Published by Regina Ferguson. Modified over 9 years ago.
Module 1: Ethernet-VLAN Technology
3FL15001BBADWBZZ, Edition 01
Section 1: Technology
Objectives: an understanding of the basics of the Ethernet frame format and VLANs.
Table of Contents

1 Ethernet Framing
1.1 Ethernet: Ethernet and IEEE 802.3
1.2 Common fields in the Ethernet frame
1.3 IEEE 802.3 Ethernet frame interpretation
1.4 IEEE 802.3 frame with type field
1.5 IEEE 802.3 frame with 802.2 LLC header
1.6 IEEE 802.3 SNAP header
1.7 IEEE 802.3 frame with LLC/SNAP header
1.8 IP over Ethernet/IEEE 802 – example
2 VLAN: Virtual Local Area Network
2.1 What is a LAN?
2.2 What is a VLAN?
2.3 How VLANs Work
2.4 Layer 1 VLAN: Membership by port
2.5 Layer 2 VLAN: Membership by MAC address
2.6 Layer 3 VLAN: Membership by Protocol type
2.6 Layer 3 VLAN: Membership by IP Subnet Address [cont.]
2.7 VLAN types - Glossary/Terminology
2.8 VLAN Link types: Access Link
2.8.2 Trunk Link
2.8.3 Hybrid Link
2.9 Q-VLAN tag (IEEE 802.1Q)
2.10 802.1Q Tag-based - Glossary/Terminology
2.11 Forwarding engine - Glossary/Terminology
2.12 802.1Q Process
2.13 Ingress Rule
2.14 Forwarding Process
2.15 Egress Rule
2.16 Principles of operation in a VLAN Bridge
2.17 Objective of VLAN stacking
2.18 IEEE 802.1ad - Systems
2.19 IEEE 802.1ad - Tags
2.20 IEEE 802.1ad - Ports
2.21 Operation in a provider edge bridge: single tag
2.22 Operation in a Provider Edge Bridge: single tag
2.23 Dual VLAN – VLAN Stacking
2.24 Dual VLAN – VLAN Stacking
2.25 Operation in a Provider Bridge: VLAN stacking
1 Ethernet Framing
1.1 Ethernet: Ethernet and IEEE 802.3

Ethernet protocol: based on the Xerox Network Standard (XNS), Ethernet v1.
IEEE 802.3 protocol: commonly called Ethernet. Three different versions exist:
  IEEE 802.3 frame with Type field and any protocol in the payload
  IEEE 802.3 frame with Length field and LLC header
  IEEE 802.3 frame with Length field and LLC/SNAP header
Ethernet v2 is a valid IEEE 802.3 frame.
Used in Local Area Networks. Uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection).

When somebody says that they are running Ethernet on their network, inevitably you have to ask: "Which Ethernet?". Currently, there are many versions of the Ethernet Frame Format in the commercial marketplace, all subtly different and not necessarily compatible with each other. The explanation for the many types of Ethernet Frame Formats currently on the marketplace lies in Ethernet's history.

In 1972, work on the original version of Ethernet, Ethernet Version 1, began at the Xerox Palo Alto Research Center. Version 1 Ethernet was released in 1980 by a consortium of companies comprising DEC, Intel, and Xerox. In the same year, the IEEE meetings on Ethernet began. In 1982, the DIX (DEC/Intel/Xerox) consortium released Version 2 Ethernet, and since then it has almost completely replaced Version 1 in the marketplace. In 1983 Novell NetWare '86 was released, with a proprietary frame format based on a preliminary release of the IEEE 802.3 spec. Two years later, when the final version of the spec was released, it had been modified to include the LLC header, making NetWare's proprietary format incompatible. Finally, the SNAP format was created to address backwards compatibility issues between Version 2 and IEEE 802.3.

As you can see, the large number of players in the Ethernet world have created a number of different choices. The bottom line is this: either a particular driver supports a particular frame format, or it doesn't. Typically, Novell stations can support any of the frame formats, while TCP/IP stations will support only one, although there are no hard and fast rules in networking.
1.2 Common fields in the Ethernet frame

Preamble (7B) | SFD (1B) | DA (6B) | SA (6B) | ... | FCS (4B)
Preamble: fixed sequence to alert the receiver. SFD: Start Frame Delimiter. DA: destination MAC address. SA: source MAC address. FCS: Frame Check Sequence (CRC).

In the following slides we will outline the specific fields in the different types of Ethernet frames. But first let's look at the fields that are common to each type of Ethernet frame.

The Preamble and SFD (Start Frame Delimiter): regardless of the frame type being used, the means of digital signal encoding on an Ethernet network is the same. While a discussion of Manchester encoding is beyond the scope of this course, it is sufficient to say that on an idle Ethernet network there is no signal. Because each station has its own oscillating clock, the communicating stations have to have some way to "synch up" their clocks and thereby agree on how long one bit time is. The preamble facilitates this. The preamble with SFD consists of 8 bytes of alternating ones and zeros, ending in 11. A station on an Ethernet network detects the change in voltage that occurs when another station begins to transmit and uses the preamble to "lock on" to the sending station's clock signal. Because it takes some time for a station to "lock on", it doesn't know how many bits of the preamble have gone by. For this reason, we say that the preamble is "lost" in the "synching up" process. No part of the preamble ever enters the adapter's memory buffer. Once locked on, the receiving station waits for the 11 that signals that the Ethernet frame follows.

The Destination MAC address and Source MAC address fields are 6 bytes in length. The first three bytes of the MAC address are assigned by the IEEE to the vendor of the Ethernet card and the last three bytes are assigned by the vendor.
1.3 IEEE 802.3 Ethernet frame interpretation

Based on the type or length field. Frame size: min 64 bytes, max 1518 bytes.
DA (6B) | SA (6B) | Length or Type (2B) | ... | FCS (4B)
Data Link Header: DA, SA, Length or Type. The 2-byte field carries the frame length (<= 1500) or type information (> 1500).

In the case of an IEEE 802.3 Ethernet frame, frame interpretation is based on the Type or Length field in the frame. If the type or length field is less than or equal to 1500 (decimal value; 1500 = 05-DC hex), then the field is interpreted as a length field. If the value is greater than 1500, it is interpreted as a type field.
1.4 IEEE 802.3 frame with type field

Commonly called the Ethernet v2 frame. Frame size: min 64 bytes, max 1518 bytes.
DA (6B) | SA (6B) | Type (2B) | PAYLOAD (46–1500 bytes) | FCS (4B)
Data Link Header: DA, SA, Type (TYPE > 1500).
  Type 0800: IP datagram (46–1500 bytes)
  Type 0806: ARP request / ARP reply (28 bytes) + PAD (18 bytes)
  Type 8035: RARP request / RARP reply (28 bytes) + PAD (18 bytes)
Ethertype values: 0x0800 = IP, 0x0806 = ARP, 0x8035 = RARP, 0x888E = 802.1X, 0x8863 = PPPoE control frames, 0x8864 = PPPoE data frames.

The specifications include the possibility to have a frame with a type field and any protocol in the payload. This way the Ethernet II frame defined by DIX (DEC, Intel, and Xerox) is also a valid frame. Like the 802.3 spec (see later), the Version II spec defines a Data Link Header consisting of 14 bytes (6+6+2) of information, but the Version II spec does not specify an LLC header. The Type field is 2 bytes and contains the value that defines the protocol that is being encapsulated in the data payload. This Ethertype is expressed in hexadecimal (all these values are greater than 1500 decimal).

At the physical layer, the DST MAC field could be preceded by a 7-byte preamble and 1-byte start of frame delimiter. At the end of the Data field is a 4-byte FCS. The minimum frame size for Ethernet media without the preamble and SFD is 64 bytes and the maximum frame size without the preamble is 1518 bytes. Hence the minimum frame size on Ethernet with the preamble and SFD is 72 bytes and the maximum is 1526 bytes. Note: Preamble and SFD are not shown on the slide.
1.5 IEEE 802.3 frame with 802.2 LLC header

Defining Service Access Points (SAPs): SAPs ensure that the same Network Layer protocol is used at the source and at the destination (TCP/IP talks to TCP/IP, IPX/SPX talks to IPX/SPX, ...). Destination SAP / Source SAP.
Frame size: min 64 bytes, max 1518 bytes.
DA | SA | Length | DSAP (1B) | SSAP (1B) | CONTR (1B) | PAYLOAD (43–1497 bytes) | FCS
Data Link Header: DA, SA, Length (frame length <= 1500). 802.2 LLC: DSAP, SSAP, CONTR.
SAP values: 02 = Individual LLC Sublayer Management Function, 03 = Group LLC Sublayer Management Function, 04 = IBM SNA Path Control (individual), 05 = IBM SNA Path Control (group), 06 = ARPANET Internet Protocol (IP), AA = SubNetwork Access Protocol (SNAP), E0 = Novell NetWare, F0 = IBM NetBIOS.

The following describes the LLC frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length. The length field is 2 bytes and contains the length of the frame, not including the preamble, 32-bit CRC, data link connection addresses, or the Length field itself. An Ethernet frame can be no shorter than 64 bytes total length, and no longer than 1518 bytes total length.

The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload. The DSAP, or Destination Service Access Point, is a 1-byte field that simply acts as a pointer to a memory buffer in the receiving station. It tells the receiving network interface card in which buffer to put this information. This functionality is crucial in situations where users are running multiple protocol stacks, etc. The SSAP, or Source Service Access Point, is analogous to the DSAP and specifies the source of the sending process. Following the SAPs is a one-byte control field that specifies the type of LLC frame that this is.
1.6 IEEE 802.3 SNAP header

Due to the growing number of applications using the IEEE 802.2 LLC header, an extension was made: the introduction of the IEEE Sub-Network Access Protocol (SNAP) header. SSAP = H'AA, DSAP = H'AA indicates that a SNAP header is used.
LLC: AA (1B) | AA (1B) | 03 (1B). SNAP: vendor code (3B) | TYPE (2B).

While the original specification worked well, the IEEE realized that some upper layer protocols required an Ethertype to work properly. For example, TCP/IP uses the Ethertype to differentiate between ARP packets and normal IP data frames. In order to provide this backwards compatibility with the Version II frame type, the SNAP (SubNetwork Access Protocol) format was created. The SNAP frame format consists of a normal Data Link Header followed by an LLC header and then a 5-byte SNAP field, followed by the normal user data and FCS.

The Sub-Network Access Protocol (SNAP) header: the first 3 bytes of the SNAP header are the vendor code, generally the same as the first three bytes of the source address, although it is sometimes set to zero. Following the vendor code is a 2-byte field that typically contains an Ethertype for the frame. This is where the backwards compatibility with Version II Ethernet is implemented.
1.7 IEEE 802.3 frame with LLC/SNAP header

The Type field provides backwards compatibility with the Ethernet v2 frame. Frame size: min 64 bytes, max 1518 bytes.
DA | SA | Length | AA (1B) | AA (1B) | 03 (1B) | vendor code (3B) | Type (2B) | PAYLOAD (38–1492 bytes) | FCS
Data Link Header: DA, SA, Length. 802.2 LLC: AA, AA, 03. 802.2 SNAP: vendor code, Type.
Type values: 0x0800 = IP, 0x0806 = ARP, 0x8035 = RARP, 0x888E = 802.1X, 0x8863 = PPPoE control frames, 0x8864 = PPPoE data frames.

The following describes the SNAP frame format. The Destination MAC address and Source MAC address fields are 6 bytes in length. The length field is 2 bytes and contains the length of the frame. The DSAP and SSAP fields are used to identify the type of the protocol that is encapsulated in the payload; in this case the value remains constant and is 0xAA. The header that follows the LLC header is called the SNAP header. This contains a 2-byte type field that contains the value that defines the protocol that is being encapsulated in the data payload.
1.8 IP over Ethernet/IEEE 802 – example

Ethernet II: Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Type 0800 | IP datagram | FCS (4)
IEEE 802.3 / IEEE 802.2 LLC: Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | LLC: DSAP 06, SSAP 06 | IP datagram | FCS (4)
IEEE 802.3 / IEEE 802.2 LLC/SNAP: Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | LLC: AA AA 03 | SNAP: vendor code 00, Type 0800 | IP datagram | FCS (4)
Summary

Ethernet version 2 (Xerox) MAC frame: has an Ethertype field that indicates which protocol is inside the data section; its value is always > 05-DC hex.
IEEE 802.3: has a Length or/and Type field. If < 05-DC: IEEE 802.3 Length field. If >= 05-DC: IEEE 802.3 Type field; the Type field gives a protocol identification (same as Ethertype).
802.3 incorporates aspects of Ethernet version 2 and will replace it for high-speed Ethernet networks. Ethernet v2 is a valid 802.3 frame.
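As an added example (not code from the course), the following Python parser applies the length/type rule from 1.3 and the LLC and SNAP layouts from 1.5 to 1.7 to classify a raw frame and pull out the encapsulated protocol. It assumes the frame is delivered as a driver hands it over: starting at the destination MAC, with preamble, SFD and FCS already stripped; the sample frames are constructed for this example. The length check matters in practice: a length field larger than the frame is exactly the malformed input that makes a naive parser read past its buffer.

```python
import struct

# Ethertype values named on the slides; any value above 1500 marks an Ethernet II frame.
ETHERTYPES = {
    0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x888E: "802.1X",
    0x8863: "PPPoE control", 0x8864: "PPPoE data",
}
# 802.2 SAP values from the LLC slide.
SAP_NAMES = {0x06: "IP", 0xAA: "SNAP", 0xE0: "Novell NetWare", 0xF0: "IBM NetBIOS"}
SNAP_LLC = bytes.fromhex("aaaa03")  # DSAP=AA, SSAP=AA, control=03 announces a SNAP header
LENGTH_TYPE_BOUNDARY = 1500         # 0x05DC: <= is a length field, > is an Ethertype

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def interpret_frame(frame: bytes) -> dict:
    """Classify a frame as Ethernet II, 802.3/LLC or 802.3/LLC/SNAP.

    Assumes `frame` starts at the destination MAC (preamble and SFD never
    reach software) and carries no trailing FCS.
    """
    if len(frame) < 14:
        raise ValueError("shorter than the 14-byte data link header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src)}

    if type_or_len > LENGTH_TYPE_BOUNDARY:
        # Ethernet II: the field is an Ethertype and everything after it is payload
        # (including any padding, which Ethernet II cannot distinguish from data).
        info["encapsulation"] = "Ethernet II"
        info["ethertype"] = type_or_len
        info["protocol"] = ETHERTYPES.get(type_or_len, "unknown")
        info["payload"] = frame[14:]
        return info

    # 802.3: the field is a length. Reject a length the frame cannot satisfy
    # instead of silently reading padding or running past the end of the buffer.
    length = type_or_len
    body = frame[14:14 + length]
    if len(body) < length:
        raise ValueError(f"length field {length} exceeds the frame size")
    if length < 3:
        raise ValueError("802.3 frame too short for an LLC header")
    info.update({"dsap": body[0], "ssap": body[1], "control": body[2]})

    if body[:3] == SNAP_LLC:
        if length < 8:
            raise ValueError("SNAP header truncated")
        ethertype = struct.unpack("!H", body[6:8])[0]
        info["encapsulation"] = "802.3/LLC/SNAP"
        info["vendor_code"] = body[3:6].hex()
        info["ethertype"] = ethertype
        info["protocol"] = ETHERTYPES.get(ethertype, "unknown")
        info["payload"] = body[8:]
        return info

    info["encapsulation"] = "802.3/LLC"
    info["protocol"] = SAP_NAMES.get(body[0], "unknown")
    info["payload"] = body[3:]
    return info

def is_well_formed(frame: bytes) -> bool:
    """True when interpret_frame accepts the frame, False on any framing error."""
    try:
        interpret_frame(frame)
        return True
    except ValueError:
        return False

def constructed_frame(type_or_len: int, body: bytes) -> bytes:
    """Build a sample frame (constructed for this example, not captured traffic).

    Pads to 60 bytes so that with the 4-byte FCS the frame meets the 64-byte
    minimum; for 802.3 frames the padding lies outside the length field.
    """
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
    frame = header + struct.pack("!H", type_or_len) + body
    return frame + b"\x00" * max(0, 60 - len(frame))

# Ethernet II carrying a 28-byte ARP request (the ARP bytes are placeholders).
ARP_FRAME = constructed_frame(0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)
# 802.3 with LLC header: DSAP/SSAP 06 (IP), control 03, then 43 bytes of data.
LLC_FRAME = constructed_frame(46, bytes([0x06, 0x06, 0x03]) + b"\x11" * 43)
# 802.3 with LLC/SNAP: AA AA 03, zero vendor code, Ethertype 0800, then 38 bytes.
SNAP_FRAME = constructed_frame(46, SNAP_LLC + b"\x00\x00\x00\x08\x00" + b"\x22" * 38)

if __name__ == "__main__":
    for f in (ARP_FRAME, LLC_FRAME, SNAP_FRAME):
        r = interpret_frame(f)
        print(r["encapsulation"], r["protocol"], len(r["payload"]), "payload bytes")
```

The ARP frame comes back with a 46-byte payload because Ethernet II carries no length field, so the 18 bytes of padding are indistinguishable from data; the 802.3 variants return exactly 43 and 38 bytes, matching the payload ranges on the slides.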
2 VLAN: Virtual Local Area Network

2.1 What is a LAN?

Local Area Network (LAN): everyone can communicate with each other on the LAN. Single broadcast domain. Same subnet. No routing between members of a LAN; routing required between LANs. (Figure: Corporate LAN.)

To understand VLANs, you need to understand LANs first. A Local Area Network (LAN) can generally be defined as a broadcast domain. Hubs, bridges or switches in the same physical segment connect all end node devices. End nodes can communicate with each other without the need for a router. However, communication with devices on different LAN segments requires the use of a router.
2.2 What is a VLAN?

Virtual Local Area Network (VLAN): used to separate the physical LAN into logical LANs. Logical broadcast / multicast domain. Inter-VLAN communication: only via higher-layer devices (e.g. IP routers). VLAN membership is defined by the network manager. (Figure: Corporate LAN divided into Marketing LAN, Engineering LAN and Administration LAN.)

A VLAN allows a network manager to logically segment a LAN into different broadcast domains. Since this is a logical segmentation and not a physical one, workstations do not have to be physically located together. Users on different floors of the same building, or even in different buildings, can now belong to the same LAN. VLANs also allow broadcast domains to be defined without using routers. Bridging software is used instead to define which workstations are included in the broadcast domain. Routers would only have to be used to communicate between two VLANs.

Communication between nodes that are attached to a single physical LAN infrastructure is only possible if they are members of the same VLAN. Inter-VLAN communication requires a higher-layer packet forwarder like a router to forward packets between the VLANs it belongs to. A router that only routes packets and does not bridge frames is said to terminate the VLAN. This means that a router uses VLANs to partition a single Ethernet interface into a number of logical sub-interfaces, one for each VLAN. Such a logical interface is called a VLAN-terminated (sub-)interface.
2.3 How VLANs Work

VLANs can be distinguished by the method used to indicate membership when a packet travels between switches: implicit or explicit. VLAN membership can be classified by port, protocol type, MAC address or IP address. IEEE 802.1Q classification: 802.1Q tag (explicit), port based (implicit), port-and-protocol based (implicit).

In order to understand how VLANs work, we need to look at the types of VLANs, the types of connections between devices on VLANs, the filtering database which is used to send traffic to the correct VLAN, and tagging, a process used to identify the VLAN originating the data.

A first and important distinction between VLAN implementations is the method used to indicate membership when a packet travels between switches. Two methods exist: implicit and explicit. When a LAN bridge receives data from a workstation, it tags the data with a VLAN identifier indicating the VLAN from which the data came. This is called explicit tagging. A tag is added to the packet to indicate VLAN membership. The IEEE 802.1Q VLAN specifications use this method. Tagging can be based on the port from which it came, the source Media Access Control (MAC) field, the source network address, or some other field or combination of fields. VLANs are classified based on the method used.

It is also possible to determine to which VLAN the received data belongs using implicit tagging. In implicit tagging the data is not tagged, but the VLAN from which the data came is determined based on information like the port on which the data arrived, or VLAN membership is indicated by the MAC address. In this case, all switches that support a particular VLAN must share a table of member MAC addresses.

VLAN classification according to IEEE 802.1Q is done based on the tag (explicit), the port (implicit), or port-and-protocol (implicit). Other criteria (such as MAC address or IP address) are non-standard.
2.4 Layer 1 VLAN: Membership by port

Membership in a VLAN is defined based on the ports that belong to the VLAN. Also referred to as port switching. Does not allow user mobility. Does not allow multiple VLANs to include the same physical segment (or switch port). (Figure: port-to-VLAN table for switch ports 1–9.)

In this implementation, the administrator assigns each port of a switch to a VLAN. The switch determines the VLAN membership of each packet by noting the port on which it arrives. The primary limitation of defining VLANs by port is that the network manager must reconfigure VLAN membership when a user moves from one port to another: he needs to reassign the new port to the user's old VLAN. The network change is then completely transparent to the user, and the administrator saves a trip to the wiring closet. Another significant drawback is the case of a repeater attached to a port on the switch. In that case, all of the users connected to that repeater must be members of the same VLAN.
2.5 Layer 2 VLAN: Membership by MAC address

Membership in a VLAN is based on the MAC address of the workstation. The switch tracks the MAC addresses which belong to each VLAN. Provides full user movement: clients and servers are always on the same LAN regardless of location. Disadvantages: too many addresses need to be entered and managed; notebook PCs change docking stations. (Figure: MAC-address-to-VLAN table for switch ports 1–9.)

The VLAN membership of a packet in this case is determined by its source or destination MAC address. Each switch maintains a table of MAC addresses and their corresponding VLAN memberships. A key advantage of this method is that the switch doesn't need to be reconfigured when a user moves to a different port. However, assigning VLAN membership to each MAC address can be a time-consuming task. Also, a single MAC address cannot easily be a member of multiple VLANs. This can be a significant limitation, making it difficult to share server resources between more than one VLAN.

The main problem with this method is that VLAN membership must be assigned initially. In networks with thousands of users, this is no easy task. Also, in environments where notebook PCs are used, the MAC address is associated with the docking station and not with the notebook PC. Consequently, when a notebook PC is moved to a different docking station, its VLAN membership must be reconfigured.
2.6 Layer 3 VLAN: Membership by Protocol type

Membership implied by the MAC protocol type field. This is the most flexible method and provides the most logical grouping of users.
Preamble | SFD | DA | SA | Length or Type | PAYLOAD (46–1500 bytes) | FCS
Protocol → VLAN: IP → 1, IPX → 2.

VLANs based on layer 3 information take into account the protocol type (if multiple protocols are supported) and possibly the network-layer address (e.g., subnet address for TCP/IP networks) in determining VLAN membership. An IP subnet or an IPX network, for example, can each be assigned their own VLAN. Although these VLANs are based on layer 3 information, this does not constitute a "routing" function and should not be confused with network-layer routing. When the VLAN membership is based only on the protocol type field found in the Layer 2 header, we talk about protocol-based VLANs.
2.6 Layer 3 VLAN: Membership by IP Subnet Address [cont.]

The network IP subnet address (layer 3 header) can be used to classify VLAN membership. Subnet/mask → VLAN: .../24 → 1, .../24 → 2. (Figure: switch ports 1–9.)

In this method, IP addresses are used only as a mapping to determine membership in VLANs. No other processing of IP addresses is done. No route calculation is undertaken, RIP or OSPF protocols are not employed, and frames traversing the switch are usually bridged according to the implementation of the Spanning Tree Algorithm. Therefore, from the point of view of a switch employing layer 3-based VLANs, connectivity within any given VLAN is still seen as a flat, bridged topology.

Having made the distinction between VLANs based on layer 3 information and routing, it should be noted that some vendors are incorporating varying amounts of layer 3 intelligence into their switches, enabling functions normally associated with routing. Nevertheless, a key point remains: no matter where it is located in a VLAN solution, routing is necessary to provide connectivity between distinct VLANs.

There are several advantages to defining VLANs at layer 3. First, it enables partitioning by protocol type. This may be an attractive option for network managers who are dedicated to a service- or application-based VLAN strategy. Secondly, users can physically move their workstations without having to reconfigure each workstation's network address, a benefit primarily for TCP/IP users. One of the disadvantages of defining VLANs at layer 3 (vs. MAC- or port-based VLANs) can be performance. Inspecting layer 3 addresses in packets is more time consuming than looking at MAC addresses in frames.
2.7 VLAN types - Glossary/Terminology

Port-based VLAN classification: VID based on the port of arrival; the frame receives the Port VLAN Identifier (PVID).
Default VID: not standardized within 802.1Q; interpretation according to context; often equals the PVID.
Port-and-protocol-based VLAN classification: VID based on the port of arrival and the protocol identifier of the frame; multiple VLAN IDs associated with a port of the bridge (VID set).

A VLAN bridge supports port-based VLAN classification, and may, in addition, support port-and-protocol-based VLAN classification.

In port-based VLAN classification within a bridge, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge. This classification mechanism requires the association of a specific Port VLAN Identifier, or PVID, with each of the bridge's ports. In this case, the PVID for a given port provides the VLAN ID for untagged and priority-tagged frames received through that port.

For bridges that implement port-and-protocol-based VLAN classification, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge and on the protocol identifier of the frame. For port-and-protocol-based tagging, the VLAN bridge will have to look at the Ethertype, the SSAP, or the SNAP type of the incoming frames. When the protocol is identified, the VID associated with the protocol group to which the protocol belongs will be assigned to the frame. This classification mechanism requires the association of multiple VLAN IDs with each of the ports of the bridge; this is known as the "VID Set" for that port.
2.8 VLAN Link types: Access Link

Link that is a member of only one VLAN. Connects VLAN-unaware devices. All frames on an access link are untagged. Normal ports to which we connect our network devices such as PCs. (Figure: VLAN-aware bridge, access link, VLAN-unaware workstation.)

Inside the world of VLANs there are three types of interfaces / links. These links allow us to connect multiple switches together or just simple network devices, e.g. a PC, that will access the VLAN network. Depending on their configuration, they are called Access Links, Trunk Links or Hybrid Links. The division is based on whether the connected devices are VLAN-aware or VLAN-unaware. Recall that a VLAN-aware device is one which understands VLAN memberships (i.e. which users belong to a VLAN) and VLAN formats.

The type of link where only traffic for a single VLAN is passed is referred to as an "Access Link". When configuring ports on a switch to act as Access Links, we configure only one VLAN per port, that is, the VLAN our device will be allowed to access. An access link is a link that belongs to one, and only one, VLAN. The port is not capable of receiving information from another VLAN unless the information has been routed. The port is not capable of sending information to another VLAN unless the port has access to a router.

The access link connects a VLAN-unaware device to the port of a VLAN-aware bridge. Any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed so the recipient has no information about them. All frames on access links must be implicitly tagged (untagged). The VLAN-unaware device can be a LAN segment with VLAN-unaware workstations or it can be a number of LAN segments containing VLAN-unaware devices (legacy LAN).
2.8.2 Trunk Link

Capable of carrying multiple VLANs. Used at links between switches, allowing VLANs to span over all network switches. (Figure: VLAN-aware bridge, trunk link, VLAN-aware workstation.)

What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. Another type of port configuration is the Trunk port. While an access link does the job for a single VLAN environment, multiple access links would be required if you wanted traffic from multiple VLANs to be passed between switches. Having multiple access links between the same pair of switches would be a big waste of switch ports. Obviously another solution is required when traffic for multiple VLANs needs to be transferred across a single trunk link. The solution for this comes through the use of VLAN tagging. When you want traffic from multiple VLANs to be able to traverse a link that interconnects two switches, you need to configure a VLAN tagging (explicit tagging) method on the ports that supply the link.

A trunk link is capable of transferring frames from many different VLANs through the use of technologies like 802.1Q. A Trunk Link, or 'Trunk', is a port configured to carry packets for any VLAN. These types of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span over multiple switches. All the devices connected to a trunk link, including workstations, must be VLAN-aware. All frames on a trunk link must have a special header attached (tagged frames).
2.8.3 Hybrid Link

Contains both VLAN-aware and VLAN-unaware devices. All frames for a specific VLAN are tagged or untagged. (Figure: two VLAN-aware bridges, a VLAN-aware workstation and a VLAN-unaware workstation sharing one hybrid link.)

The Hybrid Link is a combination of the previous two links. This is a link where both VLAN-aware and VLAN-unaware devices are attached. A hybrid link can have both tagged and untagged frames, but all the frames for a specific VLAN must be either tagged or untagged.
2.9 Q-VLAN tag (IEEE 802.1Q)

Also referred to as C-VLAN tag (Customer VLAN tag). VLAN Bridge: Q-VLAN aware bridge comprising a single Q-VLAN component. Frame size: min 68 bytes, max 1522 bytes.
Preamble | SFD | DA | SA | TPID (2 bytes) | TCI (2 bytes) | Length/Type | PAYLOAD (46–1500 bytes) | FCS
TPID: Tag Protocol Identifier, 802.1Q tag type (value 81 00). TCI: Tag Control Information: Priority "p-bits" (802.1p), 3 bits, 8 values; CFI, 1 bit; VLAN_ID "Q-TAG" (802.1Q), 12 bits, 4096 values.

We saw that when frames are sent across the network, there needs to be a way of indicating to which VLAN the frame belongs, so that the bridge will forward the frames only to those ports that belong to that VLAN, instead of to all output ports as would normally have been done. This information is added to the frame in the form of a tag header, and there are different ways to determine VLAN membership.

Tagging of an Ethernet frame consists of adding a 4-byte tag that specifies the VLAN ID and the priority. Since a VLAN tag is 4 bytes, for a frame that is tagged the frame size ranges between 68 and 1522 bytes. When padding has to be used to reach the minimum frame size, tagged frames can be of 64 bytes.

TPID is the Tag Protocol Identifier, which indicates that a tag header is following. TPID has a defined value of 8100 in hex. When a frame has the Ethertype equal to 8100, this frame carries the IEEE 802.1Q / 802.1p tag.

The TCI (Tag Control Information) contains three parts: the user priority, the canonical format indicator (CFI), and the VLAN ID. User priority is a 3-bit field which allows priority information to be encoded in the frame. Eight levels of priority are allowed, where zero is the lowest priority and seven is the highest priority. How this field is used is described in the supplement 802.1p. The CFI bit is used to indicate that all MAC addresses present in the MAC data field are in canonical format. This field is interpreted differently depending on whether it is an Ethernet-encoded tag header or a SNAP-encoded tag header. The VID field is used to uniquely identify the VLAN to which the frame belongs. There can be a maximum of 2^12-2 = 4094 VLANs. Zero is used to indicate no VLAN ID, but that user priority information is present; this allows priority to be encoded in non-priority LANs. FFF is reserved.
2.10 802.1Q Tag-based - Glossary/Terminology

Untagged frame: a frame that doesn't contain a tag header.
Priority-tagged frame: a frame with a tag header that carries priority but no VID (VID = 0).
VLAN-tagged frame: a frame with a Q-tag header that carries both priority and VID.
802.1Q Tag VLAN: each VLAN group has a unique VID; each member of a VLAN group can talk to each other.
VLAN-aware: the device can recognize and support VLAN-tagged frames.
VLAN-unaware: the device can't recognize VLAN-tagged frames.

Untagged frame: an untagged frame is a frame that does not contain a tag header immediately following the Source MAC Address field of the frame or, if the frame contained a Routing Information field, immediately following the Routing Information field.
Priority-tagged frame: a tagged frame whose tag header carries priority information, but carries no VLAN identification information.
VLAN-tagged frame: a tagged frame whose tag header carries both VLAN identification and priority information.

An untagged frame or a priority-tagged frame does not carry any identification of the VLAN to which it belongs. Such frames are classified as belonging to a particular VLAN based on parameters associated with the receiving port or, through proprietary extensions to this standard, based on the data content of the frame (e.g., MAC address, layer 3 protocol ID, etc.: implicit tagging). Priority-tagged frames, which, by definition, carry no VLAN identification information, are treated the same as untagged frames. A VLAN-tagged frame carries an explicit identification of the VLAN to which it belongs; i.e., it carries a tag header that carries a non-null VID. Such a frame is classified as belonging to a particular VLAN based on the value of the VID that is included in the tag header.

Each VLAN group has a unique VID and the ports with the same VID can communicate with each other. It is important for a LAN bridge (switch) to determine which devices are VLAN-aware or VLAN-unaware. VLAN-aware devices can recognize and support VLAN-tagged frames but VLAN-unaware devices can't. So it can decide whether to forward tagged packets (to a VLAN-aware device) or first strip the tag from a packet and then forward it (to a VLAN-unaware device).
2.11 Forwarding engine - Glossary/Terminology

Ingress: towards the forwarding engine.
Egress: out of the forwarding engine.
Upstream: from user to network.
Downstream: from network to user.

(Figure: forwarding engine between end-user Ethernet ports, showing the ingress/egress and upstream/downstream directions.)
2.12 802.1Q Process

Ingress Rule: classify the received frames as belonging to a VLAN.
Forwarding Process: decide whether to filter or forward the frame.
Egress Rule: decide whether the frames must be sent tagged or untagged.

(Figure: Packet Receive -> Ingress Rule -> Forwarding Process (Filtering Database) -> Egress Rule -> Packet Transmit.)

When the bridge receives the data/Ethernet frames, it determines to which VLAN the data belongs, either by implicit or by explicit tagging. In explicit tagging a tag header is added to the data. According to the VID information the switch forwards and filters the frames among ports. The bridge keeps track of VLAN members in a filtering database, which it uses to determine where the data is to be sent. The ports with the same VID can communicate with each other.

The IEEE 802.1Q VLAN function consists of three tasks: the ingress process, the forwarding process and the egress process. When a frame enters the tag-VLAN switch, the ingress process classifies the received frame first and then passes the frame to the forwarding process. After the forwarding process, the frame goes to the egress process, where it is decided how the frame will leave the switch (tagged or not).
2.13 Ingress Rule

A VLAN-aware switch can accept tagged and untagged frames:
Tagged frame: is directly sent to the forwarding engine.
Untagged frame: a tag (with the PVID) is added onto the untagged frame; then the tagged frame is sent to the forwarding engine.
PVID: default Port VLAN ID for incoming untagged frames.

(Figure: tagged frames pass through the ingress rule with their own VID; untagged frames receive the port's PVID; both continue towards the forwarding process.)

Each port is capable of passing tagged or untagged frames. The ingress process identifies whether the incoming frames contain a tag, and classifies the incoming frames as belonging to a VLAN. Each port has its own ingress rule. If the ingress rule accepts tagged frames only, the switch port drops all incoming untagged frames. If the ingress rule accepts all frame types, the switch port allows both incoming tagged and untagged frames:
- When a tagged frame is received on a port, it carries a tag header that has an explicit VID. The ingress process directly passes the tagged frame to the forwarding process.
- An untagged frame does not carry any VID for the VLAN to which it belongs. When an untagged frame is received, the ingress process inserts a tag containing the PVID into the untagged frame. Each physical port has a default VID called PVID (Port VID). This PVID is assigned to untagged frames or priority-tagged frames received on this port.
After the ingress process, all frames have a 4-byte tag including VID information, and the frames go to the forwarding process.
2.14 Forwarding Process

The forwarding decision is based on the filtering database.
The filtering database contains two tables: a MAC table and a VLAN table.
First, check the destination MAC address against the MAC table.
Second, check the VLAN ID against the VLAN table.
The egress port is the allowed outgoing member port of the VLAN.

Filtering Database (example shown on the slide):

MAC Table
Port | MAC Address       | Aging
2    | 00:A0:C5:11:11:11 |
2    | 00:A0:C5:22:22:22 | 20
3    | 00:A0:C5:33:33:33 | 30
10   | 00:A0:C5:44:44:44 | 100

VLAN Table
VID | Egress Port | Register | Egress frame type
1   | 2           | Static   | Untag
1   | 3           | Static   | Tag
100 | 3           | Static   | Untag

The forwarding process decides whether to forward the received frames according to the filtering database. The filtering database contains two tables: a MAC table and a VLAN table. The frames coming from the ingress process are bridged first according to the MAC table and then forwarded based on the VLAN table. The egress port in the VLAN table is the allowed outgoing member port of the VLAN. If you want to forward tagged frames to a port, that port must be an egress port for this VID.
2.15 Egress Rule

(Figure: a tagged frame with its VID enters the egress rule and leaves either as a tagged frame or as an untagged frame, depending on the egress tag control of the port.)

The egress process decides whether the outgoing frames should be sent with a tag or without a tag. The egress rule refers to the egress tag control in the filtering database. If the value is tagged, the outgoing frame on the egress port is tagged. If the value is untagged, the tag is removed before the frame leaves the egress port.
2.16 Principles of operation in a VLAN Bridge

(Figure: VLAN Bridge with the Q/C-VLAN tag added by the CPE on one side and by the access node on the other; annotations: "= Q/C-VLAN tag", "Security check that VLAN id is allowed on that access line", "e.g. outgoing port supports only tagged".)

The C-VID of incoming frames is determined as follows:
- If a C-TAG is present, the C-VID is taken from the tag (no translation!).
- If no C-TAG is present: if supported, port and protocol are used for C-VID classification; else the default C-VID for that port is used (PVID). The standard leaves room for proprietary assignment of the C-VID based on other parameters.
The incoming frame is forwarded according to the forwarding information base associated with the C-VLAN.
The outgoing frame may carry a C-TAG or not, depending on the egress rule.

The bridging entity of a VLAN Bridge consists of a single "Customer-VLAN aware Bridge component". Each port is capable of connecting to an 802 LAN. Adding/removing of Q/C-TAGs is supported on all ports.
2.17 Objective of VLAN stacking

The existing Ethernet technology is not enough to satisfy carrier-grade requirements:
- Q/C-VLAN tag: only 4094 VIDs. Scalability issue: business customers typically have a one-to-one mapping.
- Problem if different customers are using the same VID: no customer traffic segregation.
Enhancement: a new Service Provider VLAN tag (S-VLAN) to become a carrier solution: IEEE 802.1ad. It does not only describe the S-VLAN for use in VLAN stacking.

The number of VLAN identifiers is limited to 4K. Since the VLAN is an E-MAN-wide identifier, we end up with a scalability issue: in case of one-to-one mapping (cross-connect mode) there cannot be more than 4K end users connected to the whole E-MAN. To solve this issue, two VLANs are stacked and the cross-connection is then performed on the combination (S-VLAN, C-VLAN), which theoretically allows up to 16M end users.

It is impossible to allocate the same VID to different customers: there is no customer traffic segregation! VLANs of different customers with the same VID will be managed as the same VLAN in the carrier network.
2.18 IEEE 802.1ad - Systems

VLAN Bridge = Customer Bridge = .1Q Bridge: treats the C-TAG only.
Provider Bridge (new): treats the S-TAG only.
Provider Edge Bridge (new): contains a Provider Bridge component and a Customer Bridge component; treats both the C-TAG and the S-TAG.

VLAN Bridge = Customer Bridge = .1Q Bridge: a customer bridge is a VLAN-aware bridge as we used to know them before people started to talk about VLAN stacking.

Provider Bridge (new): a bridge to be used in provider networks. It provides the same functionality as a Customer Bridge, but it uses a different tag, the S-TAG (instead of the C-TAG), comprising a single S-VLAN component. If the customer is sending untagged Ethernet frames, these are sent toward the carrier network as single S-VLAN tagged frames. A provider bridge cannot add a C-TAG to an untagged frame!

Provider Edge Bridge (new): thanks to the 2-in-1 paradigm, a Provider Bridge can additionally contain a Customer VLAN aware Bridge component, which duplicates the functionality of a VLAN Bridge, comprising configuration of both C-VLAN and S-VLAN components. If the customer is sending Q-VLAN tagged Ethernet frames, these are sent toward the carrier network as dual tagged frames.
2.19 IEEE 802.1ad - Tags

Customer TAG (C-TAG): the C-TAG is used to identify a Customer VLAN (C-VLAN) by means of a Customer VLAN ID (C-VID).
Service TAG (S-TAG) (new): the S-TAG is used to identify a Service VLAN (S-VLAN) by means of a Service VLAN ID (S-VID). Pre-standard synonyms: VMAN-tag, P-VLAN tag. Tag-Type: as C_Vlan. Frame size: Min 68 bytes, Max 1526.
IEEE 802.1ad: Draft 3 on Oct 25/2004, approved Dec 8/2005 and published May 26/

Tag header: TPID (2 bytes, 802.1Q tag-type, value 81 00) followed by TCI (2 bytes, Tag Control Information: 3-bit priority, 1-bit CFI, 12-bit VID).
Tagged frame layout: preamble | SFD | DA | SA | TPID | TCI | length/type | PAYLOAD (46–1500 bytes) | FCS

The Customer TAG (C-TAG) is the 'traditional' VLAN tag (.1Q tag) as we used to know it before people started talking about VLAN stacking. IEEE P802.1ad specifies "Provider Bridges"; it is an amendment to .1Q.
2.20 IEEE 802.1ad - Ports

(Figure: a Provider Bridge with an S-VLAN aware Bridge component and a C-VLAN aware Bridge component joined by an internal EISS; port types: Provider Network Port, Customer Network Port and Provider Edge Port, with links to provider equipment and to customer equipment.)

Yellow ports can read C-TAGs, or assign a C-VID to untagged frames. Green ports can read S-TAGs, or assign an S-VID to untagged frames.
2.21 Operation in a Provider Edge Bridge: single tag

(Figure: Provider Edge Bridge with Customer NW Ports, a Provider Edge Port, an S-VLAN aware Bridge component, a C-VLAN aware Bridge component, an internal EISS and a Provider NW Port; "= S-VLAN tag".)

The S-VID of incoming frames is defined as follows:
- If an S-TAG is present, the S-VID is taken from the tag.
- If no S-TAG is present, the same rules apply as for the C-TAG in a VLAN bridge.
The incoming frame is forwarded according to the forwarding information base associated with the S-VLAN.
The outgoing frame may carry an S-TAG or not (egress rule).
2.22 Operation in a Provider Edge Bridge: single tag

(Figure: the same Provider Edge Bridge as before; "= Q/C-VLAN tag", "= S-VLAN tag", "e.g. outgoing port supports only tagged".)

An incoming frame on a provider edge port is forwarded internally depending on the C-TAG. This two-step approach enables a translation of the C-VID to an S-VID.
The incoming frame is forwarded according to the forwarding information base associated with, respectively, the C-VLAN / S-VLAN to which the frame belongs.
The outgoing frame may carry an S-TAG or not (egress rule).
2.23 Dual VLAN – VLAN Stacking

IEEE 802.1ad: most vendors today apply 1Q-in-Q VLAN tagging (Cisco, Alcatel-Lucent, …).

Single VLAN tag. Frame size: Min 68 bytes, Max 1522 bytes.
preamble | SFD | DA | SA | TPID | TCI | length/type | PAYLOAD (46–1500 bytes) | FCS

"Dual VLAN tag" ("VLAN stacking"). Frame size: Min 72 bytes, Max 1526.
preamble | SFD | DA | SA | TPID | TCI (S-Vlan) | TPID | TCI (C-Vlan) | length/type | PAYLOAD (46–1500 bytes) | FCS

TPID: 2 bytes, 802.1Q tag-type (value 81 00). TCI: 2 bytes, Tag Control Information.

Depending on the application, a single VLAN tag or double VLAN tags (also called VLAN stacking) can be present or absent on the Ethernet interface. In case of VLAN stacking, the first VLAN tag (the outer VLAN) is called the S_VLAN (Service-Provider VLAN) tag and the second VLAN tag (the innermost VLAN) is called the C_VLAN tag (Customer VLAN).
2.24 Dual VLAN – VLAN Stacking

Q-in-Q VLAN: the second VLAN tag's protocol identifier is the 802.1Q tag type, just like in single-VLAN-tagged frames.

"Dual VLAN tag" ("VLAN stacking"). Frame size: Min 72 bytes, Max 1526 bytes.
preamble | SFD | DA | SA | TPID | TCI (S-Vlan) | TPID | TCI (C-Vlan) | length/type | PAYLOAD (46–1500 bytes) | FCS

Tag Protocol Identifier (TPID): 2 bytes, tag-type (value 81 00).
Tag Control Information (TCI): 2 bytes: Priority "p-bits" (802.1p), 3 bits, # 8; CFI; Vlan_ID "Q-TAG" (802.1Q), 12 bits, # 4096.

"Q-in-Q" is really the same thing as VLAN stacking, using the same Ethertype for both tags. It has the advantage that existing .1Q bridges can be used as a "provider bridge".
2.25 Operation in a Provider Bridge: VLAN stacking

(Figure: Provider Bridge with Customer NW Ports, a Provider Edge Port, an S-VLAN aware bridge component, a C-VLAN aware bridge component, an internal EISS and a Provider NW Port; "= Q/C-VLAN tag", "= S-VLAN tag".)

We now have two tags. The S-TAG may be added and removed independently of the C-TAG. A Provider Bridge ignores C-TAGs, except on Provider Edge Ports. VLAN stacking can occur even if the incoming frame is untagged (at a provider edge port).

VLAN stacking occurs when:
- a previously C-tagged frame enters the provider-owned portion of a network via a Provider Bridge, and receives an S-TAG;
- a previously untagged frame enters the provider-owned portion of a network via a Provider Edge Port on a Provider Bridge, receiving a C-TAG and then an S-TAG.
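The tag layout from the 802.1ad tags slide and the single-tag / dual-tag frames from the VLAN stacking slides, as an added example that is not code from the course: it packs and parses the 4-byte TPID/TCI tag, classifies a frame as untagged, priority-tagged, VLAN-tagged or stacked (the glossary classes), pushes and pops an outer S-TAG the way a provider (edge) bridge does, and checks the frame sizes quoted on the slides. The Ethertype 0x88A8 for the S-TAG is the IEEE 802.1ad value and is not shown on the slides, which use 81 00 for both tags (Q-in-Q); both variants are built below. Addresses and payload are constructed.

```python
import struct

TPID_C = 0x8100   # 802.1Q customer tag, the "tag-type 81 00" on the slides
TPID_S = 0x88A8   # IEEE 802.1ad service tag (not on the slides); Q-in-Q reuses 0x8100 for the outer tag

def build_tag(vid, pcp=0, cfi=0, tpid=TPID_C):
    """Pack one 4-byte tag: 16-bit TPID, then TCI = 3-bit priority | 1-bit CFI | 12-bit VID."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack(">HH", tpid, (pcp << 13) | (cfi << 12) | vid)

def build_frame(dst, src, ethertype, payload, tags=()):
    """DA | SA | tags (outermost first) | length/type | payload. Preamble, SFD and FCS are omitted."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + b"".join(tags) + struct.pack(">H", ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags is a list of (tpid, pcp, cfi, vid), outer first."""
    tags, off = [], 12
    while off + 4 <= len(frame) and struct.unpack(">H", frame[off:off + 2])[0] in (TPID_C, TPID_S):
        tpid, tci = struct.unpack(">HH", frame[off:off + 4])
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    ethertype = struct.unpack(">H", frame[off:off + 2])[0]
    return frame[0:6].hex(":"), frame[6:12].hex(":"), tags, ethertype, frame[off + 2:]

def classify(frame):
    """Glossary classes: untagged, priority-tagged (VID 0), VLAN-tagged; plus stacked for two tags."""
    tags = parse_frame(frame)[2]
    if not tags:
        return "untagged"
    if len(tags) > 1:
        return "VLAN-stacked"
    return "priority-tagged" if tags[0][3] == 0 else "VLAN-tagged"

def push_outer_tag(frame, vid, pcp=0, tpid=TPID_S):
    """Provider (edge) bridge ingress: insert an S-TAG right after the SA, in front of any C-TAG."""
    return frame[:12] + build_tag(vid, pcp, 0, tpid) + frame[12:]

def pop_outer_tag(frame):
    """Egress towards the customer: remove the outer tag, leaving any C-TAG in place."""
    if struct.unpack(">H", frame[12:14])[0] not in (TPID_C, TPID_S):
        raise ValueError("frame carries no tag to remove")
    return frame[:12] + frame[16:]

def size_ok(frame):
    """Slide limits counted DA..FCS: 64..1518 untagged, +4 per tag (68/1522 single, 72/1526 dual)."""
    ntags = len(parse_frame(frame)[2])
    size = len(frame) + 4          # add the 4-byte FCS; preamble and SFD are not counted
    return 64 + 4 * ntags <= size <= 1518 + 4 * ntags

if __name__ == "__main__":
    payload = bytes(46)            # constructed minimum-size payload
    c_tagged = build_frame("00:A0:C5:11:11:11", "00:A0:C5:22:22:22", 0x0800, payload,
                           tags=[build_tag(10, pcp=5)])
    stacked = push_outer_tag(c_tagged, 200)              # 802.1ad: outer TPID 0x88A8
    qinq = push_outer_tag(c_tagged, 200, tpid=TPID_C)    # Q-in-Q: both TPIDs 81 00
    print(classify(c_tagged), classify(stacked), parse_frame(stacked)[2], size_ok(stacked))
    print(pop_outer_tag(qinq) == c_tagged)
```

Because `parse_frame` walks the tag stack by TPID, a .1Q-only bridge that knows just 0x8100 sees the Q-in-Q frame as a single tag whose VID is the S-VID, which is exactly why the slides note that existing .1Q bridges can serve as provider bridges; a frame with the 0x88A8 outer tag would instead look like an unknown Ethertype to such a bridge.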
End of Module Ethernet-Vlan Technology