© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕ ๑

Switched NetworksSwitched Networks

Petr GrygPetr Grygáárekrek

© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕ ๒

L2 SwitchingL2 Switching

๓© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Layer 2 sLayer 2 switching witching

• eliminates collisions (microsegmentation)eliminates collisions (microsegmentation)• full duplex improves performancefull duplex improves performance• hardware-based bridging (high port density)hardware-based bridging (high port density)

• wire-speed switching, low latencywire-speed switching, low latency• usage of TCAMsusage of TCAMs

๔© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Expectations of today’s switched Expectations of today’s switched networksnetworks

• Fast convergence Fast convergence • Deterministic paths Deterministic paths • Redundancy Redundancy • ScalabilityScalability

• MMultiprotocol supportultiprotocol support• MulticastingMulticasting• Deterministic QoSDeterministic QoS• ......

๕© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Redundancy in switched networksRedundancy in switched networks

๖© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Problems with redundancyProblems with redundancy

• Bridging/switching requires topology without Bridging/switching requires topology without loopsloops• avoids frame cycling and duplicationavoids frame cycling and duplication

• Alternative links are necessary to implement Alternative links are necessary to implement redundancyredundancy

• Need for protocol calculating tree topologyNeed for protocol calculating tree topology• Runs between bridges/switchesRuns between bridges/switches• Some ports blocked, other forwardingSome ports blocked, other forwarding

๗© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Redundancy implementation optionsRedundancy implementation options

• L2: Spanning TreeL2: Spanning Tree• Some links unused all the time (blocked ports)Some links unused all the time (blocked ports)• VLAN-based load balancing is still an optionVLAN-based load balancing is still an option

• L3: Routing protocolsL3: Routing protocols• Better metricBetter metric• Support for load balancingSupport for load balancing• L3 may be moved rather easily to access layer with L3 may be moved rather easily to access layer with

L3 switchesL3 switches

• ““Routed” L2 networksRouted” L2 networks• THRILL / FabricPathTHRILL / FabricPath

๘© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning TreeSpanning Tree (802.1d) (802.1d)

• spanning treespanning tree is a tree which spans over all is a tree which spans over all switchesswitches

• continually monitors network topology and continually monitors network topology and dynamically chooses spanning treedynamically chooses spanning tree• topology is automatically recalculated if some link topology is automatically recalculated if some link

failsfails

• distributed calculationdistributed calculation• Based on BPDU exchange, timers and/or proposal-Based on BPDU exchange, timers and/or proposal-

agreement interactionsagreement interactions

๙© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning Tree PrincipleSpanning Tree Principle

1.1. RRoot bridgeoot bridge election election• according toaccording to  preconfigured bridge prioritiespreconfigured bridge priorities• preemptivepreemptive

2.2. Calculation of shortest path tree Calculation of shortest path tree • Shortest paths from elected root bridge to every other bridges Shortest paths from elected root bridge to every other bridges

(based on cummulated path cost from received BPDUs)(based on cummulated path cost from received BPDUs)• preference preference of individual of individual linlinks may be influenced by configuring ks may be influenced by configuring

link costslink costs• by default, cost is inverse proportional to bandwidthby default, cost is inverse proportional to bandwidth• if multiple equal-cost path exist, port priority used as tiebreakerif multiple equal-cost path exist, port priority used as tiebreaker

• PortPorts on spanning tree are s on spanning tree are forwarding, forwarding, other blockingother blockingBoth of these phases take place continuouslyBoth of these phases take place continuously

๑๐© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning Tree OperationSpanning Tree Operation1.1. Root bridge electionRoot bridge election2.2. Selection of root port of every bridgeSelection of root port of every bridge

• forwards traffic to/from root bridgeforwards traffic to/from root bridge3.3. Selection of designated ports for every LAN segmentSelection of designated ports for every LAN segment

• necessary when LAN segment attached via multiple bridgesnecessary when LAN segment attached via multiple bridges• path via bridge with lower root path cost is preferredpath via bridge with lower root path cost is preferred

• Only root and designated ports forward traffic, other ports Only root and designated ports forward traffic, other ports are blockedare blocked

