Embed Size (px)
Citation preview
Bridging Protocols Overview
Bridge Functions Consortium
Bridging Protocols
Filtering Database (802.1Q/802.1D) Spanning Tree Protocol (802.1D clauses 8 &
9) VLANs (802.1Q) GARP/GVRP (802.1D clause 12/802.1Q clause 11)
GARP/GMRP (802.1D clause 10 & 12) Link Aggregation (802.3ad)
Bridging History Back in the days before Ethernet was
the clear winning technology on the LAN, Token Ring and FDDI were popular
This meant two different methods of bridging
1) Source Route Bridginga. Used by Token Ring and FDDI
2) Transparent Bridginga. Used by Ethernet
Source Route Bridging Source Route Bridging allows load balancing
to avoid congestion. This is done by routing packets over two or more routes to a destination.
Switch 3
Switch 1Switch 2Source LAN
Server
Destination LAN
Transparent Bridging The transparent bridging method follows the plug
and play philosophy. Each bridge contains one (or more) Filtering
Databases that learn and remember MAC addresses on its networks.
Forwarding decisions are then made with consultation of the Filtering Database. If a destination MAC address has been learned, the packet is then forwarded out of that port.
These addresses then will be cleared from the Filtering Database if they are not active for a specific amount of time. This range is defined by Aging Time, which can be set in the management.
Filtering Database One database
contains MAC addresses, which port they’re on, and if they’re active or disabled
Duplicate MAC addresses not allowed (the second one would replace the first)
Entry MAC Addr Port active1 0800900A2580 1 yes2 002034987AB1 1 yes3 00000C987C00 2 yes4 00503222A001 2 yes56789
101112
Learning of Addresses The Filtering Database learns a station’s location
from the source address on an incoming frame
Switch
Frame with destination address00 22 22 33 33 44 is received on Port 4.
Port 1
Port 4
Frames with the destination address 00 22 22 33 33 44 are only forwarded on port 1
Frame with destination address00 22 22 33 33 44 is received on Port 4.
Frame with source address00 22 22 33 33 44 is received on Port 1.
This source address is“learned” by the filteringdatabase. All future frames destined for this MAC addresswill be forwarded ONLY out of this Port.
Destination address not yet learned. Packet is forwarded out all ports.
Multicast Frames Multicast Frames originate from one source
and have the possibility of going to more than one destination. An example of this is the Spanning Tree BPDU.
Switch 4
Switch 1
Shared LAN
Switch 3Switch 2
The Permanent Database Upon Bridge Initialization, a reserved block of Multicast
Addresses is transferred to the Filtering Database
Currently only 3 of these multicast addresses are standardized. The rest are reserved for future use. Frames containing these addresses in the source are never learned or forwarded.
Assignment ValueBridge Group Address (Span. Tree) 01 80 C2 00 00 00IEEE Std. 802.3, Full Duplex Pause Operation 01 80 C2 00 00 01Slow Protocols Multicast Address 01 80 C2 00 00 02Reserved for future standardization 01 80 C2 00 00 03
To01 80 C2 00 00 0F
Basic/Extended Filtering Services Bridges that support Basic Filtering Services
can dynamically learn all MAC addresses except those from the Permanent Database
These addresses can also be statically configured so that they do not age out
Switches filtering frames from the Permanent Database are said to support Basic Filtering Services
Extended Filtering Services are implemented by devices that support advanced features like GARP
Aging Time Aging time is defined as a range of 10 to one million
seconds One million seconds = 11 days 13 hrs 46 min and 40
sec The default time is 300 seconds The Filtering Database starts aging time when an
address is learned and resets it whenever another frame arrives on that port
Why is aging time important? When aging time expires, the address and port are discarded
from the Filtering Database.
Filtering Database Review Every bridge has a table called a
Filtering Database Entries in this table are updated upon
receipt of frames, the source addresses and the ports they arrive on are learned
Once a MAC address is associated with a port, frames containing that destination address are only forwarded out of that port
Filtering Database Review (cont.)
In real switches these tables vary in size, most have the capability of holding several thousand MAC addresses. I’ve seen one that has the capacity to learn more than 150,000 addresses (3Com9100).
Spanning Tree Protocol (STP)
“An algorithm,…, used to prevent logic loops in a bridged network by creating a spanning tree… When multiple paths exist,…, STA lets a bridge use only the most efficient one. If that path fails, STA automatically reconfigures the network to make another path become active, sustaining network operations…”
Definition of Spanning Tree Algorithm from Newton’s Telecom Dictionary.
