Network Working Group D. McPherson Request for Comments: 3069 Amber Networks, Inc. Category: Informational B. Dykes Onesecure, Inc. February 2001
Network Working Group D. McPherson Request for Comments: 3069 Amber Networks, Inc. Category: Informational B. Dykes Onesecure, Inc. February 2001
VLAN Aggregation for Efficient IP Address Allocation
VLAN聚合以实现高效的IP地址分配
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
Abstract
摘要
This document introduces the concept of Virtual Local Area Network (VLAN) aggregation as it relates to IPv4 address allocation. A mechanism is described by which hosts that reside in the same physical switched infrastructure, but separate virtual broadcast domains, are addressed from the same IPv4 subnet and share a common default gateway IP address, thereby removing the requirement of a dedicated IP subnet for each virtual Local Area Network (LAN) or Metropolitan Area Network (MAN).
本文档介绍了虚拟局域网(VLAN)聚合的概念,因为它与IPv4地址分配有关。描述了一种机制,通过该机制,驻留在同一物理交换基础设施中但独立虚拟广播域的主机从同一IPv4子网寻址,并共享一个公共默认网关IP地址,从而消除了每个虚拟局域网(LAN)对专用IP子网的要求或城域网(MAN)。
Employing such a mechanism significantly decreases IPv4 address consumption in virtual LANs and MANs. It may also ease administration of IPv4 addresses within the network.
采用这种机制可以显著减少虚拟LAN和MAN中的IPv4地址消耗。它还可以简化网络中IPv4地址的管理。
The VLAN [802.1Q] aggregation technique described in this document provides a mechanism by which hosts that reside within the same physical switched infrastructure, but separate virtual broadcast domains, may be addressed from the same IPv4 subnet and may share a common default gateway IPv4 address.
本文档中描述的VLAN[802.1Q]聚合技术提供了一种机制,通过该机制,驻留在相同物理交换基础设施中但独立虚拟广播域的主机可以从相同的IPv4子网寻址,并且可以共享一个公共默认网关IPv4地址。
Such a mechanism provides several advantages over traditional IPv4 addressing architectures employed in large switched LANs today. The primary advantage, that of IPv4 address space conservation, can be realized when considering the diagram in Figure 1:
与目前大型交换局域网中采用的传统IPv4寻址体系结构相比,这种机制具有若干优点。当考虑图1中的图表时,可以实现IPv4地址空间节约的主要优势:
Figure 1:
图1:
+------+ +------+ +------+ +------+ +------+ | | | | | | | | | | | A.1 | | A.2 | | B.1 | | C.1 | | B.2 | | | | | | | | | | | +------+ +------+ +------+ +------+ +------+ \ | | | / \ | | | / \ +-----------------------------------+ / | | | Ethernet Switch(es) | | | +-----------------------------------+ | | +--------+ | | | Router | | | +--------+
+------+ +------+ +------+ +------+ +------+ | | | | | | | | | | | A.1 | | A.2 | | B.1 | | C.1 | | B.2 | | | | | | | | | | | +------+ +------+ +------+ +------+ +------+ \ | | | / \ | | | / \ +-----------------------------------+ / | | | Ethernet Switch(es) | | | +-----------------------------------+ | | +--------+ | | | Router | | | +--------+
In the Figure 1 hosts A.1 and A.2 belong to customer A, VLAN A. Hosts B.1 and B.2 belong to customer B, VLAN B. Host C.1 belongs to customer C and resides in it's own virtual LAN, VLAN C.
在图1中,主机A.1和A.2属于客户A,VLAN A。主机B.1和B.2属于客户B,VLAN B。主机C.1属于客户C,并驻留在其自己的虚拟LAN VLAN C中。
Traditionally, an IP subnet would be allocated for each customer, based on initial IP requirements for address space utilization, as well as on projections of future utilization. For example, a scheme such as that illustrated in Table 1 may be used.