• Ports in blocking state listen for BPDUsPorts in blocking state listen for BPDUs• transit into Listening (and possibly Forwarding) state when BPDUs transit into Listening (and possibly Forwarding) state when BPDUs

are not received anymoreare not received anymore

๑๑© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Mechanics of SPT (1)Mechanics of SPT (1)• Root bridge generates Bridge Protocol Data Unit Root bridge generates Bridge Protocol Data Unit

(BPDU) every 2 seconds(BPDU) every 2 seconds• Other switches forward it along spanning tree, accumulating Other switches forward it along spanning tree, accumulating

total root path cost inside BPDUtotal root path cost inside BPDU• Root bridge defines values of various timersRoot bridge defines values of various timers

• Every bridge checks for periodic arrivals of BPDUs on Every bridge checks for periodic arrivals of BPDUs on it’s root portit’s root port• Root port is the port nearest to the root (lowest path cost)Root port is the port nearest to the root (lowest path cost)• Bridge maintains “best” BPDU heart on every portBridge maintains “best” BPDU heart on every port

• Link cost added to root path cost when BPDU arrives on portLink cost added to root path cost when BPDU arrives on port• MaxAge timer (20s) used to time-out BPDUMaxAge timer (20s) used to time-out BPDU

• New root port have to be chosen when MaxAge timer expires on New root port have to be chosen when MaxAge timer expires on current root portcurrent root port

• Blocking port will go to LIS / LRN /FWD states after MaxAge Blocking port will go to LIS / LRN /FWD states after MaxAge expiresexpires

๑๒© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Mechanics of SPT (2)Mechanics of SPT (2)• When bridge detects link failure, it reports topology change to the root port (TCN)When bridge detects link failure, it reports topology change to the root port (TCN)

• Every other bridge forwards TCN to the root portEvery other bridge forwards TCN to the root port• When root hears Topology Change Notification, it reports Topology Change in it’s When root hears Topology Change Notification, it reports Topology Change in it’s

BPDUs for some timeBPDUs for some time• After bridge hears Topology Change indication, it shortens it’s MaxAge timer After bridge hears Topology Change indication, it shortens it’s MaxAge timer

to its MAC address table entriesto its MAC address table entries• Good reason to explicitly mark “edge” ports to avoid STP changes when hosts Good reason to explicitly mark “edge” ports to avoid STP changes when hosts

are turned on and offare turned on and off• To avoid loops during transition to another tree, SPT defines transient statesTo avoid loops during transition to another tree, SPT defines transient states

• LListeisteningning – bridge listens for BPDUs – bridge listens for BPDUs• selection of root bridge, root port and designated portsselection of root bridge, root port and designated ports

• LearLearningning – bridge only learns bridging table – bridge only learns bridging table• still does not forward trafficstill does not forward traffic• used to limit floodingused to limit flooding

• Port spends 15 seconds in both Listening and Learning statesPort spends 15 seconds in both Listening and Learning states• After link failure, it may take up to 50 secs to build alternative spanning treeAfter link failure, it may take up to 50 secs to build alternative spanning tree

• When BPDUs are no longer heart on some port:When BPDUs are no longer heart on some port: 20 secs to MaxAge timer expiration, 15s in Listening state, 15s in Learning 20 secs to MaxAge timer expiration, 15s in Listening state, 15s in Learning statestate

๑๓© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

BPDU flagsBPDU flags

• Topology ChangeTopology Change• Set by root bridge to inform other bridges about topology Set by root bridge to inform other bridges about topology

changechange

• Topology Change Notification (TCN)Topology Change Notification (TCN)• Signals change of network topology Signals change of network topology

• Topology Change Notification AckTopology Change Notification Ack• acknowledges TCN to downstream bridgeacknowledges TCN to downstream bridge

TCN counters are a good tool to detect and TCN counters are a good tool to detect and troubleshoot STP instabilitytroubleshoot STP instability

๑๔© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning Tree EnhancementsSpanning Tree EnhancementsAdditional features to shorten STP convergenceAdditional features to shorten STP convergence

• 50 seconds reconverergence of 802.1d is not enough for today’s high 50 seconds reconverergence of 802.1d is not enough for today’s high availability requirementsavailability requirements

