D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch

43

switches through a single physical connection and allows Spanning Tree to be enabled on all

ports and work normally.

The IEEE 802.1Q standard restricts the forwarding of untagged packets to the VLAN the

receiving port is a member of.

The main characteristics of IEEE 802.1Q are as follows:

•

Assigns packets to VLANs by filtering.

•

Assumes the presence of a single global spanning tree.

•

Uses an explicit tagging scheme with one-level tagging.

802.1Q VLAN Packet Forwarding

Packet forwarding decisions are made based upon the following three types of rules:

•

Ingress rules – rules relevant to the classification of received frames belonging to a

VLAN.

•

Forwarding rules between ports – decides whether to filter or forward the packet.

•

Egress rules – determines if the packet must be sent tagged or untagged.

Figure 4- 15.

IEEE 802.1Q Packet Forwarding

D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch

44

802.1Q VLAN Tags

The figure below shows the 802.1Q VLAN tag. There are four additional octets inserted after

the source MAC address. Their presence is indicated by a value of 0x8100 in the EtherType

field. When a packet’s EtherType field is equal to 0x8100, the packet carries the IEEE

802.1Q/802.1p tag. The tag is contained in the following two octets and consists of 3 bits of

user priority, 1 bit of Canonical Format Identifier (CFI – used for encapsulating Token Ring

packets so they can be carried across Ethernet backbones), and 12 bits of VLAN ID (VID).

The 3 bits of user priority are used by 802.1p. The VID is the VLAN identifier and is used by

the 802.1Q standard. Because the VID is 12 bits long, 4094 unique VLANs can be identified.

The tag is inserted into the packet header making the entire packet longer by 4 octets. All of

the information originally contained in the packet is retained.

Figure 4- 16.

IEEE 802.1Q Tag

The EtherType and VLAN ID are inserted after the MAC source address, but before the

original EtherType/Length or Logical Link Control. Because the packet is now a bit longer

than it was originally, the Cyclic Redundancy Check (CRC) must be recalculated.

D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch

45

Figure 4- 17.

Adding an IEEE 802.1Q Tag

Port VLAN ID

Packets that are tagged (are carrying the 802.1Q VID information) can be transmitted from

one 802.1Q compliant network device to another with the VLAN information intact. This

allows 802.1Q VLANs to span network devices (and indeed, the entire network, if all network

devices are 802.1Q compliant).

Unfortunately, not all network devices are 802.1Q compliant. These devices are referred to as

tag-unaware.

802.1Q devices are referred to as

tag-aware.

Prior to the adoption of 802.1Q VLANs, port-based and MAC-based VLANs were in

common use. These VLANs relied upon a Port VLAN ID (PVID) to forward packets. A

packet received on a given port would be assigned that port’s PVID and then be forwarded to

the port that corresponded to the packet’s destination address (found in the switch’s

forwarding table). If the PVID of the port that received the packet is different from the PVID

of the port that is to transmit the packet, the switch will drop the packet.

Within the switch, different PVIDs mean different VLANs (remember that two VLANs

cannot communicate without an external router). So, VLAN identification based upon the

PVIDs cannot create VLANs that extend outside a given switch (or switch stack).

Every physical port on a switch has a PVID. 802.1Q ports are also assigned a PVID, for use

within the switch. If no VLANs are defined on the switch, all ports are then assigned to a

default VLAN with a PVID equal to 1. Untagged packets are assigned the PVID of the port on

which they were received. Forwarding decisions are based upon this PVID, in so far as

VLANs are concerned. Tagged packets are forwarded according to the VID contained within

the tag. Tagged packets are also assigned a PVID, but the PVID is not used to make packet

forwarding decisions, the VID is.

Tag-aware switches must keep a table to relate PVIDs within the switch to VIDs on the

network. The switch will compare the VID of a packet to be transmitted to the VID of the port

that is to transmit the packet. If the two VIDs are different, the switch will drop the packet.

Because of the existence of the PVID for untagged packets and the VID for tagged packets,

tag-aware and tag-unaware network devices can coexist on the same network.

D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch

46

A switch port can have only one PVID, but can have as many VIDs as the switch has memory

in its VLAN table to store them.

Because some devices on a network may be tag-unaware, a decision must be made at each

port on a tag-aware device before packets are transmitted – should the packet to be transmitted

have a tag or not? If the transmitting port is connected to a tag-unaware device, the packet

should be untagged. If the transmitting port is connected to a tag-aware device, the packet

should be tagged.