The Spanning Tree PoemI think that I shall never seeA graph more lovely than a tree.
A tree whose crucial propertyIs loop-free connectivity.
A tree that must be sure to spanSo packets can reach every LAN.
First, the root must be selected.By ID, it is elected.
Least-cost paths from root are traced.In the tree, these paths are placed.
A mesh is made by folks like me,Then bridges find a spanning tree.
-Radia Perlman
What is a Spanning Tree?
Only one active path exists between any two devices.
Resembles a family tree. (problems arise in both when loops occur)
Why Spanning Tree? The purpose of Spanning Tree is to
have bridges dynamically discover a subset of the topology that is loop-free and yet has just enough connectivity so that there is a path between every pair of nodes in the LAN.
How does Spanning Tree work? The basic idea behind the Spanning
Tree Protocol is that bridges transmit special messages to each other that allow them to calculate a spanning tree
Configuration Bridge Protocol Data Units (BPDUs)
Sometimes referred to a Config. BPDUs
STP Example
Root
BA
D EC F
Port States Bridge ports operate the Spanning Tree
Algorithm using the following states: Blocking – incoming frames are discarded Listening – incoming frames are discarded, but
the port is in the process of transitioning to Learning
Learning – incoming frames are discarded, but their source addresses and ports are placed in the Filtering Database
Forwarding – incoming frames are forwarded, source addresses are learned
Disabled – the port is disabled by management
Configuration BPDUs The Configuration BPDU contains enough info
so that bridges can do the following:1) Elect a single bridge to be Root Bridge2) Calculate the distance of the shortest path from
themselves to the Root Bridge3) Elect a Designated Bridge for each LAN segment,
which is the bridge in the LAN segment closest to the Root Bridge, to forward packets from that LAN segment toward the Root Bridge.
4) Choose the port, called the root port, that gives the best path from themselves to the Root Bridge.
5) Select ports to be included in the spanning tree. These include only root ports and designated ports.
Inside Config BPDUs
Destination MAC Address: 01 80 C2 00 00 00
Special Multicast address for Spanning Tree
Root ID ID of the bridge assumed to be root
Bridge ID ID of the bridge transmitting BPDU
Cost Cost of least-cost path to the root from
the transmitting bridge (at least the best path of which the transmitting bridge is currently aware of)
Inside Config BPDUs
Protocol ID = 0x0000 Protocol Version ID and
BPDU Type = 0x00 If transmitting bridge is
Root, Message Age = Zero, otherwise it is set to the value of the Root Port’s Message Age timer plus an increment of one*
Path Cost Path costs are designed to be
associated with the speed of the link
Link Speed Recommendedvalue
Recommendedrange
Range
4 Mb/s 250 100–1000 1–65 535
10 Mb/s 100 50–600 1–65 535
16 Mb/s 62 40–400 1–65 535
100 Mb/s 19 10–60 1–65 535
1 Gb/s 4 3–10 1–65 535
10 Gb/s 2 1–5 1–65 535
Bridge Initialization Root ID set to Bridge ID Root Path Cost set to zero All ports on bridge become
designated ports Configuration BPDU transmitted on
each designated port Hello Timer is started
How this all works together
A bridge continuously receives Configuration BPDUs on each of its ports and saves the “best” configuration message from each port. The bridge determines the best configuration message by comparing not only the Configuration BPDUs received on a particular port, but also the configuration message that the bridge would transmit on that port.
How is “best” determined? Given two Configuration BPDUs—C1 and C2
—C1 is the “best” if: the root ID in C1 is numerically lower then the
root ID in C2 If the root IDs are equal, then if the cost in C1 is
numerically lower than the cost in C2 If the root IDs and cost are equal, then if the
Bridge ID in C1 is numerically lower than the Bridge ID in C2
The final tiebreaker is the port ID. Each port on a switch has a port ID. Useful if two ports from the same switch are on one LAN segment.
Transmitting BPDUs If Hold Timer is active the
Configuration BPDU will be transmitted upon expiration.
