Presentation on theme: "Virtual Links: VLANs and Tunneling"— Presentation transcript:
1 Virtual Links: VLANs and Tunneling CS 4251: Computer Networking II Nick Feamster Spring 2008
2 Why VLANs?Layer 2: devices on one VLAN cannot communicate with users on another VLAN without the use of routers and network layer addressesAdvantagesHelp control broadcasts (primarily MAC-layer broadcasts)Switch table entry scalingImprove network securityHelp logically group network usersKey feature: Divorced from physical network topology
3 VLAN basics VLAN configuration issues: A switch creates a broadcast domainVLANs help manage broadcast domainsVLANs can be defined on port groups, users or protocolsLAN switches and network management software provide a mechanism to create VLANsVLANs help control the size of broadcast domains and localize traffic.VLANs are associated with individual networks.Devices in different VLANs cannot directly communicate without the intervention of a Layer 3 routing device.
4 VLAN Trunking Protocol VLAN trunking: many VLANs throughout an organization by adding special tags to frames to identify the VLAN to which they belong.This tagging allows many VLANs to be carried across a common backbone, or trunk.IEEE 802.1Q trunking protocol is the standard, widely implemented trunking protocol
5 Trunking: HistoryAn example of this in a communications network is a backbone link between an MDF and an IDFA backbone is composed of a number of trunks.
6 VLAN TrunkingConserve ports when creating a link between two devices implementing VLANsTrunking will bundle multiple virtual links over one physical link by allowing the traffic for several VLANs to travel over a single cable between the switches.
7 Trunking OperationManages the transfer of frames from different VLANs on a single physical lineTrunking protocols establish agreement for the distribution of frames to the associated ports at both ends of the trunkTwo mechanismsframe filteringframe tagging
9 Frame TaggingA frame tagging mechanism assigns an identifier, VLAN ID, to the framesEasier managementFaster delivery of frames
10 Frame TaggingEach frame sent on the link is tagged to identify which VLAN it belongs to.Different tagging schemes existTwo common schemes for Ethernet frames802.1Q: IEEE standardEncapsulates packet in an additional 4-byte headerISL – Cisco proprietary Inter-Switch Link protocolTagging occurs within the frame itself
11 VLANs and trunkingVLAN frame tagging is an approach that has been specifically developed for switched communications.Frame tagging places a unique identifier in the header of each frame as it is forwarded throughout the network backbone.The identifier is understood and examined by each switch before any broadcasts or transmissions are made to other switches, routers, or end-station devices.When the frame exits the network backbone, the switch removes the identifier before the frame is transmitted to the target end station.Frame tagging functions at Layer 2 and requires little processing or administrative overhead.
12 Inter-VLAN RoutingIf a VLAN spans across multiple devices a trunk is used to interconnect the devices.A trunk carries traffic for multiple VLANs.For example, a trunk can connect a switch to another switch, a switch to the inter-VLAN router, or a switch to a server with a special NIC installed that supports trunking.Remember that when a host on one VLAN wants to communicate with a host on another, a router must be involved.
13 Inter-VLAN Issues and Solutions Hosts on different VLANs must communicateLogical connectivity: a single connection, or trunk, from the switch to the routerThat trunk can support multiple VLANsThis topology is called a router on a stick because there is a single connection to the router
14 Physical and logical interfaces The primary advantage of using a trunk link is a reduction in the number of router and switch ports used.Not only can this save money, it can also reduce configuration complexity.Consequently, the trunk-connected router approach can scale to a much larger number of VLANs than a one-link-per-VLAN design.
15 Why Tunnel? Security Flexibility Bypassing local network engineers E.g., VPNsFlexibilityTopologyProtocolBypassing local network engineersOppressive regimes: China, Pakistan, TS…Compatibility/InteroperabilityDispersion/Logical grouping/OrganizationReliabilityFast Reroute, Resilient Overlay Networks (Akamai SureRoute)Stability (“path pinning”)E.g., for performance guarantees
16 MPLS Overview Main idea: Virtual circuit Packets forwarded based only on circuit identifierSource 1DestinationSource 2Router can forward traffic to the same destination on different interfaces/paths.
17 Circuit Abstraction: Label Swapping DA21Tag Out New3A2DLabel-switched paths (LSPs): Paths are “named” by the label at the path’s entry pointAt each hop, label determines:Outgoing interfaceNew label to attachLabel distribution protocol: responsible for disseminating signalling information
18 Layer 3 Virtual Private Networks Private communications over a public networkA set of sites that are allowed to communicate with each otherDefined by a set of administrative policiesdetermine both connectivity and QoS among sitesestablished by VPN customersOne way to implement: BGP/MPLS VPN mechanisms (RFC 2547)
19 Building Private Networks Separate physical networkGood security propertiesExpensive!Secure VPNsEncryption of entire network stack between endpointsLayer 2 Tunneling Protocol (L2TP)“PPP over IP”No encryptionLayer 3 VPNsPrivacy and interconnectivity (not confidentiality, integrity, etc.)
20 Layer 2 vs. Layer 3 VPNsLayer 2 VPNs can carry traffic for many different protocols, whereas Layer 3 is “IP only”More complicated to provision a Layer 2 VPNLayer 3 VPNs: potentially more flexibility, fewer configuration headaches
21 Layer 3 BGP/MPLS VPNsVPN A/Site 1VPN A/Site 2VPN A/Site 3VPN B/Site 2VPN B/Site 1VPN B/Site 3CEA1CEB3CEA3CEB2CEA2CE1B1CE2B1PE1PE2PE3P1P2P310.1/1610.2/1610.3/1610.4/16BGP to exchange routesMPLS to forward trafficIsolation: Multiple logical networks over a single, shared physical infrastructureTunneling: Keeping routes out of the core
22 High-Level Overview of Operation IP packets arrive at PEDestination IP address is looked up in forwarding tableDatagram sent to customer’s network using tunneling (i.e., an MPLS label-switched path)
23 BGP/MPLS VPN key components Forwarding in the core: MPLSDistributing routes between PEs: BGPIsolation: Keeping different VPNs from routing traffic over one anotherConstrained distribution of routing informationMultiple “virtual” forwarding tablesUnique addresses: VPN-IP4 Address extension
24 Virtual Routing and Forwarding Separate tables per customer at each routerCustomer 1/24/24 RD: GreenCustomer 1Customer 2/24Customer 2/24 RD: Blue
25 Routing: Constraining Distribution Performed by Service Provider using route filtering based on BGP Extended Community attributeBGP Community is attached by ingress PE route filtering based on BGP Community is performed by egress PESite 2BGPStatic route, RIP, etc.RD: /24 Route target: Green Next-hop: ASite 1A/24Site 3
26 ForwardingPE and P routers have BGP next-hop reachability through the backbone IGPLabels are distributed through LDP (hop-by-hop) corresponding to BGP Next-HopsTwo-Label Stack is used for packet forwardingTop label indicates Next-Hop (interior label)Second level label indicates outgoing interface or VRF (exterior label)Corresponds to LSP of BGP next-hop (PE)Corresponds to VRF/interface at exitLayer 2 HeaderLabel 1Label 2IP Datagram
27 Forwarding in BGP/MPLS VPNs Step 1: Packet arrives at incoming interfaceSite VRF determines BGP next-hop and Label #2Label 2IP DatagramStep 2: BGP next-hop lookup, add corresponding LSP (also at site VRF)Label 1Label 2IP Datagram