Network Working Group S. Shah
Request for Comments: 3619 M. Yip
Category: Informational Extreme Networks
October 2003
Network Working Group S. Shah
Request for Comments: 3619 M. Yip
Category: Informational Extreme Networks
October 2003
Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1
极限网络以太网自动保护交换(EAPS)第1版
Status of this Memo
本备忘录的状况
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2003). All Rights Reserved.
版权所有(C)互联网协会(2003年)。版权所有。
Abstract
摘要
This document describes the Ethernet Automatic Protection Switching (EAPS) (tm) technology invented by Extreme Networks to increase the availability and robustness of Ethernet rings. An Ethernet ring built using EAPS can have resilience comparable to that provided by SONET rings, at a lower cost and with fewer constraints (e.g., ring size).
本文档描述了由Extreme Networks发明的以太网自动保护交换(EAPS)(tm)技术,以提高以太网环的可用性和健壮性。使用EAP构建的以太网环的弹性可与SONET环所提供的弹性相媲美,成本更低,限制更少(例如,环大小)。
Many Metropolitan Area Networks (MANs) and some Local Area Networks (LANs) have a ring topology, as the fibre runs. The Ethernet Automatic Protection Switching (EAPS) technology described here works well in ring topologies for MANs or LANs.
在光纤运行时,许多城域网(MAN)和一些局域网(LAN)具有环形拓扑。本文介绍的以太网自动保护交换(EAPS)技术在城域网或局域网的环形拓扑中运行良好。
Most MAN operators want to minimise the recovery time in the event that a fibre cut occurs. The Ethernet Automatic Protection Switching (EAPS) technology described here converges in less than one second, often in less than 50 milliseconds. EAPS technology does not limit the number of nodes in the ring, and the convergence time is independent of the number of nodes in the ring.
大多数MAN运营商希望在发生光纤切割时尽量缩短恢复时间。这里描述的以太网自动保护交换(EAPS)技术在不到一秒钟的时间内收敛,通常不到50毫秒。EAPS技术不限制环内节点数,收敛时间与环内节点数无关。
An EAPS Domain exists on a single Ethernet ring. Any Ethernet Virtual Local Area Network (VLAN) that is to be protected is configured on all ports in the ring for the given EAPS Domain. Each EAPS Domain has a single designated "master node". All other nodes on that ring are referred to as "transit nodes".
单个以太网环上存在EAPS域。要保护的任何以太网虚拟局域网(VLAN)都配置在给定EAPS域环中的所有端口上。每个EAPS域都有一个指定的“主节点”。该环上的所有其他节点称为“传输节点”。
Of course, each node on the ring will have 2 ports connected to the ring. One port of the master node is designated as the "primary port" to the ring, while the other port is designated as the "secondary port".
当然,环上的每个节点将有2个端口连接到环。主节点的一个端口被指定为环的“主端口”,而另一个端口被指定为“辅助端口”。
In normal operation, the master node blocks the secondary port for all non-control Ethernet frames belonging to the given EAPS Domain, thereby avoiding a loop in the ring. Existing Ethernet switching and learning mechanisms operate per existing standards on this ring. This is possible because the master node makes the ring appear as though there is no loop from the perspective of the Ethernet standard algorithms used for switching and learning. If the master node detects a ring fault, it unblocks its secondary port and allows Ethernet data frames to pass through that port. There is a special "Control VLAN" that can always pass through all ports in the EAPS Domain, including the secondary port of the master node.
在正常操作中,主节点阻塞属于给定EAPS域的所有非控制以太网帧的辅助端口,从而避免环中的环路。现有以太网交换和学习机制按照该环上的现有标准运行。这是可能的,因为从用于交换和学习的以太网标准算法的角度来看,主节点使环看起来好像没有环路。如果主节点检测到环路故障,它将解锁其辅助端口,并允许以太网数据帧通过该端口。有一个特殊的“控制VLAN”,它始终可以通过EAPS域中的所有端口,包括主节点的辅助端口。
EAPS uses both a polling mechanism and an alert mechanism, described below, to verify the connectivity of the ring and quickly detect any faults.
