VLAN Aggregation
Background of VLAN Aggregation
VLANs are widely used in switched networks because they give flexible control over broadcast domains and are easy to deploy. On a Layer 3 switch, interconnection between broadcast domains is implemented by mapping each VLAN to one Layer 3 logical interface. This, however, wastes IP addresses. Figure 5-10 shows the VLAN division on the device, and Table 5-4 lists the resulting address assignment.
Table 5-4 Address assignment with one subnet per VLAN

| VLAN | Subnet | Gateway Address | Number of Available Addresses | Number of Available Servers | Practical Requirements |
|---|---|---|---|---|---|
| 2 | 10.1.1.0/28 | 10.1.1.1 | 14 | 13 | 10 |
| 3 | 10.1.1.16/29 | 10.1.1.17 | 6 | 5 | 5 |
| 4 | 10.1.1.24/30 | 10.1.1.25 | 2 | 1 | 1 |
As shown in Table 5-4, VLAN 2 requires 10 server addresses and is assigned the subnet 10.1.1.0/28 (28-bit mask). 10.1.1.0 is the subnet address and 10.1.1.15 is the directed broadcast address; neither can be used as a host address. In addition, 10.1.1.1, the default gateway address of the subnet, cannot be used as a host address either. The remaining 13 addresses, 10.1.1.2 to 10.1.1.14, are available to servers. So although VLAN 2 needs only 10 addresses, the subnet division hands it 13.

VLAN 3 requires five server addresses and is assigned the subnet 10.1.1.16/29 (29-bit mask). VLAN 4 requires only one address and is assigned the subnet 10.1.1.24/30 (30-bit mask).

In total, the three VLANs need 16 (10+5+1) addresses, yet the common VLAN addressing mode consumes 28 (16+8+4) even with the tightest possible masks. Nearly half of the addresses are wasted. Worse, if VLAN 2 later connects only three servers instead of 10, the surplus addresses cannot be reused by other VLANs and are wasted as well.

This division is also inconvenient for later upgrades and expansion. Suppose two more servers must be added to VLAN 4, the addresses already assigned in VLAN 4 are not to be changed, and the addresses after 10.1.1.24 have already been assigned to others. A new subnet with a 29-bit mask and a new VLAN must then be created for the additional servers. The customer of VLAN 4 has only three servers, yet they are split across two subnets and two VLANs, which complicates network management.

In short, many IP addresses are consumed as subnet IDs, directed broadcast addresses, and default gateway addresses, none of which can be used by servers in the VLAN. This constraint on address assignment reduces addressing flexibility and leaves many idle addresses wasted. VLAN aggregation solves this problem.
Principle
The VLAN aggregation technology, also known as the super-VLAN, provides a mechanism that partitions the broadcast domain using multiple VLANs in a physical network so that different VLANs can belong to the same subnet. In VLAN aggregation, two concepts are involved, namely, super-VLAN and sub-VLAN.
- Super-VLAN: Unlike a common VLAN, a super-VLAN contains no physical ports; only its Layer 3 VLANIF interface is created. It is a purely logical Layer 3 construct that groups a number of sub-VLANs.
- Sub-VLAN: A sub-VLAN isolates a broadcast domain. It contains only physical ports, and no Layer 3 VLANIF interface can be created for it. Layer 3 switching to the outside is performed through the Layer 3 interface of the super-VLAN.
A super-VLAN can contain one or more sub-VLANs retaining different broadcast domains. The sub-VLAN does not occupy an independent subnet segment. In the same super-VLAN, IP addresses of servers belong to the subnet segment of the super-VLAN, regardless of the mapping between servers and sub-VLANs.
Because the sub-VLANs share one Layer 3 interface, the subnet IDs, default gateway addresses, and directed broadcast addresses that separate subnets would otherwise consume are conserved, and different broadcast domains can draw addresses from the same subnet segment. Subnet boundaries between the VLANs disappear, addressing becomes flexible, and fewer addresses sit idle.
Table 5-4 is reused to explain the implementation. Suppose the requirements are unchanged: VLAN 2 needs 10 server addresses, VLAN 3 needs five, and VLAN 4 needs one.

With VLAN aggregation, create VLAN 10 and configure it as a super-VLAN. Then assign the subnet 10.1.1.0/24 (24-bit mask) to VLAN 10; 10.1.1.0 is the subnet ID and 10.1.1.1 is the gateway address of the subnet, as shown in Figure 5-11. The address assignments of the sub-VLANs (VLAN 2, VLAN 3, and VLAN 4) are shown in Table 5-5.
Table 5-5 Address assignment of the sub-VLANs in super-VLAN 10 (subnet and gateway are shared by all three)

| VLAN | Subnet | Gateway Address | Number of Assigned Addresses | Server Address Range | Practical Requirements |
|---|---|---|---|---|---|
| 2 | 10.1.1.0/24 | 10.1.1.1 | 10 | 10.1.1.2-10.1.1.11 | 10 |
| 3 | 10.1.1.0/24 | 10.1.1.1 | 5 | 10.1.1.12-10.1.1.16 | 5 |
| 4 | 10.1.1.0/24 | 10.1.1.1 | 1 | 10.1.1.17 | 1 |
In VLAN aggregation, sub-VLANs are no longer carved along subnet boundaries. Instead, their addresses are assigned flexibly from the subnet of the super-VLAN according to the number of servers each one needs.

As Table 5-5 shows, VLAN 2, VLAN 3, and VLAN 4 share one subnet (10.1.1.0/24), one default gateway address (10.1.1.1), and one directed broadcast address (10.1.1.255). The addresses that the earlier division reserved as subnet IDs (10.1.1.16, 10.1.1.24), default gateways (10.1.1.17, 10.1.1.25), and directed broadcast addresses (10.1.1.15, 10.1.1.23, and 10.1.1.27) can now be used as server addresses.

In total, 16 addresses (10 + 5 + 1) are required for the three VLANs, and exactly 16 (10.1.1.2 to 10.1.1.17) are assigned to them. Including the subnet ID (10.1.1.0), the default gateway (10.1.1.1), and the directed broadcast address (10.1.1.255), 19 addresses are in use. Of the 256 addresses in the /24, 237 (256 - 19) remain free and can be assigned to any server in any sub-VLAN.
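The two accounting schemes above (one subnet per VLAN as in Table 5-4, one super-VLAN subnet as in Table 5-5) can be reproduced for any set of per-VLAN server counts. The following Python is an added example, not code from the original page or from any vendor. It assumes the same three-address overhead per conventional subnet (subnet ID, directed broadcast, default gateway), carves conventional subnets largest-first from a /24 pool so that every block stays aligned, and hands out super-VLAN addresses consecutively after the gateway. The `REQUIREMENTS` dictionary is constructed from Table 5-4; all function names are the example's own.

```python
import ipaddress

# Constructed input: the per-VLAN server counts of Table 5-4.
REQUIREMENTS = {2: 10, 3: 5, 4: 1}


def smallest_prefix(servers):
    """Longest prefix whose subnet still holds `servers` hosts plus the three
    addresses every conventional subnet loses: subnet ID, directed broadcast
    and the default gateway."""
    needed = servers + 3
    # Smallest n with 2**n >= needed; never longer than /30.
    bits = max(2, (needed - 1).bit_length())
    return 32 - bits


def classic_plan(requirements, pool="10.1.1.0/24"):
    """One subnet per VLAN, carved from `pool` largest-first so each block is aligned."""
    pool = ipaddress.ip_network(pool)
    cursor = int(pool.network_address)
    plan = {}
    for vlan, servers in sorted(requirements.items(), key=lambda kv: -kv[1]):
        net = ipaddress.ip_network((cursor, smallest_prefix(servers)))
        if net.broadcast_address > pool.broadcast_address:
            raise ValueError("pool exhausted at VLAN %d" % vlan)
        plan[vlan] = {
            "subnet": str(net),
            "gateway": str(net.network_address + 1),
            "available": net.num_addresses - 2,   # minus subnet ID and directed broadcast
            "servers": net.num_addresses - 3,     # minus the default gateway as well
            "required": servers,
        }
        cursor += net.num_addresses
    return plan


def classic_consumed(plan):
    """Addresses taken out of the pool, whether or not a server ever uses them."""
    return sum(ipaddress.ip_network(e["subnet"]).num_addresses for e in plan.values())


def aggregated_plan(requirements, super_subnet="10.1.1.0/24"):
    """All VLANs as sub-VLANs of one super-VLAN: consecutive addresses from one subnet.
    Returns (per-VLAN address ranges, addresses still free in the super-VLAN subnet)."""
    net = ipaddress.ip_network(super_subnet)
    next_free = net.network_address + 2          # .0 is the subnet ID, .1 the gateway
    plan = {}
    for vlan, servers in sorted(requirements.items()):
        first, last = next_free, next_free + (servers - 1)
        if last >= net.broadcast_address:
            raise ValueError("super-VLAN subnet exhausted at VLAN %d" % vlan)
        plan[vlan] = {
            "range": str(first) if servers == 1 else "%s-%s" % (first, last),
            "assigned": servers,
            "required": servers,
        }
        next_free = last + 1
    used = 3 + sum(requirements.values())        # subnet ID, gateway, broadcast, servers
    return plan, net.num_addresses - used


if __name__ == "__main__":
    classic = classic_plan(REQUIREMENTS)
    aggregated, free = aggregated_plan(REQUIREMENTS)
    print("classic plan consumes", classic_consumed(classic), "addresses for",
          sum(REQUIREMENTS.values()), "servers")
    print("aggregated plan leaves", free, "addresses free in one /24")
```

With the table's requirements the conventional plan consumes 28 addresses for 16 servers, while the aggregated plan leaves 237 addresses of the /24 free. Raising VLAN 2 to 14 servers makes `smallest_prefix` jump to a /27 in the conventional plan, whereas the aggregated plan grows by exactly four addresses.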
Communication Between VLANs
Introduction
VLAN aggregation lets different VLANs use IP addresses in the same subnet segment. This, however, raises the question of how Layer 3 forwarding between sub-VLANs works.

In common VLAN mode, servers in different VLANs communicate through Layer 3 forwarding via their respective gateways. In VLAN aggregation mode, all servers in a super-VLAN use addresses from the same network segment and share one gateway address, so servers in different sub-VLANs regard each other as on-link and try to communicate directly at Layer 2 rather than through the gateway. But the sub-VLANs are isolated from each other at Layer 2, so the servers cannot reach each other.
To solve the preceding problem, you can use Proxy ARP.
For details about proxy ARP, see ARP in the IP Services.
Layer 3 communication between different sub-VLANs
If hosts on the same network segment of the same physical network but in different VLANs need to communicate at Layer 3, enable inter-VLAN proxy ARP on the corresponding VLANIF interface.

As shown in Figure 5-12, Host A and Host B are on the same network segment and connected to the Switch; Host A belongs to VLAN 3 and Host B belongs to VLAN 2. Because they are in different sub-VLANs, they cannot communicate at Layer 2. Enabling inter-VLAN proxy ARP on VLANIF 4 of the Switch solves this. Note what that implies: the hosts send their traffic to the MAC address of the VLANIF and the Switch forwards it at Layer 3, so the Layer 2 isolation between sub-VLANs no longer means that hosts in different sub-VLANs cannot exchange IP traffic.
- Host A sends an ARP Request packet for the MAC address of Host B.
- After receiving the ARP Request packet, the Switch detects that the destination IP address is not its own IP address and that the requested MAC address is not its own MAC address. The Switch then checks whether it has an ARP entry for Host B.
- If there is an ARP entry that matches Host B and the VLAN in the entry differs from the VLAN of the receiving port, the Switch checks whether inter-VLAN proxy ARP is enabled on the corresponding VLANIF interface.
  - If inter-VLAN proxy ARP is enabled, the Switch replies to Host A with the MAC address of VLANIF 4. Host A treats this as the ARP Reply from Host B, learns the MAC address of VLANIF 4, and uses it as the destination MAC address of the data packets it sends to Host B.
  - If inter-VLAN proxy ARP is not enabled, the Switch discards the ARP Request packet sent by Host A.
- If there is no ARP entry for Host B, the Switch discards the ARP Request packet sent by Host A and checks whether inter-VLAN proxy ARP is enabled on the corresponding VLANIF interface.
  - If inter-VLAN proxy ARP is enabled, the Switch broadcasts an ARP Request packet with the IP address of Host B as the destination IP address within VLAN 2. When the Switch receives the ARP Reply packet from Host B, it creates an ARP entry mapping the IP address of Host B to its MAC address. A subsequent ARP Request from Host A then matches that entry and is answered as described above.
  - If inter-VLAN proxy ARP is not enabled, the Switch does nothing further.
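The branches of that procedure, as an added example that is not from the page or from any vendor implementation: a small Python model of the Switch's decision for an ARP Request received on a sub-VLAN. The class, its method names, and the host and MAC addresses are all constructed for the example. Two points are assumptions rather than statements of the page: when no entry exists the model re-originates the request in every other sub-VLAN of the super-VLAN (the text describes only the case where Host B happens to be in VLAN 2), and a request whose target is already known in the receiving sub-VLAN is left to ordinary Layer 2 ARP.

```python
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    vlan: int          # sub-VLAN in which the entry was learned


@dataclass
class SuperVlanSwitch:
    """Constructed model of the ARP handling on a super-VLAN's VLANIF (not vendor code)."""
    super_vlan: int
    vlanif_ip: str     # gateway address configured on the super-VLAN's VLANIF
    vlanif_mac: str
    sub_vlans: set
    inter_vlan_proxy_arp: bool = False
    arp_table: dict = field(default_factory=dict)   # ip -> ArpEntry

    def on_arp_reply(self, ip, mac, vlan):
        """Install the entry learned from an ARP Reply heard in a sub-VLAN."""
        self.arp_table[ip] = ArpEntry(mac, vlan)

    def on_arp_request(self, in_vlan, target_ip):
        """Decide what happens to an ARP Request received on sub-VLAN `in_vlan`.
        Returns an (action, detail) tuple."""
        if in_vlan not in self.sub_vlans:
            return ("drop", "VLAN %d is not a sub-VLAN of super-VLAN %d" % (in_vlan, self.super_vlan))
        if target_ip == self.vlanif_ip:
            # Request for the gateway itself: answered with the VLANIF's own MAC.
            return ("reply", self.vlanif_mac)
        entry = self.arp_table.get(target_ip)
        if entry is None:
            # Unknown target: the original request is discarded either way.
            if not self.inter_vlan_proxy_arp:
                return ("drop", "no ARP entry and inter-VLAN proxy ARP disabled")
            # Assumption: the switch re-originates the request in the other sub-VLANs.
            return ("request", sorted(self.sub_vlans - {in_vlan}))
        if entry.vlan == in_vlan:
            # Same broadcast domain: ordinary Layer 2 ARP, nothing to proxy (assumption).
            return ("forward", in_vlan)
        if not self.inter_vlan_proxy_arp:
            return ("drop", "target is in sub-VLAN %d and inter-VLAN proxy ARP disabled" % entry.vlan)
        # Proxy case: answer with the VLANIF MAC so the traffic is routed through the switch.
        return ("reply", self.vlanif_mac)


def walk_through(proxy_enabled=True):
    """Replay the Figure 5-12 exchange: Host A (VLAN 3) resolves Host B (VLAN 2).
    Addresses are constructed to match the Table 5-5 ranges."""
    sw = SuperVlanSwitch(super_vlan=4, vlanif_ip="10.1.1.1", vlanif_mac="02:00:00:00:00:04",
                         sub_vlans={2, 3}, inter_vlan_proxy_arp=proxy_enabled)
    host_b_ip, host_b_mac = "10.1.1.2", "02:00:00:00:00:0b"
    log = []
    log.append(sw.on_arp_request(in_vlan=3, target_ip=host_b_ip))   # no entry for Host B yet
    if sw.inter_vlan_proxy_arp:
        sw.on_arp_reply(host_b_ip, host_b_mac, vlan=2)              # Host B answers in VLAN 2
    log.append(sw.on_arp_request(in_vlan=3, target_ip=host_b_ip))   # Host A retries
    log.append(sw.on_arp_request(in_vlan=3, target_ip="10.1.1.1"))  # Host A resolves the gateway
    return log


if __name__ == "__main__":
    for action in walk_through():
        print(action)
```

`walk_through()` shows the first request from Host A finding no entry and being re-originated in VLAN 2, Host B's reply installing the entry, and the retried request being answered with the VLANIF MAC, which is also what Host A receives when it resolves the gateway. With inter-VLAN proxy ARP disabled the first two requests are dropped. In the proxied case Host A never learns Host B's real MAC address: every packet between the sub-VLANs is addressed to the Switch and forwarded at Layer 3 on VLANIF 4, so that interface is where any policy between sub-VLANs has to be applied.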
Layer 2 communication between a sub-VLAN and an external network
As shown in Figure 5-13, in the Layer 2 VLAN communication based on ports, the received or sent frames are not tagged with the super-VLAN ID.
A frame from Server A that enters Switch1 through Port1 is tagged with the ID of VLAN 2. Switch1 does not rewrite the tag to the ID of VLAN 10 even though VLAN 2 is a sub-VLAN of VLAN 10, so after leaving through Port3, a trunk port, the frame still carries the ID of VLAN 2.

That is, Switch1 itself never sends frames tagged with VLAN 10. Switch1 also discards any frames tagged with VLAN 10 that other devices send to it, because Switch1 has no physical port in VLAN 10.

A super-VLAN has no physical port, and this restriction is enforced in both configuration orders:

If the super-VLAN is configured before the trunk interface, frames of the super-VLAN are automatically filtered out of the VLAN range allowed on the trunk interface. As shown in Figure 5-13, no frame of super-VLAN 10 passes through Port3 on Switch1 even though the interface is configured to allow frames of all VLANs.

If the trunk interface is configured first and allows all VLANs, the super-VLAN cannot be configured on Switch1 afterwards. The root cause is that a VLAN that has a physical port cannot be configured as a super-VLAN, and a trunk interface that allows all VLANs is a member port of every VLAN, so no VLAN is left that could become the super-VLAN.
As for Switch1, the valid VLANs are just VLAN 2 and VLAN 3, and all frames are forwarded in these VLANs.
Layer 3 communication between a sub-VLAN and an external network
As shown in Figure 5-14, Switch1 is configured with super-VLAN 4, sub-VLAN 2, sub-VLAN 3, and a common VLAN 10. Switch2 is configured with two common VLANs, VLAN 10 and VLAN 20. Suppose Switch1 has a route to the network segment 10.1.3.0/24, Switch2 has a route to the network segment 10.1.1.0/24, and Server A in sub-VLAN 2 of super-VLAN 4 needs to reach Server C behind Switch2.
- Server A compares the IP address of Server C, 10.1.3.2, with its own address and finds that the two are not in the same network segment, 10.1.1.0/24.
- Server A broadcasts an ARP Request for the MAC address of its gateway.
- After receiving the ARP request, Switch1 identifies the correlation between the sub-VLAN and the super-VLAN, and offers an ARP response to Server A through sub-VLAN 2. The source MAC address in the ARP response packet is the MAC address of VLANIF4 for super-VLAN 4.
- Server A learns the MAC address of the gateway.
- Server A sends the packet to the gateway, with the destination MAC address as the MAC address of VLANIF4 for super-VLAN 4, and the destination IP address as 10.1.3.2.
- After receiving the packet, Switch1 performs the Layer 3 forwarding and sends the packet to Switch2, with the next hop address as 10.1.2.2, the outgoing interface as VLANIF10.
- After receiving the packet, Switch2 performs the Layer 3 forwarding and sends the packet to Server C through the directly-connected interface VLANIF20.
- The response packet from Server C reaches Switch1 after the Layer 3 forwarding on Switch2.
- After receiving the packet, Switch1 performs the Layer 3 forwarding and sends the packet to Server A through the super-VLAN.