Ensures no more than one Configuration BPDU is transmitted per Hold Time period
Transmit only if Message Age < Max Age
After transmission Hold Timer is reset
BPDU Processing Received Configuration BPDU is
checked against stored BPDU If the received BPDU is better or
the same but with a smaller age, then stored BPDU is overwritten
Bridge then recalculates root, root path cost, and root port
Message Age Each Configuration BPDU contains
a message age field Incremented after every unit of
time If message age = max age then
the BDPU is discarded
“Root” or “Path to Root” Fails
Bridge will no longer receive fresh BPDUs
Gradually increases message age on currently stored Configuration BPDU
When max age occurs bridge will recalculate root, root path cost, and root port
Hello Time/Root BPDU Propagation The Root Bridge periodically transmits
Configuration BPDUs every hello time When the Root Bridge generates a
Configuration BPDU the message age field is set to 0
Upon receipt, Bridge will transmit Configuration BPDU on each port for which it is the Designated Bridge, and increment the message age by at least one*
Designated Bridge
Topology Change?
Stopping Loops during Topology Change
Use two substates: Listening and Learning
Data received while in these states is not forwarded
Received Configuration BPDUs are stored
Root, root path cost, and root port are calculated
Topology Change Procedure
1) Bridge notices that the Spanning Tree algorithm has caused it to transition a port into or out of the blocking state
2) Bridge periodically transmits a Topology Change Notification BPDU with same period as hello time. It continues this until the Root bridge acknowledges by setting the topology change bit in its Configuration BPDUs.
Topology Change Procedure (cont.)
3) A bridge that receives a Topology Change Notification BPDU on a port for which it is the Designated Bridge does two things:
1) Performs step 2 from previous slide (notifies the root bridge of topology change)
2) Sets the topology change acknowledgement flag in the next Configuration BPDU it transmits on the LAN from which the Topology Change Notification BPDU was received
4) Root Bridge sets the topology change flag in its Configuration BPDUs for a period equal to the sum of forward delay and max age, if the Root Bridge
a. Notices a topology change because one of its ports has changed state, or
b. Receives a topology change notification message
Topology Change Procedure (cont.)
5) A bridge that is receiving Configuration BPDUs with the topology change flag set (or the Root Bridge that is setting the topology change flag in its Configuration BPDUs) uses the forward delay timer until it starts receiving Configuration BPDUs without the topology change flag set
Topology Change Procedure (cont.)
Networkwide Parameters For correct operation some parameters
need to be uniform throughout the Spanning Tree. The Root Bridge includes the following values in its Configuration BPDUs:
1) Max age: time after which Configuration BPDUs are discarded
2) Hello time: interval, used by the Root Bridge, between issuing Configuration BPDUs
3) Forward Delay: amount of time in learning and listening states (half the time of transition from blocking to forwarding)
Management Parameters Bridge priority: a 2-octet value that
allows the network admin. to influence the choice of the Root Bridge and the Designated Bridge
Port Priority: a 1-octet value that allows the network admin. to influence the choice of port when a bridge has two ports connected to the same LAN segment
Why eliminate Loops? Loops cause traffic to build up in a
network until the network no longer function due to full bandwidth usage
A B
LAN Connection
Incoming broadcast frame
Performance Issues Two properties make bridge
performance crucial:1) Lack of receipt of BPDUs causes
bridges to add connectivity. If a bridge does not receive any Configuration BPDUs on some port it will take over as the Designated Bridge on that port.
2) Extra connectivity will cause loops
What affects Bridge Performance? Network Congestion Bridge will discard packets before
looking at them if CPU can’t keep up Bridge must be able to transmit
BPDUs no matter how congested the network is This involves being able to move
BPDUs to the front of the queue
VLANs (Virtual Local Area Network)
“A means by which LAN users on different physical LAN segments are afforded priority access privileges across the LAN backbone in order that they appear to be on the same physical segment on an enterprise-level logical LAN. VLAN solutions, which are priority in nature, are implemented in LAN switches, and VLAN membership is defined by the LAN administrator on the basis of either port address or MAC address.”
Definition of VLAN from Newton’s Telecom Dictionary.
How VLANs work:1) LAN Bridge receives tagged data from workstation2) Bridge reads current tag, and forwards data with a
VLAN ID (tag) corresponding to the VLAN the data came from (explicit tagging)
OR
1) LAN Bridge receives untagged data from workstation
2) Bridge determines the VLAN membership of data by noting the port on which it arrives (implicit tagging)
Basic VLAN Concepts Port-based VLANs
Each port on a switch is in one and only one VLAN (except trunk links)
Tagged Frames VLAN ID and Priority info is inserted (4 bytes)
Trunk Links Allow for multiple VLANs to cross one link
Access Links The edge of the network, where legacy devices
attach Hybrid Links
Combo of Trunk and Access Links
Basic VLAN Concepts (cont.)
