
I would like to understand what is used as the VLAN column in the FDB. For an ACCESS port it is the PVID if the frame is untagged, or the frame's VID if the frame is tagged; for a TRUNK port is it the allowed VLANs?

We can represent the CAM record of the FDB in a table as the following structure:

// MACAddr is a 48-bit Ethernet address.
type MACAddr [6]byte

// FdbEntry is one CAM/FDB record: the port the address was learned on, the
// address itself, the entry type (e.g. dynamic or static), the VLAN(s) the
// entry applies to and the remaining lifetime before it ages out.
type FdbEntry struct {
    Port    uint16
    Address MACAddr
    Type    uint8
    Vlan    []uint16
    TTL     time.Duration
}

But if the frame came in on a trunk port, the trunk port can have several VLANs, so we set the Vlan field to the array of VLANs configured on the trunk interface. If the port is ACCESS, we use the PVID. Since the fastest way to get a record out of the CAM table is a hash map, the key must be unique, and as the key we use the MAC address of the sender. That's why the Vlan field is an array.

When a frame arrives, we must look for an entry in the FDB (because we're supporting 802.1Q). If an entry is found, we make sure to check the entry's port ID against the ingress port ID, because the device may have been reconnected to another port, so the port ID must be changed accordingly. If the entry was not found, we have to create an entry in the table (FDB) with the PVID of the ingress port as the Vlan field. Or, if the ingress frame is tagged, must we set the frame's VID as the Vlan field instead of the ingress PVID?

// New dynamic entry for a source MAC that is not yet in the table.
// DYNAMIC is the entry-type constant for a learned (not static) entry.
t := FdbEntry{
    Port:    ingressPort.Id,
    Address: ingressFrame.srcAddr,
    Type:    DYNAMIC,
    Vlan:    ingressPort.Vlans(),
    TTL:     60 * time.Second,
}

Checking for "MAC movement moment"

isMoved := fdbEntry.Port != ingressPort.Id
if isMoved {
    // The source MAC arrived on a different port than the one recorded:
    // the port in the table must be overwritten (MAC move).
    t := FdbEntry{
        Port:    ingressPort.Id,
        Address: fdbEntry.Address,
        Type:    fdbEntry.Type,
        Vlan:    fdbEntry.Vlan,
        TTL:     fdbEntry.TTL,
    }
    fdbTable.Update(ingressFrame.srcAddr, t) // update the hash map
}

See the illustration below:

[illustration: image not reproduced]

Also, do we add the entry as soon as the frame arrives (after only ingress filtering, if enabled), or do we add the entry only when ingress filtering, egress filtering and the forwarding process have all succeeded?

  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer.
    – Ron Maupin
    Commented Nov 19, 2022 at 23:04

1 Answer


Each VLAN is treated as a separate L2 segment, or forwarding domain.

You cannot forward by destination MAC address alone as that would violate those domains. Also, MAC address learning needs to be limited to the current domain as a MAC may be located on different ports in different VLANs.

In relation to your other question, it's efficient to handle both VLAN filtering and forwarding at the same time. It is reasonable to treat the VLAN ID (or the index into the VLAN table) as an extension to the MAC address. On frame ingress, you need to check whether the inbound port is allowed access with the tagged VLAN. Also, on a trunk port untagged frames may not be defined/allowed. Illegal frames are dropped.

Legal frames are matched to the CAM table, the destination MAC possibly extended by the VLAN ID, depending on implementation - remember that a switch is doing all forwarding in hardware.

Note that with a combined VLID-MAC address you can only match the destination MAC on the indicated VLAN - if the MAC isn't present there, it's treated as unknown and the frame is flooded to all VLAN ports.

On egress, the tag needs to be removed when that VLAN is untagged (access port, or native VLAN on a trunk port).

  • It turns out that only after passing all phases of filtering: ingress filtering (if enabled), the forwarding process, egress filtering, can we enter data into the table? In my previous post I added a complete frame processing scheme.
    – Manticore
    Commented Apr 19, 2022 at 9:56
  • A frame passing the ingress filter should always update the CAM table/forwarding database, regardless of whether or not it passes the egress filter.
    – Zac67
    Commented Apr 19, 2022 at 10:57
  • As soon as a frame arrives we first search the table and, in case of a "MAC movement moment", we update the data in the table; otherwise we just forward to the port specified in the table. And if the record is not found, we forward to all ports except the port from which the frame came. But you still did not answer my question: what is set as the Vlan column in the table? If the inbound port is in ACCESS mode, the PVID is set, and if the port is in TRUNK mode, the whole member set supported by the trunk port is set? What "variable", what value, and the value of what?
    – Manticore
    Commented Apr 19, 2022 at 12:00
  • As mentioned in your other question, you can combine the VLAN ID with the MAC address in the forwarding table - a MAC is only meaningful within its L2 segment anyway. If a MAC address is used in multiple VLANs you've just got multiple entries that won't collide in any way. Also, if the addressed MAC is present only on another VLAN, there's no match for the current frame and it's flooded as it should be.
    – Zac67
    Commented Apr 19, 2022 at 13:18
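Putting the answer's design and the question's procedure together in runnable form, as an added example that is not code from either poster: a small VLAN-aware learning bridge in Go whose FDB is keyed by (VLAN ID, MAC) rather than carrying a Vlan array in the value, so the "VLAN column" question disappears. Ingress classification (PVID for untagged, frame VID for tagged, drop on a non-member VLAN or an untagged frame on a trunk), learning right after ingress filtering, MAC move by overwrite, lookup and flooding confined to the frame's VLAN, and the egress untag decision are all shown; it goes slightly beyond the thread in also filtering a frame whose destination sits behind the ingress port. The port model (Pvid, Member, Tagged, AcceptUntagged), the helper names and the four-port topology in SampleBridge are assumptions made for this example, and entry ageing/TTL is left out.

```go
package main

import (
	"fmt"
	"sort"
)

type MAC [6]byte

// FdbKey extends the MAC with the VLAN ID: the same MAC learned in two VLANs
// gives two entries, and a destination is matched only inside the frame's VLAN.
type FdbKey struct{ Vid uint16; Mac MAC }

type Frame struct{ Src, Dst MAC; Tagged bool; Vid uint16 } // Vid valid only when Tagged

type Output struct{ Port uint16; Tagged bool } // one egress copy, tagged or not

// Port models an 802.1Q port (assumed model). Member is the set of VLANs it
// carries, Tagged the subset that leaves it tagged. An access port has
// Member == {Pvid} and nothing tagged; a trunk may reject untagged frames.
type Port struct {
	Id, Pvid       uint16
	Member, Tagged map[uint16]bool
	AcceptUntagged bool
}

type Bridge struct {
	Ports map[uint16]*Port
	Fdb   map[FdbKey]uint16 // (VLAN, MAC) -> port: no VLAN column; ageing left out
}

// classify is ingress filtering: an untagged frame takes the PVID if the port
// accepts untagged frames; a tagged frame must carry a VLAN the port is in.
func (p *Port) classify(f Frame) (uint16, bool) {
	switch {
	case p == nil: // unknown ingress port
		return 0, false
	case !f.Tagged:
		return p.Pvid, p.AcceptUntagged
	}
	return f.Vid, p.Member[f.Vid]
}

// Forward runs ingress filtering, learning, lookup, unicast-or-flood and the
// egress tag decision for one frame. An empty result means dropped or filtered.
func (b *Bridge) Forward(inPort uint16, f Frame) []Output {
	vid, ok := b.Ports[inPort].classify(f)
	if !ok {
		return nil
	}
	// Learn as soon as ingress filtering passes, whatever egress decides. A MAC
	// seen on another port in the same VLAN (a MAC move) overwrites the port.
	b.Fdb[FdbKey{vid, f.Src}] = inPort
	var targets []uint16
	if out, hit := b.Fdb[FdbKey{vid, f.Dst}]; hit {
		if out == inPort {
			return nil // destination sits behind the ingress port: filter it
		}
		targets = []uint16{out}
	} else {
		for id, q := range b.Ports { // unknown in this VLAN: flood within it only
			if id != inPort && q.Member[vid] {
				targets = append(targets, id)
			}
		}
	}
	sort.Slice(targets, func(i, j int) bool { return targets[i] < targets[j] })
	var res []Output
	for _, id := range targets {
		res = append(res, Output{Port: id, Tagged: b.Ports[id].Tagged[vid]})
	}
	return res
}

func access(id, vid uint16) *Port {
	return &Port{Id: id, Pvid: vid, Member: map[uint16]bool{vid: true}, AcceptUntagged: true}
}

// SampleBridge is a constructed topology: ports 1 and 4 are access ports in
// VLAN 10, port 2 an access port in VLAN 20, port 3 a trunk tagging both.
func SampleBridge() *Bridge {
	both := map[uint16]bool{10: true, 20: true}
	trunk := &Port{Id: 3, Member: both, Tagged: both} // AcceptUntagged false: no native VLAN
	b := &Bridge{Ports: map[uint16]*Port{}, Fdb: map[FdbKey]uint16{}}
	for _, p := range []*Port{access(1, 10), access(2, 20), trunk, access(4, 10)} {
		b.Ports[p.Id] = p
	}
	return b
}

var hostA, hostB = MAC{2, 0, 0, 0, 0, 0xa}, MAC{2, 0, 0, 0, 0, 0xb} // constructed hosts

func main() {
	b := SampleBridge()
	fmt.Println(b.Forward(1, Frame{Src: hostA, Dst: hostB}))                       // [{3 true} {4 false}]: B unknown, flooded in VLAN 10 only
	fmt.Println(b.Forward(3, Frame{Src: hostB, Dst: hostA, Tagged: true, Vid: 10})) // [{1 false}]: A known in VLAN 10, sent untagged
	fmt.Println(b.Forward(3, Frame{Src: hostB, Dst: hostA, Tagged: true, Vid: 20})) // [{2 false}]: A unknown in VLAN 20, flooded there only
	fmt.Println(b.Forward(4, Frame{Src: hostA, Dst: hostB}))                       // [{3 true}]: A moved to port 4; B still on port 3
}
```

The point to take from it is in Forward: the key already carries the VLAN, so a lookup for A in VLAN 20 misses even though A is known in VLAN 10 and the frame floods only to VLAN 20 members, and learning happens once ingress filtering has passed, independent of whether the frame is later unicast, flooded or filtered on egress.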
