Lecture 3
VLANs
VLANs work like multiple virtual switches
Can be used to:
- Split broadcast domain
- Increase access control (and possible security)
Subnet vs VLAN
Subnet: IP address space (layer 3) that defines which hosts can directly communicate w/o a router. The boundary is the router
VLAN: a way of grouping physical switch ports into groups. The boundary is the switch
Usually 1 VLAN is mapped to 1 subnet
Multiple subnets on 1 switch:
Broadcasts still get flooded
Need a router to go from one subnet to the other
Multiple VLANs on 1 subnet:
Devices will get confused, since they cannot talk to devices in their subnet, while they expect that to be possible
Again, need a router in between
Can technically be done, but bad design
You can span multiple VLANs over multiple switches by using trunk ports
They carry data of multiple VLANs between switches
The trunk port is not actually a member of VLAN1, it never is part of a VLAN
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909104542.png)
SAT: Source Address Table
802.1q is used to facilitate the trunk line
If going from PC 1 to PC 4, step 6 would send it to the router
From PC 1 to PC 3, it will go trunk -> router -> trunk -> PC3
VLAN cheat sheet:
Scaling considerations
• How big is the network and how far does the traffic have to go?
Physical location - Static versus Dynamic
• Do the nodes occupy the same office? Floor? Building? Are there nodes outside of a
location that should be part of the same VLAN? Are the nodes moving around or are they
stationary?
Traffic patterns and applications
• Over what pathways do packets/frames travel? Why is the traffic there? What are the
hosts trying to do? Is most of the flow internal or external? Is this pattern changing? What
do nodes have in common? Are there shared resources or traffic patterns?
Network management
• Is SNMP or some other management protocol running? How will you get to all of
the nodes?
IP addressing scheme
• What does the IP address space look like? How many nodes will be in each VLAN?
Common security requirements
• Are these nodes servers? End nodes? Wireless? Do the nodes represent vital company
resources? Are these public facing machines?
Quality of service
• Are there quality of service concerns?
Network Loops
Broadcast storms can occur when there are multiple L2 paths between nodes
There is no TTL to stop the looping frame
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909105424.png)
Multiple routes from A -> F, B, C, D, E do not know the destination and will keep flooding, creating a storm
Multiple routes can be used for redundancy or capacity, not always a mistake
Spanning Tree Protocol (STP)
I think that I shall never see
A graph more lovely than a tree.
A tree whose crucial property
Is loop-free connectivity.
A tree that must be sure to span
So packets can reach every LAN.
First, the root must be selected.
By ID, it is elected.
Least-cost paths from root are traced.
In the tree, these paths are placed.
A mesh is made by folks like me,
Then bridges find a spanning tree
Eliminate edges until the result is loop free
Transform the graph into a tree
Changes in the physical topology will cause the tree (logical topology) to change
A root bridge is elected as the root of the tree
Tree
- Restricted form of graph
- One vertex called the root
- All vertices have a path to the root
- The graph is undirected and acyclic
Tree terminology
- Each vertex (except the root) has a parent, the adjacent vertex closer to the root
- Adjacent vertices further from the root are child vertices
- A vertex with no children is a leaf
LAN segments
Shared-media networks in which each device shares the network bandwidth with other devices on the same network
Configuration messages
Layer 2 messages
Each bridge has an ID based on:
- A configurable priority (2 bytes)
- One of its MAC addresses (6 bytes)
A bridge transmits the following information on all attached LAN segments:
- The ID of the currently perceived root (initially it's own ID)
- Cost of the best path to the root (initially 0, path to self)
- Its own ID (as a first tie breaker)
- The port ID of the transmission (as a second tie breaker)
This is control traffic, not data traffic
This data only goes 1 hop, it is not forwarded
Devices create their own, new/updated, messages and send those to their neighbours
Port States
Blocking:
- A port that would cause a loop if it were active
- No user data, still listens for control data
Listening: - Processes control data and await information that might cause it to return to blocking state
- Does not populate MAC table
- No user data
Learning: - Start learning source addresses into the MAC table
- No user data
Forwarding: - Normal operation
- Monitors for control data indicating it should return to blocking
- Forwards user data
