Network Working Group S. Shah & M. Yip Internet Draft Extreme Networks 11 December 2002 Ethernet Automatic Protection Switching (EAPS), Version 1 draft-shah-extreme-eaps-00.txt Status of this Memo This document is an Internet-Draft and is NOT offered in accordance with Section 10 of RFC-2026, and the author does not provide the IETF with any rights other than to publish as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at: http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at: http://www.ietf.org/shadow.html This document provides information for members of the networking community. Distribution of this memo is unlimited. 1. INTRODUCTION This document describes the Ethernet Automatic Protection Switching (EAPS) (TM) technology invented by Extreme Networks to better support operators of Ethernet MAN Rings. Many network operators have been moving to Ethernet technology from SONET technology in MANs because of the much better value proposition of the Ethernet technology. Many Metropolitan Area Networks (MANs) have a ring topology, as the fibre runs. The Ethernet Automatic Protection Switching technology described here works well in ring topologies for MANs or large campus networks. Shah & Yip [Page 1] Internet-Draft 11 December 2002 Also, most MAN operators want to minimise the recovery time in the event a fibre cut occurs. The Spanning Tree Protocol can take as long as 40 seconds to converge in the event of a topology change. The newer Rapid Spanning Tree Protocol is considerably faster, however its convergence time is still dependent upon the number of notes in the ring. Both STP and RSTP limit the number of nodes in the ring. The Ethernet Automatic Protection Switching (EAPS) technology described here converges in less than one second, often in less than 100 milliseconds. EAPS technology does not limit the number of nodes in the ring, and the convergence time is independent of the number of nodes. 2. CONCEPT OF OPERATION An EAPS Domain exists on a single Ethernet ring. Any Ethernet Virtual Local Area Network (VLAN) that is to be protected is configured on all ports in the ring for the given EAPS Domain. Each EAPS Domain has a single designated "master node". Each other node on that ring is referred to as a "transit node". Of course, each node on the ring will have 2 ports connected to the ring. One port of the master node is designated to be the "primary port" to the ring for the master node. The other port is designated as the "secondary port". In normal operation, the master node blocks the secondary port for all non-control Ethernet frames belonging to the given EAPS Domain, thereby avoiding a loop in the ring. Existing Ethernet switching and learning mechanisms operate per existing standards on this ring. This is possible because the master node makes the ring appear not to have a loop, from the perspective of the Ethernet standard algorithms used for switching and learning. If the master node detects a ring fault, it unblocks its secondary port and allows Ethernet data frames to pass through that port. There is a special "Control VLAN" that can always pass through all ports in the EAPS Domain, including the secondary port of the master node. EAPS uses both a polling mechanism, described in detail below, and an alert mechanism, also described below, to verify the connectivity of the ring and to quickly detect any faults. 2.1 LINK DOWN ALERT When any transit node detects a link-down on any of its ports in the EAPS Domain, that transit node immediately Shah & Yip [Page 2] Internet-Draft 11 December 2002 sends a "link down" control frame on the Control VLAN to the master node. When the master node receives this "link down" control frame, the master node moves from the "normal" state to the ring-fault state and unblocks its secondary port. The master node also flushes its bridging table. The master node also sends a control frame to all other ring nodes instructing them to flush their bridging tables. Immediately after flushing its bridging table, each node starts learning the new topology. 2.2 RING POLLING The master node sends a health-check frame on the Control VLAN at a user-configurable interval. If the ring is complete, this will be received on its secondary port. Upon receipt of the health-check frame, the master node resets its fail-period timer and continues normal operation. If the master node does not receive the health-check frame before the fail-period timer expires, the master node moves from the normal state to the "ring-fault" state and unblocks its secondary port. The master node also flushes its bridging table. The master node also sends a control frame to all other nodes instructing them to also flush their bridging tables. Immediately after flushing its bridge table, each node starts learning the new topology. This ring polling mechanism provides a backup in the event the Link Down Alert frame should get lost for some unforeseen reason. 