HCIP - VLAN Aggregation

OBJECTIVE

The purpose of this post is to present an introduction to VLAN Aggregation.

Background of VLAN Aggregation

VLAN is widely applied to switching networks because of its flexible control of broadcast domains and convenient deployment. On a Layer-3 switch, the interconnection between the broadcast domains is implemented using one VLAN to correspond to one Layer-3 logic interface.

However, this can waste IP addresses. Figure 1 shows the VLAN division in the device.

Figure 1 - Figure 1 Diagram of a common VLAN

Table 1 - Example of Assigning Host Addresses on a common VLAN

As shown in Table 1, VLAN 2 requires 10 host addresses. The sub-network 1.1.1.0/28 with the mask length as 28 bits is assigned for VLAN 2. 1.1.1.0 is the address of the subnetwork, and 1.1.1.15 is the directed broadcast address. These two addresses cannot serve as the host address. In addition, as the default address of the network gateway of the subnetwork, 1.1.1.1 cannot be used as the host address. The other 13 addresses ranging from 1.1.1.2 to 1.1.1.14 can be used by the hosts. In this way, although VLAN 2 needs only ten addresses, 13 addresses need to be assigned for it according to the division of the sub-network.

VLAN 3 requires five host addresses. The sub-network 1.1.1.16/29 with the mask length as 29 bits needs to be assigned for VLAN 3. VLAN 4 requires only one address. The sub-network 1.1.1.24/30 with the mask length as 30 bits needs to be assigned for VLAN 4.

In the above, 16 (10+5+1) addresses are needed for all the preceding VLANs. However, 28 (16+8+4) addresses are needed according to the common VLAN addressing mode even if the optimal scheme is used. Nearly half of the addresses are wasted. In addition, if VLAN 2 is accessed to three hosts instead of ten hosts later, the extra addresses will not be used by other VLANs and will be wasted.

This division is inconvenient for the later network upgrade and expansion. Assume that two more hosts need to be added to VLAN 4 and VLAN 4 does not want to change the assigned IP addresses, and the addresses after 1.1.1.24 have been assigned to others, a new sub-network with the mask length as 29 bits and a new VLAN need to be assigned for the new customers of VLAN 4. Therefore, the customers of VLAN 4 have only three hosts, but the customers are assigned to two subnetworks and are not in the same VLAN. As a result, this is inconvenient for network management.

In above, many IP addresses are used as the addresses of sub-networks, directional broadcast addresses of sub-networks, and default addresses of network gateways of sub-networks. These IP addresses cannot be used as the host addresses in the VLAN. The limit on address assignation reduces the addressing flexibility so that many idle addresses are wasted. To solve this problem, VLAN aggregation is used.

Principle

The VLAN aggregation technology, also known as the super-VLAN, provides a mechanism that partitions the broadcast domain using multiple VLANs in a physical network so that different VLANs can belong to the same subnet. In VLAN aggregation, two concepts are involved, namely, super-VLAN and sub-VLAN.

1. Super-VLAN: It is different from the common VLAN. In the super-VLAN, only Layer 3 interfaces are created and physical ports are not contained. The super-VLAN can be viewed as a logical Layer 3 concept. It is a collection of many sub-VLANs.

2. Sub-VLAN: It is used to isolate broadcast domains. In the sub-VLAN, only physical ports are contained and Layer 3 VLAN interfaces cannot be created. The Layer 3 switching with the external network is implemented through the Layer 3 interface of the super-VLAN.

A super-VLAN can contain one or more sub-VLANs retaining different broadcast domains. The sub-VLAN does not occupy an independent subnet segment. In the same super-VLAN, IP addresses of hosts belong to the subnet segment of the super-VLAN, regardless of the mapping between hosts and sub-VLANs.

The same Layer 3 interface is shared by sub-VLANs. Some subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets are saved and different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible and idle addresses are reduced.

Take Table 1 to explain the implementation theory. Suppose that user demands are unchanged. In VLAN 2, 10 host addresses are demanded; in VLAN 3, 5 host addresses are demanded; in VLAN 4, 1 host address is demanded.