• PortFastPortFast• access ports transits directly to Forwarding stateaccess ports transits directly to Forwarding state• edge port up<->downPort transition do not cause topology change and edge port up<->downPort transition do not cause topology change and

shortening of MAC address aging timeoutshortening of MAC address aging timeout• UplinkFastUplinkFast

• fast switch to alternate uplink port when primary uplink fails (detected by HW)fast switch to alternate uplink port when primary uplink fails (detected by HW)• Bypasses Listening and Learning statesBypasses Listening and Learning states• Mechanism to update bridging table accordinglyMechanism to update bridging table accordingly

• BackboneFastBackboneFast• eliminates 20s MaxAge delay when non-directly attached link on root path failseliminates 20s MaxAge delay when non-directly attached link on root path fails• utilizes special BPDU types to confirm loss of root bridge connection on root utilizes special BPDU types to confirm loss of root bridge connection on root

portport

๑๕© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning Tree SecuritySpanning Tree Security

• BPDU GuardBPDU Guard• Root GuardRoot Guard• Unidirectional link detectionUnidirectional link detection

• BPDU Filter – to split multiple STP domainsBPDU Filter – to split multiple STP domains

๑๖© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Rapid Spanning TreeRapid Spanning Tree (802.1w) - (1) (802.1w) - (1)

• ““Subsecond” convergenceSubsecond” convergence• Backward-compatible with 802.1dBackward-compatible with 802.1d

• per-port, not recommendedper-port, not recommended• The same basic principles as legacy STPThe same basic principles as legacy STP• Proposal/agreement mechanism added to try to speed up Proposal/agreement mechanism added to try to speed up

transfer to forwarding statetransfer to forwarding state• Hierarchical descent in treeHierarchical descent in tree

• Incorporates many 802.1d enhancementsIncorporates many 802.1d enhancements• PortFast (edge ports)PortFast (edge ports)• UplinkFast, BackboneFastUplinkFast, BackboneFast

๑๗© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Rapid Spanning Tree (802.1w) - (2)Rapid Spanning Tree (802.1w) - (2)• Shared and P2P link typesShared and P2P link types

• differentiated according to full/half duplexdifferentiated according to full/half duplex• Potentially faster transition to forwarding state on P2P Potentially faster transition to forwarding state on P2P

links (proposal-agreement negotiation)links (proposal-agreement negotiation)• Every bridge sends BPDUs independently (according to Every bridge sends BPDUs independently (according to

Hello timer)Hello timer)• does not forward Root bridge’s BPDUs as 802.1ddoes not forward Root bridge’s BPDUs as 802.1d• BPDUs used as keepalives (3 misses treated as link BPDUs used as keepalives (3 misses treated as link

failure)failure)• Topology change notification flooded directly from bridge Topology change notification flooded directly from bridge

which detected itwhich detected it• does not need to travel to root bridge and back does not need to travel to root bridge and back

downstream the treedownstream the tree

๑๘© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Transparent Interconnection Transparent Interconnection of Lots of Links (TRILL) - 802.1aqof Lots of Links (TRILL) - 802.1aq• L2 multipath solutionL2 multipath solution• Eliminates Spanning TreeEliminates Spanning Tree• ISIS-like routingISIS-like routing• L2 frame encapsulationL2 frame encapsulation

• new header carries switch identities on frame pathnew header carries switch identities on frame path

๑๙© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Multilayer switchingMultilayer switching

๒๐© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Layer 3 switchingLayer 3 switching• hardware-based routinghardware-based routing

• speed of switching and the scalability of routingspeed of switching and the scalability of routing• Usage of TCAMsUsage of TCAMs

• for network prefixes and subnet masksfor network prefixes and subnet masks

• llayer 3 switch acts on a packet in the same way ayer 3 switch acts on a packet in the same way that a traditional router does that a traditional router does • not only forwards it but modifies some header fields not only forwards it but modifies some header fields

also (TTL, checksum)also (TTL, checksum)

๒๑© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Routing vs. L3 switchingRouting vs. L3 switching

• GGeneral-purpose routerseneral-purpose routers• microprocessor-based engines (“software-based routers”)microprocessor-based engines (“software-based routers”)

