[rbridge] VLAN tags, inner/outer, revisted and summarized
Radia.Perlman at sun.com
Fri Dec 1 11:58:42 PST 2006
Silvano explained a reason for an "outer" vs an "inner" VLAN tag, which is really to accomplish making
a 24-bit VLAN tag, hierarchically assigned by 12 bits for customer, and 12 bits for use by that customer.
The only changes we'd need to the base spec is as follows:
a) the VLAN tag specified in the per-VLAN IS-IS instance would be 24 bits instead of 12 (the per-VLAN instance
is the thing where R1 says what endnodes are attached, and whether R1 has an IP multicast router
attached, and what IP multicast groups have members attached).
b) For unicast traffic: the ingress RBridge R1 looks up the egress RBridge R2 based on
the 24-bit VLAN tag, (using the 12 bits in the frame indicating the customer-defined VLAN, plus 12 bits R1 infers
based on which port R1 received the frame from)
R1 puts the "which customer" portion of the VLAN tag in the outer header. The reason for this is
in case R2 has ports to two different customers, and there are overlapping endnode address spaces, R2 will
need the outer VLAN tag to determine which port to decapsulate the frame onto.
c) for unknown destination/multicast: the ingress RBridge R1 puts the "which customer" portion of the VLAn
tag into an outer VLAN tag, and RBridges in the core filter based on the 24-bit VLAN by using both the inner
and outer 12 bits.
This proposal still treats the infrastructure (all the transit links) as shared by all VLANs, which I like the
robustness and simplicity of.
----- Original Message -----
From: Radia Perlman <Radia.Perlman at sun.com>
Date: Thursday, November 30, 2006 7:36 pm
Subject: [rbridge] VLAN tags, inner/outer, revisted and summarized
> There's been a lot of discussion, and I believe this is what is
> on: In this email I will attempt to just
> explain, and not advocate. If I want to express opinions, I'll
> reply to
> The first question we have to ask is what things people are doing
> VLANs. The next is to ask
> which subset of these (possibly "all") we want to support with
> and to answer that we have
> to also answer what the cost/benefit of solving each with TRILL is.
> Things VLANs can provide:
> a) separate endnodes into communities, to enforce that only VLAN A
> can talk to VLAN A nodes
> b) scoping things like ARP, so an ARP for a VLAN A node only gets
> on VLAN A links
> c) security -- making sure that VLAN A nodes cannot snoop on VLAN B
> trafficd) provisioning -- making sure that the only traffic on a
> VLAN A link is
> VLAN A traffic, or
> perhaps BGP-policy-like, as in, "this link is willing to carry
> VLANs A,
> B, and Q, but not D".
> Perhaps this is not an exhaustive list, but I hope it's close enough.
> What are the costs of providing these things?
> The solution that I'd been assuming solves a) and b). That solution
> summarized as follows:
> If RBridges R1 and R2 are on the same link, they are neighbors, and
> can send transit traffic to each other,
> regardless of the VLAN on which it originated. This can be thought
> of as
> RBridges create a cloud,
> which keeps VLAN traffic segregated at the endpoints, but is a
> shared infrastructure for all
> VLANs within the cloud.
> That solution does not solve c) and d), though if the transit links
> all point-to-point links
> between RBridges, this is moot. The case that isn't solved is when
> link is both a transit link
> and a shared link with a bunch of endnodes in a VLAN.
> Suppose we want to solve those?
> What I think people would be asking for is to have the VLAN
> not just the destination, but what
> path the packet takes. So some links would only allow certain VLAN
> traffic on them, even for transit.
> Which would mean multiple forwarding tables, since paths would have
> be VLAN-dependent.
> So, I think the basic strategies are:
> a) create as much connectivity as possible between RBridge
> neighbors. If
> R1, R2, and R3 are on the same
> shared/bridged link, and R1 can only talk to R2 if it puts "VLAN X"
> the header, and R1 can only
> talk to R3 if it puts "VLAN Y" into the header, R1 discovers this
> by being configured that the
> link needs either VLAN X or VLAN Y tags, sends IS-IS Hellos with
> and wdiscovers that on the
> adjacency to R2, R1 has to stick "VLAN X" and to R3, R1 has to
> "VLAN Y". So R1 does whatever
> is necessary to talk to its neighbors, but it is only relevant on
> hop. R1 reports in its link state packet that
> it has a neighbor R2, and R3. All RBridges can use the link for
> for all VLANs.
> b) only allow R1 and R2 to be IS-IS neighbors if they can talk to
> other with a null VLAN tag. A link
> that requires a VLAN tag can only be used as an ingress or egress
> from the cloud.
> c) copy the VLAN tag to the outer header, assume any link that
> a particular VLAN tag wants to exclude
> transit traffic for all other VLANs, or even for null tags, on the
> Run separate core instances of IS-IS for
> each VLAN tag. Perhaps announcing in the VLAN A instance, all VLAN
> links, plus links that allow
> for null tags.
> d) like with c), but allow a link to be configured as "there are
> VLAN A
> endnodes here, but transit traffic for any VLAN
> is fine".
> Solutions c) and d) require separate forwarding tables per VLAN,
> either separate instances of IS-IS, or
> a link attribute that lists legal VLAN tags for the link. VLAN A
> segments might become disconnected
> because although there is RBridge connectivity, it isn't through
> that say it's OK to have VLAN A traffic.
> rbridge mailing list
> rbridge at postel.org
More information about the rbridge