
Friday, January 26, 2018

The VLAN 101 Story


TL;DR - OP writes a story to explain how VLANs work using an example problem, because inquiring minds want to know.

Ok, here is VLAN 101, written as a story and providing a quick summary of the use of 802.1Q to solve a problem:

For the sake of argument, let's do this with an example, because that makes the concept easier to grasp.  So let's say that you are living with your mother in a house with three levels: attic, main floor, and basement.  You live in the basement and you just signed a contract to provide some IT services to get a server ready.  The only problem is, your house doesn't have internet, and your mother doesn't want a lot of wires going through her walls; she wants things neat and tidy.  You convince her that if she gets internet through an ISP she gets to watch movies on Netflix through her network-aware TV, her cell phone can use wifi, and a little later on she can get a camera pointed at the front door so she can see who is there.  An additional gotcha is that there is a lot of metal/concrete in the main floor, so wifi doesn't reach the basement easily.  I am purposefully taking cable TV out of the picture here and concentrating only on the internet connection and the Ethernet wiring, which you need to do your contract work.

So you think this through and decide that if the ISP brings the incoming line into the attic, you can do everything with a two-port Ethernet patch panel in the attic, two Ethernet cables running from the attic to the main floor, a three-port Ethernet patch panel on the main floor that those cables attach to, and one Ethernet cable running from the main floor patch panel to a single-port Ethernet patch panel in the basement.  Your wiring would be ISP (attic) -> port#1 (attic patch panel) -> port#1 (main floor patch panel) -> ISP router (with wifi) WAN port.  That's the incoming service.  For LAN-side service: router LAN port (main floor) -> port#3 (main floor patch panel) -> port (basement patch panel) for your server; and a different router LAN port (main floor) -> port#2 (main floor patch panel) -> port#2 (attic patch panel) for the camera to connect to.  You can plug the TV into an empty ISP router LAN port.  You also think to yourself that if you have an unmanaged switch you can plug that into the port in the basement and plug your server equipment and your laptop into it.  So you write up the instructions for the ISP installer.  Your hardware diagram looks like this:

     +--------+                             +--------+
     | ISP    +-----------+   +-------------+ Camera |
     | Conn.  |           |   |             |        |
     +--------+        +--v---v--+          +--------+
                       |  1   2  |
                       +--+---+--+
                          |   |
                          |   |
                          |   |                 Attic
            --------------------------------------------
                          |   |
                          |   |
                          |   |   +--------+
     +--------+           |   |   |        |
     | ISP    |WAN     +--+---+---+--+     |
     | Router +---------->1   2   3  |     |
     |        |        +------^---^--+     |
     +-+-+--+-+ LAN           |   |        |
       | |  +-----------------+   |        |
    LAN| |LAN                     |        |
       | +------------------------+        |
       |                                   |
     +-+---+                      +--------+
     | TV  |                      |
     +-----+                      |             Main Floor
            --------------------------------------------
                                  |
                               +--+--+
                               |  1  |
                               +--^--+
                                  |
           +-----------+          |         +----------+
           |           |     +----+----+    |          |
           | Server    +-----> Unmgd   <----+ Laptop   |
           |           |     | Switch  |    |          |
           +-----------+     +---------+    +----------+
    
                                               Basement

On the day of the installation you leave to get your server equipment, and your mother is now in charge of giving the instructions to the ISP installer.  While you are gone, the ISP installer gets the instructions from your mother and notes that in your neighborhood all cables and electric are in conduit in the ground coming to the houses.  So, guess what, the ISP installer puts the connection in conduit in the ground up to your house and installs the ISP connection in the basement.  However, the Ethernet cable connections in the walls are done per your instructions.  Then the ISP installer runs an Ethernet cable from the ISP connection in the basement to the single-port patch panel in the basement.  He then puts the router (with wifi) on a table on the main floor behind the TV, connects the WAN port on the router to the port on the three-port patch panel going to the basement, connects the TV to a LAN port on the router, and leaves.  Meanwhile your mother is not really happy about seeing those antennas on the router in her living room and waits for you to come home to complain.

You arrive at home with the server, an unmanaged switch, and a gleam in your eye, knowing that it will be simple to get everything connected.  Then you discover what happened with the install while you were away.  In addition, your mother tells you to get rid of the antenna "thingy" in the living room because it looks bad. So what do you do now?  Enter 802.1Q.

You understand instinctively through your IT experience that you have several broadcast domains to deal with here.  When we use the term broadcast domain we are talking about a logical division of a network where the nodes can reach each other by broadcast at the data link layer (in our case Ethernet).  You can have several LAN segments in the broadcast domain "bridged" together with hubs or switches; broadcast-wise they can still reach each other.  A router forms a boundary between broadcast domains.  In our case we have at least two broadcast domains to deal with: the ISP network and your home network.  The ISP router forms the barrier between the ISP and the home network and allows traffic to flow from one to the other according to a set of rules, e.g. network address translation, known as NAT.

You know that you cannot put the router in the basement because one of the selling points is the wifi connection.  That leaves putting the ISP router in the attic.  You only have one Ethernet cable between the basement and the main floor, so that rules out running the LAN side of the router to your server on its own cable.  Somehow you have to carry the ISP Ethernet up to the WAN port on the router in the attic and the LAN port on the router back down to your server equipment, using that one cable.  So let's talk "router on a stick"; it's going to look like we have the router on a long pole.

If you obtain two VLAN-aware (managed) switches, you can solve the problem.  A virtual LAN (VLAN) is like any other LAN: a single broadcast domain.  VLANs are normally separated from each other just as one physical LAN is separated from another.  But in this case we can flow the traffic from multiple VLANs down the same physical cable by using 802.1Q.  In the 802.1Q Ethernet frame that goes out over our cable (layer 2), we introduce a 32-bit VLAN tag field between the source MAC address field and the EtherType/Length field of the original Ethernet frame.  This 32-bit field is composed of: a Tag Protocol Identifier (TPID) of 16 bits set to 0x8100 [it ends up in the same position as the EtherType/Length field, which is how a receiver recognizes a tagged frame]; a Priority Code Point (PCP) of 3 bits carrying the 802.1p priority [used to prioritize classes of traffic such as voice, video, data, etc.]; a Canonical Format Indicator (CFI) of 1 bit indicating whether the MAC address is in canonical format [always 0 for Ethernet switches, to distinguish from Token Ring]; and a VLAN Identifier (VID) of 12 bits specifying the VLAN number the frame belongs to [0x000 and 0xFFF are reserved, giving 4094 possible VLANs].

As long as the connecting devices understand the VLAN tag field, they can insert the field when sending frames down a physical connection/cable.  Note that frames from different VLANs can be mixed together on the same physical cable, but are identified, and therefore isolated from each other, by this 32-bit field.  The IEEE 802.1Q standard defines this field and how it is used.  A static VLAN connection is when a port on a managed switch connects to one single VLAN (an "untagged" port).  A dynamic VLAN connection uses these 32-bit fields on frames to distinguish between different VLANs and multiplex them together on the same cable.  We sometimes call this a "trunk" line.  The trunk ports on the two managed switches are set up to send and receive "tagged" frames.  Note that some routers also have VLAN tag capability.

Back to our story.  So you leave the house again and go out and buy two cheap managed switches, along with a few Ethernet patch cables, and bring them home.  When you get home you place one of the managed switches in the attic and connect it (port SW1-8) to port#1 of the attic patch panel, and one in the basement connected (port SW2-8) to the basement patch panel.  The designation SW1-8 means port 8 on Switch#1.  In the attic, you connect the WAN port of the ISP router to the managed switch and note the port number (SW1-1) on the switch.  Likewise you connect one of the LAN ports on the ISP router to the managed switch on a second port (SW1-2).  You also connect one of the ports (SW1-3) on the switch to port#2 on the attic patch panel.  Down on the main floor you connect port#1 to port#3 on the main floor patch panel and port#2 to the TV.  In the basement you connect one of the ports (SW2-8) on the managed switch to the port on the basement patch panel.  You connect another of the ports (SW2-2) on the managed switch to your server.  Your laptop goes into still another port (SW2-3) on the managed switch.  Normally we would go ahead and connect the ISP connection to the managed switch (SW2-1) in the basement, but we have to configure it first.  The hardware connection now looks like this:

                                                               +-----------+
                              +--------------------------------+ Camera    |
                              |                                |           |
                   +----------v---+                            +-----------+
                   |  Managed     +------------+
                   |  Switch#1    |            |
                   |              +--------+   |
                   +--^----^------+x       |   |
                      |    |            +--v---v--+
    +-------------+   |    |            |  1   2  |
    |  ISP        +---+    |            +--+---+--+
    |  Router     | WAN    |               |   |
    |             +--------+               |   |
    +-------------+ LAN                    |   |                 Attic
                            --------------------------------------------
                                           |   |
                                           |   |
                                           |   |   +--------+
                                           |   |   |        |
                                        +--+---+---+--+     |
                                        |  1   2   3  |     |
                                        +--^---^---^--+     |
                      +---------+          |   |   |        |
                      |         |          +-------+        |
                      | TV      |              |            |
                      |         +--------------+            |
                      +---------+                  +--------+
                                                   |             Main Floor
                             --------------------------------------------
                                                   |
                                                +--+--+
                                                |  1  |
                                                +--^--+
                                                   |
                                                   |x
                      +-----------+         +--------------+        +-----------+
                      |           |         |  Managed     |        |           |
                      |  Server   +--------->  Switch#2    <--------+  Laptop   |
                      |           |         |              |        |           |
    +------+          +-----------+         +--^-----------+        +-----------+
    | ISP  |                                   |
    | Conn.+-----------------------------------+
    +------+                                                     Basement

The important thing to remember in this diagram is that port x (SW1-8) on Managed Switch#1 is connected to port x (SW2-8) on Managed Switch#2.  The Ethernet cable connecting these two ports is where we are going to have our "trunk" line ("dynamic" VLAN), i.e. where the 802.1Q tags (fields) are used.  The other ports on the managed switches will not be "tagged" and will be dedicated to one VLAN only ("static" VLAN).  Once we have all this connected, with none of the equipment on except maybe the TV, we can configure the system.  We will use VLAN 100 for the WAN side, VLAN 200 for the LAN side, and VLAN 300 for the management VLAN.  The choice of an IP subnet for the LAN VLAN could be based on the default LAN IP for the ISP router, or just choose your own after changing the subnet on the ISP router LAN.

So what is the flow of a frame in this network to our server?  ISP Conn. -> Managed Switch#2 (SW2-1, VLAN 100, "untagged") -> Managed Switch#2 (SW2-8, "trunk") where a VLAN 100 tag is applied -> Managed Switch#1 (SW1-8, "trunk") where the VLAN 100 tag is removed and the frame is sent to any port with "untagged" VLAN 100 -> Managed Switch#1 (SW1-1, VLAN 100, "untagged") -> ISP router WAN port -> rules are applied -> ISP router LAN port(s) -> Managed Switch#1 (SW1-2, VLAN 200, "untagged") -> Managed Switch#1 (SW1-8, "trunk") where a VLAN 200 tag is applied -> Managed Switch#2 (SW2-8, "trunk") where the VLAN 200 tag is removed and the frame is sent to any port with "untagged" VLAN 200 -> Managed Switch#2 (SW2-2, VLAN 200, "untagged") -> our server.  Note that a similar flow can be shown to any other LAN-connected device.  Also, note that we did not have to modify the wiring that the ISP installer left.
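As an added example, not code from the original post, here is a small Python model that covers both the tag layout described earlier and the frame flow just traced: it builds and parses the 32-bit 802.1Q field and models each managed switch as a table of "untagged" (access) and "trunk" ports.  The port numbers follow the story; the port tables, MAC addresses and payload are constructed for the example.

```python
import struct
TPID_8021Q = 0x8100  # sits in the EtherType/Length slot, so a receiver can spot the tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0, cfi: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and EtherType/Length."""
    if not 1 <= vid <= 4094:  # VID 0x000 and 0xFFF are reserved
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | ((cfi & 0x1) << 12) | vid  # PCP:3 CFI(DEI):1 VID:12
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (pcp, cfi, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF

def forward(ports: dict, ingress: int, frame: bytes) -> dict:
    """One managed switch. ports: port -> ("untagged", vid) or ("trunk", None); returns {egress: frame}, {} = dropped."""
    kind, port_vid = ports[ingress]
    tag = parse_tag(frame)
    if kind == "untagged":
        if tag is not None:
            return {}  # a tagged frame arriving on an access port is dropped
        vid, untagged = port_vid, frame
    else:
        if tag is None:
            return {}  # untagged frame on the trunk: no VLAN to place it in
        vid, untagged = tag[2], frame[:12] + frame[16:]  # strip the tag
    out = {}
    for port, (k, v) in ports.items():
        if port == ingress:
            continue
        if k == "untagged" and v == vid:
            out[port] = untagged  # stays inside its VLAN, sent without a tag
        elif k == "trunk":
            out[port] = tag_frame(untagged, vid)  # crosses the trunk tagged
    return out

# Constructed port tables following the story: SW2-1 faces the ISP (VLAN 100), SW2-2/SW2-3
# are server and laptop (VLAN 200), SW1-1 is router WAN, SW1-2 router LAN, SW1-8/SW2-8 trunk.
SW1 = {1: ("untagged", 100), 2: ("untagged", 200), 8: ("trunk", None)}
SW2 = {1: ("untagged", 100), 2: ("untagged", 200), 3: ("untagged", 200), 8: ("trunk", None)}

def cross_trunk(src_sw: dict, src_port: int, dst_sw: dict, frame: bytes) -> dict:
    """Frame enters src_sw at src_port, rides the trunk (port 8), returns what dst_sw emits."""
    return forward(dst_sw, 8, forward(src_sw, src_port, frame)[8])
```

Running cross_trunk(SW2, 1, SW1, frame) for an ISP frame shows it leaving only SW1-1 (the router WAN side), while a VLAN 200 frame sent the other way reaches the server and laptop ports and never the ISP port.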

What are the steps needed to configure this network?  That's another story for another day, and it depends on your equipment.

Saturday, January 6, 2018

LED - Light Controller #3 - I always seem to never have enough time to complete projects

As usual, I am here after a long period of time without completion of my project.  During my time away from my little projects, it occurred to me that I might have a problem with the way that I was doing this project.  I had a workable solution, bread-boarded part of it and connected the Raspberry Pi to it, putting a simple Python program onto it and exercising the 8-channel relay.  After checking things out, I started putting the elements together and soldering them to a perma-proto board from Adafruit.  Sure enough, when I started soldering the 24-pin chips onto a breadboard I ended up smoking them.  I found myself completely unable to switch the 8-channel relay at this point.

At this point I started rethinking my approach to development.  Even though I had plenty of Raspberry Pis to go around, I started thinking about other solutions.  In my network, I have a VLAN specific to experimenting.  I also have a bunch of switches that allow me to set up links all over the house.  It occurred to me that maybe I could use an ESP8266 NodeMCU chip to receive commands and cause the switching to occur.  That way, I could use a Raspberry Pi to do the commands.  I could also simply print each of the boxes and tailor them to my circuitry.  So that is where I am at.