Tagging and Untagging

Every port on an 802.1Q compliant switch can be configured as

tagging

or

untagging.

Ports with tagging enabled will put the VID number, priority and other VLAN information

into the header of all packets that flow into and out of it. If a packet has previously been

tagged, the port will not alter the packet, thus keeping the VLAN information intact. The

VLAN information in the tag can then be used by other 802.1Q compliant devices on the

network to make packet-forwarding decisions.

Ports with untagging enabled will strip the 802.1Q tag from all packets that flow into and out

of those ports. If the packet doesn’t have an 802.1Q VLAN tag, the port will not alter the

packet. Thus, all packets received by and forwarded by an untagging port will have no 802.1Q

VLAN information. (Remember that the PVID is only used internally within the switch).

Untagging is used to send packets from an 802.1Q-compliant network device to a non-

compliant network device.

Ingress Filtering

A port on a switch where packets are flowing into the switch and VLAN decisions must be

made is referred to as an

ingress port

. If ingress filtering is enabled for a port, the switch will

examine the VLAN information in the packet header (if present) and decide whether or not to

forward the packet.

If the packet is tagged with VLAN information, the ingress port will first determine if the

ingress port itself is a member of the tagged VLAN. If it is not, the packet will be dropped. If

the ingress port is a member of the 802.1Q VLAN, the switch then determines if the

destination port is a member of the 802.1Q VLAN. If it is not, the packet is dropped. If the

destination port is a member of the 802.1Q VLAN, the packet is forwarded and the destination

port transmits it to its attached network segment.

If the packet is not tagged with VLAN information, the ingress port will tag the packet with

its own PVID as a VID (if the port is a tagging port). The switch then determines if the

destination port is a member of the same VLAN (has the same VID) as the ingress port. If it

does not, the packet is dropped. If it has the same VID, the packet is forwarded and the

destination port transmits it on its attached network segment.

This process is referred to as

ingress filtering

and is used to conserve bandwidth within the

switch by dropping packets that are not on the same VLAN as the ingress port at the point of

D-Link DES-6500 Layer 3 Stackable Gigabit Ethernet Switch

47

reception

.

This eliminates the subsequent processing of packets that will just be dropped by

the destination port.

Default VLANs

The Switch initially configures one VLAN, VID = 1, called “default.” The factory default

setting assigns all ports on the Switch to the “default.” As new VLANs are configured in Port-

based mode, their respective member ports are removed from the “default.”

Packets cannot cross VLANs. If a member of one VLAN wants to connect to another VLAN,

the link must be through an external router.

Note

: If no VLANs are configured on the switch, then all

packets will be forwarded to any destination port. Packets with

unknown source addresses will be flooded to all ports.

Broadcast and multicast packets will also be flooded to all

ports.

An example is presented below:

VLAN Name

VID

Switch Ports

System (default)

1

5, 6, 7, 8, 21, 22, 23, 24

Engineering

2

9, 10, 11, 12

Marketing

3

13, 14, 15, 16

Finance

4

17, 18, 19, 20

Sales

5

1, 2, 3, 4

Table 4- 1.

VLAN Example – Assigned Ports

VLAN Segmentation

Take for example a packet that is transmitted by a machine on Port 1 that is a member of

VLAN 2. If the destination lies on another port (found through a normal forwarding table

lookup), the switch then looks to see if the other port (Port 10) is a member of VLAN 2 (and

can therefore receive VLAN 2 packets). If Port 10 is not a member of VLAN 2, then the

packet will be dropped by the switch and will not reach its destination. If Port 10 is a member

of VLAN 2, the packet will go through. This selective forwarding feature based on VLAN

criteria is how VLANs segment networks. The key point being that Port 1 will only transmit

on VLAN 2.

Network resources such as printers and servers however, can be shared across VLANs. This is

achieved by setting up overlapping VLANs. That is ports can belong to more than one VLAN

group. For example, setting VLAN 1 members to ports 1, 2, 3, and 4 and VLAN 2 members

to ports 1, 5, 6, and 7. Port 1 belongs to two VLAN groups. Ports 8, 9, and 10 are not

configured to any VLAN group. This means ports 8, 9, and 10 are in the same VLAN group.