ISAM Protocols

This document discusses several protocols used in the 7302 ISAM system, including Ethernet framing and VLAN technology, DHCP, multicast, QoS, IGMP, and RSTP. It provides details on Ethernet framing formats, fields in Ethernet frames, how IP is transported over Ethernet, and an overview of virtual local area networks (VLANs) including benefits, how VLANs work using implicit and explicit membership, and layer 1 port-based VLAN membership.


Protocols in 7302 ISAM system

Table of contents

- Ethernet Framing and VLAN technology
- DHCP & DHCP Relay
- Multicast
- 802.1x
- QoS – Quality of Service
- IGMP
- Rapid Spanning Tree Protocol
Ethernet framing & VLAN technology

Table of contents

- Ethernet Framing
- Virtual Local Area Network
Ethernet framing

- IEEE 802.3 is the standardised form of the original Xerox/DEC/Intel (DIX) Ethernet and is commonly called Ethernet.
- Three frame formats exist:
  • IEEE 802.3 frame with Type field and any protocol in the payload
  • IEEE 802.3 frame with Length field and LLC header
  • IEEE 802.3 frame with Length field and LLC/SNAP header
- Ethernet v2 (the Type-field format) is a valid IEEE 802.3 frame.
- Used in Local Area Networks.
- Uses CSMA/CD as medium access method on shared media.
Common fields in the different "flavors" of Ethernet

  Preamble (7B) | SFD (1B) | DA (6B) | SA (6B) | ... | FCS (4B)

- Preamble + SFD (Start Frame Delimiter): fixed bit sequence to alert the receiver and synchronise it on the start of the frame
- DA: destination MAC address
- SA: source MAC address
- FCS: Frame Check Sequence, a CRC-32 computed over the frame from DA up to the end of the payload
IEEE 802.3 Ethernet frame interpretation

- Interpretation is based on the 2-byte field that follows the source address: Length or Type
- Frame size: min 64 bytes, max 1518 bytes (DA through FCS; preamble and SFD are not counted)

  DA (6B) | SA (6B) | Length or Type (2B) | ... | FCS (4B)
  |<------- Data Link Header -------->|

- Value <= 1500 (0x05DC): frame length, i.e. the number of payload bytes that follow (any remaining bytes before the FCS are padding)
- Value >= 1536 (0x0600): type information identifying the payload protocol
- Values 1501–1535 are neither a valid length nor a valid type; a receiver should discard such frames
IEEE 802.3 frame with type field

- Commonly called Ethernet v2 frame
- Frame size: min 64 bytes, max 1518 bytes

  DA (6B) | SA (6B) | Type (2B) | PAYLOAD (46–1500 bytes) | FCS (4B)
  |<--- Data Link Header --->|

- Type >= 1536 identifies the protocol carried in the payload:
  • 0x0800 = IP datagram (46–1500 bytes)
  • 0x0806 = ARP request / ARP reply (28 bytes + 18 bytes PAD to reach the 46-byte minimum)
  • 0x8035 = RARP request / RARP reply (28 bytes + 18 bytes PAD)
  • 0x888E = 802.1X (EAPOL)
  • 0x8863 = PPPoE control (discovery) frames
  • 0x8864 = PPPoE data (session) frames
- With a Type field there is no length information in the frame: the upper-layer protocol must know the size of its own PDU (e.g. from the IP total length) in order to ignore the padding.
IEEE 802.3 frame with 802.2 LLC header

- Defines Service Access Points (SAPs)
- SAPs ensure that the same network-layer protocol is used at the source and at the destination:
  • TCP/IP talks to TCP/IP, IPX/SPX talks to IPX/SPX, ...
  • Destination SAP (DSAP) / Source SAP (SSAP)
- Frame size: min 64 bytes, max 1518 bytes

  DA (6B) | SA (6B) | Length (2B) | DSAP (1B) | SSAP (1B) | CONTROL (1B) | PAYLOAD (43–1497 bytes) | FCS (4B)
  |<---- Data Link Header ---->|<-------- 802.2 LLC -------->|

- Length field: <= 1500
- Well-known SAP values:
  • 02 = Individual LLC Sublayer Management Function
  • 03 = Group LLC Sublayer Management Function
  • 04 = IBM SNA Path Control (individual)
  • 05 = IBM SNA Path Control (group)
  • 06 = ARPANET Internet Protocol (IP)
  • AA = SubNetwork Access Protocol (SNAP)
  • E0 = Novell NetWare
  • F0 = IBM NetBIOS
IEEE 802.3 frame with 802.2 LLC / SNAP header

- Due to the growing number of applications using the IEEE 802.2 LLC header, an extension was made: the Sub-Network Access Protocol (SNAP) header
- Its Type field provides backwards compatibility with the Ethernet v2 EtherType values
- Frame size: min 64 bytes, max 1518 bytes

  DA (6B) | SA (6B) | Length (2B) | AA (1B) | AA (1B) | 03 (1B) | OUI 00-00-00 (3B) | Type (2B) | PAYLOAD (38–1492 bytes) | FCS (4B)
  |<---- Data Link Header ---->|<---- 802.2 LLC ---->|<--------- SNAP --------->|

- Type values (same as the EtherType values):
  • 0x0800 = IP
  • 0x0806 = ARP
  • 0x8035 = RARP
  • 0x888E = 802.1X
  • 0x8863 = PPPoE control frames
  • 0x8864 = PPPoE data frames
Ethernet frames - summary

- Ethernet version 2 (Xerox/DIX) MAC frame
  • has an EtherType field that indicates which protocol is inside the data section
  • value always > 0x05DC (1500)
- IEEE 802.3 has a Length or Type field
  • if <= 0x05DC: IEEE 802.3 Length field
  • if >= 0x0600: IEEE 802.3 Type field; gives a protocol identification (same values as the EtherType)
- IEEE 802.3 has incorporated the Ethernet v2 Type interpretation, so one standard now covers both formats
  • Ethernet v2 is a valid 802.3 frame
IP over Ethernet / IEEE 802 – example

Ethernet II:
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Type 0800 | IP datagram | FCS (4)

IEEE 802.3 / IEEE 802.2 LLC (LSAP):
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | DSAP 06 | SSAP 06 | Control | IP datagram | FCS (4)

IEEE 802.3 / IEEE 802.2 LLC/SNAP (LSAP + SNAP):
  Preamble (8 bytes) | Destination Address (6 bytes) | Source Address (6 bytes) | Length (2 bytes) | AA AA 03 | OUI 00 00 00 | Type 0800 | IP datagram | FCS (4)

(The 8-byte preamble in these layouts includes the SFD.)
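The dispatch rule the slides above describe (Type >= 1536, Length <= 1500, then the LLC or LLC/SNAP header), as an added Python example; it is not part of the original deck and not ISAM software. It receives a frame the way software behind the MAC sees it, without preamble, SFD and FCS, and the MAC addresses, the ARP request and the bare IP header used as input are constructed sample data.

```python
import struct

ETH_HDR_LEN = 14                  # DA(6) + SA(6) + Type/Length(2)
MIN_FRAME, MAX_FRAME = 60, 1514   # 64..1518 on the wire minus the 4-byte FCS the MAC already checked
MAX_LENGTH_FIELD = 0x05DC         # 1500: largest legal Length value
MIN_TYPE_FIELD = 0x0600           # 1536: smallest EtherType
SNAP_SAP, LLC_UI = 0xAA, 0x03     # DSAP/SSAP announcing SNAP; Unnumbered Information control byte
ETHERTYPES = {0x0800: "IP", 0x0806: "ARP", 0x8035: "RARP", 0x888E: "802.1X",
              0x8863: "PPPoE Discovery", 0x8864: "PPPoE Session"}


def classify(frame):
    """Return (encapsulation, protocol, payload) for one frame (DA..payload, no preamble/SFD/FCS).

    Dispatch on the 2-byte field after SA: >= 1536 is an Ethernet II Type, <= 1500 is an
    802.3 Length followed by an LLC header, and 1501..1535 is invalid.
    """
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame of {len(frame)} bytes is outside 60..1514")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    body = frame[ETH_HDR_LEN:]
    if type_or_len >= MIN_TYPE_FIELD:
        # Ethernet II carries no length: padding stays in the payload and the upper layer
        # (e.g. the IP total-length field) has to ignore it.
        return "Ethernet II", ETHERTYPES.get(type_or_len, f"0x{type_or_len:04X}"), body
    if type_or_len > MAX_LENGTH_FIELD:
        raise ValueError(f"value {type_or_len} is neither a Length nor a Type")
    if type_or_len > len(body):
        raise ValueError("Length field claims more bytes than the frame carries")
    llc = body[:type_or_len]          # the Length field lets us strip the padding exactly
    if len(llc) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = llc[0], llc[1], llc[2]
    if (dsap, ssap, control) == (SNAP_SAP, SNAP_SAP, LLC_UI):
        if len(llc) < 8:
            raise ValueError("truncated SNAP header")
        oui, etype = llc[3:6], struct.unpack("!H", llc[6:8])[0]
        if oui != b"\x00\x00\x00":
            # Non-zero OUI: the 2-byte field is a vendor protocol id, not an EtherType
            return f"802.3 LLC/SNAP (OUI {oui.hex()})", f"0x{etype:04X}", llc[8:]
        return "802.3 LLC/SNAP", ETHERTYPES.get(etype, f"0x{etype:04X}"), llc[8:]
    return "802.3 LLC", f"DSAP 0x{dsap:02X}/SSAP 0x{ssap:02X}", llc[3:]


def is_well_formed(frame):
    """True if classify() accepts the frame; shows which frames a strict receiver drops."""
    try:
        classify(frame)
        return True
    except ValueError:
        return False


# --- constructed sample frames (not captured traffic) ---------------------------------
def eth2_frame(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload.ljust(46, b"\0")   # pad to minimum


def llc_frame(dst, src, dsap, ssap, payload):
    llc = bytes([dsap, ssap, LLC_UI]) + payload
    return dst + src + struct.pack("!H", len(llc)) + llc.ljust(46, b"\0")


def snap_frame(dst, src, etype, payload):
    return llc_frame(dst, src, SNAP_SAP, SNAP_SAP,
                     b"\x00\x00\x00" + struct.pack("!H", etype) + payload)


BCAST = b"\xff" * 6
SRC = bytes.fromhex("00a0c5111111")
# 28-byte ARP request "who has 10.0.0.2, tell 10.0.0.1" (hardware 1, protocol 0x0800, opcode 1)
ARP_REQ = (bytes.fromhex("0001080006040001") + SRC + bytes([10, 0, 0, 1])
           + b"\0" * 6 + bytes([10, 0, 0, 2]))
IP_HDR = bytes.fromhex("4500001400000000401100000a0000010a000002")   # bare 20-byte IPv4 header

if __name__ == "__main__":
    for f in (eth2_frame(BCAST, SRC, 0x0806, ARP_REQ),
              llc_frame(BCAST, SRC, 0x06, 0x06, IP_HDR),
              snap_frame(BCAST, SRC, 0x0800, IP_HDR)):
        kind, proto, payload = classify(f)
        print(f"{kind:<18} {proto:<22} payload {len(payload)} bytes")
```

The three size and length checks are the ones that matter for a parser facing frames from an untrusted line: a classifier that trusts the Length field blindly reads past the end of the buffer, and one that accepts 1501..1535 invents a third frame format that no standard defines.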
Virtual Local Area Networks - VLAN

What is a LAN?

- Local Area Network (LAN): everyone can communicate with each other on the LAN
  • Single broadcast domain, same subnet
  • No routing between members of a LAN
  • Routing required between LANs
  (Figure: a corporate LAN in which all stations share one broadcast domain.)
What is a VLAN?

- Virtual Local Area Network (VLAN)
  • Used to separate the physical LAN into logical LANs
    – Logical broadcast / multicast domain
    – Virtual
  • Inter-VLAN communication: only via higher-layer devices (e.g. IP routers)
  • LAN membership is defined by the network manager
  (Figure: one corporate LAN split into a virtual Marketing LAN, Engineering LAN and Administration LAN.)
VLAN benefits

- Performance
  • VLANs free up bandwidth by limiting broadcast and flooded traffic to the VLAN
- Formation of virtual workgroups
  • Users and resources that communicate frequently with each other can be grouped into a VLAN, regardless of physical location
- Simplified administration
  • Adding or moving nodes can be dealt with quickly and conveniently from the management console rather than the wiring closet
- Reduced cost
  • Use of VLANs can eliminate the need for expensive routers within a workgroup
  • With a VLAN-enabled adapter, a server can be a member of multiple VLANs
- Security
  • VLANs create virtual boundaries that can only be crossed through a router
  • The boundary is only as strong as the bridge configuration: every port's VLAN membership, PVID and tag handling must be correct, and a VLAN-aware server on a trunk sits in all of its VLANs at once
How VLANs work

- VLANs can be distinguished by the method used to indicate membership when a frame travels between switches:
  • Implicit (derived from the port or the protocol)
  • Explicit (carried in a tag)
- VLAN membership can be classified by:
  • Port
  • Protocol type
  • MAC address
  • IP address
- IEEE 802.1Q
  • Explicit: 802.1Q tag
  • Implicit: port based; port and protocol based
Layer 1 VLAN: membership by port

- Membership in a VLAN is defined by the ports that belong to the VLAN
  • Also referred to as port switching
- Does not allow user mobility
- Does not allow multiple VLANs to include the same physical segment (or switch port)
  (Figure: a table mapping each of the switch ports 1–9 to one VLAN.)
Layer 2 VLAN: membership by MAC address

- Membership in a VLAN is based on the MAC address of the workstation
  • The switch tracks the MAC addresses that belong to each VLAN
- Provides full user movement
  • Clients and servers are always on the same LAN regardless of location
- Disadvantages
  • Too many addresses need to be entered and managed
  • Notebook PCs change docking stations
  (Figure: a table assigning MAC@A, MAC@B, MAC@C and MAC@D to VLANs; the stations can attach to any of ports 1–9 and keep their VLAN.)
Layer 3 VLAN: membership by protocol type

- Membership implied by the MAC protocol type field
- This is the most flexible method and provides the most logical grouping of users

  Preamble | SFD | DA | SA | Length or Type | PAYLOAD (46–1500 bytes) | FCS
                          ^ classification key

  PROTOCOL   VLAN
  IP         1
  IPX        2
Layer 3 VLAN: membership by IP subnet address

- The network IP subnet address (layer 3 header) can be used to classify VLAN membership

  SUBNET / MASK      VLAN
  138.22.24.0/24     one VLAN
  138.21.35.0/24     another VLAN

  (Figure: hosts 138.22.24.10 and 138.22.24.5 land in the first VLAN, hosts 138.21.35.47 and 138.21.35.58 in the second, whichever of ports 1–9 they are connected to.)
VLAN types - Glossary/Terminology

- Port based VLAN classification
  • VID based on the port of arrival
  • The frame receives the Port VLAN identifier (PVID)
- Default VID
  • Not standardized within 802.1Q
  • Interpretation according to context; often equals the PVID
- Port-and-protocol-based VLAN classification
  • VID based on the port of arrival and the protocol identifier of the frame
  • Multiple VLAN IDs associated with one port of the bridge: the VID set
VLAN link types: Access Link

- Access link
  • Link that is a member of only one VLAN
  • Connects VLAN-unaware devices
  • All frames on an access link are untagged
  • The normal ports to which we connect network devices such as PCs
  (Figure: VLAN-aware bridge, access link, VLAN-unaware workstation.)

VLAN link types: Trunk Link

- Trunk link
  • Capable of carrying multiple VLANs (frames are tagged)
  • Used on links between switches, allowing VLANs to span all network switches
  • Can also connect a VLAN-aware workstation
  (Figure: two VLAN-aware bridges joined by a trunk link; a VLAN-aware workstation attached over a second trunk link.)

VLAN link types: Hybrid Link

- Hybrid link
  • Connects both VLAN-aware and VLAN-unaware devices
  • All frames of a specific VLAN are either tagged or untagged on the link
  (Figure: two VLAN-aware bridges; a hybrid link serving a VLAN-aware and a VLAN-unaware workstation.)
Q-VLAN tag (IEEE 802.1Q)

- Also referred to as C-VLAN tag
  • Customer VLAN tag
- VLAN Bridge
  • Q-VLAN aware bridge comprising a single Q-VLAN component
- Frame size: min 68 bytes, max 1522 bytes

  Preamble | SFD | DA | SA | TPID (2 bytes) | TCI (2 bytes) | Length/Type | PAYLOAD (46–1500 bytes) | FCS

  TPID: Tag Protocol Identifier, 802.1Q tag type, value 81 00
  TCI:  Tag Control Information = priority "p-bits" (3 bits, 802.1p, 8 values) | CFI (1 bit) | VLAN ID "Q-TAG" (12 bits, 802.1Q, 4096 values)
802.1Q tag-based - Glossary/Terminology

- Untagged frame
  • A frame that does not contain a tag header
- Priority-tagged frame
  • A frame whose tag header carries a priority but no VID (VID = 0)
- VLAN-tagged frame
  • A frame whose Q-tag header carries both priority and VID
- 802.1Q tag VLAN
  • Each VLAN group has a unique VID
  • The members of a VLAN group can talk to each other
- VLAN-aware
  • The device can recognize and support VLAN-tagged frames
- VLAN-unaware
  • The device cannot recognize VLAN-tagged frames
Forwarding engine - Glossary/Terminology

- Ingress: towards the forwarding engine
- Egress: out of the forwarding engine
- Upstream: from user to network
- Downstream: from network to user
  (Figure: end-user ports on one side of the forwarding engine, the Ethernet network port on the other; ingress/egress are seen from the engine, upstream/downstream from the user.)
802.1Q Process

- Ingress rule
  • Classify the received frames as belonging to a VLAN
- Forwarding process
  • Decide to filter or forward the frame
- Egress rule
  • Decide if the frame must be sent tagged or untagged

  Packet receive -> Ingress Rule -> Forwarding Process (filtering database) -> Egress Rule -> Packet transmit
Ingress Rule

- A VLAN-aware switch can accept tagged and untagged frames
- Tagged frame:
  • is sent directly to the forwarding engine (VID taken from the tag)
- Untagged frame:
  • a tag is added to the untagged frame (with the PVID)
  • the now tagged frame is sent to the forwarding engine
- PVID
  • Default port VLAN ID for incoming untagged frames

  Tagged frame (VID)  -> Ingress Rule -> Tagged frame (VID)  -> towards forwarding process
  Untagged frame      -> Ingress Rule -> Tagged frame (PVID) -> towards forwarding process
Forwarding Process

- The forwarding decision is based on the filtering database
  • The filtering database contains two tables: the MAC table and the VLAN table
  • First, look up the destination MAC address in the MAC table
  • Second, check the VLAN ID against the VLAN table
- The egress port is an allowed outgoing member port of the VLAN

Filtering Database

  MAC Table                               VLAN Table
  Port  MAC Address         Aging         VID  Egress port  Register  Egress frame type
  2     00:A0:C5:11:11:11   0             1    2            Static    Untag
  2     00:A0:C5:22:22:22   20            1    3            Static    Tag
  3     00:A0:C5:33:33:33   30            100  3            Static    Untag
  10    00:A0:C5:44:44:44   100
Egress Rule

- Per outgoing port the egress rule decides whether the frame leaves tagged or untagged:

  Tagged frame (VID) -> Egress Rule -> Tagged frame (VID)   (port registered "Tag" for this VID)
  Tagged frame (VID) -> Egress Rule -> Untagged frame       (port registered "Untag" for this VID)
Principles of operation in a VLAN Bridge

- The C-VID of an incoming frame is determined:
  • If a C-TAG is present, the C-VID is taken from the tag (no translation!)
  • If no C-TAG is present:
    – if supported, port and protocol are used for C-VID classification
    – else the default C-VID for that port is used (PVID)
    – the standard leaves room for proprietary assignment of the C-VID based on other parameters
- Security check: the bridge verifies that the VLAN id is allowed on that access line
- The incoming frame is forwarded according to the forwarding information base associated with the C-VLAN
- The outgoing frame may carry a C-TAG or not, depending on the egress rule (e.g. an outgoing port that supports only tagged frames)
  (Figure: a Q/C-VLAN tag added by the CPE is subjected to the security check; an untagged frame gets its VLAN tag added by the access node.)
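The ingress rule, forwarding process and egress rule of the slides above, as an added Python simulation; it is not the ISAM forwarding engine or any vendor's code. Port numbers, PVIDs, MAC addresses and the two VLANs are constructed, and the slide's "security check" is the membership test inside ingress().

```python
import struct

TPID_8021Q = 0x8100   # C-tag / Q-tag type, IEEE 802.1Q


def parse_ctag(frame):
    """Return (pcp, cfi, vid) when bytes 12..15 hold an 802.1Q tag, else None."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    return None


def push_ctag(frame, vid, pcp=0):
    """Insert TPID+TCI after SA; the original Length/Type field moves 4 bytes to the right."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def pop_ctag(frame):
    return frame[:12] + frame[16:]


class VlanBridge:
    """Minimal IEEE 802.1Q bridge: ingress rule -> forwarding process -> egress rule."""

    def __init__(self):
        self.pvid = {}        # port -> PVID given to untagged and priority-tagged frames
        self.members = {}     # VLAN table: vid -> {port: "tag" | "untag"} (egress frame type)
        self.mac_table = {}   # MAC table, kept per VLAN: (vid, mac) -> port

    def add_port(self, port, pvid, vlans):
        self.pvid[port] = pvid
        for vid, egress_type in vlans.items():
            self.members.setdefault(vid, {})[port] = egress_type

    def ingress(self, port, frame):
        """Classify, apply the per-port VID check, learn the source MAC, then forward."""
        tag = parse_ctag(frame)
        if tag is None:                              # untagged: tag with the PVID
            vid = self.pvid[port]
            frame = push_ctag(frame, vid)
        elif tag[2] == 0:                            # priority-tagged: keep p-bits, VID from PVID
            vid = self.pvid[port]
            frame = frame[:14] + struct.pack("!H", (tag[0] << 13) | vid) + frame[16:]
        else:                                        # VLAN-tagged: VID taken from the tag
            vid = tag[2]
        # Security check from the slide: is this VID allowed on the arriving line? If not, drop.
        if port not in self.members.get(vid, {}):
            return []
        self.mac_table[(vid, frame[6:12])] = port    # learning is scoped to the VLAN
        return self._forward(port, vid, frame)

    def _forward(self, in_port, vid, frame):
        dst = frame[:6]
        known = self.mac_table.get((vid, dst))
        if known is None or dst[0] & 1:              # unknown unicast or group address: flood
            out_ports = list(self.members[vid])      # ...but only to members of this VLAN
        else:
            out_ports = [known]
        return [(p, self._egress(p, vid, frame)) for p in out_ports if p != in_port]

    def _egress(self, port, vid, frame):
        return frame if self.members[vid][port] == "tag" else pop_ctag(frame)


def demo():
    """Constructed topology: access ports 1 (PVID 10) and 2 (PVID 20), trunk port 3 carrying both tagged."""
    bridge = VlanBridge()
    bridge.add_port(1, 10, {10: "untag"})
    bridge.add_port(2, 20, {20: "untag"})
    bridge.add_port(3, 1, {10: "tag", 20: "tag"})
    mac_a, mac_b, bcast = bytes.fromhex("00a0c5111111"), bytes.fromhex("00a0c5222222"), b"\xff" * 6
    arp_from_a = bcast + mac_a + b"\x08\x06" + b"\0" * 46          # untagged, 60 bytes
    reply_to_a = mac_a + mac_b + b"\x08\x06" + b"\0" * 46
    return {
        "flood": bridge.ingress(1, arp_from_a),                    # classified into VLAN 10 by PVID
        "hop": bridge.ingress(1, push_ctag(arp_from_a, 20)),       # client-chosen VID port 1 is not in
        "reply": bridge.ingress(3, push_ctag(reply_to_a, 10)),     # tagged from the trunk, A already learned
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, [(port, parse_ctag(f)) for port, f in result])
```

Running it shows the three cases of the slides: the ARP from port 1 appears only on the trunk, tagged with VID 10; the frame a client tagged itself with VID 20 on an access port that is not a member of VLAN 20 is discarded by the ingress check; the reply that comes back tagged from the trunk leaves port 1 untagged because of the egress rule.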
Objective of VLAN stacking

- The existing Ethernet technology is not enough to satisfy carrier-grade requirements
  • Q/C-VLAN tag: only 4094 usable VIDs
    – scalability issue: business customers typically have a one-to-one mapping of customer to VID
  • Problem if different customers use the same VID: no customer traffic segregation
- Enhancement: a new Service Provider VLAN tag (S-VLAN) to become a carrier solution
  • IEEE 802.1ad
  • Does not only describe the S-VLAN for use in VLAN stacking
IEEE 802.1ad - Systems

- VLAN Bridge = Customer Bridge = .1Q Bridge
  • Treats the C-TAG only
- Provider Bridge (new)
  • Treats the S-TAG only
- Provider Edge Bridge (new)
  • Contains a Provider Bridge component and a Customer Bridge component
  • Treats C-TAG and S-TAG
IEEE 802.1ad - Tags

- Customer TAG (C-TAG)
  • Used to identify a Customer VLAN (C-VLAN) by means of a Customer VLAN ID (C-VID)
- Service TAG (S-TAG) (new)
  • Used to identify a Service VLAN (S-VLAN) by means of a Service VLAN ID (S-VID)
  • Pre-standard synonyms: VMAN tag, P-VLAN tag
  • IEEE 802.1ad was not finalized when these slides were written: Draft 3 (25 October 2004)
  • Frame size: min 68 bytes, max TBD

  Preamble | SFD | DA | SA | TPID (2 bytes, tag type TBD in the draft) | TCI (2 bytes: 3-bit priority, 1-bit CFI, 12-bit VID; TBD in the draft) | Length/Type | PAYLOAD (46–1500 bytes) | FCS

  Note: the published IEEE 802.1ad-2005 assigned tag type 0x88A8 to the S-TAG and redefined the S-TAG's CFI bit as the DEI (drop eligible indicator).
IEEE 802.1ad - Ports

(Figure: a Provider Edge Bridge built from two components.)

- S-VLAN aware bridge component (upper)
  • Provider Network Ports: towards provider equipment
  • Customer Network Ports: towards customer equipment, or internally towards the C-VLAN component
- C-VLAN aware bridge component (lower)
  • Provider Edge Ports: towards customer equipment
  • Connected to the S-VLAN component through an internal EISS (Enhanced Internal Sublayer Service)
- Provider Edge Ports (yellow in the figure) can read C-TAGs, or assign a C-VID to untagged frames
- Customer Network Ports and Provider Network Ports (green in the figure) can read S-TAGs, or assign an S-VID to untagged frames
Operation in a Provider Edge Bridge: single tag

(Figure: Provider Edge Bridge with the S-VLAN aware bridge component (Customer Network Ports, Provider Network Ports) above the C-VLAN aware bridge component (Provider Edge Ports), joined by the internal EISS; the frame carries an S-VLAN tag.)

- The S-VID of an incoming frame is defined:
  • If an S-TAG is present, the S-VID is taken from the tag
  • If no S-TAG is present: same rules as for the C-TAG in a VLAN bridge
- The incoming frame is forwarded according to the forwarding information base associated with the S-VLAN
- The outgoing frame may carry an S-TAG or not (egress rule)
Operation in a Provider Edge Bridge: single tag

(Figure: same Provider Edge Bridge; the frame enters the Provider Edge Port with a Q/C-VLAN tag, crosses the internal EISS and leaves the Provider Network Port with an S-VLAN tag, e.g. because the outgoing port supports only tagged frames.)

- An incoming frame on a Provider Edge Port is forwarded internally depending on the C-TAG
  • This two-step approach enables a translation of C-VID to S-VID
- The incoming frame is forwarded according to the forwarding information base associated with, respectively, the C-VLAN / S-VLAN to which the frame belongs
- The outgoing frame may carry an S-TAG or not (egress rule)
Dual VLAN – VLAN Stacking

- IEEE 802.1ad – Draft 3.0
  • Certain vendors already apply a 1Q-in-Q VLAN tag today: Cisco, Alcatel, ...

Single VLAN tag (frame size: min 68 bytes, max 1522 bytes):
  Preamble | SFD | DA | SA | TPID | TCI | Length/Type | PAYLOAD (46–1500 bytes) | FCS

Dual VLAN tag, "VLAN stacking" (frame size: min 72 bytes, max TBD):
  Preamble | SFD | DA | SA | TPID | TCI (S-VLAN) | TPID | TCI (C-VLAN) | Length/Type | PAYLOAD (46–1500 bytes) | FCS

  S-VLAN tag: tag type (2 bytes, TBD in the draft) + Tag Control Information (2 bytes, TBD in the draft)
Dual VLAN – VLAN Stacking

- Q-in-Q VLAN
  • Not standardized
  • The second tag's protocol identifier is the 802.1Q tag type, just like in single VLAN-tagged frames

Dual VLAN tag, "VLAN stacking" (frame size: min 72 bytes, max 1526 bytes):
  Preamble | SFD | DA | SA | TPID | TCI (S-VLAN) | TPID | TCI (C-VLAN) | Length/Type | PAYLOAD (46–1500 bytes) | FCS

  Each tag: TPID, tag protocol identifier (2 bytes, value 81 00) + TCI, Tag Control Information (2 bytes)
  TCI = priority "p-bits" (3 bits, 802.1p, 8 values) | CFI (1 bit) | VLAN ID "Q-TAG" (12 bits, 802.1Q, 4096 values)
Operation in a Provider Bridge: VLAN stacking

(Figure: Provider Edge Bridge; the incoming frame on the Provider Edge Port carries a Q/C-VLAN tag, and the S-VLAN tag is added in front of it before the frame leaves the Provider Network Port.)

- We now have two tags
  • The S-TAG may be added and removed independently of the C-TAG
- A Provider Bridge ignores C-TAGs, except on Provider Edge Ports
- VLAN stacking can occur even if the incoming frame is untagged (at the Provider Edge Port)
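Provider edge handling of C-tag and S-tag (the two-step C-VID to S-VID translation, S-tag push and pop, and a provider bridge that reads only the outer tag), as an added Python example covering the single-tag, VLAN-stacking and Q-in-Q slides above; it is not part of the original deck. The S-tag type 0x88A8 is the value the published IEEE 802.1ad-2005 assigned after these slides were written; the customer VIDs, S-VIDs and MAC addresses are constructed.

```python
import struct

TPID_C = 0x8100          # C-tag (802.1Q)
TPID_S_QINQ = 0x8100     # pre-standard Q-in-Q: the second tag reuses the 802.1Q tag type
TPID_S_8021AD = 0x88A8   # S-tag type assigned by the published IEEE 802.1ad-2005 (TBD in Draft 3)


def read_tags(frame, tpids=(TPID_C, TPID_S_8021AD)):
    """Walk the tag stack after SA. Returns (tags, offset): tags outermost first as (tpid, pcp, vid)."""
    tags, off = [], 12
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] in tpids:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags, off


def push_tag(frame, tpid, vid, pcp=0):
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF)) + frame[12:]


def pop_outer_tag(frame):
    return frame[:12] + frame[16:]


class ProviderEdgePort:
    """Customer-facing side of a Provider Edge Bridge: classify on the C-tag, then add/remove the S-tag."""

    def __init__(self, cvid_to_svid, default_cvid, s_tpid=TPID_S_8021AD):
        self.cvid_to_svid = cvid_to_svid   # the C-VID -> S-VID translation the two-step model allows
        self.default_cvid = default_cvid   # PVID for untagged / priority-tagged customer frames
        self.s_tpid = s_tpid

    def to_provider(self, frame):
        tags, _ = read_tags(frame, tpids=(TPID_C,))
        cvid = tags[0][2] if tags and tags[0][2] != 0 else self.default_cvid
        if cvid not in self.cvid_to_svid:
            return None                     # C-VID not provisioned on this line: drop it
        pcp = tags[0][1] if tags else 0     # carry the customer's p-bits into the S-tag
        return push_tag(frame, self.s_tpid, self.cvid_to_svid[cvid], pcp)   # C-tag stays inside

    def to_customer(self, frame):
        tags, _ = read_tags(frame, tpids=(self.s_tpid,))
        if not tags or tags[0][2] not in self.cvid_to_svid.values():
            return None                     # not one of this customer's S-VLANs
        return pop_outer_tag(frame)         # S-tag removed; C-tag (if any) delivered as received


def provider_bridge_svid(frame, s_tpid=TPID_S_8021AD):
    """A Provider Bridge forwards on the outer S-VID only and never looks at the C-tag."""
    tags, _ = read_tags(frame, tpids=(s_tpid,))
    return tags[0][2] if tags else None


def demo():
    """Constructed: customer A sends C-VID 100, customer B sends untagged; S-VIDs keep them apart."""
    hdr = bytes.fromhex("00a0c5333333") + bytes.fromhex("00a0c5111111")
    ip_frame = hdr + b"\x08\x00" + b"\0" * 46
    port_a = ProviderEdgePort({100: 2001, 200: 2001}, default_cvid=100)
    port_b = ProviderEdgePort({1: 2002}, default_cvid=1)
    from_a = port_a.to_provider(push_tag(ip_frame, TPID_C, 100, pcp=5))
    return {
        "a": from_a,
        "b": port_b.to_provider(ip_frame),
        "rogue": port_a.to_provider(push_tag(ip_frame, TPID_C, 300)),   # VID 300 not provisioned
        "back": port_a.to_customer(from_a),
    }


if __name__ == "__main__":
    for name, frame in demo().items():
        print(name, None if frame is None else read_tags(frame)[0])
```

Pass s_tpid=TPID_S_QINQ to reproduce the pre-standard Q-in-Q layout of the previous slides, where both tags carry 0x8100 and only their position tells the S-tag from the C-tag; with 0x88A8 a provider bridge can stop parsing at the first tag, which is what provider_bridge_svid() does.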
DHCP & DHCP Relay

Table of contents

- Why DHCP?
- What is DHCP?
- DHCP scenarios
- DHCP Relay
Why DHCP?

Environment history (HSIA)

- In the beginning there was... narrow-band dial-up
  • and the word was PPP
  • ... and everything evolved around that:
    – session control (Remote Access Node, RAN)
    – authentication/authorization/accounting (AAA servers)
  (Figure: PC with analog or ISDN modem -> PSTN -> RAN at the ISP POP -> www; the RAN checks "username/passwd" via a RADIUS proxy AAA against the AAA server, then sets up PPP and assigns the IP address.)
Environment history (HSIA)

- Then came ADSL and ATM
  • USB modem (no Ethernet!)
  • + the motivation to stick to the legacy model (reuse AAA servers etc.)
  • ... and PPPoA was born
  (Figure: PC -> USB -> PPPoA CPE -> ATM -> DSLAM -> BRAS at the ISP POP -> www; the BRAS checks "username/passwd" via a RADIUS proxy AAA against the AAA server and sets up PPP with the IP address.)
Environment history (HSIA)

- But users wanted more... connect multiple PCs to one modem
  • Bridged modem, connect PC(s) via Ethernet cable
  • ... and the favourite mode became: PPPoE initiated from the PC, transparent through the modem
  (Figure: PCs -> bridged CPE -> DSLAM -> ATM -> BRAS at the ISP POP -> www; "username/passwd" comes from the PC, accept/IP-address from the RADIUS proxy AAA and AAA server, PPP is set up with the IP address.)
Environment history (HSIA)

- Ethernet becomes more and more present
  • Ethernet aggregation replaces ATM
  • Ethernet in the first mile is emerging
  • PPPoE is "the" main access scenario today
- But new issues and requirements emerged...
  • End-users have problems installing PPPoE on the PC
    -> evolution to a new model: pre-installed protocol stack on the modem, configured via a wizard; introduction of the routed modem (with PPP termination)
  • New applications -> other terminals (e.g. STB) connect via the same modem, added value is introduced on the modems, ...
- ... and things will continue to evolve
  • Remote management of modems...
Evolution to DHCP-based access?

- DHCP-based access scenario instead of PPP
- Why?
  • New services carry no legacy from narrow-band dial-up; e.g. CLECs might avoid a BAS if DHCP can be used instead of PPP
  • A BAS is not suited to cope with very large bandwidth (video)
  • The Broadcast TV (BTV) application is by nature in conflict with the point-to-point principle of PPP
  • Set top boxes, IP phones, ... support DHCP, not PPP
  • DHCP supports more options for auto-configuration: additional parameters besides the IP@ allow auto-configuring the middleware
  • Note: DHCP does not offer authentication, nor wholesale (domain selection)!
DHCP, the end-game for non-HSI subscriber management

(Figure: CPE -> aggregation network -> IP edge node; BTV, VoD and DHCP servers behind the edge node. DHCP serves VoIP phones, IADs and set top boxes; legacy PPP traffic goes to an external BRAS.)

                                                         DHCP   PPP   PPP / L2TP
  Automatic IP@ configuration                            Yes    Yes   Yes
  Simplicity of the protocol and network implementation  Yes    No    No
  Video over DSL support (set top boxes) with QoS        Yes    No    No
  IP phone direct connection with QoS (VoIP over DSL)    Yes    No    No

- DHCP option 82 provides additional security features through identification of the physical DSL line
- Legacy PPP traffic goes to an external BRAS
What is DHCP?

DHCP – Dynamic Host Configuration Protocol

- DHCP = extension of the BOOTP protocol
- BOOTP
  • is a UDP/IP bootstrap protocol (server port 67, client port 68)
  • provides a diskless client with a method to discover, among other things, its IP address
- DHCP operates in client/server mode:
  • DHCP client: while booting, a computer emits DHCP requests
  • DHCP server: responds with DHCP replies
- A modem or a router can act as:
  • a DHCP server (towards the LAN)
  • a DHCP client (towards the WAN)
DHCP

- DHCP allows you to define "pools" of IP addresses which the server can allocate to client PCs
  • "pools" are called "scopes" in DHCP terminology
- Together with the address, all related configuration settings are handed out:
  • IP address
  • subnet mask
  • default gateway address
  • DNS server addresses
  • NetBIOS Name Server (NBNS) addresses
  • lease period (carried in seconds on the wire, usually displayed in hours)
  • IP address of the DHCP server
Addressing in case of DHCP

(Figure: xDSL CPE -> Ethernet switch / aggregation network -> DHCP server, with the BTV and VoD servers on the same network.)

- The DHCP request carries the client's MAC@; the access node adds the user identification (DHCP option 82)
- The DHCP server answers with the IP address
DHCP scenario – What happens when booting up?

  Client                                   Server 1            Server 2
  DHCP Discover (broadcast) ---------------------------------------------->
  wait (1 sec) for offers
                               <---------- DHCP Offer 1 (IP1, DNS, ...)
                               <------------------------------ DHCP Offer 2 (IP2, DNS, ...)
  accept the first offer
  DHCP Request 1 (IP1, ...) (broadcast) ---------------------------------->
                               <---------- DHCP Ack
DHCP: No session concept

- Once the client has received the related configuration, communication with the DHCP server stops
  • No session concept
- New communication with the DHCP server is set up:
  • to confirm the network address or to extend the lease:
      Client -> Server: DHCPREQUEST
      Server -> Client: DHCP Ack
  • to release the network address:
      Client -> Server: DHCPRELEASE
      the DHCP server marks the IP@ as not allocated
DHCP Message Format

  op (1) | htype (1) | hlen (1) | hops (1)
  xid – Transaction ID (4)
  secs (2) | flags (2)
  Ci@ – client IP address (4 octets)
  Yi@ – "your" IP address (4 octets)
  Si@ – server IP address (4 octets)
  Gi@ – gateway / relay agent IP address (4 octets)
  ch@ – client hardware address (16 octets)
  sname (64) | file (128) | options (variable)

- Transaction ID
  • Allows the client to intercept the right DHCP message
- Ci@
  • Filled in by the client in BOUND, RENEWING or REBINDING state, or in a DHCPREQUEST when renewing or extending use of a previously allocated IP address
- Yi@
  • Filled in by the server if the client does not know its own IP address
- Si@
  • Returned by the server in DHCPOFFER and DHCPACK
- Gi@
  • Used when booting via a relay agent; carries the relay agent's IP address
- Flags field
  • 1 bit is the BC (broadcast) flag
  • The rest is set to 0
Options in DHCP

- The options field contains:
  • Configuration parameters
  • Control information
- Format
  • Fixed length = TAG octet only (option 0 and option 255):

      TAG

  • Variable length = TAG octet, Length octet, "length" octets of value:

      TAG | Length | Value ("length" bytes) / information field

  • Examples:
    – Pad option – Tag 0
    – End option – Tag 255
    – Requested IP Address – Tag 50, Length 4: four-byte address
DHCP scenarios

DHCP scenario – no relay, broadcast flag NOT set by client

Client MacA (IP=?) on the LAN behind a bridged CPE; DHCP server MacS / IPS on IP network x.

1. Client -> Server: DHCP Discover, broadcast
     ci@=nul  yi@=nul  si@=nul  gi@=nul  chaddr=MacA
     UDP 68 -> 67, IP null -> IPBC, MAC MacA -> MACBC
2. Server -> Client: DHCP Offer, unicast (si@ and yi@ filled in)
     ci@=nul  yi@=IPA  si@=IPS  gi@=nul  chaddr=MacA
     UDP 67 -> 68, IP IPS -> IPA, MAC MacS -> MacA
     (the client does not own IPA yet; it accepts the frame because it is addressed to its MAC and carries its transaction ID)
3. Client -> Server: DHCP Request, broadcast, Requested IP@ option filled in
     ci@=nul  yi@=nul  si@=nul  gi@=nul  chaddr=MacA
     UDP 68 -> 67, IP null -> IPBC, MAC MacA -> MACBC
4. Server -> Client: DHCP Ack, unicast (si@ and yi@ filled in)
     ci@=nul  yi@=IPA  si@=IPS  gi@=nul  chaddr=MacA
     UDP 67 -> 68, IP IPS -> IPA, MAC MacS -> MacA
DHCP scenario – no relay, broadcast flag SET by client

Client MacA (IP=?) on the LAN behind the CPE; DHCP server MacS / IPS on IP network x.

1. Client -> Server: DHCP Discover, broadcast
     ci@=nul  yi@=nul  si@=nul  gi@=nul  chaddr=MacA
     UDP 68 -> 67, IP null -> IPBC, MAC MacA -> MACBC
2. Server -> Client: DHCP Offer, broadcast (si@ and yi@ filled in)
     ci@=nul  yi@=IPA  si@=IPS  gi@=nul  chaddr=MacA
     UDP 67 -> 68, IP IPS -> IPBC, MAC MacS -> MACBC
3. Client -> Server: DHCP Request, broadcast, Requested IP@ option filled in
     ci@=nul  yi@=nul  si@=nul  gi@=nul  chaddr=MacA
     UDP 68 -> 67, IP null -> IPBC, MAC MacA -> MACBC
4. Server -> Client: DHCP Ack, broadcast (si@ and yi@ filled in)
     ci@=nul  yi@=IPA  si@=IPS  gi@=nul  chaddr=MacA
     UDP 67 -> 68, IP IPS -> IPBC, MAC MacS -> MACBC
DHCP relay

BOOTP/DHCP Relay Agent

- Different from a BOOTP/DHCP forwarder!
- An Internet host or router that passes DHCP messages between DHCP clients and DHCP servers
- DHCP relay agents may be placed in two places:
  • Routers
  • Subnets that don't have a DHCP server, to forward the DHCP requests
  (Figure: the client on IP network 2 broadcasts; the relay agent makes the appropriate changes to the DHCP message and unicasts it to the server on IP network 1; the server's unicast reply is passed back to the client as unicast or broadcast. The server keeps a binding of parameters 1, 2, 3, ... per client.)
DHCP relay agent principle

- Relay agent
  • Terminates messages and then generates new messages
  • DHCP messages are relayed within the respective VLAN
- Look at the gi@ field
  • If zero: plug in its own IP address (of the receiving interface)
  • If non-zero: the gi@ field remains unchanged
- If the broadcast flag is set, Offer and Ack are broadcast to the client
  • Each client intercepts the right DHCP message (transaction identifier)
DHCP scenario – with relay

Client MacA (IP=?) on IP network 1; DHCP relay MacR / IPR, with the server address IPS configured; DHCP server MacS / IPS on IP network 2.

1. Client -> Relay: DHCP Discover, broadcast
     ci@=nul  yi@=nul  si@=nul  gi@=nul  chaddr=MacA
     UDP 68 -> 67, IP null -> IPBC, MAC MacA -> MACBC
2. Relay -> Server: DHCP Discover, unicast (gi@ filled in with IPR)
     ci@=nul  yi@=nul  si@=nul  gi@=IPR  chaddr=MacA
     UDP 67 -> 67, IP IPR -> IPS, MAC MacR -> MacS
3. Server -> Relay: DHCP Offer, unicast to IPR (si@ and yi@ filled in)
     ci@=nul  yi@=IPA  si@=IPS  gi@=IPR  chaddr=MacA
     UDP 67 -> 68, IP IPS -> IPR, MAC MacS -> MacR
4a. Relay -> Client, broadcast flag NOT set by client: DHCP Offer, unicast to yi@
     ci@=nul  yi@=IPA  si@=IPS  gi@=IPR  chaddr=MacA
     UDP 67 -> 68, IP IPR -> IPA, MAC MacR -> MacA
4b. Relay -> Client, broadcast flag set by client: DHCP Offer, broadcast
     ci@=nul  yi@=IPA  si@=IPS  gi@=IPR  chaddr=MacA
     UDP 67 -> 68, IP IPR -> IPBC, MAC MacR -> MACBC
Issues still to be solved

- The DHCP server has no identification of the client
  • In case of a broadcast reply, the relay agent broadcasts to all users
- DHCP is built on UDP/IP
  • UDP/IP is inherently insecure (neither side is authenticated)
  • Unauthorized DHCP servers can send false / disruptive information:
    – incorrect or duplicate IP address
    – incorrect routing information
    – incorrect DNS server addresses ...
  • Malicious DHCP clients
    – can masquerade as legitimate clients and intercept information
    – could claim all resources for themselves ...
-> Implementation of Option 82 in the DHCP relay agent
DHCP Relay Agent Information option

- Option 82 – RFC 3046
- Enables a DHCP relay agent to include information about:
  • the relay agent itself
  • the CPE's physical and logical connection
- The DHCP server can use this information to implement IP address or other parameter-assignment policies
- Here it is used to provide the DHCP server with the modem's ATM PVC
DHCP Relay Agent Information option: the process

  Client --- DHCP Request -----------> Relay Agent --- DHCP Request + Option 82 --> Server
  Client <-- DHCP Reply -------------- Relay Agent <-- DHCP Reply + Option 82 ---- Server
         IP Network 2                                 IP Network 1

- The relay agent adds option 82 to the request, the server echoes it in the reply, and the relay agent removes it before the reply reaches the client; the server keeps the binding (parameters 1, 2, 3, ...) per client
DHCP Relay Agent Information Option

- Organized as a single DHCP option with sub-options:
  • Two sub-option codes had been assigned
  • Sub-option 1, "Agent Circuit ID Sub-option": identifies the circuit over which the DHCP client-to-server packet was received
  • Sub-option 2, "Agent Remote ID Sub-option": provides a trusted identifier for the remote host

  TAG   Len   Agent Information Field
  82    N     i1 i2 i3 i4 ... iN

  The Agent Information Field is itself a sequence of sub-options in the same TLV layout:
  SubOpt  Len  Sub-option Value
  1       N    s1 s2 s3 s4 ... sN
  2       N    s1 s2 s3 s4 ... sN
Security considerations addressed by option 82 (RFC 3046 §7)

- Access via a circuit-based public network by "non-trusted" hosts
  • All client traffic passes through the DHCP relay agent, which inserts the circuit identification itself
  • Requires a secure IP network between server and relay agent: the server trusts option 82 only because it trusts the relay
  • Authentication between server and client may be done, but is not within the scope of this option
- Problems the option helps to address:
  • Broadcast forwarding (replies can be directed to the originating circuit instead of to all users)
  • DHCP address exhaustion (the number of addresses can be limited per circuit)
  • Static assignment (an address can be bound to a physical line)
  • IP spoofing (the server knows which line an address was given to)
  • MAC address spoofing (identification no longer rests on the client MAC alone)
- Caveat: a relay agent should discard client packets that arrive on an untrusted circuit with gi@ zero and already carrying option 82; otherwise a client can forge its own circuit ID
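The DHCP message format, the TLV options, the relay agent rules (gi@ handling, hops, broadcast flag) and option 82 with its two sub-options, as one added Python example covering the DHCP slides above; it is neither the ISAM implementation nor a reference implementation of the RFCs. The addresses, the circuit id b'dsl-1/1/3', the remote id and the transaction id are constructed; the hops increment and the discarding of client-supplied option 82 follow RFC 2131 and RFC 3046 §7.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
FLAG_BROADCAST = 0x8000                       # BC flag: most significant bit of the flags field
ANY, LIMITED_BCAST = "0.0.0.0", "255.255.255.255"


def encode_options(opts):
    """opts: list of (tag, value). Every option is TLV except Pad (0) and End (255), which are tag-only."""
    return b"".join(bytes([tag, len(value)]) + value for tag, value in opts) + bytes([OPT_END])


def decode_options(data):
    """TLV walk: skip Pad, stop at End, refuse a length that points past the buffer."""
    opts, i = [], 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated DHCP option")
        opts.append((data[i], data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return opts


def build(op, hops, xid, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, opts):
    """RFC 2131 message: 236-byte fixed header (htype 1 = Ethernet, hlen 6) + magic cookie + options."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, hops, xid, 0, flags)
    fixed += b"".join(socket.inet_aton(a) for a in (ciaddr, yiaddr, siaddr, giaddr))
    fixed += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128       # chaddr, sname, file
    return fixed + MAGIC_COOKIE + encode_options(opts)


def parse(pkt):
    op, _htype, hlen, hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("BOOTP message without DHCP magic cookie")
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(pkt[o:o + 4]) for o in (12, 16, 20, 24))
    return dict(op=op, hops=hops, xid=xid, flags=flags, ciaddr=ciaddr, yiaddr=yiaddr, siaddr=siaddr,
                giaddr=giaddr, chaddr=pkt[28:28 + hlen], options=decode_options(pkt[240:]))


def option82(circuit_id, remote_id):
    """Sub-options 1 (Agent Circuit ID) and 2 (Agent Remote ID); same TLV layout, no End marker."""
    return b"".join(bytes([t, len(v)]) + v
                    for t, v in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)))


def relay_upstream(pkt, relay_ip, server_ip, circuit_id, remote_id, trusted_circuit=False):
    """Relay, client side: gi@ set only if still zero, hops +1, option 82 appended, unicast to the server.
    A client-supplied option 82 arriving with gi@ zero on an untrusted circuit is discarded (RFC 3046 §7)."""
    m = parse(pkt)
    opts = [o for o in m["options"] if o[0] != OPT_RELAY_AGENT_INFO]
    if len(opts) != len(m["options"]) and m["giaddr"] == ANY and not trusted_circuit:
        return None, None
    giaddr = relay_ip if m["giaddr"] == ANY else m["giaddr"]
    opts.append((OPT_RELAY_AGENT_INFO, option82(circuit_id, remote_id)))
    out = build(m["op"], m["hops"] + 1, m["xid"], m["flags"], m["ciaddr"], m["yiaddr"], m["siaddr"],
                giaddr, m["chaddr"], opts)
    return out, server_ip


def server_offer(pkt, server_ip, pool):
    """Server: the address is chosen by the circuit the Discover came in on, not by the client MAC.
    The Offer is unicast to gi@ and echoes option 82 unchanged so the relay can use it."""
    m = parse(pkt)
    opts = dict(m["options"])
    subs = dict(decode_options(opts[OPT_RELAY_AGENT_INFO]))
    offered = pool[subs[SUBOPT_CIRCUIT_ID]]
    reply = build(BOOTREPLY, 0, m["xid"], m["flags"], ANY, offered, server_ip, m["giaddr"], m["chaddr"],
                  [(OPT_MSG_TYPE, bytes([DHCPOFFER])), (OPT_RELAY_AGENT_INFO, opts[OPT_RELAY_AGENT_INFO])])
    return reply, m["giaddr"]


def relay_downstream(pkt):
    """Relay, server side: strip option 82, then broadcast if the client set the BC flag, else unicast to yi@."""
    m = parse(pkt)
    opts = [o for o in m["options"] if o[0] != OPT_RELAY_AGENT_INFO]
    out = build(m["op"], m["hops"], m["xid"], m["flags"], m["ciaddr"], m["yiaddr"], m["siaddr"],
                m["giaddr"], m["chaddr"], opts)
    return out, (LIMITED_BCAST if m["flags"] & FLAG_BROADCAST else m["yiaddr"])


def demo(broadcast_flag=False):
    """Constructed exchange: client MacA on circuit b'dsl-1/1/3', relay 10.0.0.1, server 10.1.1.5."""
    mac_a = bytes.fromhex("00a0c5111111")
    discover = build(BOOTREQUEST, 0, 0x3903F326, FLAG_BROADCAST if broadcast_flag else 0,
                     ANY, ANY, ANY, ANY, mac_a, [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    relayed, _ = relay_upstream(discover, "10.0.0.1", "10.1.1.5", b"dsl-1/1/3", b"isam-7302-01")
    offer, offer_dst = server_offer(relayed, "10.1.1.5", {b"dsl-1/1/3": "10.0.0.42"})
    to_client, client_dst = relay_downstream(offer)
    return dict(giaddr=parse(relayed)["giaddr"], hops=parse(relayed)["hops"], offer_dst=offer_dst,
                yiaddr=parse(to_client)["yiaddr"], client_dst=client_dst,
                opt82_stripped=OPT_RELAY_AGENT_INFO not in dict(parse(to_client)["options"]))


def spoofed_client_is_dropped():
    """A client that forges its own option 82 (claiming another line) never reaches the server."""
    spoof = build(BOOTREQUEST, 0, 1, 0, ANY, ANY, ANY, ANY, bytes.fromhex("00a0c5222222"),
                  [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                   (OPT_RELAY_AGENT_INFO, option82(b"dsl-1/1/9", b"x"))])
    return relay_upstream(spoof, "10.0.0.1", "10.1.1.5", b"dsl-1/1/3", b"isam-7302-01") == (None, None)
```

demo() returns what the slides show in the tables: gi@ becomes the relay address, the server answers to that address, and the relay delivers to yi@ or to the limited broadcast address depending on the BC flag. The pool is keyed on the circuit id rather than on chaddr, which is the point of option 82: a client can change its MAC, but not the DSL line it sits on.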
Multicast

Table of contents

- Unicast versus Multicast
- Multicast addressing
Unicast versus Multicast

Routing types

- Unicast
- Broadcast
- Multicast
- Anycast
Unicast

- Principle
  • The server application sends one copy of the data for every client
- Routing
  • Entries for every destination in the routing table
  (Figure: server application with one flow per client.)
Streaming content with unicast

- One copy of the stream is sent for each subscriber
  • Massive bandwidth use
  (Figure: the BTV server on the www side sends one copy of the "News" stream per subscriber through core and access.)
Broadcast

- Principle
  • The server application sends one copy to all hosts, even if only a few users are interested
- Routing
  • Routers typically block broadcast packets
  • Broadcast reaches the users on the LAN (same subnet)
  (Figure: server application flooding every host on its subnet.)
Multicast

- Principle
  • The server application sends one copy of the data to a group of users
  • Network nodes replicate at the last possible hop
- Routing
  • Reverse path forwarding
  (Figure: server application at the root of a multicast tree, clients at the leaves.)
Streaming content with multicast in the core

- Avoids multiple copies in the core ...
- ... but still carries multiple copies in the access network
  (Figure: one copy of the "News" stream through the core, replicated per subscriber in the access.)

Streaming content with multicast in core & access

- "Multicast" at all stages eliminates replicated broadcast traffic in the network
  (Figure: one copy of the "News" stream through core and access, replicated only at the last hop.)
Requirements to multicast data across multiple networks

- Determining multicast scope
  • A mechanism for determining the scope of a transmission
  • IP multicast protocol
- Determining multicast participants
  • A mechanism to determine whether a multicast datagram needs to be forwarded on a specific network
  • Internet Group Management Protocol (IGMP)
IP multicasting and IGMP

(Figure: a sender at the top; multicast routing protocols build the distribution tree between the routers; receivers listening to multicast group 224.10.10.10 send an IGMP JOIN for 224.10.10.10 to their local router.)

- Multicast routing protocols between routers: PIM, DVMRP
- Group membership between hosts and their first-hop router: IGMP (JOIN multicast 224.10.10.10)
Multicast addressing

IP Multicasting

- "Host group" – multicast group
  • an arbitrary group of receivers that want to receive a particular data stream
  • a single IP destination address
  • no physical or geographical boundaries: the hosts can be located anywhere on the internet
  • a host can send packets to the host group without being a member
  • a host does not know the members of the host group
- The membership of a host group is dynamic
  • no restriction on location or number
  • use of a private access key is possible
- A host group may be permanent or transient
IP Multicast Protocol

- IP multicast uses class D addresses
  • IP addresses from 224.0.0.0 to 239.255.255.255

  CLASS D: 1110 | 28-bit multicast group ID       (first octet 224 ... 239)

- Routers must be multicast enabled to support multicasting
- IP multicast addresses can only be used as destination addresses
  • Sources send multicast traffic towards the destination class D IP address; the source address is always a unicast address
Addressing

- Permanent addresses (assigned by IANA)
  • 224.0.0.0   Base Address (Reserved)
  • 224.0.0.1   All Systems on this Subnet
  • 224.0.0.2   All Routers on this Subnet
  • 224.0.0.3   Unassigned
  • 224.0.0.4   DVMRP Routers
  • 224.0.0.5   OSPF All Routers
  • 224.0.0.6   OSPF Designated Routers
  • 224.0.0.9   RIP2 Routers
  • 224.0.0.10  IGRP Routers
  • 224.0.0.11  Mobile-Agents
  • 224.0.0.12  DHCP Server / Relay Agent
  • 224.0.0.13  All PIM Routers
  • 224.0.0.14  RSVP-ENCAPSULATION
- Transient addresses
  • Dynamically assigned to a multicast group
  • Cease to exist when membership of the group drops to zero
Layer 2 multicast addresses

 Ethernet - MAC address
• Destination MAC, bytes 0 to 5: xxxxxxx1 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
• The rightmost bit of byte 0 (the first bit on the wire) is the multicast bit
 multicast bit:
• 1 – multicast (or even broadcast): the frame is destined to all hosts or a subset of hosts on the network
• 0 – unicast: the frame is destined to one single host on the network

90
L3 to L2 address mapping

 32 different multicast group IDs all map to the same Ethernet address
• IP multicast address (32 bits) = 1110 prefix + 28 bit multicast address
  e.g. 239.255.10.1 = 1110 1111-11111111-00001010-00000001
• Only the lower 23 bits are copied into the MAC address, so 5 bits are lost
• Multicast MAC address (48 bits) = 25 bits prefix + 23 bits taken from the IP address
  = 00000001-00000000-01011110-01111111-00001010-00000001 (01-00-5E-7F-0A-01)
91
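The mapping on this slide carried out in code, as an added example that is not part of the original deck: `multicast_mac` builds the MAC for a class D address and `colliding_groups` lists the 32 groups that collapse onto it (both function names are our own).

```python
"""IPv4 multicast group to Ethernet MAC mapping, as on the slide above.

Added example, not from the original deck.  The 25-bit prefix (01-00-5E
plus a 0 bit) is fixed; only the low 23 bits of the 28-bit group ID are
copied, so the top 5 bits are lost and 32 groups share one MAC.
"""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 01-00-5E-00-00-00, bit 23 is always 0
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Map a class D address (224/4) to its multicast MAC, e.g. 01-00-5E-7F-0A-01."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D (224.0.0.0/4) address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW_23_BITS)
    return "-".join(f"{(mac >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> list:
    """All 32 class D addresses that map to the same MAC as `group`.

    Bits 27..23 of the IPv4 address (the top 5 bits of the 28-bit group ID)
    do not survive the mapping, so every value of those 5 bits collides.
    A switch that forwards multicast on the MAC alone therefore delivers
    all 32 groups to any port that joined one of them.
    """
    low23 = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (lost << 23) | low23))
            for lost in range(32)]


if __name__ == "__main__":
    print(multicast_mac("239.255.10.1"))          # 01-00-5E-7F-0A-01
    print(colliding_groups("239.255.10.1")[:2])   # ['224.127.10.1', '224.255.10.1']
```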
What is 802.1x?
What is EAP?

 Extensible Authentication Protocol
 Flexible protocol that carries authentication information.
• Multiple authentication methods (smart cards, Kerberos, public key, one-time password, etc):
• Three forms of EAP are specified in the standard
EAP-MD5 – MD5 Hashed Username/Password
EAP-OTP – One-Time Passwords
EAP-TLS – Strong PKI Authenticated Transport Layer Security (SSL)
 Typically rides on top of another protocol to carry the authentication information

93
What is IEEE 802.1X?

 EAPOL – EAP over LAN
 Is used to transport higher-level authentication protocols
• Client-server based access control and authentication protocol
• Restricts unauthorized devices from connecting to a LAN through publicly accessible ports
• Standard for passing EAP over a wired or wireless LAN.
• Port Based Network Access Control
 Transports authentication information as EAP payloads
[Frame layout: 802.1x Header | EAP Payload]

94
What does 802.1X do?

 Works between the supplicant and the authenticator.
 Maintains back-end communication to an authentication (RADIUS) server
 Authenticator
• middleman for relaying EAP received in 802.1x packets to an authentication server by using RADIUS to carry the EAP information
• enables the controlled port based upon the result of the authentication exchanges.

[Figure: Supplicant PAE (client to be authenticated) <-- encapsulated EAP messages, EAPOL (Ethernet, Token Ring, 802.11) --> Authenticator PAE (Ethernet switch, router…) <-- EAP, typically on RADIUS --> Authentication Server (any EAP server, typically RADIUS); the supplicant side may be Ethernet, Token Ring, Wireless etc.]

95
802.1x - Port Based Network Access Control

 802.1x = EAPOL = EAP over LAN
 Port based network access control:
• Controlled Port : accepts packets from authenticated devices
• Uncontrolled Port : accepts EAPOL packets only.

[Figure: before authentication the controlled port is closed; after successful authentication it is opened; the uncontrolled port passes EAPOL in both states.]

96
Principle

[Figure: Authentication Server (AS) = EAP Server, Port Access Entity, IEEE 802.1X <-- secure channel, encapsulated EAP messages typically on RADIUS --> Authenticator <-- EAPOL (Ethernet, TR, 802.11) --> Supplicant = EAP Client, Port Access Entity, IEEE 802.1X.]

97
Principle

[Figure: the user activates the link; the Supplicant PAE and Authenticator PAE exchange encapsulated EAP messages over EAPOL (Ethernet, Token Ring, 802.11); the Authenticator PAE asks the Authentication Server, typically over RADIUS, "Is user authorized to access LAN?"; on a positive answer access is authorized, e.g. the controlled port is opened.]
98
Control plane requirements: 802.1X / EAP

Participants: Supplicant PAE (CPE) <-- EAPOL --> Authenticator PAE (IP DSLAM) <-- RADIUS --> Authentication Server

1. Supplicant -> Authenticator: EAPOL-Start
2. Authenticator -> Supplicant: EAP-Request/Identity
3. Supplicant -> Authenticator: EAP-Response/Identity (MyID)
4. Authenticator -> Server: Radius Access Request ()
5. Server -> Authenticator: Radius Access Challenge ()
6. Authenticator -> Supplicant: EAP-Request/OTP, OTP Challenge
7. Supplicant -> Authenticator: EAP-Response/OTP, OTP pw
8. Authenticator -> Server: Radius Access Request ()
9. Server -> Authenticator: Radius Access Accept ()
10. Authenticator -> Supplicant: EAP-Success
11. Authenticator -> Server: Radius Account Request; Server -> Authenticator: Radius Account Response (Radius Accounting)
12. Supplicant -> Authenticator: EAPOL-Logoff

100
EAPOL – 802.1x : frame format
Ethernet II Frame Format

DA (6B) | SA (6B) | Type (2B) | PAYLOAD (46–1500 Bytes)

Type values and payloads:
• 0800 = IP: IP Datagram (46–1500 Bytes)
• 0806 = ARP: ARP Req / ARP Reply (28 Bytes) + PAD (18 Bytes)
• 8035 = RARP
• 888E = 802.1x: 802.1x – EAPOL carrying EAP
• 8863 = PPPoE Control frames
• 8864 = PPPoE Data frames

102
Ethernet II versus LLC/SNAP Frame format

Ethernet II Frame Format
DA (6B) | SA (6B) | Type (2B) | PAYLOAD (46–1500 Bytes)
e.g. DA = 0180C2-000003, Type = 888E, payload = 802.1x / EAPOL

802.2 LLC / SNAP Frame Format
DA | SA | length | DSAP (1B) | SSAP (1B) | UI (1B) | ORG (3B) | Type (2B) | PAYLOAD (46–1500 Bytes)
e.g. DA | SA | length | AA | AA | 03 | 00-00-00 | 888E | 802.1x / EAPOL


103
Frame format in case EAPOL is encapsulated

Type 888E | 802.1x / EAPOL
802.1x header: PV (1B) | PT (1B) | PBL (2B) | EAP packet – Packet Body
EAP header: Code (1B) | ID (1B) | Length (2B) | EAP payload

EAPOL header:
• PV = Protocol version
• PT = Packet Type
• PBL = Packet Body Length

EAP header:
• Code (request, response…)
• Identifier
• Length

104
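An added example (not code from the original deck) that builds the Ethernet II / EAPOL / EAP layering of this slide and walks the EAPOL-Start, Request/Identity, Response/Identity and EAP-Success steps of the sequence on slide 100. The MAC addresses, the use of "MyID" as the identity payload and all function names are constructed here; the parser checks every length field before trusting it.

```python
"""Build and parse EAPOL frames laid out as on the slides: Ethernet II
header (Type 0x888E), EAPOL header (PV, PT, PBL) and EAP header
(Code, Identifier, Length).  Added example, not from the original deck;
the MAC addresses and identity below are constructed.
"""
import struct
from typing import Optional

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180C2000003")      # DA used on the slide
SUPPLICANT_MAC = bytes.fromhex("001122334455")     # constructed
AUTHENTICATOR_MAC = bytes.fromhex("66778899AABB")  # constructed

# EAPOL packet types (PT) from IEEE 802.1X and EAP codes/types from RFC 3748
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eap(code: int, ident: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """EAP packet: Code (1B), Identifier (1B), Length (2B, whole packet), Type/data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(src_mac: bytes, pt: int, body: bytes = b"", pv: int = 1) -> bytes:
    """Ethernet II + EAPOL header; PBL is the length of the Packet Body."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, pv, pt, len(body))
    return PAE_GROUP_MAC + src_mac + hdr + body


def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL frame, validating each length field before using it."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet II + EAPOL headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04X}")
    pv, pt, pbl = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + pbl]
    if len(body) != pbl:                      # PBL claims more than was captured
        raise ValueError("PBL exceeds frame length")
    out = {"da": frame[:6].hex("-"), "sa": frame[6:12].hex("-"),
           "pv": pv, "pt": pt, "pbl": pbl}
    if pt == EAPOL_EAP_PACKET:
        if pbl < 4:
            raise ValueError("EAP packet shorter than its 4-byte header")
        code, ident, length = struct.unpack("!BBH", body[:4])
        if not 4 <= length <= pbl:            # EAP Length must fit inside the body
            raise ValueError("EAP Length inconsistent with PBL")
        out.update({"code": code, "id": ident, "length": length})
        if code in (EAP_REQUEST, EAP_RESPONSE) and length >= 5:
            out["type"] = body[4]             # e.g. 1 = Identity
            out["data"] = body[5:length]
    return out


def identity_exchange(identity: bytes = b"MyID") -> list:
    """Slide 100 steps 1-3 and 10 (EAPOL-Start, Request/Identity,
    Response/Identity, EAP-Success), returned as parsed frames."""
    frames = [
        build_eapol(SUPPLICANT_MAC, EAPOL_START),
        build_eapol(AUTHENTICATOR_MAC, EAPOL_EAP_PACKET,
                    build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)),
        build_eapol(SUPPLICANT_MAC, EAPOL_EAP_PACKET,
                    build_eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)),
        build_eapol(AUTHENTICATOR_MAC, EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, 2)),
    ]
    return [parse_eapol(f) for f in frames]
```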
QoS – Quality of Service
QoS in the public Internet

 Internet today:
• Native IP:
– offers global any-to-any connectivity
– using hop-by-hop packet forwarding,
– leaving it up to the end-systems to cope with network transport problems
– Best Effort (BE) delivery system where bandwidth-intensive applications are prevalent

 Key drivers affecting the course of the Internet:
• Multimedia traffic explosion
 Bleak outlook on profitability (severe competition / flat fee pricing)
• Migration of business traffic from private to public networks
 Offer higher-priced IP-based services with guaranteed or differentiated Quality of Service (QoS) levels

106
Why QOS?

 Goals
• Improve network service perceived by applications
• Give the network administrator control over network resource usage
• These are really the same

 If there were infinite network resources, QoS would not be necessary
• but - there are congestion points
• QoS is about deciding what traffic gets access to resources at these points

107
What is QOS?

 On an intuitive level, QoS represents quantities like how fast data can be transferred, how long the receiver has to wait, how correct the received data is likely to be, how much data is likely to be lost, etc.
 QOS is the capability to provide resource/performance assurance and service differentiation in a network
• Resource/performance assurance
– the ability of a network element to have a level of assurance that its traffic and service requirements can be satisfied
– combination of hardware and software to provide consistent delivery of traffic across a network
• Service differentiation
– Implies network intelligence to differentiate between traffic flows and enable different service levels for users and applications
– Distinguishes between different types of traffic in order to allocate resources
• QoS gives preferential treatment to certain traffic

108
QOS parameters

 QoS techniques manage …
• Rate: the desired bit rate (bps) or bandwidth
• Latency: delay encountered by a packet, the sum of transmission delay, processing delays (includes router look-up), queuing delay etc.
• Jitter: variations in latency, or delay variation
• Error Rate: the percentage of packets received in error
• Loss Rate: percentage of packets dropped or lost during end-to-end transmission, or loss ratio.

109
Implementing QOS: resolving 2 main issues

 Resource allocation
• Who should get the resources and how much?
Layer 2 : ATM , 802.1p
Layer 3: Integrated Services , Differentiated Services

 Bandwidth provisioning and Performance optimization.
• How to organize the resources in a network efficiently
– to maximize the probability of delivering the commitments
– and minimize the cost of delivering the commitments.
• MPLS
• Traffic engineering

110
Implementing QoS TOC

 Classification
 Marking
 Mapping
 Connection Admission Control (CAC)
 Policing – User Parameter Control (UPC)
 Buffer Admission Control (BAC)
 Traffic scheduling
 Shaping

111
Classification

 Classification = defining traffic classes that sort traffic into categories (groups of flows)
• Traffic classes encompass both user requirements and network service offerings
 QoS techniques classify traffic into forwarding classes = classes of service (CoS) = types of service
 Basic division
• Guaranteed service (GS) and Best effort (BE).

IETF (based on sensitivity to delay):
 GS: intolerant to delay variation / tolerant to delay variation
 BE: interactive burst / interactive bulk / asynchronous bulk

ATM Forum (based on sensitivity to bandwidth):
 GS: CBR, VBR
 BE: ABR, UBR
112
Marking

 Marking packets for prioritization uses bits in the packet header to flag packets for preferential treatment.
• needed for forwarding equipment to distinguish different classes

 Marking defines how packets need to be forwarded
• Network nodes only need to read the markings and forward packets appropriately.
• Enables enforcing of varying service levels throughout the network

 Marking possible on different network layers
• Layer 2 => 802.1p-bit
• Layer 3 => TOS or DSCP
TOS = Type of Service
DSCP = Differentiated Service Code Point

113
802.1p, IP precedence, and DSCP

Layer 2 (802.1Q/p): Preamble | SFD | DA | SA | TAG (4 Bytes) | PT | DATA | FCS
• the 802.1p priority is carried in the TAG

Layer 3 (IPv4): Version | Hdr Length | TOS (1 Byte) | Total Length | ID | Offset | TTL | Protocol | Header checksum | SA | DA | Data
• IP Precedence = 3 bits of the TOS byte
• DSCP = 6 bits of the same byte

114
BAC - Buffer Admission Control

 Decide whether or not a packet can access the queue
 Tail drop:
• drop arriving packet
 Priority drop
• drop/remove on priority basis
 Random drop
• drop/remove randomly
 Random Early Drop (RED) provides active queue management
• Congestion avoidance mechanism
• When the average queue exceeds a threshold, RED drops packets from randomly chosen TCP flows
• This way a high (TCP) throughput can be maintained

115
QoS and traffic scheduling (1/2)

 Shaping
• Each queue is scheduled according to a pre-defined traffic rate.
• Bandwidth in excess cannot be reused
[Figure: several queues feeding a scheduler S.]

 FCFS (First Come First Served) or FIFO
• packets are processed according to the arrival time
• buffer overflow -> packet loss; congestion control at the endpoints of the network necessary, e.g. TCP
[Figure: a single queue feeding a scheduler S.]

116
QoS and traffic scheduling (2/2)

 Priority based scheduling
• Traffic sorted according to priorities into different queues (priority 1 … N feeding the scheduler)
• High priority queue served until empty, then lower priority queue
• Ideal for delay sensitive applications
• No traffic guarantee for low priority queue

 Weighted Fair Queuing
• Each queue gets a minimum guaranteed bandwidth (GCR) + fair share of the bandwidth in excess (NGCR)
• No priority  CDV can be impacted
[Figure: WFQ scheduler with queues 1 … N, e.g. queue 1 with GCR = 2 c/s, Weight = 50% and queue N with GCR = 4 c/s, Weight = 50%, shown over a 1 s interval.]

117
Policing - Token bucket mechanism

 Goal
• limit traffic not to exceed declared parameters
• Flow specifications needed (Traffic description)
 Three commonly used criteria:
• r = (Long term) Average Rate: rate at which tokens arrive at the bucket
• b = (Max.) Burst Size (= size of bucket)
• P = (Short term) Peak Rate: highest rate at which a source can generate traffic
 Token Bucket
• limit input to specified Burst Size and Average Rate.
 over an interval of length t, the number of packets admitted is at most r * t + b.

118
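The token bucket of this slide as an added example, not from the original deck: the rate r, bucket size b and the packet arrivals are constructed values, and `bound_holds` (our own helper) checks the r * t + b limit over every interval between two admitted packets.

```python
"""Token bucket policer as on the slide: tokens arrive at rate r, at most
b are stored, and each admitted packet spends one token per unit of size.
Over any interval of length t the admitted volume is at most r*t + b.
Added example, not from the original deck; the traffic is constructed.
"""


class TokenBucket:
    def __init__(self, r: float, b: float):
        self.r = r          # (long term) average rate, tokens per second
        self.b = b          # (max.) burst size = bucket capacity
        self.tokens = b     # a fresh bucket is full: a burst of b is admitted at once
        self.last = 0.0     # time of the last update

    def admit(self, now: float, size: float = 1.0) -> bool:
        """Conform/exceed decision for a packet of `size` tokens arriving at `now`."""
        if now < self.last:
            raise ValueError("arrival times must be non-decreasing")
        # refill at rate r for the elapsed time, but never above the bucket size b
        self.tokens = min(self.b, self.tokens + self.r * (now - self.last))
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False        # non-conforming: the policer drops (or marks) it


def police(arrivals, r: float, b: float):
    """Run a policer over (time, size) pairs; return (admitted, dropped) lists."""
    bucket = TokenBucket(r, b)
    admitted, dropped = [], []
    for t, size in arrivals:
        (admitted if bucket.admit(t, size) else dropped).append((t, size))
    return admitted, dropped


def admitted_within(admitted, start: float, length: float) -> float:
    """Volume admitted in the closed interval [start, start + length]."""
    return sum(size for t, size in admitted if start <= t <= start + length)


def bound_holds(admitted, r: float, b: float) -> bool:
    """Check the slide's bound r*t + b on every interval between two admissions."""
    times = sorted({t for t, _ in admitted})
    return all(admitted_within(admitted, s, e - s) <= r * (e - s) + b
               for s in times for e in times if e >= s)


# Constructed traffic: a burst of 10 packets at t=0, then one packet every
# 0.25 s (0.25 s steps keep the float arithmetic exact).
BURST = [(0.0, 1.0)] * 10
STEADY = [(0.25 * i, 1.0) for i in range(1, 41)]

if __name__ == "__main__":
    ok, dropped = police(BURST + STEADY, r=2.0, b=4.0)
    print(len(ok), len(dropped), bound_holds(ok, 2.0, 4.0))   # 24 26 True
```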
QOS end-to-end

 To enable QoS requires cooperation of all network layers from top-to-bottom, as well as every network element from end-to-end
 Any QoS assurances are only as good as the weakest link in the chain between sender and receiver
 Interoperability is essential for QoS

119
Architectural layers and QoS

 QoS can be implemented at link level
1. ATM via CBR, VBR, ABR, UBR
2. Ethernet via IEEE 802.1p
3. Wireless via IEEE 802.11e

 User/application really needs end-to-end QoS
• QoS also implemented at network (IP) and transport (TCP) level.

 For QoS at IP-layer: two architectures developed by IETF:
• Integrated Services model (IntServ)
• Differentiated Services model (DiffServ)

120
MAC prioritization

IEEE 802.1Q Tagged Ethernet Frame (TPID = 8100 hex)

Bytes: Preamble (7) | SFD (1) | DA (6) | SA (6) | TPID (2) | TCI (2) | Type/Length (2) | Data (42-1496) | CRC (4)
TCI bits: User Priority (3) | CFI (1) | VLAN ID (12)
 the 3 User Priority bits give 8 user-defined levels of service

121
QoS in Ethernet networks (1/2)

Class Priority | Traffic Type
7 (High) | Network Control
6 | “Voice”, < 10ms Latency and Jitter
5 | “Video”, < 100ms Latency and Jitter
4 | Delay Sensitive - no bound
3 | Reserved
2 | Reserved
1 | Reserved - less than best-effort
0 (Low) | Default - best-effort

 IEEE 802.1p specifies seven levels of QoS for the Ethernet LAN traffic
 Highest service class traffic is always sent first
 No bandwidth reservation!

122
QoS in Ethernet networks (2/2)

[Table: mapping of the eight traffic types (Network Control; “Voice”, < 10ms Latency and Jitter; “Video”, < 100ms Latency and Jitter; Delay Sensitive - no bound; Reserved; Reserved; Reserved - less than best-effort; Default - best-effort) onto the available switch queues for switches with 1 to 8 queues; the queue numbers in the cells were not recoverable from the extraction.]

 Ethernet switches can implement QoS by having up to 8 switch queues for switched Ethernet traffic.
 Most only have one or two defined, only allowing traffic to be crudely prioritized

123
QoS in ATM networks

ATM service categories:
• CBR - Constant Bit Rate
• VBR - Variable Bit Rate (rt-VBR / nrt-VBR)
• ABR - Available Bit Rate
• UBR - Unspecified Bit Rate

[Figure: an ATM bearer multiplexing a 10/100 Mbps LAN, a conference, a file transfer and a PABX, each carried on a service category (ABR, VBR, UBR, CBR).]
• Network Efficiency
• Bandwidth Pricing Options

124
IntServ service classes

 Guaranteed Service (GS) - real-time applications
• Deterministic worst-case delay bound through:
– strict admission control
– and fair queuing scheduling
• Designed for applications that require absolute guarantees on delay

 Controlled Load (CL) - adaptive applications
• Provides a less firm guarantee
• A service that is close to a lightly loaded best-effort network
• Low average delay and limited loss

 Best Effort (BE) - the current Internet service
• No QOS commitments

125
IntServ concepts

 Per flow resource reservation
• To receive resource assurance, an application must make a reservation before it can transmit traffic onto the network
• Resource Reservation Protocol - RSVP

 IntServ flow definition
• Micro-Flow = 5-tuple of header field values (SRC IP addr & Port n°, DEST IP addr & Port n°, Protocol Id)
 Each flow has a fixed path
 Routers along the path maintain the state of the flows

126
IntServ traffic management/control functions

 Application characterizes its traffic source / resource requirement
 Find a path based on the requested resources
• routing protocols (RIP, OSPF…)
 Install the reservation state along that path
• Resource reservation protocol - (RSVP)
• Admission control at each hop
• Reservation is enforced by packet classification and scheduling mechanisms in the network elements, such as routers.
 Application can start sending traffic

[Figure: in the host, the application hands its request to the RSVP process, which consults policy control and admission control; in the router, the RSVP process works together with routing, policy control and admission control; in both, a classifier and a packet scheduler handle the data path.]
127
RSVP - Resource ReSerVation Protocol TOC

 RSVP is a signaling (and not routing) protocol


 RSVP operates on top of IP (v4 or v6)
 RSVP model is one pass : receiver sends reservation requests
upstream and each node either accepts or rejects it
 RSVP fundamental message types : Path, Resv
 Path and Resv messages are sent periodically to maintain the
reservation state along a particular traffic path

QOS state = SOFT STATE

128
Path/Resv message exchange

 Path message follows the path computed by e.g. dynamic IP routing protocol (e.g. OSPF)
 At each node:
• installs state about pending reservation request
• records the IP address of upstream router

[Figure: the Path message travels Sender -> R -> R -> R -> Receiver; the Resv message travels back through the same routers from Receiver to Sender.]

 Path and Resv messages are periodically sent

129
From IntServ to DiffServ

 RSVP: per-flow (E2E signaling)  scalability!
• state explosion!
 IntServ requires RSVP & IntServ router capabilities E2E
• “upgrade the whole world”

 Solution: ensure “QoS” scalability through aggregation
 Differential Services: scalable differentiation through aggregation in a limited amount of queues

[Figure: two schedulers side by side: full differentiation but no aggregation (one queue per flow) versus aggregation into a limited number of queues.]

130
DiffServ concepts TOC

 Aggregate flow classification


• Classification and conditioning at the network edge
– DSCP used to identify how each node should handle the frame

• no need for per-flow state (stateless)

 Simple core routers, complex edge routers


• Per hop behaviors for core routers
• Traffic conditioning block for edge routers

 Sophisticated network management


• Resource provisioning of the network by management
• Traffic Contracts - Service Level Agreements
• no per-flow end-to-end signaling

131
DiffServ key concepts

[Figure: the user's traffic enters a DiffServ Edge Router under a Service Level Specification (SLS); the edge router performs classification – aggregation and Traffic Conditioning (TC) (policing/marking/dropping); DiffServ Core Routers apply a Per Hop Behavior (PHB): per-class queuing, weighted scheduling, priority dropping.]
132
Per hop behavior: split of functionality in a DS domain

[Figure: the DiffServ Edge Router runs Classifier, Marker, Meter and Policer; the DiffServ Core Router extracts the DSCP, selects the PHB and applies the packet treatment according to local PHB conditions.]

133
DiffServ service classes – Per hop behavior TOC

 PHB - Expedited Forwarding (EF) – Real time applications


• Recommended DSCP = 101110
• Low loss, low latency, low jitter and guaranteed bandwidth for
aggregated flow
• Point-to-point connection or virtual leased line service
 PHB - Assured Forwarding (AF) - minimal throughput (messaging /
file)
• Four AF classes are implemented, which forward packets
independently from each other
• Per AF class: 3 levels of Drop Precedence (low/medium/high)
• 12 DSCP values
 PHB - Best Effort (BE) - the current Internet service
• Default DSCP = 000000
• Unrecognized DSCP’s should be treated as BE traffic
• No QOS commitments

134
IPv4 header

4-bit version | 4-bit hdr length | 8-bit type of service (TOS) | 16-bit total length (in bytes)
16-bit identification | 3-bit flags | 13-bit fragment offset
8-bit time to live (TTL) | 8-bit protocol | 16-bit header checksum
32-bit source IP address
32-bit destination IP address
Options (if any)
data

 QoS in IP-Datagrams
• Described by the TOS-Byte: Priority (3 bits) | Delay | Throughput | Reliability | CU | CU
• RFC 791: do not use TOS
• TOS: set of bits where each bit has its own meaning.
• IPv4 can‘t provide QoS

135
ToS and precedence (RFC 1349)

 Not widely used for traffic differentiation in TCP/IP implementations.
 Redefined for service discrimination and relabeled as
• Differentiated Service (DS) Byte
• redefines TOS field as a 4-bit field (unlike RFC791).

TOS Byte layout: Precedence (3 bits) | TOS Field (4 bits) | MBZ (1 bit, ‘Must be zero’)

Precedence:
• 000 (0) – Routine
• 001 (1) – Priority
• 010 (2) – Immediate
• 011 (3) – Flash
• 100 (4) – Flash Override
• 101 (5) – Critical
• 110 (6) – Inter-network Control
• 111 (7) – Network Control

TOS field:
• 0000 – normal service
• 0001 – minimize monetary cost
• 0010 – maximize reliability
• 0100 – maximize throughput
• 1000 – minimize delay
136
DSCP - Differentiated Services Code Point

RFC 1349 TOS Byte: Precedence (3 bits) | ToS Field (4 bits) | MBZ / Check Bit (1 bit)
DS Byte: DSCP (6 bits) | Unused (2 bits); within the DSCP the upper 3 bits select the class, the next bits are 1/0 1/0 0

Class Selector (CS) code points (upper 3 bits, lower 3 bits 000):
• Default 000
• CS1 001
• CS2 010
• CS3 011
• CS4 100
• CS5 101
• CS6 110
• CS7 111

Example: DSCP AF42 = 100 100 (Class Selector Point 4, drop precedence 2), decimal value 36

137
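An added example, not from the original deck, that encodes and decodes the TOS byte both as RFC 1349 precedence/TOS bits (previous slide) and as a DSCP (this slide), reproducing AF42 = 36 and showing why a class selector is read as the same precedence by older equipment. The helper names are our own.

```python
"""The IPv4 TOS byte decoded both ways the slides describe: RFC 1349
(3-bit precedence, 4-bit TOS field, MBZ) and RFC 2474 (6-bit DSCP,
2 unused bits).  Added example, not from the original deck.
"""

PRECEDENCE_NAMES = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
                    "Critical", "Inter-network Control", "Network Control"]
TOS_FLAGS = {0b1000: "minimize delay", 0b0100: "maximize throughput",
             0b0010: "maximize reliability", 0b0001: "minimize monetary cost"}
EF = 0b101110   # Expedited Forwarding, recommended DSCP 46


def tos_byte(precedence: int, tos_bits: int = 0) -> int:
    """RFC 1349 layout: PPP TTTT M, with the MBZ bit always 0."""
    if not (0 <= precedence <= 7 and 0 <= tos_bits <= 0xF):
        raise ValueError("precedence is 3 bits, the TOS field is 4 bits")
    return (precedence << 5) | (tos_bits << 1)


def decode_tos(byte: int) -> dict:
    """Split a byte into precedence, the set TOS flags and the MBZ bit."""
    prec = byte >> 5
    return {"precedence": prec, "name": PRECEDENCE_NAMES[prec],
            "tos": [n for bit, n in TOS_FLAGS.items() if (byte >> 1) & bit],
            "mbz": byte & 1}


def af(cls: int, drop: int) -> int:
    """Assured Forwarding AFxy code point: class x (1..4) in the upper 3 bits,
    drop precedence y (1..3) in the next 2 bits, i.e. 8x + 2y (AF42 = 36)."""
    if cls not in (1, 2, 3, 4) or drop not in (1, 2, 3):
        raise ValueError("AF defines four classes with three drop precedences")
    return (cls << 3) | (drop << 1)


def dscp_name(dscp: int) -> str:
    """Name a code point; anything unrecognized is to be treated as best effort."""
    if dscp == 0:
        return "Default (BE)"
    if dscp == EF:
        return "EF"
    cls, low = dscp >> 3, dscp & 0b111
    if low == 0:
        return f"CS{cls}"                       # class selector: xxx000
    if 1 <= cls <= 4 and low in (0b010, 0b100, 0b110):
        return f"AF{cls}{low >> 1}"
    return "unrecognized (treat as BE)"


def dscp_byte(dscp: int) -> int:
    """RFC 2474 layout: DSCP in the upper 6 bits, 2 unused bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    return dscp << 2


def decode_dscp(byte: int) -> dict:
    """Read a byte as DS field; the upper 3 bits of the DSCP line up with the
    old IP precedence, which is why CSn is seen as precedence n by RFC 1349 gear."""
    dscp = byte >> 2
    return {"dscp": dscp, "name": dscp_name(dscp), "unused": byte & 0b11,
            "precedence": dscp >> 3}
```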
Internet Group Management Protocol

IGMP
Terminology

[Figure: BTV delivery chain from the content network through the core network and the access network to the home network; IGMP runs between the home and the access side.]

Multicast Routing
• Router to Router – PIM DM/SM, DVMRP, MOSPF etc.
• Client to Router – IGMP (internet group management protocol) version 1,2,3

Multicast Control Termination (MCT) – entity which terminates the IGMP signaling which is used to initiate channel zapping; this protocol is initiated within the customer device (usually a STB) when channel changes are requested

Multicast Engine (ME) – entity which actually copies the stream in order that multiple users can view the same content. Depending upon the architecture the ME function may be done in more than one place.

139
Situating IGMP

[Figure: protocol stack for an incoming frame: the Ethernet driver demultiplexes on the frame type (Ethernet header) to ARP or IP; IP demultiplexes on the protocol value (IP header) to ICMP, IGMP (protocol value 2), TCP or UDP; TCP and UDP demultiplex on the destination port number (TCP/UDP header) to the applications.]

140
IGMP – Internet Group Management Protocol

 IGMP is used to dynamically register individual hosts in a multicast group on a particular LAN
 IGMP Hosts
• Hosts identify group memberships by sending IGMP messages to their local multicast router
 IGMP Routers
• Routers listen to IGMP messages and periodically send out queries to discover which groups are active or inactive on a particular subnet

[Figure: the router sends a membership query; hosts answer with a membership report (join) or a leave group (unjoin) message.]

141
IGMP – Internet Group Management Protocol

 Like ICMP, IGMP is considered part of the IP layer
IP header (20 byte) | IGMP message (8 Byte)

 Different versions exist
• IGMPv1 = query / response model = age out mechanism: not responding to queries (latency 3 minutes)
• IGMPv2 = introduction of join / leave messages; still too slow for DSL
• Expedited leave based on IGMPv2 (BAS/ISM implementation)
• IGMPv3 xxxxxxx

[Figure: membership query; membership report join; membership report leave (from IGMP v2 onwards).]

142
IGMP Packet Format

 IGMPv1
• IGMPv1 = query / response model
• age out mechanism (latency 3 minutes); no “leave”-messages.
• Format: bits 0-3 Ver | 4-7 Type | 8-15 Unused | 16-31 Checksum; then 32-bit Group Address
• Version = 1
• Type: 1 = Query, 2 = Report
• Group address: Multicast Group Address

 IGMPv2
• IGMPv2 = introduction of leave messages and group specific queries
• Format: bits 0-7 Type | 8-15 Max Resp time | 16-31 Checksum; then 32-bit Group Address
• Type: 0x11 = Query, 0x12 = Version 1 Report, 0x16 = Version 2 Report, 0x17 = Leave Report
• Maximum Response Time: max. time before sending a responding report

143
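The IGMPv1/v2 message layout on this slide built and parsed in code, as an added example not from the original deck: the message values are constructed (the group 224.10.10.10 is taken from the earlier multicast figure), and the checksum is the standard Internet checksum of RFC 1071.

```python
"""Build and parse the 8-byte IGMPv1/v2 messages from the slide and verify
their Internet checksum.  Added example, not from the original deck; the
message values are constructed.
"""
import ipaddress
import struct

IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
TYPE_NAMES = {IGMP_QUERY: "Membership Query", IGMP_V1_REPORT: "Version 1 Report",
              IGMP_V2_REPORT: "Version 2 Report", IGMP_LEAVE: "Leave Group"}
# IGMPv1 packs Version=1 and Type=1 (query) / 2 (report) into the first byte,
# which is exactly 0x11 / 0x12, so one parser covers both versions.


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Type | Max Resp Time (unused, 0 in v1) | Checksum | Group Address."""
    raw = struct.pack("!BBH4s", msg_type, max_resp_time, 0,
                      ipaddress.IPv4Address(group).packed)
    return raw[:2] + struct.pack("!H", inet_checksum(raw)) + raw[4:]


def parse_igmp(msg: bytes) -> dict:
    """Decode one message; reject bad checksums and non-class D groups."""
    if len(msg) < 8:
        raise ValueError("IGMPv1/v2 messages are 8 bytes")
    if inet_checksum(bytes(msg[:8])) != 0:   # a valid message sums to 0xFFFF
        raise ValueError("bad IGMP checksum")
    msg_type, mrt, _csum, raw_group = struct.unpack("!BBH4s", msg[:8])
    group = ipaddress.IPv4Address(raw_group)
    out = {"type": msg_type, "name": TYPE_NAMES.get(msg_type, "unknown"),
           "group": str(group)}
    if msg_type == IGMP_QUERY:
        # a v1 query always carries 0 here; v2 uses it as Max Resp Time in 1/10 s
        out["version"] = 1 if mrt == 0 else 2
        out["max_resp_time_s"] = mrt / 10
        out["scope"] = "general" if int(group) == 0 else "group-specific"
    else:
        out["version"] = 1 if msg_type == IGMP_V1_REPORT else 2
        if not group.is_multicast:
            raise ValueError("report/leave must name a class D group")
    return out
```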
IGMP version 1 (RFC1112)

Query-response model
 IGMP query: BTV asks “want to watch something?”
 IGMP report: “join News”
 start sending data (= News)

In order to receive a multicast stream, a “join” report can be initiated by the user (skip step 1)

144
IGMP version 1 (RFC1112) - cont’d

Query-response model
 IGMP query: BTV asks “want to keep watching?”
 No IGMP report: “no”
 stop sending data (= News) and “prune branch”

User cannot initiate to “leave” a multicast group; based on time-out mechanism = not optimal (leave latency up to 3 minutes)

145
IGMP version 2 (RFC2236)

Introduction of “leave” message and Group specific queries
 IGMP report: “join News”
 start sending data (= News)
 IGMP report: “leave News”

Faster response: initiative for both “join” and “leave” comes from users

146
IGMP version 2 (RFC2236)

After receiving a “leave” message, a Group specific query is sent
 IGMP Group specific query (BTV)
 No answer  stop sending data (= News)

147
IGMP – Versions and their future

 ICMP = Signaling protocol for IP unicast
• in IPv6 IGMP will be part of ICMP
 IGMP = Signaling protocol for IP multicast
 Used by hosts to join or leave a multicast host group.
• Group membership information is exchanged between a specific host and the nearest multicast router (by means of group membership report)

IP header (20 byte) | IGMP message (8 Byte)

Messages per version:
• IGMPv1: Query, Report
• IGMPv2: Query, Report, Leave
• IGMPv3: Query, Report, Leave; adds the concept of “source filtering” + join/leave for groups
 v3 (e.g. WinXP) client falls back to v2 if a v2 message is received

Group Destination Address = Multicast IP address of Class D type IP address (224.0.0.0 - 239.255.255.255) = added to/removed from the multicast routing table

148
Terminology IGMP Snooping vs Proxy
Terminology

 Static MC stream
• MC stream sent/available on switch no matter if there is a subscriber or not
 Dynamic MC stream
• MC stream sent to the switch only when there is a subscriber for it.

[Figure: ISAMs connected through Ethernet switches (IGMP snooping, VLAN bridging) to the IP edge (BAS, IP router) and the IP backbone; N streams are carried in one VLAN, and IGMP for stream Nb s selects among them.]

150
IGMP snooping/Proxy functionality TOC

 L2 boxes like switches are basically unaware of L3.


• Multicast streams travel through as broadcast traffic (because
switches can’t learn multicast addresses (GDA)).
• Adding IGMP (L3) intelligence to switch will inhibit broadcast
• Switch will forward multicast stream only to those ports on which it
received an IGMP Join message
 IGMP snooping
• Monitoring passively the IGMP messages passing by and then
taking appropriate actions for setting up multicast branches
 IGMP proxy
• Messages do not pass transparently through
• IGMP proxy acts as a router and can terminate and generate IGMP
messages

151
IGMP snooping: GMQ and Report

[Figure: the router R sends an IGMP GMQ (general membership query); the snooping switch forwards it to the hosts H, and each host's IGMP report passes through the switch to R.]

152
IGMP proxy: GMQ and Report

[Figure: the router R sends an IGMP GMQ; the proxy terminates it, generates its own IGMP GMQ towards the hosts H, terminates their IGMP reports and generates its own IGMP report towards R.]

153
IGMP snooping: Join

[Figure: Static Multicast: the MC stream is already present at the switch; the host's IGMP JOIN passes through the switch to the router and the switch starts forwarding the stream on that port. Dynamic Multicast: the IGMP JOIN passes through to the router, after which the stream is delivered to the switch and on to the port.]

154
IGMP proxy: Join

[Figure: Static Multicast: the proxy terminates the host's IGMP JOIN and forwards the already available MC stream. Dynamic Multicast: the proxy terminates the host's IGMP JOIN and generates its own IGMP JOIN towards the router R to pull in the stream.]
155
IGMP snooping: IGMP Leave

[Figure: Static and Dynamic Multicast: the host sends an IGMP Leave; the router answers with an IGMP GSQ (group specific query), which the snooping switch forwards to the hosts.]

156
IGMP proxy: IGMP Leave

[Figure: Static Multicast: the host sends an IGMP Leave; the proxy terminates it and generates its own IGMP GSQ towards the hosts. Dynamic Multicast: after the proxy's GSQ, if no IGMP Report is received for that specific group, the proxy sends an IGMP Leave towards the router R, which then sends its own query.]
157
Rapid Spanning Tree Protocol

RSTP
IEEE 802.1 Protocol overview TOC

 802.1D Bridge Protocol


• Interconnection of IEEE 802 LANs
• Includes Spanning Tree Protocol (STP)

 802.1W Rapid Bridge Protocol


• Amendment to IEEE Std 802.1D
• Rapid Spanning Tree Protocol (RSTP)

159
Bridged networks and forwarding loops

 Bridged networks can contain forwarding loops
• e.g. in meshed topologies
 To avoid loops only one active path can exist between 2 nodes
 If multiple physical paths between two arbitrary hosts exist, Spanning Tree Protocol (STP) is used to ensure that only one single path is used

 STP relies on sending BPDUs: Bridge Protocol Data Units
 Key functions:
• find an active topology without loops
• block and unblock ports
• discover failures

160
Example of a loop

 Multiple active paths between hosts cause loops
• end stations might receive duplicate messages
• switches might learn host MAC addresses on multiple interfaces.
 These conditions result in an unstable network

[Figure: LOOP! Hosts Phys1 and Phys2 connected through a ring of switches (ports P1, P2); the switches' MAC tables (Phys, MAC addr., Port nbr) show the same host learned on more than one port as frames circulate.]
161
STP – Spanning Tree Protocol

 IEEE 802.1d bridge protocol
 Spanning tree: loop-free subset of a network topology
• STP defines a tree with a root switch and a loop-free path from the root to all switches in the layer 2 network
• redundant paths are put into a standby state (ports will be blocked)
• if a network segment in the spanning tree fails and a redundant path exists, a new spanning tree will be calculated and activated.

 Operation of STP is transparent to hosts
• hosts cannot detect whether they are connected to a single LAN segment or a switched LAN with multiple segments

162
STP – Spanning Tree Protocol TOC

 bridges send BPDU – Bridge Protocol Data Unit


 BPDU are used to build the spanning tree :
• select one bridge as the root bridge (lowest bridge-id)
• calculate the shortest path from each of the other bridges to the root
bridge based on the path cost
• define a designated bridge in each LAN that will forward frames to
the root (based on path cost)
• on each non-root bridge, select the port that gives the best path
towards the root (see also root port and designated port)
• select ports to be included in the spanning tree (block other ports)
 the bridge-id is based on one of the MAC addresses
 the path cost default value can be changed by the operator

163
BPDU Field Format

For each BPDU format:
• The destination address is specified in the Bridge Group Address table.
• The source address is the base MAC address used by the switch.
• The SAP field should be set to 0x424203.

BPDU fields (size in bytes):
• Protocol Identifier (2)
• Protocol Version ID (1)
• BPDU Type (1)
• Flags (1)
• Root Identifier (8)
• Root path cost (4)
• Bridge Identifier (4)
• Port Identifier (2)
• Message age (2)
• Max age (2)
• Hello time (2)
• Forward delay (2)

164
Bridge and port definitions

• R = Root port: the port receiving the best BPDU on the segment
• D = Designated port: the port sending the best BPDU on the segment
• Alternate port (blocked): can take over the root port role
• Backup port (blocked): can take over the designated port role

[Figure: a ROOT bridge with designated ports D on both segments; DESIGNATED bridges below with root ports R; a blocked alternate port and a blocked backup port, each marked "Take over".]
165
Spanning tree – Example

[Figure: a bridged topology with bridge identifiers (root = 0; further bridges numbered 1 to 13) interconnected by LAN segments; each port is labelled with its path cost (2, 4, 19 or 100) and the resulting spanning tree is drawn.]

Path cost per link speed:
• 10Mbps  100
• 100Mbps  19
• 1000Mbps  4
• 10Gbps  2
168
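The election and port-role computation described on the STP slides (root = lowest bridge id, root path cost, root and designated ports, blocked ports), run on a constructed topology with the path costs from this slide. Added example, not the deck's own code; the bridge ids, LAN names and function names are made up here.

```python
"""Spanning tree computed the way the STP slides describe it: elect the
root (lowest bridge id), give every bridge its root path cost from the
802.1D link costs, pick the root port per bridge and the designated
bridge per LAN, block every other port.  Added example on a constructed
topology; not from the original deck.
"""
import heapq

PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbit/s -> cost, from the slide

# Constructed topology: one (bridge_id, lan, speed_mbps) tuple per port.
TOPOLOGY = [
    (0, "A", 1000), (10, "A", 1000), (9, "A", 100),    # LAN A: root, bridge 10, bridge 9
    (0, "B", 100), (12, "B", 100),                     # LAN B: a slow link root <-> 12
    (10, "C", 1000), (12, "C", 1000), (9, "C", 1000),  # LAN C: gigabit mesh below 10
]


def root_path_costs(attachments, root):
    """Dijkstra on the bridge/LAN graph: a bridge reaches a LAN it is attached
    to for free (it transmits the BPDU there); a LAN reaches an attached bridge
    at that port's path cost (cost is added on reception, as in 802.1D)."""
    cost = {(b, l): PATH_COST[s] for b, l, s in attachments}
    dist, heap = {("B", root): 0}, [(0, "B", root)]
    while heap:
        d, kind, node = heapq.heappop(heap)
        if d > dist[(kind, node)]:
            continue
        if kind == "B":
            edges = [(0, "L", l) for b, l, _ in attachments if b == node]
        else:
            edges = [(cost[(b, node)], "B", b) for b, l, _ in attachments if l == node]
        for w, k, n in edges:
            if d + w < dist.get((k, n), float("inf")):
                dist[(k, n)] = d + w
                heapq.heappush(heap, (d + w, k, n))
    return {b: dist[("B", b)] for b, _, _ in attachments}, cost


def spanning_tree(attachments):
    """Return (root, root path cost per bridge, role per (bridge, lan) port)."""
    root = min(b for b, _, _ in attachments)            # lowest bridge id wins
    rpc, cost = root_path_costs(attachments, root)
    lans = {l for _, l, _ in attachments}
    # Designated bridge per LAN: lowest root path cost, tie broken by bridge id
    designated = {l: min((rpc[b], b) for b, l2, _ in attachments if l2 == l)[1]
                  for l in lans}
    roles = {}
    for b in sorted(rpc):
        ports = [l for b2, l, _ in attachments if b2 == b]
        root_port = None
        if b != root:
            # Root port: cheapest way to the root, tie broken by designated bridge id
            root_port = min(ports, key=lambda l: (rpc[designated[l]] + cost[(b, l)],
                                                  designated[l]))
        for l in ports:
            if l == root_port:
                roles[(b, l)] = "root"
            elif designated[l] == b:
                roles[(b, l)] = "designated"
            else:
                roles[(b, l)] = "blocked"               # alternate/backup port
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = spanning_tree(TOPOLOGY)
    print(root, rpc)                                    # 0 {0: 0, 10: 4, 9: 8, 12: 8}
    for port, role in sorted(roles.items()):
        print(port, role)
```

Bridge 12 blocks its direct 100 Mbps port to the root because the gigabit path through bridge 10 costs 8 instead of 19.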
RSTP (Rapid Spanning Tree Protocol) TOC

 Limitations of IEEE802.1d STP ?


• STP recovers connectivity after an outage within 1 minute.
• L3 routers need less time for recovery (e.g. OSPF)!
• Cisco added proprietary enhancements (configuration needed)

 IEEE802.1w RSTP
• Evolution of 802.1d STP
• Most parameters remain the same
• Capable of reverting back to 802.1d on a per port basis

 Enhancements
• Only 3 port states: discarding, learning and forwarding
• All bridges send BPDUs periodically i.s.o relaying root-BPDU
• Rapid transition to forwarding state which speeds up convergence when
links are added / changed (sometimes within hundreds of ms)
• New topology change mechanisms

169
www.alcatel.com

170