• easier adding of new features (and bugs ;-) )easier adding of new features (and bugs ;-) )• software-based packet switchingsoftware-based packet switching• various WAN interfacesvarious WAN interfaces

• Layer 3 Layer 3 switchswitch• hardware-based packet hardware-based packet switchingswitching

• similar procedures as applied to L2 frames are applied also to L3 packets by similar procedures as applied to L2 frames are applied also to L3 packets by L3 switchL3 switch

• handle high-performance LAN traffichandle high-performance LAN traffic• many ports of the same technology (Ethernet)many ports of the same technology (Ethernet)• routed or switched port modesrouted or switched port modes• Often VLAN-based, virtual router interfaces to individual VLANsOften VLAN-based, virtual router interfaces to individual VLANs• Some configured features cause that packets must be process-switched, Some configured features cause that packets must be process-switched,

i.e. handled by CPUi.e. handled by CPU• special kinds of ACLs, per-packet load balancing, …special kinds of ACLs, per-packet load balancing, …

๒๒© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Multilayer SwitchingMultilayer Switching• Notion of flow (L2, L3, L4)Notion of flow (L2, L3, L4)

• Unidirectional stream defined by IP addresses (and L4 Unidirectional stream defined by IP addresses (and L4 information)information)• May aggregate more TCP/UDP flows between two May aggregate more TCP/UDP flows between two

stationsstations• Defined by flow mask Defined by flow mask

• Destination IP addressDestination IP address• Source+Destination IP addressSource+Destination IP address• Source+Destination IP address, L4 protocol, source+destination Source+Destination IP address, L4 protocol, source+destination

portport• Although Destination IP address is sufficient for normal Although Destination IP address is sufficient for normal

destination-based switching, more specific masks must be destination-based switching, more specific masks must be used if standard/extended ACLs àre defined or policy used if standard/extended ACLs àre defined or policy routing is appliedrouting is applied

๒๓© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Multilayer SwitchingMultilayer SwitchingImplementation optionImplementation option

• First packet routed, following packets of the same flow First packet routed, following packets of the same flow switchedswitched• Cache of flow entries maintainedCache of flow entries maintained

• Cache entry created when first packet is processedCache entry created when first packet is processed• Contains both L3 and L2 information (including Contains both L3 and L2 information (including

input/output VLAN IDs)input/output VLAN IDs)• Used for fast frame/packet header rewriteUsed for fast frame/packet header rewrite

๒๔© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Example 1:Example 1: Cisco M Cisco Multilayer Switchingultilayer Switching (MLS) (MLS)

ImplementationImplementation

๒๕© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

MLS ComponentsMLS Components• Switching Engine (SE)Switching Engine (SE)

• switch with additional intelligence (MLS-enabled)switch with additional intelligence (MLS-enabled)• Route Processor (RP)Route Processor (RP)

• router capable to report information to SErouter capable to report information to SE

• SE and RP communicate via MLSP protocolSE and RP communicate via MLSP protocol• RP multicasts information about all MAC addresses of RP’s RP multicasts information about all MAC addresses of RP’s

interfaces (together with LAN IDs) by MLSPinterfaces (together with LAN IDs) by MLSP• needed by SE to recognize packets sent to the routerneeded by SE to recognize packets sent to the router

• RP sends flow masks of active flows to SEs by MLSPRP sends flow masks of active flows to SEs by MLSP• MLSP message may ask SE to invalidate caches when route MLSP message may ask SE to invalidate caches when route

path changes path changes • and when ACLs configured at RP interfaces changesand when ACLs configured at RP interfaces changes

๒๖© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

MLS Operation (1)MLS Operation (1)• Candidate PacketCandidate Packet

• = Packet sent to MAC address of RP interface (packet going out of = Packet sent to MAC address of RP interface (packet going out of local VLAN)local VLAN)

• Creates entry in SE’s switching cacheCreates entry in SE’s switching cache• Flow mask associated with switching cache entry defines packet Flow mask associated with switching cache entry defines packet

header fields sufficient to identify flowheader fields sufficient to identify flow• Necessary because of possible ACLs on RP interfacesNecessary because of possible ACLs on RP interfaces• Flow mask sent to SE by RP via MLSPFlow mask sent to SE by RP via MLSP

