Managed Ethernet Switches & VLANs

Switches and bridges may be managed, allowing a network operator to control them remotely. These bridges include a processor that can control the configuration of a filter table. This additional table is checked before a bridge/switch forards a frame. It can be used to add extra security by denying access between specified groups of Ethernet MAC addresses to enforce a security policy.

Managed bridges can collect information about the network - such as to indicate teh MAC source address of equipment connected to a port, or remotely capture an Ethernet frame for analysis by the network operator.

Three common enhancements for managed switches support:

Priority Queuing

End Hosts and Routers with sophisticated NICs can signal the priority associated with a frame. This uses the extra 4 byte "tag" field defined by 802.1Q inserted between the Ethernet frame MAC header and the Ethernet frame payload. The same header may also be used to associate the frame with a particular VLAN. In this way the systems can indicate the VLAN to which a frame should be sent. VLAN-enabled switches are able to read these tag fields and allow configuration by the system administrator to specify whether tags should be added/removed in the frames that they forward.

Virtual LANs

Virtual LANs, (VLANs) as defined by IEEE 802.1Q, are of two forms:

Most modern managed switches support virtual LANs (VLANs) allowing the network to be divided into a set of broadcast domains, each of which can support independently operating IP networks.

Each VLAN forms a Layer 2 broadcast domain. In effect, this divides the forwarding table inside the switch into separate VLANs, preventing forwrading between sets of ports in different VLANs. The ports connecting switches together can be configured to support more than one VLAN by using 802.1pQ tagging to associate each frame with its corrsponding VLAN. VLANs are typically used to provide traffic separation – either to enhance performance or to provide security. When used with IP, each VLAN usually corresponds to one or more IP networks.

An IEEE VLAN interface (sometimes known as dot1q), such as provided on the LAN interface of a switch, is said to be in one of two modes:

Note: Some equipment supports the idea of a native VID for a trunk port. In this case, frames that do not carry a VLAN tag are implicitly associated with the default VLAN for the interface. Some equipment does not recognise this mode and will ignore untagged frames.

Note: A L2 protocol may be used to announce creation or deletion of a VLAN throughout a L2 domain. In a managed network, a policy server may also be used to dynamically associate layer 2 ports with specific MAC addresses and VLANs. The IEEE has defined Multiple VLAN Registration Protocol (MVRP). This was formerly known as GARP VLAN Registration Protocol (GVRP). It is a layer 2 protocol that enables automatic configuration of VLAN information on switches. VTP is a CISCO-proprietary protocol that also automates VLAN configuration.

An IP router that receives frames from a VLAN interface, access or trunk, does not propagate the 802.1Q tag on the outgoing interface. That is, the output VID (if any) is assigned based on the routing decision and not on the VID value associated with a received frame. In this way, an IP router will normally change the VID associated with an IP packet as it performs L2 forwarding. There are no standards for layer 3 switching devices, and hence their treatment of VLANs is proprietary and can result in VIDs being propagated across a L3 switch. In a routed network, the VID can also be propagated over the router by tunnelling the Ethernet frames over IP (e.g. using L2TP, RFC3931).

The 802.1Q Tag

The IEEE 802.1Q standard defines the format of a 4 byte “tag” field. The presence of a tag is indicated by the Ethertype value of 0x8100. The remainder of the tag has 3 parts: a fixed tag protocol identifier (0x8100 in hex), a user priority value ranging from 0 to 7 (called an 802.1p value) a format identified and the Virtual LAN information (VLAN id).

Note: if the VLAN id is 0, the tag contains only user priority information (this allows the 802.1Q tag to be used when VLANs are not being used).

The tag is followed by the actual EtherType value for the frame payload (e.g x0800 for an IP packet). i.e. the 4-byte tag field defined by the IEEE 802.1Q standard is inserted between the MAC source address and the Ethetrype field in an Ethernet frame. That is, the type of the frame becomes 0x8100, and the Tag itself is followed by the type of the frame payload.

Note: The Tag adds to the total frame size, and the Ethernet NICs that suppport the use of Tags therefore need to be able to send/receive slightly larger Frames. Trunk mode therefore requires IEEE 802.3ac, where the maximum frame size is extended to 1522 bytes.

The format of the header is:

Advanced use of VLANs

Q-in-Q Tags

In metro-Ethernet, two VLAN Tags may be stacked (used one after another in a frame header) to increase this number of VIDs.

Provider Bridging

The IEEE has defined a standard that allows multiple levels of VLANs to be used, in a method known as provider bridging. This simply allows additional tag fields to be placed before an existing VLAN. At the destination, the additional tag is removed.

The standard is specified in 802.1ad, which identifies the tag value as 0x88a8 in the S-TAG and 0x8100 in the C-TAG.

In IEEE 802.1ad the CFI is replaced by a Drop Eligability Indicator (DEI), increasing the functionality of the PCP field.

Some MAC addresses have different mappings, e.g.

Note; Pre-standard implementations are sometimes referred to as "QinQ" and may use 0x8100 in both tags. This is not specified in 802.1ad. 802.1ad provider bridge uses the standard 0x88a8 in the S-TAG and 0x8100 in the C-TAG. At least on major manufacturer uses a default value of 0x9100 (Juniper), and this continues in practical use, although is being replaced by the 802.1ad specification.


Gorry Fairhurst - Date: 18/03/2012 EG3557