2.3 RING RESTORATION The master node continues sending periodic health-check frames out its primary port even when operating in the ring-fault state. Once the ring is restored, the very next health-check frame will be received on the master node's secondary port. This will cause the master node to transition back to the normal state, logically block non-control frames on the secondary port, flush its own bridge table, and send a control frame to the transit nodes instructing them to flush their bridging tables and re-learn the topology. During the time between the transit node detecting that its link is restored and the master node detecting that the ring is restored, the secondary port of the master node is still open -- Shah & Yip [Page 3] Internet-Draft 11 December 2002 creating the possibility of a temporary loop in the topology. To prevent any temporary loop, the transit node will put all the protected VLANs transiting the newly restored port into a temporary blocked state, remember which port has been temporarily blocked, and transition into the "pre-forwarding" state. When the transit node in the "pre-forwarding" state receives a control frame instructing it to flush its bridging table, it will flush the bridging table, unblock the previously blocked protected VLANs on the newly restored port, and transition to the "normal" state. 3. MULTIPLE EAPS DOMAINS An EAPS-enabled switch can be part of more than one ring. Hence, an EAPS-enabled switch can belong to more than one EAPS Domain at the same time. Each EAPS Domain on a switch requires a separate instance of the EAPS protocol on that same switch, one instance per EAPS-protected ring. One can also have more than one EAPS domain running on the same ring at the same time. Each EAPS Domain has its own different master node and each EAPS Domain has its own set of protected VLANs. This facilitates spatial reuse of the ring's bandwidth. EAPS FRAME FORMAT 0 1 2 3 4 4 12345678 90123456 78901234 56789012 34567890 12345678 +--------+--------+--------+--------+--------+--------+ | Destination MAC Address (6 bytes) | +--------+--------+--------+--------+--------+--------+ | Source MAC Address (6 bytes) | +--------+--------+--------+--------+--------+--------+ | EtherType |PRI | VLAN ID | Frame Length | +--------+--------+--------+--------+--------+--------+ | DSAP/SSAP | CONTROL| OUI = 0x00E02B | +--------+--------+--------+--------+--------+--------+ | 0x00bb | 0x99 | 0x0b | EAPS_LENGTH | +--------+--------+--------+--------+--------+--------+ |EAPS_VER|EAPSTYPE| CTRL_VLAN_ID | 0x0000 | +--------+--------+--------+--------+--------+--------+ | 0x0000 | SYSTEM_MAC_ADDR (6 bytes) | +--------+--------+--------+--------+--------+--------+ | | HELLO_TIMER | FAIL_TIMER | Shah & Yip [Page 4] Internet-Draft 11 December 2002 +--------+--------+--------+--------+--------+--------+ | STATE | 0x00 | HELLO_SEQ | 0x0000 | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ | RESERVED (0x000000000000) | +--------+--------+--------+--------+--------+--------+ Where: Destination MAC Address is always 0x00e02b000004. PRI contains 3 bits of priority, with 1 other bit reserved. EtherType is always 0x8100. DSAP/SSAP is always 0xAAAA. CONTROL is always 0x03. EAPS_LENGTH is 0x40. EAPS_VERS is 0x0001. CTRL_VLAN_ID is the VLAN ID for the Control VLAN in use. SYSTEM_MAC_ADDR is the System MAC Address of the sending node. HELLO_TIMER is the value set by the Master Node. FAIL_TIMER is the value set by the Master Node. HELLO_SEQ is the sequence number of the Hello Frame. EAPS Type (EAPSTYPE) values: HEALTH = 5 RING-UP-FLUSH-FDB = 6 RING-DOWN-FLUSH-FDB = 7 LINK-DOWN = 8 All other values are reserved. STATE values: IDLE = 0 COMPLETE = 1 FAILED = 2 LINKS-UP = 3 LINK-DOWN = 4 PRE-FORWARDING = 5 All other values are reserved. Shah & Yip [Page 5] Internet-Draft 11 December 2002 SECURITY CONSIDERATIONS Anyone with physical access to the physical layer connections could forge any sort of Ethernet frame they wished, including but not limited to EAPS frames. Such forgeries could be used to disrupt an Ethernet network in various ways, including methods that are specific to EAPS or other unrelated methods such as forged Ethernet bridge frames. As such, it is recommended that users not deploy Ethernet without some form of encryption in environments where such wiretapping is considered a significant operational risk. IEEE standards exist for link-layer encryption, which could also be used to protect an Ethernet's links from wiretapping. Alternately, upper-layer security mechanisms could be used if more appropriate to the local threat model. INTELLECTUAL PROPERTY Extreme Networks Inc. has filed patent applications on and related to the technology described herein. ACKNOWLEDGEMENT This document was edited together and put into RFC format by R.J. Atkinson from internal documents created by the authors below. The Editor is solely responsible for any errors made during redaction. EDITOR'S ADDRESS: R. Atkinson Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051 USA Telephone: +1 (408)579-2800 Email: rja@extremenetworks.com AUTHOR'S ADDRESS: in 3 S. Shah Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051 Shah & Yip [Page 6] Internet-Draft 11 December 2002 Email: sshah@extremenetworks.com Phone: +1 (408)579-2800 M. Yip Extreme Networks 3585 Monroe Street Santa Clara, CA, 95051 Email: my@extremenetworks.com Phone: +1 (408)579-2800 Shah & Yip [Page 7]