Disabled: - Manually disabled by sysadmin
Designated Bridge for LAN Segment
Each segment "chooses" the best route to the root by the following criteria:
- Lower advertised root ID
- Lower advertised cost to root
- Lower transmitting bridge ID
- Lower port ID
The bridge advertising the best route becomes the LAN segment's designated bridge and designated port
Designated Port for a Bridge
Every bridge chooses the best route towards the root by the following criteria:
- Lower advertised root ID
- Lower advertised cost to root
- Lower transmitting bridge ID
- Lower port ID
The port corresponding to the best route is called the bridge's root port
Example
Numbered boxes are bridges with their bridge ID
Lettered clouds represent LAN segments
- Start:
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909113311.png)
- Electing root bridge:
The bridge with the lowest bridge ID is root, in this case 3
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909113358.png)
- Choosing root ports
If every LAN segment has a cost of 1, bridge 4 -> bridge 3 goes throughc
Therefore, the root port for bridge 4 is the one on LAN segmentc
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909113559.png)
- Assigning designated ports
The least cost path to the root from a LAN segment
The least cost fromegoes through bridge 92
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909113737.png)
- Remaining ports (not root nor designated) are blocked
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909113842.png)
- Link-failure causes recomputations
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909114005.png)
This does not optimise for performance
E.g. traffic from 4 to 5 needs to go up and down, instead of directly
Timing parameters
Message Age:
- The age of the message since the root bridge was created/selected
Max Age: - Discard config messages older than max age
Hello Time: - Time between configuration messages
Forward Delay: - Half of the delay before transitioning from blocking to forwarding
TL;DR
Every bridge waits for some period (twice the forward delay) to let the configuration
messages spread and the topology converge, and in the meantime...
– ...it does not forward frames (this is very important)
– ...it listens to neighbouring bridges in the first half
– ...it learns the location of MAC addresses in the second half
After this period, it starts forwarding data frames
– The root port and the designated ports are put into the forwarding state
– All the other ports are kept or put in a blocking state for the data plane
Station Learning and Caching
Entries in the Source Address Table time out
Usually 300 seconds
When no frame is received within that time, the entry is removed
Cache time is shorter when the topology of the tree has changed
Around 15s
Old data may be outdated, so flush it, except if frame received, indicating it is still correct
Notified through Topology Change Notification, which is propagated through the network
- A bridge notices a topology change
- This bridge (and recursively, upstream bridges), sends Topology Change Notification messages on their root ports
- TCN reaches root bridge
- Root bridge sets the TC flag in its configuration messages for a period of forward delay + max age
- If a bridge sees the TC flag it uses the short SAT cache time
- Equal to the forward delay
- Until the topology is stable again
BPDU
BPDU: Bridge Protocol Data Unit
Has two types:
- Configuration message, sent to destination ...
- Group (multicast) address, but not forwarded to other segments
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909115345.png)
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909115451.png)
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909115509.png)
- Topology changed notification
- To support re-learning after tree change
%20Inter-Networking%20and%20Routing/Attachments/Pasted%20image%2020250909115400.png)
RSTP (Rapid Spanning Tree Protocol)
Backwards compatible with STP
Fallback to STP mode, when a device that does not support RSTP is detected
Special RSTP BPDUs
Use incoming BPDUs as heartbeat, indicating link failures
No TCA (Topology Change Ack)
VLANS and STP
Physical topology might be loop-free but VLANs might not be
Two options:
Global STP for all VLANs
Simple to create
Slower to compute
Running STP for each VLAN
Allows different root bridge and topology per VLAN
Per-VLAN Spanning Tree; Cisco Proprietary
VLAN Spanning Tree Protocol; Juniper Proprietary
Multiple Spanning Tree Protocol; standard
Security note:
Disable STP on "host" ports (BPDU guard/BPDU block)
Disable tagged traffic on "host" ports
Multiple Spanning Tree Protocol
Divides LAN into multiple regions
Each region gets a Multiple Spanning Tree Instance (MSTI)
Defines global spanning tree between and inside region