• Enable PacketEnable Packet• = Packet sent from MAC address of RP interface (to another = Packet sent from MAC address of RP interface (to another

VLAN)VLAN)• Completes corresponding cache entryCompletes corresponding cache entry

To recognize Candidate/Enable packets, SE must know MAC addresses To recognize Candidate/Enable packets, SE must know MAC addresses of all RP interfaces – propagated by MLSPof all RP interfaces – propagated by MLSP

๒๗© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

MLS Operation (2)MLS Operation (2)• If SE detects packet sent from client to RP interface, it looks for If SE detects packet sent from client to RP interface, it looks for

matching cache entrymatching cache entry• If it is found, packet’s L3 and L2 header is rewritten, and RP If it is found, packet’s L3 and L2 header is rewritten, and RP

is bypassed completelyis bypassed completely• SRC MAC=MAC of RP interface, DST MAC from cache, SRC MAC=MAC of RP interface, DST MAC from cache,

IP TTL--, recalculate IP header checksumIP TTL--, recalculate IP header checksum• Forwards to VLAN according to information in cache Forwards to VLAN according to information in cache

entryentry• Based on VLAN membership of outgoing RP Based on VLAN membership of outgoing RP

interfaceinterface• If routing tables or ACLs change on the RP, cache in SE has to If routing tables or ACLs change on the RP, cache in SE has to

be completely invalidatedbe completely invalidated• RP reports that to SEs via MLSPRP reports that to SEs via MLSP• it may introduce significant inefficiency in some situationsit may introduce significant inefficiency in some situations

๒๘© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Example 2:Example 2:Cisco Express Forwarding (CEF)Cisco Express Forwarding (CEF)

๒๙© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Cisco Express ForwardingCisco Express Forwarding

• Used to limit searches in the routing table, recursive Used to limit searches in the routing table, recursive routing table lookup and ARP-cache entry access routing table lookup and ARP-cache entry access needed for frame header rewriteneeded for frame header rewrite

• Except routing table, router also maintains Except routing table, router also maintains • Forwarding Information Base (FIB) Forwarding Information Base (FIB) • Adjacency TableAdjacency Table

• All necessary forwarding information is concentrated at All necessary forwarding information is concentrated at single placesingle place

๓๐© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

CEF Forwarding CEF Forwarding InformationInformation Base and Base and Adjacency Table (1)Adjacency Table (1)

• Forwarding Information Base (FIB) Forwarding Information Base (FIB) • routing table transformed to 4-level 256-way tree for faster routing table transformed to 4-level 256-way tree for faster

searchingsearching• leaf used to forward particular packet selected on longest-leaf used to forward particular packet selected on longest-

matchmatch• links to adjacency tablelinks to adjacency table• ““Mtrie” structureMtrie” structure

• created in advance (by software process)created in advance (by software process)• takes into account all destinations in routing table, not takes into account all destinations in routing table, not

only active flowsonly active flows• recursive lookups resolvedrecursive lookups resolved

• Adjacency tableAdjacency table• Maintain L2/L3 neighbor informationMaintain L2/L3 neighbor information• Used to make ARP table search process fasterUsed to make ARP table search process faster• Allows fast packet rewriteAllows fast packet rewrite

๓๑© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

CEF Forwarding CEF Forwarding InformationInformation Base and Base and Adjacency Table (2)Adjacency Table (2)

• Nodes of FIB (256-way tree) point into Adjacency tableNodes of FIB (256-way tree) point into Adjacency table• ““mtrie” data structure – leafs contain pointers to mtrie” data structure – leafs contain pointers to

Adjacency tableAdjacency table• Not needed to search in additional ARP tableNot needed to search in additional ARP table• Support for load balancing (multiple pointers to Support for load balancing (multiple pointers to

Adjacency table used in round-robin way) Adjacency table used in round-robin way) • If L2 neighbor information change, FIB structure If L2 neighbor information change, FIB structure

need not to be completely invalidatedneed not to be completely invalidated

๓๒© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

CEF AdvantagesCEF Advantages• Suitable even for many short-term flows (Internet Suitable even for many short-term flows (Internet

backbone)backbone)• No need of route-cache invalidation after routing No need of route-cache invalidation after routing

table changetable change• All packets (including first one) routed by hardwareAll packets (including first one) routed by hardware

