Monday, December 22, 2008

A Very Short Guide to VLANs

More correctly, this note is about the use of VLANs in carrier Open Access Metropolitan Ethernet Networks. An Open Access network is an access network which is independent of any particular national carrier, and which provides last mile Ethernet services in its area on a non-discriminatory basis.

VLANs - virtual LANs - were originally a method of partitioning enterprise LANs into distinct forwarding segments. A VLAN switch forwards on both the normal Ethernet destination address (DA) and the VLAN tag. A switch associates a VLAN with a specific port so that a VLAN-tagged frame can only be forwarded along a port which has enabled that tag. There is space for 4,094 different usable tags in the 12 tag-bits available (see diagram).

VLANs have local significance within a routed domain, so that if a network is partitioned into a number of layer-2 segments each connecting to its own port on a PE router (which interconnects them all at layer-3) then each of the segments can reuse the 4,094-sized tag space.

VLAN (Q-in-Q) Ethernet header

In an equal access metro network, there is a requirement to separate traffic per service (VoIP, Internet, IPTV), per user (i.e. per final switch port facing the customer premises) or, in the most fine-grained mode, with a separate VLAN per service per user. In this last case we have almost recreated a point-to-point virtual circuit.

The reason for VLAN segregation is predominantly stability and security. Broadcast traffic, e.g. ARP messages, is constrained within a VLAN, thereby avoiding uncontrollable broadcast 'storms'. A positive security advantage is that broadcast traffic from one carrier's customers is not accessible to customers of rival carriers. Also, the possibilities of malicious attack are reduced.

If customers are already using VLAN tags themselves in their own enterprise networks, then carrier VLAN separation may be implemented by a second, overlaid tag. This is called "Q-in-Q" after the 802.1Q standard defining VLANs.

VLAN Q-in-Q can also be used in the metro network as a way of managing a proliferation of user-specific VLAN tags - a form of tag aggregation similar to the VC-VP usage in ATM. However, since all forwarding is done on the combination of destination address (DA) and outermost VLAN tag, scalability resulting from Q-in-Q is limited.
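To make the mechanics above concrete (the 12-bit tag field and its 4,094 usable values, forwarding on the combination of destination address and outermost tag, broadcast confinement within a VLAN, and the carrier pushing an outer Q-in-Q tag in front of a customer's own tag), here is a small worked example written for this note. It is not code from the original post or from any switch vendor; the port names, MAC addresses and VLAN numbers are constructed for illustration, and the switch model (drop untagged frames, ingress filtering on the outermost tag, flood unknown unicast within the VLAN) is a deliberate simplification of real 802.1Q/802.1ad behaviour.

```python
"""Decode 802.1Q / Q-in-Q Ethernet headers and model per-VLAN forwarding.

Illustrative code for this note; not a vendor implementation.
"""
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100    # customer tag (C-tag) TPID
TPID_8021AD = 0x88A8   # service tag (S-tag) TPID used for the outer Q-in-Q tag
TAG_TPIDS = {TPID_8021Q, TPID_8021AD}
# 12 tag bits give 4,096 values; VID 0 and 4095 are reserved, leaving 4,094 usable.
USABLE_VIDS = range(1, 4095)
BROADCAST = b"\xff" * 6


@dataclass
class Tag:
    tpid: int
    pcp: int   # 3-bit priority code point
    dei: int   # 1-bit drop eligible indicator
    vid: int   # 12-bit VLAN identifier


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tags: list      # Tag objects, outermost first
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Walk the tag stack after DA/SA until a non-VLAN EtherType is reached."""
    if len(raw) < 14:
        raise ValueError("too short for an Ethernet header")
    dst, src, off, tags = raw[:6], raw[6:12], 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated EtherType")
        (etype,) = struct.unpack_from("!H", raw, off)
        if etype not in TAG_TPIDS:
            break
        if off + 4 > len(raw):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        tags.append(Tag(etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return Frame(dst, src, tags, etype, raw[off + 2:])


def build_frame(dst, src, tags, ethertype, payload) -> bytes:
    hdr = dst + src
    for t in tags:
        hdr += struct.pack("!HH", t.tpid, (t.pcp << 13) | (t.dei << 12) | t.vid)
    return hdr + struct.pack("!H", ethertype) + payload


def push_service_tag(raw: bytes, s_vid: int, pcp: int = 0) -> bytes:
    """Carrier edge: add an outer S-tag in front of any customer C-tag (Q-in-Q)."""
    if s_vid not in USABLE_VIDS:
        raise ValueError("service VID must be 1..4094")
    f = parse_frame(raw)
    return build_frame(f.dst, f.src, [Tag(TPID_8021AD, pcp, 0, s_vid)] + f.tags,
                       f.ethertype, f.payload)


def pop_service_tag(raw: bytes) -> bytes:
    """Carrier edge on egress: strip the outer S-tag, restoring the customer frame."""
    f = parse_frame(raw)
    if not f.tags or f.tags[0].tpid != TPID_8021AD:
        raise ValueError("no outer service tag to remove")
    return build_frame(f.dst, f.src, f.tags[1:], f.ethertype, f.payload)


class VlanSwitch:
    """Forwards on (outermost VID, destination MAC); floods only within the VLAN."""

    def __init__(self, port_vids: dict):
        self.port_vids = port_vids   # port name -> set of VIDs enabled on that port
        self.fdb = {}                # (vid, mac) -> port where the MAC was learned

    def forward(self, raw: bytes, ingress: str) -> list:
        f = parse_frame(raw)
        if not f.tags:
            return []                         # simplification: untagged frames dropped
        vid = f.tags[0].vid                   # only the outermost tag is consulted
        if vid not in USABLE_VIDS or vid not in self.port_vids.get(ingress, ()):
            return []                         # ingress filtering: tag not enabled here
        self.fdb[(vid, f.src)] = ingress      # learn the source inside its VLAN
        members = [p for p, vids in self.port_vids.items() if vid in vids and p != ingress]
        if f.dst[0] & 1:                      # broadcast/multicast: flood, VLAN-bounded
            return members
        learned = self.fdb.get((vid, f.dst))
        if learned is None:
            return members                    # unknown unicast also floods within VLAN
        return [learned] if learned in members else []
```

A typical use: build an ARP request tagged with VID 10 from one customer port, feed it to a `VlanSwitch` whose ports enable different VIDs, and observe that it reaches the other ports carrying VID 10 but never a rival carrier's port on VID 20; then wrap a customer frame that already carries its own C-tag with `push_service_tag` and see that the switch still forwards on the outer tag alone.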

Getting Ethernet to the levels of manageability and scalability expected of a carrier transport layer remains a work in progress.