VLAN 개념정리

* 아 어렵네... 

  그냥 이런게 있다는.. 것만 아는 사람과... 

  해야 하는 상황은.. 참 다른 듯.. 

=================

VLAN 개념정리

1 VLAN 등장배경

l LAN은 single broadcast domain, LAN상의 모든 컴퓨터가 broadcast 패킷을 받음으로서 traffic 발생

l LAN상에서 router를 사용하면 broadcast가 안됨

l router는 bridge나 switch에 비해 비쌈

l VLAN은 broadcast traffic을 제한하는 대안으로 나옴

2 VLAN이란

l LAN을 다른 broadcast domain로 논리적으로 segment하도록 하는 것

l 네트웍을 서브넷 단위로 나눠서 각 서브넷에 속한 장비들간에만 통신이 가능하도록 해줌

l IP 서브넷을 만듬

l 다른 VLAN에 속한 호스트 간에 통신을 하려면 반드시 라우터를 거쳐야 함

l IEEE 802.1Q : Layer 1, 2 VLAN만 정의

l the maximum number of VLAN : 4094 (0, 0xFFF are reserved), 스위치에 따라 VLAN Table 유지하는 메모리와 관련하여 주로Dynamic/Static VLAN node 개수를 256개를 지원하는 것이 많음

l IEEE 802.1Q를 완전히 지원하기 위해 GARP(Generic Attribute Registration Protocol) 과 GVRP(GARP VLAN Registration Protocol) 필요

l VLAN by port가 주로 사용됨 : Port-based VLAN

l VLAN의 동작을 이해하기 위해 필요한 것들 : VLAN 타입, VLAN상의 device들간의 connection type, filtering database, tagging, VLAN식별하는 process

2.1 VLAN에서 세가지 형태의 frame 형태

l Untagged frames, Priority-tagged frames, VLAN-tagged frames

l Untagged/Priority-tagged frames

- VLAN정보 없음

- mac address, layer 3 protocol id등으로 분류

l VLAN-tagged frame

- VID를 가진 tag header를 가지고 있음

- VID로 분류

- VLAN을 구분하기 위하여 이더넷프레임에 송신노드가 속한 VLAN정보(tag)에 대한 정보를 삽입하는 방식

- 주로 여러 개의 스위치가 연결되어 있는 다중 스위치 네트웍에서 스위치 간에 동일한 VLAN을 공유할 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">때 주로 사용

- 스위치가 옆 스위치에게 데이타를 넘길때 송신노드가 속한 VLAN 정보(tag)가 추가된 프레임(tagged frame)을 넘긴다. "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">그러면 받은 스위치가 tag를 빼고목적지로 보낸다.

- ethernet frame tag header : tag protocol id(2 bytes) + tag control information(2 bytes)

- tag control information : user priority(3 bit) + CFI(Canonical format indicator, 1 bit) + VID(VLAN ID, 12 bits)

2.2 VLAN상의 device 종류 : VLAN-aware device & VLAN-unaware device

l VLAN-aware device

- tagged frame을 이해할 수 있는 디바이스(스위치, 라우터, PC등)

- VLAN-aware device로 데이타를 보내는 경우에는 VLAN id를 데이타에 붙여서 보낸다.

l VLAN-unaware device

- tagged frame을 이해하지 못하는 디바이스

- VLAN-unaware device로 데이타를 보내는 경우에는 VLAN id없이 데이타만 보낸다.

2.3 Ingress/Egress Rules

l Ingress rules : 받은 frame 분류하기 위해 적용

- VID가 frame에 있냐없냐에 따라, VID에 따라

l egress rules : 어떤 port frame이 어떤 format으로 전송될지.

2.4 frame tagging 방법

l explicit tagging

- bridge가 데이타를 받으면 그 데이타가 어느 VLAN에서 온건지 VLAN id로 데이타에 tag를 부침

l implicit tagging

- data는 tag되지 않지만 어느 포트로 받았는지, MAC이 뭔지등을 보고 어느 VLAN에서 온건지 암

- implicit tagging을 위해 어느 필드가 tagging을 위해 사용되는지와 VLAN사이의 mapping을 위한 database 유지

- 예 : port로 tagging된다면 어떤 port가 어떤 VLAN에 속하는지에 대한 database 필요

2.5 VLAN의 types

l Layer 1 VLAN - Membership by port : port1=vlan1, port2=vlan1

l Layer 2 VLAN - membership by MAC address : 001122334455=vlan1, 223344556677 : vlan2, ...

l Layer 2 VLAN - membership by protocol type : ip=vlan1, ipx=vlan2

l Layer 3 VLAN - membership by IP subnet address : 23.2.24=vlan1, 26.21.35=vlan2

l Higher layer VLAN - application : ftp=vlan1, telnet=vlan2

2.6 connection types

l Trunk link : 모든 device들은 VLAN-aware, trunk link상의 모든 프레임들은 특별한 헤더가 부착된다(tagged frame)

l Access link : VLAN-aware bridge의 포트에 VLAN-unware device를 붙인 것. access link상의 모든 frame은 implicitly tagged(untagged)

l Hybrid Link

2.7 기타

l Forwarding process : filtering database, bridge port의 상태에 따라

l learning process : source address, VID를 보아서 filtering database, port state 갱신

l filtering database : filter information 유지, destination Mac address와 VID에 따라 forward할 포트