• HW accesses FIB and Adjacency tableHW accesses FIB and Adjacency table• If topology chances, only part of FIB can be selectively If topology chances, only part of FIB can be selectively

modifiedmodified• doesn’t clear complete cache as MLS doesdoesn’t clear complete cache as MLS does

๓๓© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

VLANsVLANs

๓๔© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Earlier and today’s LAN traffic Earlier and today’s LAN traffic characteristicscharacteristics

• ““Clasical” 80/20 rule:Clasical” 80/20 rule:• 80% of traffic remains local (VLAN boundary)80% of traffic remains local (VLAN boundary)• Users don’t cross backbone to access most of required Users don’t cross backbone to access most of required

resources (workgroup servers)resources (workgroup servers)• Users grouped logicallyUsers grouped logically

• 80/20 rule no longer valid for global services80/20 rule no longer valid for global services• 20/80 rule20/80 rule• Responds to trend of resource centraliResponds to trend of resource centralizzationation

• sserver farms, Web services, erver farms, Web services, data centers, ...data centers, ...• Requires high-performance L3 switchingRequires high-performance L3 switching

๓๕© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

VLAN modelsVLAN models• 1 VLAN 1 VLAN = 1 IP subnet= 1 IP subnet• VLAN modelsVLAN models

• campus-wide LANs (older)campus-wide LANs (older)• ““end-to-end VLANs”end-to-end VLANs”• VLANs group devices according to functionality (common resources)VLANs group devices according to functionality (common resources)• regardless to physical locationregardless to physical location• Common security policy for all VLAN membersCommon security policy for all VLAN members• User's mobility limited to VLANUser's mobility limited to VLAN• 80/20 rule80/20 rule

• local VLANs (modern approach)local VLANs (modern approach)• Uses L3 switchesUses L3 switches• Switch block used as design unitSwitch block used as design unit• Switch block contains multiple access switches +L3 switchSwitch block contains multiple access switches +L3 switch

• VLANs terminated on L3 switchVLANs terminated on L3 switch• fast routing (L3 switching) between interconnected L3 switchesfast routing (L3 switching) between interconnected L3 switches• 20/80 rule20/80 rule

• VLANs in datacentersVLANs in datacenters

• provide flexibility for configuration-based creation of virtual topologiesprovide flexibility for configuration-based creation of virtual topologies• including service modules on the stickincluding service modules on the stick

๓๖© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

VLAN membershipVLAN membership• Static (port-based)Static (port-based)

• (non-trunk) ports with no explicit VLAN assignment fall into default VLAN (non-trunk) ports with no explicit VLAN assignment fall into default VLAN • Dynamic (based on L2/L3 information, most often source MAC address)Dynamic (based on L2/L3 information, most often source MAC address)

• 802.1x-based802.1x-based• Proprietary solutions like Cisco VMPS serverProprietary solutions like Cisco VMPS server

• Maintains database of MAC-to-VLAN assignmentsMaintains database of MAC-to-VLAN assignments• Devices not listed may fall to „default“ VLANDevices not listed may fall to „default“ VLAN

• VLAN assignment defined by VLAN assignment defined by the the first frame receivedfirst frame received• Cisco: all devices on the port must be in the same VLANCisco: all devices on the port must be in the same VLAN

• If following frames should belong to another VLANs, they are not If following frames should belong to another VLANs, they are not permittedpermitted

• Port-to-VLAN assignmPort-to-VLAN assignmentent del deleteeted d if port isif port is disconnected disconnected • (linkbeat pulses fail(linkbeat pulses fail to arrive to arrive))

• PPort limitationsort limitations for users may be defined for users may be defined• Specific device may be Specific device may be denied to assign VLAN if connected to wrong denied to assign VLAN if connected to wrong

portport• VMPS server: high-end switch (or LinuxVMPS server: high-end switch (or Linux :-) :-) ))• VMPS client: has IP address of VMPS server and ports allowing dynamic VMPS client: has IP address of VMPS server and ports allowing dynamic

membership configuredmembership configured• UDP-based VLAN Query Protocol (VQP) between VMPS client(s) and UDP-based VLAN Query Protocol (VQP) between VMPS client(s) and

