C-VLAN 802.1x.pdf


  • 7/24/2019 C-VLAN 802.1x.pdf

    1/44

    IEEE 802.1Q, IEEE802.1ad, IEEE 802.1ah

Standards supporting VLANs

IEEE 802.1Q VLAN frame format

Original Ethernet Frame Format

Ethernet frames on a tagged port can include a VLAN tag:

Label    Field Name                  Size             Description
PA       Preamble                    7 bytes          Used to synchronize traffic between nodes
SFD      Start Frame Delimiter       1 byte           Marks the beginning of the header
DA       Destination Address         6 bytes          The MAC address of the next/final hop
SA       Source Address              6 bytes          The MAC address of the source
TPI      Tag Protocol Identifier     2 bytes          Indicates this frame uses 802.1p or Q tags; set to 8100 in the standard
P        User Priority               3 bits           Indicates 802.1p priority level 0-7 (CoS)
CFI      Canonical Format Indicator  1 bit            Indicates whether the MAC addresses are in canonical format (bit-ordering information); Ethernet uses 0, Token Ring differs
VLAN ID  VLAN Identifier (VID)       12 bits          Indicates which VLAN this frame belongs to (1-4094)
T/L      Type/Length Field           2 bytes          Ethernet II type or 802.3 length information
Payload  Payload                     48 - 1500 bytes  User data or higher layer protocol information
FCS      Frame Check Sequence        4 bytes          Error checking on the frame's contents, also known as CRC (Cyclic Redundancy Check)

Frame layouts (TPI = 81 00; the VLAN field carries User Priority (P), CFI and the VLAN ID (VID), which identifies 4094 possible VLANs):

Untagged:  PA | SFD | DA | SA | TL | Data (46 - 1500 bytes) | FCS | IFG
Tagged:    PA | SFD | DA | SA | TPI | VLAN | TL | Data (46 - 1500 bytes) | FCS | IFG
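As an added example (not part of the slide deck), the following Python parses the tag fields from the table above out of a raw frame. The sample frames are constructed for this example. It goes slightly beyond the slide: besides the 802.1Q TPI value 8100 it also recognizes the 802.1ad S-TAG TPID 88A8 introduced later in the deck, so stacked tags are returned outermost first, and it applies the reserved VID rules (0x000 null VID, 0xFFF reserved). That the preamble, SFD, FCS and IFG are not delivered to software, and that a Type/Length value of 0x0600 or more is an Ethernet II type, are assumptions about how a NIC hands frames up, not statements from the slides.

```python
# Added example (not from the slides): parse the table's fields out of a raw
# Ethernet frame. Sample frames below are constructed.
import struct

TPID_C_TAG = 0x8100   # TPI value "8100" from the table (802.1Q customer tag)
TPID_S_TAG = 0x88A8   # 802.1ad service tag TPID, introduced later in the deck
KNOWN_TPIDS = {TPID_C_TAG, TPID_S_TAG}


def parse_tci(tci: int) -> dict:
    """Split the 16-bit word after the TPI into P (3 bits), CFI (1 bit), VID (12 bits)."""
    return {"pcp": (tci >> 13) & 0x7, "cfi": (tci >> 12) & 0x1, "vid": tci & 0x0FFF}


def classify_vid(vid: int) -> str:
    """Apply the reserved-VID rules: 0x000 is the null VID, 0xFFF is reserved."""
    if vid == 0:
        return "priority-tagged"
    if vid == 0xFFF:
        return "reserved"
    return "vlan"


def parse_frame(frame: bytes) -> dict:
    """Walk DA, SA, any stacked VLAN tags and the T/L field of a frame.

    Assumption: preamble, SFD and IFG never reach software and the FCS is
    stripped by the NIC, so the buffer starts at DA and ends with the payload.
    """
    if len(frame) < 14:
        raise ValueError("shorter than a minimal Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Type/Length field")
        (tl,) = struct.unpack_from("!H", frame, offset)
        if tl not in KNOWN_TPIDS:
            break                      # reached the real T/L field
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tag = parse_tci(tci)
        tag["tpid"] = tl
        tag["kind"] = classify_vid(tag["vid"])
        tags.append(tag)
        offset += 4                    # each tag is TPI (2) + TCI (2) bytes
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tags": tags,                  # outermost tag first
        "tl": tl,
        "tl_is_type": tl >= 0x0600,    # assumption: Ethernet II type, otherwise an 802.3 length
        "payload": frame[offset + 2:],
    }


# Constructed sample frames (addresses and payload are made up).
_DA = bytes.fromhex("01005e000001")
_SA = bytes.fromhex("001122334455")
_PAYLOAD = b"\x45" + b"\x00" * 45                     # constructed 46-byte payload
SAMPLE_UNTAGGED = _DA + _SA + bytes.fromhex("0800") + _PAYLOAD
# TPI 0x8100, TCI 0x6064 = P 3, CFI 0, VID 100
SAMPLE_TAGGED = _DA + _SA + bytes.fromhex("81006064") + bytes.fromhex("0800") + _PAYLOAD
# TPI 0x8100, TCI 0xA000 = P 5, CFI 0, VID 0 (null VID, priority-tagged)
SAMPLE_PRIORITY_TAGGED = _DA + _SA + bytes.fromhex("8100A000") + bytes.fromhex("0800") + _PAYLOAD

if __name__ == "__main__":
    for name, f in [("untagged", SAMPLE_UNTAGGED), ("tagged", SAMPLE_TAGGED),
                    ("priority", SAMPLE_PRIORITY_TAGGED)]:
        print(name, parse_frame(f)["tags"])
```

Running the module prints the decoded tag list of each sample; a frame with two stacked tags (an S-TAG in front of the C-TAG) decodes to a two-element list with the S-TAG first.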

IEEE 802.1Q VLAN: Reserved VID values

Two VID values are reserved (cannot be used or configured):
0x000: Null VLAN ID, used for priority-tagged frames
0xFFF: Management wildcard lookup and other future uses

IEEE 802.1Q VLAN

[Figure: an untagged frame C-DA | C-SA | Client Data | FCS becomes the tagged frame C-DA | C-SA | C-TAG | Client Data | C-FCS]

The standard currently refers to VLANs (Virtual LANs); IEEE 802.1Q changes the terminology to Customer VLANs (C-VLAN).
As the frame has changed, the checksum must be recalculated.
The C-VLAN tag also contains 3 bits of priority information, originally defined in IEEE 802.1p.
This is an opportunity to use this information with Ethernet (QoS).

VLAN Aware Bridge

IEEE 802.1Q-aware Bridge

[Figure: one Q-aware bridge containing three virtual switches, each serving one of Location A, Location B and Location C]

Three virtual switches inside a single Q-aware bridge

Port Type: Access Port

Each Access Port has the following behaviour:
An access port has one VLAN in its member set: the Port VLAN (P-VLAN, configured against that port).
All frames received with the P-VLAN are forwarded.
All untagged and priority frames are forwarded (with the P-VLAN).
All frames received with any other VLAN are dropped.
Frames received on other ports of the bridge will only be forwarded to this port if they contain the P-VLAN.
All frames transmitted on this port have the P-VLAN tag removed.
VLAN rules are enforced by the management system.

Port Type: Trunk Port

Each Trunk Port has the following behaviour:
A Trunk port is in the member set of all VLANs, and transmits all frames with VLAN tags.
It will discard all packets received on it that are from a VLAN not configured on the bridge.
Every frame transmitted on this port will contain one of the configured VLANs.
The operator only has to configure the port as a Trunk port; all configured VLANs will then become part of its member set.
Every new VLAN the operator creates automatically becomes part of the member set.
VLAN rules are enforced by the management system.
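The access-port and trunk-port rules of the two slides above, modelled as an added Python example (not code from the slides). The port names, VLAN numbers and the bridge layout are constructed; the slides do not say what a trunk port does with an untagged or priority-tagged frame, so dropping it there is an assumption marked in the code.

```python
# Added example (not from the slides): a model of the access- and trunk-port
# ingress/egress rules. Port names and VLAN numbers are constructed.
from dataclasses import dataclass, field
from typing import Optional

UNTAGGED = None         # the received frame carried no VLAN tag
PRIORITY_TAGGED = 0     # VID 0: priority-tagged, treated like untagged


@dataclass
class Port:
    name: str
    kind: str                                           # "access" or "trunk"
    pvid: int = 1                                       # P-VLAN (access ports only)
    configured_vlans: set = field(default_factory=set)  # VLANs configured on the bridge

    def ingress(self, vid: Optional[int]) -> Optional[int]:
        """VLAN a received frame is forwarded in, or None when the port drops it."""
        if self.kind == "access":
            if vid in (UNTAGGED, PRIORITY_TAGGED):
                return self.pvid          # untagged and priority frames take the P-VLAN
            return self.pvid if vid == self.pvid else None   # any other VLAN is dropped
        if vid in (UNTAGGED, PRIORITY_TAGGED):
            return None                   # assumption: slides do not define untagged ingress on trunks
        return vid if vid in self.configured_vlans else None  # not configured on the bridge: discard

    def egress(self, vlan: int) -> tuple:
        """(forward?, VID written on the wire; None means the frame goes out untagged)."""
        if self.kind == "access":
            return (vlan == self.pvid, None)            # only the P-VLAN, with its tag removed
        return (vlan in self.configured_vlans, vlan)    # member of all VLANs, always tagged


def forward(bridge: list, in_port: Port, vid: Optional[int]) -> dict:
    """Flood one frame received on in_port; returns {port name: wire VID or None}."""
    vlan = in_port.ingress(vid)
    if vlan is None:
        return {}
    out = {}
    for p in bridge:
        if p is in_port:
            continue
        forwarded, wire_vid = p.egress(vlan)
        if forwarded:
            out[p.name] = wire_vid
    return out


# Constructed bridge: two access ports and one trunk, three VLANs configured.
BRIDGE_VLANS = {10, 20, 30}
BRIDGE = [
    Port("Gi0/1", "access", pvid=10, configured_vlans=BRIDGE_VLANS),
    Port("Gi0/2", "access", pvid=20, configured_vlans=BRIDGE_VLANS),
    Port("Gi0/24", "trunk", configured_vlans=BRIDGE_VLANS),
]

if __name__ == "__main__":
    print(forward(BRIDGE, BRIDGE[0], UNTAGGED))   # untagged on Gi0/1 -> tagged 10 on the trunk
    print(forward(BRIDGE, BRIDGE[0], 20))         # wrong VLAN on an access port -> dropped
    print(forward(BRIDGE, BRIDGE[2], 99))         # unconfigured VLAN on the trunk -> discarded
```

The flooding model deliberately ignores MAC learning: the point is only which ports admit a VLAN and whether the frame leaves tagged, which is what the two slides specify.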


    Provider Bridge

    IEEE 802.1ad

Starting with the Q-in-Q concept (introduced by Cisco)

Q-in-Q has two key concepts:
It introduces the Tunnel Port / Tunnel VLAN concept, which is used to tunnel Customer VLAN-tagged traffic through a provider network by stacking a second VLAN tag.
It introduces the concept of tunnelling various Customer Control Protocols (C-PDUs) that would normally be terminated by the peering bridge.

Therefore:
Q-in-Q can tunnel all of a single customer's VLAN-tagged traffic over a single T-VLAN.
Q-in-Q allows for scalable networks and customer separation.

Ethernet Multi-TAG Frame, not standardised (Cisco solution), so-called Q-in-Q or Q dot Q frames

VLAN Stacking

[Figure: the tagged Ethernet II frame PA | SFD | DA | SA | TPI | VLAN | TL | Data (46 - 1500 bytes) | FCS | IFG becomes the stacked frame PA | SFD | DA | SA | TPI 2 | VLAN 2 | TPI 1 | VLAN 1 | TL | Data (46 - 1500 bytes) | Mod. FCS | IFG]

IEEE 802.1ad: Network view

[Figure: a Provider Bridge Network (IEEE 802.1ad) interconnecting Node 1 to Node 5, each attached with C-VLAN #1, C-VLAN #2 and C-VLAN #3]

IEEE 802.1ad: Bridge View

[Figure: Tunnel Edge Bridges at the border of a Provider Network (equipped with standard bridges) connect Customer A networks 1, 2 and 3 and Customer B networks 1 and 2. Customer-VLANs are shown on the customer side and Tunnel-VLANs inside the provider network. The Tunnel Port encapsulates the purple and red Customer VLANs into the light blue Tunnel VLAN, i.e. a Port-based Service VLAN.]

Definition of a PB (IEEE 802.1ad)

A Provider Bridge enables a Service Provider to use a common infrastructure of Bridges and LANs to offer the equivalent of separate LANs, Bridges and Virtual Bridged Private LANs to independent customer organisations.

Separation of the different domains is the key here:
C-VLANs are Customer-operated.
S-VLANs are Service-provider operated.
The Customer is unaware of the Service network (and of other customers).

IEEE 802.1ad Frame Formats

Customer TPID = 8100, Provider TPID = 88A8
Provider Bridges see C-tagged traffic as untagged; therefore, an S-TAG is stacked on top of the C-TAG.
Unlike Q-in-Q, we can now see whether each VLAN is from a customer or from a service provider.

[Figure (labels: S-TAG, Provider Edge Bridge, I-TAG): the C-tagged frame C-DA | C-SA | C-TAG | Client Data | C-FCS becomes C-DA | C-SA | S-TAG | C-TAG | Client Data | S-FCS once the S-TAG is added]

New definitions from IEEE 802.1ad

C-VLAN: Customer VLAN, previously defined as a VLAN in 802.1Q. TPID = 8100.
S-VLAN: Service Provider VLAN, used inside the provider network. TPID = 88A8 (also contains a Drop Eligibility flag).
Provider Edge Bridge: a system comprising a single S-VLAN component and one or more C-VLAN components.
S-VLAN Bridge: a system comprising a single S-VLAN component.
Provider Bridge: an S-VLAN Bridge or a Provider Edge Bridge.

Component definitions (EISS = Enhanced Internal Sublayer Service)

The PB / PEB definitions define components. These are generic building blocks for the PB and PEB; the type of component determines the type of VLAN handled.
Two such component types are defined in IEEE 802.1ad:
C-VLAN component: a VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Customer VLAN tags.
S-VLAN component: a VLAN-aware bridge component with each Port supported by an instance of the EISS that can recognize, insert, and remove Service VLAN tags.

Port designations

Customer Edge Port (CEP): a C-VLAN component port on a Provider Edge Bridge that receives / transmits frames for a single customer.
Customer Network Port (CNP): an S-VLAN component port on a Provider Bridge / within a Provider Edge Bridge that receives / transmits frames for a single customer.
Provider Edge Port (PEP): a C-VLAN component port within a Provider Edge Bridge that connects to a CNP and receives / transmits frames for a single customer.
Provider Network Port (PNP): an S-VLAN component port on a Provider Bridge that receives / transmits frames for multiple customers.

Port designation on Provider Bridges

[Figure: a Provider Edge Bridge with three C-VLAN components (S1, S2, S3) and one S-VLAN component. Each C-VLAN component has a CEP towards the customer Q-bridges (tagged with a CVID, or untagged with a PVID) and PEPs (tagged or untagged) connected 1:1 to CNPs (untagged PVID) of the S-VLAN component, which has a tagged PNP. A Provider Bridge (S4, S5, S6) with CNP untagged PVID, CNP tagged SVID and PNP tagged ports connects customer-operated bridges and provider bridges.]

CEP (untagged) supports only one C-VLAN.
CEP (tagged) supports multiple C-VLANs (with multiple C-VIDs).
CNP (untagged) has a 1:1 relationship with a C-VLAN / S-VLAN.
CNP (tagged) supports multiple S-VLANs (with multiple S-VIDs).
PNP (tagged) supports multiple services.

Customer Edge Port (CEP)

Connected to customer-owned equipment.
Receives and transmits frames for a single customer.
Supports the following types of service:
  C-untagged: handling of frames with no C-VLAN tag.
  C-tagged: handling of frames with a C-VLAN tag.
Provides a mapping for each C-VLAN to an S-VLAN; untagged and priority frames are mapped to the Port Default C-VLAN.
Connected via a C-VLAN component to one or more PEP(s); customer RSTP is extended over this C-VLAN component.
Customer BPDUs are VLAN-tagged and transmitted over the Provider Network as normal multicast traffic.

Customer Network Port (CNP)

Connected to customer-owned equipment.
Receives and transmits frames for a single customer.
Supports the following types of service:
  Port-based: handling of frames with no S-VLAN tag.
  S-tagged: handling of frames with an S-VLAN tag.
Provides a re-mapping function for S-VLANs; untagged and priority frames are mapped to the Port Default S-VLAN.
A CNP exists as either:
  Physical port: connected directly to the customer.
  Logical port: internal LAN connection on a 1:1 basis to a PEP.

Provider Network Port (PNP)

Connected to provider equipment.
Receives and transmits frames for multiple customers.
Supports the following types of service:
  S-tagged: handling of frames with an S-VLAN tag.
  SC-tagged: handling of frames with an S-VLAN and a C-VLAN tag.
All frames received must have an S-VLAN tag; any packets without a valid S-VLAN are dropped.
Connected via the S-VLAN component to CNPs; provider BPDUs are only transmitted over the PNP.
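The CEP, CNP and PNP behaviours of the last three slides, together with the S-TAG stacking of the 802.1ad frame format slide, as an added Python example (not code from the slides). Frames are modelled at the field level with separate C-TAG and S-TAG VIDs rather than as bytes; the VLAN numbers, MAC strings and the C-VLAN to S-VLAN mapping are constructed, and two decisions the slides leave open (an unmapped C-VLAN on a CEP is dropped; a CEP only delivers the S-VLANs of its own mapping) are assumptions marked in the code.

```python
# Added example (not from the slides): CEP / CNP / PNP handling in a Provider
# Edge Bridge. VIDs, MACs and mappings are constructed.
from dataclasses import dataclass, replace
from typing import Optional

TPID_C_TAG = 0x8100   # customer tag
TPID_S_TAG = 0x88A8   # service tag


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    c_vid: Optional[int] = None     # None = no C-TAG; 0 = priority-tagged
    s_vid: Optional[int] = None     # None = no S-TAG
    payload: bytes = b""

    def tag_stack(self) -> list:
        """TPIDs in wire order: the S-TAG is stacked on top of (before) the C-TAG."""
        stack = []
        if self.s_vid is not None:
            stack.append(TPID_S_TAG)
        if self.c_vid is not None:
            stack.append(TPID_C_TAG)
        return stack


class ProviderEdgeBridge:
    def __init__(self, provider_svlans, cep_default_cvid, cvid_to_svid, cnp_default_svid):
        self.provider_svlans = set(provider_svlans)   # S-VLANs valid in the provider network
        self.cep_default_cvid = cep_default_cvid      # Port Default C-VLAN of the CEP
        self.cvid_to_svid = dict(cvid_to_svid)        # CEP mapping: C-VLAN -> S-VLAN
        self.cnp_default_svid = cnp_default_svid      # Port Default S-VLAN of a port-based CNP

    def cep_ingress(self, f: Frame) -> Optional[Frame]:
        """C-tagged / C-untagged service: choose the S-VLAN from the customer VLAN."""
        cvid = f.c_vid
        if cvid in (None, 0):
            cvid = self.cep_default_cvid       # untagged and priority frames -> Port Default C-VLAN
        svid = self.cvid_to_svid.get(cvid)
        if svid is None:
            return None                        # assumption: an unmapped C-VLAN is dropped
        return replace(f, s_vid=svid)          # S-TAG pushed; the C-TAG (if any) stays underneath

    def cnp_port_based_ingress(self, f: Frame) -> Optional[Frame]:
        """Port-based service on a CNP: frames with no S-TAG take the Port Default S-VLAN."""
        if f.s_vid in (None, 0):
            return replace(f, s_vid=self.cnp_default_svid)
        return f if f.s_vid in self.provider_svlans else None

    def pnp_ingress(self, f: Frame) -> Optional[Frame]:
        """PNP: every received frame must carry a valid S-TAG, anything else is dropped."""
        if f.s_vid is None or f.s_vid not in self.provider_svlans:
            return None
        return f

    def cep_egress(self, f: Frame) -> Optional[Frame]:
        """Towards the customer: strip the S-TAG; assumption: only this customer's S-VLANs pass."""
        if f.s_vid not in self.cvid_to_svid.values():
            return None
        return replace(f, s_vid=None)


# Constructed PEB: customer VLANs 10 and 20 mapped to service VLANs 100 and 200.
PEB = ProviderEdgeBridge(
    provider_svlans={100, 200},
    cep_default_cvid=10,
    cvid_to_svid={10: 100, 20: 200},
    cnp_default_svid=100,
)

if __name__ == "__main__":
    f = PEB.cep_ingress(Frame("02:00:00:00:00:01", "02:00:00:00:00:02", c_vid=20))
    print(f, [hex(t) for t in f.tag_stack()])      # S-TAG before C-TAG on the wire
    print(PEB.pnp_ingress(Frame("a", "b", c_vid=20, s_vid=999)))   # None: invalid S-VLAN
```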

Changes for Protocol Frames

IEEE 802.1Q defined the following range as reserved: 01-80-C2-00-00-00 to 01-80-C2-00-00-0F.
Frames received in this range must not be forwarded, but must be either peered or discarded.
IEEE 802.1ad sets a new range for S-VLAN components: 01-80-C2-00-00-01 to 01-80-C2-00-00-0A.
The Bridge Group Address is treated as a normal multicast address.
Customer BPDUs will therefore be S-VLAN tagged.
These frames are then forwarded as per customer multicast.

Network / Subnetwork Segregation Protocol Frames

IEEE 802.1Q Bridges Reserved Addresses

Protocol Type                    Multicast MAC Address  Length or Ethertype  LLC Type 1 Header (DSAP-SSAP / Control)
Spanning Tree                    01-80-c2-00-00-00      length               42-42 / 03
Rapid Spanning Tree              01-80-c2-00-00-00      length               42-42 / 03
Multiple Spanning Tree           01-80-c2-00-00-00      length               42-42 / 03
Pause                            01-80-c2-00-00-01      88-08                not LLC encapsulated
Link Aggregation Control         01-80-c2-00-00-02      88-09                not LLC encapsulated
Link Aggregation Marker          01-80-c2-00-00-02      88-09                not LLC encapsulated
Port Authentication Entity       01-80-c2-00-00-03      88-8e                not LLC encapsulated
Link Layer Discovery             01-80-c2-00-00-0e      88-cc                not LLC encapsulated
GARP Multicast Registration      01-80-c2-00-00-20      length               42-42 / 03
GARP VLAN Registration           01-80-c2-00-00-21      length               42-42 / 03

IEEE 802.1ad Bridges Additional Reserved Addresses

Protocol Type                    Multicast MAC Address  Length or Ethertype  LLC Type 1 Header (DSAP-SSAP / Control)
Provider Spanning Tree           01-80-c2-00-00-08      length               42-42 / 03
Provider Rapid Spanning Tree     01-80-c2-00-00-08      length               42-42 / 03
Provider Multiple Spanning Tree  01-80-c2-00-00-08      length               42-42 / 03
Provider GARP VLAN Registration  01-80-c2-00-00-0d

Customer RSTP

[Figure: a Provider Edge Bridge with CEP, PEP, CNP and PNP ports; the Customer Spanning Trees span the CEPs and PEPs, while the PNPs face the provider network]

IEEE 802.1ad specifies RSTP per C-VLAN component of PEBs.
RSTP BPDUs use the normal bridge group address.
RSTP BPDUs are transmitted on all CEPs and PEPs.
BPDU transmission on PEPs extends RSTP per C-VLAN to other customer subnets.
The provider bridge group address is included in the C-VLAN component reserved list, so Provider BPDUs via CNPs are effectively blocked.
The normal bridge group address is omitted from the PB and S-VLAN component reserved list.
Customer BPDUs are neither blocked nor processed; instead they are tagged and forwarded.
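The reserved-address rules of the last three slides (the 802.1Q range 00-0F for C-VLAN components, the 802.1ad range 01-0A for S-VLAN components, and the resulting fate of customer and provider BPDUs) as an added Python example, not code from the slides. The protocol names come from the table above; the list of sample events is constructed. A defender can run the same classification over a capture to check which control frames a given component type should have peered and which it should have passed through tagged.

```python
# Added example (not from the slides): disposition of control frames by
# destination MAC for C-VLAN versus S-VLAN components. Sample events are constructed.

BRIDGE_GROUP = "01:80:c2:00:00:00"           # normal (customer) bridge group address
PROVIDER_BRIDGE_GROUP = "01:80:c2:00:00:08"  # provider bridge group address

# Last octet of 01-80-C2-00-00-xx that each component type reserves (peer or discard).
RESERVED_BY_COMPONENT = {
    "C-VLAN": range(0x00, 0x10),   # 802.1Q: 01-80-C2-00-00-00 .. 0F
    "S-VLAN": range(0x01, 0x0B),   # 802.1ad: 01-80-C2-00-00-01 .. 0A
}

# Protocol names for the addresses listed in the table on the previous slide.
PROTOCOL_NAMES = {
    0x00: "STP / RSTP / MSTP",
    0x01: "Pause",
    0x02: "Link Aggregation Control / Marker",
    0x03: "Port Authentication Entity",
    0x08: "Provider STP / RSTP / MSTP",
    0x0D: "Provider GARP VLAN Registration",
    0x0E: "Link Layer Discovery",
    0x20: "GARP Multicast Registration",
    0x21: "GARP VLAN Registration",
}


def last_octet(mac: str):
    """Last octet of a 01-80-C2-00-00-xx address, or None for any other MAC."""
    octets = [int(x, 16) for x in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or octets[:5] != [0x01, 0x80, 0xC2, 0x00, 0x00]:
        return None
    return octets[5]


def disposition(component: str, dst_mac: str) -> str:
    """'peer-or-discard' when the component reserves the address, otherwise 'forward'."""
    octet = last_octet(dst_mac)
    if octet is not None and octet in RESERVED_BY_COMPONENT[component]:
        return "peer-or-discard"
    return "forward"


def classify(component: str, dst_mac: str) -> dict:
    octet = last_octet(dst_mac)
    name = PROTOCOL_NAMES.get(octet, "other") if octet is not None else "other"
    return {"component": component, "dst": dst_mac, "protocol": name,
            "disposition": disposition(component, dst_mac)}


def classify_events(events) -> list:
    """Classify a sequence of (component type, destination MAC) observations."""
    return [classify(component, mac) for component, mac in events]


# Constructed observations: (component type the frame arrived at, destination MAC).
SAMPLE_EVENTS = [
    ("S-VLAN", BRIDGE_GROUP),            # customer BPDU inside the provider network: tagged, forwarded
    ("C-VLAN", BRIDGE_GROUP),            # customer BPDU at a PEB C-VLAN component: RSTP peers it
    ("C-VLAN", PROVIDER_BRIDGE_GROUP),   # provider BPDU arriving via a CNP: blocked
    ("S-VLAN", PROVIDER_BRIDGE_GROUP),   # provider BPDU at an S-VLAN component: MSTP peers it
    ("S-VLAN", "01:80:c2:00:00:0e"),     # LLDP: outside the S-VLAN range, forwarded
    ("S-VLAN", "01:00:5e:00:00:01"),     # ordinary multicast
]

if __name__ == "__main__":
    for row in classify_events(SAMPLE_EVENTS):
        print(row)
```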

Provider MSTP

[Figure: a Provider Edge Bridge with CEP, PEP, CNP and PNP ports; the Provider Spanning Tree spans the CNPs and PNPs]

IEEE 802.1ad specifies MSTP on PBs and on the S-VLAN components of PEBs.
Provider BPDUs use the provider bridge group address.
Provider BPDUs are transmitted on all CNPs and PNPs.


    Provider Backbone Bridge

    IEEE 802.1ah

Provider Backbone Bridge Network

Concepts:
Backbone service creation
Provisioning hierarchy: Customer, Provider, Backbone
Address space separation


    Provider Backbone Bridge

    Terminology

From LAN Bridges to Provider Backbone Bridges

Bridge Types: Backbone Bridge, Backbone Edge Bridge

New Backbone Edge Bridge Ports

Customer Backbone Port (CBP): a port of a Backbone Edge Bridge that can receive and transmit I-tagged frames, can assign a B-VID and can translate the I-SID.
Provider Instance Port (PIP): a port of an I-component in a Backbone Edge Bridge that provides access to the backbone service.

[Figure: the Provider Edge Bridge port diagram shown earlier (C-VLAN components S1, S2, S3 with tagged CVID / untagged PVID CEPs, PEPs and untagged PVID CNPs; S-VLAN component with a tagged PNP; customer Q-bridges on the customer side)]

Backbone Edge Bridge (I-Function)

Towards the PIPs:
C-DA and C-SA are encapsulated inside the I-TAG.
The B-DA is taken from a local table; the B-SA is the MAC address of the PIP.

From the PIPs:
Only frames whose B-DA equals the MAC address of the PIP are accepted.
C-DA and C-SA are taken from the I-TAG.
The I-TAG is removed and discarded.

Backbone Edge Bridge (B-Function)

Adds a B-TAG and forwards I-tagged frames towards the PNPs.
Removes the B-TAG when receiving frames from a PNP.
The S-TAG TPID and the B-TAG TPID are the same (88A8), as in IEEE 802.1ad.

Backbone Edge Bridge (IB-Function)

Contains one B-component and one or more I-components.

Backbone Bridge Components

B-component: an S-VLAN component with one or more Customer Backbone Ports (CBP).
Recognizes and uses the I-TAG.
Supports the assignment of B-VIDs (VLANs inside the backbone) based on the I-SID on the CBPs.
Supports the termination of the PBBN Spanning Trees.

I-component: an S-VLAN component with one or more Provider Instance Ports (PIP).
Supports the mapping between S-VID and I-SID.
Supports the termination of the PBN Spanning Trees.

Backbone Core Bridge

Used inside a Provider Backbone Bridged Network (PBBN).
Learns only the MAC addresses belonging to the PBBN. Handles frames like a Provider Bridge (IEEE 802.1ad).
The name BCB is only a logical distinction within the 802.1ah standard.

Definitions in summary

Backbone MAC Address (B-MAC): a MAC address associated with a Provider Instance Port and used to build the MAC header of I-tagged frames transmitted across a Provider Backbone Bridged Network.
Backbone MAC Frame: a LAN frame with backbone MAC addresses.
Backbone service instance: an instance of a service in a Provider Backbone Bridged Network between two or more Virtual Instance Ports in Backbone Edge Bridges.
Backbone Service Instance Identifier (I-SID): field of a Backbone Service Instance tag that identifies the service instance of a frame.
Backbone Service Instance Drop Eligibility Indicator (I-DEI): field of a Backbone Service Instance tag that indicates whether a frame may be dropped in a backbone service instance.
Backbone Service Instance priority code point (I-PCP): field of a Backbone Service Instance tag that indicates the priority of a frame in a backbone service instance.
Backbone Service Instance tag (I-TAG): tag with Ethertype 88E7.
Backbone VLAN (B-VLAN): VLAN identified by a Backbone VLAN ID.
Backbone VLAN drop eligible indicator (B-DEI): field of a B-TAG that indicates whether the frame may be dropped.
Backbone VLAN ID (B-VID): VLAN identifier in a B-TAG.
Backbone VLAN priority code point (B-PCP): field of a B-TAG that indicates the priority of a frame in a Backbone VLAN.
Backbone VLAN tag (B-TAG): S-TAG used together with backbone MAC addresses.
Backbone VLAN tagged frames: frames that contain a B-TAG immediately after the source MAC address.


    Ethernet Types / I-TAG

Port Based

Conceptually identical to the 802.1ad case: it does not accept frames with an S-TAG unless they have T-TAG = 0 (priority).

S-Tagged

Maps a service instance identified by an S-VID onto a Backbone service instance on the PBBN identified by an I-SID.

S-TAGGED interfaces

1:1 mapping between S-VID and I-SID: in this case the S-TAG is not carried but is derived from the I-SID; priority and DEI are regenerated at the I-TAG level.
Bundling of S-VIDs onto a single I-SID: in this case the S-TAG is carried as well, together with its priority and DEI, which are also copied into the I-TAG.

Encapsulation
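The I-function and B-function of the Backbone Edge Bridge (I-TAG encapsulation towards the PIPs, acceptance only of frames whose B-DA is the PIP's MAC, B-TAG push and pop) and the two S-tagged interface modes just described (1:1, where the S-TAG is regenerated from the I-SID, and bundling, where the carried S-TAG is kept) as an added Python example, not code from the slides. Frames are modelled at the field level; all MACs, VIDs, I-SIDs, the S-VID to I-SID and I-SID to B-VID mappings and the local B-DA table are constructed. Dropping frames with an unmapped S-VID, or whose C-DA is missing from the local table (the slides say nothing about flooding), are assumptions marked in the code.

```python
# Added example (not from the slides): MAC-in-MAC encapsulation at a Backbone
# Edge Bridge with 1:1 and bundled S-tagged interfaces. All values are constructed.
from dataclasses import dataclass, replace
from typing import Optional

TPID_B_TAG, ETHERTYPE_I_TAG = 0x88A8, 0x88E7   # B-TAG TPID (same as S-TAG), I-TAG Ethertype

@dataclass(frozen=True)
class STag:
    pcp: int
    dei: int
    vid: int

@dataclass(frozen=True)
class CustomerFrame:
    c_da: str
    c_sa: str
    s_tag: Optional[STag]
    payload: bytes = b""

@dataclass(frozen=True)
class ITag:
    pcp: int      # I-PCP
    dei: int      # I-DEI
    isid: int     # I-SID
    c_da: str     # the customer addresses are encapsulated inside the I-TAG
    c_sa: str

@dataclass(frozen=True)
class BackboneFrame:
    b_da: str
    b_sa: str
    b_tag: Optional[STag]   # None until the B-component adds it
    i_tag: ITag
    inner: CustomerFrame    # keeps its S-TAG only in bundling mode

class IComponent:
    def __init__(self, pip_mac, svid_to_isid, bundled_isids, bda_table):
        self.pip_mac = pip_mac                    # B-SA of frames sent towards the PIP
        self.svid_to_isid = dict(svid_to_isid)
        self.isid_to_svid = {i: s for s, i in svid_to_isid.items()}  # used in 1:1 mode only
        self.bundled_isids = set(bundled_isids)   # I-SIDs that bundle several S-VIDs
        self.bda_table = dict(bda_table)          # local table: C-DA -> B-DA

    def encapsulate(self, f: CustomerFrame) -> Optional[BackboneFrame]:
        if f.s_tag is None or f.s_tag.vid not in self.svid_to_isid:
            return None                           # assumption: S-tagged interface, unmapped S-VID dropped
        isid = self.svid_to_isid[f.s_tag.vid]
        b_da = self.bda_table.get(f.c_da)
        if b_da is None:
            return None                           # assumption: unknown C-DA dropped (no flooding modelled)
        i_tag = ITag(f.s_tag.pcp, f.s_tag.dei, isid, f.c_da, f.c_sa)  # priority and DEI go into the I-TAG
        inner = f if isid in self.bundled_isids else replace(f, s_tag=None)  # 1:1 mode: S-TAG not carried
        return BackboneFrame(b_da, self.pip_mac, None, i_tag, inner)

    def decapsulate(self, bf: BackboneFrame) -> Optional[CustomerFrame]:
        if bf.b_da != self.pip_mac:
            return None                           # only frames addressed to this PIP are accepted
        if bf.inner.s_tag is not None:            # bundling mode: the carried S-TAG is used as is
            s_tag = bf.inner.s_tag
        else:                                     # 1:1 mode: S-TAG regenerated from the I-SID
            svid = self.isid_to_svid.get(bf.i_tag.isid)
            if svid is None:
                return None
            s_tag = STag(bf.i_tag.pcp, bf.i_tag.dei, svid)
        # C-DA / C-SA are taken from the I-TAG; the I-TAG itself is removed and discarded.
        return CustomerFrame(bf.i_tag.c_da, bf.i_tag.c_sa, s_tag, bf.inner.payload)

class BComponent:
    def __init__(self, isid_to_bvid):
        self.isid_to_bvid = dict(isid_to_bvid)    # B-VID assigned per I-SID on the CBP

    def push_b_tag(self, bf: BackboneFrame) -> Optional[BackboneFrame]:
        bvid = self.isid_to_bvid.get(bf.i_tag.isid)
        if bvid is None:
            return None
        return replace(bf, b_tag=STag(bf.i_tag.pcp, bf.i_tag.dei, bvid))

    def pop_b_tag(self, bf: BackboneFrame) -> BackboneFrame:
        return replace(bf, b_tag=None)            # B-TAG removed on frames received from a PNP

# Constructed topology: I-components at both ends share the same service mappings.
SVID_TO_ISID = {100: 0x010000, 200: 0x010001, 201: 0x010001}  # 200 and 201 bundled into 0x010001
BUNDLED = {0x010001}
PIP_A, PIP_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
CUSTOMER_X, CUSTOMER_Y = "02:00:00:00:00:01", "02:00:00:00:00:02"
I_A = IComponent(PIP_A, SVID_TO_ISID, BUNDLED, {CUSTOMER_Y: PIP_B})
I_B = IComponent(PIP_B, SVID_TO_ISID, BUNDLED, {CUSTOMER_X: PIP_A})
B_CORE = BComponent({0x010000: 1000, 0x010001: 1001})

def carry_across_backbone(f: CustomerFrame) -> Optional[CustomerFrame]:
    """I_A encapsulates, the B-component pushes and pops the B-TAG, I_B decapsulates."""
    bf = I_A.encapsulate(f)
    if bf is None:
        return None
    bf = B_CORE.push_b_tag(bf)
    return None if bf is None else I_B.decapsulate(B_CORE.pop_b_tag(bf))
```

In 1:1 mode the customer frame comes back identical even though its S-TAG never crossed the backbone, because the S-VID is recovered from the I-SID and priority and DEI from the I-TAG; in bundling mode the S-TAG travels inside the encapsulated frame, which is what allows two S-VIDs to share one I-SID.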


    Encapsulation


    I-Tagged

Example