Presentation on theme: "Virtual Links: VLANs and Tunneling CS 4251: Computer Networking II Nick Feamster Spring 2008."— Presentation transcript:
Virtual Links: VLANs and Tunneling CS 4251: Computer Networking II Nick Feamster Spring 2008
Why VLANs? Layer 2: devices on one VLAN cannot communicate with users on another VLAN without the use of routers and network layer addresses Advantages –Help control broadcasts (primarily MAC-layer broadcasts) –Switch table entry scaling –Improve network security –Help logically group network users Key feature: Divorced from physical network topology
VLAN basics VLAN configuration issues: –A switch creates a broadcast domain –VLANs help manage broadcast domains –VLANs can be defined on port groups, users or protocols –LAN switches and network management software provide a mechanism to create VLANs VLANs help control the size of broadcast domains and localize traffic. VLANs are associated with individual networks. Devices in different VLANs cannot directly communicate without the intervention of a Layer 3 routing device.
VLAN Trunking Protocol VLAN trunking: many VLANs throughout an organization by adding special tags to frames to identify the VLAN to which they belong. This tagging allows many VLANs to be carried across a common backbone, or trunk. IEEE 802.1Q trunking protocol is the standard, widely implemented trunking protocol
Trunking: History An example of this in a communications network is a backbone link between an MDF and an IDF A backbone is composed of a number of trunks.
VLAN Trunking Conserve ports when creating a link between two devices implementing VLANs Trunking will bundle multiple virtual links over one physical link by allowing the traffic for several VLANs to travel over a single cable between the switches.
Trunking Operation Manages the transfer of frames from different VLANs on a single physical line Trunking protocols establish agreement for the distribution of frames to the associated ports at both ends of the trunk Two mechanisms –frame filtering –frame tagging
Frame Tagging A frame tagging mechanism assigns an identifier, VLAN ID, to the frames –Easier management –Faster delivery of frames
Frame Tagging Each frame sent on the link is tagged to identify which VLAN it belongs to. Different tagging schemes exist Two common schemes for Ethernet frames –802.1Q : IEEE standard Encapsulates packet in an additional 4-byte header –ISL – Cisco proprietary Inter-Switch Link protocol Tagging occurs within the frame itself
VLANs and trunking VLAN frame tagging is an approach that has been specifically developed for switched communications. Frame tagging places a unique identifier in the header of each frame as it is forwarded throughout the network backbone. The identifier is understood and examined by each switch before any broadcasts or transmissions are made to other switches, routers, or end-station devices. When the frame exits the network backbone, the switch removes the identifier before the frame is transmitted to the target end station. Frame tagging functions at Layer 2 and requires little processing or administrative overhead.
Inter-VLAN Routing If a VLAN spans across multiple devices a trunk is used to interconnect the devices. A trunk carries traffic for multiple VLANs. For example, a trunk can connect a switch to another switch, a switch to the inter-VLAN router, or a switch to a server with a special NIC installed that supports trunking. Remember that when a host on one VLAN wants to communicate with a host on another, a router must be involved.
Inter-VLAN Issues and Solutions Hosts on different VLANs must communicate Logical connectivity: a single connection, or trunk, from the switch to the router –That trunk can support multiple VLANs –This topology is called a router on a stick because there is a single connection to the router
Physical and logical interfaces The primary advantage of using a trunk link is a reduction in the number of router and switch ports used. Not only can this save money, it can also reduce configuration complexity. Consequently, the trunk-connected router approach can scale to a much larger number of VLANs than a one-link-per-VLAN design.
MPLS Overview Main idea: Virtual circuit –Packets forwarded based only on circuit identifier Destination Source 1 Source 2 Router can forward traffic to the same destination on different interfaces/paths.
Circuit Abstraction: Label Swapping Label-switched paths (LSPs): Paths are named by the label at the paths entry point At each hop, label determines: –Outgoing interface –New label to attach Label distribution protocol: responsible for disseminating signalling information A A 2D Tag Out New D
Layer 3 Virtual Private Networks Private communications over a public network A set of sites that are allowed to communicate with each other Defined by a set of administrative policies –determine both connectivity and QoS among sites –established by VPN customers –One way to implement: BGP/MPLS VPN mechanisms (RFC 2547)
Building Private Networks Separate physical network –Good security properties –Expensive! Secure VPNs –Encryption of entire network stack between endpoints Layer 2 Tunneling Protocol (L2TP) –PPP over IP –No encryption Layer 3 VPNs Privacy and interconnectivity (not confidentiality, integrity, etc.)
Layer 2 vs. Layer 3 VPNs Layer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is IP only More complicated to provision a Layer 2 VPN Layer 3 VPNs: potentially more flexibility, fewer configuration headaches
Layer 3 BGP/MPLS VPNs Isolation: Multiple logical networks over a single, shared physical infrastructure Tunneling: Keeping routes out of the core VPN A/Site 1 VPN A/Site 2 VPN A/Site 3 VPN B/Site 2 VPN B/Site 1 VPN B/Site 3 CE A1 CE B3 CE A3 CE B2 CE A2 CE 1 B1 CE 2 B1 PE 1 PE 2 PE 3 P1P1 P2P2 P3P3 10.1/ / / / / /16 BGP to exchange routes MPLS to forward traffic
High-Level Overview of Operation IP packets arrive at PE Destination IP address is looked up in forwarding table Datagram sent to customers network using tunneling (i.e., an MPLS label-switched path)
BGP/MPLS VPN key components Forwarding in the core: MPLS Distributing routes between PEs: BGP Isolation: Keeping different VPNs from routing traffic over one another –Constrained distribution of routing information –Multiple virtual forwarding tables Unique addresses: VPN-IP4 Address extension
Virtual Routing and Forwarding Separate tables per customer at each router /24 RD: Green /24 RD: Blue /24 Customer 1 Customer 2 Customer 1 Customer 2
Routing: Constraining Distribution Performed by Service Provider using route filtering based on BGP Extended Community attribute – BGP Community is attached by ingress PE route filtering based on BGP Community is performed by egress PE Site 1Site 2Site 3 Static route, RIP, etc. RD: /24 Route target: Green Next-hop: A A /24 BGP
Forwarding PE and P routers have BGP next-hop reachability through the backbone IGP Labels are distributed through LDP (hop-by-hop) corresponding to BGP Next-Hops Two-Label Stack is used for packet forwarding Top label indicates Next-Hop (interior label) Second level label indicates outgoing interface or VRF (exterior label) IP Datagram Label 2 Label 1 Layer 2 Header Corresponds to LSP of BGP next-hop (PE) Corresponds to VRF/interface at exit
Forwarding in BGP/MPLS VPNs Step 1: Packet arrives at incoming interface –Site VRF determines BGP next-hop and Label #2 IP Datagram Label 2 Step 2: BGP next-hop lookup, add corresponding LSP (also at site VRF) IP Datagram Label 2 Label 1