传统上,将根据地址空间利用率的初始IP要求以及对未来利用率的预测,为每个客户分配IP子网。例如,可以使用如表1所示的方案。
Table 1: Gateway Usable Customer Customer IP Subnet Address Hosts Hosts ======== ============ ======= ====== ======== A 1.1.1.0/28 1.1.1.1 14 13 B 1.1.1.16/29 1.1.1.17 6 5 C 1.1.1.24/30 1.1.1.25 2 1
Table 1: Gateway Usable Customer Customer IP Subnet Address Hosts Hosts ======== ============ ======= ====== ======== A 1.1.1.0/28 1.1.1.1 14 13 B 1.1.1.16/29 1.1.1.17 6 5 C 1.1.1.24/30 1.1.1.25 2 1
Customer A's initial deployment consists of 2 hosts, though they project growth of up to 10 hosts. As a result, they're allocated the IP subnet 1.1.1.0/28 which provides 16 IP addresses. The first IP address, 1.1.1.0, represents the subnetwork number. The last IP address, 1.1.1.15, represents the directed broadcast address. The first usable address of the subnet, 1.1.1.1, is assigned to the router and serves as the default gateway IP address for the subnet. The customer is left 13 IP addresses, even though their requirement was only for 10 IP addresses.
客户A的初始部署由2台主机组成,但它们预计最多会增加10台主机。因此,他们被分配了IP子网1.1.1.0/28,该子网提供16个IP地址。第一个IP地址1.1.1.0表示子网编号。最后一个IP地址1.1.1.15表示定向广播地址。子网的第一个可用地址1.1.1.1分配给路由器,并用作子网的默认网关IP地址。客户只需要13个IP地址,尽管他们只需要10个IP地址。
Customer B's initial deployment consists of 2 hosts, though they project growth of up to 5 hosts. As a result, they're allocated the IP subnet 1.1.1.16/29 which provides 8 IP addresses. The first IP address, 1.1.1.16, represents the subnetwork number. The last IP address, 1.1.1.23, represents the directed broadcast address. The first usable address of the subnet, 1.1.1.17, is assigned to the router and serves as the default gateway IP address for the subnet. The customer is left 5 with IP addresses.
客户B的初始部署由2台主机组成,但它们预计最多会增加5台主机。因此,他们被分配了IP子网1.1.1.16/29,该子网提供8个IP地址。第一个IP地址1.1.1.16表示子网编号。最后一个IP地址1.1.1.23表示定向广播地址。子网的第一个可用地址1.1.1.17分配给路由器,并用作子网的默认网关IP地址。客户只剩下5个IP地址。
Customer C's initial deployment consists of 1 host, and they have no plans of deploying additional hosts. As a result, they're allocated the IP subnet 1.1.1.24/30 which provides 4 IP addresses. The first IP address, 1.1.1.24, represents the subnetwork number. The last IP address, 1.1.1.27, represents the directed broadcast address. The first usable address of the subnet, 1.1.1.25, is assigned to the router and serves as the default gateway IP address for the subnet. The customer is left 1 IP address.
客户C的初始部署由1台主机组成,他们没有部署其他主机的计划。因此,他们被分配了IP子网1.1.1.24/30,该子网提供4个IP地址。第一个IP地址1.1.1.24表示子网编号。最后一个IP地址1.1.1.27表示定向广播地址。子网的第一个可用地址1.1.1.25分配给路由器,并用作子网的默认网关IP地址。客户只剩下1个IP地址。
The sum of address requirements for all three customers is 16. The most optimal address allocation scheme here requires 28 IP addresses.
所有三个客户的地址要求之和为16。这里最理想的地址分配方案需要28个IP地址。
Now, if customer A only grows to use 3 of his available address, the additional IP addresses can't be used for other customers.
现在,如果客户A只增长到使用其可用地址的3个,那么额外的IP地址就不能用于其他客户。
Also, assume customer C determines the need to deploy one additional host, and as such, requires one additional IP address. Because all of the addresses within the existing IP subnet 1.1.1.24/30 are used, and the following address space has been allocated to other customers, a new subnet is required. Ideally, the customer would be allocated a /29 and renumber host C.1 into the new subnet. However, the customer is of the opinion that renumbering is not a viable option. As such, another IP subnet is allocated to the customer, this time perhaps a /29, providing two additional addresses for future use.
另外,假设客户C确定需要部署一个额外的主机,因此需要一个额外的IP地址。由于使用了现有IP子网1.1.1.24/30中的所有地址,并且以下地址空间已分配给其他客户,因此需要新的子网。理想情况下,客户将被分配a/29,并将主机C.1重新编号到新的子网中。但是,客户认为重新编号不是一个可行的选择。因此,另一个IP子网被分配给客户,这次可能是a/29,提供两个额外的地址供将来使用。
As you can see, the number of IP addresses consumed by the subnetwork number, directed broadcast address, and a unique gateway address for each subnet is quite significant. Also, the inherent constraints of the addressing architecture significantly reduce flexibility.
