Initial implementations offered a port-mapping capability which established a broadcast domain between a localized group of switched-media devices. Current network requirements demand VLAN functionality which includes end-to-end spanning of the entire network. This allows network administrators to group geographically dispersed users together in network-wide virtual topologies.
However, the benefits and wide-scale adoption of distributed VLAN solutions are currently constrained by the lack of an established standard for multi-vendor VLAN support. In the absence of an interoperable VLAN protocol, the suppliers of internetworking equipment, particularly the companies focused primarily on LAN switching, have implemented proprietary media-specific mechanisms. Network administrators now need end-to-end VLANs across multivendor Fiber Distributed Data Interface (FDDI) campus backbones, wide-area network (WAN) switched environments, and high-speed, point-to-point links. Therefore, it is clear that a single supplier's proprietary implementation is not viable.
Cisco realizes the importance of VLAN interoperability in these large enterprisewide networks. This has led to the development of several open-vendor, nonintrusive VLAN communication protocols, including VLAN standardization of 802.10.
The 802.10 protocol incorporates a mechanism whereby LAN traffic can carry a VLAN identifier, thus allowing selective switching of packets with this identifier. This protocol is the IEEE 802.10 Interoperable LAN/MAN Security (SILS) standard, ratified in late 1992. Originally conceived to address the growing need for security within shared LAN/metropolitan-area network (MAN) environments, it incorporates authentication and encryption techniques to ensure data confidentiality and integrity throughout the network. Additionally, the SILS standard functions at layer 2 of the OSI reference model, making it well-suited to high-throughput, low-latency switching environments.
The 802.10 standard defines a single Protocol Data Unit, known as a Secure Data Exchange (SDE) PDU. This is a MAC-layer frame with an 802.10 header inserted between the MAC header and the frame's data. The 802.10 header comprises an inner and an outer header, known respectively as the "Clear Header" and "Protected Header" portions, as shown below.

Figure 1: 802.10 Header
The Clear Header includes a Security Association Identifier (SAID) and an optional Management-Defined Field (MDF), which can carry information to facilitate PDU processing. The Protected Header replicates the source address contained in the MAC header to allow for address validation. This prevents another station from being identified as the real source. The Integrity Check Value (ICV) safeguards against unauthorized internal data modification using a security algorithm. Support for each portion of the 802.10 header, including encryption, is optional. When utilized to fully secure data transfer across shared media, the protocol can be used in conjunction with a Security Management Information Base (SMIB). This provides the SAID and encryption keys used by LAN devices to exchange data within the same secured community.
When the IEEE 802.10 protocol is used to effect a VLAN topology, VLAN ID is the essential piece of required header information. The 802.10 SAID field is used as the VLAN ID. This field identifies traffic as belonging to a particular VLAN. Internetworking devices with VLAN intelligence can then make forwarding decisions based upon which ports are configured for which VLANs. Therefore, where the goal is to establish logical VLAN topologies across a physical network (rather than encrypting the actual data and thereby incurring performance reduction caused by applying security algorithms), high-throughput devices must minimally support only the Clear Header portion of the 802.10 packet format.
That is, only the "SDE Designator" (the IEEE 802.2 LSAP indicating an 802.10 VLAN frame) and the actual VLAN ID (SAID field) must be carried, which adds the advantage of low processing overhead. These two fields total seven bytes. The four-byte SAID allows for a virtually unlimited number of distinct VLANs, making it possible to configure ports for multiple VLANs and to extend the criteria for VLAN membership to interface and protocol, for example.
When an arbitrary collection of LAN subnets is configured as a VLAN, native packets originating from stations attached to these LANs acquire an 802.10 header that contains the appropriate VLAN ID as the packets are forwarded onto the backbone. The propagation of such packets is controlled and confined to other LANs within the same virtual topology. This is accomplished by the other networking devices on the backbone, which perform a VLAN ID match. Received 802.10 frames that bear an ID not supported on any of a device's ports are filtered. Frames that match are stripped of the 802.10 portion and switched out the corresponding ports in native format. Since 802.10 VLAN packets are valid MAC frames, they are handled transparently by non-802.10-compatible devices. Therefore, the VLAN multiplexing/demultiplexing function need only be applied at the boundary device that connects a VLAN subnet to the common backbone.

Cisco currently employs 802.10 within both its switching and routing internetworking products. The interchange of 802.10 across the backbone provides broadcast control between configured VLANs. As an integral component of the Cisco Internetwork Operating System (Cisco IOS[tm]), layer 3 communications offers both VLAN interoperability and inter-VLAN communications.
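The boundary-device behaviour described above (tag on ingress, match the SAID against port configuration, filter or strip on egress), as an added example that is not part of the original paper or of any Cisco product code. It models the minimal VLAN-only Clear Header (SDE designator plus four-byte SAID, seven bytes in total) and assumes a 12-byte destination/source MAC header, a big-endian SAID, and the LLC encoding DSAP=0x0A, SSAP=0x0A, control=0x03 for the SDE designator; the length/type field of 802.3 and the frame-control byte of FDDI are deliberately left out.

```python
import struct

# Assumption: the 802.10 SDE designator is the 802.2 LLC triple
# DSAP=0x0A, SSAP=0x0A, control=0x03 (UI). Not taken from the paper.
SDE_LLC = bytes([0x0A, 0x0A, 0x03])
MAC_HDR_LEN = 12          # destination MAC + source MAC (toy MAC header)
CLEAR_HDR_LEN = len(SDE_LLC) + 4   # SDE designator + SAID = 7 bytes


def tag_frame(native: bytes, said: int) -> bytes:
    """Ingress at the boundary device: insert the VLAN-only 802.10 Clear
    Header between the MAC header and the data. MDF, Protected Header and
    ICV are omitted, as the paper allows for pure VLAN use."""
    if len(native) < MAC_HDR_LEN:
        raise ValueError("frame too short for a MAC header")
    if not 0 <= said <= 0xFFFFFFFF:
        raise ValueError("SAID (VLAN ID) must fit in four bytes")
    return (native[:MAC_HDR_LEN] + SDE_LLC + struct.pack("!I", said)
            + native[MAC_HDR_LEN:])


def parse_said(frame: bytes):
    """Return the SAID carried in an 802.10 frame, or None if the frame
    has no SDE designator (i.e. it is a native, untagged MAC frame)."""
    hdr = frame[MAC_HDR_LEN:MAC_HDR_LEN + CLEAR_HDR_LEN]
    if len(hdr) < CLEAR_HDR_LEN or hdr[:3] != SDE_LLC:
        return None
    return struct.unpack("!I", hdr[3:])[0]


def demux(frame: bytes, port_vlans: dict) -> dict:
    """Egress at the boundary device: for a received 802.10 frame, return
    {port: native_frame} for every port configured for the frame's VLAN ID.
    A frame whose SAID matches no port is filtered (empty dict); a frame
    without an 802.10 header is left for native handling (None).
    port_vlans maps a port name to the set of SAIDs configured on it."""
    said = parse_said(frame)
    if said is None:
        return None
    # Strip the 802.10 portion so the frame leaves in native format.
    native = frame[:MAC_HDR_LEN] + frame[MAC_HDR_LEN + CLEAR_HDR_LEN:]
    return {port: native for port, vlans in port_vlans.items() if said in vlans}
```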
In the routing/switching paradigm, where switched VLANs are connected across a collapsed backbone, a router can route between different VLAN groups or use the 802.10 MAC format to associate a VLAN ID with traffic destined for certain subnet addresses behind Data Link Layer switching devices.
When bridging workgroups together as a VLAN, a spanning tree must be formed to eliminate the possibility of loops and to establish a single data path throughout the network. There is considerable advantage, however, in establishing a separate spanning tree across each VLAN topology instead of sharing a common tree throughout. This provides much better network resilience and stability. Because each VLAN operates autonomously (never receiving VLAN traffic it is not configured to support on its native subnets), its data flow is not interrupted by physical changes or by spanning tree recomputations that occur elsewhere in the network topology.
VLANs are a highly flexible, scalable solution to current networking demands for segmentation, efficient bandwidth allocation, and workgroup support. However, for these benefits to be fully realized, multivendor interoperability resulting from the implementation of a common standard is required. The IEEE 802.10 standard provides for a straightforward VLAN mechanism. The protocol also incorporates comprehensive security features, an increasingly important attribute within today's shared networking environments. 802.10-based VLANs can combine LAN end stations as a VLAN across FDDI campus backbones, Asynchronous Transfer Mode (ATM) links via LAN-emulation (LANE), Fast Ethernet, or even shared point-to-point serial connections. Its adoption brings VLAN technology (and potential security) to existing network infrastructures. This not only protects users' investments, but is also compatible with future migration strategies. Cisco will continue to focus on the development of this protocol as an interoperable VLAN communication standard. An IEEE working committee has been established to further this development.