D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch
switches through a single physical connection and allows Spanning Tree to be enabled on all
ports and work normally.
The IEEE 802.1Q standard restricts the forwarding of untagged packets to the VLAN the
receiving port is a member of.
The main characteristics of IEEE 802.1Q are as follows:
Assigns packets to VLANs by filtering.
Assumes the presence of a single global spanning tree.
Uses an explicit tagging scheme with one-level tagging.
802.1Q VLAN Packet Forwarding
Packet forwarding decisions are made based upon the following three types of rules:
Ingress rules – rules relevant to the classification of received frames belonging to a
VLAN.
Forwarding rules between ports – decides whether to filter or forward the packet.
Egress rules – determines if the packet must be sent tagged or untagged.
Figure 4-15. IEEE 802.1Q Packet Forwarding
802.1Q VLAN Tags
The figure below shows the 802.1Q VLAN tag. There are four additional octets inserted after
the source MAC address. Their presence is indicated by a value of 0x8100 in the EtherType
field. When a packet’s EtherType field is equal to 0x8100, the packet carries the IEEE
802.1Q/802.1p tag. The tag is contained in the following two octets and consists of 3 bits of
user priority, 1 bit of Canonical Format Identifier (CFI – used for encapsulating Token Ring
packets so they can be carried across Ethernet backbones), and 12 bits of VLAN ID (VID).
The 3 bits of user priority are used by 802.1p. The VID is the VLAN identifier and is used by
the 802.1Q standard. The VID is 12 bits long; because the values 0x000 and 0xFFF are
reserved, 4094 unique VLANs can be identified.
The tag is inserted into the packet header making the entire packet longer by 4 octets. All of
the information originally contained in the packet is retained.
Figure 4-16. IEEE 802.1Q Tag
The EtherType and VLAN ID are inserted after the MAC source address, but before the
original EtherType/Length or Logical Link Control. Because the packet is now a bit longer
than it was originally, the Cyclic Redundancy Check (CRC) must be recalculated.
Figure 4-17. Adding an IEEE 802.1Q Tag
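The tag insertion and removal described above (TPID 0x8100 and the 2-octet TCI placed after the source MAC, the FCS recomputed because the frame grew by four octets), as an added example that is not part of the D-Link manual. The MAC addresses and payload are constructed for illustration; the FCS is computed with zlib's CRC-32, which uses the same polynomial as IEEE 802.3, and is stored least-significant byte first. The strip function removes only the outermost tag, which is what an untagging port does, so a frame carrying two tags is still tagged after one pass.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VIDs 0x000 and 0xFFF are reserved, leaving 4094 usable values


def ethernet_fcs(frame_body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 (same polynomial as zlib) over dst/src/type/payload,
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def insert_8021q_tag(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert TPID + TCI after the source MAC (offset 12) and recompute the FCS.

    `frame` is a complete frame ending in its 4-byte FCS. The result is 4 octets
    longer; every original byte except the now-stale FCS is retained.
    """
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VID {vid} is reserved or out of range")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is a 3-bit field and CFI a 1-bit field")
    tci = (priority << 13) | (cfi << 12) | vid
    body = frame[:-4]
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)


def splice_tag_without_fcs(frame: bytes, vid: int) -> bytes:
    """The mistake the text warns about: tag inserted, old FCS left in place."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def parse_8021q_tag(frame: bytes):
    """Return (priority, cfi, vid, inner_ethertype) for the outermost tag, or None if untagged."""
    if len(frame) < 18:
        return None
    tpid, tci, inner = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, inner


def strip_8021q_tag(frame: bytes) -> bytes:
    """What an untagging port does on transmit: remove the outermost tag and recompute the FCS.
    Only one tag is removed, so a frame that carried two tags is still tagged afterwards."""
    if parse_8021q_tag(frame) is None:
        return frame
    body = frame[:-4]
    untagged = body[:12] + body[16:]
    return untagged + ethernet_fcs(untagged)


def fcs_ok(frame: bytes) -> bool:
    """True if the trailing FCS matches the rest of the frame."""
    return ethernet_fcs(frame[:-4]) == frame[-4:]


# Constructed sample frame (not a capture): two made-up MACs, EtherType IPv4, short payload.
_BODY = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
         + struct.pack("!H", 0x0800) + b"constructed payload")
UNTAGGED = _BODY + ethernet_fcs(_BODY)


if __name__ == "__main__":
    tagged = insert_8021q_tag(UNTAGGED, vid=2, priority=5)
    print("tagged          :", tagged.hex(), parse_8021q_tag(tagged))
    print("naive FCS valid :", fcs_ok(splice_tag_without_fcs(UNTAGGED, 2)))
    print("recomputed valid:", fcs_ok(tagged))
    print("strip restores  :", strip_8021q_tag(tagged) == UNTAGGED)
```

Running the module prints the tagged frame with its decoded (priority, CFI, VID, inner EtherType) and shows that the spliced-in tag with the old FCS fails the check while the recomputed one passes.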
Port VLAN ID
Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from
one 802.1Q compliant network device to another with the VLAN information intact. This
allows 802.1Q VLANs to span network devices (and indeed, the entire network, if all network
devices are 802.1Q compliant).
Unfortunately, not all network devices are 802.1Q compliant. These devices are referred to as
tag-unaware. 802.1Q devices are referred to as tag-aware.
Prior to the adoption of 802.1Q VLANs, port-based and MAC-based VLANs were in
common use. These VLANs relied upon a Port VLAN ID (PVID) to forward packets. A
packet received on a given port would be assigned that port’s PVID and then be forwarded to
the port that corresponded to the packet’s destination address (found in the switch’s
forwarding table). If the PVID of the port that received the packet is different from the PVID
of the port that is to transmit the packet, the switch will drop the packet.
Within the switch, different PVIDs mean different VLANs (remember that two VLANs
cannot communicate without an external router). So, VLAN identification based upon the
PVIDs cannot create VLANs that extend outside a given switch (or switch stack).
Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use
within the switch. If no VLANs are defined on the switch, all ports are then assigned to a
default VLAN with a PVID equal to 1. Untagged packets are assigned the PVID of the port on
which they were received. Forwarding decisions are based upon this PVID, in so far as
VLANs are concerned. Tagged packets are forwarded according to the VID contained within
the tag. Tagged packets are also assigned a PVID, but the PVID is not used to make packet
forwarding decisions, the VID is.
Tag-aware switches must keep a table to relate PVIDs within the switch to VIDs on the
network. The switch will compare the VID of a packet to be transmitted to the VID of the port
that is to transmit the packet. If the two VIDs are different, the switch will drop the packet.
Because of the existence of the PVID for untagged packets and the VID for tagged packets,
tag-aware and tag-unaware network devices can coexist on the same network.
A switch port can have only one PVID, but can have as many VIDs as the switch has memory
in its VLAN table to store them.
Because some devices on a network may be tag-unaware, a decision must be made at each
port on a tag-aware device before packets are transmitted – should the packet to be transmitted
have a tag or not? If the transmitting port is connected to a tag-unaware device, the packet
should be untagged. If the transmitting port is connected to a tag-aware device, the packet
should be tagged.
Tagging and Untagging
Every port on an 802.1Q compliant switch can be configured as tagging or untagging.
A tagging port inserts an 802.1Q tag carrying the VID, priority and the other tag fields into
the header of every packet it transmits. If a packet arrived already tagged, the port leaves the
tag unchanged, so the VLAN information stays intact. That information can then be used by
other 802.1Q compliant devices on the network to make packet-forwarding decisions.
Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into and out
of those ports. If the packet doesn’t have an 802.1Q VLAN tag, the port will not alter the
packet. Thus, all packets received by and forwarded by an untagging port will have no 802.1Q
VLAN information. (Remember that the PVID is only used internally within the switch).
Untagging is used to send packets from an 802.1Q-compliant network device to a non-
compliant network device.
Ingress Filtering
A port on a switch where packets are flowing into the switch and VLAN decisions must be
made is referred to as an
ingress port
. If ingress filtering is enabled for a port, the switch will
examine the VLAN information in the packet header (if present) and decide whether or not to
forward the packet.
If the packet is tagged with VLAN information, the ingress port will first determine if the
ingress port itself is a member of the tagged VLAN. If it is not, the packet will be dropped. If
the ingress port is a member of the 802.1Q VLAN, the switch then determines if the
destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the
destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination
port transmits it to its attached network segment.
If the packet is not tagged with VLAN information, the switch assigns it the ingress port's
PVID as its VID (a tag carrying that VID is added only if the packet is later transmitted by a
tagging port). The switch then determines if the destination port is a member of the same
VLAN (has the same VID) as the ingress port. If it does not, the packet is dropped. If it has
the same VID, the packet is forwarded and the destination port transmits it on its attached
network segment.
This process is referred to as ingress filtering and is used to conserve bandwidth within the
switch by dropping packets that are not on the same VLAN as the ingress port at the point of
reception. This eliminates the subsequent processing of packets that will just be dropped by
the destination port. It is also the check that stops an attached station from injecting packets
tagged with a VID its port is not a member of: with ingress filtering disabled, the VID carried
in an arriving tag is accepted as it is, so the feature should stay enabled on ports that face
end stations.
Default VLANs
The Switch initially configures one VLAN, VID = 1, called “default.” The factory default
setting assigns all ports on the Switch to the “default.” As new VLANs are configured in Port-
based mode, their respective member ports are removed from the “default.”
Packets cannot cross VLANs. If a member of one VLAN wants to connect to another VLAN,
the link must be through an external router.
Note: If no VLANs are configured on the switch, then all packets will be forwarded to any
destination port. Packets whose destination address is not yet in the forwarding table will be
flooded to all ports, as will broadcast and multicast packets.
An example is presented below:

VLAN Name          VID   Switch Ports
System (default)   1     5, 6, 7, 8, 21, 22, 23, 24
Engineering        2     9, 10, 11, 12
Marketing          3     13, 14, 15, 16
Finance            4     17, 18, 19, 20
Sales              5     1, 2, 3, 4

Table 4-1. VLAN Example – Assigned Ports
VLAN Segmentation
Take for example a packet that is transmitted by a machine on Port 1 that is a member of
VLAN 2. If the destination lies on another port (found through a normal forwarding table
lookup), the switch then looks to see if the other port (Port 10) is a member of VLAN 2 (and
can therefore receive VLAN 2 packets). If Port 10 is not a member of VLAN 2, then the
packet will be dropped by the switch and will not reach its destination. If Port 10 is a member
of VLAN 2, the packet will go through. This selective forwarding feature based on VLAN
criteria is how VLANs segment networks. The key point being that Port 1 will only transmit
on VLAN 2.
Network resources such as printers and servers can, however, be shared across VLANs. This
is achieved by setting up overlapping VLANs, that is, ports can belong to more than one
VLAN group. For example, set the VLAN 1 members to ports 1, 2, 3, and 4 and the VLAN 2
members to ports 1, 5, 6, and 7. Port 1 then belongs to two VLAN groups and receives packets
from both. Because a port has only one PVID, the untagged packets that the device on Port 1
sends are assigned Port 1's PVID and therefore reach only that one VLAN. Ports 8, 9, and 10
are not assigned to either VLAN group, so they remain together in the default VLAN.
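The ingress, forwarding and egress rules from the Ingress Filtering section, applied to the port layout of Table 4-1 and to the overlapping-VLAN example above, as an added simulation that is not code from the manual or from the switch firmware. A destination port number stands in for the forwarding-table lookup of the destination MAC, and a frame is modelled only by that port and its VID (None when it is untagged on the wire); the port numbers, PVIDs and memberships are the ones given in the text, and the `ingress_filtering` switch on each port is the feature the text describes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    dst_port: int               # stands in for the forwarding-table lookup of the destination MAC
    vid: Optional[int] = None   # None means the frame carries no 802.1Q tag


@dataclass
class Port:
    pvid: int = 1
    tagged: Set[int] = field(default_factory=set)     # VLANs this port transmits with a tag
    untagged: Set[int] = field(default_factory=set)   # VLANs this port transmits untagged
    ingress_filtering: bool = True

    @property
    def vlans(self) -> Set[int]:
        return self.tagged | self.untagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports  # port number -> Port

    def forward(self, in_port: int, frame: Frame) -> Optional[Frame]:
        """Apply the ingress, forwarding and egress rules; None means the frame is dropped."""
        ingress = self.ports[in_port]
        # Ingress rule: an untagged frame is classified by the receiving port's PVID,
        # a tagged frame by the VID carried in its tag.
        vid = ingress.pvid if frame.vid is None else frame.vid
        # Ingress filtering: drop a frame whose VLAN the receiving port is not a member of.
        if ingress.ingress_filtering and vid not in ingress.vlans:
            return None
        # Forwarding rule: the destination port must also be a member of that VLAN.
        egress = self.ports.get(frame.dst_port)
        if egress is None or frame.dst_port == in_port or vid not in egress.vlans:
            return None
        # Egress rule: transmit tagged or untagged according to the egress port's membership.
        return Frame(frame.dst_port, vid if vid in egress.tagged else None)


def table_4_1_switch(ingress_filtering: bool = True) -> Switch:
    """The VLAN layout of Table 4-1: every port is an untagged member of exactly one VLAN."""
    layout = {1: [5, 6, 7, 8, 21, 22, 23, 24], 2: [9, 10, 11, 12],
              3: [13, 14, 15, 16], 4: [17, 18, 19, 20], 5: [1, 2, 3, 4]}
    ports: Dict[int, Port] = {}
    for vid, members in layout.items():
        for p in members:
            ports[p] = Port(pvid=vid, untagged={vid}, ingress_filtering=ingress_filtering)
    return Switch(ports)


def overlapping_switch() -> Switch:
    """The overlapping example: port 1 is in VLAN 1 (ports 1-4) and VLAN 2 (ports 1, 5-7)."""
    ports = {p: Port(pvid=1, untagged={1}) for p in (2, 3, 4)}
    ports.update({p: Port(pvid=2, untagged={2}) for p in (5, 6, 7)})
    ports[1] = Port(pvid=1, untagged={1, 2})   # shared server port; it still has one PVID
    return Switch(ports)


def segmentation_results() -> Dict[str, Optional[Frame]]:
    """The worked cases, keyed by description; each value is the delivered frame or None."""
    sw = table_4_1_switch()
    no_filter = table_4_1_switch(ingress_filtering=False)
    shared = overlapping_switch()
    return {
        "untagged 9->10, both in VLAN 2": sw.forward(9, Frame(10)),
        "untagged 9->13, VLAN 2 to VLAN 3": sw.forward(9, Frame(13)),
        "tagged VID 3 from 9->13, ingress filtering on": sw.forward(9, Frame(13, vid=3)),
        "tagged VID 3 from 9->13, ingress filtering off": no_filter.forward(9, Frame(13, vid=3)),
        "overlap: VLAN 2 host on 5 -> shared port 1": shared.forward(5, Frame(1)),
        "overlap: shared port 1 -> VLAN 2 host on 5": shared.forward(1, Frame(5)),
    }


if __name__ == "__main__":
    for case, result in segmentation_results().items():
        print(f"{case}: {'dropped' if result is None else result}")
```

The two "tagged VID 3" cases are why ingress filtering matters on ports facing end stations: with it disabled, the VID in an arriving tag is accepted as-is and the station on port 9 reaches the Marketing VLAN. The last overlap case shows the limit of sharing a resource through overlapping VLANs: port 1 receives from both VLANs, but because it has a single PVID its own untagged transmissions are classified into VLAN 1 only.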