如您所见,子网编号、定向广播地址和每个子网的唯一网关地址所消耗的IP地址数量非常重要。此外,寻址体系结构的固有约束大大降低了灵活性。
If within the switched environment, on the routed side of the network, we introduce the notion of sub-VLANs and super-VLANs, a much more optimal approach to IP addressing can be realized.
如果在交换环境中,在网络的路由端,我们引入了子VLAN和超级VLAN的概念,那么就可以实现更优化的IP寻址方法。
Essentially, what occurs is that each sub-VLAN (customer) remains within a separate broadcast domain. One or more sub-VLANs belong to a super-VLAN, and utilize the default gateway IP address of the super-VLAN. Hosts within the sub-VLANs are numbered out of IP subnets associated with the super-VLAN, and their IP subnet masking information reflects that of the super-VLAN subnet.
本质上,每个子VLAN(客户)都保持在一个单独的广播域中。一个或多个子VLAN属于超级VLAN,并使用超级VLAN的默认网关IP地址。子VLAN内的主机在与超级VLAN关联的IP子网之外进行编号,其IP子网掩码信息反映了超级VLAN子网的掩码信息。
If desired, the super-VLAN router performs functions similar to Proxy ARP to enable communication between hosts that are members of different sub-VLANs.
如果需要,超级VLAN路由器执行类似于代理ARP的功能,以实现不同子VLAN成员的主机之间的通信。
This model results in a much more efficient address allocation architecture. It also provides network operators with a mechanism to provide standard default gateway address assignments.
该模型产生了一种更高效的地址分配体系结构。它还为网络运营商提供了提供标准默认网关地址分配的机制。
Let's again consider Figure 1, now utilizing the super-VLAN sub-VLAN model. Table 2 provides the new addressing model.
让我们再次考虑图1,现在使用超级VLAN子VLAN模型。表2提供了新的寻址模型。
Table 2: Gateway Usable Customer Customer IP Subnet Address Hosts Hosts ======== ============ ======= ====== ======== A 1.1.1.0/24 1.1.1.1 10 .2-.11 B 1.1.1.0/24 1.1.1.1 5 .12-.16 C 1.1.1.0/24 1.1.1.1 1 .17
Table 2: Gateway Usable Customer Customer IP Subnet Address Hosts Hosts ======== ============ ======= ====== ======== A 1.1.1.0/24 1.1.1.1 10 .2-.11 B 1.1.1.0/24 1.1.1.1 5 .12-.16 C 1.1.1.0/24 1.1.1.1 1 .17
Customer A's initial deployment consists of 2 hosts, though they project growth of up to 10 hosts. As a result, they're allocated the IP address range 1.1.1.2 - 1.1.1.11. The gateway address for the customer is 1.1.1.1, the subnet is 1.1.1.0/24.
客户A的初始部署由2台主机组成,但它们预计最多会增加10台主机。因此,它们被分配了IP地址范围1.1.1.2-1.1.1.11。客户的网关地址为1.1.1.1,子网为1.1.1.0/24。
Customer B's initial deployment consists of 2 hosts, though they project growth of up to 5 hosts. As a result, they're allocated the IP address range 1.1.1.12 - 1.1.1.16. The gateway address for the customer is 1.1.1.1, the subnet is 1.1.1.0/24.
客户B的初始部署由2台主机组成,但它们预计最多会增加5台主机。因此,分配给它们的IP地址范围为1.1.1.12-1.1.1.16。客户的网关地址为1.1.1.1,子网为1.1.1.0/24。
Customer C's initial deployment consists of 1 host, and they have no plans of deploying additional hosts. As a result, they're allocated the IP address 1.1.1.17. The gateway address for the customer is 1.1.1.1, the subnet is 1.1.1.0/24.
客户C的初始部署由1台主机组成,他们没有部署其他主机的计划。因此,他们被分配了IP地址1.1.1.17。客户的网关地址为1.1.1.1,子网为1.1.1.0/24。
The sum of address requirements for all three customers is 16. As a result, only 16 addresses are allocated within the subnet. These 16 addresses, combined with the global default gateway address of 1.1.1.1, as well as the subnetwork number of 1.1.1.0 and directed broadcast of 1.1.1.255, result in a total of 19 addresses used. This leaves 236 additional usable hosts address with the IP subnet.
所有三个客户的地址要求之和为16。因此,子网内只分配了16个地址。这16个地址,加上全局默认网关地址1.1.1.1,以及子网编号1.1.1.0和定向广播1.1.1.255,总共使用了19个地址。这将为IP子网留下236个额外的可用主机地址。
Now, if customer A only grows to use 3 of his available addresses, the additional IP addresses can be used for other customers.
