T:LAN Layer 2 Capabilities Explained
BACKGROUNDER
What is Layer 2?
Known as the Data Link Layer, Layer 2 is, as the name implies, the second of the seven layers in the OSI reference model for network protocols. It is also the lowest layer in the TCP/IP networking model. Layer 2 transports data between interconnected nodes in a WAN (Wide Area Network), or between local nodes on a LAN (Local Area Network).
The smallest unit on a Layer 2 network is a frame. Frames are sent and received between devices on the same LAN/WAN. Frames have a defined structure to aid error detection and control plane tasks. Some frames are used exclusively for traffic/flow control information and do not carry any user data at all.
What traffic types does Layer 2 handle?
Layer 2 distinguishes between:
- UNICAST traffic: directed frames to be exchanged between two specific nodes.
- MULTICAST traffic: sent from one to any number of receiving nodes.
- BROADCAST traffic: sent to all nodes in a particular broadcast domain (usually to alert of a specific change in the condition of the network or for general, non-directed inquiries).
Layer 2 can also act as a bridge between linked LANs, combining separate broadcast domains and networks. VLANs are often employed to segment traffic into different categories. Virtual LANs help create ‘walls’ between traffic destined for different network sub-segments. VLANs provide the necessary separation between data streams and help keep sensitive data from flowing into insecure or unauthorized parts of the network.
What about sub-layers?
Layer 2 contains two sub-layers:
- LLC – Logical Link Control sub-layer: responsible for managing communication links and handling traffic.
- MAC – Media Access Control sub-layer: governs access to the physical network medium.*
* Uses uniquely assigned MAC addresses to properly identify all nodes communicating over the same local network.
T:LAN Layer 2 Features
T:LANs support the following Layer 2 features:
UNICAST, MULTICAST, and BROADCAST traffic classification and filtering.
Broadcast packets at the IP and MAC layer can take up a significant amount of bandwidth depending on the network environment and subnet distribution. Activate the corresponding filtering mechanism to curb broadcast traffic where required.
Layer 2 BRIDGING.
No routing or special IP address allocations required. T:LANs automatically manage Layer 2 bridging.
Per Port RECEIVE and TRANSMIT RATE LIMITS.
The T:LAN supports hardware rate limiting on a per-port basis. Limits can be set independently for the receive and transmit side. The rate limit starts from 0 kbps and goes up to the line rate in 100 kbps increments. The T:LAN uses one second as the counting interval.
At the beginning of each interval, the internal counters are cleared to zero, and the rate limit mechanism starts to count the number of bytes during the interval. For receive, if the number of bytes exceeds the programmed limit, the port will stop receiving until the current interval expires (use the Flow Control features to prevent packet loss). For transmit, if the number of bytes exceeds the programmed limit, the port will stop transmitting until the current interval expires.
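As an added illustration (not T:LAN firmware or vendor code), the following Python model reproduces the interval-based counter described above; the class and function names, the constructed frame timings, and the choice to refuse the frame that pushes the count over the limit are assumptions.

```python
class IntervalRateLimiter:
    """Per-port byte counter that is cleared at the start of each interval."""

    STEP_KBPS = 100        # limits are programmed in 100 kbps steps
    INTERVAL_S = 1.0       # the T:LAN counts over a one-second interval

    def __init__(self, limit_kbps):
        if limit_kbps < 0 or limit_kbps % self.STEP_KBPS:
            raise ValueError("limit must be a non-negative multiple of 100 kbps")
        self.limit_bytes = limit_kbps * 1000 // 8   # bytes allowed per interval
        self.interval_idx = None
        self.counted = 0
        self.blocked = False

    def offer(self, now_s, nbytes):
        """Accept (True) or refuse (False) a frame of nbytes arriving at now_s."""
        idx = int(now_s // self.INTERVAL_S)
        if idx != self.interval_idx:          # new interval: clear counter, reopen port
            self.interval_idx, self.counted, self.blocked = idx, 0, False
        if self.blocked:                      # already over the limit this interval
            return False
        self.counted += nbytes
        if self.counted > self.limit_bytes:   # limit exceeded: stop until interval expires
            self.blocked = True               # (assumption: the exceeding frame is refused)
            return False
        return True


def simulate(limit_kbps, frames):
    """frames: constructed (time_s, size_bytes) pairs in arrival order."""
    rl = IntervalRateLimiter(limit_kbps)
    return [rl.offer(t, n) for t, n in frames]


# Constructed burst against a 1 Mbps limit (125000 bytes per one-second interval).
SAMPLE = [(0.0, 60000), (0.2, 60000), (0.4, 60000), (0.9, 100), (1.0, 1500), (1.5, 200000)]
```

On the receive side every refused frame is lost unless the link partner honours flow control, which is why the text recommends enabling it alongside receive limits.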
Port Based Grouping/VLANs.
The Port Grouping feature allows the user to set up different broadcast domains and prevents conversations between ports mapped into different groups. This feature can be used to partition the LAN1-4 ports on the back panel of the T:LAN for multiple customers.
It prevents packets from being broadcast or forwarded across group boundaries by creating unique and separate WAN-to-LAN connections for each of the defined groups. The ports can be mapped in a variety of arrangements, from all ports being in one group to each port being isolated from the rest.
IEEE-802.1Q VLAN tagging, untagging and re-tagging.
The T:LAN supports up to 16 active VLANs out of the 4096 possible VLANs specified in the IEEE 802.1Q standard. If a non-tagged or null VLAN ID-tagged packet is received, the ingress Port VLAN ID is used for the look-up. In the 802.1Q VLAN mode, the forwarding process starts with a VLAN Map table look-up to determine whether the VLAN ID is valid.
If the VLAN ID is not valid, the packet is dropped. If the VLAN ID is valid, the packet is forwarded to one or all ports sharing the same VLAN membership. If the destination Media Access Control (MAC) address is known, the packet is forwarded to the proper port. Otherwise, the packet is forwarded to all VLAN member ports except for the ingress port.
TRUNKING PORTS (carry multiple VLANs per link), END NODE PORTS (carry only a single VLAN, if at all).
T:LANs support three VLAN ingress filtering modes: ALL, LISTED and PortVLAN. These modes progressively narrow the set of VLANs each LAN port will accept. VLANs may be restricted to all mapped VLANs (as defined in the 16-entry VLAN Map), to those VLANs that have the corresponding port membership enabled, or to just the port’s own Port VLAN.
The broadest mode, ALL (the default VLAN ingress filtering mode), forwards all known VLANs. It accepts all inbound VLAN IDs that are listed in the VLAN Map, whether or not the ingress port is included in the membership list for that VLAN ID.
The second mode, LISTED, narrows the list of potential VLANs to those mapped to the corresponding ingress port. Packets are only forwarded if the port’s membership flag for the received VLAN ID is set.
The strictest mode, PortVLAN, forwards only the port’s own Port VLAN. It passes only packets whose VLAN ID matches the PortVLAN; all other VLAN IDs are dropped.
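The VLAN Map look-up, per-VLAN MAC forwarding and the three ingress filtering modes described above, as an added Python model that is not the T:LAN's own code: the tag layout follows IEEE 802.1Q, while the class name, the dictionary-shaped VLAN Map and MAC table, and all port numbers, VLAN IDs and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100                           # 802.1Q tag protocol identifier

def parse_vid(frame):
    """VID of an 802.1Q-tagged frame; None for untagged or null (VID 0) tags."""
    if len(frame) >= 16 and struct.unpack_from("!H", frame, 12)[0] == TPID_8021Q:
        vid = struct.unpack_from("!H", frame, 14)[0] & 0x0FFF  # PCP/CFI sit above bit 11
        return vid or None
    return None

class Tlan8021Q:
    """Constructed model: VLAN Map (max 16 entries), Port VLAN IDs, ingress mode."""
    def __init__(self, vlan_map, pvid, mode):
        assert len(vlan_map) <= 16 and mode in ("ALL", "LISTED", "PORTVLAN")
        self.vlan_map, self.pvid, self.mode = vlan_map, pvid, mode
        self.mac_table = {}                       # (vid, mac) -> port, learned per VLAN

    def forward(self, ingress, frame):
        """Egress port set for a frame; an empty set means the frame is dropped."""
        vid = parse_vid(frame) or self.pvid[ingress]   # untagged/null tag: ingress PVID
        members = self.vlan_map.get(vid)
        if members is None:                       # not in the VLAN Map: invalid, drop
            return set()
        if self.mode == "LISTED" and ingress not in members:
            return set()                          # membership flag not set for this port
        if self.mode == "PORTVLAN" and vid != self.pvid[ingress]:
            return set()                          # only the port's own VLAN passes
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[(vid, src)] = ingress      # learn the source MAC in this VLAN
        if (vid, dst) in self.mac_table:          # known destination: one egress port
            return {self.mac_table[(vid, dst)]} - {ingress}
        return members - {ingress}                # unknown/broadcast: flood VLAN members

def make_frame(dst_hex, src_hex, vid=None):
    """Constructed Ethernet frame, optionally with an 802.1Q tag (PCP 0, CFI 0)."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + b"\x08\x00" + bytes(46)

def demo(mode):
    """Run the same five constructed frames through one ingress filtering mode."""
    sw = Tlan8021Q({10: {1, 2}, 20: {3, 4}, 99: {1, 4}}, {1: 10, 2: 10, 3: 20, 4: 20}, mode)
    return [sw.forward(1, make_frame("ffffffffffff", "0200000000aa")),       # untagged bcast
            sw.forward(2, make_frame("0200000000aa", "0200000000bb", 10)),   # learned unicast
            sw.forward(3, make_frame("ffffffffffff", "0200000000cc", 10)),   # port 3 not in 10
            sw.forward(1, make_frame("ffffffffffff", "0200000000aa", 99)),   # 99 is not PVID
            sw.forward(4, make_frame("ffffffffffff", "0200000000dd", 500))]  # not in VLAN Map
```

Comparing demo("ALL"), demo("LISTED") and demo("PORTVLAN") shows which of the five frames each mode forwards: only the third and fourth frames differ, which is exactly where the membership flag and the Port VLAN restriction come into play.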
MANAGEMENT VLAN
T:LANs can be managed using a separate Management VLAN. The T:LAN will always use the user-defined VLAN ID, priority and CFI settings for all communications to and from its own IP address. Moving T:LANs in and out of the Management VLAN (or changing the tagging operations) may restrict access to the T:LAN until the user logs back in using the newly configured settings.
Designate only one of the T:LAN units as the ‘head-end’ that connects to the core network. Make sure that the Management VLAN will only be exposed on one of the LAN1-4 ports of that particular unit. Then map the Management VLAN as a valid VLAN for the corresponding port.
Traffic received at a port that is not a member of the Management VLAN cannot cross into the Management VLAN. It is placed into the assigned Port VLAN or, if the packets are already VLAN tagged, compared against the set of valid VLANs allowed on that port. This prevents a host or remote device from masquerading as a Management VLAN member.
OPTIMA PORT LOCK, only enabling access to LAN/WAN ports for authorized protocols/users.
The Optima Port Lock (OPL) controls access to the LAN1-4 ports of a Rev.4x T:LAN unit in secure mode. To achieve this goal, a user must first obtain his/her device access list from Optima RC Server and then unlock the corresponding port through the RC Client before access to a particular LAN port is granted.
Inter-link ports do not need to be unlocked first but will monitor the link partners to determine if the link is compatible before forwarding traffic over it.
Optima REFLECTOR Protocol
Used to identify nodes connected to the opposite end of a communications link (T1/E1/Ethernet/PPP-Modem). Performs loop avoidance and link state reporting, and indicates link age states to immediately signal how recent (or stale) the displayed information is.
MAC ADDRESS LEARNING, including per-VLAN MAC Address Learning and forwarding.
The T:LAN OCP unit performs MAC Address learning and lookup to determine the channel to which traffic has to be forwarded. Learned MAC addresses age out when approximately 250 seconds elapse between packets from the same MAC address.
The T:LAN OCP allocates MAC entries dynamically to keep the learned MAC addresses consistent and current.
RECEIVE, TRANSMIT or BI-DIRECTIONAL TRAFFIC SNIFFING, traffic replication on a user selected port to aid network diagnostics.
The T:LAN offers three modes to support monitoring (or mirroring) of traffic flows in and out of a particular port. The available modes are: receive sniffing, transmit sniffing and RX/TX sniffing. These operations always involve two ports: the port under observation (the sniffed port) and the port to where the monitored/mirrored packets are being sent (the monitor port).
Traffic can be sniffed simultaneously from multiple ports while only one port takes the role of the monitor port. The monitor port can still receive and transmit its own traffic flows while receiving the sniffed packet streams.
Optima Link:Guard
The Optima Link:Guard uses a combination of timers, packet reception monitors and PINGs to establish the working state of each link.
Reception of a valid packet over a monitored interface resets the Optima Link:Guard timer and returns the corresponding link to the active state. If there is no reception of valid traffic during one timer interval, the link will transition to the SPORADIC state and prompt the Optima Link:Guard to PING the user-defined target IP address.
If all five PING requests (sent out after each interval) remain unanswered, the link state will transition to FAILED. Ports/interfaces that are physically down will not be PINGed. Instead, the Optima Link:Guard will monitor the state of the link and resume operation as soon as the link is up.
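An added model (not Optima code) of the Link:Guard state machine described above: the states and the five-PING rule come from the text; treating a PING reply as a valid received packet, the tick-driven event names and the 192.0.2.1 target address are assumptions made for this example.

```python
ACTIVE, SPORADIC, FAILED, DOWN = "ACTIVE", "SPORADIC", "FAILED", "DOWN"

class LinkGuard:
    MAX_PINGS = 5                              # five unanswered PINGs -> FAILED

    def __init__(self, target_ip):
        self.target_ip = target_ip             # user-defined PING target
        self.state, self.pings_unanswered, self.saw_valid_packet = ACTIVE, 0, False
        self.sent_pings = []                   # one PING target per silent interval

    def packet_received(self):
        """A valid packet (a PING reply counts, assumption) resets the timer."""
        self.saw_valid_packet, self.pings_unanswered = True, 0
        if self.state != DOWN:
            self.state = ACTIVE

    def link_up(self, up):
        if not up:
            self.state = DOWN                  # physically down: not PINGed
        elif self.state == DOWN:
            self.state, self.pings_unanswered = ACTIVE, 0   # resume as soon as link is up

    def interval_expired(self):
        """One Link:Guard timer interval elapsed; returns the new link state."""
        if self.state == DOWN:
            return self.state
        if self.saw_valid_packet:              # traffic seen this interval: stay ACTIVE
            self.saw_valid_packet = False
            return self.state
        if self.pings_unanswered >= self.MAX_PINGS:
            self.state = FAILED                # all five PINGs remained unanswered
            return self.state
        self.state = SPORADIC                  # no valid traffic: PING the target
        self.sent_pings.append(self.target_ip)
        self.pings_unanswered += 1
        return self.state

def run(events, target="192.0.2.1"):
    """Drive a LinkGuard with constructed events; list the state after each tick."""
    lg, trace = LinkGuard(target), []
    handlers = {"pkt": lg.packet_received, "down": lambda: lg.link_up(False),
                "up": lambda: lg.link_up(True)}
    for ev in events:
        if ev == "tick":                       # one timer interval elapsed
            trace.append(lg.interval_expired())
        else:
            handlers[ev]()
    return trace, len(lg.sent_pings)

# Constructed: one healthy interval, six silent intervals, then traffic returns.
SAMPLE = ["pkt", "tick"] + ["tick"] * 6 + ["pkt", "tick"]
```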