VMAN Overview

The VMAN feature is defined by the IEEE 802.1ad standard, which is an amendment to the IEEE 802.1Q VLAN standard.

A VMAN is a virtual Metropolitan Area Network (MAN) that operates over a physical MAN or Provider Bridged Network (PBN). This feature allows a service provider to create VMAN instances within a MAN or PBN to support individual customers. Each VMAN supports tagged and untagged VLAN traffic for a customer, and this traffic is kept private from other customers that use VMANs on the same PBN.

The PBN uses Provider Bridges (PBs) to create a Layer 2 network that supports VMAN traffic. The VMAN technology is sometimes referred to as VLAN stacking or Q-in-Q.



VMAN is an Extreme Networks term that became familiar to Extreme Networks customers before the 802.1ad standard was complete. The term VMAN is used in the ExtremeXOS software and also in this document to support customers who are familiar with the term. The term PBN is also used in this guide to establish the relationship between this industry standard technology and the Extreme Networks VMAN feature.

VMAN in PBN shows a VMAN, which spans the switches in a PBN.


The entry points to the VMAN are the access ports on the VMAN edge switches. Customer VLAN (CVLAN) traffic that is addressed to locations at other VMAN access ports enters the ingress access port, is switched through the VMAN, and exits the egress access port. If you do not configure any frame manipulation options, the CVLAN frames that exit the VMAN are identical to the frames that entered the VMAN.

VMAN access ports operate in the following roles:

The CEP role, which is configured in software as a cep vman port, connects a VMAN to specific CVLANs based on the CVLAN CVID. The CNP role, which is configured as an untagged vman port, connects a VMAN to all other port traffic that is not already mapped to the port CEP role. These roles are described later.

All other VMAN ports (except the access ports) operate as VMAN network ports, which are also known as Provider Network Ports (PNPs) in the 802.1ad standard. The VMAN network ports connect the PBs that form the core of the VMAN. During configuration, the VMAN network ports are configured as tagged VMAN ports.

Tag Usage at the VMAN Access Switch shows one VMAN, but a PBN can support multiple VMAN instances, which are sometimes called VMANs or Service VLANs (SVLANs). VMANs allow you to partition the PBN for customers in the same way that VLANs allow you to partition a Layer 2 network. For example, you can use different VMANs to support different customers on the PBN, and the PBN delivers customer traffic only to the PBN ports that are configured for the appropriate VMAN.

A VMAN supports two tags in each Ethernet frame, instead of the single tag supported by a VLAN Ethernet frame. The inner tag is referred to as the customer tag (C-tag), and this optional tag is based on the CVLAN tag if the source VLAN is a tagged VLAN. The outer tag is referred to as the service tag (S-tag) or VMAN tag or SVLAN tag, and it is the tag that defines to which SVLAN a frame belongs. Tag Usage at the VMAN Access Switch shows the frame manipulation that occurs at the VMAN edge switch.

Tag Usage at the VMAN Access Switch

In this example, the switch accepts CVLAN frames on VMAN access ports 1:1 and 1:2. The switch then adds the S-tag to the frames and switches the frames to network ports 2:1 and 2:2. When the 802.1ad frames reach the PB egress port, the egress switch removes the S-tag, and the CVLAN traffic exits the egress access port in its original form.

When the switch in the figure above acts as the egress switch for a VMAN, VMAN frames arrive on network ports 2:1 and 2:2. The switch accepts only those frames with the correct S-tag, removes the S-tags, and switches those frames to access ports 1:1 and 1:2. Unless special configuration options are applied, the egress frames are identical to ingress CVLAN frames. (Configuration options are described in VMAN Configuration Options and Features.)

S-tag and C-tag Components shows that the S-tags and C-tags used in VMAN frames contain more than just customer and service VLAN IDs.

S-tag and C-tag Components

Each S-tag and C-tag contains an ethertype, a Class of Service (CoS), and a SVLAN ID (SVID) or CVLAN ID (CVID). The ethertype is described in Secondary Ethertype Support, and the CoS is described in QoS Support.

The SVID is the VLAN tag you assign to a VMAN when you create it (see the configure vman vman_name tag tag command). The CVID represents the CVLAN tag for tagged VLAN traffic.
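The tag layout and the access-switch behavior described above can be traced byte by byte. The following is an added example, not code from this guide or from ExtremeXOS: it pushes an S-tag on ingress, then on egress accepts only frames with the expected SVID and removes the S-tag. The function names, MAC addresses, SVID 300 and CVID 10 are constructed for illustration, and the ethertypes are assumed to be the standard values 0x88A8 (S-tag) and 0x8100 (C-tag).

```python
import struct

# Assumption: standard TPIDs (802.1ad S-tag, 802.1Q C-tag); a switch may be
# configured with a different VMAN ethertype.
TPID_S = 0x88A8
TPID_C = 0x8100


def build_tag(tpid, pcp, vid):
    """Pack a 4-byte tag: 16-bit ethertype, then 3-bit CoS, 1-bit DEI, 12-bit VLAN ID."""
    if not (0 <= pcp <= 7 and 0 <= vid <= 0xFFF):
        raise ValueError("CoS must fit 3 bits and VLAN ID 12 bits")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def parse_tag(frame, offset):
    """Return (ethertype, cos, vid) for the tag starting at offset."""
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return tpid, tci >> 13, tci & 0x0FFF


def ingress_push(frame, svid, pcp=0):
    """Access port to network port: insert the S-tag after the two MAC addresses."""
    return frame[:12] + build_tag(TPID_S, pcp, svid) + frame[12:]


def egress_pop(frame, svid):
    """Network port to access port: accept only the expected S-tag, then remove it.

    Returns the customer frame, or None when the frame is dropped.
    """
    if len(frame) < 16:
        return None  # too short to carry an S-tag
    tpid, _cos, vid = parse_tag(frame, 12)
    if tpid != TPID_S or vid != svid:
        return None  # untagged, wrong ethertype, or another VMAN's frame
    return frame[:12] + frame[16:]


# Constructed sample: C-tagged customer frame (CVID 10, CoS 5) with a stub payload.
DST, SRC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
CUSTOMER_FRAME = DST + SRC + build_tag(TPID_C, 5, 10) + struct.pack("!H", 0x0800) + b"payload"

if __name__ == "__main__":
    stacked = ingress_push(CUSTOMER_FRAME, svid=300)
    print("S-tag:", parse_tag(stacked, 12), "C-tag:", parse_tag(stacked, 16))
    print("egress on VMAN 300 identical:", egress_pop(stacked, 300) == CUSTOMER_FRAME)
    print("egress on VMAN 301:", egress_pop(stacked, 301))
```

The S-tag check in egress_pop is what keeps one customer's traffic out of another customer's VMAN: a frame that carries a different SVID, or no S-tag at all, is never forwarded to the access port.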

Switch ports support VMAN roles and features, which are described in the following sections: