DGS-3224TGR Gigabit Ethernet Switch User’s Guide

14

Authentication

The authentication protocol ensures that both the router SNMP agent and the remote user SNMP application program

discard packets from unauthorized users. Authentication is accomplished using ‘community strings’, which function like

passwords. The remote user SNMP application and the router SNMP must use the same community string.

Packet Forwarding

The switch enters the relationship between destination MAC or IP addresses and the Ethernet port or gateway router the

destination resides on into its forwarding table. This information is then used to forward packets. This reduces the traffic

congestion on the network, because packets, instead of being transmitted to all ports, are transmitted to the destination port

only. Example: if Port 1 receives a packet destined for a station on Port 2, the switch transmits that packet through Port 2

only, and transmits nothing through the other ports. This process is referred to as ‘learning’ the network topology.

MAC Address Aging Time

The Aging Time affects the learning process of the Switch. Dynamic forwarding table entries, which are made up of the

source and destination MAC addresses and their associated port numbers, are deleted from the table if they are not accessed

within the aging time.

The aging time can be from 10 to 1,000,000 seconds with a default value of 300 seconds. A very long aging time can result

in dynamic forwarding table entries that are out-of-date or no longer exist. This may cause incorrect packet forwarding

decisions by the Switch.

If the Aging Time is too short however, many entries may be aged out too soon. This will result in a high percentage of

received packets whose source addresses cannot be found in the forwarding table, in which case the switch will broadcast

the packet to all ports, negating many of the benefits of having a switch.

Static forwarding entries are not affected by the aging time.

Filtering

The switch uses a filtering database to segment the network and control communication between segments. It can also filter

packets off the network for intrusion control. Static filtering entries can be made by MAC Address filtering.

Each port on the switch is a unique collision domain and the switch filters (discards) packets whose destination lies on the

same port as where it originated. This keeps local packets from disrupting communications on other parts of the network.

For intrusion control, whenever a switch encounters a packet originating from or destined to a MAC address entered into

the filter table, the switch will discard the packet.

Some filtering is done automatically by the switch:

•

Dynamic filtering – automatic learning and aging of MAC addresses and their location on the network. Filtering

occurs to keep local traffic confined to its segment.

•

Filtering done by the Spanning Tree Protocol that can filter packets based on topology, making sure that signal

loops don’t occur.

•

Filtering done for VLAN integrity. Packets from a member of a VLAN (VLAN 2, for example) destined for a

device on another VLAN (VLAN 3) will be filtered.

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

15

Spanning Tree

802.1w Rapid Spanning Tree

The DGS-3224TGR implements two versions of the Spanning Tree Protocol, the Rapid Spanning Tree Protocol (RSTP) as

defined by the IEE 802.1w specification and a version compatible with the IEEE 802.1d STP. RSTP can operate with

legacy equipment implementing IEEE 802.1d, however the advantages of using RSTP will be lost.

The IEEE 802.1w Rapid Spanning Tree Protocol (RSTP) evolved from the 802.1d STP standard. RSTP was developed in

order to overcome some limitations of STP that impede the function of some recent switching innovations, in particular,

certain Layer 3 function that are increasingly handled by Ethernet switches. The basic function and much of the

terminology is the same as STP. Most of the settings configured for STP are also used for RSTP. This section introduces

some new Spanning Tree concepts and illustrates the main differences between the two protocols.

Port Transition States

An essential difference between the two protocols is in the way ports transition to a forwarding state and the in the way this

transition relates to the role of the port (forwarding or not forwarding) in the topology. RSTP combines the transition states

disabled, blocking and listening used in 802.1d and creates a single state

Discarding

. In either case, ports do not forward

packets; in the STP port transition states disabled, blocking or listening or in the RSTP port state discarding there is no

functional difference, the port is not active in the network topology. The table below compares how the two protocols differ

regarding the port state transition.

Both protocols calculate a stable topology in the same way. Every segment will have a single path to the root bridge. All

bridges listen for BPDU packets. However, BPDU packets are sent more frequently – with every Hello packet. BPDU

packets are sent even if a BPDU packet was not received. Therefore, each link between bridges is sensitive to the status of

the link. Ultimately this difference results faster detection of failed links, and thus faster topology adjustment. A drawback

of 802.1d is this absence of immediate feedback from adjacent bridges.

STP/RSTP Comparison

802.1d STP

802.1w RSTP

Forwarding?

Learning?

Disabled

Discarding

No

No

Blocking

Discarding

No

No

Listening

Discarding

No

No

Learning

Learning

No

Yes

Forwarding

Forwarding

Yes

Yes

Comparing Port States

RSTP is capable of more rapid transition to a forwarding state – it no longer relies on timer configurations – RSTP

compliant bridges are sensitive to feedback from other RSTP compliant bridge links. Ports do not need to wait for the

topology to stabilize before transitioning to a forwarding state.

In order to allow this rapid transition, the protocol

introduces two new variables: the edge port and the point-to-point (P2P) port.

Edge Port

The edge port is a configurable designation used for a port that is directly connected to a segment where a loop cannot be

created. An example would be a port connected directly to a single workstation. Ports that are designated as edge ports

transition to a forwarding state immediately without going through the listening and learning states. An edge port loses its

status if it receives a BPDU packet, immediately becoming a normal spanning tree port.

