Basics of Network Segmentation: Switching and Bridging
03/16/2001
In previous articles, I explored the inner workings of the OSI Network Reference model, layer 2, the datalink layer, and one of its protocols, Ethernet. This week I'm going to significantly expand our simple two-host network -- one Macintosh and one e-mail server -- to include many hosts.
Our imaginary network example, the small sprocket manufacturing business, has suddenly taken off, and Mr. Spacely has hired seventy new employees. Each employee is required to have a host on the local network. All the devices are sharing the same media. The architecture is one Ethernet LAN segment.
Now the question arises, how do 72 hosts share one Ethernet LAN segment? The original Macintosh host must now share the wire with many other devices. The Ethernet protocol uses mechanisms at the LLC sub-layer of layer 2 for flow control. The network card listens to the physical wire (layer 1) for a moment when there are no electrical pulses (transmissions). If the wire is quiet, as would be the case for our original two-host network, the Macintosh can easily place its Ethernet frame on the wire.
Consuming bandwidth on a single segment
Now, there are 71 other devices on the network that the Macintosh must contend with for frame transmission. If the Macintosh Ethernet adapter senses a transmission on the wire, the adapter will wait to transmit. After the wait period has expired, the network card will attempt once more to transmit the frame onto the wire. If the wire is still in use by another device, the Ethernet adapter will wait once more before attempting to transmit. The Ethernet adapter uses a back-off counter to tally these attempts. If the back-off counter exceeds 15 tries, the adapter will assume the wire is too busy to send the frame. It will then clean the frame from its memory.
In the event two network devices transmit simultaneously, a packet collision occurs. When a collision occurs and is detected, the Ethernet adapter will generate an alarm on the wire to signal other stations of the event. If the collisions occur continuously, the adapter would dump the frame and not attempt to transmit. Such a condition would arise if too many devices were on one network segment. A scenario could occur where a faulty network card could transmit continuously, causing collisions on the network.
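The transmit-retry behavior described above, as an added simulation that is not part of the original article. It models one adapter per the article (each busy wire or collision bumps the back-off counter, and the frame is discarded once the counter passes 15) and uses the standard truncated binary exponential back-off schedule for the wait; the per-attempt outcomes list is constructed input.

```python
import random

MAX_ATTEMPTS = 16   # attempt 1 plus 15 retries; a failure on the 16th drops the frame
BACKOFF_CAP = 10    # the random range stops growing after the 10th failure

def backoff_slots(failures, rng):
    """Truncated binary exponential back-off: after the n-th failed attempt the
    adapter waits a random number of slot times drawn from 0 .. 2**min(n, 10) - 1."""
    return rng.randint(0, 2 ** min(failures, BACKOFF_CAP) - 1)

def transmit_frame(outcomes, seed=0):
    """Simulate one adapter trying to place a frame on a shared segment.

    outcomes is a constructed list of what the adapter sees on each attempt:
    "idle" (the frame goes out), "busy" (carrier sensed, defer) or "collision"
    (jam, then back off).  Attempts beyond the list are treated as "idle".
    Returns the final status, attempts used and slot times spent waiting."""
    rng = random.Random(seed)
    waited = 0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        seen = outcomes[attempt - 1] if attempt - 1 < len(outcomes) else "idle"
        if seen == "idle":
            return {"status": "sent", "attempts": attempt, "slots_waited": waited}
        # busy wire or collision: tally the failure and back off before retrying
        waited += backoff_slots(attempt, rng)
    # back-off counter exceeded 15 tries: the adapter discards the frame
    return {"status": "dropped", "attempts": MAX_ATTEMPTS, "slots_waited": waited}
```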
If we have too many hosts on the Sprocket network, it is time to break up the segment into other, smaller network segments. The primary reason for segmenting is to increase bandwidth and to span the network over greater distances. The Ethernet 10-Base T topology has a distance limitation of 100 meters in transmission.
The Sprockets manufacturing floor quickly outgrew the space available in the basement of the founder's parents' farmhouse. The old barn started looking pretty appealing in size and cost of space per square footage. However, the old barn was about 90 meters away from the basement corporate site.
Mr. Spacely's mother, now the VP of IT at Sprockets, knew this distance was too close to the 100-meter limitation of the existing Ethernet 10-Base T network. When Momma Spacely was baking some cookies for the quarterly company meeting, she came to the conclusion that a signal repeater was needed to bridge the extended network between the corporate site and the new manufacturing facility.
A repeater is a layer-1, physical-layer device that simply repeats the signal from one wire onto another wire. This is a simple way to solve the Ethernet distance limitations for the Sprockets corporation, but it does have its drawbacks. For instance, if a lot of collisions are occurring in the corporate side of the network, they will be forwarded to the manufacturing network. Hubs, which are essentially repeaters with multiple ports, would be a more common solution to the Sprockets problem. A repeater is just a means for extending the existing network.
At the weekly managers' meeting, Mr. Spacely Sr., Spacely's father and also VP of manufacturing, expresses his concern about the numerous network outages his group is experiencing. The congested finance network in the basement facility is interfering with the manufacturing robots' access to the Oracle database servers in the family room. The VP of IT decides it is time to segment the corporate networks with layer-2 bridging devices.
Bridges use MAC addresses to handle traffic flow. A bridge can also filter by MAC address, a feature that makes the bridge more attractive than a repeater. This style of filtering on Ethernet is called transparent bridging.
For the Sprocket network a filter can be set in place to keep the chatty corporate frames off the manufacturing and database server network segments. Likewise, in the event bad frames are blasting across the corporate network, the transparent bridging will not forward these to other network segments.
Bridging hardware has ports, called interfaces, where network segments connect. Filters are handled by software in the bridging device. The bridging cache maintains a MAC address table, similar to an ARP cache, but it also records which interface on the bridge each MAC address resides on. This table is crucial for the filtering software.
If an Ethernet frame contains a source MAC address (SA) and a destination MAC address (DA) from a network segment on the same interface, then the frame is not forwarded to the rest of the network. The bridging software can make this distinction by using the MAC address and interface lookup table.
Local and remote bridging
Layer-2 bridging hardware is primarily used for two distinct topologies: local and remote bridged networks. The Sprocket LAN is an example of a local bridging topology. The bridge is used for connecting multiple networks into one big network.
A remote bridge topology is used when two networks are separated geographically. For instance, Sprockets may wish to extend its network to cousin Fred's machine shop in another state. Fred may require access to the database server for quality assurance and ISO 9000 certification. The Sprockets LAN can be extended with bridging hardware and a few leased lines from the phone company. Filters would definitely need to be in place for cousin Fred. You wouldn't want to tie up his two T1 leased lines with noise from the corporate office computers.
When a bridge receives a broadcast on one interface, it forwards the frame to all other interfaces. There are pros and cons to layer-2 frame flooding and bridging. For example, in cousin Fred's shop, the floor robots' software may use broadcasts to update all the robots simultaneously with new instructions. This ensures that all robots receive the same notification and updates. The downside is that the finance network will also receive the robots' frames, since finance shares the same bridged network. The network can easily become overwhelmed.
The layer-2 switch
Five years have gone by since Mr. Spacely Jr. started Sprockets. It has now evolved into a large corporation with manufacturing partners in the Pacific island rim. Cousin Fred is VP of computer-integrated manufacturing as well as a proud recipient of CCIE, MCSE, and Linux certifications. All this to keep his manufacturing robots operating on a 7x24 schedule. Cousin Fred now has high-speed ATM WAN connections between his Uncle Spacely Sr.'s family room and his automated shop floor.
The family room, now a humble data center supporting finance, marketing, and engineering, has raised flooring and a climate-controlled environment for an IBM mainframe, five Linux servers, and two Windows 2000 servers. The family room, which Mr. Spacely Sr. aptly refers to as his hobby room, has a fast Ethernet LAN segment and a token ring network. Finance is wired into a token ring, to the data center mainframe, while the local manufacturing floor in the barn is the legacy 10-Base T Ethernet network. There are now mixed layer-2 media that must operate seamlessly.
Momma Spacely, the VP of IT, makes a bold move once more to introduce cutting-edge hardware. She opts to use a layer-2 switch to connect her growing mixed-media network. A layer-2 switch is essentially a super bridging device. Instead of connecting via interfaces as Sprockets did with a bridge, the connection medium of a switch is a port, just like a port on a simple hub (repeater). Unlike a hub, a port on a switch can be configured to belong to a specific network.
The Sprocket corporate network is Ethernet using TCP/IP protocols. The token ring network is also using TCP/IP. However, token ring layer 2 and Ethernet layer 2 are entirely different frames. And don't forget cousin Fred's ATM WAN connection which uses LANE (LAN Emulation for Ethernet and Token Ring). The Sprockets network has a switch with interface cards that support all these styles of ports. The ATM switch is a special piece of hardware that works in conjunction with the layer-2 switch they use for the network. All this functionality is handled primarily at the hardware level of the switch.
The primary layer-3 protocol in the Sprockets network is IP. The layer-2 protocols are a mixture of token ring, Ethernet, and ATM LANE. Our network-knowledgeable VP of IT decides to carve up her mixed-media and workgroup infrastructure into virtual LANs (VLANs). The physical ports of the layer-2 switch can be configured to belong to a logical network. Recall the MAC address table for the bridge we discussed earlier? Now a MAC address table is maintained with an associated VLAN. What the switch is doing is carving up the really big and flat network into manageable isolated network segments. Finance can have its own VLAN using token ring. Cousin Fred and his ATM LANE Ethernet traffic flows can be moved over to a manufacturing VLAN and so forth.
From the figure you can see that the Sprockets network topology is easily carved into three distinct virtual networks: manufacturing, finance, and a server farm. The technical definition of a VLAN is a virtual bridge that segments a physical broadcast domain inside of a switch. The rule of thumb is that one VLAN cannot explicitly pass traffic to another. Therefore, finance traffic is now kept inside the finance token ring and Ethernet networks. Manufacturing has its own VLAN extended across an ATM LANE link. This is a good solution for managing the bandwidth, but a small problem has surfaced. How can users access the server farm if it's off on its own VLAN? The solution is a layer-3 switch, called a router, which we'll discuss in a future segment. The point that needs to be made is that the layer-2 switch provides the ability to carve up your network into broadcast domains. Making these broadcast domains share traffic across VLANs requires a layer-3 switch (router).
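The bridge MAC table, the same-segment filtering decision and the broadcast flooding described earlier, extended with the per-VLAN table this section introduces, as an added example that is not code from the original article. The Sprockets port layout and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str  # source MAC address (SA)
    dst: str  # destination MAC address (DA)

@dataclass
class Switch:
    """Transparent bridge / layer-2 switch with a per-VLAN MAC address table.

    port_vlan maps each port to the VLAN it is configured into.  table is the
    bridging cache: (vlan, mac) -> port on which that MAC was last seen."""
    port_vlan: dict
    table: dict = field(default_factory=dict)

    def receive(self, in_port, frame):
        """Learn the SA, then return the ports the frame is forwarded out of."""
        vlan = self.port_vlan[in_port]
        self.table[(vlan, frame.src)] = in_port          # learning
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.table:
            # broadcast or unknown DA: flood, but only to ports in the same VLAN
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        out_port = self.table[(vlan, frame.dst)]
        # SA and DA on the same segment: filter the frame instead of forwarding it
        return [] if out_port == in_port else [out_port]

def sprockets_demo():
    """Constructed topology: ports 1-2 form the manufacturing VLAN 10 (two robots
    share a hub on port 1); ports 3-4 form the finance VLAN 20."""
    sw = Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20})
    robot_a, robot_b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    fin_pc, fin_srv = "00:00:5e:00:53:11", "00:00:5e:00:53:12"
    return [
        sw.receive(1, Frame(robot_a, BROADCAST)),  # flooded within VLAN 10 only
        sw.receive(1, Frame(robot_b, robot_a)),    # DA on the same segment: filtered
        sw.receive(3, Frame(fin_pc, fin_srv)),     # DA not yet learned: flood in VLAN 20
        sw.receive(4, Frame(fin_srv, fin_pc)),     # DA learned on port 3: forwarded there
        sw.receive(3, Frame(fin_pc, robot_a)),     # robot is in VLAN 10: never leaves VLAN 20
    ]
```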
Jumping through loops
The Sprockets corporation has experienced a wealth of prosperity in the past five years. The VPs at Sprockets have clearly understood the necessity of their network and have expanded it accordingly, to meet the demands of their business needs. The network certainly has come a long way since the original Macintosh client and single Intel server that once sat in the basement. The network isn't perfect yet; our heroine, Momma Spacely, the VP of IT, has added a significant number of switches to her corporate network to accommodate the company's explosive rate of hiring. Now network path loops have surfaced and our IT warrior must come up to speed fast on the spanning-tree bridging protocol. Stay tuned for the next installment where we'll see how Momma Spacely tackles the bridging protocol.
Michael J. Norton is a software engineer at Cisco Systems.