Presentation transcript: Virtual LAN and Dynamic Multicast Filtering Technologies (Prof. Nen-Fu Huang, National Tsing Hua University)

1 Virtual LAN and Dynamic Multicast Filtering Technologies
All rights reserved. No part of this publication and file may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of Professor Nen-Fu Huang (E-mail: nfhuang@cs.nthu.edu.tw).
國立清華大學資訊工程學系 黃能富教授 (Prof. Nen-Fu Huang, Department of Computer Science, National Tsing Hua University)
Tel: 03-573-1063 Fax: 03-572-3694 E-mail: nfhuang@cs.nthu.edu.tw URL: http://www.cs.nthu.edu.tw/~nfhuang

2 Outline
• IEEE 802.1Q: Virtual Bridged LANs
• IEEE 802.1p: Traffic Class Expediting and Dynamic Multicast Filtering
• GVRP: GARP VLAN Registration Protocol
• GMRP: GARP Multicast Registration Protocol
• GARP: Generic Attribute Registration Protocol

3 (figure: GARP as the common base under GVRP and GMRP; a third GARP application slot is left open, marked "???")
GVRP + GARP = VLAN, without VLAN multicast
GVRP + GMRP + GARP = VLAN with multicast support
GMRP + GARP = priority / multicast filtering
GMRP service primitives: ES_REGISTER_GROUP_MEMBER, ES_DEREGISTER_GROUP_MEMBER, ES_REGISTER_MODE, ES_DEREGISTER_MODE

4 VLAN Topology (figure: hosts H and VLAN-aware bridges VAB in VLANs A, B and C, an 802.1D bridge B with its BLAN, Access Links, a Hybrid Link, a Trunk Link, the Spanning Tree, and a Group in VLAN A)

5 Virtual Bridged LANs (IEEE 802.1Q)

6 Overview of Virtual LAN
• Virtual LAN services in Bridged LANs.
• Forwarding Process required to support VBLANs.
• Filtering Database needed to support VBLANs.
• Protocols and procedures required to provide VLAN services and distribute the VLAN membership information.
• Management services and operations required to configure and administer VBLANs.

7 VLAN Aims and Benefits
• Easy administration of logical groups of stations, including moves, adds, and changes in the members of these groups.
• Traffic between VLANs is firewalled: the propagation of multicast and broadcast traffic between VLANs is limited.
• Supported over shared and point-to-point media.
• Each VLAN is uniquely identified (VID).
• Maintains compatibility with existing bridges/switches and stations.
• In the absence of VLAN configuration, bridges work Plug-and-Play.

8 VLAN Architecture Overview
• Based on a 3-level model:
» Configuration (MIBs)
» Distribution/Resolution (Declaration Protocols, Request/Response Protocols)
» Relay (Ingress Rules, Forwarding Rules, Egress Rules)

9 Configuration
• The means whereby the VLAN configuration is specified in the first place.
• Assignment of VLAN configuration.

10 Virtual LAN Technologies
• Port-based VLAN
• MAC-based VLAN
• IP-subnet based VLAN
• Layer-3 Protocol based VLAN
• Rule based VLAN

11 Port-based Virtual LANs (figure: three bridges/switches; VLAN 1, VLAN 2 and VLAN 3 assigned by port number)

12 MAC-based Virtual LANs (figure: three bridges/switches with ports 1-16; VLAN 1 to VLAN 4 assigned by station MAC address)

13 MAC-based Virtual LANs -- MAC 5 moves (figure: the same three bridges/switches; the station with MAC 5 moves to another port)

14 IP Subnet-based Virtual LANs (figure: one bridge/switch, ports 1-16; VLAN 1 = IP subnet 140.114.76, VLAN 2 = IP subnet 140.114.77, VLAN 3 = IP subnet 140.114.78; stations 140.114.76.xx, 140.114.77.xx, 140.114.78.xx)

15 Layer-3 Protocol based Virtual LANs (figure: one bridge/switch, ports 1-16; VLAN 1 = IPX stations, VLAN 2 = IP stations)

16 Rule-based Virtual LANs
• All workstations using an address in a given IP subnet
• All IPX workstations using a particular network address
• All workstations whose network card is made by company abc
• All frames whose Ethernet type field equals a given value
• All frames whose SNAP field equals a given value
• All TCP frames whose source port field equals a given value
• All UDP frames whose source port field equals a given value

17 Distribution
• Distribute the information Bridges need to determine on which VLAN a given packet should be forwarded.
• Various possibilities exist for achieving this:
» Declaration protocols for distributing VLAN associations (such as GARP, to distribute membership information among Bridges).
» Request/Response protocols to request a specific VLAN association (SNMP).

18 Relay
• Mapping received frames to VLANs: determined by a set of ingress rules.
• Where received frames should be forwarded: determined by a set of forwarding rules.
• Mapping frames to output Ports and format (tagged or untagged): determined by a set of egress rules.
• VLAN frame format to carry VLAN IDs (VIDs).
• The procedures to tag frames, modify tagged frames, and untag frames.

19 Relay
• The Port-based approach specifies ingress, forwarding and egress rules based on VLAN membership, which allow bridges to:
» Classify all received untagged frames as belonging to a particular VLAN (the PVID).
» Recognize the VID associated with received tagged frames.
» Use this VID for forwarding/filtering.
» Transmit frames in tagged or untagged format, as defined for a given Port/VLAN pairing.

20 Frame Tagging
• Implicit tagging: a frame is classified to a particular VLAN based on the data content of the frame (MAC address, Layer 3 Protocol ID, etc.) and/or the receiving Port.
• Explicit tagging: a frame carries an explicit identification of the VLAN to which it belongs.

21 Ingress Rules/Egress Rules
• Each frame received is classified as belonging to exactly one VLAN by associating a VID with it.
• The classification is achieved as follows:
» Explicit tagging: the VID value the frame carries.
» Implicit tagging: the PVID associated with the port on which it is received.
• Frames shall be filtered if:
» the outgoing port is not present in the Member Set of the VLAN; or
» the frame is in 802.5 format, the outgoing port is present in the Untagged Set of the VLAN, and the Bridge does not support frame format translation.

22 Port-Based VLAN Definitions
• VLAN-aware devices understand VLAN membership and the VLAN frame format.
• VLAN-unaware devices do not.
• An Access Link is a LAN segment used to multiplex one or more VLAN-unaware devices into a Port of a VLAN Bridge.
» All frames on an access link are implicitly tagged.
» No VLAN-tagged frames on an access link.
» Viewed as being on the edge of the network.
» Can be attached to other 802.1D-conformant Bridges (BLAN).

23 Definitions
• A Trunk Link is a LAN segment used to multiplex VLANs between VLAN Bridges.
» All devices connected to a Trunk Link must be VLAN-aware.
» All frames (including end station frames) on a Trunk Link are explicitly tagged with a VLAN ID.
• A Hybrid Link is a LAN segment that has both VLAN-aware and VLAN-unaware devices.
» There can be a mix of tagged frames and untagged frames, but they must be from different VLANs.

24 VLAN Topology (the figure of slide 4, repeated: VLANs A, B and C; Access Links, Hybrid Link, Trunk Link, Spanning Tree)

25 Rules for Tagging Frames
• For each VLAN, all frames traversing a particular hybrid link must be tagged the same way: all implicitly tagged, or all carrying the same explicit tag.
• There can be a mix of implicitly and explicitly tagged frames, but they must be for different VLANs.
• In the topology: all frames for VLANs A and B are explicitly tagged on the hybrid link.
• All frames for VLAN C on the hybrid link are implicitly tagged.
• On the trunk link all frames are tagged.

26 Spanning Tree
• Eliminates loops in a bridged LAN.
• Improves scalability in a large network.
• The spanning tree formed in a virtual LAN environment need not be identical to the topology of the VLAN(s).
• Each VLAN may be overlaid on different segments or be entirely separate from the others.
• All VLANs are aligned along the Spanning Tree from which they are formed.
• A VLAN is defined by a subset of the Spanning Tree.
• The topology of the VLAN is dynamic.

27 Bridge Operation
• A Bridge filters frames to ensure that traffic destined for a given VLAN is forwarded only on segments that form a path to members of that VLAN.
• For each VLAN, the bridge needs to keep:
» Member Set (Port IDs)
» Untagged Set (Port IDs)

28 Address Learning
• Shared VLAN Learning (SVL)
• Independent VLAN Learning (IVL)
• In most cases, SVL and IVL produce the same result. But in some special cases, the learning mode of the bridge must be specified.

29 IVL Example -- Multiple Independent VLANs
• A server (Bridge-Router, or Connector) connects multiple independent VLANs.
• The Connector and the stations are VLAN-unaware (untagged).
• The Connector does not run the spanning tree algorithm.
• Frames between VLAN Red (A) and VLAN Blue (B) should be delivered through the Connector (firewalled).
• The Filtering Databases should be independent. Otherwise, MAC A (B) will be learned alternately from the different ports 1 and 4 (2 and 3).
• The frames from A (B) to B (A) would then be delivered along the wrong path.

30 IVL Example -- Multiple Independent VLANs (figure: VLAN bridge with Ports 1-4; PVID = Red on Ports 1 and 3, PVID = Blue on Ports 2 and 4; a conventional bridge-router (connector) with Port X and Port Y; stations A and B)
Member Set: Red - Ports 1,3; Blue - Ports 2,4
Untagged Set: Red - Ports 1,3; Blue - Ports 2,4
Filtering Database, VLAN Red: A - Port 1, B - Port 3
Filtering Database, VLAN Blue: A - Port 4, B - Port 2
Correct paths for A->B and B->A.

31 If SVL is used for this case? (figure: same topology as slide 30)
Member Set: Red - Ports 1,3; Blue - Ports 2,4
Untagged Set: Red - Ports 1,3; Blue - Ports 2,4
Shared Filtering Database (Red, Blue): A - Port 4, B - Port 3
Incorrect path for B->A.

32 IVL Example (2) -- Multiple Independent VLANs
• A server (Bridge-Router, or Connector) connects multiple independent VLANs.
• The server is VLAN-aware (tagging frames) and the stations are VLAN-unaware.
• VLAN Red: A and the Server
• VLAN Blue: B and the Server
• The Filtering Databases should be independent. Otherwise, MAC A (B) will be learned alternately from different ports.
• The frames from the server tagged Blue or Red may be filtered.

33 IVL Example (2) -- Multiple Independent VLANs (figure: VLAN bridge with Port 1 (PVID = Red), Port 2 (PVID = Blue) and Port 3 (PVID = Discard) towards a VLAN-aware bridge-router (connector); stations A and B)
Member Set: Red - Ports 1,3; Blue - Ports 2,3
Untagged Set: Red - Port 1; Blue - Port 2
Connector's shared Filtering Database (Red, Blue): A - Port 1, B - Port 1
Bridge Filtering Database, VLAN Red: A - Port 1, B - Port 3
Bridge Filtering Database, VLAN Blue: A - Port 3, B - Port 2

34 If SVL is used for this case (figure: same topology as slide 33)
Member Set: Red - Ports 1,3; Blue - Ports 2,3
Untagged Set: Red - Port 1; Blue - Port 2
Connector's shared Filtering Database (Red, Blue): A - Port 1, B - Port 1
Bridge SVL Filtering Database (Red, Blue): A - Port 1 / 3, B - Port 2 / 3 (learned alternately)

35 IVL Example (3) -- Duplicate MAC addresses
• Stations A and B use the same MAC address X.
• The server is VLAN-aware (tagging frames) and the stations are VLAN-unaware.
• VLAN Red: A and the Server
• VLAN Blue: B and the Server
• The Filtering Databases should be independent. Otherwise, MAC X will be learned alternately from different ports.
• The frames from the server tagged Blue (Red) may be forwarded to the wrong destination A (B).

36 IVL Example (3) -- Duplicate MAC addresses (figure: VLAN bridge with Port 1 (PVID = Red), Port 2 (PVID = Blue) and Port 3 (PVID = Discard) towards a VLAN-aware server; stations A and B both with MAC X)
Member Set: Red - Ports 1,3; Blue - Ports 2,3
Untagged Set: Red - Port 1; Blue - Port 2
Filtering Database, VLAN Red: X - Port 1
Filtering Database, VLAN Blue: X - Port 2

37 If SVL is used for this case (figure: same topology as slide 36)
Member Set: Red - Ports 1,3; Blue - Ports 2,3
Untagged Set: Red - Port 1; Blue - Port 2
SVL Filtering Database (Red, Blue): X - Port 1 / 2 (learned alternately)
Incorrect path for Server -> A.

38 Asymmetric VLAN
• Typically, two stations A and B belonging to the same VLAN use the same VID to communicate.
• Asymmetric VLAN: A -> B and B -> A use different VIDs.
• The server and all stations are VLAN-unaware (untagged frames).
• A -> S and S -> B are allowed, but not A <-> B, for security reasons.
• VLAN Purple: Server --> A or B
• VLAN Red: A --> Server
• VLAN Blue: B --> Server

39 Asymmetric VLAN
• If the Filtering Databases of VLAN Red and VLAN Purple are independent, then a frame from the server to B is forwarded to both A and B, because A and B are not learned in VLAN Purple; the frame is broadcast in VLAN Purple in this case.
• SVL is required for Asymmetric VLAN!!

40 Asymmetric VLAN (figure: VLAN bridge with Port 1 (PVID = Red) to station A, Port 2 (PVID = Blue) to station B, Port 3 (PVID = Purple) to the VLAN-unaware server S)
Member Set: Purple - Ports 1,2; Red - Port 3; Blue - Port 3
Untagged Set: Purple - Ports 1,2; Red - Port 3; Blue - Port 3
Shared Filtering Database (Purple, Red, Blue): A - Port 1, B - Port 2, S - Port 3

41 If IVL is used for this case (figure: same topology as slide 40)
Member Set: Purple - Ports 1,2; Red - Port 3; Blue - Port 3
Untagged Set: Purple - Ports 1,2; Red - Port 3; Blue - Port 3
Filtering Database, VLAN Purple: S - Port 3
Filtering Database, VLAN Red: A - Port 1
Filtering Database, VLAN Blue: B - Port 2
Intended: S -> A or S -> B; actual: S -> A and B.
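The IVL/SVL cases of slides 29 to 41 can be checked on a model before anything is configured on a real switch. The following is an added example in Python, not code from the lecture: a toy VLAN-aware bridge that applies the ingress rule (explicit tag, else PVID), learns source addresses under either an independent or a shared filtering database, and applies the egress rules (Member Set filtering, Untagged Set tagging). The `Bridge` and `Frame` names, the string VIDs and the two scenario functions are our own; they reproduce the duplicate-MAC case (slides 35-37) and the asymmetric VLAN case (slides 38-41).

```python
"""Toy VLAN-aware bridge: ingress classification, IVL or SVL learning, egress filtering.
Added example for the IVL/SVL slides (not the lecture's own code); all names are ours."""
from dataclasses import dataclass, field
from typing import Optional

DISCARD = None   # PVID "Discard": untagged frames arriving on this port are dropped


@dataclass
class Frame:
    src: str                   # source MAC (station names stand in for addresses)
    dst: str                   # destination MAC
    vid: Optional[str] = None  # explicit tag carried by the frame, None if untagged


@dataclass
class Bridge:
    pvid: dict                # port -> PVID (or DISCARD)
    member_set: dict          # VID -> ports that may transmit frames of that VLAN
    untagged_set: dict        # VID -> ports that transmit the VLAN untagged
    learning: str = "IVL"     # "IVL" (one FDB per VLAN) or "SVL" (one shared FDB)
    fdb: dict = field(default_factory=dict)   # (FID, MAC) -> port

    def fid(self, vid):
        # IVL: the filtering identifier is the VLAN itself; SVL: all VLANs share one FID
        return vid if self.learning == "IVL" else "shared"

    def receive(self, port, frame):
        """Process one frame arriving on `port`; return [(egress_port, tagged), ...]."""
        # Ingress rule: an explicit tag wins, otherwise the receiving port's PVID applies
        vid = frame.vid if frame.vid is not None else self.pvid[port]
        if vid is DISCARD:
            return []
        # Learning process: the source MAC is learned under the FID of the classified VLAN
        self.fdb[(self.fid(vid), frame.src)] = port
        # Forwarding: a learned destination goes to its port, an unknown one floods the VLAN
        learned = self.fdb.get((self.fid(vid), frame.dst))
        candidates = {learned} if learned is not None else set(self.member_set[vid])
        candidates.discard(port)
        # Egress rules: drop ports outside the VLAN's Member Set; tag unless in the Untagged Set
        return sorted((p, p not in self.untagged_set[vid])
                      for p in candidates if p in self.member_set[vid])


def duplicate_mac_scenario(learning):
    """Slides 35-37: A (port 1, Red) and B (port 2, Blue) both use MAC X; the VLAN-aware
    server sits on port 3 (PVID Discard). Returns where the server's Red-tagged frame goes."""
    br = Bridge(pvid={1: "Red", 2: "Blue", 3: DISCARD},
                member_set={"Red": {1, 3}, "Blue": {2, 3}},
                untagged_set={"Red": {1}, "Blue": {2}}, learning=learning)
    br.receive(1, Frame("X", "S"))                    # A -> server, untagged, classified Red
    br.receive(2, Frame("X", "S"))                    # B -> server, untagged, classified Blue
    return br.receive(3, Frame("S", "X", vid="Red"))  # server -> A, explicitly tagged Red


def asymmetric_vlan_scenario(learning):
    """Slides 38-41: A -> S in Red, B -> S in Blue, S -> A or B in Purple, all untagged.
    Returns where the server's frame addressed to B is delivered."""
    br = Bridge(pvid={1: "Red", 2: "Blue", 3: "Purple"},
                member_set={"Purple": {1, 2}, "Red": {3}, "Blue": {3}},
                untagged_set={"Purple": {1, 2}, "Red": {3}, "Blue": {3}}, learning=learning)
    br.receive(1, Frame("A", "S"))       # A -> S, learned in Red (IVL) or the shared FDB (SVL)
    br.receive(2, Frame("B", "S"))       # B -> S, learned in Blue (IVL) or the shared FDB (SVL)
    return br.receive(3, Frame("S", "B"))  # S -> B, classified Purple


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "duplicate MAC, server->A:", duplicate_mac_scenario(mode))
        print(mode, "asymmetric VLAN, S->B:   ", asymmetric_vlan_scenario(mode))
```

With IVL the duplicate-MAC frame reaches port 1 untagged, while with SVL the shared entry for X points at port 2, which is outside VLAN Red's Member Set, so the frame is filtered. The asymmetric case inverts: with SVL the server's frame goes only to port 2, while with IVL B is unknown in VLAN Purple and the frame is flooded to both stations, which is exactly the isolation failure the slides warn about.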

42 The Filtering Database
• Static Filtering Entry
• Static VLAN Registration Entry
• Dynamic Filtering Entry
• Dynamic VLAN Registration Entry
• Group Registration Entry

43 Static Filtering Entry
Fields: MAC | VLAN ID | Port Map | Control Element
MAC: Individual MAC, Group MAC, All Group MACs, or All Unregistered Group MACs
Control Element: Forward, Filter, or according to the dynamic filtering database
Example entries: MACa VLAN 2; MACb VLAN 3; MACc VLAN 3; MACd VLAN 2; MACe VLAN 4

44 Static VLAN Registration Entry
Fields: VLAN ID | Port Map | Control Element
Example entries: VLAN IDs 2, 3, 4, 5, 6
Control Element: GVRP Registrar Administrative Control (Registration Fixed, Forbidden, Normal); Tagged/Untagged

45 Dynamic Filtering Entry (by Learning Process)
Fields: MAC (Individual MAC) | FID | Port (Map) | Time
Example entries (MAC, FID): MACa 2; MACa 3; MACb 3; MACb 2; MACc 4
Time column: 200, 120, 100, 250, 60

46 Group Registration Entry (by GMRP Protocol)
Fields: MAC | VLAN ID | Port Map | Control Element
MAC: Group MAC, All Group MACs, or All Unregistered Group MACs
Control Element: Forward (Registered), Filter (Unregistered)
Example entries: MACa VLAN 2; MACb VLAN 3; MACc VLAN 3; MACd VLAN 2; MACe VLAN 4

47 Dynamic VLAN Registration Entry
Fields: VLAN ID | Port Map | Control Element
Example entries: VLAN IDs 2, 3, 4, 5, 6
Control Element: is the VID registered on this port?

48 VLAN Tag Structure
• Tag Protocol Identifier (TPID)
• Tag Control Information (TCI): User Priority (3 bits), Canonical Format Indicator (1 bit), VLAN Identifier (VID, 12 bits)
Ethernet-encoded: TPID (2 bytes) + TCI (2 bytes)
SNAP-encoded: TPID (8 bytes) + TCI (2 bytes)

49 Tag Format (Ethernet-encoded)
Ethernet-encoded TPID (81-00), 2 bytes | TCI, 2 bytes | LEN, 2 bytes | RIF, 2-30 bytes
TCI: User Priority (0-7), 3 bits | Canonical Format Indicator (CFI), 1 bit | VLAN Identifier (VID), 12 bits

50 Tag Format (Ethernet-encoded) RIF
RC (Route Control), 2 bytes | Route Descriptors, 0-28 bytes
RC bit layout: RT (3 bits) | LTH (5 bits) | D (1 bit) | LF (6 bits) | NCFI (1 bit)
RT (Routing Type): transparent bridges or source-routing bridges
LTH (Length): 2 when there are no route descriptors
D: Direction
LF (Largest Frame): <= 1470 bytes
NCFI: Non-canonical Format Indicator

51 Tag Format (SNAP-encoded)
SNAP-encoded TPID, 8 bytes: SNAP Header (AA-AA-03), 3 bytes | SNAP PID (00-00-00), 3 bytes | Tag Type (81-00), 2 bytes
TCI, 2 bytes
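The tag layouts of slides 48 to 51 are small enough to parse by hand, which is useful when checking what a capture actually carries. The following is an added example in Python, not code from the lecture: it recognizes both the Ethernet-encoded TPID (81-00) and the SNAP-encoded TPID (AA-AA-03 00-00-00 81-00), splits the TCI into priority, CFI and VID, and, when CFI = 1 on an Ethernet-encoded tag, decodes the embedded RIF route control field with the bit widths of slide 50. The function names and the sample frames are constructed for this example; the frames are not captures.

```python
"""Parser for the IEEE 802.1Q tag header described on slides 48-51.
Added example, not the lecture's code; field and function names are ours."""
import struct

ETHER_TPID = 0x8100
# SNAP-encoded TPID: LLC AA-AA-03, SNAP PID 00-00-00, tag type 81-00 (8 octets)
SNAP_TPID = bytes.fromhex("aaaa03" "000000" "8100")


def parse_tci(tci):
    """TCI: 3-bit User Priority, 1-bit CFI, 12-bit VID."""
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def parse_rif(buf):
    """Embedded RIF (slide 50): 2-octet Route Control field, then 0-28 octets of route
    descriptors. Returns (fields, octets_consumed)."""
    if len(buf) < 2:
        raise ValueError("truncated RIF")
    rc = struct.unpack("!H", buf[:2])[0]
    fields = {
        "rt": rc >> 13,             # Routing Type, 3 bits
        "lth": (rc >> 8) & 0x1F,    # Length in octets including RC, 2..30
        "d": (rc >> 7) & 1,         # Direction
        "lf": (rc >> 1) & 0x3F,     # Largest Frame
        "ncfi": rc & 1,             # Non-canonical Format Indicator
    }
    lth = fields["lth"]
    if lth < 2 or lth > 30 or lth > len(buf):
        raise ValueError("bad RIF length %d" % lth)
    fields["route_descriptors"] = buf[2:lth]
    return fields, lth


def parse_vlan_tag(buf):
    """Parse a tag header that starts at buf[0] (the octet after the source address).
    Returns (fields, octets_consumed); (None, 0) for an untagged frame, so the caller
    applies the port's PVID (implicit tagging) instead."""
    if buf[:2] == struct.pack("!H", ETHER_TPID):
        off, encoding = 2, "ethernet"
    elif buf[:8] == SNAP_TPID:
        off, encoding = 8, "snap"
    else:
        return None, 0
    if len(buf) < off + 2:
        raise ValueError("truncated TCI")
    fields = parse_tci(struct.unpack("!H", buf[off:off + 2])[0])
    fields["encoding"] = encoding
    off += 2
    # On 802.3/Ethernet media CFI = 1 means a RIF follows the TCI (slide 55);
    # on Token-Ring/FDDI the RIF sits in the MAC header before the tag (slide 56)
    if fields["cfi"] == 1 and encoding == "ethernet":
        fields["rif"], used = parse_rif(buf[off:])
        off += used
    return fields, off


def parse_ethernet_frame(frame):
    """DA(6) SA(6) [tag header] type/length(2) payload; FCS assumed already stripped."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    tag, used = parse_vlan_tag(frame[12:])
    off = 12 + used
    if len(frame) < off + 2:
        raise ValueError("truncated type/length field")
    return {"da": frame[:6].hex(":"), "sa": frame[6:12].hex(":"), "tag": tag,
            "type": struct.unpack("!H", frame[off:off + 2])[0], "payload": frame[off + 2:]}


# Constructed sample frames (not captures): DA 01-00-5E-00-00-01, SA 00-D0-BA-12-34-56
_DA_SA = bytes.fromhex("01005e000001" "00d0ba123456")
UNTAGGED = _DA_SA + struct.pack("!H", 0x0806) + b"\x00" * 28
TAGGED = (_DA_SA + struct.pack("!HH", ETHER_TPID, (5 << 13) | 100)     # priority 5, VID 100
          + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)
RIF_RC = (0 << 13) | (4 << 8) | (0 << 7) | (2 << 1) | 1                # LTH 4, LF 2, NCFI 1
TAGGED_RIF = (_DA_SA + struct.pack("!HH", ETHER_TPID, (1 << 12) | 7)    # CFI 1, VID 7
              + struct.pack("!H", RIF_RC) + b"\x00\x10"                 # one route descriptor
              + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("tagged", TAGGED), ("tagged+RIF", TAGGED_RIF)):
        print(name, parse_ethernet_frame(f)["tag"])
```

The parser returns `None` for an untagged frame rather than guessing a VLAN, because the VID of such a frame is not in the frame at all: it is the PVID of the port that received it (slide 21), and a parser that only sees bytes cannot know it. Truncated headers raise instead of being silently accepted.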

52 Network Dependency
• E-C-T (Ethernet, Canonical, Transparent)
• E-C-R (Ethernet, Canonical, Source-Routed)
• E-N-T (Ethernet, Non-Canonical, Transparent)
• E-N-R (Ethernet, Non-Canonical, Source-Routed)
• L-C-T (LLC, Canonical, Transparent)
• L-C-R (LLC, Canonical, Source-Routed)
• L-N-T (LLC, Non-Canonical, Transparent)
• L-N-R (LLC, Non-Canonical, Source-Routed)

53 Frame Types
Notation E-C-T/E,T: Ethernet frame or LLC frame (E, L) - Canonical or Non-canonical (C, N) - Transparent or Source-routed (T, R) / Ethernet or Token-Ring media (E, R), Tagged frame (T)

54 VLAN Tagged Frames on 802.3/Ethernet Media
E-C-T/E,T: DA | SA | Tag header (ETPID+TCI), CFI = C | PT | C-Data, N bytes, 46 <= N <= 1496 | FCS
L-C-T/E,T: DA | SA | Tag header (ETPID+TCI), CFI = C | LEN | LLC+C-Data+Pad, N bytes, 42 <= N <= 1496 | FCS

55 VLAN Tagged Frames on 802.3/Ethernet Networks
E-N-T/E,T, E-C-R/E,T, E-N-R/E,T: DA | SA | Tag header (ETPID+TCI), CFI = 1 | RIF (0 <= R <= 30), CFI = C or N | PT | C-Data or N-Data, N bytes, 46 <= N <= 1470 | FCS
L-N-T/E,T, L-C-R/E,T, L-N-R/E,T: DA | SA | Tag header (ETPID+TCI), CFI = 1 | RIF (0 <= R <= 30), CFI = C or N | PT | LLC+C-Data+Pad or LLC+N-Data+Pad, N bytes, 42-R <= N <= 1470 | FCS

56 VLAN Tagged Frames on Token-Ring/FDDI Networks
E-C-T/R,T, E-N-T/R,T, E-C-R/R,T, E-N-R/R,T: AC (TR only) | FC | DA | SA | RIF (0 <= R <= 30) | Tag header (STPID+TCI), CFI = C or N | SPT + C-Data or D-Data, N bytes, 46 <= N <= 1470 | FCS
L-C-T/R,T, L-N-T/R,T, L-C-R/R,T, L-N-R/R,T: AC (TR only) | FC | DA | SA | RIF (0 <= R <= 30) | Tag header (STPID+TCI), CFI = C or N | LLC + C-Data or D-Data, N bytes | FCS

57 (figure: frame translation matrix between 802.3/Ethernet and Token-Ring/FDDI media, in untagged (U) and tagged (T) forms; the translations are labelled Q, H and Q+H)
802.3/Ethernet (untagged): E-C-T/C,U E-N-T/C,U E-C-R/C,U E-N-R/C,U L-C-T/C,U L-N-T/C,U L-C-R/C,U L-N-R/C,U
Token-Ring/FDDI (untagged): E-C-T/R,U E-N-T/R,U E-C-R/R,U E-N-R/R,U L-C-T/R,U L-N-T/R,U L-C-R/R,U L-N-R/R,U
802.3/Ethernet (tagged): E-C-T/C,T E-N-T/C,T E-C-R/C,T E-N-R/C,T L-C-T/C,T L-N-T/C,T L-C-R/C,T L-N-R/C,T
Token-Ring/FDDI (tagged): E-C-T/R,T E-N-T/R,T E-C-R/R,T E-N-R/R,T L-C-T/R,T L-N-T/R,T L-C-R/R,T L-N-R/R,T

58 VLAN System Example - Cisco
• Inter-Switch Link Protocol (ISL) for Fast Ethernet-based backbone networks
• Modified IEEE 802.10 Security Protocol for FDDI-based backbone networks

59 Inter-Switch Link Protocol (ISL) (figure: Cisco switches A, B and C joined by a Fast Ethernet backbone; an original frame from VLAN 1, 2 or 3 is carried as an ISL frame across the backbone and delivered again as the original frame; switch ports 1/1, 1/2, 2/1, 2/2, 3/1, 3/2)

60 ISL Frame Format
ISL header, fields and widths in bits: Destination Address (01-00-0C-00-00), 40 | Type, 4 | User, 4 | Source Address, 48 | Length, 16 | Constant (AA-AA-03), 24 | High Bits of Source Address (00-00-0C), 24 | VLAN ID, 15 | BPDU, 1 | Index (port index), 16 | Resv, 16
Encapsulated frame: 8-196,600 bits
CRC: 32 bits
Type: Ethernet (0000), Token-Ring (0001), FDDI (0010), ATM (0011)

61 IEEE 802.10 Security Protocol (figure: FDDI backbone network using the modified IEEE 802.10 protocol; Cisco switches and a Cisco router; an original frame is carried across the backbone as an IEEE 802.10 frame)

62 Modified 802.10 Frame Format
• IEEE 802.10 was developed in 1992 for security services over shared LANs.
• Encryption and authentication services.
• Secure Data Exchange Protocol Data Unit (SDE PDU).
• The IEEE 802.10 header and ICV (Integrity Check Value) are inserted into the original frame.

63 Modified 802.10 Frame Format
MAC header: Destination Address | Source Address | Length (+16)
802.10 header: 802.10 LSAP | SAID | MDF (unprotected header) | Station ID | Frag Flag (protected header)
Data | ICV; the protected header and the data form the range that may be encrypted
LSAP: Logical SAP (0A-0A-03)
SAID: Security Association ID -> VLAN ID
Station ID: Source Address (duplicate)
Fragment Flag: False

64 GARP VLAN Registration Protocol (GVRP)

65 GVRP Overview
• A GARP application using GARP GID (GARP Information Declaration) and GIP (GARP Information Propagation).
• GVRP provides a mechanism for:
» dynamic maintenance of the Member Sets for each VLAN of a Bridge;
» propagating the information they contain to other Bridges;
» allowing GVRP-aware devices to dynamically establish and update which VLANs currently have active members, and through which Ports they can be reached.
• Similar to GMRP, but the attribute values carried are 12-bit VID values rather than 48-bit MAC addresses.

66 GVRP in Bridges/Switches (figure: LAN 1 and LAN 2 attached to Port 1 and Port 2 of a bridge; per port, an LLC frame receive/transmit process and a GVRP Participant consisting of the GVRP Application and GID; GIP propagates between the two participants; the frame forwarding process consults the Filtering Database)

67 GVRP in Host Station (figure: one LAN and one port; an LLC frame receive/transmit process; a GVRP Participant consisting of the GVRP Application and GID, with a Filtering Database)

68 VLAN Registration Service Definition
• ES_REGISTER_VLAN_MEMBER(VID): the MAC service user wishes to receive frames destined for the VID.
• ES_DEREGISTER_VLAN_MEMBER(VID): the MAC service user no longer wishes to receive frames destined for the VID.
• On receipt of one of the above, GVRP issues a GID_Join.request / GID_Leave.request service primitive with attribute_type = VID Attribute Type, attribute_value = VID.
• On receipt of a GID_Join.indication / GID_Leave.indication from GID with attribute_type = VID Attribute Type, GVRP adds/removes the port concerned to/from the Member Set of the VLAN.

69 Definition of the GVRP Application
• GVRP Application Identifier: 0000 0000 0000 0001
• GVRP Application Address: xx-xx-xx-xx-xx-x1
• GVRP Attribute Type: VID Type (0000 0001)
• GVRP Attribute Values: VID value (two octets).
• All GARP PDUs sent and received by GVRP Participants are transmitted as untagged frames.

70 Traffic Class and Dynamic Multicast Filtering Services in Bridged LANs (IEEE 802.1p)

71 GMRP Introduction
• GMRP provides a mechanism that allows GMRP participants to dynamically register and de-register information with the MAC Bridges attached to the same LAN segment.
• That information is then disseminated across all Bridges in the Bridged LAN.

72 GMRP Introduction
• Group membership information
» indicates that one or more participants that are members of a particular Group exist;
» results in the creation or updating of Group Registration Entries in the Filtering Database.
• Port Filtering Mode information
» indicates that one or more participants require Port Filtering Mode A or B operation;
» is used to change the current Port Filtering Mode of the Port on which it is received.

73 Model of Operation
• GMRP defines a GARP Application which makes use of GID and GIP, offered by GARP, to declare and propagate information.
• The Group Membership information propagated results in the formation of a directed graph. The directed graph points, from any Filtering Database, to all LAN segments to which the original sources of the information are attached.

74 Model of Operation
• The Forwarding Process in the Bridge makes use of the directed graph to determine the directions in which frames should be forwarded or discarded.
• The directed graph defines a subtree of the Spanning Tree.
• Sources of MAC frames destined for the Group do not themselves have to register membership of the Group.

75 Example of Directed Graph (for a Single Group) (figure: six bridges, each with a Filtering Database, joining hub-based LAN A, LAN B and LAN C; members M attached to some segments; arrows from every Filtering Database towards the segments with members)

76 Propagation of Port Filtering Mode Information
• If any Port in a given Bridge is operating in Port Filtering Mode A or B, this fact is propagated on all other Ports of the Bridge, resulting in Ports of adjacent Bridges switching to Port Filtering Mode A or B if they were in a higher Port Filtering Mode.
• A GMRP-aware end station that needs to receive all multicast traffic can achieve this by declaring Port Filtering Mode A on the LAN segment to which it is attached (traffic monitoring).

77 Definition of the GMRP Application
• GMRP Application Identifier: 0000 0000 0000 0000
• GMRP Application Address: xx-xx-xx-xx-xx-x0
• GMRP Attribute Types: Group Attribute Type (0000 0001); Port Filtering Mode Attribute Type (0000 0002).
• GMRP Attribute Values: Group MAC address only (6 octets); Port Filtering Mode (1 octet): Mode A (0000 0000), Mode B (0000 0001).

78 End System Registration and De-registration
• ES_REGISTER_GROUP_MEMBER / ES_DEREGISTER_GROUP_MEMBER: the GMRP Participant issues a GID_Join.request / GID_Leave.request service primitive (,,,).
• ES_REGISTER_MODE / ES_DEREGISTER_MODE: the GMRP Participant issues a GID_Join.request / GID_Leave.request service primitive (,,,).

79 Forwarding Process (figure: Frame Reception -> Source Port State Info -> Filtering Database -> Dest Port State Info -> Frame Transmission, with Frame Discard along the way)
a: Enforcing Topology Restriction
b: Filtering Frames
c: Regenerating User Priority
d: Queuing Frames
e: Selecting Frame for Transmission
f: Mapping Priority
g: Recalculating FCS
User Priority to Traffic Class: priority 0-4 -> class 0; priority 5-7 -> class 1

80 Group Registration
• The GMRP Application responds to registration and de-registration events signaled by GID as follows:
• On receipt of a GID_Join.indication whose attribute_type is equal to the value of the Group Attribute Type:
» GMRP updates any Group Registration Entry in the Filtering Database for the address specified in the attribute_value parameter.
» If such a Filtering Database entry does not exist, a new Group Registration Entry is created.

81 Group Registration
• On receipt of a GID_Leave.indication whose attribute_type is equal to the value of the Group Attribute Type:
» GMRP updates any Group Registration Entry in the Filtering Database for the address specified in the attribute_value parameter.
» If such a Filtering Database entry does not exist, the indication is ignored.
» If the removal of the Port identifier from the Group Registration Entry results in there being no Port identifier in the member_port_set, the Group Registration Entry is removed.
• On receipt of a GID_Join.indication or a GID_Leave.indication whose attribute_type is equal to the value of the Port Filtering Mode Attribute Type, GMRP updates the current Port Filtering Mode.

82 Service Primitives for Basic Filtering Services
• Dynamic Unicast Filtering Services
» ES_IMPLICIT_REGISTER_FOR_RECEIVE(MAC_ADDRESS)
» Supported by the creation of Dynamic Filtering Entries by the learning process.
• Topology Enforcement Filtering Services
» MANAGER_ALLOCATE_STATIC_FILTER(MAC_ADDRESS, PORT_MAP, USER_PRIORITY)
» MANAGER_DEALLOCATE_STATIC_FILTER(MAC_ADDRESS)
» Supported by the creation of Static Filtering Entries via management.

83 Service Primitives for Extended Filtering Services
• Group Membership Registration and De-registration
» 2 ES_REGISTER_GROUP_MEMBER(MAC_ADDRESS, USER_PRIORITY)
» ES_DEREGISTER_GROUP_MEMBER(MAC_ADDRESS)
» ES_REGISTER_MODE(PORT_FILTERING_MODE)
» ES_DEREGISTER_PORT_FILTERING_MODE(MODE)
• Static Group Registration/De-registration
» MANAGER_REGISTER_GROUP(MAC_ADDRESS, PORT_SET, USER_PRIORITY)
» MANAGER_DEREGISTER_GROUP(MAC_ADDRESS)
• Filtering State Configuration
» MANAGER_DEFINE_DEFAULT_FILTERING_STATE(PORT, STATE)
» MANAGER_SET_DEFAULT_FILTERING_STATE(PORT)
» MANAGER_SET_FILTERING_STATE(PORT, STATE)

84 The Filtering Database
• Filtering Entries
» Consist of MAC_address and port_specification elements.
» Static Filtering Information or Dynamic Filtering Information.
» A Filtering Entry shall not contain both static and dynamic filtering information.
• Group Registration Entries
» Consist of MAC_address and member_port_set.
» Only dynamic filtering information.
• Permanent Database
» Provides fixed storage for static entries (defines the initial state of all static entries in the FD).

85 Generic Attribute Registration Protocol (GARP)

86 Generic Attribute Registration Protocol (GARP)
• GARP provides the generic attribute dissemination capability that is used by participants in GARP Applications to register and de-register attribute values with other GARP Participants within a Bridged LAN.

87 GARP Purpose (figure: LAN 1 to LAN 4 joined by bridges; A = Declaration of attribute value A, a = Registration of attribute value A)

88 GARP Overview
• Allows GARP Applications (GMRP, GVRP, ...) to make declarations, or withdraw declarations, relative to attribute values.
• A declaration/withdrawal results in the Registration/De-registration of those attribute values at all devices within the bridged LAN.
• Each attribute value has its own state variable.
• The current registration state of an attribute value on a port is recorded by means of the state variable.
• De-registration of a given attribute value occurs only if all participants connected to the same LAN segment as the port withdraw the declaration.

89 GARP Architecture (figure: two-port bridge; on each port an LLC layer and a GARP Participant consisting of the GARP Application and GID; GIP connects the participants of Port 1 and Port 2)

90 GARP Architecture (cont.)
• A GARP Participant consists of:
» a GARP Application (GVRP, GMRP)
» GARP Information Declaration (GID)
• Propagation of information between participants in a bridge is carried out by GARP Information Propagation (GIP).
• Each GARP Application has a Group MAC Address used to exchange GARP PDUs between the GARP Participants for that application.

91 GARP Architecture (cont.)
• The GARP Application is responsible for defining the semantics associated with the parameter values and operators recorded in GARP PDUs, and for generating GARP PDUs for transmission.
• GID is responsible for the declaration and registration of attribute values; it provides primitives for the GID user, and its operation is defined by these primitives and by state transition tables.

92 GID Primitives
• Declaration
» GID_Join.request(attribute_type, attribute_value)
» GID_Leave.request(attribute_type, attribute_value)
» A GID request can be generated both by the GARP Application and by GIP.
• Registration
» GID_Join.indication(attribute_type, attribute_value)
» GID_Leave.indication(attribute_type, attribute_value)
» A GID indication can be received both by the GARP Application and by GIP.

93 GARP Application Address
Assignment | Value
GMRP address | XX-XX-XX-XX-XX-X0
GVRP address | XX-XX-XX-XX-XX-X1
Reserved | XX-XX-XX-XX-XX-X2 ... XX-XX-XX-XX-XX-XF

94 GARP Operation Overview -- End Station (figure: High-level User above the GARP Participant (GARP Application and GID) above LLC)
1. The End Station issues ES_REGISTER.
2. The GARP Application issues GID_Join.request.
3. GID responds with GID_Join.indication.
4. GID sends GARP PDUs.

95 GARP Operation Overview -- Bridge (figure: two GARP Participants (GARP Application and GID) above LLC, joined by GIP; the High-level User above the applications; "Update Data" at step 4)
1. GARP PDUs are received.
2. GID primitives are issued according to the messages within the GARP PDUs.
3. GID responds with indications to the Application and to GIP.
4. The Application updates the data it is concerned with; GIP propagates the information to the other ports of this bridge according to the spanning tree.
5. The GID of the other port retransmits GARP PDUs.

96 GARP Protocol Operation
• GARP protocol operation is based on GARP messages and two protocol components: the Registrar and the Applicant.
• GARP messages:
» Empty: not trying to declare, not registered, but interested in any participants that wish to declare.
» JoinEmpty: wishes to declare, not registered, but interested in any participants that wish to declare.
» JoinIn: wishes to declare, and will behave as if it is registered.
» Leave: had registered, but is now in the process of de-registering it.
» LeaveAll: all registrations will shortly be de-registered.

97 GARP Protocol Operation (cont.)
• Registrar
» Used to record attribute registrations declared by other participants.
» Does not send any protocol message.
• Applicant
» Records the current state of declared attribute values.
» Ensures this participant's declarations are registered by the other participants' registrars within the bridged LAN.
» Ensures that other participants have a chance to re-declare (rejoin) after anyone withdraws a declaration (Leave).

98 Registrar Behavior
• Has a single timer, the leave timer, and three states:
» IN: I have registered the fact that this attribute value has been declared on this segment;
» MT: all declarations for this attribute value on this segment have been withdrawn;
» LV: I had registered this attribute value, but am now timing out the registration (using the leave timer).
• The Registrar reacts to received messages as follows:
» A Join message causes the registrar to become IN;
» If the registrar was IN, then a Leave or LeaveAll causes it to become LV. Otherwise (LV or MT) there is no effect;
» An Empty message has no effect.

99 Applicant behavior
 If no messages were lost, a single Join message would be enough for all Registrars on the segment to register its declaration; a second Join is sent so that the loss of one message is tolerated.
 To record the number of Join messages that have been propagated across the bridged LAN (its own, or JoinIn messages heard from other participants), it maintains a state variable:
   V, or Very Anxious: 0 messages;
   A, or Anxious: 1 message;
   Q, or Quiet: 2 messages;
   L, or Leaving: records the pending need to send a message at the next transmission opportunity.
 If a JoinEmpty, Empty, Leave, or LeaveAll message is received, the counter is reset to 0 (state V).

100 Members and Observers
 A member is a participant that is attempting to make or maintain a declaration for a given attribute value, or that has not yet sent the Leave message that lets it withdraw.
 An observer tracks the attribute state but does not wish to make a declaration.
 There are three states for members and observers: A, or Active Member; P, or Passive Member; O, or Observer.
 When an observer is required to become a member, it first becomes a passive member.
 When a passive member sends a Join message, it becomes an active member.
 When an active member receives a Leave or LeaveAll message, it becomes a passive member (it must re-send its Join).

101 Applicant State
 Combining {V, A, Q, L} with {A, P, O} gives the following states: {VA, AA, QA, LA, VP, AP, QP, VO, AO, QO, LO}.
 Note that there is no LP (Leaving Passive Member) state: a passive member has no outstanding Join of its own to withdraw, so it can transition directly to an observer state when it wishes to withdraw a declaration.

102 GARP PDU Format

[Figure: PDU layout]
 Header structure: Protocol Identifier (PID) | Application Identifier (AP ID) | No. of messages
 Message structure: Message Length | Message Type | Attribute Type | Message Body (may be null)
 Message Body structure: Operator 1 | ... | Operator N
 Operator structure: Operator Length | Operator Type | Operand

103 GARP PDU Format
 Protocol Identifier
 Application Identifier
 No. of Messages : Unsigned binary number, equal to the number of messages that follow the GARP PDU header.
 Message Length : Unsigned binary number, equal to the number of octets occupied by the message (inclusive of the Message Length field). The minimum value of this parameter is 4.
 Message Type : 0 identifies a Packed message; 1 identifies a LeaveAll message; 2 identifies a LeaveAllInRange message.
 Attribute Type : 0 indicates that this message applies to all attribute types defined by the application concerned; 1 ~ N indicates that this message applies to a specific attribute type.

104 GARP PDU Format (cont.)
 Operator Length : Unsigned binary number, equal to the number of octets occupied by the operator, inclusive of the Operator Length field.
 Operator Type : 0 LeaveAll Range operator; 1 JoinIn operator; 2 JoinEmpty operator; 3 LeaveIn operator; 4 LeaveEmpty operator; 5 Empty operator.
 Operand : A single attribute value; or an attribute value range, consisting of a start-of-range attribute value followed by an end-of-range attribute value.

105 LeaveAll Message format
 Protocol Identifier = xxxx xxxx xxxx xxxx
 Application Identifier = xxxx xxxx xxxx xxxx
 No. of Messages = 1
 Message Length = 4
 Message Type = 1
 Attribute Type = 0, or any valid value for the GARP application concerned.

106 LeaveAllInRange Message format
 Protocol Identifier = xxxx xxxx xxxx xxxx
 Application Identifier = xxxx xxxx xxxx xxxx
 No. of Messages = 1
 Message Length = 6 + (2 * N), where N is the length in octets of an attribute value of the given Attribute Type.
 Message Type = 2
 Attribute Type = any valid value for the GARP application concerned.
 Operator Length = 2 + (2 * N), N as above.
 Operator Type = 0.
 Operand = the attribute value range (start value followed by end value) for the Attribute Type given in the message.

107 Packed Message format
 Protocol Identifier = xxxx xxxx xxxx xxxx
 Application Identifier = xxxx xxxx xxxx xxxx
 No. of Messages = the number of messages carried (one or more)
 Message Length = 4 + N, where N is the length in octets of the set of operators contained in the Packed message;
 Message Type = 0;
 Attribute Type = any valid value for the GARP application concerned.
 A set of one or more operators, each with:
   Operator Length = 2 + N, where N is the length in octets of the attribute value contained in the Operand;
   Operator Type = 1, 2, 3, 4 or 5;
   Operand = the attribute value, of the Attribute Type defined by the message in which the operator is carried.
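The encoding rules of slides 102 to 107 can be exercised with a small encoder and a strict parser. The Python below is an added example written for this page, not code from the slides or from any bridge implementation. The field widths (2-octet identifiers and Message Length, 1-octet message count, type codes and Operator Length), the 2-octet VLAN ID used for Attribute Type 1 and the identifier values are assumptions, since the slides leave them open. The parser checks every declared length against the octets actually present and rejects operators that appear in the wrong message type, which is what a receiver must do before acting on a frame taken from the wire.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

# Message Types (slide 103) and Operator Types (slide 104).
MSG_PACKED, MSG_LEAVE_ALL, MSG_LEAVE_ALL_IN_RANGE = 0, 1, 2
(OP_LEAVE_ALL_RANGE, OP_JOIN_IN, OP_JOIN_EMPTY,
 OP_LEAVE_IN, OP_LEAVE_EMPTY, OP_EMPTY) = range(6)

# ASSUMED widths: identifiers are 16 bits (slide 105); Message Length must be
# 2 octets for an operator-less message to be exactly 4 octets (slide 103);
# the remaining fields are taken as 1 octet each.
HEADER = struct.Struct("!HHB")   # Protocol Identifier, Application Identifier, No. of messages
MSG_HDR = struct.Struct("!HBB")  # Message Length, Message Type, Attribute Type
OP_HDR = struct.Struct("!BB")    # Operator Length, Operator Type

ATTR_LEN = {1: 2}        # ASSUMED: Attribute Type 1 is a 2-octet VLAN ID (GVRP-style)
PROTOCOL_ID = 0x0001     # GARP Protocol Identifier; the slides show it as x's
APPLICATION_ID = 0x0001  # constructed value for this example


class GarpFormatError(ValueError):
    """Any length or type code that contradicts the format."""


@dataclass
class Operator:
    op_type: int
    operand: Union[bytes, Tuple[bytes, bytes]]  # one value, or (start, end) of a range


@dataclass
class Message:
    msg_type: int
    attr_type: int
    operators: List[Operator]


@dataclass
class GarpPdu:
    protocol_id: int
    application_id: int
    messages: List[Message]


def vid(v: int) -> bytes:
    """Encode a VLAN ID as a 2-octet attribute value."""
    return struct.pack("!H", v)


def encode_operator(op: Operator) -> bytes:
    operand = b"".join(op.operand) if isinstance(op.operand, tuple) else op.operand
    return OP_HDR.pack(OP_HDR.size + len(operand), op.op_type) + operand  # length is inclusive


def encode_message(msg: Message) -> bytes:
    body = b"".join(encode_operator(op) for op in msg.operators)
    return MSG_HDR.pack(MSG_HDR.size + len(body), msg.msg_type, msg.attr_type) + body


def encode_pdu(pdu: GarpPdu) -> bytes:
    return (HEADER.pack(pdu.protocol_id, pdu.application_id, len(pdu.messages))
            + b"".join(encode_message(m) for m in pdu.messages))


def parse_message(mtype: int, atype: int, body: bytes) -> Message:
    if mtype == MSG_LEAVE_ALL:
        if body:                      # slide 105: Message Length is exactly 4
            raise GarpFormatError("LeaveAll carries no operators")
        return Message(mtype, atype, [])
    if mtype not in (MSG_PACKED, MSG_LEAVE_ALL_IN_RANGE):
        raise GarpFormatError(f"unknown Message Type {mtype}")
    if atype not in ATTR_LEN:         # Attribute Type 0 is only meaningful for LeaveAll
        raise GarpFormatError(f"Attribute Type {atype} not valid for this application")
    n, ops, pos = ATTR_LEN[atype], [], 0
    while pos < len(body):
        if len(body) - pos < OP_HDR.size:
            raise GarpFormatError("truncated operator header")
        olen, otype = OP_HDR.unpack_from(body, pos)
        if olen < OP_HDR.size or pos + olen > len(body):
            raise GarpFormatError(f"Operator Length {olen} exceeds message body")
        operand = body[pos + OP_HDR.size:pos + olen]
        if otype == OP_LEAVE_ALL_RANGE:  # range = start then end: 2*N octets (slide 106)
            if mtype != MSG_LEAVE_ALL_IN_RANGE or len(operand) != 2 * n:
                raise GarpFormatError("LeaveAll Range operator misplaced or mis-sized")
            ops.append(Operator(otype, (operand[:n], operand[n:])))
        elif OP_JOIN_IN <= otype <= OP_EMPTY:
            if mtype != MSG_PACKED or len(operand) != n:
                raise GarpFormatError("attribute operator misplaced or mis-sized")
            ops.append(Operator(otype, operand))
        else:
            raise GarpFormatError(f"unknown Operator Type {otype}")
        pos += olen
    if mtype == MSG_LEAVE_ALL_IN_RANGE and len(ops) != 1:
        raise GarpFormatError("LeaveAllInRange carries exactly one range operator")
    if mtype == MSG_PACKED and not ops:
        raise GarpFormatError("Packed message needs at least one operator")
    return Message(mtype, atype, ops)


def parse_pdu(data: bytes) -> GarpPdu:
    """Parse an untrusted PDU; every declared length is checked against the octets present."""
    if len(data) < HEADER.size:
        raise GarpFormatError("truncated PDU header")
    pid, apid, nmsg = HEADER.unpack_from(data, 0)
    pos, messages = HEADER.size, []
    for _ in range(nmsg):
        if len(data) - pos < MSG_HDR.size:
            raise GarpFormatError("truncated message header")
        mlen, mtype, atype = MSG_HDR.unpack_from(data, pos)
        if mlen < MSG_HDR.size or pos + mlen > len(data):
            raise GarpFormatError(f"Message Length {mlen} inconsistent with PDU size")
        messages.append(parse_message(mtype, atype, data[pos + MSG_HDR.size:pos + mlen]))
        pos += mlen
    if pos != len(data):
        raise GarpFormatError("trailing octets after the last message")
    return GarpPdu(pid, apid, messages)


def example_pdu() -> GarpPdu:
    """Constructed sample: a Packed message with three VLAN operators, then a LeaveAll."""
    packed = Message(MSG_PACKED, 1, [Operator(OP_JOIN_IN, vid(10)),
                                     Operator(OP_JOIN_EMPTY, vid(20)),
                                     Operator(OP_LEAVE_IN, vid(30))])
    return GarpPdu(PROTOCOL_ID, APPLICATION_ID, [packed, Message(MSG_LEAVE_ALL, 0, [])])
```

`encode_pdu(example_pdu())` yields a 25-octet PDU: 5 header octets, a 16-octet Packed message (4 + three 4-octet operators) and a 4-octet LeaveAll; `parse_pdu` returns the same structure, and raises `GarpFormatError` for a truncated frame, trailing octets, or a LeaveAll Range operator smuggled into a Packed message.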

108 Timer Values

 GARP timer parameter values:

 Parameter      Value (centiseconds)
 JoinTime       20
 LeaveTime      60
 LeaveAllTime   1000
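The Registrar and Applicant rules of slides 96 to 101, together with the JoinTime and LeaveTime values above, can be put together into a small simulation. The Python below is an added example for this page, not code from the slides or from a bridge implementation. It is a simplified model derived from the slide text (the full 802.1D Applicant state table has more cases than are shown here); the two-participant segment, the participant names and the event timing are constructed for the example. It shows the two points the slides make: a Join heard from another participant counts towards the two Joins the segment needs, so A sends only one, and after A withdraws, B re-declares immediately while A's Registrar keeps the value registered and B's Registrar times out to MT after LeaveTime.

```python
from enum import Enum

# Timer defaults from the timer table, in centiseconds.
JOIN_TIME_CS, LEAVE_TIME_CS, LEAVE_ALL_TIME_CS = 20, 60, 1000


class Msg(str, Enum):
    JOIN_IN = "JoinIn"          # declaring, and the sender's Registrar is IN
    JOIN_EMPTY = "JoinEmpty"    # declaring, nothing registered at the sender
    LEAVE_IN = "LeaveIn"        # the two wire encodings of a Leave (slide 104)
    LEAVE_EMPTY = "LeaveEmpty"
    EMPTY = "Empty"             # not declaring, but soliciting declarations
    LEAVE_ALL = "LeaveAll"


JOINS = (Msg.JOIN_IN, Msg.JOIN_EMPTY)
LEAVES = (Msg.LEAVE_IN, Msg.LEAVE_EMPTY, Msg.LEAVE_ALL)


class Registrar:
    """Records what other participants declare; never transmits (slide 97)."""

    def __init__(self):
        self.state, self.leave_timer = "MT", 0   # IN, MT or LV (slide 98)

    def receive(self, msg: Msg):
        if msg in JOINS:
            self.state, self.leave_timer = "IN", 0
        elif msg in LEAVES and self.state == "IN":
            self.state, self.leave_timer = "LV", LEAVE_TIME_CS
        # Leave while LV or MT, and Empty in any state, have no effect.

    def tick(self, cs: int):
        """A Leave not answered by a Join within LeaveTime de-registers the value."""
        if self.state == "LV":
            self.leave_timer -= cs
            if self.leave_timer <= 0:
                self.state = "MT"


class Applicant:
    """State = counter {V, A, Q, L} + membership {A, P, O} (slides 99 to 101)."""

    def __init__(self):
        self.counter, self.member = "V", "O"

    @property
    def state(self) -> str:
        return self.counter + self.member

    def req_join(self):
        if self.member == "O":          # observer -> passive member (slide 100)
            self.member = "P"
            if self.counter == "L":     # our Join supersedes a pending Empty
                self.counter = "V"

    def req_leave(self):
        if self.member == "A":
            self.counter = "L"          # LA: a Leave is due at the next transmission
        elif self.member == "P":
            self.member = "O"           # no LP state: nothing of ours to withdraw (slide 101)

    def receive(self, msg: Msg):
        leaving = self.counter == "L"
        if msg == Msg.JOIN_IN:          # someone else's Join is a propagated Join too
            if self.counter == "V":
                self.counter = "A"
            elif self.counter == "A":
                self.counter = "Q"
            elif leaving and self.member == "O":
                self.counter = "A"      # LO -> AO: someone re-declared, no Empty needed
        elif msg in (Msg.JOIN_EMPTY, Msg.EMPTY):
            if not leaving or self.member == "O":
                self.counter = "V"      # everyone must (re)send its Join
        elif msg in LEAVES and not leaving:
            if self.member == "O":
                self.counter = "L"      # LO: send Empty so declarers can rejoin
            else:
                self.counter, self.member = "V", "P"   # must rejoin; passive until it does

    def tx(self, registrar_in: bool):
        """Transmission opportunity (every JoinTime); returns the message to send, or None."""
        if self.counter == "L":
            if self.member == "A":
                self.counter, self.member = "V", "O"
                return Msg.LEAVE_IN if registrar_in else Msg.LEAVE_EMPTY
            self.counter = "V"          # LO -> VO
            return Msg.EMPTY
        if self.member != "O" and self.counter in "VA":
            self.counter = "A" if self.counter == "V" else "Q"
            self.member = "A"           # sending a Join makes a passive member active
            return Msg.JOIN_IN if registrar_in else Msg.JOIN_EMPTY
        return None                     # Quiet members and observers stay silent


class Participant:
    def __init__(self, name: str):
        self.name, self.registrar, self.applicant = name, Registrar(), Applicant()


def simulate(rounds: int = 7):
    """Constructed segment: A and B both declare one value; A withdraws at t = 60 cs."""
    a, b = Participant("A"), Participant("B")
    log = []
    a.applicant.req_join()
    b.applicant.req_join()
    for r in range(1, rounds + 1):
        t = r * JOIN_TIME_CS
        if t == 60:
            a.applicant.req_leave()
        for sender, peer in ((a, b), (b, a)):
            msg = sender.applicant.tx(sender.registrar.state == "IN")
            if msg is not None:
                log.append((t, sender.name, msg.value))
                peer.registrar.receive(msg)   # a participant does not hear itself
                peer.applicant.receive(msg)
        for p in (a, b):
            p.registrar.tick(JOIN_TIME_CS)
    return log, a, b
```

`simulate()` returns the transmissions as (time, sender, message): A sends one JoinEmpty at t=20 and a LeaveIn at t=60; B sends JoinIn twice (t=20, t=40) and, after A's Leave, JoinEmpty twice (t=60, t=80) because its own Registrar is LV while it re-declares. At the end A is VO with its Registrar IN, and B is QA with its Registrar MT.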

