From: "Norman W. Finn"
Subject: External and Internal Addresses in Explicit Tags
To: p8021@NIC.HEP.NET
Date: Thu, 25 Jan 96 0:03:04 PST

Here is the text of the contribution presented, today, at the interim meeting.

External and Internal Addresses in Explicit Tags

1.0 Explicitly Tagged Frames

The following definition of "explicit tagging" is used in another contribution by this author. An explicitly-tagged, encapsulated frame contains:

1. Source and destination MAC addresses. The destination MAC address may be the same as that of the encapsulated frame, a multicast address identifying "interested VLAN switches", the MAC address of a particular VLAN switch, or the MAC address of a subsection of a VLAN switch. (These issues are presented in a separate contribution.)

2. A tag value which identifies which VLAN the encapsulated frame belongs to.

3. An indication of at least whether the encapsulated frame is in 802.3/Ethernet format or 802.5 format. (The question of whether other formats are to be supported is TBD.) This indication may be explicit, or may be implicit in the VLAN tag value (again, TBD).

4. The encapsulated frame, bit-for-bit identical to its native un-encapsulated form on its native medium (802.3/Ethernet, 802.5, etc.).

5. Whether the frame contains one or more FCS fields is TBD.

6. A frame may be encapsulated on a LAN type (802.3/Ethernet, 802.5, etc.) that is different from its frame type before encapsulation. In this case, the encapsulated frame undergoes no change. The type of the encapsulation, including at least the source/destination MAC addresses and tag fields, matches the type of the medium over which the encapsulated frame is carried.

This contribution addresses only the first point, the addresses used in the exterior frame.

2.0 802.10 Address Export Problem

When encapsulating a frame in an 802.10 wrapper, the source and destination addresses of the unencapsulated frame are exported to the enclosing encapsulation. This is a problem in at least two situations:

1. We may wish to encapsulate 802.5 frames and carry them across 802.3 media. It is common to have two endstations with identical MAC addresses on two different token rings which are source-route bridged together.

2. We may wish to encapsulate 802.3 frames for different VLANs across a single 802.3 medium. It is common to have an endstation that uses the same MAC address on two different physical media, or, in our case, on two different VLANs.

In both of these situations, a 48-bit MAC address alone is insufficient to direct the encapsulated frame to its intended destination. Additional information, RIF information in the first case and VLAN identity in the second, is required.

3.0 Possible Solutions

There are several possible addresses one could use in the outer (encapsulating) frame.

3.1 Two-Layer Bridging

One way to tackle this problem is to assign a MAC address to each physical port on each VLAN switch that is used for sending or receiving explicitly-tagged frames. Whenever a VLAN switch encapsulates a frame, it uses the port's MAC address as the source MAC address. For each VLAN, and for each "user level" destination MAC address in its bridging table, the VLAN switch maintains the MAC address of the bridge which sourced the last frame received from that user level MAC address. Thus, each VLAN switch keeps track of the VLAN switch that each user-level MAC address is "behind". This is similar to the way that transparent bridges now keep track of the port on which a given MAC address was last received; it is additional information to be learned. When the bridge MAC address is not known, a standard, fixed, "all 802.1 bridges" multicast address is used for the outer destination MAC address. The VLAN switch must, of course, receive frames addressed to this multicast MAC address.
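The following is an added example, not part of Finn's contribution, that models the two-layer bridging scheme of Section 3.1 together with the duplicate-MAC case of Section 2.0 and the peek rule of Section 4.1. The encapsulation layout (outer DA, outer SA, 2-byte VLAN tag, 1-byte format indicator, inner frame), the use of the 802.1D Bridge Group Address as the "all 802.1 bridges" multicast, and all switch and station MAC values are assumptions made for this example; the contribution leaves those details TBD.

```python
# Added example (not from the contribution): toy two-layer bridging VLAN switch.
# Assumed encapsulation layout, since the contribution leaves the format TBD:
#   outer DA (6) | outer SA (6) | VLAN tag (2, big-endian) | format (1) | inner frame
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Assumption: use the 802.1D Bridge Group Address as the "all 802.1 bridges" multicast.
ALL_BRIDGES = bytes.fromhex("0180c2000000")
FMT_8023, FMT_8025 = 0x00, 0x01          # format indicator values, assumed


def mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def eth_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal 802.3/Ethernet frame without FCS (FCS handling is TBD in the text)."""
    return dst + src + ethertype.to_bytes(2, "big") + payload


def encapsulate(outer_dst: bytes, outer_src: bytes, vlan: int, fmt: int, inner: bytes) -> bytes:
    """Wrap the inner frame unchanged, bit for bit, inside the assumed outer header."""
    return outer_dst + outer_src + vlan.to_bytes(2, "big") + bytes([fmt]) + inner


def decapsulate(frame: bytes) -> Tuple[bytes, bytes, int, int, bytes]:
    return frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big"), frame[14], frame[15:]


@dataclass
class VlanSwitch:
    name: str
    port_macs: Dict[int, bytes]   # tagged port -> MAC used as outer SA on that port
    # (VLAN, user MAC) -> (port last seen on, outer bridge MAC it is behind; None if local)
    table: Dict[Tuple[int, bytes], Tuple[int, Optional[bytes]]] = field(default_factory=dict)

    def receive_native(self, port: int, vlan: int, inner: bytes) -> None:
        """Untagged frame from a local user: learn its port; no bridge is behind it."""
        self.table[(vlan, inner[6:12])] = (port, None)

    def receive_tagged(self, port: int, frame: bytes) -> Optional[Tuple[int, int, bytes]]:
        """Section 4.1 rule: look inside only when the outer DA is our own port MAC or
        the all-bridges multicast. The table is keyed by (VLAN, inner SA), so the
        same MAC in two VLANs yields two entries (the Section 2.0 duplicate case)."""
        outer_dst, outer_src, vlan, fmt, inner = decapsulate(frame)
        if outer_dst != self.port_macs[port] and outer_dst != ALL_BRIDGES:
            return None
        self.table[(vlan, inner[6:12])] = (port, outer_src)
        return vlan, fmt, inner

    def send_tagged(self, egress_port: int, vlan: int, fmt: int, inner: bytes) -> bytes:
        """Outer DA is the bridge the inner DA was learned behind; multicast if unknown."""
        entry = self.table.get((vlan, inner[0:6]))
        outer_dst = entry[1] if entry and entry[1] is not None else ALL_BRIDGES
        return encapsulate(outer_dst, self.port_macs[egress_port], vlan, fmt, inner)


def demo() -> dict:
    """Constructed scenario: switch A's tagged port 1 shares a backbone with switches
    B and C. Station MAC 00:00:00:00:00:01 exists twice, in VLAN 10 behind B and in
    VLAN 20 behind C; a local station on A's port 2 talks to both."""
    a = VlanSwitch("A", {1: mac("02:00:00:00:0a:01")})
    b1, c1 = mac("02:00:00:00:0b:01"), mac("02:00:00:00:0c:01")
    dup, local = mac("00:00:00:00:00:01"), mac("00:00:00:00:00:02")
    a.receive_native(2, 10, eth_frame(dup, local, 0x0800, b"to vlan10 peer"))
    a.receive_native(2, 20, eth_frame(dup, local, 0x0800, b"to vlan20 peer"))
    f10 = eth_frame(local, dup, 0x0800, b"from vlan10 station")
    f20 = eth_frame(local, dup, 0x0800, b"from vlan20 station")
    seen10 = a.receive_tagged(1, encapsulate(ALL_BRIDGES, b1, 10, FMT_8023, f10))
    seen20 = a.receive_tagged(1, encapsulate(a.port_macs[1], c1, 20, FMT_8023, f20))
    # A frame whose outer DA is another switch's port MAC is not looked into at all.
    ignored = a.receive_tagged(1, encapsulate(b1, c1, 20, FMT_8023, f20))
    reply10 = a.send_tagged(1, 10, FMT_8023, eth_frame(dup, local, 0x0800, b"reply"))
    reply20 = a.send_tagged(1, 20, FMT_8023, eth_frame(dup, local, 0x0800, b"reply"))
    unknown = a.send_tagged(1, 30, FMT_8023, eth_frame(dup, local, 0x0800, b"reply"))
    return {
        "inner_intact": seen10 == (10, FMT_8023, f10) and seen20 == (20, FMT_8023, f20),
        "ignored_foreign_dst": ignored is None,
        "vlan10_outer_dst": decapsulate(reply10)[0].hex(),   # B's port MAC
        "vlan20_outer_dst": decapsulate(reply20)[0].hex(),   # C's port MAC
        "unknown_outer_dst": decapsulate(unknown)[0].hex(),  # all-bridges multicast
        "entries_for_dup_mac": sum(1 for (_, m) in a.table if m == dup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to check in the output is that the same inner destination MAC is sent to two different outer bridge addresses depending only on the VLAN tag, that the inner frame comes back out of decapsulation unchanged, and that a switch never learns from a frame whose outer DA is not its own.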
One advantage of this scheme is that it improves the scaling properties of the bridged network; a VLAN switch needs to know the MAC addresses of its local users, the MAC addresses of the users with which they are conversing, and the MAC addresses of the other bridges. It does not need to know the MAC addresses of all of the users in the network. Another advantage is that the outer and inner MAC address spaces are kept separate. The MAC address spaces of the different VLANs and the backbone may overlap arbitrarily.

3.2 MAC Address encoding of exit port

Let us start with the two-layer bridging plan just described (Section 3.1). Now, suppose that a VLAN switch assigns multiple MAC addresses to be used by each port sending or receiving explicitly-tagged frames. It dedicates each MAC address to traffic coming from one particular other physical port on the VLAN switch. That is, traffic bridged from port n to explicitly-tagged port m uses source MAC address MAC[m,n]. To the other VLAN switches, this VLAN switch now appears to consist of a number of different VLAN switches, one for each of this VLAN switch's other ports.

This scheme has the advantage that, when receiving frames, the VLAN switch can behave like multiple transparent bridges. This may cut down the amount of computation performed by the receiving VLAN switch on unicast traffic, and may enable certain physical architectures that would otherwise be difficult to implement. It has the disadvantage, of course, that the scaling properties of the two-layer bridging scheme are reduced: the other switches must now learn one address per port of this switch rather than one per tagged port.

3.3 Exporting MAC addresses

In the absence of the duplicate MAC problems mentioned in Section 2.0, the exit port addressing of Section 3.2 can be extended to the user endstation level by exporting the inner addresses to the outer (encapsulating) frame, as is done in 802.10. This is possible only when duplicate addresses, RIFs, etc., are not a problem. The entire VLAN network then has the same scaling properties as a single VLAN.
4.0 Hybrid Solution

At this point, it is only necessary to point out that each VLAN switch can make its own decision as to whether to assign one or more MAC addresses for use with explicit tagging, and whether to assign those addresses on a one-per-port, many-per-port, or export-user-address basis. This choice is subject only to the desire of the system administrator to reduce the size of the backbone switches' bridging tables, and to accommodate duplicate MAC addresses.

4.1 Peeking inside frames

It is important to choose the MAC addresses assigned to the VLAN switches in such a manner that they do not overlap among the different VLANs. As long as a single spanning tree is used for all VLANs, a VLAN switch should be able to determine whether to look beyond the source and destination MAC addresses solely based on whether the destination MAC address is one of its own.

4.2 Compatibility with existing implementations

The requirement to maintain both the port number and the bridge MAC address from which a given user MAC address was last received could be an insurmountable burden to place on existing bridges. Fortunately, the scheme still works if a VLAN switch places the "all 802.1 bridges" multicast MAC address on all outgoing encapsulated frames. This hurts the scalability of the VLAN network, but makes it no worse than it was before the advent of VLANs. The essential point is that the impact on existing bridge implementations can be limited to the actual encapsulation, and not extend to the bridge table format itself.

Norman Finn, Cisco Systems, Jan 24 1996
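As an added example that is not part of the contribution, the following models the three address-assignment choices a switch can make under Section 4.0 (one per tagged port as in 3.1, MAC[m,n] per exit port as in 3.2, or exported user addresses as in 3.3) together with the Section 4.2 fallback of always using the all-bridges multicast, and counts what a neighbouring backbone switch would have to learn under each choice. The class and function names, the port numbering, the locally administered MAC values and the choice of the 802.1D Bridge Group Address as the all-bridges multicast are all assumptions made for this example.

```python
# Added example (not from the contribution): the address-assignment choices of
# Sections 3.1-3.3 and 4.2, and their effect on a peer switch's bridging table.
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption: 802.1D Bridge Group Address stands in for the "all 802.1 bridges" multicast.
ALL_BRIDGES = bytes.fromhex("0180c2000000")
MODES = ("per-port", "per-exit-port", "export")


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


class AddressPlan:
    """Outer address choices made by one VLAN switch for its tagged port m."""

    def __init__(self, mode: str, tagged_port: int, user_ports: Iterable[int], legacy: bool = False):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.m, self.legacy = mode, tagged_port, legacy
        # Section 3.1: one locally administered MAC per tagged port (value constructed here).
        self.port_mac = mac(f"02:00:00:00:00:{tagged_port:02x}")
        # Section 3.2: MAC[m,n], one per (tagged port m, other port n) (values constructed here).
        self.exit_port_mac: Dict[int, bytes] = {
            n: mac(f"02:00:00:{tagged_port:02x}:00:{n:02x}") for n in user_ports
        }

    def outer_src(self, ingress_port: int, inner_src: bytes) -> bytes:
        if self.mode == "per-port":
            return self.port_mac
        if self.mode == "per-exit-port":
            return self.exit_port_mac[ingress_port]
        return inner_src                       # Section 3.3: 802.10-style export

    def outer_dst(self, learned_bridge: Optional[bytes], inner_dst: bytes) -> bytes:
        if self.mode == "export":
            return inner_dst
        if self.legacy or learned_bridge is None:
            return ALL_BRIDGES                 # Section 4.2 fallback, or nothing learned yet
        return learned_bridge


def apparent_bridges(plan: AddressPlan, traffic: List[Tuple[int, bytes]]) -> Set[bytes]:
    """Distinct outer source MACs a peer would learn from this switch: how many
    'VLAN switches' it appears to be (Section 3.2) and how many entries it costs
    the backbone switches' tables (Section 4.0)."""
    return {plan.outer_src(port, src) for port, src in traffic}


def demo() -> dict:
    """Constructed topology: tagged port 1, user ports 2-4 with five stations each."""
    user_ports = (2, 3, 4)
    traffic = [(n, mac(f"00:00:00:00:{n:02x}:{i:02x}")) for n in user_ports for i in range(5)]
    entries = {mode: len(apparent_bridges(AddressPlan(mode, 1, user_ports), traffic))
               for mode in MODES}
    peer = mac("02:00:00:00:00:09")            # a bridge MAC previously learned, constructed
    learned = AddressPlan("per-port", 1, user_ports).outer_dst(peer, traffic[0][1])
    legacy = AddressPlan("per-port", 1, user_ports, legacy=True).outer_dst(peer, traffic[0][1])
    return {"entries": entries, "learned_dst": learned.hex(), "legacy_dst": legacy.hex()}


if __name__ == "__main__":
    print(demo())
```

With fifteen stations spread over three user ports, the peer's table needs one entry for this switch in per-port mode, three in per-exit-port mode and fifteen in export mode, which is the trade-off Section 4.0 leaves to the administrator; a legacy switch that cannot store the learned bridge address falls back to the multicast destination on every frame regardless of what it has learned.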