Http://www.h3c.com.cn/Products___Technology/Technology/LAN/Other_technology/Technology_book/200804/603079_30003_0.htm
Isolate-user-vlan Technical White Paper
Keywords: isolate-user-vlan, secondary VLAN
Summary: Isolate-user-vlan uses a two-tier VLAN structure: an Isolate-user-vlan and the secondary VLANs it contains. The upstream device recognizes only the Isolate-user-vlan, not the secondary VLANs inside it, which saves VLAN resources and simplifies network configuration. This paper introduces the technical principle of Isolate-user-vlan and its network applications.
Abbreviations:
Abbreviation | English full name | Explanation
VLAN | Virtual Local Area Network | Virtual Local Area Network
ARP | Address Resolution Protocol | Address Resolution Protocol
Contents
1 Overview
1.1 Background
1.2 Technical advantages and application scenarios
2 Isolate-user-vlan implementation mechanism
2.1 Related terms
2.2 Isolate-user-vlan technology principle
2.2.1 Isolate-user-vlan configuration synchronization
2.2.2 Isolate-user-vlan MAC address synchronization
2.3 Isolate-user-vlan packet forwarding
2.4 Application restrictions
3 Typical networking application
3.1 Networking diagram
3.2 Networking environment
1 Overview
1.1 Background
In campus networks, operators generally require Layer 2 isolation between access users, for reasons of user security and of management and billing. A VLAN is a natural means of isolation, so the obvious approach is to give each user its own VLAN. As shown in Figure 1, switch B and switch C each connect three users; if a separate VLAN is assigned to every user, six VLAN resources are consumed on device A.
Figure 1 Flat network diagram
According to IEEE 802.1Q, a device can have at most 4,094 VLANs. For a core-tier device, 4,094 VLANs are not enough if every user needs its own VLAN. Isolate-user-vlan was created to solve this shortage of VLAN resources.
With the Isolate-user-vlan feature, the user VLANs of Figure 1 (VLAN 10 to 15) can be configured as secondary VLANs, and VLAN 2 and VLAN 3 as Isolate-user-vlans (Figure 2). Then only VLAN 2 and VLAN 3 need to be configured on device A, saving four VLAN resources.
Figure 2 Isolate-user-vlan function
1.2 Technical advantages and application scenarios
Isolate-user-vlan uses a hierarchical structure: an upstream Isolate-user-vlan and downstream secondary VLANs. An upstream device only needs to recognize the Isolate-user-vlan, not the secondary VLANs inside it, which saves the upstream device's VLAN resources. At the same time, access users are placed in different secondary VLANs, which provides Layer 2 isolation between users.
Isolate-user-vlan is mainly used at the access layer of campus and enterprise networks, to provide Layer 2 isolation while saving VLAN resources.
2 Isolate-user-vlan implementation mechanism
2.1 Related terms
- Isolate-user-vlan: the user VLAN as seen by the uplink device; it is not the VLAN the user really belongs to.
- Secondary VLAN: the VLAN the user really belongs to.
- Uplink port: a port connected to the upstream device, responsible for communication with it. The default VLAN ID (PVID) of the uplink port must be configured as the VLAN ID of the Isolate-user-vlan; otherwise the port cannot forward packets from the secondary VLANs.
- Downlink port: a port connected to a user, responsible for communication with the terminal. The default VLAN ID of the downlink port must be configured as the VLAN ID of the secondary VLAN; otherwise the port cannot forward packets from the Isolate-user-vlan.
2.2 Isolate-user-vlan technology principle
How does Isolate-user-vlan hide the secondary VLAN information and conserve VLAN resources? Two things are required:
- Packets from different secondary VLANs can be sent to the upstream device through the uplink port without carrying secondary VLAN information.
- Packets from the Isolate-user-vlan can be sent to users through the downlink ports without carrying Isolate-user-vlan information.
Since the Isolate-user-vlan and the secondary VLANs use different VLAN IDs and contain different ports, and packets in different VLANs are normally isolated from each other at Layer 2, meeting these requirements takes coordination on two sides:
(1) On the access device, configuration synchronization and MAC address synchronization are required. See 2.2.1 and 2.2.2.
(2) The upstream device needs to be configured as follows:
- Create a VLAN whose VLAN ID equals the Isolate-user-vlan ID.
- Configure the port parameters: set the port type to hybrid, set the port default VLAN to the Isolate-user-vlan ID, and allow packets of the default VLAN to pass untagged.
2.2.1 Isolate-user-vlan configuration synchronization
When the Isolate-user-vlan feature is configured, the attributes of the ports in the Isolate-user-vlan and in the secondary VLANs are synchronized automatically:
For the uplink port, the port type is changed to hybrid, and packets from the secondary VLANs are allowed to pass untagged. The receiving port of the uplink device is configured manually with a default VLAN equal to the Isolate-user-vlan ID, so when the uplink device receives such a packet it treats it as coming from the Isolate-user-vlan and tags it with a VLAN ID equal to the Isolate-user-vlan ID. The secondary VLAN information is therefore masked.
For the downlink ports, the port type is changed to hybrid, and packets from the Isolate-user-vlan are allowed to pass untagged.
In the network shown in Figure 3, the ports are access ports by default: port Ethernet1/2 belongs to VLAN 2, port Ethernet1/3 belongs to VLAN 3, and port Ethernet1/5 belongs to VLAN 5; the relevant port attributes are shown in Table 1. VLAN 5 is then configured as the Isolate-user-vlan and VLAN 2, 3 and 4 as secondary VLANs. After configuration synchronization, the port attributes change as shown in Table 2.
Figure 3 Isolate-user-vlan configuration synchronization network diagram
Table 1 Port attributes before configuration synchronization
Port | Type | Port default VLAN | VLANs allowed to pass
Eth1/5 | Access | 5 | Only VLAN 5 packets
Eth1/2 | Access | 2 | Only VLAN 2 packets
Eth1/3 | Access | 3 | Only VLAN 3 packets
Table 2 Port attributes after configuration synchronization
Port | Type | Port default VLAN | Isolate-user-vlan role | VLANs allowed to pass
Eth1/5 | Hybrid | 5 | Isolate-user-vlan | VLAN 2, VLAN 3 and VLAN 5 packets pass untagged
Eth1/2 | Hybrid | 2 | Secondary VLAN | VLAN 2 and VLAN 5 packets pass untagged
Eth1/3 | Hybrid | 3 | Secondary VLAN | VLAN 3 and VLAN 5 packets pass untagged
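The rule behind Table 2 can be written down as a short function. The following is an added illustration, not H3C's code or configuration: it takes the Table 1 access-port settings as constructed input, applies the synchronization described in this section (the uplink port is recognised by a PVID equal to the Isolate-user-vlan, downlink ports by a PVID in a secondary VLAN, as 2.1 requires), and returns the Table 2 attributes. The Port class, its field names, and the treatment of ports that belong to neither VLAN (left unchanged) are assumptions. VLAN 4 is left out because no port in Figure 3 belongs to it.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Port:
    name: str
    link_type: str                                  # "access" or "hybrid"
    pvid: int                                       # port default VLAN ID
    untagged: Set[int] = field(default_factory=set)  # VLANs passed untagged
    role: str = ""                                  # Isolate-user-vlan role after sync


def synchronize(ports: List[Port], isolate_vlan: int, secondary_vlans: Set[int]) -> List[Port]:
    """Apply the configuration synchronization of section 2.2.1 (assumed model).

    A port whose PVID is the isolate-user-vlan is the uplink port; a port whose
    PVID is a secondary VLAN is a downlink port. Ports in neither VLAN are left
    untouched. Returns the ports whose attributes were changed.
    """
    changed = []
    for p in ports:
        if p.pvid == isolate_vlan:
            # Uplink: hybrid, passing the isolate-user-vlan and every secondary VLAN untagged
            p.link_type, p.role = "hybrid", "Isolate-user-vlan"
            p.untagged = {isolate_vlan, *secondary_vlans}
        elif p.pvid in secondary_vlans:
            # Downlink: hybrid, passing its own secondary VLAN and the isolate-user-vlan untagged
            p.link_type, p.role = "hybrid", "Secondary VLAN"
            p.untagged = {p.pvid, isolate_vlan}
        else:
            continue
        changed.append(p)
    return changed


def figure3_ports() -> List[Port]:
    """Table 1: the access ports before synchronization (constructed from the page)."""
    return [Port("Eth1/5", "access", 5, {5}),
            Port("Eth1/2", "access", 2, {2}),
            Port("Eth1/3", "access", 3, {3})]


def table2() -> dict:
    """Post-sync attributes keyed by port name; should match Table 2."""
    return {p.name: (p.link_type, p.pvid, p.role, sorted(p.untagged))
            for p in synchronize(figure3_ports(), 5, {2, 3})}


if __name__ == "__main__":
    for name, attrs in table2().items():
        print(name, attrs)
```

Calling table2() yields hybrid ports with the untagged sets {2, 3, 5}, {2, 5} and {3, 5} for Eth1/5, Eth1/2 and Eth1/3, which is exactly the last column of Table 2; a port whose PVID is in neither VLAN stays an access port.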
2.2.2 Isolate-user-vlan MAC address synchronization
With configuration synchronization, packets from a secondary VLAN can be sent untagged out of the uplink port, and packets from the Isolate-user-vlan can be sent untagged out of the downlink ports. How do these packets find their outgoing interface?
Through MAC address learning, the switch in the network of Figure 3 generates and maintains a MAC address table (Table 3). If the device sends a downlink packet to host 2 (source MAC mac_a, destination MAC mac_2), the switch adds a tag with VLAN ID 5 (the port's default VLAN ID) and looks up the MAC address table with the key "mac_2 + VLAN 5". Because no matching entry exists, the packet is broadcast within VLAN 5 and is eventually sent out of Eth1/2 and Eth1/3.
Similarly, every uplink and downlink packet would have to be broadcast to reach its destination. When the secondary VLANs and the Isolate-user-vlan contain many ports, this consumes a large amount of bandwidth and is insecure (broadcast packets are easy to intercept and eavesdrop on). The MAC address synchronization mechanism solves this problem.
The Isolate-user-vlan MAC address synchronization mechanism is:
- Secondary VLAN to Isolate-user-vlan synchronization: dynamic MAC addresses learned on the downlink ports within a secondary VLAN are synchronized into the Isolate-user-vlan.
- Isolate-user-vlan to secondary VLAN synchronization: dynamic MAC addresses learned on the uplink port within the Isolate-user-vlan are synchronized into all secondary VLANs.
When many secondary VLANs are configured under an Isolate-user-vlan, MAC address synchronization makes the MAC address table very large, which affects the forwarding performance of the device. Considering that a user's downlink traffic is much larger than its uplink traffic, downlink traffic needs to be unicast while uplink traffic can be broadcast. Therefore, secondary VLAN to Isolate-user-vlan synchronization is supported on all products, while Isolate-user-vlan to secondary VLAN synchronization is supported only on some products.
In the network shown in Figure 3, the MAC address table generated after MAC address synchronization is shown in Table 4.
Table 3 MAC address forwarding table before synchronization
Destination MAC | VLAN | Out port
mac_2 | 2 | Eth1/2
mac_3 | 3 | Eth1/3
mac_a | 5 | Eth1/5
Table 4 MAC address forwarding table after synchronization
Destination MAC | VLAN | Out port
mac_2 | 2 | Eth1/2
mac_2 | 5 | Eth1/2
mac_3 | 3 | Eth1/3
mac_3 | 5 | Eth1/3
mac_a | 5 | Eth1/5
mac_a | 2 | Eth1/5
mac_a | 3 | Eth1/5
2.3 Isolate-user-vlan packet forwarding
The implementation mechanism of Isolate-user-vlan is described below through the packet flow of host 2 in Figure 3.
(1) Host 2 first sends an untagged unicast uplink packet with source MAC address mac_2 and destination MAC address mac_a.
(2) The switch receives the packet on the downlink port Ethernet1/2, tags it with the port's default VLAN 2, learns the source MAC address, and records the MAC address table entry (mac_2 + VLAN 2 + Eth1/2): packets with destination MAC mac_2 and VLAN tag 2 are sent out of interface Ethernet1/2.
(3) According to the MAC address synchronization principle, the MAC address is also learned in VLAN 5, so the device records the entry (mac_2 + VLAN 5 + Eth1/2) at the same time.
(4) Because the switch has no MAC address table entry for mac_a yet, it broadcasts the packet within VLAN 2.
(5) Because of configuration synchronization, port Ethernet1/5 allows VLAN 2 packets to pass untagged, so the packet is sent out of Ethernet1/5 with its tag removed.
(6) Device A responds after receiving the packet.
(7) The switch receives the response on the uplink port Ethernet1/5, tags it with the port's default VLAN 5, learns the source MAC address, and records the entry (mac_a + VLAN 5 + Eth1/5). Through MAC address synchronization, two further entries (mac_a + VLAN 2 + Eth1/5) and (mac_a + VLAN 3 + Eth1/5) are generated.
(8) The switch looks up the MAC address table with "mac_2 + VLAN 5", finds the outgoing interface Ethernet1/2, and sends the packet to host 2 with its tag removed.
In this way, packet exchange between host 2 and device A is achieved.
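The eight steps above, together with the two synchronization directions of 2.2.2, can be replayed with a small switch model. This is an added example and not H3C's code: the port attributes are those of Table 2, the MAC names mac_2, mac_3 and mac_a are the page's, and the Frame class, the flooding rule (an unknown destination is flooded to every other port that carries the VLAN) and the constructor flags that switch each synchronization direction on or off are assumptions. Turning secondary VLAN to Isolate-user-vlan synchronization off reproduces the Table 3 situation, in which the reply to host 2 is broadcast to both downlink ports.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISOLATE_VLAN = 5
SECONDARY_VLANS = {2, 3}

# Port attributes after configuration synchronization (Table 2):
# default VLAN (PVID) and the VLANs the port passes untagged.
PORTS = {
    "Eth1/5": {"pvid": 5, "untagged": {2, 3, 5}},   # uplink port towards device A
    "Eth1/2": {"pvid": 2, "untagged": {2, 5}},      # downlink port to host 2
    "Eth1/3": {"pvid": 3, "untagged": {3, 5}},      # downlink port to host 3
}


@dataclass
class Frame:
    src: str
    dst: str
    vlan: Optional[int] = None   # None means the frame arrives untagged


class Switch:
    """The access switch of Figure 3 with the MAC synchronization of 2.2.2 (assumed model)."""

    def __init__(self, sync_secondary_to_isolate: bool = True,
                 sync_isolate_to_secondary: bool = True):
        self.mac_table: Dict[Tuple[str, int], str] = {}   # (MAC, VLAN) -> out port
        self.sync_secondary_to_isolate = sync_secondary_to_isolate
        self.sync_isolate_to_secondary = sync_isolate_to_secondary

    def learn(self, mac: str, vlan: int, port: str) -> None:
        self.mac_table[(mac, vlan)] = port
        if vlan in SECONDARY_VLANS and self.sync_secondary_to_isolate:
            # Entry learned on a downlink port is copied into the isolate-user-vlan.
            self.mac_table[(mac, ISOLATE_VLAN)] = port
        elif vlan == ISOLATE_VLAN and self.sync_isolate_to_secondary:
            # Entry learned on the uplink port is copied into every secondary VLAN.
            for s in SECONDARY_VLANS:
                self.mac_table[(mac, s)] = port

    def receive(self, in_port: str, frame: Frame) -> Tuple[str, List[str]]:
        """Forward one frame; returns ("unicast"|"flood", sorted egress ports)."""
        # An untagged frame is classified into the ingress port's default VLAN.
        vlan = frame.vlan if frame.vlan is not None else PORTS[in_port]["pvid"]
        self.learn(frame.src, vlan, in_port)
        out = self.mac_table.get((frame.dst, vlan))
        if out is not None:
            return "unicast", [out]
        # Unknown destination: flood to every other port that carries this VLAN.
        # All Table 2 ports pass these VLANs untagged, so the tag is removed on egress.
        return "flood", sorted(p for p, a in PORTS.items()
                               if p != in_port and vlan in a["untagged"])


def replay_section_2_3(sync_secondary_to_isolate: bool = True) -> dict:
    """Replay steps (1) to (8) of section 2.3, plus a host-2-to-host-3 frame."""
    sw = Switch(sync_secondary_to_isolate=sync_secondary_to_isolate)
    # Steps (1)-(5): host 2 sends an untagged unicast to device A, mac_a still unknown.
    uplink = sw.receive("Eth1/2", Frame("mac_2", "mac_a"))
    # Steps (6)-(8): device A answers through the uplink port.
    downlink = sw.receive("Eth1/5", Frame("mac_a", "mac_2"))
    # Extra check: a frame from host 2 to host 3 must not reach Eth1/3 directly.
    cross = sw.receive("Eth1/2", Frame("mac_2", "mac_3"))
    return {"uplink": uplink, "downlink": downlink, "cross": cross,
            "table": dict(sw.mac_table)}


if __name__ == "__main__":
    for name, value in replay_section_2_3().items():
        print(name, value)
    print("without secondary->isolate sync:", replay_section_2_3(False)["downlink"])
```

With both synchronization directions on, the uplink frame is flooded only to Eth1/5, the reply is unicast to Eth1/2 via the synchronized (mac_2, VLAN 5) entry, and a frame from host 2 to host 3 leaves only through the uplink port, which is the Layer 2 isolation between secondary VLANs that the ARP proxy of 2.4 has to bridge. With sync_secondary_to_isolate=False the reply is flooded to Eth1/2 and Eth1/3, so host 3 would see host 2's downlink traffic, which is the bandwidth and eavesdropping problem described in 2.2.2.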
2.4 Application restrictions
For communication between secondary VLANs, local ARP proxy must be configured on the upstream device, which greatly increases the burden on the Layer 3 device.
3 Typical networking application
3.1 Networking diagram
Figure 4 Isolate-user-vlan application networking diagram
3.2 Networking environment
The community has a large number of users, and the users run different services (such as video, voice and data). To ensure user security and distinguish between the different service flows, VLAN technology is used to isolate users' packets at Layer 2. However, because the device's VLAN resources are limited, the Isolate-user-vlan feature can be configured on the access switch to conserve them. Multiple ports can be configured as Isolate-user-vlan uplink ports at the same time and combined with ACL and QoS configuration, so that different uplink ports carry different services, which simplifies network management.