P2P Port

A P2P port is also capable of rapid transition. P2P ports may be used to connect to other bridges. Under RSTP, all ports

operating in full-duplex mode are considered to be P2P ports, unless manually overridden through configuration.

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

16

802.1d/802.1w Compatibility

RSTP can interoperate with legacy equipment and is capable of automatically adjusting BPDU packets to 802.1d format

when necessary. However, any segment using 802.1 STP will not benefit from the rapid transition and rapid topology

change detection of RSTP. The protocol also provides for a variable used for migration in the event that legacy equipment

on a segment is updated to use RSTP.

The Spanning Tree Protocol (STP) operates on two levels: on the switch level, the settings are globally implemented. On

the port level, the settings are implemented on a user-defined Group of ports basis.

VLANs

A Virtual Local Area Network (VLAN) is a network topology configured according to a logical scheme rather than the

physical layout. VLANs can be used to combine any collection of LAN segments into an autonomous user group that

appears as a single LAN. VLANs also logically segment the network into different broadcast domains so that packets are

forwarded only between ports within the VLAN. Typically, a VLAN corresponds to a particular subnet, although not

necessarily.

VLANs can enhance performance by conserving bandwidth, and improve security by limiting traffic to specific domains.

A VLAN is a collection of end nodes grouped by logic instead of physical location. End nodes that frequently communicate

with each other are assigned to the same VLAN, regardless of where they are physically on the network. Logically, a

VLAN can be equated to a broadcast domain, because broadcast packets are forwarded to only members of the VLAN on

which the broadcast was initiated.

Note: VLANs on the DGS-3224TGR

No matter what basis is used to uniquely identify end nodes and assign

these nodes VLAN membership, packets

cannot

cross VLANs without a

network device performing a routing function between the VLANs.

The DGS-3224TGR supports only IEEE 802.1Q VLANs. The port

untagging function can be used to remove the 802.1Q tag from packet

headers to maintain compatibility with devices that are tag-unaware.

The switch’s default is to assign all ports to a single 802.1Q VLAN named

“default.”

The default VLAN has a VID = 1

IEEE 802.1Q VLANs

Some relevant terms:

•

Tagging

– The act of putting 802.1Q VLAN information into the header of a packet.

•

Untagging

– The act of stripping 802.1Q VLAN information out of the packet header.

•

Ingress port

– A port on a switch where packets are flowing into the switch and VLAN decisions must be

made.

•

Egress port

– A port on a switch where packets are flowing out of the switch, either to another switch or to an

end station, and tagging decisions must be made.

IEEE 802.1Q (tagged) VLANs are implemented on the DGS-3224TGR 802.1Q VLANs require tagging, which enables

them to span the entire network (assuming all switches on the network are IEEE 802.1Q-compliant).

VLANs allow a network to be segmented in order to reduce the size of broadcast domains. All packets entering a VLAN

will only be forwarded to the stations (over IEEE 802.1Q enabled switches) that are members of that VLAN, and this

includes broadcast, multicast and unicast packets from unknown sources.

VLANs can also provide a level of security to your network. IEEE 802.1Q VLANs will only deliver packets between

stations that are members of the VLAN.

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

17

Any port can be configured as either

tagging

or

untagging

. The

untagging

feature of IEEE 802.1Q VLANs allows VLANs

to work with legacy switches that don’t recognize VLAN tags in packet headers. The

tagging

feature allows VLANs to

span multiple 802.1Q-compliant switches through a single physical connection and allows Spanning Tree to be enabled on

all ports and work normally.

The IEEE 802.1Q standard restricts the forwarding of untagged packets to the VLAN the receiving port is a member of.

The main characteristics of IEEE 802.1Q are as follows:

•

Assigns packets to VLANs by filtering.

•

Assumes the presence of a single global spanning tree.

•

Uses an explicit tagging scheme with one-level tagging

802.1Q VLAN Packet Forwarding

Packet forwarding decisions are made based upon the following three types of rules:

•

Ingress rules – rules relevant to the classification of received frames belonging to a VLAN.

•

Forwarding rules between ports – decides filter or forward the packet

•

Egress rules – determines if the packet must be sent tagged or untagged.

Figure 5- 1.

IEEE 802.1Q Packet Forwarding

DGS-3224TGR Gigabit Ethernet Switch User’s Guide

18

802.1Q VLAN Tags

The figure below shows the 802.1Q VLAN tag. There are four additional octets inserted after the source MAC address.

Their presence is indicated by a value of 0x8100 in the EtherType field. When a packet’s EtherType field is equal to

0x8100, the packet carries the IEEE 802.1Q/802.1p tag. The tag is contained in the following two octets and consists of

three bits of user priority, one bit of Canonical Format Identifier (CFI – used for encapsulating Token Ring packets so they

can be carried across Ethernet backbones) and twelve bits of VLAN ID (VID). The three bits of user priority are used by

802.1p. The VID is the VLAN identifier and is used by the 802.1Q standard. Because the VID is twelve bits long, 4094

unique VLANs can be identified.

The tag is inserted into the packet header making the entire packet longer by four octets. All of the information contained in

the packet originally is retained.

Figure 5- 2.

IEEE 802.1Q Tag

The EtherType and VLAN ID are inserted after the MAC source address, but before the original EtherType/Length or

Logical Link Control. Because the packet is now a bit longer than it was originally, the Cyclic Redundancy Check (CRC)

must be recalculated.

Figure 5- 3.

Adding an IEEE 802.1Q Tag