EAPS使用轮询机制和警报机制(如下所述)来验证环的连接并快速检测任何故障。
When a transit node detects a link-down on any of its ports in the EAPS Domain, that transit node immediately sends a "link down" control frame on the Control VLAN to the master node.
当传输节点在EAPS域中的任何端口上检测到链路断开时,该传输节点立即将控制VLAN上的“链路断开”控制帧发送到主节点。
When the master node receives this "link down" control frame, the master node moves from the "normal" state to the ring-fault state and unblocks its secondary port. The master node also flushes its bridging table, and the master node also sends a control frame to all other ring nodes, instructing them to flush their bridging tables as well. Immediately after flushing its bridging table, each node begins learning the new topology.
当主节点接收到该“链路断开”控制帧时,主节点从“正常”状态移动到环故障状态,并解除其辅助端口的阻塞。主节点还刷新其桥接表,并且主节点还向所有其他环节点发送控制帧,指示它们刷新其桥接表。刷新桥接表后,每个节点立即开始学习新拓扑。
The master node sends a health-check frame on the Control VLAN at a user-configurable interval. If the ring is complete, the health-check frame will be received on its secondary port, where the master node will reset its fail-period timer and continue normal operation.
主节点以用户可配置的间隔在控制VLAN上发送健康检查帧。如果环完成,将在其辅助端口上接收健康检查帧,其中主节点将重置其故障周期计时器并继续正常操作。
If the master node does not receive the health-check frame before the fail-period timer expires, the master node moves from the normal state to the "ring-fault" state and unblocks its secondary port. The master node also flushes its bridging table and sends a control frame to all other nodes, instructing them to also flush their bridging tables. Immediately after flushing its bridge table, each node starts learning the new topology. This ring polling mechanism provides a backup in the event that the Link Down Alert frame should get lost for some unforeseen reason.
如果主节点在故障期计时器到期之前未接收到健康检查帧,则主节点将从正常状态移动到“环故障”状态,并解除其辅助端口的阻塞。主节点还刷新其桥接表,并向所有其他节点发送控制帧,指示它们也刷新其桥接表。刷新网桥表后,每个节点立即开始学习新拓扑。此环形轮询机制在链路断开警报帧因某些不可预见的原因丢失时提供备份。
The master node continues sending periodic health-check frames out its primary port even when operating in the ring-fault state. Once the ring is restored, the next health-check frame will be received on the master node's secondary port. This will cause the master node to transition back to the normal state, logically block non-control frames on the secondary port, flush its own bridge table, and send a control frame to the transit nodes, instructing them to flush their bridging tables and re-learn the topology.
即使在环故障状态下运行,主节点也会继续向其主端口发送定期健康检查帧。恢复环后,将在主节点的辅助端口上接收下一个健康检查帧。这将导致主节点转换回正常状态,从逻辑上阻塞辅助端口上的非控制帧,刷新其自己的桥接表,并向传输节点发送控制帧,指示它们刷新桥接表并重新学习拓扑。
During the time between the transit node detecting that its link is restored and the master node detecting that the ring is restored, the secondary port of the master node is still open -- creating the possibility of a temporary loop in the topology. To prevent this, the transit node will place all the protected VLANs transiting the newly restored port into a temporary blocked state, remember which port has been temporarily blocked, and transition into the "pre-forwarding" state. When the transit node in the "pre-forwarding" state receives a control frame instructing it to flush its bridging table, it will flush the bridging table, unblock the previously blocked protected VLANs on the newly restored port, and transition to the "normal" state.
