C-VLAN 802.1x.pdf
7/24/2019 C-VLAN 802.1x.pdf
1/44
IEEE 802.1Q, IEEE 802.1ad, IEEE 802.1ah
Standards supporting VLANs
-
IEEE 802.1Q VLAN frame format
Original Ethernet Frame Format
Ethernet frames on a tagged port can include a VLAN tag.

Label     Field Name                   Size             Description
PA        Preamble                     7 bytes          Used to synchronize traffic between nodes
SF        Start Frame Delimiter        1 byte           Marks the beginning of the header
DA        Destination Address          6 bytes          The MAC address of the next/final hop
SA        Source Address               6 bytes          The MAC address of the source
TPI       Tag Protocol Identifier      2 bytes          Indicates this frame uses 802.1p or 802.1Q tags; set to 8100 in the standard
P         User Priority                3 bits           Indicates the 802.1p priority level 0-7 (CoS)
CFI       Canonical Format Indicator   1 bit            Indicates whether the MAC addresses are in canonical format (bit-ordering information); Ethernet uses 0, Token Ring differs
VLAN ID   VLAN Identifier (VID)        12 bits          Indicates which VLAN this frame belongs to (1-4094)
T/L       Type/Length Field            2 bytes          Ethernet II type or 802.3 length information
Payload   Payload                      48 - 1500 bytes  User data or higher layer protocol information
FCS       Frame Check Sequence         4 bytes          Error checking on the frame contents, also known as CRC (Cyclic Redundancy Check)

Tag layout (4 bytes): TPI = 81 00 | User Priority (P) | CFI | VLAN ID (VID), identifying 4094 possible VLANs

Untagged frame:  PA SFD DA SA TL Data (46 - 1500 bytes) FCS IFG
Tagged frame:    PA SFD DA SA TPI VLAN TL Data (46 - 1500 bytes) FCS IFG
-
IEEE 802.1Q VLAN: reserved VID values
Two VID values are reserved (they cannot be used or configured):
0x000: Null VLAN ID, used for priority-tagged frames
0xFFF: reserved for management wildcard lookup and other future uses
-
IEEE 802.1Q VLAN
Untagged frame:  C-DA | C-SA | Client Data | FCS
C-tagged frame:  C-DA | C-SA | C-TAG | Client Data | C-FCS
The standard currently refers to VLANs (Virtual LANs); IEEE 802.1Q changes the terminology to Customer VLANs (C-VLAN).
As the frame has changed, the checksum must be recalculated.
The C-VLAN tag also contains 3 bits of priority information, originally defined in IEEE 802.1p.
This is an opportunity to use that information for QoS on Ethernet.
VLAN Aware Bridge
-
IEEE 802.1Q-aware Bridge
Figure: a single Q-aware bridge (Switch) hosting three virtual switches, one each for Location A, Location B and Location C.
Three virtual switches inside a single Q-aware bridge
-
Port Type: Access Port
Each Access Port has the following behaviour:
An access port has one VLAN in its member set: the Port VLAN (P-VLAN, configured against that port).
All frames received with the P-VLAN are forwarded.
All untagged and priority-tagged frames are forwarded (classified into the P-VLAN).
All frames received with any other VLAN are dropped.
Frames received on other ports of the bridge are only forwarded to this port if they belong to the P-VLAN.
All frames transmitted on this port have the P-VLAN tag removed.
VLAN rules are enforced by the management system.
-
Port Type: Trunk Port
Each Trunk Port has the following behaviour:
A Trunk port is in the member set of all VLANs, and transmits all frames with VLAN tags.
It discards all packets received on it that belong to a VLAN not configured on the bridge.
Every frame transmitted on this port carries one of the configured VLANs.
The operator only has to configure the port as a Trunk port; all configured VLANs then become part of its member set.
Every new VLAN they create automatically becomes part of the member set.
VLAN rules are enforced by the management system.
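As an added example (not part of the slides), the following Python model implements the Access and Trunk port rules of the two slides above; the configuration built by demo_bridge() is constructed for the example, and untagged frames arriving on a trunk, which the slides do not define, are treated as not belonging to any configured VLAN and dropped.

```python
# Added example (not from the slides): ingress/egress rules of Access and Trunk
# ports on a VLAN-aware bridge. A frame's VID is None (untagged), 0 (priority-tagged)
# or 1-4094 (tagged).
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Port:
    name: str
    kind: str                    # "access" or "trunk"
    pvid: Optional[int] = None   # Port VLAN (P-VLAN), access ports only

@dataclass
class Bridge:
    configured_vlans: set                    # VLANs created by the operator
    ports: dict = field(default_factory=dict)

    def member_set(self, port: Port) -> set:
        """Access port: only its P-VLAN. Trunk port: every configured VLAN,
        so a newly created VLAN joins the trunk automatically."""
        return {port.pvid} if port.kind == "access" else set(self.configured_vlans)

    def ingress(self, port: Port, vid: Optional[int]) -> Optional[int]:
        """Classify a received frame into a VLAN; None means the frame is dropped."""
        if port.kind == "access":
            # untagged and priority-tagged frames take the P-VLAN; tagged frames pass
            # only if they already carry the P-VLAN, any other VLAN is dropped
            return port.pvid if vid in (None, 0, port.pvid) else None
        # trunk: discard frames from a VLAN not configured on the bridge
        # (untagged frames on a trunk are not defined by the slides: dropped here)
        return vid if vid in self.member_set(port) else None

    def egress(self, port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
        """(forwarded?, VID on the wire). Only VLANs in the port's member set leave
        the port; access ports strip the tag, trunk ports always transmit tagged."""
        if vlan not in self.member_set(port):
            return (False, None)
        return (True, None) if port.kind == "access" else (True, vlan)

def forward(bridge: Bridge, in_port: str, vid: Optional[int], out_port: str) -> Tuple[bool, Optional[int]]:
    """Carry one frame from in_port to out_port through the bridge."""
    vlan = bridge.ingress(bridge.ports[in_port], vid)
    if vlan is None:
        return (False, None)
    return bridge.egress(bridge.ports[out_port], vlan)

def demo_bridge() -> Bridge:
    """Constructed configuration: VLANs 10 and 20, two access ports and one trunk."""
    b = Bridge(configured_vlans={10, 20})
    for p in (Port("a10", "access", 10), Port("a20", "access", 20), Port("t", "trunk")):
        b.ports[p.name] = p
    return b
```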
-
Provider Bridge
IEEE 802.1ad
-
Starting with the Q-in-Q concept (introduced by Cisco)
Q-in-Q has two key concepts:
It introduces the Tunnel Port / Tunnel VLAN concept, which is used to tunnel Customer VLAN-tagged traffic through a provider network by stacking a second VLAN tag.
It introduces the concept of tunnelling various Customer Control Protocols (C-PDUs) that would normally be terminated by the peering bridge.
Therefore:
Q-in-Q can tunnel all of a single customer's VLAN-tagged traffic over a single T-VLAN.
Q-in-Q allows for scalable networks and customer separation.
-
Ethernet Multi-TAG Frame, not standardised (Cisco solution), so called Q-in-Q or Q dot Q frames
VLAN Stacking
Tagged Ethernet II frame:  PA SFD DA SA TPI VLAN TL Data (46 - 1500 bytes) FCS IFG
Double-tagged frame:       PA SFD DA SA TPI 2 VLAN2 TPI 1 VLAN1 TL Data (46 - 1500 bytes) Mod. FCS IFG
(the second tag, TPI 2 / VLAN2, is inserted in front of the original TPI 1 / VLAN1, and the FCS is modified accordingly)
-
IEEE 802.1ad: Network view
Figure: Nodes 1 to 5 attached to a Provider Bridge Network (IEEE 802.1ad); the Customer VLANs C-VLAN #1, C-VLAN #2 and C-VLAN #3 are carried between the nodes across the provider network.
-
IEEE 802.1ad: Bridge View
Figure: Tunnel Edge Bridges at the edge of the Provider Network (equipped with standard bridges). The Tunnel Port encapsulates the purple and red Customer VLANs into the light blue Tunnel VLAN (a port-based Service VLAN). Customer-VLANs are on the customer side, Tunnel-VLANs inside the provider network; the sites shown are Customer A network 1, 2 and 3, and Customer B network 1 and 2.
-
Definition of a PB (IEEE 802.1ad)
A Provider Bridge enables a Service Provider to use a common infrastructure of Bridges and LANs to offer the equivalent of separate LANs, Bridges and Virtual Bridged Private LANs to independent customer organisations.
Separation of the different domains is the key here:
C-VLANs are Customer-operated
S-VLANs are Service-provider operated
The Customer is unaware of the Service network (and of other customers)
-
IEEE 802.1ad Frame Formats
Customer TPID = 8100, Provider TPID = 88A8
Provider Bridges see C-TAGged traffic as untagged.
Therefore, an S-TAG is stacked on top of the C-TAG.
Unlike Q-in-Q, we can now see whether each VLAN tag comes from a customer or from the service provider.
Customer frame:                           C-DA | C-SA | C-TAG | Client Data | C-FCS
After the Provider Edge Bridge (S-TAG):   C-DA | C-SA | S-TAG | C-TAG | Client Data | S-FCS
(figure labels: Provider Edge Bridge, S-TAG, I-TAG)
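As an added example (not from the slides), the following Python code parses the tag stack laid out on the 802.1Q, Q-in-Q and 802.1ad frame-format slides and names it the way the slides do; the sample frame bytes are constructed for the example.

```python
# Added example (not from the slides): parse the VLAN tag stack of an Ethernet frame.
# Each tag is TPID (2 bytes) + TCI (2 bytes): PCP (3 bits) | CFI/DEI (1 bit) | VID (12 bits).
import struct
from typing import NamedTuple, Tuple

TPID_C = 0x8100       # C-TAG: customer VLAN (802.1Q)
TPID_S = 0x88A8       # S-TAG: service VLAN (802.1ad); its bit 12 is the Drop Eligibility flag
VID_NULL = 0x000      # priority-tagged frame, carries no VLAN
VID_WILDCARD = 0xFFF  # reserved, must never appear on the wire

# kind is "C" or "S"; dei is the CFI bit on a C-TAG and the Drop Eligibility bit on an S-TAG
Tag = NamedTuple("Tag", [("kind", str), ("pcp", int), ("dei", int), ("vid", int)])
# tags are ordered outermost first (in 802.1ad the S-TAG sits above the C-TAG)
Frame = NamedTuple("Frame", [("dst", str), ("src", str), ("tags", tuple), ("ethertype", int), ("payload", bytes)])

def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("truncated frame")
    tags, off = [], 12
    while off + 2 <= len(raw) and struct.unpack_from("!H", raw, off)[0] in (TPID_C, TPID_S):
        if off + 4 > len(raw):
            raise ValueError("truncated tag")
        tpid, tci = struct.unpack_from("!HH", raw, off)
        vid = tci & 0x0FFF
        if vid == VID_WILDCARD:
            raise ValueError("VID 0xFFF is reserved")
        tags.append(Tag("C" if tpid == TPID_C else "S", tci >> 13, (tci >> 12) & 1, vid))
        off += 4
    if off + 2 > len(raw):
        raise ValueError("missing Type/Length field")
    etype = struct.unpack_from("!H", raw, off)[0]
    return Frame(raw[:6].hex(":"), raw[6:12].hex(":"), tuple(tags), etype, raw[off + 2:])

def classify(frame: Frame) -> str:
    """Name the tag stack the way the slides do."""
    kinds = [t.kind for t in frame.tags]
    if not kinds:
        return "untagged"
    if kinds == ["C"]:
        return "priority-tagged" if frame.tags[0].vid == VID_NULL else "C-tagged"
    if kinds == ["C", "C"]:
        return "Q-in-Q"   # Cisco stacking: two C-TAGs, not distinguishable by TPID
    return "S-tagged" if kinds == ["S"] else "SC-tagged" if kinds == ["S", "C"] else "other"

def provider_view(frame: Frame) -> Tuple[Tag, ...]:
    """Provider Bridges see C-tagged traffic as untagged: only S-TAGs are visible to them."""
    return tuple(t for t in frame.tags if t.kind == "S")

# constructed sample: S-TAG (DEI=1, S-VID 2000) over C-TAG (PCP 5, C-VID 100), IPv4 ethertype
SAMPLE_SC = bytes.fromhex("01005e000001" "001122334455" "88a817d0" "8100a064" "0800") + b"payload"
```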
-
New definitions from IEEE 802.1ad
C-VLAN: Customer VLAN, previously defined as a VLAN in 802.1Q. TPID = 8100
S-VLAN: Service Provider VLAN, used inside the provider network. TPID = 88A8 (the S-TAG also contains a Drop Eligibility flag)
Provider Edge Bridge: a system comprising a single S-VLAN component and one or more C-VLAN components
S-VLAN Bridge: a system comprising a single S-VLAN component
Provider Bridge: an S-VLAN Bridge or a Provider Edge Bridge
-
Component definitions (EISS = Enhanced Internal Sublayer Service)
The PB / PEB definitions define components.
These are generic building blocks for the PB and PEB; the type of component determines the type of VLAN handled.
Two such component types are defined in IEEE 802.1ad:
C-VLAN component: a VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Customer VLAN tags
S-VLAN component: a VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Service VLAN tags
-
Port designations
Customer Edge Port (CEP): a C-VLAN component port on a Provider Edge Bridge that receives / transmits frames for a single customer
Customer Network Port (CNP): an S-VLAN component port on a Provider Bridge / within a Provider Edge Bridge that receives / transmits frames for a single customer
Provider Edge Port (PEP): a C-VLAN component port within a Provider Edge Bridge that connects to a CNP and receives / transmits frames for a single customer
Provider Network Port (PNP): an S-VLAN component port on a Provider Bridge that receives / transmits frames for multiple customers
-
Port designation on Provider Bridges
Figure: a Provider Edge Bridge made of C-VLAN components S1, S2, S3 and one S-VLAN component, sitting between customer-operated Q-Bridges and provider-operated bridges. Each C-VLAN component has a CEP (tagged with C-VIDs, or untagged with a PVID) and PEPs; the PEPs connect to CNPs of the S-VLAN component (untagged, PVID; the links are marked "Tagged or Untagged"), and the S-VLAN component's PNP is tagged. The Provider Bridge (S4, S5, S6) has CNPs that are either untagged (PVID) or tagged (S-VID), and tagged PNPs.
CEP (untagged) supports only one C-VLAN
CEP (tagged) supports multiple C-VLANs (with multiple C-VIDs)
CNP (untagged) has a 1:1 relationship with a C-VLAN / S-VLAN
CNP (tagged) supports multiple S-VLANs (with multiple S-VIDs)
PNP (tagged) supports multiple services
-
Customer Edge Port (CEP)
Connected to customer-owned equipment
Receives and transmits frames for a single customer
Supports the following types of service:
C-untagged: handling of frames with no C-VLAN tag
C-tagged: handling of frames with a C-VLAN tag
Provides a mapping for each C-VLAN to an S-VLAN; untagged and priority-tagged frames are mapped to the Port Default C-VLAN
Connected via a C-VLAN component to one or more PEP(s); the customer RSTP is extended over this C-VLAN component
Customer BPDUs are VLAN-tagged and transmitted over the Provider Network as normal multicast traffic
-
Customer Network Port (CNP)
Connected to customer-owned equipment
Receives and transmits frames for a single customer
Supports the following types of service:
Port-based: handling of frames with no S-VLAN tag
S-tagged: handling of frames with an S-VLAN tag
Provides a re-mapping function for S-VLANs; untagged and priority-tagged frames are mapped to the Port Default S-VLAN
A CNP exists as either:
Physical port: connected directly to the customer
Logical port: internal LAN connection on a 1:1 basis to a PEP
-
Provider Network Port (PNP)
Connected to provider equipment
Receives and transmits frames for multiple customers
Supports the following types of service:
S-tagged: handling of frames with an S-VLAN tag
SC-tagged: handling of frames with both an S-VLAN and a C-VLAN tag
All frames received must have an S-VLAN tag; any packets without a valid S-VLAN are dropped
Connected via the S-VLAN component to the CNPs; Provider BPDUs are only transmitted over the PNP
-
Changes for Protocol Frames
IEEE 802.1Q defined the following range as reserved: 01-80-C2-00-00-00 to 01-80-C2-00-00-0F
Frames received in this range must not be forwarded; they must be either peered or discarded.
IEEE 802.1ad sets a new range for S-VLAN components: 01-80-C2-00-00-01 to 01-80-C2-00-00-0A
The Bridge Group Address is therefore treated by S-VLAN components as a normal multicast address
Customer BPDUs will therefore be S-VLAN tagged
These frames are then forwarded like customer multicast
-
Network / Subnetwork Segregation: Protocol Frames

IEEE 802.1Q Bridges Reserved Addresses
Protocol Type                   Multicast MAC Address   Length or Ethertype   LLC Type 1 Header (DSAP-SSAP / Control)
Spanning Tree                   01-80-c2-00-00-00       length                42-42 / 03
Rapid Spanning Tree             01-80-c2-00-00-00       length                42-42 / 03
Multiple Spanning Tree          01-80-c2-00-00-00       length                42-42 / 03
Pause                           01-80-c2-00-00-01       88-08                 Not LLC encapsulated
Link Aggregation Control        01-80-c2-00-00-02       88-09                 Not LLC encapsulated
Link Aggregation Marker         01-80-c2-00-00-02       88-09                 Not LLC encapsulated
Port Authentication Entity      01-80-c2-00-00-03       88-8e                 Not LLC encapsulated
Link Layer Discovery            01-80-c2-00-00-0e       88-cc                 Not LLC encapsulated
GARP Multicast Registration     01-80-c2-00-00-20       length                42-42 / 03
GARP VLAN Registration          01-80-c2-00-00-21       length                42-42 / 03

IEEE 802.1ad Bridges Additional Reserved Addresses
Protocol Type                   Multicast MAC Address   Length or Ethertype   LLC Type 1 Header (DSAP-SSAP / Control)
Provider Spanning Tree          01-80-c2-00-00-08       length                42-42 / 03
Provider Rapid Spanning Tree    01-80-c2-00-00-08       length                42-42 / 03
Provider Multiple Spanning Tree 01-80-c2-00-00-08       length                42-42 / 03
Provider GARP VLAN Registration 01-80-c2-00-00-0d
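As an added example (not from the slides), the following Python code applies the reserved-address ranges of the previous slide and the table above: it decides which destination group addresses a C-VLAN component and an S-VLAN component must peer or discard rather than forward, and names the protocol an address carries. The table of protocol names is copied from the slide; the decision functions follow the two ranges the slides quote.

```python
# Added example (not from the slides): treatment of frames sent to the reserved
# 01-80-C2-00-00-xx group addresses by C-VLAN and S-VLAN components.
from typing import Optional

RESERVED_PROTOCOLS = {   # last address octet -> protocol(s), from the slide's table
    0x00: "STP / RSTP / MSTP (LLC 42-42, control 03)",
    0x01: "Pause (Ethertype 88-08)",
    0x02: "Link Aggregation Control / Marker (Ethertype 88-09)",
    0x03: "Port Authentication Entity (Ethertype 88-8e)",
    0x08: "Provider STP / RSTP / MSTP (LLC 42-42, control 03)",
    0x0D: "Provider GARP VLAN Registration",
    0x0E: "Link Layer Discovery (Ethertype 88-cc)",
    0x20: "GARP Multicast Registration (LLC 42-42, control 03)",
    0x21: "GARP VLAN Registration (LLC 42-42, control 03)",
}

def reserved_octet(dst_mac: str) -> Optional[int]:
    """Last octet of dst_mac if it is 01-80-C2-00-00-xx (':' or '-' separators), else None."""
    octets = dst_mac.lower().replace("-", ":").split(":")
    if len(octets) != 6 or octets[:5] != ["01", "80", "c2", "00", "00"]:
        return None
    return int(octets[5], 16)

def c_vlan_component_action(dst_mac: str) -> str:
    """802.1Q / C-VLAN component: addresses 00..0F must not be forwarded; the bridge
    either handles them itself (peers) or discards them. The provider bridge group
    address (08) lies inside this range, so provider BPDUs arriving on a CNP are
    effectively blocked from the customer side."""
    o = reserved_octet(dst_mac)
    return "peer-or-discard" if o is not None and o <= 0x0F else "forward"

def s_vlan_component_action(dst_mac: str) -> str:
    """802.1ad S-VLAN component: only 01..0A is reserved. The normal bridge group
    address (00) is therefore ordinary multicast: customer BPDUs are S-tagged and
    forwarded across the provider network instead of being processed.
    Note: the slide's table also lists 0D (provider GVRP) as an additional 802.1ad
    reserved address, outside the 01..0A range quoted on the previous slide; this
    code follows the quoted range."""
    o = reserved_octet(dst_mac)
    return "peer-or-discard" if o is not None and 0x01 <= o <= 0x0A else "forward"

def describe(dst_mac: str) -> str:
    """Protocol carried by a reserved destination address, per the slide's table."""
    return RESERVED_PROTOCOLS.get(reserved_octet(dst_mac), "not a reserved bridge address")
```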
-
Customer RSTP
Figure: a Provider Edge Bridge with CEP, PEP, CNP and PNP ports, and Provider Bridges with PNPs, showing the Customer Spanning Trees extended across the provider network.
IEEE 802.1ad specifies RSTP per C-VLAN component of PEBs
RSTP BPDUs use the normal bridge group address
RSTP BPDUs are transmitted on all CEPs and PEPs
BPDU transmission on PEPs extends RSTP per C-VLAN to other customer subnets
The Provider bridge group address is included in the C-VLAN component reserved list, so Provider BPDUs via CNPs are effectively blocked
The normal bridge group address is omitted from the PB and S-VLAN component reserved list
Customer BPDUs are neither blocked nor processed; instead they are tagged and forwarded
-
Provider MSTP
Figure: a Provider Edge Bridge (CEP, PEP, CNP, PNP) and Provider Bridges (PNPs), showing the Provider Spanning Tree.
IEEE 802.1ad specifies MSTP on PBs and on S-VLAN components of PEBs
Provider BPDUs use the provider bridge group address
Provider BPDUs are transmitted on all CNPs and PNPs
-
Provider Backbone Bridge
IEEE 802.1ah
-
Provider Backbone Bridge Network
Concepts
Backbone service creation
Provisioning Hierarchy: Customer, Provider, Backbone
Address space separation
-
Provider Backbone Bridge
Terminology
-
From LAN Bridges to
Provider Backbone Bridges
-
Bridge Types
Backbone Bridge
Backbone Edge Bridge
-
New Backbone Edge Bridge Ports
Customer Backbone Port (CBP): a port of a Backbone Edge Bridge that can receive and transmit I-tagged frames, assign the B-VID and translate the I-SID.
Provider Instance Port (PIP): a port of an I-component in a Backbone Edge Bridge that provides access to the backbone service.
Figure: port designation on a Provider Edge Bridge, the same figure as on the "Port designation on Provider Bridges" slide (C-VLAN components S1, S2, S3 with CEP and PEPs; S-VLAN component with CNPs and a tagged PNP; customer Q-Bridges on the customer side).
-
Backbone Edge Bridge (I-Function)
Towards the PIPs:
C-DA and C-SA are encapsulated inside the I-TAG
B-DA is taken from a local table; B-SA is the MAC address of the PIP
From the PIPs:
accepts only frames whose B-DA equals the MAC address of the PIP
C-DA and C-SA are taken from the I-TAG
The I-TAG is removed and discarded
-
Backbone Edge Bridge (B-Function)
Adds a B-TAG and forwards I-tagged frames towards the PNPs
Removes the B-TAG when receiving frames from a PNP
The S-TAG TPID and the B-TAG TPID are the same (88A8), as in IEEE 802.1ad
-
Backbone Edge Bridge (IB-Function)
Contains one B-component and one or more I-components
-
Backbone Bridge Components
B-component: an S-VLAN component with one or more Customer Backbone Ports (CBP)
Recognises and uses the I-TAG
Supports the assignment of B-VIDs (VLANs inside the backbone) based on the I-SID on the CBPs
Supports termination of the PBBN Spanning Trees
I-component: an S-VLAN component with one or more Provider Instance Ports (PIP)
Supports the mapping between S-VID and I-SID
Supports termination of the PBN Spanning Trees
-
Backbone Core Bridge
Used inside a Provider Backbone Bridged Network (PBBN).
Learns only the MAC addresses belonging to the PBBN. Handles frames like a Provider Bridge (IEEE 802.1ad).
The name BCB is only a logical distinction within the 802.1ah standard.
-
Definitions in brief
Backbone MAC Address (B-MAC): MAC address associated with a Provider Instance Port and used to build the MAC header of I-tagged frames transmitted across a Provider Backbone Bridged Network
Backbone MAC Frame: a LAN frame with backbone MAC addresses
Backbone service instance: an instance of a service in a Provider Backbone Bridged Network between two or more Virtual Instance Ports in Backbone Edge Bridges
Backbone Service Instance Identifier (I-SID): field of a Backbone Service Instance tag that identifies the service instance of a frame
Backbone Service Instance Drop Eligibility Indicator (I-DEI): field of a Backbone Service Instance tag that indicates whether a frame may be dropped in a backbone service instance
Backbone Service Instance priority code point (I-PCP): field of a Backbone Service Instance tag that indicates the priority of a frame in a backbone service instance
Backbone Service Instance tag (I-TAG): tag with Ethertype 88E7
Backbone VLAN (B-VLAN): VLAN identified by a Backbone VLAN ID
Backbone VLAN drop eligible indicator (B-DEI): field of a B-TAG that indicates whether the frame may be dropped
Backbone VLAN ID (B-VID): VLAN identifier in a B-TAG
Backbone VLAN priority code point (B-PCP): field of a B-TAG that indicates the priority of a frame in a Backbone VLAN
Backbone VLAN tag (B-TAG): S-TAG used together with backbone MAC addresses
Backbone VLAN tagged frames: frames that contain a B-TAG immediately after the source MAC address
-
Ethernet Types / I-TAG
-
Port Based: conceptually identical to the 802.1ad case; frames with an S-TAG are not accepted unless they carry T-TAG=0 (priority-tagged).
-
S-Tagged: maps a service instance identified by an S-VID to a Backbone service instance on the PBBN identified by an I-SID.
-
S-TAGGED interfaces
1:1 mapping between S-VID and I-SID: in this case the S-TAG is not carried but is derived from the I-SID; priority and DEI are regenerated at the I-TAG level.
Bundling of several S-VIDs onto a single I-SID: in this case the S-TAG is carried as well, with its priority and DEI, which are also copied into the I-TAG.
Encapsulation
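As an added example (not from the slides), the following Python code models the I-function and B-function of a Backbone Edge Bridge described on the earlier slides, together with the two S-tagged interface modes above (1:1 and bundling). The I-TAG layout used here (Ethertype 88E7 followed by a 4-byte TCI holding I-PCP, I-DEI and a 24-bit I-SID) is taken from IEEE 802.1ah and is an assumption, not something shown on the slides; the MAC addresses, the B-DA table and the S-VID/I-SID map are constructed for the example.

```python
# Added example (not from the slides): I-function and B-function of a Backbone Edge
# Bridge. Assumed I-TAG layout (IEEE 802.1ah, not given on the slides): Ethertype 88E7,
# then a 4-byte TCI = I-PCP(3) | I-DEI(1) | 4 flag bits (zero here) | I-SID(24).
import struct

ETH_ITAG, ETH_BTAG, ETH_STAG = 0x88E7, 0x88A8, 0x88A8   # B-TAG reuses the S-TAG TPID

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

class IFunction:
    """One I-component. svid_to_isid is the S-VID -> I-SID map. Mode '1:1' strips the
    S-TAG on the way in and regenerates it from the I-SID on the way out; mode
    'bundling' carries the S-TAG inside the I-tagged frame."""
    def __init__(self, pip_mac, bda_table, svid_to_isid, mode="1:1"):
        self.pip_mac = mac(pip_mac)                                       # B-SA of emitted frames
        self.bda_table = {mac(k): mac(v) for k, v in bda_table.items()}  # C-DA -> B-DA (local table)
        self.svid_to_isid = svid_to_isid
        self.isid_to_svid = {v: k for k, v in svid_to_isid.items()}
        self.mode = mode

    def to_pip(self, s_frame):
        """Customer side -> PIP. s_frame is C-DA | C-SA | S-TAG | Type | ... (bytes)."""
        c_da, c_sa = s_frame[:6], s_frame[6:12]
        tpid, s_tci = struct.unpack_from("!HH", s_frame, 12)
        if tpid != ETH_STAG:
            return None                                           # S-tagged service: S-TAG required
        pcp, dei, s_vid = s_tci >> 13, (s_tci >> 12) & 1, s_tci & 0x0FFF
        rest = s_frame[16:] if self.mode == "1:1" else s_frame[12:]     # 1:1 drops the S-TAG
        i_tci = (pcp << 29) | (dei << 28) | self.svid_to_isid[s_vid]   # priority/DEI copied into I-TAG
        return self.bda_table[c_da] + self.pip_mac + struct.pack("!HI", ETH_ITAG, i_tci) + c_da + c_sa + rest

    def from_pip(self, i_frame):
        """PIP -> customer side. Only frames whose B-DA is this PIP's MAC are accepted."""
        if i_frame[:6] != self.pip_mac:
            return None
        etype, i_tci = struct.unpack_from("!HI", i_frame, 12)
        if etype != ETH_ITAG:
            return None
        c_da, c_sa, rest = i_frame[18:24], i_frame[24:30], i_frame[30:]
        if self.mode == "1:1":                                    # regenerate S-TAG from I-SID, PCP, DEI
            s_tci = ((i_tci >> 29) << 13) | (((i_tci >> 28) & 1) << 12) | self.isid_to_svid[i_tci & 0xFFFFFF]
            rest = struct.pack("!HH", ETH_STAG, s_tci) + rest
        return c_da + c_sa + rest                                 # backbone header and I-TAG discarded

def b_function_to_pnp(i_frame, b_vid, b_pcp=0, b_dei=0):
    """Insert a B-TAG after B-SA before sending the I-tagged frame out of a PNP."""
    return i_frame[:12] + struct.pack("!HH", ETH_BTAG, (b_pcp << 13) | (b_dei << 12) | b_vid) + i_frame[12:]

def b_function_from_pnp(b_frame):
    """Strip the B-TAG of a frame received on a PNP; returns (B-VID, I-tagged frame)."""
    etype, b_tci = struct.unpack_from("!HH", b_frame, 12)
    return None if etype != ETH_BTAG else (b_tci & 0x0FFF, b_frame[:12] + b_frame[16:])
```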
-
Encapsulation
-
I-Tagged
-
Example