l 절차 : frame 받음 --> learning process에서 ingress ruls, port status를 참조하여 filtering database 갱신

l LAN상의 모든 bridge는 같은 database를 유지해야 한다 - GVRP(GARP VLAN Registration Protocol)이용 : GARP = Generic Attribute Registration Protocol

l filtering database : static entries(관리자가 직접 VLAN 정보 삽입), dynamic entries(GARP등으로 알게된 VLAN 정보)

l 초기에는 VLAN id = 1 , 모든 포트가 속해 있음

l vlan x개까지 가능

l vlan이 추가될때마다 해당 IP와 Mac이 정해짐(mac의 경우, 마지막 자리가 id값으로 되는 것 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">같음)

l IVL(각 VLAN이 각각 forwarding mac table 유지, 그래서 좀더 보안에 강하며 VLAN들간에 데이터가 직접적으로 forward 될 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">수 없음), SVL(모든 VLAN이 하나의forwarding mac table 사용, 보안에 덜 민감하고 모든 포트에 대한 mac table이 같이 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">있으므로 VLAN들간에 forwarding이 가능)

l Default VLAN의 ID는 1

l VLAN table에 있는 각 VLAN 정보는 static(사용자가 직접 입력한 VLAN 정보)과 Dynamic(GVRP를 통하여 알게된 VLAN "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">정보)로 나뉜다.

l 같은 Protocol type을 가진 VLAN은 port를 공유할 수 없다. 단 Protocol type이 다르면 port를 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">공유할 수 있다(예: IP Protocol type을 가진 VLAN 1이 port1~3으로하나의 VLAN 형성, IP Protocol type을 가진 VLAN 2는 port 1~3"FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">을 가질 수 없다. 단 IPX Protocol type을 가진 VLAN 2는 port 1~3을 가질 수 있다)

3 타 스위치 장비에서의 VLAN

3.1 코어세스사 FX5224

l VLAN 생성 : vlan 이름, Id, style(port, mac, protocol, ...), stp on/off, ip address, subnet

l VLAN에 port 할당 : vlan이름, 할당할 port들

3.2 LG사 LS1216

l VLAN 생성 : VLAN 이름, Member ports, VLAN ID

l 기타 : VLAN Host Setting(ip, gateway, subnet, default vlan은 반드시 있어야 하나 그렇지 않다면 없어도 된다)

3.3 Riverstone사의 스위치라우터

l 생성 : vlan name, vlan id, port들, status(enable/disable)

해당 vlan id에 포함되어서는 안되는 포트들(GVRP등으로 요구되더라도)

tagged port들(해당 포트에 연결된 것이 VLAN호환장비인 경우, 이더넷 프레임에 tag가 항상 포함되어 있음)

l 보기 : vlan name, id, port들, learned by static/dynamic

l GARP 설정 : port id, join time, leave time, leave all time, port join GARP(enable/disable) - 포트별로 GARP 사용여부 결정(이 포트에서 들어오는 GVRP는 enable/disable ?)

* GVRP

- 이 기능은 없어도 된다. 하지만 없으면 관리자가 관련된 모든 스위치에 정보를 수동으로 설정해야 하는 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">부담이 있다.

- Switch에서는 각 포트별로 GVRP PDU를 받았을 때 어떻게 할것인지 결정하는 설정이 필요(enable/disable), 경우에 따라 각
포트별 설정이 아니라 스위치 전체적으로 GVRP 설정을 어떻게 할 것인지 설정할 수도 있음

- Enable : GVRP PDU를 받아서 처리하여 이 포트를 통하여 타 스위치로부터 VLAN Group 정보가 넘어오면 Learn하겠다는 의미, 이"FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">경우 소프트웨어적으로 처리해야 하며, GVRP PDU를 받아서 CPU에게 넘겨주면(Packet Driver) GVRP Protocol 처리 모듈이 자체적으로 처리해서 스위치 내and/or 자체에 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">있는 VLAN Table에 learn한 VLAN 정보를 dynamic으로 설정해야 한다.

- Disable : Block의 의미, GVRP PDU를 받아도 처리하지 않겠다는 의미

- “Show gvrp”라는 명령에 의해 모든 포트에 대하여 GVRP enable/disable(혹은 block/learning)이 나타남

- GVRP를 받는 Port는 해당 GVRP가 전하는 모든 VLAN Group의 Member가 된다.

- GVRP를 송수신 하는 Port는 tagged member이어야 한다.

l GVRP Propagation

1) GVRP가 스위치에서 enable될 때, 스위치는 모든 Ports로 GVRP packets을 보낸다. GVRP Packets은 그 스위치가 알고 "FONT-FAMILY: 굴림체; mso-hansi-font-family: 'Courier New'; mso-ascii-font-family: 'Courier New'">있는 모든 VLAN 정보를 advertise한다.(Default VLAN 제외)

2) GVRP enabled 스위치가 GVRP packet을 받을 때, GVRP Packet이 넘어오는 쪽과 연결되어 Packet을 받는 Port는 advertised된 모든xml:>VLANs의 member가 된다. 그리고 넘겨받은 모든 VLAN 정보를 다시 모든 Ports로 advertising을 한다(단, 그
GVRP 정보를 받은 포트는 제외)

예)

IEEE 802.1Q Standard Document

http://egloos.zum.com/floydson/v/2978631