IEEE 802.1ad explained

IEEE 802.1ad is an amendment to the IEEE 802.1Q-1998 networking standard which adds support for provider bridges. It was incorporated into the base 802.1Q standard in 2011.^[1] The technique specified by the standard is known informally as stacked VLANs or QinQ.

The original 802.1Q specification allows a single virtual local area network (VLAN) header to be inserted into an Ethernet frame. QinQ allows multiple VLAN tags to be inserted into a single frame, an essential capability for implementing metro Ethernet.

In a multiple-VLAN-header context, out of convenience, the term VLAN tag or just tag for short is often used in place of 802.1Q VLAN header. QinQ allows multiple VLAN tags in an Ethernet frame; together these tags constitute a tag stack. When used in the context of an Ethernet frame, a QinQ frame is a frame that has two VLAN 802.1Q headers (i.e. it is double-tagged).

Background

802.1ad specifies architecture and bridge protocols to provide separate instances of the medium access control (MAC) services to multiple independent users of a bridged local area network in a manner that does not require cooperation among the users and requires a minimum amount of cooperation between the users and the provider of the MAC service.

The idea is to provide, for example, the possibility for customers to run their own VLANs inside a service provider's provided VLAN. This way the service provider can just configure one VLAN for the customer and the customer can then treat that VLAN as if it were a trunk.

IEEE 802.1ad was created for the following reasons:

1. 802.1Q has a 12-bit VLAN ID field, which has a limit of 2¹² (4096) tags. With the growth of networks, this limitation has become more acute. A double-tagged frame has a limitation of 4096 × 4096 = 16777216 tags, which can accommodate more network growth.
2. The addition of a second tag allows operations that would not have been available had the VLAN ID field simply been expanded from 12 bits to 24 bits (or any other large value). Having multiple tags—a tag stack—allows switches to more easily modify frames. In a tag stack scheme, switches can add, remove or modify single or multiple tags. It is easier for networking equipment makers to modify their existing equipment by creating multiple 802.1Q headers than to modify their equipment to implement some hypothetical new non-802.1Q extended VLAN ID field header.
3. A multi-tagged frame not only has multiple VLAN IDs, but has multiple priority code point (PCP) and drop eligible indicator (DEI) bit fields.
4. A tag stack creates a mechanism for Internet Service Providers to encapsulate customer single-tagged 802.1Q traffic with a single tag, the final frame being a QinQ frame. The outer tag is used to identify and segregate traffic from different customers; the inner tag is preserved from the original frame.
5. QinQ frames are convenient means of constructing Layer 2 tunnels, or applying quality-of-service (QoS) policies.
6. 802.1ad is upward compatible with 802.1Q. Although 802.1ad is limited to two tags, there is no ceiling on the standard limiting a single frame to more than two tags, allowing for growth in the protocol. In practice service provider topologies often anticipate and utilize frames having more than two tags.

The IEEE 802.1ad standard was approved December 8, 2005, and published May 26, 2006.

Frame format

These examples are for an Ethernet II framing with EtherType field. The standard is also applicable to IEEE 802.3 frames with or without an LLC (i.e. Logical Link Control), LLC+SNAP header). The top frame is a simple Ethernet II frame. The middle frame has an 802.1Q tag added to it. The bottom frame has yet another 802.1Q added to it.

An 802.1Q header, which is four bytes long, is added to an untagged Ethernet II frame in the following manner:

1. The four-byte tag is inserted between the source MAC address (SAMAC) of the untagged frame and its EtherType field.
2. The newly inserted VLAN header's EtherType is set to 0x8100 to identify the following data as a VLAN tag.
3. 12 bits are used for the VLAN ID, the other bits in the VLAN fields are filled in according to the QoS policy, etc. of the interface at which the tag imposition occurred.

Notice that after the insertion of an 802.1Q header to an untagged frame, the frame's original EtherType appears to have been changed to 0x8100. The untagged frame's original EtherType in the single-tag frame is now located adjacent to the payload. Its value is unchanged.

A second 802.1Q header is added to a single-tagged frame in the following manner:

1. The second tag is inserted in front of the first tag, meaning the second tag is closer to the Ethernet header than the first (original) tag.
2. The second tag is inserted between the source MAC address and the first (original) tag.
3. The second tag is assigned an EtherType of 0x88A8 (instead of the .1Q standard 0x8100) by default.
4. 12 bits are used for the VLAN ID, the other bits in the VLAN fields are filled in according to the QoS policy, etc. of the interface at which the tag imposition occurred.

Any third or subsequent tag imposition will insert the tag in front of the preceding tags, closest to the Ethernet header. The frame's original EtherType is always located after all the tags and adjacent to the payload. In the case of an 802.3 frame, this EtherType would be a length value instead, and would contain the length from there to the end of the frame. In the case of an 802.3 frame with an LLC header, the LLC header stays after the length field and adjacent to the payload.

The conventions for 802.1ad terminology typically are as follows:

1. The inner tag is the tag which is closest to the payload portion of the frame; it is officially called C-TAG for customer tag with EtherType 0x8100.
2. The outer tag is the one closest to the Ethernet header; its name is S-TAG for service tag with EtherType 0x88a8.
3. In frames having more than one tag, the tags are numbered 1 to N, and appear sequentially and contiguously in the frame from Ethernet header to payload. In this case the innermost tag is the C-TAG and all other tags are S-TAGs.
4. For a single-tagged (802.1Q) frame, that tag is designated tag 1 when mixed with 802.1ad tags.

