This note mainly records:

  1. The problems VLANs solve
  2. The concepts VLANs involve
  3. The structure of a VLAN
  4. How VLANs work

The tutorial covers the following three parts, but they are not recorded here:

  1. How switches (bridges) exchange information with each other
  2. Configuration details
  3. Whether the member set and untagged set maintained by a switch are used independently or shared between switches

Also, this part needs no diagrams, Yay~


Why VLANs exist

  1. Without VLANs, layer 2 switches/bridges forward received broadcast and multicast frames to all ports (i.e. unrestricted broadcasting)
    This causes two problems:
    • it wastes bandwidth
    • it creates security problems
  2. Easy administration of logical groups of stations (VLANs), as well as moves, adds and changes in the members of these groups.
  3. Traffic between VLANs is firewalled. The propagation of multicast and broadcast traffic between VLANs is limited.
    • Stations in different VLANs cannot send to each other directly; traffic must be relayed through a router
    • Under a VLAN architecture, a frame sent by any member is delivered only to the members of that VLAN, not to the whole network

VLAN characteristics

  1. Both shared and point-to-point media support VLANs
  2. Every VLAN has a unique ID (VID)
  3. VLAN-aware switches/bridges and VLAN-unaware ones are mutually compatible
  4. In the absence of VLAN configuration, switches/bridges work plug-and-play (most layer 2 devices have this property: they operate as soon as they are powered on)

VLAN architecture

A VLAN can be divided into three levels:

  1. Configuration

    First configure, for example, which station belongs to which VLAN; this configuration is set directly on the switch
    There are four ways to partition VLANs:

    1. Port-based VLAN: the port, rather than the station, is what identifies the VLAN; this is also how IEEE 802.1Q implements it
    2. MAC-based VLAN: the station, rather than the port, identifies the VLAN; this is more flexible and supports moving devices
    3. IP-subnet based VLAN
    4. Layer-3 protocol (IP/IPX) based VLAN
  2. Distribution/Resolution

    Inform the other switches of the configuration above
    Distribute VLAN membership information for Bridges to determine on which VLAN a given packet should be forwarded
    Implementation methods:

    1. Declaration protocols (the usual choice)
      GARP (Generic Attribute Registration Protocol) is used to distribute membership information among Bridges
    2. Request/Response protocols
  3. The switch's concrete handling of a frame, which divides into three steps:

    1. Determine which VLAN the frame came from (Ingress rules: based on the VID, decide whether to forward or filter)
    2. Determine which ports the members of that VLAN are on (Forwarding rules)
    3. Decide whether to attach the VLAN's tag when the frame leaves through a given port (Egress rules)

    When a switch receives a frame:

    1. If it carries no tag (implicitly tagged), the port it arrived on identifies it, and the PVID (port VID) is used to mark the VLAN it belongs to
    2. If it carries a tag with a VID (explicitly tagged), the tagged VID states unambiguously which VLAN it belongs to

Port-Based VLAN Definitions

  1. VLAN aware devices understand VLAN membership and VLAN frame format
  2. VLAN unaware devices
  3. An Access Link is a LAN segment used to multiplex one or more VLAN unaware devices into a port of a VLAN Bridge (every device on this link other than the switch is VLAN unaware)
    1. All frames on an access link are implicitly tagged
    2. No VLAN tagged frames on an access link
    3. Viewed as being on the edge of the network
    4. Can be attached to other 802.1D-conformant Bridged LANs (BLANs) (compatible with legacy systems)
  4. A Trunk Link is a LAN segment used to multiplex VLANs between VLAN Bridges
    1. All devices connected to a Trunk Link must be VLAN aware
    2. All frames (including end station frames) on a Trunk Link are explicitly tagged with a VID
  5. A Hybrid Link is a LAN segment that has both VLAN aware and unaware devices. There can be a mix of Tagged Frames and Untagged Frames but they must be from different VLANs.

    Rules for Tagging Frames on a Hybrid Link:

    1. For each VLAN, all frames traversing a particular hybrid link must be tagged the same way:
      • All implicitly tagged or
      • All carrying the same explicit tag
    2. There can be a mix of implicitly and explicitly tagged frames but they must be for different VLANs

Spanning tree and VLAN

  1. All VLANs are built along the spanning tree
  2. Each VLAN is just a subset of the spanning tree
  3. The paths of different VLANs may overlap or may be completely separate
  4. VLAN topologies are homomorphic, but however they change dynamically they are always a subset of the spanning tree

Bridge Operation for VLAN

For every VLAN, the bridge maintains 2 structures:

  1. Member set (Port ids)
  2. Untagged set (Port ids)

Configure the bridge => switches exchange information => every bridge generates the two data structures above

When a frame enters a bridge, the bridge first determines which VLAN the frame belongs to, then looks up the Member set to see whether the destination port is in it; if not, the frame is filtered out. This is why a broadcast within a VLAN is received only by members of that VLAN.


VLAN tag structure

It consists of 2 parts:

  1. Tag Protocol Identifier (TPID): marks (81-00) whether this frame is VLAN tagged
  2. Tag Control Information (TCI, 2 bytes)
    1. User Priority (0~7): the higher the priority, the earlier the frame may be sent; represented with 3 bits
    2. Canonical Format Indicator (1 bit)
    3. VID (VLAN Identifier), 12 bits (2^12 = 4096), so there can be at most 4096 VLANs

The TPID has two encodings: Ethernet-encoded TPID (2 bytes) and SNAP-encoded TPID (8 bytes)
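As an added example (not from the original note or the 802.1Q text), the Python below ties the tag layout in this section to the bridge operation described under "Bridge Operation for VLAN": it parses the Ethernet-encoded TPID and TCI, applies the ingress (PVID/VID), forwarding (Member set) and egress (Untagged set) rules, and floods to member ports as a broadcast would. Port numbers, VIDs and frame bytes are constructed values for illustration.

```python
import struct

TPID_8021Q = 0x8100  # Ethernet-encoded TPID, the "81-00" in the note

def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, pcp, rest).
    vid is None for an untagged (implicitly tagged) frame; rest starts at
    the EtherType that follows the addresses (or follows the tag)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, 0, frame[12:]
    tci = struct.unpack("!H", frame[14:16])[0]
    pcp = tci >> 13          # 3-bit User Priority
    vid = tci & 0x0FFF       # 12-bit VLAN Identifier (CFI bit 12 ignored here)
    return dst, src, vid, pcp, frame[16:]

def build_tag(vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """4-byte 802.1Q tag: TPID followed by TCI = PCP(3) | CFI(1) | VID(12)."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (cfi << 12) | (vid & 0x0FFF))

class VlanBridge:
    """Constructed model of one bridge: PVID per port plus the per-VLAN
    Member set and Untagged set from the note (no MAC learning)."""
    def __init__(self, pvid, member_set, untagged_set):
        self.pvid = pvid                  # port -> PVID for untagged ingress
        self.member_set = member_set      # vid -> set of member ports
        self.untagged_set = untagged_set  # vid -> ports that send untagged

    def relay(self, in_port: int, frame: bytes) -> dict:
        """Return {out_port: frame_as_sent}; empty dict means filtered."""
        dst, src, vid, pcp, rest = parse_frame(frame)
        if vid is None:                   # ingress rule: classify by PVID
            vid = self.pvid[in_port]
        members = self.member_set.get(vid, set())
        if in_port not in members:        # ingress filtering: not a member
            return {}
        out = {}
        for port in members - {in_port}:  # forwarding rule: flood to members
            if port in self.untagged_set.get(vid, set()):   # egress rule
                out[port] = dst + src + rest                 # strip the tag
            else:
                out[port] = dst + src + build_tag(vid, pcp) + rest
        return out

if __name__ == "__main__":
    bridge = VlanBridge({1: 10, 2: 10, 3: 20}, {10: {1, 2, 5}, 20: {3, 5}},
                        {10: {1, 2}, 20: {3}})  # port 5 is the trunk
    frame = b"\xff" * 6 + bytes.fromhex("001122334455") + b"\x08\x00" + b"hi"
    for port, sent in bridge.relay(1, frame).items():
        print(port, sent.hex())
```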