17 Connecting networks, Virtual LAN and 802.1Q
Prof. Bhushan Trivedi
Introduction
We have looked at both wired and wireless MAC layers. In this module, we will look at different ways to connect networks at the MAC layer, and at the reasons for having such interconnection. Once we have learnt that, we will look at the virtual LAN, which gives a node logical rather than physical membership of a network. We will conclude with the Ethernet standard for virtual LANs, IEEE 802.1Q.
Need to interconnect LANs
The data link layer has one more critical job to perform: connecting different LANs. Many devices are used for interconnection. Older networks favoured devices known as bridges, but they have almost everywhere been replaced by layer-2 switches. A switch is essentially a bridge with many ports and hardware-based forwarding; both work at the MAC layer, both learn which MAC addresses lie behind which port, and both forward a frame only to the port where it is needed. A hub, by contrast, is a repeater that sends every frame out of every port; bridges date from the era when hubs connected the nodes of each segment. In both cases the MAC layer is the connecting point.
Before we learn how to connect LANs, you may ask why we need to connect them at all. Unlike other networks, the LANs of an organization are owned by that single organization, so instead of connecting them one could build one larger network containing all the nodes that would otherwise belong to different LANs, and the problem is solved. However, it is not as easy as it seems, and keeping these LANs separate is a must in most cases. Let us try to understand why.
Every departmental network in a company or organization grows by adding new machines and allocating them to new users. These users need to communicate with each other, so they become part of their own departmental network. Different departments also need to communicate with each other and with the rest of the organization. Thus a node belonging to one network may need to communicate with a node belonging to another. For example, the accounts department must endorse every order, so the purchase department needs to communicate with accounts. An employee seeking leave needs to communicate with HR, and HR may need to communicate back to the head of the department for approval. The sales department looking at the production schedule to promise delivery of a sold product is another example. Thus the separate networks of different departments need to be connected.
One attractive solution an administrator might propose is a single network for the entire organization, abolishing all the separate departmental networks. Will that work? Here are a few reasons why it cannot.
1. Every department has something it does not want to share with other departments. When the networks are separate, that separation comes for free. Departments and divisions exist to isolate different business functions so that each can be focused on and optimized; a separate network for each department gives that department exclusive access to its own classified information.
2. Different departments have different needs. Management college students need an office suite and reasonably good printing; design college students need drawing software and high-bandwidth multimedia access; computer science students need access to research sites and software that other users hardly touch. A department like accounts may be very cautious about security and want plain, robust network services, whereas research and development wants state-of-the-art hardware and software and is happy to run beta versions. Such departments are better off with their own networks, each fulfilling its own needs.
3. When the networks are of different types, for example one wired and one wireless, they cannot simply be merged.
4. Some departments manage classified information and want to keep it as far from everyone else as they can; keeping their network connected to all the others does not appeal to them. For example, everybody's actual salary is held by HR, which does not and should not share it.
5. A single network design is a big problem when a server goes down. With separate networks, one departmental network may fail while the rest of the organization is unaffected. In a single network with one server, that server is a single point of failure, and its failure affects the entire organization.
6. The routers (or firewalls) connecting departmental networks can detect and stop malicious traffic. When an employee's laptop infects a departmental network with malware, the infection stays confined to that network as long as the networks are separate; when it tries to cross the departmental boundary, it can be caught at the interconnecting router. In a single network, once a virus or other malware creeps in, the entire network may come to a grinding halt.
7. An attacker who wants to learn about the entire network can do so simply by connecting a machine to it when there is a single network. With departmental boundaries, he can only snoop on the departmental segment he is connected to.
8. Every department has policies of its own. For example, accounts has "one can see one's own salary details but not others'", and HR "can look into every department, but only at the information needed for its work, such as supervisors' recommendations and the leave an employee has taken". Managing a different set of policies for each department is straightforward when the networks are separate.
9. Computer science students may run assignments that misbehave and start broadcasting traffic of some sort. Such an uncontrolled process can swamp the entire network. Departments that generate such loads, sometimes to an unbearable level, cannot be kept on the same network as the others. Confining CS students to their own network is a very good idea, if you ask the management students.
10. When networks are combined, bandwidth becomes contested. Design students might download huge design files and consume most of the bandwidth, and the other students, starved of bandwidth, will complain about the slow network.
11. Many networking protocols rely on broadcasting, for example Mobile IP. A mobile node entering a new network announces its presence and asks whether there is a router that can help; similarly, every router announces its presence every now and then. Distance-vector and link-state routing protocols also exchange packets continuously. In a large network this traffic is much higher: if your router hears from 10 neighbours in its own network but from 1000 neighbours in a combined network every 10 ms, you will start feeling the load.
12. Sometimes the networks are physically far apart, and it is infeasible for those machines to connect to a single network.
We are left with one choice: keep the networks as they are and interconnect them. We need a design in which each network preserves its own identity while still being connected to the others.
Interestingly, the problem does not end here. The membership of a LAN is no longer confined to a physical location; machines far away from each other may be part of the same network. For example, on a big university campus a student of the CS department can roam anywhere and still be connected to the department's network. Likewise, an accounts department employee visiting some other department to look at budgetary information and enter it online may need to reach his own network from the department he is visiting. The mechanism that makes this possible is the virtual LAN, the central theme of this module. A virtual LAN interconnects networks in such a way that members of different networks are grouped logically: the members of one logical LAN may sit on physically different segments of the network, yet they behave as if they had an exclusive connection to their own network.
Self-learning switches
A switch learns on its own which node is reachable through which port. When a new switch is connected, its table is empty, so it floods every incoming frame, that is, sends it out of every port except the one it arrived on, because it has no idea where the destination is. Every frame, however, carries a source MAC address, and the switch records the pair (source address, arrival port) in its table. For example, if a frame from node A arrives on port 5, the switch learns that A is reachable through port 5; from then on a frame destined for A is sent only on port 5 and is not flooded. Frames to the broadcast address, or to a unicast address not yet in the table, are still flooded. This mechanism is known as backward learning (or source-address learning), and it lets the switch discover the nodes behind each port without any configuration. It is more powerful than it looks at first sight. When a node moves from one segment to another and transmits from its new location, the switch overwrites the old entry and sends later frames for that node to the new port. For example, if A moves to the segment behind port 7 and sends a frame from there, the entry for A changes from port 5 to port 7. Entries also age out: each entry is refreshed whenever a frame from that source arrives, and if no frame from A arrives within the aging time (300 seconds by default in IEEE 802.1D), the entry is discarded and the switch falls back to flooding frames addressed to A. Now, when A responds and its reply comes in via port 7, the switch learns the new location and the problem is solved.
This property of switches, learning the location of nodes without user intervention, is a boon for administrators who do not want to configure the location of every node by hand. Such switches are also called plug-and-play or transparent switches: the administrator just places the switch in the network and connects it, and it starts functioning on its own. That is why they are also called unmanaged switches. The name distinguishes them from high-end switches that an administrator can configure for higher-end functions, such as changing the topology of the network or adding or removing a node logically from different networks; those are known as managed switches.
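The backward-learning behaviour described above, as an added example that is not part of the original module: a small switch simulation in Python with a MAC table, flooding of broadcast and unknown destinations, relearning when a node moves, and an aging timer. The port numbers, MAC addresses and traffic sequence in run_scenario are constructed for illustration; the 300-second aging default is the IEEE 802.1D value.

```python
"""Backward-learning (transparent) switch simulation.

Added example, not code from the original module. The port numbers, MAC
addresses and the frame sequence in run_scenario() are constructed.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    """A switch that learns source MACs per port and ages out stale entries."""
    num_ports: int
    aging_time: float = 300.0           # seconds; IEEE 802.1D default
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def _expire(self, now: float) -> None:
        # Drop entries that have not been refreshed within aging_time.
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for m in stale:
            del self.table[m]

    def forward(self, src: str, dst: str, in_port: int, now: float) -> list:
        """Process one frame; return the list of ports it is sent out on."""
        if not 0 <= in_port < self.num_ports:
            raise ValueError("bad port")
        self._expire(now)
        # Backward learning: bind src to the port it arrived on. A node that
        # has moved is relearned on the first frame from its new port.
        self.table[src] = (in_port, now)
        if dst == BROADCAST or dst not in self.table:
            # Broadcast or unknown unicast: flood to every port but the ingress.
            return [p for p in range(self.num_ports) if p != in_port]
        out_port, _ = self.table[dst]
        if out_port == in_port:
            # Filtering: destination is on the same segment, nothing to forward.
            return []
        return [out_port]


def run_scenario() -> dict:
    """Constructed traffic sequence; returns the switch's decisions by name."""
    sw = LearningSwitch(num_ports=8)
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    out = {}
    out["unknown_dst"] = sw.forward(A, B, 5, 0.0)     # B unknown: flooded
    out["reply"] = sw.forward(B, A, 2, 1.0)           # A known: only port 5
    out["after_move"] = sw.forward(A, B, 7, 2.0)      # A now on port 7, B on 2
    out["to_moved"] = sw.forward(B, A, 2, 3.0)        # delivered to the new port 7
    out["same_segment"] = sw.forward(C, B, 2, 4.0)    # C and B share port 2: filtered
    out["aged_out"] = sw.forward(B, A, 2, 400.0)      # A silent > 300 s: flooded again
    out["broadcast"] = sw.forward(B, BROADCAST, 2, 401.0)
    return out
```

Because flooding is the fallback for every address the switch has not learnt, an attacker who can fill the table with bogus source addresses forces the switch to flood unicast traffic it would otherwise deliver to a single port (the classic MAC-flooding attack); this is why real switches cap the number of addresses learnt per port.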
Interconnecting LANs
There are a few ways in which multiple LANs can be interconnected. The most common is to use a switch to connect the nodes of a network, and switches again to connect the networks to each other. The older way of doing so used a device called a bridge. The process of interconnection is the same in either case: one port of the device is connected to each network. A bridge and a switch work alike; both learn which addresses lie behind which port and forward a frame only to the port where the receiver is connected, flooding only broadcasts and frames for destinations not yet learnt. We have a few figures in this module showing such interconnecting devices. Because these devices are self-learning, connecting multiple networks is easy to administer.
Look at figure 19.1. It describes how switches connect networks. Switch-1 connects two networks, each of which is itself connected by a switch, switch-2 and switch-3.
Look at figures 19.2 and 19.3. Both represent switches. In 19.2 the middle square is a switch which connects four nodes and also connects to another network by the line going out. The figure does not show the ports, but physically it is like switch-1 of figure 19.1: four of its ports connect computers and one connects to another network.
Figure 19.3 is another switch, with 3 ports. It connects only three networks and no nodes; it could connect nodes too, but not in this case. It is drawn as a circle instead of a square to indicate that it is interconnecting networks.
These two notations are used only for explanation; both kinds of switch are the same sort of device as the switch of figure 19.1. Moreover, there is no rule that a switch connects only nodes or only networks, as drawn here; the separation is only to simplify the figures.
The label B, however, suggests that bridges could be used in the same fashion. Traditionally a bridge had only a few ports and was used to join LAN segments (each built around a hub) rather than to connect individual nodes directly.
Please observe figure 19.4 carefully. It shows how the switches learn the locations of the nodes. Here the switches connecting nodes are shown as rectangles and the switches connecting networks as circles, with lines as interfaces.
Connecting networks of heterogeneous types
When one needs to connect networks of heterogeneous types, it is important to understand the issues and resolve them, if there is a real need to do so. This section throws some light on them.
To understand the issues, we take the example setup depicted in figure 19.5. One network that we have not yet discussed is 802.16, or WiMAX; we have looked at its physical layer but will not discuss its MAC layer. Here are some of the issues.
1. N1, the Ethernet network, and N2, a Fast Ethernet network, use the same frame format, but 802.11 and 802.16 use very different formats, with incompatible numbers and types of fields. The job of B1 or B2 is to convert each frame into the format of the outgoing network while keeping its meaning more or less the same. There is no general answer to this. The actual practice is to fill fields that exist in the destination format but not in the source with dummy or derived values, for example the up-to-four address fields and the frame control field of 802.11 when the incoming Ethernet frame carries only two addresses, and to discard fields that the destination format does not have, for example the duration field when going from 802.11 to Ethernet. The harder part is deciding what to put in a field such as duration when the response comes back the other way. (Access points perform exactly this 802.11-to-Ethernet conversion all the time, so it is workable, but every pairing of network types needs its own set of rules.)
2. Even between networks of the same type, problems may occur. For example, if N2 is sending to N1, N1 cannot receive frames as fast as N2 sends them; the bridge must buffer frames and, when its buffer overflows, drop them. We need flow control to be implemented.
3. We have already seen the 802.11 and Ethernet frame formats. An Ethernet frame carries at most 1500 bytes of data, while the body of an 802.11 frame can be as long as 2312 bytes. If a wireless frame larger than 1500 bytes is to be forwarded onto Ethernet, the bridge can do nothing but drop it: the MAC layer has no mechanism to fragment a frame at the sender or to collect fragments at the receiver and reassemble the original, while IP can do both. (In practice the problem is avoided by keeping the IP MTU at 1500 bytes on the wireless side as well, so that such frames never arise.) Looking at the above problems you can understand that interconnecting at the MAC layer is hard and not a good general solution. We will see in subsequent modules, when we study the network layer, why interconnection at the network layer is better.
4. Wireless traffic is prone to eavesdropping, so both 802.11 and 802.16 provide some form of encryption to prevent it. Ethernet has no comparable mechanism, so the bridge must decrypt every frame arriving from the wireless side and send it on the wire in the clear, and must encrypt frames going the other way. In other words, link-layer encryption protects only the wireless hop: once the frame is on Ethernet it can be read by anyone with access to that segment, and an attacker there can also inject frames with a spoofed source address. End-to-end confidentiality and integrity have to come from a higher layer (TLS or IPsec, for example), not from the MAC layer.
5. The Wi-Fi extensions (802.11e) and 802.16 have elaborate QoS schemes, but not the same ones. The service classes of 802.16 are neither compatible with those of 802.11 nor have the same size and placement in the frame. Plain Ethernet has no notion of QoS at all; only the 3-bit priority field of the 802.1Q tag, discussed later, carries a priority. Frames sent with these values set run into trouble when forwarded from one network into another.
We will see that the network layer has a single, ubiquitous protocol, IP, and no such conversion problem exists there: every network carries IP packets, so moving a packet from one network to another needs no conversion of the packet itself, only re-framing for the new link, and size mismatches are handled by IP fragmentation.
Virtual LAN (VLAN)
All the discussion so far concerned connecting nodes into a network, and networks into larger networks, in the physical sense. When node A is physically wired to the other machines of network N, it is part of network N. Consider a switch with one network hanging off a specific port, as in figure 19.1. The network of four nodes connected by switch-2, call it network-2, is attached to port 6 of switch-1. Port 6 knows only that those four nodes lie behind it, and any frame for network-2 is forwarded out of port 6. All four nodes of network-2 are connected by the same switch, switch-2, and are physically adjacent to each other. In other words, all nodes of network-1 hang off switch-1, all nodes of network-2 off switch-2 and all nodes of network-3 off switch-3: a node at location X is a member of the network at location X.
We have seen examples illustrating the need for logical rather than physical membership of a node. Such membership is convenient for users and is therefore preferred, but providing it demands additional work from the network designer. The following discussion shows how logical membership, irrespective of the location of the node, can be provided for any network. We call such a LAN a virtual LAN.
Let us recap the earlier example. A student with a laptop can roam around and physically attach to any network on the university campus. He would still like to be logically connected to the network of his own department: he should be able to log in to his own network and no other, and anything broadcast on his own network must reach him as well. The point is that, irrespective of where the node is situated, it should be part of the network it belongs to, or the one the administrator assigns it to. We will look at the problems one needs to solve to achieve this.
With a virtual LAN, the student is physically part of some other network, determined by the AP or switch his laptop is connected to, yet he can access all the data of his own network and receive its messages as well. The term virtual LAN should now be clear: the student is not a physical member of the departmental network, but a virtual one, hence the name.
The virtual LAN must fulfil two important conditions.
1. The user enjoys the same rights over his data as he would if he were physically part of the network.
2. The user receives all messages of the home network, whether addressed to him or broadcast on the network.
Let us understand this with an example. Consider figure 19.6. We want to move node A from network-2 to network-3. The physical solution is to carry the machine to network-3, run a cable from a free port of switch-3 to it and connect it there; switch-3 then learns about the move and uses the new location in further communication. The virtual LAN solution does not require moving the node physically at all: it merely marks the node as part of network-3. No moving of the machine, no additional connection at switch-3. Virtual LAN makes that possible. Let us see how it is done.
In a virtual LAN, the membership of a node is decided by the administrator and configured on the switch. A VLAN-aware switch remembers which VLAN each port (or node) belongs to and forwards frames according to that membership. Membership must not be left to the node itself: a switch that let a host pick its VLAN simply by asking for it, for example by sending frames that already carry a VLAN tag of the host's choosing, would let anyone who can plug in join any VLAN, defeating the isolation that motivated separate networks in the first place. VLAN-aware switches therefore ignore or discard tags arriving on ports meant for end hosts and assign the VLAN themselves.
We have already seen that even though the departmental networks are physically separate, they are interconnected, which is what is needed. That means the nodes are physically connected to each other and can send and receive information from anywhere in the organization, so reaching his own network and its data is technically possible for a displaced user. The only problem is to make the process seamless and transparent to the user.
It is important to understand that the problem is not confined to laptops. An accountant moving from the accounts department to some other department and working on a machine there for a week during an audit is an example where the membership is semi-permanent and involves no laptop. He is out of his department, using a machine that is physically not located in the accounts department, and he should still be able to access his files on the server of his own network and receive new income-tax notifications or a new organizational policy on investment issued by the head of accounts.
As mentioned before, this problem is solved by VLAN-aware switches. A VLAN-aware switch knows both the physical and the logical connection of each port. Assume a switch with 8 ports, port-1 to port-8. An older switch assumes all its ports belong to one network and stores only which node is connected to which port. A VLAN-aware switch remembers, in addition, which network the machine on each port belongs to, so it can associate every port with a specific network: port-1 is connected to a node belonging to network-5, port-2 to a node belonging to network-4, port-3 to a node belonging to network-3, and so on. Frames are then forwarded, and flooded, only among ports of the same VLAN.
Managed switches, configurable locally or remotely, are used for VLANs. A client running on the administrator's machine configures the switch much as it would a server: adding a new virtual network, making a specific node a member of a specific VLAN and so on can all be done remotely. The administrator logs in to the switch and changes the assignment of ports to networks. Managed switches are usually VLAN-aware, and nowadays a VLAN-aware switch costs about the same as a conventional one. (The management interface is itself a sensitive target: whoever can log in to the switch can rewire the VLANs, so it deserves the same protection as any other administrative service.)
The IEEE standardized VLAN support for Ethernet as 802.1Q. Let us study that standard.
IEEE 802.1Q VLAN standard for Ethernet
The original Ethernet frame is extended with two additional fields, four bytes in all, to support VLANs. They are the VLAN protocol ID (the tag protocol identifier, TPID) and the VLAN tag proper (the tag control information, TCI). A VLAN-aware sender puts these fields into the frame itself. The new header is depicted in figure 19.7.
The VLAN protocol ID is the fixed value 0x8100. It occupies the position of the Type (or Length) field that we saw in the discussion of the Ethernet frame structure, and the original Type/Length field follows the two additional fields, so the final receiver still finds it and processes the payload as before. Because 0x8100 is greater than 1500, a receiver that does not know the value sees what looks like an Ethernet II frame with an unknown type, which its protocol stack simply discards; and a tagged frame can be four bytes longer than the old maximum of 1518 bytes, which an old switch or card may reject as oversized. A receiver that does recognize 0x8100 knows that the next field is the VLAN tag, reads its sub-fields and acts accordingly. A card (or driver) that can do this is VLAN-aware. The switches along the path forward by looking at the protocol ID and the tag, so a VLAN-aware switch necessarily understands these fields. The card of an end node sending or receiving frames need not be VLAN-aware, because the switch can add and remove the tag on its behalf; but the switches providing the VLAN functionality must be.
The VLAN tag (TCI) is 16 bits and contains what the switch needs to move traffic: a 12-bit VLAN identifier (VID) naming the virtual LAN the frame belongs to (values 1 to 4094 are usable; 0 means the tag carries only a priority and 4095 is reserved), a 3-bit priority field (802.1p) and a 1-bit canonical format indicator, the last two having nothing to do with VLAN membership.
The VLAN operation
The process starts when the frame reaches the first VLAN-aware switch. If the node itself has a VLAN-aware card, the frame already carries both additional fields and nothing further needs to be done. More often the node has a conventional, non-VLAN-aware card; the VLAN-aware switch receives an untagged frame and processes it for the VLAN by computing and inserting the two fields. This raises two questions: which VLAN does the sender belong to, and what to do when the frame is already at the maximum size (1518 bytes, including the 14-byte header and the 4-byte checksum), since the tag adds four more bytes. The second problem is solved by the standard raising the maximum Ethernet frame length to 1522 bytes. The first needs more explanation.
The LAN administrator decides which network each machine belongs to and marks it accordingly (in LAN diagrams the VLANs are usually shown in different colours). The marking is done for each individual machine: when an accountant visits some other department, the machine he is given is marked as part of the accounts VLAN irrespective of its physical location. Once the marking is done, all switches are told about the mapping and store it in configuration tables. When a frame arrives from a node without a VLAN-aware card, the switch attaches the tag values itself, deciding the node's affiliation from the configuration table; the simplest such table maps each switch port to one VLAN. If the first switch the node is connected to is not VLAN-aware, it passes the frame on unchanged, and the first VLAN-aware switch along the path has to add the tag, using one of the following methods, which purists do not approve of but which are in widespread use.
The first method is to read the source MAC address from the frame and look it up in the configuration table. Here the table maps MAC address to VLAN identifier, which directly gives the VLAN the frame belongs to. This works for a case like the accountant sitting in some other department for a few weeks: the MAC address of the new machine is added to the accounts VLAN. However, when a student roams the campus and connects to his department from different machines, hence with different MAC addresses, the scheme is quite ineffective. (A MAC address is also trivial to forge, so a MAC-based VLAN offers no real protection against a deliberate attacker.)
The second solution is to use the IP address. The roaming student problem is easily solved if a table of IP address to VLAN is available: whatever MAC address he uses, he remains a member of his department's network. This solution is not considered good because it is an outright violation of the principle of layer independence. If a VLAN is designed around IPv4, it fails when the network starts using IPv6; the MAC layer should not base a design decision on network-layer information. Another problem is that if the machine obtains its IP address over the connection (that is, it does not use a static address), the scheme again becomes ineffective, because the address is not known before the node has been placed in a VLAN.
There is a silver lining, though. The standards provide protocols that work alongside 802.1Q: MSTP (Multiple Spanning Tree Protocol, IEEE 802.1s, now part of 802.1Q) builds a separate loop-free spanning tree for each group of VLANs so that VLAN traffic can use the redundant links between switches, and MVRP (Multiple VLAN Registration Protocol, IEEE 802.1ak) lets switches learn from each other, in the same spirit as self-learning, which VLANs must be carried on which inter-switch links. Neither decides the membership of a node; that remains the administrator's configuration. For a roaming user, the usual answer today is to assign the VLAN when the user authenticates to the port (IEEE 802.1X): the switch asks the authentication server who the user is, and the server returns the VLAN the port should be placed in. Membership then follows the user's identity rather than a MAC or IP address, and layer independence is preserved.
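The 802.1Q tag format and the way a VLAN-aware switch treats untagged and tagged frames on its ports, as an added example that is not part of the original module. The Python below builds and parses tagged frames (TPID 0x8100, then the 16-bit TCI with priority, CFI/DEI and VID, then the original Type/Length), and models two port roles: an access port, which assigns the VLAN itself (by port, or by the MAC-based table from the text) and drops any tag a host supplies, and a trunk port between switches, which carries tags on the wire. The VLAN numbers, port roles, MAC addresses and frames in demo are constructed for illustration; the port names and the mac_vlans option are this example's own, not switch-vendor terms.

```python
"""802.1Q tagging and VLAN-aware port handling.

Added example, not code from the original module. VLAN numbers, port roles,
MAC addresses and frames below are constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100          # VLAN protocol ID; sits in the Type/Length slot


def tag_frame(dst, src, type_len, payload, vid=None, pcp=0, dei=0):
    """Build an Ethernet frame (without FCS); insert an 802.1Q tag if vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:          # 0 = priority-only tag, 4095 reserved
            raise ValueError("VID out of range")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", type_len) + payload


def parse_frame(frame):
    """Split a frame into addresses, tag fields (None if untagged), type/length, payload."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    f = {"dst": frame[:6], "src": frame[6:12], "vid": None, "pcp": None, "dei": None}
    tl, off = struct.unpack("!H", frame[12:14])[0], 14
    if tl == TPID_8021Q:                  # tagged: TCI follows, then the real Type/Length
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        f.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0xFFF)
        tl, off = struct.unpack("!H", frame[16:18])[0], 18
    f["type_len"] = tl
    f["is_ethertype"] = tl > 1500         # 1500 or less is an 802.3 length field
    f["payload"] = frame[off:]
    return f


class VlanPort:
    """Tag handling for one port of a VLAN-aware switch (names are this example's own).

    access: serves end hosts in one VLAN (pvid). Hosts are not trusted to choose
            a VLAN, so a frame that arrives already tagged is dropped.
    trunk:  link to another switch; carries the VLANs in `allowed` with tags on
            the wire; untagged frames belong to the native VLAN (pvid).
    mac_vlans: optional MAC -> VID map, the MAC-based assignment from the text.
    """

    def __init__(self, mode, pvid, allowed=None, mac_vlans=None):
        self.mode, self.pvid = mode, pvid
        self.allowed = set(allowed or ()) | {pvid}
        self.mac_vlans = mac_vlans or {}

    def ingress(self, frame):
        """Classify a received frame: return (vid, tagged_frame), or None to drop it."""
        f = parse_frame(frame)
        if f["vid"] is None:              # untagged: the switch assigns the VLAN
            vid = self.pvid
            if self.mode == "access":
                vid = self.mac_vlans.get(f["src"], self.pvid)
            return vid, tag_frame(f["dst"], f["src"], f["type_len"], f["payload"], vid=vid)
        if self.mode == "access" or f["vid"] not in self.allowed:
            return None                   # host-supplied or disallowed tag: drop
        return f["vid"], frame

    def egress(self, vid, tagged_frame):
        """Prepare an internally tagged frame for this port; None means not sent here."""
        if vid not in self.allowed:
            return None
        if self.mode == "trunk" and vid != self.pvid:
            return tagged_frame           # keep the tag towards the other switch
        f = parse_frame(tagged_frame)     # access port or native VLAN: strip the tag
        return tag_frame(f["dst"], f["src"], f["type_len"], f["payload"])


def demo():
    """Walk a visiting accountant's frame through the ports; returns the observations."""
    acct_mac = bytes.fromhex("aaaaaaaaaa01")                  # constructed addresses
    srv_mac = bytes.fromhex("bbbbbbbbbb02")
    acct_port = VlanPort("access", pvid=10)                  # accounts VLAN
    visitor_port = VlanPort("access", pvid=20, mac_vlans={acct_mac: 10})  # other dept
    trunk = VlanPort("trunk", pvid=1, allowed={10, 20})
    out = {}
    plain = tag_frame(srv_mac, acct_mac, 0x0800, b"\x45" + b"\x00" * 19)  # untagged IPv4
    vid, tagged = visitor_port.ingress(plain)
    out["assigned_vid"] = vid                                 # 10 by MAC, not the port's 20
    out["tag"] = (parse_frame(tagged)["vid"], parse_frame(tagged)["pcp"])
    out["tag_overhead"] = len(tagged) - len(plain)            # the four extra bytes
    out["on_trunk"] = parse_frame(trunk.egress(vid, tagged))["vid"]         # tag kept
    out["to_acct_host"] = parse_frame(acct_port.egress(vid, tagged))["vid"]  # tag stripped
    forged = tag_frame(srv_mac, acct_mac, 0x0800, b"x", vid=20)  # host forges a VLAN 20 tag
    out["forged_on_access"] = acct_port.ingress(forged)        # dropped
    out["same_tag_on_trunk"] = trunk.ingress(forged)[0]        # legitimate between switches
    out["unknown_vlan_on_trunk"] = trunk.ingress(tag_frame(srv_mac, acct_mac, 0x0800, b"x", vid=30))
    return out
```

The untrusted tag is dropped at the access port, not merely overwritten, because a frame that reaches the trunk with a tag the host chose would be delivered into that VLAN by every switch downstream. The parser handles a single 802.1Q tag only; stacked (802.1ad) tags are outside the scope of this module.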
Summary
We began with various reasons why we cannot solve the problem of connecting multiple networks by merging them into one. We then looked at the issues of connecting networks at the MAC layer. Finally we discussed VLANs, VLAN-aware switches and the process of attaching the 802.1Q tag when the originating node knows nothing about VLANs. We have seen that these solutions are not perfect, and that there are protocols which improve the situation.