Layer 2/3/4 Frame Classification Primer
Introduction—The Evolving Enterprise Network
Businesses consider their networks to be a critical component
of their success. Network administrators must ensure that
business-critical data can be delivered reliably throughout
the network—an increasingly difficult task in the face of
today's ever-changing networks and applications.
The information that traverses today's networks
includes:
- Web-based traffic from the Internet, where phenomenal
growth has made e-commerce and other web-enabled
applications into business necessities; and from
intranets, which have become the preferred medium for
exchanging corporate information.
- Multicast traffic, from bandwidth-intensive
applications such as video conferencing, that are now
being widely deployed on enterprise networks.
- E-mail, which corporations use for vital
inter-employee communication as well as for rapid
communication with customers.
- Time-sensitive voice traffic, as data and voice
networks converge within the enterprise.
Administrators must be able to fine-tune their network to
meet their company's demands. They must distinguish between
traffic that is critical to the business, typical of
day-to-day operations, or extraneous to business operations.
They must also address the company's security issues—like
payroll and personnel information, or research and
development—all of which may be vulnerable to attack from
within or from outside of the company walls.
For administrators to take complete control of network
operations, the devices upon their network, such as switches
and routers, must be capable of expediting mission-critical
data, denying certain traffic from the network, and protecting
the network's limited resources. Moreover, there must be a
network management platform that can configure and verify
these policies across the network infrastructure.
Frame Classification
New switches being introduced today support two relatively
new industry standards: 802.1Q, which allows administrators to
configure VLANs (virtual LANs); and 802.1p, which allows them
to set priority rules for network traffic. As these switches
classify incoming frames into a certain VLAN or priority
level, they insert a tag into the original frame to convey
this specific VLAN/priority information to other switches on
the network. When the frame reaches the switch nearest its
destination, the frame tag is removed and the frame is
forwarded on to its destination.
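As an added illustration (not code from the original primer) of the tag insertion and removal just described, the following Python packs an 802.1Q tag (the TPID 0x8100 followed by a 16-bit TCI holding the 3-bit 802.1p priority and the 12-bit VLAN ID) into a constructed untagged frame and strips it again at the far switch; the frame check sequence is omitted, since a real switch recomputes it after retagging.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tag

# Constructed untagged frame: destination MAC, source MAC, IPv4 EtherType, start of an IP header
SAMPLE_FRAME = bytes.fromhex("020000000001") + bytes.fromhex("0200000000aa") + b"\x08\x00" + b"\x45\x00"

def insert_tag(frame: bytes, vlan_id: int, priority: int) -> bytes:
    """Insert an 802.1Q tag after the source MAC, carrying the VLAN ID and 802.1p priority."""
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7:
        raise ValueError("VLAN ID must be 0-4095 and 802.1p priority 0-7")
    # TCI layout: 3-bit PCP (802.1p priority), 1-bit DEI (0 here), 12-bit VID
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame: bytes) -> tuple:
    """Return (vlan_id, priority, untagged_frame); an untagged frame comes back as (None, None, frame)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, None, frame
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]
```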
The ability to perform this Layer 3/4 classification—to
share VLAN and priority information throughout the
network—is fairly straightforward and easily understood. But
it is just the first step in accommodating the new enterprise
network requirements discussed above, since the limited
classification capabilities of some devices may result in
limited control for the network administrator.
The network edge, or entry point, is the ideal place to assign
or classify frames into a VLAN and/or priority, as it is the
first (and sometimes only) place where the frame can be so
dealt with. Once the frame tag has been inserted in the frame,
upstream switches will make frame forwarding decisions based
upon the tag's indicated VLAN and/or priority.
Although most network designers agree that the network edge is
the most efficient place for intelligent packet
classification, most switches at the edge of today's networks
have limited capabilities in this area. Typically, these
switches use the ingress (or receive) port as their only
criterion for classifying frames, meaning that all frames
received on a given port will be classified to the same VLAN,
or be assigned the same priority. This is less than ideal,
since it does not match the operational reality of a network,
or provide the precise control and security needed by network
administrators. As shown in Figure 1, individual workstations
can generate source traffic from multiple applications running
over numerous protocols (e.g., IP, IPX and AppleTalk). For all
protocols and application traffic from a single workstation to
be assigned to the same VLAN, or given the same priority, is
simply not a desired model of network operation.
It is much more efficient for the first ingress switch to have
enough intelligence to classify frames to potentially
different VLANs and priority levels, based upon the network
administrator's needs. The drawback to this, however, is the
potential cost increase of deploying such switches on the
network. Traditionally, edge switches outnumber core switches
or routers by many times, so these more intelligent edge
switches must remain cost-competitive with devices that offer
simpler classification capabilities.
Figure 1. All frames on links between switches include 802.1Q frame tags
(802.1Q trunk ports) to indicate VLAN membership and priority.
All frames sent from user "A" are classified as
belonging to the same VLAN (Red) and all frames are assigned
the same priority (2). Frames have been classified to VLAN Red
and priority 2 based upon the receive port.
This is because the switch is a port-based classifying only
device. The desired functionality would be to further classify
each frame from user "A" for priority or VLAN
assignment. User "A" is sourcing IP as well as IPX
frames. Within the IP protocol, there are frames sent to a
SAP-R3 server via HTTP, a simple FTP session, and a voice over
IP (VoIP) session via a PC phone.
Benefits of Classification
Classifying frames serves four basic functions, as shown in
Figure 2.
- Containment—Scoping or containing frames within a
specific boundary, normally referred to as a VLAN
- Filter—Preventing protocols, applications, and/or
specific users from accessing the network
- Security—Securing certain resources within the
network, such as specific addresses
- Class of Service/Quality of Service—Associating a
priority with each frame based on the classification
Classification Methods
As previously described, the default behavior of a standard
802.1Q switch is to simply classify all frames based upon
their receive port. This has limitations, however, when an end
system is sending frames from various protocols and/or
applications.
There are several other higher-layer classification
capabilities that provide greater flexibility and control,
although they may add to the overall complexity of the switch
and the network design. These include frame-by-frame
connectionless classification, and frame-by-frame connection
(or flow-based) classification. The following examples
illustrate these generic classification methods by describing
how data sourced from user "A" in Figure 1 is
interpreted or classified. The examples are given in order of
increasing complexity, from the simplest to the most complex
frame classification.
Port-Based
This basic method is the default classification
method for 802.1Q switches. All frames received on a
port are classified as belonging to the same VLAN
and receive the priority assigned to that specific
port.
MAC Address
This method relies on an administrator programming
VLAN or priority classification rules based on an
end user's source (or possibly destination) MAC
address. This is far more flexible than simple port
classification, but is very tedious to implement in
a network. Since VLAN membership is tied to a user's
end system (by MAC address), this method works well
for networks with roving users.
Protocol
This method allows an administrator to classify
frames based on protocols such as IP, IPX and
AppleTalk within the network. It also works well for
containing or filtering unknown and
broadcast-intensive protocols.
Layer 3 Protocol Type and Type of Service
This method allows an administrator to classify
frames based on information such as their IP
Protocol Type, IP Service Type (TOS), and IPX Packet
Type. This is commonly used to classify a received
frame's 802.1p priority value based on the
precedence indicator within its IP TOS field. An IP
TOS value that indicates high priority is mapped to
a user-defined 802.1p value. Classifying frames via
this method will become more prevalent as features
such as the IETF's Differentiated Services become more
widely deployed. Switches that can classify frames
to this level can also support dynamic IP multicast
group establishment/pruning, otherwise known as IGMP
Snooping.
Layer 3 Address
This method allows an administrator to classify
frames into VLANs or priority levels based on their
Layer 3 network address (e.g., their individual IP
address, IP subnet, or Novell Network Number). For
networks with vital server traffic, for example,
this could be used to classify all frames sourced
from or destined to that server's IP address as
high priority, so that traffic to or from that
server would be given preferential treatment. This
method also works well for securing networks. An
administrator can specify that a certain IP address
(such as the router's) is only allowed access to the
network at a specific entry point (port). This would
preclude any user from inadvertently or
intentionally duplicating the router's IP address.
Layer 4 Socket/Port
This method allows an administrator to classify
frames based on their Layer 4 application
information. This can be used for containment in a
scenario where all Novell server SAP advertisements
could be restricted within a VLAN boundary in which
only Novell servers reside. With this classification
method, different priority levels can be assigned to
different applications, based upon user need.
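The following Python is an added example, not part of the original primer, that applies the classification methods above in order of decreasing specificity (Layer 4 port, TOS precedence, Layer 3 address, protocol, MAC address, then the port default) to constructed frames modelled on user "A"'s traffic from Figure 1: HTTP to the SAP-R3 server, FTP, VoIP and IPX. The IP addresses, MAC addresses, VLAN numbers and priority values are assumptions chosen for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE = {0x0800: "IP", 0x8137: "IPX", 0x809B: "AppleTalk"}
USER_A_MAC, SERVER_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("020000000001")  # constructed

def parse_frame(frame: bytes) -> dict:
    """Extract the fields the classification methods key on from an untagged Ethernet frame."""
    f = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    etype = struct.unpack("!H", frame[12:14])[0]
    f["protocol"] = ETHERTYPE.get(etype, hex(etype))
    if f["protocol"] == "IP":                    # IPv4 header starts right after the EtherType
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                 # header length in bytes; the L4 ports follow it
        f["precedence"] = ip[1] >> 5             # IP precedence: top three bits of the TOS byte
        f["ip_proto"] = ip[9]                    # 6 = TCP, 17 = UDP
        f["src_ip"], f["dst_ip"] = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        f["src_port"], f["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return f

# (method, predicate, VLAN, 802.1p priority), checked most specific first; the ingress port is the fallback
RULES = [
    ("layer4", lambda f: f.get("dst_port") == 80 and f.get("dst_ip") == IPv4Address("10.1.1.5"), 20, 5),
    ("tos", lambda f: f.get("ip_proto") == 17 and f.get("precedence", 0) >= 5, 30, 6),
    ("layer3", lambda f: "dst_ip" in f and f["dst_ip"] in IPv4Network("10.1.1.0/24"), 20, 4),
    ("protocol", lambda f: f["protocol"] == "IPX", 40, 1),
    ("mac", lambda f: f["src_mac"] == "02:00:00:00:00:bb", 50, 3),   # a roving user's MAC (constructed)
]
PORT_DEFAULTS = {1: (10, 2)}   # port-based fallback: VLAN Red (10), priority 2, as in Figure 1

def classify(frame: bytes, ingress_port: int) -> tuple:
    """Return (method, vlan, priority) from the first matching rule, else the ingress port's default."""
    f = parse_frame(frame)
    for method, match, vlan, prio in RULES:
        if match(f):
            return method, vlan, prio
    return ("port",) + PORT_DEFAULTS[ingress_port]

def ipv4_frame(dst_ip: str, proto: int, tos: int, sport: int, dport: int) -> bytes:
    """Constructed sample frame from user A: minimal IPv4 header (IHL 5) followed by the L4 port pair."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, proto, 0,
                      IPv4Address("10.1.2.7").packed, IPv4Address(dst_ip).packed)
    return SERVER_MAC + USER_A_MAC + b"\x08\x00" + hdr + struct.pack("!HH", sport, dport)

SAMPLES = {   # user A's traffic from Figure 1, constructed for this example
    "http_to_sap": ipv4_frame("10.1.1.5", 6, 0x00, 40001, 80),
    "ftp": ipv4_frame("10.2.2.9", 6, 0x00, 40002, 21),
    "voip": ipv4_frame("10.2.2.9", 17, 0xB8, 5004, 5004),   # TOS 0xB8: precedence 5 (DSCP EF)
    "ipx": SERVER_MAC + USER_A_MAC + b"\x81\x37" + b"\xff\xff\x00\x1e\x00\x04",
}
```

Each sample frame lands in a different VLAN and priority even though all arrive on the same ingress port, which is exactly the distinction a port-only switch cannot make.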
Conclusion
The edge of the network is the best place to assign policy
rules. It is also the most challenging because of the number
of edge switches typically found on a large network. Once
hardware platforms are capable of further classification
methods and network management applications are available to
easily configure these features, the way networks operate will
change dramatically.