VMPS serverVMPS server

๓๗© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

VLAN - TrunkingVLAN - Trunking• 802.1q header (802.1p/q)802.1q header (802.1p/q)

• ““internal tagging” – imposition of tag modifies original frameinternal tagging” – imposition of tag modifies original frame• EtherType=0x8100EtherType=0x8100• 2B header: 12b VLAN ID, 3b priority (QoS)2B header: 12b VLAN ID, 3b priority (QoS)• Maximum frame length extended from 1518 to 1522 BMaximum frame length extended from 1518 to 1522 B

• including CRCincluding CRC

• 802.1q trunks also allows untagged frames802.1q trunks also allows untagged frames• ““Native VLAN”Native VLAN”• Must be mapped to the same VLAN at both trunk link sides ends to avoid Must be mapped to the same VLAN at both trunk link sides ends to avoid

unwanted “hopping” between VLANsunwanted “hopping” between VLANs• Trunk configuration may limit VLANs allowed to transitTrunk configuration may limit VLANs allowed to transit

• Limits unnecessary broadcasts/flooding to switches where no members of Limits unnecessary broadcasts/flooding to switches where no members of particular VLAN resideparticular VLAN reside

• Lowers number of logical ports handled by per-VLAN STP which increases STP Lowers number of logical ports handled by per-VLAN STP which increases STP stabilitystability

• May be limited dynamically by pruning protocol reporting active VLAN members May be limited dynamically by pruning protocol reporting active VLAN members on individual switcheson individual switches• VLAN carrying service protocols (STP, VTP, …) is never prunedVLAN carrying service protocols (STP, VTP, …) is never pruned

• GARP/GVRP, Cisco: VTPGARP/GVRP, Cisco: VTP

๓๘© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

VLAN TunnelingVLAN Tunneling

• dot1QinQdot1QinQ• Encapsulates 802.1q frame in provider network Encapsulates 802.1q frame in provider network

with another 802.1q framewith another 802.1q frame• Enables overlapping VLAN numbers of Enables overlapping VLAN numbers of

multiple separated customers to be transported multiple separated customers to be transported via VLAN-based provider’s core networkvia VLAN-based provider’s core network

๓๙© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Spanning tree and VLANsSpanning tree and VLANs• 802.1q: Common Spanning Tree (CST)802.1q: Common Spanning Tree (CST)

• 802.1d802.1d in VLAN 1, common tree for all VLANs in VLAN 1, common tree for all VLANs• Per-VLAN Spanning TreePer-VLAN Spanning Tree

• Separate tree for every VLANSeparate tree for every VLAN• Infrastructure may be used efficientlyInfrastructure may be used efficiently• Requires lot of CPU processing if many VLAN are activeRequires lot of CPU processing if many VLAN are active

• Multiple Spanning Tree (802.1s)Multiple Spanning Tree (802.1s)• Based on Based on Rapid Spanning Tree (802.1w)Rapid Spanning Tree (802.1w)• Multiple SPT instances, each instance computes SPT for Multiple SPT instances, each instance computes SPT for

group of VLANsgroup of VLANs• ““Default” instance (IST0) used to interface with CSTDefault” instance (IST0) used to interface with CST

• avoid mapping of user VLANs to IST0avoid mapping of user VLANs to IST0

๔๐© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Routing between VLANsRouting between VLANs

๔๑© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Routing between VLANsRouting between VLANsConnection of one VLAN to one router port inefficient Connection of one VLAN to one router port inefficient

for tens of VLANs, there exists better solutions:for tens of VLANs, there exists better solutions:• Route-switch module of legacy (L2) switchRoute-switch module of legacy (L2) switch• VLAN virtual interfaces on L3 switchVLAN virtual interfaces on L3 switch• Router-on-the stickRouter-on-the stick

• Trunk link between switch cluster and single routerTrunk link between switch cluster and single router• Limited scalabilityLimited scalability• For 80/20 traffic pattern, router should be STP root for all For 80/20 traffic pattern, router should be STP root for all

