MINT Switching

03

VLAN configuration


VLAN description

VLAN technology is a tool for dividing an Ethernet network into logical segments. Using VLANs makes it possible to combine devices into groups at the link layer. Connectivity between devices is then possible only within a group, which reduces broadcast traffic on the network and separates the devices' traffic from each other. Note that the devices are grouped at the link layer, so devices will maintain connectivity at higher layers, such as the network layer.

VLAN support on the network involves using a different Ethernet frame format. The figure below shows the Ethernet frame format without and with VLAN. In the second case, a 4-byte VLAN ID field is added to the Ethernet frame; it includes the following fields:

  • Tag Protocol Identifier - the protocol ID used for the VLAN. The default value is "0x8100". 16 bits are used for the field.
  • Priority code point - a parameter used to specify the QoS of transmitted frames. 3 bits are used for the field.
  • Drop eligible indicator - a parameter that indicates the MAC address format. 1 bit is used for the field.
  • VLAN Identifier - 12 bits are used for the field; the ID value range is 0...4094. Usually, depending on the network equipment manufacturer, some identifiers are reserved and are not used by the local network administrator during configuration. As a rule, VLAN ID 0 is reserved for service traffic and VLAN ID 1 is used as the native VLAN. In general, an administrator can organize 4095 VLANs over a single physical infrastructure.

User devices usually do not support processing of frames with VLANs; therefore, non-VLAN Ethernet frames are used in network segments with such equipment. To make this possible, a VLAN tag can be placed inside a frame and removed from it as the frame travels across the network. These operations are called tagging and untagging.

Let's look at an example (see figure) that demonstrates the frame manipulations: PC1 sends an Ethernet frame to PC2.

  1. PC1 forms the Ethernet frame and sends it to Switch 1. Since PC1 does not support VLAN, the frame is transmitted without a corresponding tag.
  2. Switch 1 receives the Ethernet frame from PC1, performs a tagging operation and adds a VLAN tag to the received frame.
  3. Switch 1 sends the tagged frame to Switch 2.
  4. Switch 2 receives the tagged frame from Switch 1 and decides whether to forward the frame to PC2.
  5. PC2 does not support VLAN, therefore Switch 2 removes the VLAN tag from the received frame and sends it to PC2.

In the previous example, the switch ports to which PC1 and PC2 are connected tag and untag the transmitted frames. Such ports are called access ports. An access port can be associated with only one VLAN ID: a VLAN field with this ID is added to each frame received by the port, and the VLAN tag is removed from each frame sent by the port.

Ports that connect switches to each other do not manipulate the VLAN field in frames. Such ports are called trunk ports. A trunk port may be associated with a set of VLANs. In this case, received frames whose VLAN identifiers are not specified in the trunk port configuration will be discarded. Only frames with VLAN IDs specified in the port configuration can be sent from the port.

Some equipment manufacturers allow configuration of hybrid ports. A hybrid port is a trunk port with one allocated VLAN for which the port works as an access port. In this case, frames with the VLAN tags specified in the configuration as trunk can be sent and received through the port, and all frames received by the port without a tag are tagged with the access VLAN. Frames processed with the access VLAN identifier are also sent through the hybrid port without a VLAN tag.

Let's look at an example that demonstrates how VLANs isolate the traffic of devices from each other. All user devices are in the same IP network 192.168.10.0/24, but in different virtual networks (VLANs): VLAN 20 is allocated for PC1 and PC4, and VLAN 10 for PC2 and PC3. Switch ports to which user devices are connected should be configured in access mode, and ports connecting the switches in trunk mode for VLANs 10 and 20.

  1. PC1 needs to transfer data to PC4, but its database does not contain the PC4 MAC address.
  2. In order to learn the MAC address of PC4, PC1 generates a broadcast ARP request and sends it to Switch 1.
  3. Switch 1 receives the frame from PC1 and tags it with VLAN 20.
  4. Since the frame is a broadcast, Switch 1 must transmit it to all ports where VLAN 20 is allowed, excluding the port through which the frame was received. Switch 1 sends the frame to Switch 2.
    1. Although PC2 and PC3 are on the same subnet as PC1 (192.168.10.0/24), they will not receive the ARP request, since these devices are placed in another virtual segment of the local network.
  5. Switch 2 receives the tagged frame from Switch 1, removes the tag and forwards it to PC4.


The reply to the ARP request is delivered as follows:

  1. PC4 responds to the request, encapsulates the reply in an Ethernet frame with the PC1 MAC address as the receiver and sends it to Switch 2.
  2. Switch 2 tags the received frame with VLAN 20 and sends it to Switch 1.
  3. Switch 1 untags the received frame and sends it to PC1.

Thus, despite the fact that user devices are on the same subnet, their interaction is limited by the virtual segment.
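The access and trunk port rules and the ARP broadcast walk-through above can be modelled in a few lines. This is an added example, not part of the original course material; the `Switch` class, port names and the placement of PC2 on Switch 1 and PC3 on Switch 2 are assumptions made for illustration.

```python
class Switch:
    """Minimal model of the access and trunk port rules described above."""

    def __init__(self, name):
        self.name = name
        self.ports = {}                      # port -> (mode, VLAN IDs, peer)

    def add_access(self, port, vid, host):
        self.ports[port] = ("access", {vid}, host)

    def add_trunk(self, port, allowed, peer_switch, peer_port):
        self.ports[port] = ("trunk", set(allowed), (peer_switch, peer_port))

    def flood(self, in_port, vid=None):
        """Flood a broadcast frame; return the hosts that receive it."""
        mode, vlans, _ = self.ports[in_port]
        if mode == "access":
            vid = next(iter(vlans))          # untagged host frame gets the port's VLAN
        elif vid not in vlans:
            return []                        # trunk discards VLANs it does not list
        delivered = []
        for port, (out_mode, out_vlans, peer) in self.ports.items():
            if port == in_port or vid not in out_vlans:
                continue                     # never back out the ingress port
            if out_mode == "access":
                delivered.append(peer)       # tag removed, frame handed to the host
            else:
                peer_switch, peer_port = peer
                delivered += peer_switch.flood(peer_port, vid)  # tag kept on trunk
        return delivered

def build_topology(trunk_vlans=(10, 20)):
    s1, s2 = Switch("Switch 1"), Switch("Switch 2")
    s1.add_access("pc1", 20, "PC1")
    s1.add_access("pc2", 10, "PC2")          # assumption: PC2 sits on Switch 1
    s2.add_access("pc3", 10, "PC3")          # assumption: PC3 sits on Switch 2
    s2.add_access("pc4", 20, "PC4")
    s1.add_trunk("uplink", trunk_vlans, s2, "uplink")
    s2.add_trunk("uplink", trunk_vlans, s1, "uplink")
    return s1, s2

def broadcast_from(port, trunk_vlans=(10, 20)):
    """Hosts reached by a broadcast entering Switch 1 on the given access port."""
    s1, _ = build_topology(trunk_vlans)
    return s1.flood(port)

if __name__ == "__main__":
    print("PC1 ARP request reaches:", broadcast_from("pc1"))
    print("PC2 broadcast reaches:", broadcast_from("pc2"))
    print("Trunk without VLAN 20:", broadcast_from("pc1", trunk_vlans=(10,)))
```

The third call shows the trunk allow-list at work: when VLAN 20 is missing from the trunk configuration, the request from PC1 never leaves Switch 1.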

Tag operations

Switch groups allow flexible processing of frames with VLAN tags: they make it possible to configure access and trunk ports and to forcibly change the tag value of received frames. Frames with a specific VLAN tag can be sent to a specific switch group. In a common configuration, the switch group number corresponds to the VLAN tag.

Let's look at the scheme in which 2 subscribers are connected to the BS1 Base Station sector. Switch group settings for device management will not be taken into account in this example since they were reviewed in the previous lesson.

One "Trunk" switch group will be created on BS1, and VLANs with identifiers 10, 20 and 30 will be included in it. To do this, the following steps are used:

To create a switch group, go to the "Basic Settings → MAC Switch" section and click the "Create switch group" button.

  1. Set the switch group number #1.
  2. Add eth0 and rf* interfaces.
  3. Set the "Trunk" mode.
  4. Create the rule "vlan 10,20,30" for this group.

Trunk port configuration

When CPE1 is configured in the Trunk mode for the VLAN with ID 10, the radio device will accept only MINT frames that contain Ethernet frames with VLAN 10 tags, decapsulate them and transmit them intact. Frames with other VLAN identifiers or without VLAN identifiers will not be transmitted by CPE1. Thus, Switch 2 will receive frames with VLAN 10.

The trunk port configuration on CPE1 is as follows:

Step 1: to create a switch group, go to the "Basic Settings → MAC Switch" section and click the "Create switch group" button.

Step 2: set the switch group number to #10; the switch group number must match the VLAN ID.

Step 3: add the eth0 and rf* interfaces.

Step 4: set the "In-Trunk" mode and select trunk group number 1 (in accordance with the switch group number on BS1).

Step 5: create the rule "vlan 10".

VLAN range configuration on the subscriber device

When CPE2 is configured in trunk mode for VLANs with IDs 20 and 30, the radio device will accept only MINT frames that contain Ethernet frames with VLAN 20 and 30 tags, decapsulate them and transmit them intact. Frames with other VLAN identifiers or without VLAN identifiers will not be transmitted by CPE2. Thus, Switch 3 will receive frames with VLAN 20 and 30.

To implement such a scheme, it is necessary to create a separate switch group for each VLAN identifier on the radio equipment. If the set of VLANs is extensive, the subscriber configuration becomes complicated; however, starting from software version 1.90.29, this can be done using one "Trunk" type switch group. The switch group logic will be similar to the "In-Trunk" mode, but with support for VLAN tags 20 and 30.

The CPE2 configuration is as follows:

Step 1: to create a switch group, go to the "Basic Settings → MAC Switch" section and click the "Create switch group" button.

Step 2: set the switch group number to #1, in accordance with the switch group number on BS1.

Step 3: add the eth0 and rf* interfaces.

Step 4: set the "Trunk" mode.

Step 5: create the rule "vlan 20,30".

Access port configuration

Let's look at the BS1 and CPE1 connection scheme in which the CPE1 Ethernet port should be configured in access mode. Such a configuration may be necessary when a device connected to CPE1 (Switch 2 in the example) does not support VLAN. In this configuration, CPE1 will send frames to Switch 2 and receive frames from it without a VLAN tag.

In order to configure a switch group on BS1 as an access port, it is necessary to create a logical VLAN interface with a parent Ethernet port, which will strip VLAN tags from packets entering the switch group from the wired network segment and will tag packets during transmission to Switch 1. In the radio segments the packets are passed untagged.

The device configuration is as follows:

Step 1: to create a switch group on BS1 and CPE1, go to the "Basic Settings → MAC Switch" section and click the "Create switch group" button.

Step 2: set the switch group number to #20; the switch group number must be the same as the VLAN ID.

Step 3a: on BS1, create the vlan20 interface, set eth0 as its parent and set "VLAN ID" to 20. Add the vlan20 and rf* interfaces to the created switch group. No additional rules are required.

Step 3b: on CPE1, add the eth0 and rf* interfaces to the created switch group. No additional rules are required.

In the BS1 configuration, any frame that enters through the eth0 interface with VLAN 20 will be untagged, encapsulated into a MINT frame with the switch group #20 tag and sent via the radio interface. A MINT frame with the switch group #20 tag received via the radio interface from CPE1 will be sent through the eth0 interface as an Ethernet frame with the VLAN tag 20.

Tag replacement

Let's take the scheme in Figure 3.9, but change the goal. PC1 works in VLAN 100, and PC2 in VLAN 200. It is necessary to achieve connectivity between these devices at the L2 level using the Infinet equipment configuration.

To complete the task, it is necessary to obtain a configuration in which frames from PC1 are transmitted to CPE1 untagged (the original tag 100 will be forcibly replaced), and CPE1 tags them with VLAN 200 during transmission to PC2. BS1 will tag all frames received from CPE1 with tag 100 and will transmit them to PC1.

The device configuration is as follows:

Step 1: to create a switch group on BS1 and CPE1, go to the "Basic Settings → MAC Switch" section and click the "Create switch group" button.

Step 2: set the same switch group number on both devices (number 2 in this example) and add an rf* interface.

Step 3a: on BS1, create the vlan100 interface, set eth0 as its parent and set "VLAN ID" to 100.

Step 3b: on CPE1, create the vlan200 interface, set eth0 as its parent and set "VLAN ID" to 200.

Step 4a: on BS1, add the vlan100 interface to the created switch group. No additional rules are required.

Step 4b: on CPE1, add the vlan200 interface to the created switch group. No additional rules are required.

QinQ

As mentioned above, the VLAN identifier is limited to 12 bits and lies in the range 0-4094. When providers scale their networks and organize communication through leased L2 channels, they may run short of available VLAN identifiers. In this case, QinQ technology is the way to solve the problem.

QinQ technology involves using two VLAN fields in an Ethernet frame (see figure). The EtherType field is set to "0x88a8" or "0x9100" for the external header, and to "0x8100" for the internal header. Not all devices support dual tagging, so when processing a frame they use only the external VLAN tag. Double tagging allows 24 bits to be used for VLAN IDs, i.e. the range of possible values increases to 16777216.

Let's look at a situation in which the ISP provides an L2 channel through VLAN 605. If several user VLANs need to be transferred through this channel, QinQ technology must be used. In this case, the VLAN 605 assigned by the provider is called a Service VLAN (standard 802.1ad), and the set of user-defined VLANs, VLANs 5 and 6 in our example, is called a Customer VLAN (standard 802.1q).
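The tag layout from the "VLAN description" section and the double tagging described here can be checked by building and parsing frames byte by byte. This is an added example, not part of the original course material; the sample frames, the source MAC address and the function names are constructed for illustration, and the VLAN numbers 20, 605 and 5 are taken from the examples on this page.

```python
import struct

# TPIDs named on this page: 0x8100 (single or inner tag), 0x88a8 / 0x9100 (outer tag).
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def build_tag(tpid, vid, pcp=0, dei=0):
    """Pack one 4-byte tag: 16-bit TPID, then PCP (3) | DEI (1) | VID (12)."""
    if not (0 <= vid <= 0xFFF and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("tag field out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)

def parse_tags(frame):
    """Return (tags outermost first, EtherType of the payload)."""
    offset, tags = 12, []                      # skip destination and source MAC
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TPIDS:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4

# Constructed sample frames: broadcast destination, made-up source MAC,
# ARP EtherType (0x0806) followed by a zeroed 28-byte body.
HEADER = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = struct.pack("!H", 0x0806) + bytes(28)
UNTAGGED = HEADER + PAYLOAD
SINGLE = HEADER + build_tag(0x8100, 20) + PAYLOAD
QINQ = HEADER + build_tag(0x88A8, 605) + build_tag(0x8100, 5, pcp=3) + PAYLOAD

def vlan_stack(frame):
    """VLAN IDs from the outer tag inwards, e.g. [605, 5] for the QinQ sample."""
    return [tag["vid"] for tag in parse_tags(frame)[0]]

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("802.1Q", SINGLE), ("QinQ", QINQ)):
        print(name, len(frame), "bytes, VLAN stack:", vlan_stack(frame))
```

Because the parser walks the whole tag stack, it reports the Customer VLAN as well as the Service VLAN, which a device that reads only the external tag would not see.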

Master configuration
 

Step 1: go to the "Basic Settings → Network settings" section and click the "Create VLAN" button.

Step 2: configure the created vlan605 interface, define its parent interface, VLAN tag and encapsulation type:

Step 3: go to the "Basic Settings → MAC Switch" section, create switch group #605 and add rf* and vlan605 interfaces:

Slave device configuration

Step 1: go to the "Basic Settings → MAC Switch" section, create switch group #605 and add rf* and eth0 interfaces:

In addition to InfiNet equipment settings, it is necessary to configure switches.

The data transmission will be the following:

  • PC3 generates a message for PC1, encapsulates it into an Ethernet frame with the VLAN tag 5 and transmits it to the switch;
  • the switch receives the generated frame and adds another S-VLAN 605 label to it;
  • then the switch sends the frame to the Master device;
  • the Master device removes the S-VLAN tag, encapsulates the frame into a MINT frame and transmits it via the radio link;
  • the Slave device decapsulates the Ethernet frame and sends it to the switch;
  • the switch deletes the VLAN tag and sends an Ethernet frame to PC1.