在传输节点检测到其链路已恢复和主节点检测到环已恢复之间的时间内,主节点的辅助端口仍处于打开状态,这就可能在拓扑中创建临时环路。为了防止出现这种情况,传输节点会将所有通过新恢复端口传输的受保护VLAN置于临时阻止状态,记住哪个端口已被临时阻止,然后转换为“预转发”状态。当处于“预转发”状态的传输节点接收到一个控制帧,指示它刷新其桥接表时,它将刷新桥接表,在新恢复的端口上取消阻止以前被阻止的受保护VLAN,并转换到“正常”状态。
An EAPS-enabled switch can be part of more than one ring. Hence, an EAPS-enabled switch can belong to more than one EAPS Domain at the same time. Each EAPS Domain on a switch requires a separate instance of the EAPS protocol on that same switch, one instance per EAPS-protected ring.
启用EAPS的交换机可以是多个环的一部分。因此,启用EAPS的交换机可以同时属于多个EAPS域。交换机上的每个EAPS域需要同一交换机上的EAPS协议的单独实例,每个EAPS保护环一个实例。
One can also have more than one EAPS domain running on the same ring at the same time. Each EAPS Domain has its own unique master node and its own set of protected VLANs. This facilitates spatial reuse of the ring's bandwidth.
也可以同时在同一个环上运行多个EAPS域。每个EAPS域都有自己独特的主节点和自己的受保护VLAN集。这有助于环的带宽的空间重用。
EAPS Frame Format
EAPS帧格式
0 1 2 3 4 4
12345678 90123456 78901234 56789012 34567890 12345678
+--------+--------+--------+--------+--------+--------+
| Destination MAC Address (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| Source MAC Address (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| EtherType |PRI | VLAN ID | Frame Length |
+--------+--------+--------+--------+--------+--------+
| DSAP/SSAP | CONTROL| OUI = 0x00E02B |
+--------+--------+--------+--------+--------+--------+
| 0x00bb | 0x99 | 0x0b | EAPS_LENGTH |
+--------+--------+--------+--------+--------+--------+
|EAPS_VER|EAPSTYPE| CTRL_VLAN_ID | 0x0000 |
+--------+--------+--------+--------+--------+--------+
| 0x0000 | SYSTEM_MAC_ADDR (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| | HELLO_TIMER | FAIL_TIMER |
+--------+--------+--------+--------+--------+--------+
| STATE | 0x00 | HELLO_SEQ | 0x0000 |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
0 1 2 3 4 4
12345678 90123456 78901234 56789012 34567890 12345678
+--------+--------+--------+--------+--------+--------+
| Destination MAC Address (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| Source MAC Address (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| EtherType |PRI | VLAN ID | Frame Length |
+--------+--------+--------+--------+--------+--------+
| DSAP/SSAP | CONTROL| OUI = 0x00E02B |
+--------+--------+--------+--------+--------+--------+
| 0x00bb | 0x99 | 0x0b | EAPS_LENGTH |
+--------+--------+--------+--------+--------+--------+
|EAPS_VER|EAPSTYPE| CTRL_VLAN_ID | 0x0000 |
+--------+--------+--------+--------+--------+--------+
| 0x0000 | SYSTEM_MAC_ADDR (6 bytes) |
+--------+--------+--------+--------+--------+--------+
| | HELLO_TIMER | FAIL_TIMER |
+--------+--------+--------+--------+--------+--------+
| STATE | 0x00 | HELLO_SEQ | 0x0000 |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
| RESERVED (0x000000000000) |
+--------+--------+--------+--------+--------+--------+
Where:
哪里:
Destination MAC Address is always 0x00e02b000004. PRI contains 3 bits of priority, with 1 other bit reserved. EtherType is always 0x8100. DSAP/SSAP is always 0xAAAA. CONTROL is always 0x03. EAPS_LENGTH is 0x40. EAPS_VERS is 0x0001. CTRL_VLAN_ID is the VLAN ID for the Control VLAN in use. SYSTEM_MAC_ADDR is the System MAC Address of the sending node. HELLO_TIMER is the value set by the Master Node. FAIL_TIMER is the value set by the Master Node. HELLO_SEQ is the sequence number of the Hello Frame.
