Bridging Functions With PVLANs

1. As the starting process, a VLAN lookup is performed to determine which bridging domain the packet forms. The result of the lookup identifies the bridging domain id (bd_id), mesh group id (mg_id). With these parameters, other related information configured for this bridging domain is discovered.

2. A source MAC address (SMAC) lookup is performed to find out whether this MAC addresses is learned or not. If it is not a learned address, an MLP packet (route for flooding traffic to MAC learning chips) is sent to all the other Packet Forwarding Engines that are mapped with this bridging domain. In addition, an MLP packet is also sent to the host.

3. A destination MAC address (DMAC) lookup using the tuple (bridge domain ID, VLAN, and destination MAC address).

4. If a match is observed for the MAC address, the result of the lookup points to the egress next-hop. The egress Packet Forwarding Engine is used to forward the packet.

5. If a miss occurs during the lookup, the flood next-hop is determined using the mesh group ID to flood the packet.

The following two significant conditions are considered in PVLAN bridging: Only a specific port to another port forwarding is permitted. A packet drop occurs on the egress interface after traversing and consuming the fabric bandwidth. To avoid traffic dropping, the decision on whether the packet needs to be dropped arrives before traversing the fabric, thereby saving the fabric bandwidth during DoS attacks. Because multiple overlapping bridge domains exist, which denotes that the same port (promiscuous or interswitch link) appears as a member in multiple bridge domains, the MAC addresses learned in one port must be visible to ports on another bridge domain. For example, a MAC address learned on a promiscuous port must be visible to both an isolated port (isolated bridge domain) and a community port (community bridge domain) on the various community bridge domains.

To resolve this problem, a shared VLAN is used for PVLAN bridging. In the shared VLAN model, all the MACs learned across all the ports are stored in the same bridge domain (primary VLAN BD) and same VLAN (primary VLAN). When the VLAN lookup is done for the packet, the PVLAN port, PVLAN bridge domain, and the PVLAN tag or ID are also used. The following processes occur with a shared VLAN methodology:

• A source MAC address (SMAC) lookup is performed to find out whether this MAC address is learned or not. If it is not a learned address, an MLP packet (route for flooding traffic to MAC learning chips) is sent to all the other Packet Forwarding Engines that are mapped with this bridging domain. In addition, an MLP packet is also sent to the host.

• A destination MAC address (DMAC) lookup using the tuple (bridge domain ID, VLAN, and destination MAC address).

• If a match is observed for the MAC address, the result of the lookup points to the egress next-hop. The egress Packet Forwarding Engine is used to forward the packet.

• If a miss occurs during the lookup, the flood next-hop is determined using the mesh group ID to flood the packet.

• If a match occurs, the group ID is derived from the VLAN lookup table and the following validation is performed to enforce primary VLAN forwarding:

Steps 	Source		Destination		   	Action
Step 1					0			{*}			   	Permit
Step 2					{*}		  0				   Permit
Step 3					1				1				   Drop
Step 4	 X <-> Y (X > 1 and Y > 1 and X ≠ Y	Drop

Here, {*} is a wildcard in regular expression notation referring to any value. Step 1 ensures all forwarding from promiscuous or inter switch link ports to any other port is permitted. Step 2 ensures all forwarding from any port to promiscuous or interswitch link ports is permitted. Step 3 ensures any isolated port to another isolated port is dropped. Step 4 ensures community port forwarding is permitted only within same community(X == Y) and dropped when its across community (X ≠ Y).