现在,如果客户A只增长到使用其可用地址中的3个,那么额外的IP地址可以用于其他客户。
Also, assume customer C determines the need to deploy one additional host, and as such, requires one additional IP address. The customer is simply allocated the next available IP address within the subnet, their default gateway remains the same.
另外,假设客户C确定需要部署一个额外的主机,因此需要一个额外的IP地址。客户只需分配子网内的下一个可用IP地址,其默认网关保持不变。
The benefits of such a model are obvious, especially when employed in large LANs or MANs.
这种模式的好处是显而易见的,尤其是在大型局域网或城域网中使用时。
This specification provides no support for directed broadcasts. Specifically, the <net, subnet, -1> directed broadcast address can only apply to one of the Layer 2 broadcast domains.
本规范不支持定向广播。具体而言,<net,subnet,-1>定向广播地址只能应用于第2层广播域之一。
Though use of directed broadcast is frowned upon in the Internet today, there remain a number of applications, primarily in the enterprise arena, that continue to use them. As such, care should be taken to understand the implications of using these applications in conjunction with the addressing model outlined in this specification.
尽管当今互联网上不赞成使用定向广播,但仍有许多应用程序继续使用定向广播,主要是在企业领域。因此,应注意理解将这些应用程序与本规范中概述的寻址模型结合使用的含义。
It is assumed that the Layer 2 multicast domain will be the same as the Layer 2 broadcast domain (i.e., VLAN). As such, this means that for an IP multicast packet to reach all potential receivers in the IP subnet the multicast router(s) attached to the IP subnet need to employ something akin to IP host routes for the sender in order for the Reverse Path Forwarding check to work.
假定第2层多播域与第2层广播域(即VLAN)相同。因此,这意味着,为了使IP多播分组到达IP子网中的所有潜在接收器,连接到IP子网的多播路由器需要为发送方采用类似于IP主机路由的东西,以便反向路径转发检查工作。
Extreme Networks has a working implementation of this model that has been deployed in service provider data center environments for over a year now. Other vendors are rumored to be developing similar functionality.
Extreme Networks拥有此模型的工作实现,该模型已在服务提供商数据中心环境中部署了一年多。据传其他供应商正在开发类似的功能。
One obvious issue that does arise with this model is the vulnerabilities created by permitting arbitrary allocation of addresses across disparate broadcast domains. It is advised that address space ranges be made sticky. That is, when an address or range of addresses is allocated to a given sub-VLAN, reception of IP
此模型确实会出现一个明显的问题,即允许跨不同广播域任意分配地址所造成的漏洞。建议将地址空间范围设置为粘性。也就是说,当一个地址或地址范围分配给给定的子VLAN时,IP的接收
or ARP packets on a sub-VLAN with a source IP address that isn't allocated to the sub-VLAN should be discarded, and perhaps trigger a logging message or other administrative event.
或者,子VLAN上的ARP数据包(其源IP地址未分配给该子VLAN)应被丢弃,并可能触发日志消息或其他管理事件。
Implementation details are intentionally omitted as all functions in this document should remain local to the super-VLAN router. As such, no interoperability issues with existing protocols should result.
有意省略实现细节,因为本文档中的所有功能都应保留在超级VLAN路由器的本地。因此,不应导致与现有协议的互操作性问题。
Thanks to Mike Hollyman and Erik Nordmark for their feedback.
感谢迈克·霍利曼和埃里克·诺德马克的反馈。
[802.1Q] IEEE 802.1Q, "Virtual LANs".
[802.1Q]IEEE 802.1Q,“虚拟局域网”。
Danny McPherson Amber Networks, Inc. 48664 Milmont Drive Fremont, CA 94538
Danny McPherson Amber Networks,Inc.加利福尼亚州弗里蒙特市密尔蒙特大道48664号,邮编94538
EMail: danny@ambernetworks.com
EMail: danny@ambernetworks.com
Barry Dykes OneSecure, Inc. 2000 S. Colorado Blvd Suite 2-1100 Denver, CO. 80222
Barry Dykes OneSecure,Inc.科罗拉多州丹佛市南科罗拉多大道2000号2-1100室,邮编80222
EMail: bdykes@onesecure.com
EMail: bdykes@onesecure.com
Copyright (C) The Internet Society (2001). All Rights Reserved.
版权所有(C)互联网协会(2001年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。