VLANsVLANs• Ensures shortest paths from every switch to the routerEnsures shortest paths from every switch to the router

๔๒© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Another technologies commonly Another technologies commonly seen in switched networksseen in switched networks

๔๓© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Channel Bundling / Port ChannellingChannel Bundling / Port Channelling• Group of ports configured to act as single link and share loadGroup of ports configured to act as single link and share load

• Group forms single link from STP perspectiveGroup forms single link from STP perspective• Only lines that are up at each instant are usedOnly lines that are up at each instant are used• Can group both trunk and access links (all of the same type)Can group both trunk and access links (all of the same type)

• Ports of a group have to have identical parametersPorts of a group have to have identical parameters• Speed, duplex, trunking mode, …Speed, duplex, trunking mode, …

• L2 or L3 modeL2 or L3 mode• Various load balancing methodsVarious load balancing methods

• per-source, per-destination, combination of bothper-source, per-destination, combination of both• each side may use different methodeach side may use different method• important to set properly to reach equal utilization of bundle linesimportant to set properly to reach equal utilization of bundle lines

• One switch may define multiple port groupsOne switch may define multiple port groups• Groups differentiated by group IDGroups differentiated by group ID

• Link Aggregation Control Protocol (LACP) – 802.1adLink Aggregation Control Protocol (LACP) – 802.1ad• Negotiates port bundles, continuously check status of each member linkNegotiates port bundles, continuously check status of each member link

๔๔© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Monitoring of Switched NetworkMonitoring of Switched Network• Switched Port Analyser (SPAN)Switched Port Analyser (SPAN)

• frames received/transmitted by specified port(s) are copied to port designated frames received/transmitted by specified port(s) are copied to port designated as SPAN portas SPAN port

• VSPAN = VSPAN = SPAN using VLANSPAN using VLANss as monitored source as monitored source • copies all frames of particular VLAN to SPAN portcopies all frames of particular VLAN to SPAN port

• RSPAN = remote monitoring using SPAN portRSPAN = remote monitoring using SPAN port• SPAN port of switch different from the one with monitored ports may be SPAN port of switch different from the one with monitored ports may be

usedused• (switches connected together with trunk link)(switches connected together with trunk link)

• reserves one VLAN on the trunk link to carry monitored trafficreserves one VLAN on the trunk link to carry monitored traffic

• ERSPAN – captured frames encapsulated in IP-based transport (GRE)ERSPAN – captured frames encapsulated in IP-based transport (GRE)

Due to SPAN port speed limitation, the mechanism is not sufficient for Due to SPAN port speed limitation, the mechanism is not sufficient for wire-speed traffic monitoring.wire-speed traffic monitoring.

๔๕© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

Switched network securitySwitched network security• ACLs supported by hardwareACLs supported by hardware

• Port ACLsPort ACLs• In/outIn/out• Filters according to MAC, but sometimes also IP/Layer4 addressFilters according to MAC, but sometimes also IP/Layer4 address

• VLAN ACLsVLAN ACLs• directionless, define traffic allowed to pass through particular VLANdirectionless, define traffic allowed to pass through particular VLAN

• L3 switch: virtual router interface’s ACLsL3 switch: virtual router interface’s ACLs

• Port securityPort security• Limits (source) MAC addresses allowed on portLimits (source) MAC addresses allowed on port• Limits number of MAC addresses dynamically learned on particular portLimits number of MAC addresses dynamically learned on particular port• 802.1x authentication, NAC802.1x authentication, NAC

• Protected portsProtected ports• disallows to forward traffic to other protected portsdisallows to forward traffic to other protected ports

• restrict peer-to-peer communicationrestrict peer-to-peer communication

• Private VLANsPrivate VLANs

• Isolated and Community VLANs, promiscuos portsIsolated and Community VLANs, promiscuos ports

๔๖© Petr Grygarek, VSB-TU Ostrava, Routed and Switched Networks๒๐๐๕

LABsLABs

• Observing STP behaviorObserving STP behavior• Configuring EtherChannelConfiguring EtherChannel

• Inter-VLAN routing with external routerInter-VLAN routing with external router• Inter-VLAN routing with L3 switchInter-VLAN routing with L3 switch

• + another routed ports+ another routed ports