目标MAC地址始终为0x00e02b000004。PRI包含3位优先级,另保留1位。EtherType始终为0x8100。DSAP/SSAP始终为0xAAAA。控件始终为0x03。EAPS_长度为0x40。EAPS版本为0x0001。CTRL\u VLAN\u ID是正在使用的控制VLAN的VLAN ID。SYSTEM_MAC_ADDR是发送节点的系统MAC地址。HELLO_TIMER是主节点设置的值。FAIL_TIMER是主节点设置的值。HELLO_SEQ是HELLO帧的序列号。
EAPS Type (EAPSTYPE) values: HEALTH = 5 RING-UP-FLUSH-FDB = 6 RING-DOWN-FLUSH-FDB = 7 LINK-DOWN = 8 All other values are reserved.
EAPS类型(EAPSTYPE)值:运行状况=5振铃-刷新-FDB=6振铃-刷新-FDB=7链路-关闭=8保留所有其他值。
STATE values: IDLE = 0 COMPLETE = 1 FAILED = 2 LINKS-UP = 3 LINK-DOWN = 4 PRE-FORWARDING = 5 All other values are reserved.
状态值:IDLE=0 COMPLETE=1 FAILED=2 LINKS-UP=3 LINK-DOWN=4 PRE-FORWARDING=5保留所有其他值。
Anyone with physical access to the physical layer connections could forge any sort of Ethernet frame they wished, including but not limited to Bridge frames or EAPS frames. Such forgeries could be used to disrupt an Ethernet network in various ways, including methods that are specific to EAPS or other unrelated methods, such as forged Ethernet bridge frames.
任何能够物理访问物理层连接的人都可以伪造任何种类的以太网帧,包括但不限于网桥帧或EAPS帧。此类伪造可用于以各种方式破坏以太网网络,包括特定于EAP的方法或其他不相关方法,例如伪造以太网网桥帧。
As such, it is recommended that users not deploy Ethernet without some form of encryption in environments where such active attacks are considered a significant operational risk. IEEE standards already exist for link-layer encryption. Those IEEE standards could be used to protect an Ethernet's links. Alternately, upper-layer security mechanisms could be used if it is more appropriate to the local threat model.
因此,建议用户在此类主动攻击被视为重大操作风险的环境中,不要在没有某种形式加密的情况下部署以太网。IEEE标准已经存在于链路层加密中。这些IEEE标准可用于保护以太网的链路。或者,如果更适合本地威胁模型,则可以使用上层安全机制。
The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information, consult the online list of claimed rights.
IETF已收到关于本文件所含部分或全部规范的知识产权声明。有关更多信息,请查阅在线权利主张列表。
This document was edited together and put into RFC format by R.J. Atkinson from internal documents created by the authors below. The Editor is solely responsible for any errors made during redaction.
本文件由R.J.Atkinson根据以下作者创建的内部文件一起编辑并转换为RFC格式。编辑对编辑过程中出现的任何错误全权负责。
R. Atkinson Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051 USA
R.阿特金森极限网络美国加利福尼亚州圣克拉拉门罗街3585号,邮编95051
Phone: +1 (408)579-2800
EMail: rja@extremenetworks.com
Phone: +1 (408)579-2800
EMail: rja@extremenetworks.com
S. Shah Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051
S.Shah Extreme Networks加利福尼亚州圣克拉拉门罗街3585号,邮编95051
Phone: +1 (408)579-2800
EMail: sshah@extremenetworks.com
Phone: +1 (408)579-2800
EMail: sshah@extremenetworks.com
M. Yip Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051
M.Yip Extreme Networks加利福尼亚州圣克拉拉门罗街3585号,邮编95051
Phone: +1 (408)579-2800
EMail: my@extremenetworks.com
Phone: +1 (408)579-2800
EMail: my@extremenetworks.com
Copyright (C) The Internet Society (2003). All Rights Reserved.
版权所有(C)互联网协会(2003年)。版权所有。
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。
The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.
上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。