Priority-tagged frame tag header carries priority info., but
no VLAN ID VLAN-tagged frame
tag header carries both VLAN ID and priority info.
Port VLAN ID (PVID) provides the VID for untagged and
priority-tagged frames received on that Port
Trunk Link
Attaches two VLAN-aware switches Carries Tagged frames ONLY.
Access Links
Access Links are Untagged for VLAN unaware devices
The VLAN switch adds Tags to received frames, and removes Tags when transmitting frames.
VLAN ID (Tag)
4 Bytes inserted after Destination and Source Address
Length/Type Field VLANs = 0x8100
Priority Bit Range: 0-7
VLAN ID Range: 0-4094
Tagging Conversions
Port VLAN ID Each port has a VLAN ID configured
on it Indicates which VLAN untagged data
should be associated with Does not constrain the port to a
specific VLAN, nor does it mean that only untagged data can be processed
Sample VLANs
Traffic Segregation
Workgroups: Physically Defined
A mobile user from workgroup C, in building 2, needs to do work in building 1. By physically changing buildings he must change the workgroup section of the LAN which he/she is in.
VLANs: Logically Defined With VLANs
he/she can physically change buildings, but remain in the same workgroup.
Broadcast Domains (Layer 2) broadcast domain: a network (or portion
of a network) that will receive a broadcast packet from any node located within that network
broadcast packet: an Ethernet packet sent to the broadcast address (FF:FF:FF:FF:FF:FF) which designates the packet as destined for all nodes in the broadcast domain
Constricting Broadcast Domains What defines the edge of a layer 2
broadcast domain? Router: does not forward layer 2
broadcast frames Filtering Database: by configuring the
broadcast address to be not forwarded VLANs: broadcast packets are tagged
so they do not leave the configured topology of the VLAN
Security Data is contained in the VLAN’s
topology By allotting sensitive data its own
VLAN, only those nodes in the VLAN will see it.
GARP/GVRP Generic Attribute Registration
Protocol
GARP VLAN Registration Protocol
How does GARP work? Devices declare their desire for a given
attribute by making a declaration Done by issuing a Join event Declarations can be withdrawn by
issuing a Leave event Devices enter a registration for an
attribute on a given port when they hear a declaration for the attribute on that port
GARP General-purpose protocol that
supports a specific class of applications within bridges
Defines a subset of the spanning tree that contains devices interested in a given network commodity
Referred to as an attribute
GVRP - GARP VLAN Registration Protocol
Disadvantages to Static VLANs Static VLANs are created via
management Must be maintained by a network
admin Static VLANs must be reconfigured for
every network topology change
GVRP Simplifies All This! GVRP creates dynamic VLANs
No manual configuration needed GVRP is maintained by the devices
themselves Topology change? No problem, GVRP
recreates the dynamic VLAN automatically
What can GVRP do for you? Allows the creation of VLANs with a
specific VID and a specific port, based on updates from GVRP-enabled devices.
Advertises manually configured VLANs to other GVRP-enabled device. As a result of this the GVRP-enable devices in the core of the network need no manual configuration in order to inter-operate.
GVRP Info GVRP is a GARP application that
registers attributes for dynamic VLANs
GVRP deals only with the management of dynamic VLANs
Everything that you have learned about static VLAN packet format and transmission applies
How GVRP does all this: The method of advertisement used
by GVRP-enabled devices consists of sending Protocol Data Units (PDUs), similar to Spanning Tree BPDUs, to a known multicast MAC address (01 80 C2 00 00 21) to which all GVRP-enabled devices listen to for updates. GVRP advertisement follows the definition of GARP.
What do these PDUs contain?
A single PDU may contain several different messages telling the GVRP-enabled device to perform a specific action. Join: register the port for the specified VLAN Leave: de-register the port for the specified
VLAN LeaveAll: de-register all VLAN registrations on that
port Empty: request to re-advertise dynamically
and statically configured VLANs
Industry Implementation Example 3Com manufactures Network Interface Cards that
take advantage of GVRP Accessed via the Control Panel (DynamicAccess
®
) Extremely easy to configure
Windows screenshot —>
Vendors (current): Cisco Systems, 3Com and Hewlett Packard
Several others are developing working implementations also.
Example: GARP/GVRP
S
SS
E ERED GOLD
EE
THE END
Any Questions?