In IEEE 802.1ad, the single-bit Canonical Format Indicator (CFI) is replaced by a Drop Eligibility Indicator (DEI), increasing the functionality of the PCP field.

Tag operations

In a tag stack, push and pop operations are done at the outer tag end of the stack, therefore the tag added by a tag push operation becomes a new outer tag and the tag to be removed by a tag pop operation is the current outer tag.

Examples

Virtual networks

This simple example will illustrate the practical use of 802.1ad. The diagram shows switches as hexagons, and a service provider (SP) network encompassing all items within the dotted oval. The items on the periphery of the oval are networks belonging to SP customers. Different physical locations appear in the shaded rectangle and include both customer and SP network components.

A service provider (SP) offers L2 connectivity to customers in the cities of Seattle and Tacoma. Two corporations, Acme and XYZ, each have campuses in both Seattle and Tacoma. All campuses run Ethernet LANs, and the customers intend to connect through the SP's L2 VPN network so that their campuses are in the same LAN (L2 network). It is desirable for each company to have a single LAN available in both Seattle and Tacoma, obviating the alternative of having two LANs in which traffic must be routed between the LANs. The SP has two switches, one in Seattle (S-Switch #1), and one in Tacoma (S-Switch #2). The customers interface to the SP network in switches designated A and B. Each customer has its own pair of A and B switches. Acme switch A is connected to S-Switch #1 through link A1; the rest of the links are labeled. S-Switch #1 and #2 are connected by link S12.

Acme's LAN uses VLAN IDs 10, 11 and 12 in their network. The connections A1 and A2 are Ethernet trunks that have single-tagged VLAN traffic, the traffic using IDs 10, 11 and 12. Likewise XYZ uses IDs 11, 12 and 13 in their network, so X1 and X2 are also trunks with single tagged traffic of IDs 11, 12 and 13. The SP, having one network and one connection between S-Switch #1 and S-Switch #2, must segregate Acme's and XYZ's traffic. Since both Acme and XYZ share some VLAN IDs, traffic cannot be segregated by customer VLAN ID.

The solution is for the SP to use 802.1ad in their network. They assign a single, unique outer VLAN tag ID of 100 for Acme, and a unique outer VLAN ID of 101 for XYZ. All traffic sent from Acme A to the SP network (sent on A1, destined for Acme B) will have a tag of ID 100 pushed. The inner tag will be either 10, 11 or 12, the original Acme tag. The traffic will be sent through S12 in this format, and just before it exits S-Switch #2 bound for Acme B (link A2), all traffic will undergo a single pop operation, removing the outer VLAN tag with the ID 100. This pop operation is the inverse of the former push operation, with the net result of no change to the traffic. The traffic passes through the SP network as 802.1ad frames, but no 802.1ad frames are sent to or received from the customer.

Problems with previous example

An experienced network engineer will immediately recognize the shortcomings of the above example. This is the reason why 802.1ad is more of a definition for a method of adding multiple tags to a frame than it is an end-to-end self-contained solution. It is used in conjunction with other protocols and standards. The problems with the above example are:

1. Many switches bridge Ethernet traffic based on MAC addresses—not on VLAN IDs. This is called Shared VLAN Learning and is done per 802.1d MAC learning/MAC aging, etc.
2. Should Acme and XYZ use the same MAC addresses in their networks, this will cause problems with the MAC learning, as the assumption in MAC learning is that no two hosts use the same MAC address. In other words, a MAC should only be learned from a single switch's port.
3. The SP network must learn all customer MAC addresses in order to switch them. This does not scale well.
4. There is no provision in the above example for L2 protocol frames, Spanning Tree being the most important.
5. Additional QoS capabilities are lacking.
6. Bridges that use Independent VLAN Learning (IVL), i.e., the first VLAN tag is included as part of the SAMAC address, circumvent the problems mentioned in paragraphs 1 and 2. IVL resolves the problem of MAC addresses possibly being used by more than one customer. However, switches en route still have to learn all inserted VLAN/MAC address combinations (12 + 48 = 60 bits).
7. Broadcasts from LAN to LAN is always an issue to consider.

Provider Bridges (802.1ad) and Provider Backbone Bridges (the IEEE 802.1ah-2008 standard) address the above problems by a further modified SAMAC learning method.

See also

• Carrier Ethernet
• Connection-oriented Ethernet
• IEEE 802.1
• IEEE 802.1ah Provider Backbone Bridges
• IEEE 802.1aq Shortest Path Bridging
• Metro Ethernet
• Provider Backbone Bridge Traffic Engineering
• TRILL (TRansparent Interconnection of Lots of Links)

External links

• IEEE 802.1ad development page
• IEEE 802.1Q-in-Q VLAN Tag Termination (Cisco)
• Stacked VLAN Processing (Cisco)
• Configuring Super Aggregated VLANs (Brocade)

Notes and References

1. Web site: 802.1Q-2011 - IEEE Standard for Local and metropolitan area networks--Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks. https://web.archive.org/web/20181214223152/https://standards.ieee.org/standard/802_1Q-2011.html . dead . December 14, 2018 .