According to the implementation of VLAN aggregation, create VLAN 10 and configure VLAN 10 as a super-VLAN. Then assign a subnet address 1.1.1.0/24 with the mask length being 24 to VLAN 10; 1.1.1.0 is the subnet ID and 1.1.1.1 is the gateway address of the subnet, as shown in Figure 2. Address assignments of sub-VLANs (VLAN 2, VLAN 3, and VLAN 4) are shown in Table 2.

Figure 2 - Schematic diagram of VLAN aggregation

Table 2 - Example for assigning Host addresses in VLAN aggregation mode 

In VLAN aggregation implementation, sub-VLANs are not divided according to the previous subnet border. Instead, their addresses are flexibly assigned in the subnet corresponding to the super-VLAN according to the required host number.

Table 2 shows that VLAN 2, VLAN 3, and VLAN 4 share a subnet (1.1.1.0/24), a default gateway address of the subnet (1.1.1.1), and a directed broadcast address of the subnet (1.1.1.255). In this manner, the subnet ID (1.1.1.16, 1.1.1.24), the default gateway of the subnet (1.1.1.17, 1.1.1.25), and the directed broadcast address of the subnet (1.1.1.5, 1.1.1.23, and 1.1.1.24) can be used as IP addresses of hosts.

Totally, 16 addresses (10 + 5 + 1 = 16) are required for the three VLANs. In practice, in this subnet, a total of 16 addresses are assigned to the three VLANs (1.1.1.2 to 1.1.1.17). A total of 19 IP addresses are used, that is, the 16 host addresses together with the subnet ID (1.1.1.0), the default gateway of the subnet (1.1.1.1), and the directed broadcast address of the subnet (1.1.1.255). In the network segment, 236 addresses (255 - 19 = 236) are available, which can be used by any host in the sub-VLAN.

Communications Between VLANs

VLAN aggregation ensures that different VLANs use the IP addresses in the same subnet segment. This, however, leads to the problem of Layer 3 forwarding between sub-VLANs.

In common VLAN mode, the hosts of different VLANs can communicate with each other based on the Layer 3 forwarding through their respective gateways. In VLAN aggregation mode, the hosts in a super-VLAN use the IP addresses in the same network segment and share the same gateway address. The hosts in different sub-VLANs belong to the same subnet. Therefore, they communicate with each other based on the Layer 2 forwarding, rather than the Layer 3 forwarding through a gateway. In practice, hosts in different sub-VLANs are separated in Layer 2. As a result, sub-VLANs fail to communicate with each other.

To solve the preceding problem, you can use the ARP proxy.

For details of ARP proxy, refer to the chapter ARP in the IP Services.

• Layer 3 Communications Between Different Sub-VLANs

As shown in Figure 3, the super-VLAN, namely, VLAN 10, contains the sub-VLANs, namely, VLAN 2 and VLAN 3.

Figure 3 - Networking diagram of Layer 3 communications between different sub-VLANs based on ARP proxy

Suppose that the ARP table of Host A has no corresponding entry of Host B, and the gateway is enabled with the ARP proxy between sub-VLANs. Then the communication process between Host A in VLAN 2 and Host B in VLAN 3 is shown as below:

1. After comparing the IP address of Host B 1.1.1.3 with its IP address, Host A finds that both IP addresses are in the same network segment 1.1.1.0/24, and its ARP table has no corresponding entry of Host B.

2. Host A initiates an ARP broadcast to request the MAC address of Host B.

3. Host B is not in the broadcast domain of VLAN 2, and cannot receive the ARP request.

4. The gateway is enabled with the ARP proxy between sub-VLANs. Therefore, after receiving the ARP request from Host A, the gateway finds that the IP address of HostB 1.1.1.3 is the IP address of a directly-connected interface. Then the gateway initiates an ARP broadcast to all the other sub-VLAN interfaces to request for the MAC address of Host B.

