Managed Ethernet Switches & VLANs

Managed Bridges

Low cost consumer and office switches are typically plug and play devices that require no configuration. In contrast, enterprise grade switches and bridges often include a processor (CPU) that allows the bridge to be managed. By connecting a cable to the console port, or by accessing the CPU across the network, a network operator can remotely control the operation of the switch.

Most managed bridges can collect information about the frames that they receive. For instance, they can count the number and types of frames received, or the number of interface errors observed. They could also store a list of the MAC source addresses of equipment that was connected to a port, or remotely capture an Ethernet frame for analysis by a network operator. All of this helps in operating a large LAN.

Address and Filter Tables

As well as being able to report on the content of the address table (e.g., using the Cisco command "show MAC address"), a processor on a managed bridge can be used to configure a filter table. This additional table is checked before a bridge/switch forwards a frame. It can be used to add extra security by denying access between specified groups of Ethernet MAC addresses, to enforce a security policy.

Spanning Tree

A managed switch/bridge can enable the Spanning Tree Protocol.

Tagged Ethernet Frames

A managed Ethernet switch can also be configured to read the EtherType field of a MAC frame, and perform forwarding that is based on the value of this field.

One commonly supported EtherType is used to indicate a Tagged frame. By reading and setting this field within the MAC frame, a managed switch can support:

Priority Queuing

End Hosts and Routers with sophisticated NICs can signal the priority associated with a frame. This uses the extra 4 byte "tag" field defined by 802.1Q inserted between the Ethernet frame MAC header and the Ethernet frame payload. The same header may also be used to associate the frame with a particular VLAN. In this way the systems can indicate the VLAN to which a frame should be sent. VLAN-enabled switches are able to read these tag fields and allow configuration by the system administrator to specify whether tags should be added/removed in the frames that they forward.

Virtual LANs

Most modern managed enterprise switches support virtual LANs, allowing the network to be divided into a set of broadcast domains, each of which can support independently operating IP networks. Virtual LANs (VLANs) are defined by IEEE 802.1Q.

When an operator decides to configure VLANs, the management information is changed so that some ports are associated with a non-default VLAN. These configured ports can be in one of two additional modes, Access Mode or Trunk Mode, described below.

End systems are typically connected to an interface port configured to be in the Default Mode or in an Access Mode. VLANs are typically used to provide traffic separation – either to enhance performance or to provide security. When used with IP, each VLAN usually corresponds to an IP network.

A single VLAN is associated with each MAC address. More complex variations are also possible (see advanced VLAN page).

Figure showing an example LAN using a set of switches to form the network connecting 3 groups of users to a data centre switch and 3 servers.

The figure above shows a VLAN deployment scenario. In this example, the three servers (coloured orange, green and blue) are still within a data centre, connected by a high-speed enterprise switch.

The upper two switches connect work groups from multiple VLANs using managed switches. Each switch interface port on the left is operated in Access Mode, with the right interface port operating in Trunk Mode. For example, the top switch has one port connecting a NIC to the green server using the green VLAN-ID; this port needs to receive green VLAN frames. The top switch also has ports associated with other coloured VLANs. The traffic between the switches uses a common Trunk cable, with transmission using tagged 802.1pQ frames (shown in red). Inside the switch these are processed as VLANs, allowing the switch to be divided internally to function as several separate switches, one for each VLAN. Each VLAN forms a separate Layer 2 broadcast domain.

The third workgroup LAN (green) is fed by a switch with only the “green” VLAN frames. The green switch operates as a standard Ethernet switch connecting a workgroup of servers, with a link to the data centre switch (bottom) functioning in the default (untagged) mode. This could be a managed Ethernet switch where all ports are placed in the Default Mode.

The data centre switch (bottom) connects to the green switch using a port in the Access Mode, associating all green traffic from the work group with the green VLAN-ID. It also provides Trunk Mode port interfaces to the two upper workgroup switches, which have been configured to support all VLANs. It provides dedicated links to each of the orange, blue and green servers. These links carry only one VLAN each, and operate in the Access Mode for their configured VLAN.

The next subsections explain these modes in more detail.

Default Mode Port (No VLAN configured)

End systems are typically connected to a port configured to be in the default mode. A switch is normally supplied with all ports assigned to the default VLAN, and behaves like any other plug and play switch. The switch uses the default address and filter tables. No 802.1Q tags are added or removed by the switch.

Access Mode Port

Any interface port configured to be in the Access Mode has a configured VLAN-ID. The frames sent and received on the interface port are normal frames: they do not carry a VLAN Tag to associate them with a specific VLAN-ID.

However, when the frame is received by the switch it associates the frame from an access mode switch port with the configured VLAN-ID and selects the corresponding address table and filter tables that are associated with this VLAN-ID. The configuration of these tables ensures that broadcast frames are only sent to interface ports that belong to the same VLAN-ID.

No frames that are forwarded by the interface port will carry an 802.1pQ Tag.

Trunk Mode Port

Any interface port configured to be in the Trunk Mode has one or more configured VLAN-IDs. The frames sent and received on the interface port can carry a VLAN tag, with the VLAN-ID present in the 12-bit VID field. Some switches allow a trunk mode interface port to also carry normal (untagged) frames.

Equipment connected to an interface port in trunk mode needs to be able to set and read the 802.1 Tag field in Ethernet frames. Examples of this type of equipment are another switch that has also configured a Trunk Mode interface; a router that has configured a Trunk Mode interface; or a server NIC that has configured a Trunk Mode interface.

Each tagged frame that is received by the switch from an interface port in Trunk Mode is associated with the VLAN-ID that is present within the 802.1 Tag. These Tag values indicate which VLAN the frame belongs to. A frame with no tag value is associated with the default VLAN-ID.

Each frame is then forwarded based on its explicitly associated VLAN-ID. The VLAN-ID selects the corresponding address table and filter tables that are associated with this VLAN-ID. The configuration of these tables ensures that broadcast frames are only sent to interface ports that belong to the same VLAN-ID, but different frames can have different VLAN-IDs and be processed by different sets of tables.

Trunk Mode also changes the way switches send frames to an interface port. Frames to be forwarded to an interface in the trunk mode usually carry a VLAN tag to specify the VLAN-ID. This might require the switch to add a tag to a frame that was received from an interface port in the access or default mode. This mode allows several VLANs to be sent over the same interface, and results in several interfaces in a connected L2 bridge or IP router, one for each active VLAN. In Trunk Mode the interface allows frames to be encapsulated with an 802.1Q tag, and each frame is explicitly associated with the VLAN-ID that is present in the 12-bit VID field.

(An IP router can connect using a trunk port and be configured to forward packets between VLANs when needed.)

Note: Some equipment supports the idea of a native VID for a trunk port. In this case, frames that do not carry a VLAN tag are implicitly associated with the default VLAN for the interface. Some equipment does not recognise this mode and will ignore untagged frames.
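The following Python is an added example, not code from this page or from any switch vendor, that models the behaviour described in the Address and Filter Tables, Access Mode Port and Trunk Mode Port sections above: a frame received on an access port is classified by the port's VLAN-ID, a tagged frame on a trunk by its VID, an untagged frame on a trunk by the native VID, a per-VLAN address table is learned from source addresses, and a filter table denies forwarding between configured groups of MAC addresses. The port names, MAC addresses, and the choice of VLAN-ID 1 as the default VLAN are assumptions made for the example.

```python
"""Model of a VLAN-aware learning switch (added example, not the page's code).

Assumptions: VLAN-ID 1 is the default VLAN; a trunk's untagged frames belong to
its native VLAN-ID; access/default ports never send or accept tagged frames."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEFAULT_VID = 1  # assumed default VLAN-ID


@dataclass
class Port:
    name: str
    mode: str                              # "default", "access" or "trunk"
    vid: int = DEFAULT_VID                 # access VLAN-ID, or native VLAN-ID of a trunk
    allowed: FrozenSet[int] = frozenset()  # VLAN-IDs a trunk carries (empty = all)


@dataclass
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None              # None: no 802.1Q tag on the wire


class Switch:
    def __init__(self, ports: List[Port],
                 deny: Tuple[Tuple[FrozenSet[str], FrozenSet[str]], ...] = ()):
        self.ports = {p.name: p for p in ports}
        self.addr_tables: Dict[int, Dict[str, str]] = {}  # vid -> {mac: port name}
        self.deny = deny                   # filter table: pairs of MAC groups

    def filtered(self, frame: Frame) -> bool:
        """True if the filter table forbids traffic between src and dst."""
        for a, b in self.deny:
            if (frame.src in a and frame.dst in b) or (frame.src in b and frame.dst in a):
                return True
        return False

    def ingress_vid(self, port: Port, frame: Frame) -> Optional[int]:
        """Classify a received frame to a VLAN-ID; None means the frame is dropped."""
        if port.mode == "trunk":
            if frame.vid is None:
                return port.vid            # native VLAN-ID for untagged frames
            if port.allowed and frame.vid not in port.allowed:
                return None                # VLAN not carried on this trunk
            return frame.vid
        if frame.vid is not None:
            return None                    # tags are not accepted on access/default ports
        return port.vid                    # default ports carry DEFAULT_VID

    def egress(self, port: Port, vid: int, frame: Frame) -> Optional[Frame]:
        """Frame as it leaves this port, or None if the port is not in the VLAN."""
        if port.mode == "trunk":
            if port.allowed and vid not in port.allowed:
                return None
            # tag is added unless the VLAN is the trunk's native VLAN-ID
            return Frame(frame.src, frame.dst, None if vid == port.vid else vid)
        if port.vid != vid:
            return None
        return Frame(frame.src, frame.dst, None)  # access/default: untagged

    def receive(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Process one received frame; returns {port name: frame sent}."""
        vid = self.ingress_vid(self.ports[in_port], frame)
        if vid is None or self.filtered(frame):
            return {}
        table = self.addr_tables.setdefault(vid, {})
        table[frame.src] = in_port         # learn the source address in this VLAN
        known = table.get(frame.dst)
        if frame.dst != BROADCAST and known is not None:
            targets = [known]
        else:
            targets = list(self.ports)     # flood, but only within the VLAN
        out = {}
        for name in targets:
            if name == in_port:
                continue
            sent = self.egress(self.ports[name], vid, frame)
            if sent is not None:
                out[name] = sent
        return out


def demo() -> Dict[str, Frame]:
    """Constructed scenario: orange (10) and green (20) access ports plus a trunk."""
    sw = Switch(
        [Port("orange1", "access", 10), Port("green1", "access", 20),
         Port("uplink", "trunk", DEFAULT_VID, frozenset({10, 20, 30}))],
        deny=((frozenset({"00:00:00:00:00:0a"}), frozenset({"00:00:00:00:00:0d"})),),
    )
    # a green host broadcasts: flooded only to the trunk, tagged with VID 20
    sw.receive("green1", Frame("00:00:00:00:00:0a", BROADCAST))
    # an orange frame arrives tagged on the trunk and leaves the access port untagged
    return sw.receive("uplink", Frame("00:00:00:00:00:0b", "00:00:00:00:00:0c", vid=10))


if __name__ == "__main__":
    print(demo())
```

The model makes the security property of VLANs explicit: because the flood loop asks each port whether it is a member of the frame's VLAN-ID, a broadcast from the green access port never reaches the orange one, and a tagged frame arriving on an access port is discarded rather than trusted to choose its own VLAN.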

The 802.1Q Tag

The IEEE 802.1Q standard defines the format of a 4 byte “tag” field. The presence of a tag is indicated by the EtherType value of 0x8100. The tag begins with this fixed tag protocol identifier (0x8100 in hex); the remainder of the tag has 3 parts: a user priority value ranging from 0 to 7 (called an 802.1p value), a format identifier, and the Virtual LAN information (VLAN ID).

Format of the 802.1pQ Tag inserted between the MAC header and the Ethernet frame payload

Note: if the VLAN ID is 0, the tag contains only user priority information (this allows the 802.1Q tag to be used when VLANs are not being used). The priority information can be used by a managed switch to select which queue is used to buffer any packets that cannot be immediately processed.

The tag is followed by the actual EtherType value for the frame payload (e.g. 0x0800 for an IP packet). That is, the 4-byte tag field defined by the IEEE 802.1Q standard is inserted between the MAC source address and the EtherType field in an Ethernet frame: the type of the frame becomes 0x8100, and the Tag itself is followed by the type of the frame payload.

Note: The Tag adds to the total frame size, and Ethernet NICs that support the use of Tags therefore need to be able to send/receive slightly larger frames. Trunk mode therefore requires IEEE 802.3ac, where the maximum frame size is extended to 1522 bytes.
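The tag layout described in this section (EtherType 0x8100, then the 802.1p priority, the format identifier bit and the 12-bit VID, followed by the payload's own EtherType) can be checked by building and parsing frames byte by byte. The Python below is an added example, not code from the page; the MAC addresses and payloads are constructed inputs, and the `frame_fits` check treats the 1518/1522 byte limits as including the 4-byte FCS that the builder does not append.

```python
"""Build and parse the 4-byte IEEE 802.1Q tag (added example, not the page's code)."""
import struct

TPID_8021Q = 0x8100         # EtherType value that announces a tag
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4                 # trailing CRC, not produced by build_frame
MAX_UNTAGGED_FRAME = 1518   # IEEE 802.3: 14-byte header + 1500 payload + FCS
MAX_TAGGED_FRAME = 1522     # IEEE 802.3ac: one 4-byte tag added


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid=None, pcp: int = 0, dei: int = 0) -> bytes:
    """Return dst | src | [TPID TCI] | ethertype | payload (no FCS).

    vid=None produces an untagged frame. vid=0 produces a priority-only tag:
    the frame carries an 802.1p value but no VLAN membership."""
    if vid is not None and not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        # TCI = 3-bit priority | 1-bit format identifier (CFI/DEI) | 12-bit VID
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the MAC header and, if present, the 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]),
            "vid": None, "pcp": None, "dei": None}
    (etype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])   # tag, then real EtherType
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = etype
    info["payload"] = frame[offset:]
    info["priority_only"] = info["vid"] == 0
    return info


def frame_fits(frame: bytes, link_max: int) -> bool:
    """True if frame plus FCS fits the link's maximum frame size."""
    return len(frame) + FCS_LEN <= link_max


if __name__ == "__main__":
    # constructed example: IPv4 frame tagged with VID 100, priority 5
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                    b"\x45" * 20, vid=100, pcp=5)
    print(f[:18].hex(), parse_frame(f))
    big = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4,
                      b"\x00" * 1500, vid=10)
    print(frame_fits(big, MAX_UNTAGGED_FRAME), frame_fits(big, MAX_TAGGED_FRAME))
```

The last two lines of the demo show the 802.3ac point directly: a full 1500-byte IP payload fits an untagged frame exactly, but the same payload with a tag is 1522 bytes on the wire and is only legal on a link that accepts the extended maximum.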

The format of the header is:


Gorry Fairhurst - Date: 18/11/2020