provider TPID = 88A8
– Provider Bridges see C-TAG’d traffic as untagged
– Therefore, an S-TAG is stacked on top of the C-TAG
• Unlike Q-in-Q, we can now see whether each VLAN is from a customer or service provider.
New definitions from IEEE 802.1ad
• C-VLAN:
– Customer VLAN, previously defined as a VLAN in 802.1Q. TPID = 8100
• S-VLAN:
– Service Provider VLAN, used inside the provider network. TPID = 88A8 (also contains Drop Eligibility flag)
• S-VLAN Bridge:
– A system comprising a single S-VLAN component.
• Provider Edge Bridge:
– A system comprising a single S-VLAN component and one or more C-VLAN components
• Provider Bridge:
– An S-VLAN Bridge or a Provider Edge Bridge
Component definitions (EISS = Enhanced Internal Sublayer Service)
• The PB / PEB definitions define “components”
– These are generic building blocks for the PB & PEB
– The type of component determines the type of VLAN handled
– Two such component types are defined in IEEE 802.1ad
• C-VLAN component:
– A VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Customer VLAN tags
• S-VLAN component:
– A VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Service VLAN tags
Port designations
• Customer Edge Port (CEP):
– C-VLAN component port on a Provider Edge Bridge that receives / transmits frames for a single customer
• Customer Network Port (CNP):
– An S-VLAN component port on a Provider Bridge / within a Provider Edge Bridge that receives / transmits frames for a single customer
• Provider Edge Port (PEP):
– A C-VLAN component port within a Provider Edge Bridge that connects to a CNP and receives / transmits frames for a single customer
• Provider Network Port (PNP):
– An S-VLAN component port on a Provider Bridge that receives / transmits frames for multiple customers
Port designation on Provider Bridges
(figure) Customer Q-Bridges connect over CEPs (untagged with PVID, or tagged with CVID) to the C-VLAN components of a Provider Edge Bridge; each C-VLAN component connects over a PEP (tagged or untagged) to a CNP (untagged PVID) of the S-VLAN component, giving services S1, S2 and S3; the S-VLAN component connects over a tagged PNP to the provider network. Customer-operated Provider Bridges attach to a Provider Bridge over CNPs (untagged PVID for S4, tagged SVID for S5 and S6) and a tagged PNP.
• CEP (untagged) supports only one C-VLAN
• CEP (tagged) supports multiple C-VLANs (with multiple C-VIDs)
• CNP (untagged) has a 1:1 relationship with a C-VLAN / S-VLAN
• CNP (tagged) supports multiple S-VLANs (with multiple S-VIDs)
• PNP (tagged) supports multiple services
Customer Edge Port (CEP)
• Connected to customer-owned equipment
– Receives and transmits frames for a single customer
• Supports the following types of service
– C-untagged: handling of frames with no C-VLAN tag
– C-tagged: handling of frames with a C-VLAN tag
• Provides a mapping for each C-VLAN to an S-VLAN
– Untagged and priority-tagged frames are mapped to the Port Default C-VLAN
• Connected via a C-VLAN component to one or more PEP(s)
– Customer RSTP is extended over this C-VLAN component
– Customer BPDUs are VLAN-tagged and transmitted over the Provider Network as normal multicast traffic
Customer Network Port (CNP)
• Connected to customer-owned equipment
– Receives and transmits frames for a single customer
• Supports the following types of service
– Port-based: handling of frames with no S-VLAN tag
– S-tagged: handling of frames with an S-VLAN tag
• Provides a re-mapping function for S-VLANs
– Untagged and priority-tagged frames are mapped to the Port Default S-VLAN
• A CNP exists as either:
– Physical port: connected directly to the customer
– Logical port: internal LAN connection on a 1:1 basis to a PEP
Provider Network Port (PNP)
• Connected to provider equipment
– Receives and transmits frames for multiple customers
• Supports the following types of service
– S-tagged: handling of frames with an S-VLAN tag
– SC-tagged: handling of frames with an S-VLAN and a C-VLAN tag
• All frames received must have an S-VLAN tag
– Any packets without a valid S-VLAN are dropped
• Connected via the S-VLAN component to CNPs
– Provider BPDUs are only transmitted over the PNP
Changes for Protocol Frames
• IEEE 802.1Q defined the following range as reserved:
– 01-80-C2-00-00-00 to 01-80-C2-00-00-0F
– Frames received in this range must not be forwarded, but must be either peered or discarded.
• IEEE 802.1ad sets a new range for S-VLAN components:
– 01-80-C2-00-00-01 to 01-80-C2-00-00-0A
– Bridge Group Address is treated as a normal multicast address
– Customer BPDUs will therefore be S-VLAN tagged
– These frames are then forwarded as per customer multicast
Network / Subnetwork Segregation – Protocol Frames
IEEE 802.1Q Bridges – Reserved Addresses
Multicast MAC Address | Length or Ethertype | DSAP-SSAP | Control | Protocol Type
• 01-80-c2-00-00-00 | length | 42-42 | 03 | Spanning Tree, Rapid Spanning Tree, Multiple Spanning Tree (LLC Type 1 header)
• 01-80-c2-00-00-01 | 88-08 | – | – | Pause (not LLC encapsulated)
• 01-80-c2-00-00-02 | 88-09 | – | – | Link Aggregation Control, Link Aggregation Marker (not LLC encapsulated)
• 01-80-c2-00-00-03 | 88-8e | – | – | Port Authentication Entity (not LLC encapsulated)
• 01-80-c2-00-00-0e | 88-cc | – | – | Link Layer Discovery (not LLC encapsulated)
• 01-80-c2-00-00-20 | length | 42-42 | 03 | GARP Multicast Registration (LLC Type 1 header)
• 01-80-c2-00-00-21 | length | 42-42 | 03 | GARP VLAN Registration (LLC Type 1 header)
IEEE 802.1ad Bridges – Additional Reserved Addresses
Multicast MAC Address | Length or Ethertype | DSAP-SSAP | Control | Protocol Type
• 01-80-c2-00-00-08 | length | 42-42 | 03 | Provider Spanning Tree, Provider Rapid Spanning Tree, Provider Multiple Spanning Tree (LLC Type 1 header)
• 01-80-c2-00-00-0d | length | 42-42 | 03 | Provider GARP VLAN Registration (LLC Type 1 header)
Customer RSTP
• Normal bridge group address omitted from PB and S-VLAN component reserved list
• Customer BPDUs are neither blocked nor processed; instead they are tagged and forwarded
(figure) Provider Edge Bridges with CEPs and PEPs on the customer side and CNPs and PNPs on the provider side; customer BPDUs enter on CEPs and leave on PEPs, crossing the provider bridges’ PNPs
• IEEE 802.1ad specifies RSTP per C-VLAN component of PEBs
• RSTP BPDUs use the normal bridge group address
• RSTP BPDUs are transmitted on all CEPs and PEPs
• BPDU transmission on PEPs extends RSTP per C-VLAN to other customer subnets
Customer Spanning Trees
• Provider bridge group address is included in the C-VLAN component reserved list, so Provider BPDUs via CNPs are effectively blocked
Provider Spanning Tree
(figure) Provider MSTP running between the PNPs of the Provider Bridges and the CNPs and PNPs of the Provider Edge Bridges; it does not cross the PEPs and CEPs
• IEEE 802.1ad specifies MSTP on PBs and S-VLAN components of PEBs
• Provider BPDUs use the provider bridge group address
• Provider BPDUs are transmitted on all CNPs & PNPs…
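The two reserved lists above decide which control frames cross the provider network. The following Python is an added example (not from the slides): it encodes the 802.1Q range for C-VLAN components and the 802.1ad range for S-VLAN components as stated on this page, then traces a customer BPDU and a provider BPDU through a chain of components. Component and address names are the page’s; the function names are assumptions.

```python
# Reserved group addresses on the page share the prefix 01-80-C2-00-00-xx
RESERVED_PREFIX = "01-80-c2-00-00-"
BRIDGE_GROUP = 0x00           # customer STP/RSTP/MSTP BPDUs
PROVIDER_BRIDGE_GROUP = 0x08  # provider STP/RSTP/MSTP BPDUs

def reserved_action(component: str, da: str) -> str:
    """Decide what a C-VLAN or S-VLAN component does with a frame sent to `da`:
    'peer-or-discard' for addresses on the component's reserved list (the frame
    is handed to the local protocol entity or dropped, never relayed),
    'forward' otherwise."""
    da = da.lower()
    if not da.startswith(RESERVED_PREFIX):
        return "forward"                      # ordinary unicast / multicast
    low = int(da[len(RESERVED_PREFIX):], 16)  # last octet of the address
    if component == "C-VLAN":
        # 802.1Q list 00-0F; it already contains the provider bridge group
        # address (08), so provider BPDUs arriving via a CNP never reach the
        # customer side of a Provider Edge Bridge
        return "peer-or-discard" if 0x00 <= low <= 0x0F else "forward"
    if component == "S-VLAN":
        # 802.1ad list 01-0A: the bridge group address (00) is left out, so
        # customer BPDUs are treated as normal multicast, S-tagged and carried
        # across the provider network like any other customer frame
        return "peer-or-discard" if 0x01 <= low <= 0x0A else "forward"
    raise ValueError(f"unknown component type {component!r}")

def trace_bpdu(da: str, hops: list) -> list:
    """Walk a frame through a list of component types (the order in which the
    frame meets them) and stop at the first one that peers or discards it.
    Returns one (component, action) pair per component visited."""
    path = []
    for comp in hops:
        action = reserved_action(comp, da)
        path.append((comp, action))
        if action != "forward":
            break
    return path
```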
Provider Backbone Bridge IEEE 802.1ah
Provider Backbone Bridge Network Concepts
• Backbone service creation
• Provisioning Hierarchy:
– Customer
– Provider
– Backbone
• Address space separation
Provider Backbone Bridge Terminology
From LAN Bridges to Provider Backbone Bridges
Bridge Types
• Backbone Bridge
• Backbone Edge Bridge
New Backbone Edge Bridge Ports
(figure) The Provider Edge Bridge port diagram from above (Customer Q-Bridges on CEPs with untagged PVID or tagged CVID, C-VLAN components connected over PEPs to CNPs of the S-VLAN component for S1, S2 and S3, and a tagged PNP), extended with the two new port types defined below
• Customer Backbone Port (CBP): port of a Backbone Edge Bridge that can receive and transmit I-tagged frames, can assign a B-VID and translate the I-SID.
• Provider Instance Port (PIP): port of an I-component in a Backbone Edge Bridge that provides access to the backbone service.
Backbone Edge Bridge (I-Function)
Towards the PIPs:
• C-DA and C-SA are encapsulated inside the I-TAG
• B-DA is taken from a local table
• B-SA is the MAC address of the PIP
From the PIPs:
• Only frames whose B-DA equals the MAC address of the PIP are accepted
• C-DA and C-SA are taken from the I-TAG
• The I-TAG is removed and discarded
Backbone Edge Bridge (B-Function)
• Adds a B-TAG and forwards I-tagged frames towards the PNPs
• Removes the B-TAG when it receives frames from a PNP
• S-TAG TPID and B-TAG TPID are the same (88A8), as in IEEE 802.1ad
Backbone Edge Bridge (IB-Function)
• Contains one B-component and one or more I-components
Backbone Bridge Components
• B-component: an S-VLAN component with one or more Customer Backbone Ports (CBP)
– Recognises and uses the I-TAG
– Supports the assignment of B-VIDs (VLANs inside the backbone) based on the I-SID on the CBPs
– Supports the termination of PBBN Spanning Trees
• I-component: an S-VLAN component with one or more Provider Instance Ports (PIP)
– Supports the mapping between S-VID and I-SID
– Supports the termination of PBN Spanning Trees
Backbone Core Bridge
• Used inside a Provider Backbone Bridged Network (PBBN).
• Learns only the MAC addresses belonging to the PBBN. Handles frames in the same way as Provider Bridges (IEEE 802.1ad).
• The name BCB is only a logical distinction within the 802.1ah standard.
Definitions in brief
• Backbone MAC Address (B-MAC): MAC address associated with a Provider Instance Port and used to build the MAC header of I-tagged frames transmitted across a Provider Backbone Bridged Network
• Backbone MAC Frame: a LAN frame with backbone MAC addresses
• Backbone service instance: an instance of a service in a Provider Backbone Bridged Network between two or more Virtual Instance Ports in Backbone Edge Bridges
• Backbone Service Instance Identifier (I-SID): field of a Backbone Service Instance tag that identifies the service instance of a frame
• Backbone Service Instance Drop Eligibility Indicator (I-DEI): field of a Backbone Service Instance tag that indicates whether a frame may be dropped in a backbone service instance
• Backbone Service Instance priority code point (I-PCP): field of a Backbone Service Instance tag that indicates the priority of a frame in a backbone service instance
• Backbone Service Instance tag (I-TAG): tag with Ethertype 88E7
• Backbone VLAN (B-VLAN): VLAN identified by a Backbone VLAN ID
• Backbone VLAN drop eligible indicator (B-DEI): field of a B-TAG that indicates whether the frame may be dropped
• Backbone VLAN ID (B-VID): VLAN identifier in a B-TAG
• Backbone VLAN priority code point (B-PCP): field of a B-TAG that indicates the priority of a frame in a Backbone VLAN
• Backbone VLAN tag (B-TAG): S-TAG used together with backbone MAC addresses
• Backbone VLAN tagged frames: frames that carry a B-TAG immediately after the source MAC address
Ethernet Types / I-TAG
Port Based: conceptually identical to the 802.1ad case; does not accept frames with an S-TAG unless they have T-TAG=0 (priority).
S-Tagged: maps a service instance identified by an S-VID to a Backbone service instance on the PBBN identified by a SID
S-TAGGED interfaces
• 1:1 mapping between S-VID and I-SID: in this case the S-TAG is not carried but is derived from the I-SID; priority and DEI are regenerated at I-TAG level.
• Bundling of S-VIDs onto a single I-SID: in this case the S-TAG is carried as well, with its priority and DEI, which are also copied into the I-TAG.
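The three tag formats described on this page (the 802.1Q C-TAG with its PCP/CFI/VID fields, the 802.1ad S-TAG with TPID 88A8 and a DEI bit, and the 802.1ah I-TAG with TPID 88E7 carrying I-PCP, I-DEI, I-SID and the encapsulated C-DA/C-SA) can be walked with one loop. The following Python is an added example, not code from the slides; the sample frame and all of its addresses, VIDs and I-SID are constructed for the demonstration, and the 4-byte I-TAG TCI layout is taken from IEEE 802.1ah rather than from this page.

```python
import struct

TPID_C = 0x8100  # C-TAG (IEEE 802.1Q)
TPID_S = 0x88A8  # S-TAG (IEEE 802.1ad); the 802.1ah B-TAG uses the same TPID
TPID_I = 0x88E7  # I-TAG (IEEE 802.1ah)

def mac(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)

def parse_frame(frame: bytes) -> dict:
    """Parse DA, SA, the whole tag stack and the final Type/Length of a frame
    as a NIC delivers it (preamble, SFD and FCS already stripped)."""
    out = {"da": mac(frame[0:6]), "sa": mac(frame[6:12]), "tags": []}
    off = 12
    while True:
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid in (TPID_C, TPID_S):
            tci = struct.unpack_from("!H", frame, off + 2)[0]
            tag = {"type": "C-TAG" if tpid == TPID_C else "S-TAG",
                   "pcp": tci >> 13, "vid": tci & 0x0FFF}
            # bit 12 is CFI in a C-TAG but Drop Eligibility (DEI) in an S-/B-TAG
            tag["cfi" if tpid == TPID_C else "dei"] = (tci >> 12) & 1
            tag["reserved_vid"] = tag["vid"] in (0x000, 0xFFF)  # priority-tagged / wildcard
            out["tags"].append(tag)
            off += 4
        elif tpid == TPID_I:
            # I-TAG TCI is 4 bytes: I-PCP(3) I-DEI(1) UCA(1) reserved(3) I-SID(24)
            tci = struct.unpack_from("!I", frame, off + 2)[0]
            out["tags"].append({"type": "I-TAG", "pcp": tci >> 29,
                                "dei": (tci >> 28) & 1, "isid": tci & 0xFFFFFF})
            # the customer MAC header (C-DA, C-SA) follows the I-TAG
            out["c_da"], out["c_sa"] = mac(frame[off + 6:off + 12]), mac(frame[off + 12:off + 18])
            off += 18
        else:
            out["type_length"] = tpid
            out["payload"] = frame[off + 2:]
            return out

# Constructed sample: an 802.1ah backbone frame carrying an S-tagged, C-tagged
# customer frame (all addresses, VIDs and the I-SID are made up for this example).
SAMPLE_PBB = (bytes.fromhex("001122334455") + bytes.fromhex("00aabbccddee")    # B-DA, B-SA
              + struct.pack("!HH", TPID_S, (3 << 13) | 100)                    # B-TAG: PCP 3, B-VID 100
              + struct.pack("!HI", TPID_I, (5 << 29) | (1 << 28) | 0x012345)   # I-TAG: PCP 5, DEI 1, I-SID
              + bytes.fromhex("02aaaaaaaaaa") + bytes.fromhex("02bbbbbbbbbb")  # C-DA, C-SA
              + struct.pack("!HH", TPID_S, 200)                                # S-TAG: S-VID 200
              + struct.pack("!HH", TPID_C, 10)                                 # C-TAG: C-VID 10
              + struct.pack("!H", 0x0800) + b"\x45\x00" * 4)                    # Type (IPv4) + payload
```

`parse_frame(SAMPLE_PBB)` returns the backbone addresses, a tag list of S-TAG (the B-TAG), I-TAG, S-TAG, C-TAG in that order, and the encapsulated customer addresses.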
Encapsulation
I-Tagged
Example