5. After receiving the ARP request, Host B offers an ARP response.

6. After receiving the ARP response from Host B, the gateway replies its MAC address to Host A.

7. The ARP tables in both the gateway and Host A have the corresponding entries of Host B.

8. To send packets to Host B, Host A first sends packets to the gateway, and then the gateway performs the Layer 3 forwarding.

The process that Host B sends packets to Host A is just the same and is not mentioned here.

Layer 2 Communications Between a Sub-VLAN and an External Network As shown in Figure 4, in the Layer 2 VLAN communications based on ports, the received or sent frames are not tagged with the super-VLAN ID.

Figure 4 - Networking diagram of Layer 2 communications between a sub-VLAN and an external network

The frame that accesses Switch 1 through Port1 on Host A is tagged with the ID of VLAN 2. The VLAN ID, however, is not changed to the ID of VLAN 10 on Switch 1 even if VLAN 2 is the sub-VLAN of VLAN 10. After passing through Port3, which is the trunk type, this frame still carries the ID of VLAN 2.

That is to say, Switch 1 itself does not send the frames of VLAN 10. In addition, switch 1 discards the frames of VLAN 10 that are sent to Switch 1 by other devices because switch 1 has no corresponding physical port for VLAN 10.

A super-VLAN has no physical port. This limitation is obligatory, as shown below:

1. If you configure the super-VLAN and then the trunk interface, the frames of a super-VLAN are filtered automatically according to the VLAN range set on the trunk interface.

As shown in Figure 4, no frame of the super-VLAN 10 passes through Port3 on Switch 1, even though the interface allows frames from all VLANs to pass through.

2. If you finish configuring the trunk interface and allow all VLANs to pass through, you still cannot configure the super-VLAN on Switch 1. The root cause is that any VLAN with physical ports cannot be configured as the super-VLAN, and the trunk interface allows only the frames tagged with VLAN IDs to pass through. Therefore, no VLAN can be configured as a super-VLAN.

As for Switch 1, the valid VLANs are just VLAN 2 and VLAN 3, and all frames are forwarded in these VLANs.

Layer 3 Communications Between a Sub-VLAN and an External Network.

Figure 5 - Networking diagram of Layer 3 communications between a sub-VLAN and an external network

As shown in Figure 5, Switch 1 is configured with super-VLAN 4, sub-VLAN 2, sub-VLAN 3, and a common VLAN 10. Switch 2 is configured with two common VLANs, namely, VLAN 10 and VLAN 20. Suppose that Switch 1 is configured with the route to the network segment 1.1.3.0/24, and Switch 2 is configured with the route to the network segment 1.1.1.0/24. Then Host A in sub-VLAN 2 that belongs to the super-VLAN 4 needs to access Host C in Switch 2.

0. After comparing the IP address of Host C 1.1.3.2 with its IP address, Host A finds that two IP addresses are not in the same network segment 1.1.1.0/24.

1. Host A initiates an ARP broadcast to its gateway to request the MAC address of the gateway.

2. After receiving the ARP request, Switch 1 identifies the correlation between the sub-VLAN and the super-VLAN, and offers an ARP response to Host A through sub-VLAN 2. The source MAC address in the ARP response packet is the MAC address of VLANIF4 for super-VLAN 4.

3. Host A learns the MAC address of the gateway.

4. Host A sends the packet to the gateway, with the destination MAC address as the MAC address of VLANIF4 for super-VLAN 4, and the destination IP address as 1.1.3.2.

5. After receiving the packet, Switch 1 performs the Layer 3 forwarding and sends the packet to Switch 2, with the next-hop address as 1.1.2.2, the outgoing interface as VLANIF10.

6. After receiving the packet, Switch 2 performs the Layer 3 forwarding and sends the packet to Host C through the directly-connected interface VLANIF20.

7. The response packet from Host C reaches Switch 1 after the Layer 3 forwarding on Switch 2.

8. After receiving the packet, Switch 1 performs the Layer 3 forwarding and sends the packet to Host A through the super-VLAN.

Understanding of VLAN - Example for Configuring VLAN Aggregation

--- End