
VLAN forwarding modes and IB

7302-7330-735x ISAM / 5520 AMS operator part 1 section D

Alcatel-Lucent University Antwerp

During class please switch off your mobile, pager or other device that may interrupt.
Entry level requirements:
> You are familiar with the theoretical concepts of Ethernet and VLANs.
> You can configure equipment and the interworking function (basic configuration) on ISAMs using the 5520 AMS.

TAC03001 _D Ed01

2008 Alcatel Bell N.V., All rights reserved

Objectives
After attending this session, you should be able to:
> Describe what a Residential Bridge VLAN (= Intelligent Bridge VLAN) is
> Explain how the RB-VLAN is behaving
  - on LT
  - on SHUB
> Create a RB-VLAN via AMS and CLI
  - on ASAM-CORE
  - on service hub
> Associate a RB-VLAN to Ethernet ports on the service hub
> Associate a RB-VLAN to a bridge port
  - with or without VLAN translation


Table of contents
> Forwarding modes: general . . . p. 4
> Layer 2 forwarding:
  - The Basics . . . p. 7
  - Intelligent bridging . . . p. 15
> VLAN setup . . . p. 33
> VLAN association . . . p. 47
> Exercises . . . p. 61


Forwarding modes

General

Forwarding engines
> On the LT: the forwarding engine is part of the Inter Working Function (IWF)
> On the NT: the forwarding engine is part of the service hub
[Figure: protocol stacks from the CPE (x/ATM/Phys layer or x/Eth) via the LT (IWF with FW engine; PVC / logical user port, EFM / user port) over the ASAM link (GE1-16) to the NT Service Hub (FW engine; GE/FE 1-7 external Ethernet links)]

> We mentioned earlier that the LT contains the Inter Working Function and the service hub (that is hosted on the NT) the aggregation function. Both of them perform forwarding, and for that purpose, the Inter Working Function provides a forwarding engine (i.e. a bridge).


Forwarding modes: General
> Forwarding modes of the 7302 ISAM: Intelligent Bridge (IB), VLAN Cross-Connect (CC), Enhanced iBridge, PPPoE Engine, Routed
> The forwarding decision is taken at L2, L2+ or L3 depending on the mode
[Figure: 7302 ISAM between the network side (Eth-VLAN, ANT) and the user side; decision layer L2 / L2+ / L3 per forwarding mode]

> Different forwarding modes are supported in order to make the ISAM fit into the different network models of different operators.
> If the DSLAMs are mainly connected to a bridged Metro Ethernet network, MAC scalability may become an issue when only layer 2 forwarding is done in the DSLAM. In that case the MAC addresses of all end-user terminals have to be learnt in the Metro Ethernet network, while the MAC tables of some bridges may be quite limited. It would then probably be better to use the layer 2+ or L3 forwarding function of the ISAM. (However, we mustn't exaggerate this issue: most bridges can learn many MAC addresses without any problem!)
> If IP routers are used in the Metro Ethernet network close to the DSLAMs, MAC scalability is not an issue, and layer 2 forwarding in the DSLAM may be an interesting option, because in general layer 2 means less configuration effort. With the 7302 ISAM, operators have the flexibility to choose the forwarding mode which best fits their network.
> In general, the layer 2 and layer 3 forwarding functions above are overkill for network VPN services towards business customers, given that the number of connections to the same VPN from one DSLAM will mostly be one, or only very few, per VPN. In such cases the VLAN cross-connect mode of the ISAM is much more appropriate for these business users: less configuration effort, and it avoids too many bridges or routers in one VPN.


L2 Forwarding mode

General overview
> Layer 2 forwarding: the Ethernet layer must be present at both sides; the encapsulation at the CPE must include Ethernet.
[Figure: 7302 ISAM in L2 mode; network side: anything over Eth-VLAN; user side: anything over Eth (VLAN) over ATM/AAL over the physical layer, or anything over Eth (VLAN) directly over the physical layer]

> In case the 7302 ISAM performs L2 forwarding, the internal forwarding is basically done on layer 2 information. The layer 2 is Ethernet, including the concept of VLANs.
> In both layer 2 forwarding models (intelligent bridge as well as cross-connect), the ISAM can accept tagged frames coming from a user. The operator can configure exactly which tag is to be expected on the bridge port; frames carrying another tag will be discarded (filter).
> In case of VLAN translation, the user sends tags that are recognized, but they only have a local meaning and are immediately translated into a network VLAN.
> In case of cross-connect, it is possible to have C-VLAN transparency (where only the S-VLAN is configured in the ISAM). In that case the user can send any C-VLAN; the ISAM will not filter based on the C-VLAN. See the section on cross-connect.


Two L2 forwarding modes
> The intelligent bridging (IB): one (or more) circuits per VLAN
  - Forwarding based upon MAC addresses and VLAN
> The cross-connect (CC): one (or more) VLANs per circuit
  - Forwarding based upon
    - User side: bridge port on PVC for ATM, or (subscriber VLAN on) bridge port on DSL port for EFM
    - Network side: single or stacked VLAN tag

> The ISAM 7302 provides a special Layer 2 behaviour that results from being deployed in an access environment, i.e. it supports the 'cross-connect mode' and the 'Intelligent Bridging mode'.
> In cross-connect mode, a particular VLAN-id is associated to one user connection only.
> In intelligent bridging mode, multiple user connections can be associated with each virtual LAN.
> The mode can be configured per VLAN. A particular VLAN can operate in only one of these modes at a time. A port, however, can be assigned to one or more VLAN cross-connects at a time and can therefore operate simultaneously in cross-connect and intelligent bridging mode. This is especially true for the Ethernet port, since it must belong to every VLAN configured.


L2 functionalities
[Figure: NT with control/management function (control link, FE) and aggregation function / Service Hub (GE/FE 1-7 external Ethernet links, GE1-16 ASAM links); LT 1 .. LT 16 with IWF and user ports (PVC / logical user port). Labels: "Standard VLAN enabled bridge" (Service Hub) and "Special VLAN enabled bridge" (IWF).]

> In general the aggregation function, implemented by means of the Service Hub on the NT, behaves as a standard bridge. A few extra features make it possible to configure the Service Hub to behave in IB mode or XC mode.
> The Service Hub (Ethernet switch) is composed of: 1) the Ethernet transceiver function, 2) the Forwarding Engine, providing the Ethernet L2 switching function, 3) the switch, providing network (trunk) ports, cascade / subtending (trunk) ports, user Ethernet ports, the NT (control) Ethernet port (on ECNT-A only!), the out-band management Ethernet port and the ASAM (LT) Ethernet ports.
> It is the IWF (Interworking Function) on the LT board that serves as the ATM to Ethernet interworking device.
> In the upstream direction (ingress bridge port on ATM PVC port), the IWF on the LT receives traffic on the ATM PVC port, reassembles the Ethernet frames from the ATM cells and forwards them towards the SHUB and thus to the E-MAN network.
> In the downstream direction the network interface of the Service Hub receives the Ethernet frames and forwards them towards the correct egress port on the Service Hub. Once the Ethernet frame is received on the ingress Ethernet port of the IWF, the frame is forwarded towards the correct user logical port, where the received Ethernet frames are segmented into ATM cells and forwarded towards the correct ATM PVC ports.
> The Service Hub and the IWFs on the LTs behave (as much as possible) as two independent Layer 2 systems: they both learn and age MAC addresses independently.
> The control function is involved in the management of the data plane (see later).


[Figure: protocol stacks from the CPE (anything / Ethernet Layer 2 / LLC SNAP / AAL5 / ATM / xDSL) via the LT (ETH-ATM Interworking Function, IWF) and the NT (Ethernet Layer 2 (+ MAC control) switch, FE/GE, GE) to the GE E-MAN network; POTS/ISDN share the line with xDSL]

> The customer's CPE is connected to the ASAM-Core with an ATM interface. It is the IWF on the LT that provides the interworking between the ATM and the Ethernet/VLAN technology. The Service Hub behaves as a standard bridge with some enhancements and performs layer 2/Ethernet forwarding.
> The layer 2 access offered via the IWF does not offer the same capabilities as the traditional ATM Layer 2 access offered by the ASAM. A traditional ATM Layer 2 access network is transparent for everything on top of ATM and as such supports many more frame encapsulation techniques at the CPE. The proposed E-MAN/ATM layer 2 access supports only CPEs using Ethernet over ATM, encapsulated by AAL5 and RFC 2684 bridged.
> In the case that the 7302 ISAM performs layer 2 forwarding and the Ethernet switches in between (E-MAN) work as bridges, the Ethernet L2 environment is terminated in the IP edge (typically the BRAS).


Intro Standard Bridging

Standard bridging concept
> MAC bridges can interconnect all kinds of LANs together
> No guaranteed delivery of frames
> A bridge learns MAC addresses
> Flooding occurs when the destination MAC address is broadcast, multicast or unknown: if you do not know, send it to everybody
> If the destination MAC address has been learned, the frame is forwarded to the indicated interface


Security/scalability issue with standard bridging
> Broadcast frames (ARP, PPPoE-PADI) forwarded to all users & flooding to all ports
> MAC-address of a user is exposed to other users
> Broadcast storms
[Figure: two DSLAMs with CPEs/PCs behind a bridged (BR) Ethernet aggregation network towards the BRAS; a frame with BC or unknown MAC DA from one user is flooded to all other users]

> The issue on the slide occurs with standard Ethernet bridges. Operators using VPLS in the EMAN will not have this issue!


Standard bridging: Issues
> Broadcast storms
> Security: broadcast frames are forwarded to all users
> Customers identified by MAC-address (not guaranteed unique)
> Restrictions on services and revenues:
  - IP edge device has no info on the access line, so it is not possible to limit the # of sessions per access line
  - User-to-user communication possible without passing the BRAS
NOT FIT FOR USE IN PUBLIC NETWORKS

> Scalability: broadcast storms. Broadcast frames are flooded over the entire aggregation network. This generates an important amount of traffic, which can result in service degradation or denial of service. Bridges have to learn the MAC addresses of all devices connected to the network.
> Security: broadcast frames (ARP, PPPoE PADI, ...) are forwarded to all users; the MAC address of a user is exposed to other users.
> Customer segregation: customers are identified by MAC address, and MAC addresses are not guaranteed unique. Undesirable & unstable behaviour: user B gets traffic destined to user A and vice versa.
> PADI = PPPoE Active Discovery Initiation packet (which is broadcast). This is the first message in the initialization phase to establish a PPPoE session.


Intelligent Bridging

The intelligent bridging model (1/3)
> Multiple users connected to 1 VLAN ID
> IB-VLAN has:
  - 1 or more network ports
  - 1 or more user logical ports, subtending ports or user Ethernet ports
> Note: Tagged frames not supported for IB if Rel. < 3.1
[Figure left: one DSLAM with separate VLANs towards ISP1, ISP2 and a corporate network through the E-MAN; routing to the correct ISP is based on the VLAN-id. Figure right: all users in one VLAN towards the BAS (IP), login to ISP or corporate; routing to the correct ISP is done based on user-id and password in the BRAS.]

> In case of Intelligent bridging multiple users are connected to the same VLAN, or in other words we have aggregation at DSLAM level within a VLAN.
> In the figure at the left we see multiple VLAN bridges supported in 1 DSLAM, to connect to different Service Providers (SP) (wholesale). Each SP is connected to the DSLAM with a specific VLAN-ID. The user ports are connected to the VLAN of their corresponding SP. Multiple user ports can be associated to a single VLAN-ID: users 2 and 5 are connected to the ISP1 VLAN, users 1, 3 & 4 are connected to the ISP2 VLAN. The MAC address lookup is performed in the forwarding table of the respective VLAN. With the principle that we have 1 VLAN ID per {IP-edge, DSLAM} pair, this means that in each Ethernet switch the SP has its own forwarding table.
> In the figure at the right we see that the routing to the correct SP is based on user-id and password and that all the users are connected with the same VLAN-ID to the BRAS.


The intelligent bridging model (2/3)
> Why VLAN translation (customer VLAN to network VLAN)? Wholesale per service
  - Drivers: VDSL and Eth offer more BW, so it makes sense to wholesale this in pieces rather than the complete DSL line as a whole
  - Consequences: model with VLANs on the DSL line; behaviour equivalent to the multi-VC model on ATM/ADSL
> VLAN per service and per provider in the aggregation network
> Service provider is free to choose the CPE configuration, but the VLANs in the aggregation network are under control of the ILEC
> Ultimately 1 subscriber (1 line) may have to support 2 HSIA services or 2 video services from different service providers.

> There are many operators who base their network architecture on one PVC per service when connecting ADSL subscribers. Once those operators start deploying VDSL, they are immediately confronted with the issue that there is no similar approach for EFM interfaces. That's why we have introduced VLAN translation.
> The requirement is driven by the wholesale model. Operators want to use a network model whereby a given user can be subscribed to a different service provider for each service. Therefore they want to have separate "circuits" per service all the way up to the CPE. They are looking at a model of VLAN/service on the DSL line, and VLAN/service/ISP in the aggregation network.


The intelligent bridging model (3/3)
> Special layer 2 behaviour needed in an access environment: IB with VLAN tagging
> Intelligent Bridge (IB) means
  - distinction between network ports and user ports: frames from a user are always sent towards the network, no user to user communication
  - prevent broadcast traffic from escalating: avoid broadcast or flooding to all users
  - secure MAC-address learning within a VLAN: avoid MAC-address duplication over multiple ports
  - protocol filtering: may lead to a frame being forwarded, sent to a host processor, discarded, or forwarded & sent to a host processor

> In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging is that it makes a distinction between network ports and user ports.
> With Intelligent Bridging, frames received from a user will always be sent towards the network and never to another user. All traffic received from a user interface is forwarded only on the uplink, and never to other users. This avoids that a user's MAC address is exposed to other users, and also assures that the user's traffic passes through the IP edge point where it can be charged for. Unicast frames: user-to-user communication is not permitted. Broadcast and multicast frames from a user are only forwarded to the interface towards the network and not to all other users.
> A second difference with standard bridging is the prevention of broadcast storms. In a standard bridge, a broadcast frame will be sent to all ports in a particular VLAN. In case of an Intelligent Bridge this is no longer true. Depending on the type of broadcast frame (depending on the protocol above Ethernet, e.g. DHCP) the treatment will be different. Each protocol deals with the restriction of Intelligent Bridging in a different way. In all cases a broadcast to all users is avoided, e.g. broadcast as a consequence of flooding (when the MAC DA is unknown) or in case of multicast.
> Another difference with standard bridging is the way MAC addresses are learnt: protection is built in to avoid the use of the same MAC address over multiple ports within one particular VLAN.
> With intelligent bridging only the following types of frames are accepted from the user ports: IPv4, ARP, PPPoE, IGMP and EAPOL (used for 802.1x). Other frames will be discarded, including multicast data frames coming from user ports.


Intelligent bridging: network issues
> Problem: if user A can obtain the MAC@ of user C, since the Ethernet switch learns all MAC@, user to user communication is possible
[Figure: two ISAMs (users with MAC A and MAC B behind their CPEs) connected through a bridged (BR) Ethernet network to the IP edge, all in VLAN 1]

> On the previous slides, we learnt how user to user communication is avoided inside the ISAM. But it is also important to mention that a VLAN must be unique between an [IP-edge, ISAM] pair in the Ethernet network to support the Intelligent Bridging feature. Take e.g. the network configuration shown in the figure above, where 2 ISAMs with the same VLAN are connected to the IP edge via the E-MAN network through a single VLAN (or in other words a single VLAN exists between ISAM1, ISAM2 and the IP edge).
> In this case, the Ethernet switch learns all user MAC addresses, and if user A can obtain the MAC address of user C, then user A can send traffic directly to user C without going to the IP edge. This is not acceptable: in Intelligent Bridging mode no direct user to user communication is allowed in the network. Another issue is that in such a configuration an ISAM would receive all broadcast / flooded frames from any ISAM in the VLAN, with potential performance issues as a consequence.


Broadcast messages & flooding US
> Upstream BC frames & flooding only forwarded towards network port(s) within a VLAN
> 1 VLAN per IP-edge
> Reduction of flooding in the aggregation network
> No user-to-user communication without passing the BRAS
[Figure: two ISAMs (PC A, PC B behind CPEs) in VLAN 1 and VLAN 2 towards the BRAS through a bridged (BR) Ethernet network; a frame with BC or unknown MAC DA from PC A goes only towards the network port]

> Blocking user to user communication at L2
> The principle is to avoid that 2 users connected to the same ISAM communicate with each other directly at L2. In this case, when user A sends a message with destination MAC-address B, that message is sent to the uplink, not to user B. In case of PPP this is not an issue, since all messages coming from the DSL users have destination MAC-address = MAC-address of the BRAS.
> The objective is that all traffic passes a L3 box. The motivation is twofold:
  - Security: if direct user-to-user communication at L2 were allowed, this would give malicious users an easy way to find out the MAC address of other users, and then try to take it over. Note: blocking duplicate MAC-addresses solves most of it, but if the malicious user waits until the MAC-address has aged, and then tries to take it for himself, he blocks the other user.
  - Accounting for traffic: if we allowed user to user communication directly in the ISAM, we would also have to introduce mechanisms to measure and account for the traffic. Not just for billing purposes (most services will likely not use volume-based billing), but also for features such as legal intercept. In other words, this kind of peer-to-peer traffic would be hidden from the operator, and in particular for peer to peer traffic operators will probably not like that.


Broadcast messages & flooding DS
> Blocking of broadcast & flooding in the downstream
> Avoids messages unintentionally distributed to all users
> For some applications forwarding of BC is needed. Solution: make BC flooding / BC discarding a configurable option per VLAN
[Figure: the BRAS sends a frame with BC or unknown MAC DA through the bridged (BR) Ethernet network towards two ISAMs; the ISAMs do not distribute it to all CPEs/PCs]

> In a normal bridge, when a message is received with a destination MAC-address not yet in the self-learning table, the message is broadcast to all the other interfaces. Also broadcast messages are flooded to all interfaces. In an Intelligent Bridge you want to avoid that, in the downstream, messages are unintentionally distributed to all users. Therefore you need to put mechanisms in place that, together with the systems set up in the upstream, inhibit BC messages from being sent to all users and avoid the flooding of messages with unknown MAC DA to all users.
> For some applications it is useful that flooding BC is possible. A solution for these applications is e.g. to make flooding BC / discarding BC a configurable option per VLAN.


Intelligent Bridge
> Bridge: learning, aging, forwarding
  - lookup of MAC DA done based on VLAN and MAC-address
  - intelligent bridging enhancements implemented on ISAM
> LT and SHUB have
  - independent MAC-address learning
  - independent MAC-address aging
    - aging timers are configurable: [10...1000000] sec
    - recommended default value is 300 sec
> aging timer per VLAN
  - aging timers are configurable: [-1, 10...1000000] sec
  - default value -1: use system aging timer on LT

> The Service Hub and the LTs autonomously learn MAC addresses. They also autonomously age these MAC addresses. Aging timers are configurable. The idea is that the Service Hub is configured with the same aging timer as the IWF of the LT. This is needed to avoid conflicts, e.g. when the MAC address is aged on the Service Hub, the Service Hub could learn the MAC address on another interface, with unpredictable behaviour as a consequence. Once a MAC address is aged, no downstream communication is possible until the address is learnt again in the upstream direction.
> So it's important that the MAC ageing time is properly configured, otherwise data-plane connectivity may be lost between the network and the ISAM end-users (nightly SW download on STB, incoming VoIP calls, ...). In case of PPPoE traffic the MAC aging time can be kept small, because PPP has a built-in keep-alive mechanism. In case of DHCP-based service scenarios, the MAC ageing time must be of the same order of magnitude as the DHCP lease time.


IB Configuration of SYSTEM and/or per VLAN aging timer
> CLI commands: system aging timers, IACM and SHUB
  Configure bridge ageing-time [10...1000000]
  Configure bridge shub ageing-time [10...1000000]
> CLI command: MAC aging per VLAN (IACM)
  Configure vlan id 200 aging-time [-1,10...1000000]
  Default value -1: IACM system settings are used.


LT self-learning
> Only in the upstream - when initiated from the user logical port
> Self-learning can be disabled per user logical port. In case of self-learning, limiting the number of MAC addresses is possible.
[Figure: learning of source MAC@ within a VLAN on the LT; user logical ports x, y, z with MacA, MacB, MacC; traffic towards the Service Hub; a port with self-learning disabled learns nothing]

> We call the LT IWF half a bridge as it only learns MAC addresses in the upstream direction. This has as a consequence that no connection can be initiated from the network side if the MAC address on the user side is not known or has not been learned yet.


Self learning in the Service Hub
> Self-learning implemented for both upstream and downstream
> Discard all user unicast frames with MAC DA known on an ASAM or subtending port: no user to user communication
[Figure: learning of source MAC@ within a VLAN on the Service Hub; LTs with MacA, MacB, MacC on ports X, Y towards the E-MAN]


Blocking of user to user communication
> Port mapping on the service hub/NT: an interface can only communicate with its mapping ports
[Figure: two Service Hub variants with a control link, network links (8 or X), user links, a subtending link and ASAM links (ports 15, 16); lines show which port groups are mapped to each other]

> This is what prevents user-to-user communication when users are on different LTs.


Port mapping
> Port mapping is used to block user to user communication on the service hub
[Figure: NT with control link and network links towards the E-MAN; ASAM links towards the LTs; subtending links and user links]

> It is possible that a VLAN used to transport user frames contains ASAM / subtending / user interface(s) and network interface(s), or even more ASAM interfaces and subtending interfaces. Possibly both an ASAM and a subtending interface can be present in the same VLAN. The question arises how we prevent user to user communication within the same VLAN.
> The blocking of user-to-user communication on the Service Hub is provided by port mapping.
> This way we allow L2 bi-directional communication with supporting tagged frames (within the same VLAN) only between network ports and ASAM ports, between network ports and subtending ports, between network ports and user ports, between the controller port and each ASAM port, and between the controller and the network ports and subtending ports.
> The drawing in the slide gives you the different possible links and the flooding strategy (layer 2) of the frames.
> The handling of control protocol frames (Radius, VBAS, IGMP, ARP and DHCP) and internal communication at a layer higher than the MAC layer is not in the scope of the rules explained hereafter.
> Frames received over a network interface can be (layer 2) forwarded by the Service Hub to the ASAM, the user, the subtending and the control interfaces. In the PPPoE demo, ISM1 related ports are at the same position as the network interface.
> Frames received over an ASAM interface can be forwarded to the network interfaces and to the control interface.
> Frames received over a subtending interface can be forwarded to the network interfaces or to the control interface.
> Frames received over a user interface can be forwarded to the network interfaces or to the control interface.
> Frames received over the control interface can be (layer 2) forwarded to the network, the subtending, the user and the ASAM interfaces.


Upstream
> Only user to network allowed
[Figure: three cases with users A (LT1), B (LT1), C (LT4) and D (S-ASAM); a BC frame, a frame with unknown MAC DA and a frame with known MAC DA from user A all go LT -> SHUB -> network, never to users B, C or D]

> The ISAM only allows user to network communication in the upstream: blocked on the same LT by the IWF, blocked by the port mapping configuration on the SHUB (see later).
> This is valid for all cases, i.e. broadcast (BC), unknown MAC destination address and known MAC destination address.
> Unicast frames with unknown destination MAC addresses are flooded to the network side: no user to user communication within the LIM, no flooding from user to user port; broadcast frames are flooded towards the NW port.
> Frames with known destination MAC addresses aren't forwarded to user ports, but to the network side: no user to user communication within the LT.


Downstream
> Broadcast control configurable per VLAN in IB mode
[Figure: three cases from the network via SHUB and LT to users A (LT1), B (LT1), C (LT4) and D (S-ASAM); BC: forwarded to the users only if BC is allowed; unknown MAC DA: not forwarded by the LT; known MAC DA: forwarded to the learnt user port]

> Broadcast from network to user is only allowed if enabled by the operator, per VLAN in IB mode.
> For the unknown MAC DA case, the LT will not forward the frames to the users.
> In case of a known MAC DA, all frames are forwarded.
> Unicast frames with known MAC DA are forwarded to the appropriate logical user port; unicast frames with unknown MAC DA are discarded: no flooding from NW port to user port, no user to user communication.
> By default, broadcast as a consequence of flooding, which happens in case of standard bridging when the MAC DA is unknown or in case of multicast, is avoided with intelligent bridging.
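The upstream and downstream rules of these slides, together with the port mapping rules of the Port mapping slide, as an added Python example that is not part of the course material or of the ISAM software: port names, VLAN ids and MAC addresses are constructed, the control port is left out (the slides keep control-protocol handling outside these rules), and the same decision applies on the LT IWF with its user logical ports as user side and the ASAM link as network side.

```python
"""Added example (not Alcatel-Lucent code): the Intelligent Bridge forwarding
rules from the Upstream / Downstream slides and the port mapping slide,
as one forwarding decision on the Service Hub. The same rules hold on the LT
IWF if its user logical ports play the user-side role and the ASAM link the
network role. Port names, VLAN ids and MAC addresses are constructed."""
from dataclasses import dataclass, field

# Port types on the Service Hub. The control port is left out: the slides keep
# control-protocol handling outside these layer-2 rules.
NETWORK, ASAM, SUBTENDING, USER = "network", "asam", "subtending", "user"
USER_SIDE = {ASAM, SUBTENDING, USER}

# Port mapping: egress port types a frame from each ingress type may reach at
# layer 2. No user-side type maps to another user-side type.
PORT_MAPPING = {
    NETWORK: USER_SIDE,
    ASAM: {NETWORK},
    SUBTENDING: {NETWORK},
    USER: {NETWORK},
}
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Vlan:
    vid: int
    downstream_bc_allowed: bool = False      # "BC flooding / BC discarding" per VLAN
    fdb: dict = field(default_factory=dict)  # learnt MAC -> port, one table per VLAN


@dataclass
class ServiceHub:
    ports: dict  # port name -> port type
    vlans: dict  # vid -> Vlan

    def forward(self, vid, ingress, mac_da):
        """Return the set of egress ports for one frame; an empty set means discarded."""
        vlan = self.vlans[vid]
        in_type = self.ports[ingress]
        # Ports that the port mapping lets this ingress port talk to at all.
        reachable = {p for p, t in self.ports.items()
                     if p != ingress and t in PORT_MAPPING[in_type]}
        upstream = in_type in USER_SIDE
        if mac_da == BROADCAST or mac_da not in vlan.fdb:
            if upstream:
                # Upstream BC and unknown-DA flooding go to network ports only,
                # never to other users.
                return {p for p in reachable if self.ports[p] == NETWORK}
            if mac_da == BROADCAST and vlan.downstream_bc_allowed:
                return reachable  # operator enabled downstream BC for this VLAN
            # Downstream: unknown DA is discarded (no flooding towards users);
            # BC is discarded unless enabled for the VLAN.
            return set()
        egress = vlan.fdb[mac_da]
        # Known DA: forwarded only where the port mapping allows the pair, so a
        # user frame whose DA was learnt on an ASAM or subtending port is dropped.
        return {egress} if egress in reachable else set()


def build_demo():
    """Constructed topology: one network link, two LTs, a subtending link and a
    user Ethernet port. VLAN 100 blocks downstream BC, VLAN 200 allows it."""
    ports = {"nw1": NETWORK, "lt1": ASAM, "lt4": ASAM,
             "sub1": SUBTENDING, "eth5": USER}
    hub = ServiceHub(ports, {100: Vlan(100),
                             200: Vlan(200, downstream_bc_allowed=True)})
    for vlan in hub.vlans.values():
        vlan.fdb.update({"00:00:00:00:00:0a": "lt1",   # user A behind LT1
                         "00:00:00:00:00:0c": "lt4",   # user C behind LT4
                         "00:00:00:00:00:bb": "nw1"})  # BRAS, learnt on the network link
    return hub


if __name__ == "__main__":
    hub = build_demo()
    print("A -> BRAS      :", hub.forward(100, "lt1", "00:00:00:00:00:bb"))  # {'nw1'}
    print("A -> C (known) :", hub.forward(100, "lt1", "00:00:00:00:00:0c"))  # set()
    print("BC from A      :", hub.forward(100, "lt1", BROADCAST))            # {'nw1'}
    print("DS BC, VLAN 100:", hub.forward(100, "nw1", BROADCAST))            # set()
    print("DS BC, VLAN 200:", sorted(hub.forward(200, "nw1", BROADCAST)))
    print("DS unknown DA  :", hub.forward(100, "nw1", "00:00:00:00:00:ee"))  # set()
```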


Duplicate MAC-address learning
> Problem: 2 users with the same MAC-address; the forwarding engine can't distinguish them for a packet with destination address Mac A (learnt on port x and on port y)
> Traffic from duplicate MAC-addresses in separate DSLAMs can be distinguished as separate flows in the Ethernet switches of the aggregation network when a different VLAN id per DSLAM is used
[Figure: Ethernet bridge with Mac A on port x and Mac A on port y]

> If a user on line x is using a certain MAC-address and a second user on a different line y tries to connect with the same MAC-address, a mechanism should be there so that the MAC-address only appears once in the learning table (filtering DB) of that VLAN.
> If this were not done, the MAC-address would be overwritten in the bridge's learning table, such that traffic is forwarded either to user A or B in a rather unpredictable way. So this feature allows to guarantee the uniqueness of MAC-addresses in the aggregation network.
> In the 7302 ISAM specific rules are implemented making sure that the MAC-address will only be learned once; this is what they call secure MAC-address learning.
> We are not only resolving the customer segregation issue, we also avoid that a malicious user 1 can take over the MAC-address of user 2 (MAC-address anti-spoofing, blocking duplicate MAC-addresses).
> PS: MAC-addresses are supposed to be unique per VLAN. They are not necessarily unique for the complete system.


Secure MAC address learning
> Service Hub: MAC movement to the highest priority
  - within priority 2, always MAC movement
  - within priority 3, MAC movement only when the feature is enabled in the VLAN
> LT: blocking duplicate MAC-address
> Static MAC-addresses never disappear from the learning table
[Figure: NT priorities: 1 = control link; 2 = network links towards the E-MAN and outband MGT link; 3 = ASAM links (LT IWF), subtending links and user links]

> On the IWF: if the MAC-address was already configured or learnt on another user logical port, the MAC-address won't be learnt on the second port and the frame is dropped (conflict alarm).
> On the Service Hub: you have the possibility to provision, on a per VLAN basis, whether MAC movement is allowed or not. The default value is no MAC movement. MAC movement means that in case the same MAC SA is received on a second interface, the MAC-address enters the learning table of that interface and is removed from the first. If you do not perform MAC movement, the duplicate MAC-address is not learnt on the second interface and the frames are discarded.
> If the Service Hub receives a frame with a MAC SA on a different interface than previously learnt, it applies the following rules:
> Control interface has first priority: learning a MAC address on the control interface always takes priority over the learning of MAC addresses on a network, an ASAM, a user or a subtending interface, irrespective of the order of learning.
> Network interface has second priority: in case the MAC address is first learnt on a subtending, ASAM or user port, and then on an Ethernet network interface, this movement of the MAC address is learnt (meaning that the MAC address on the subtending, user or ASAM port is removed). In case the duplicate MAC-address is learnt on a network interface but was learnt before on another NW interface, the last one takes priority.
> ASAM link, subtending link and user link have third priority. If the duplicate MAC address is received on an ASAM, user or subtending port, and the same MAC address is already learnt on an Ethernet network interface in the same VLAN, the MAC address is not learnt and the frame is dropped.
> If the duplicate MAC address is learnt on a DSLAM, user or subtending port, and the same MAC address was already learnt on a port within this priority, the action depends on the configuration of the VLAN (MAC movement allowed or not, configurable per VLAN).
> Well-known MAC addresses (e.g. MAC addresses allocated for IEEE protocols, ...) will not be learnt. Also the MAC address of the Service Hub is a well-known MAC address.


Secure MAC address learning


Configure maximum number of MAC addresses per port
  Prevents attacks that would fill up the bridging tables
  Subscription rules: maximum devices connected simultaneously

Configure MAC-addresses for Discarding


[Figure: ISAM port x (port VLAN ID 33) with Max Mac@ 2 and learnt Mac@ MacA and MacB; a bridged PADI with source address MacC is not accepted; Discard Mac@ 00-08-02-E9-F2-9D; the PCs are connected via PPPoE through the BAS to the ISP and the Internet]

> There are 2 motivations to limit the number of MAC addresses per port:
> - Security: avoid that a malicious user can fill up the complete bridging table of devices in the network (DSLAM and others) by sending traffic with different MAC addresses.
> - Service differentiation: by limiting the number of MAC addresses per port, the operator can offer different types of service subscriptions to the user, limiting or allowing a certain number of devices to connect simultaneously to the network. For this application it is clear that the limitation should be configurable per port.
> Note: in this example the user's PCs are connected to the internet via PPPoE. In that case the BAS also has the possibility to limit the number of PPPoE sessions per user-id. Within PPPoE, the unique PPPoE session-id can be used to provide this additional security: the BAS uses the PPPoE session-id for user identification during the session itself, which is linked to the username/password given earlier during the PPPoE session set-up, so the BAS knows how many sessions that user has been given. If you have information on the VP/VC you can of course additionally limit the number of PPPoE sessions per VP/VC. In case of Ethernet backhaul, however, the BAS has no info on the VP/VC. Within DHCP there is no information that identifies the user. In that case limiting the number of MAC addresses learnt per port on the DSLAM is a possible solution, but what about a multi-edge environment? If we want the DHCP server itself to be able to limit the number of sessions of the user, the DHCP request needs to provide the information that defines the user (VP/VC, port). This is possible by implementing DHCP option 82 (see later).
> During the creation of a RB-VLAN in the Residential Bridge VLAN service template, a list of MAC addresses for discarding can be added.
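As an added example (not code from the course or from the ISAM), the following Python model applies the Service Hub learning rules from the previous notes (interface priorities, per-VLAN MAC movement) together with the per-port maximum and the discard list from this slide to a sequence of source MAC addresses. Port names, the SHUB MAC and all MAC values except the slide's discard address are constructed; folding the per-port limit into the same table as the SHUB rules is a simplification for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Learning priority per interface class on the Service Hub (1 = highest).
PRIORITY = {"control": 1, "network": 2, "asam": 3, "subtending": 3, "user": 3}

# Well-known addresses are never learnt; the IEEE 802.1 reserved block
# 01-80-C2-00-00-xx stands in for "MAC addresses allocated for IEEE protocols".
WELL_KNOWN_PREFIX = "01:80:c2:00:00:"


def norm(mac: str) -> str:
    """Normalise '00-08-02-E9-F2-9D' and '00:08:02:e9:f2:9d' to one spelling."""
    return mac.lower().replace("-", ":")


@dataclass
class Vlan:
    vid: int
    mac_move_allow: bool = False            # SHUB default: no MAC movement
    discard_macs: frozenset = frozenset()   # MAC addresses configured for discarding


@dataclass
class Port:
    name: str
    kind: str                               # one of the PRIORITY keys
    max_macs: Optional[int] = None          # secure learning: max MACs on this port


@dataclass
class ShubFdb:
    """Toy model of the Service Hub forwarding database (constructed, not ISAM code)."""
    vlans: Dict[int, Vlan]
    ports: Dict[str, Port]
    shub_mac: str = "00:00:00:00:00:01"     # constructed SHUB MAC (also well-known)
    table: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vid, mac) -> port

    def macs_on_port(self, port_name: str) -> int:
        return sum(1 for p in self.table.values() if p == port_name)

    def learn(self, vid: int, mac: str, port_name: str) -> str:
        """Handle a frame with source MAC `mac` received on `port_name` in VLAN `vid`.
        Returns 'not-learnt' (well-known address), 'discarded' (discard list),
        'known' (same port again), 'learnt', 'moved', 'dropped' (duplicate on a
        lower- or equal-priority port) or 'limit-exceeded' (per-port maximum)."""
        mac = norm(mac)
        vlan, port = self.vlans[vid], self.ports[port_name]
        if mac.startswith(WELL_KNOWN_PREFIX) or mac == self.shub_mac:
            return "not-learnt"
        if mac in {norm(m) for m in vlan.discard_macs}:
            return "discarded"
        key = (vid, mac)
        current = self.table.get(key)
        if current == port_name:
            return "known"
        if current is not None:
            old, new = PRIORITY[self.ports[current].kind], PRIORITY[port.kind]
            if new > old:
                return "dropped"            # e.g. user port while learnt on network
            if new == old == 3 and not vlan.mac_move_allow:
                return "dropped"            # priority-3 movement disabled on this VLAN
            # new < old: higher priority wins; new == old: the last learning wins
            # (network-to-network per the notes; control-to-control assumed alike)
        if port.max_macs is not None and self.macs_on_port(port_name) >= port.max_macs:
            return "limit-exceeded"         # bridging-table flooding is capped per port
        self.table[key] = port_name
        return "moved" if current is not None else "learnt"


def build_example() -> ShubFdb:
    """Constructed set-up: VLAN 33 without MAC movement and with the slide's discard
    address, VLAN 34 with MAC movement, and a user port limited to 2 MAC addresses."""
    vlans = {
        33: Vlan(33, discard_macs=frozenset({"00-08-02-E9-F2-9D"})),
        34: Vlan(34, mac_move_allow=True),
    }
    ports = {p.name: p for p in [
        Port("ctrl", "control"), Port("nw1", "network"), Port("nw2", "network"),
        Port("lt1", "asam"), Port("lt2", "asam"), Port("userx", "user", max_macs=2),
    ]}
    return ShubFdb(vlans, ports)


if __name__ == "__main__":
    fdb = build_example()
    mac = "00:00:00:00:00:0a"
    for vid, port in [(33, "lt1"), (33, "lt2"), (33, "nw1"), (33, "lt1"), (33, "ctrl")]:
        print(vid, mac, port, "->", fdb.learn(vid, mac, port))
    print(33, "00-08-02-E9-F2-9D", "userx", "->", fdb.learn(33, "00-08-02-E9-F2-9D", "userx"))
```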


Intelligent Bridging, things to consider


Security Services !
IP edge has no info on the line id
Solutions: PPP-connections (BRAS) or DHCP option 82

User can access network with a different IP address than the assigned IP address.
Pure layer 2 device

No support for duplicate MAC-addresses on the same ISAM


Within the same VLAN

Scalability
  Switches learn all MAC addresses of all end-users
  IP edge learns all MAC addresses & IP addresses of all end-users

Anti-IP spoofing: blocking of traffic when user tries to connect to the network with an IP address different than the IP address which was assigned to him.


Intelligent Bridging, things to consider


Advised to use a unique VLAN per [IP edge-DSLAM] pair in the EMAN
  Avoid user-to-user communication
  Traffic management per DSLAM
  Complex IP network configuration

When 1 VLAN is shared by multiple DSLAMs
  User-to-user traffic in the EMAN
  Easy IP network configuration: one single subnet for all DSLAMs
  MAC-address spoofing: standard MAC address learning at EMAN level, traffic will be rerouted to any spoofed MAC address


Configuring a RB VLAN


IB VLAN set-up

VLAN set-up:
  Create VLAN
    Creation of VLAN on SHUB and ASAM-CORE
    Create VLAN for the service to be deployed
  Add ports to VLAN
    On SHUB and LTs
  Via AMS
    Different versions of one VLAN possible

> Here you'll learn how to: distinguish different forwarding models and choose the right VLAN mode for a certain forwarding model; create a VLAN on Service Hub and ASAM-CORE, either using 5520AMS or using CLI; add ports to a VLAN.


Creation of IB VLAN

Creation of VLAN in 2 steps: on SHUB, on LTs (ASAM-CORE)
VLAN mode according to forwarding model: create VLAN mode in function of the service to be deployed
  Create VLAN on ASAM-CORE: Residential bridge
  Create VLAN on SHUB: Residential bridge

> The VLAN type in the service hub permits consistency checks between SHUB and ASAM-CORE (with AMS) and couples specific configuration behaviour to a VLAN.
> Intelligent (Residential) Bridging mode: forwarding based on L2; multiple user connections can be associated to each VLAN.
>   RB on ASAM-CORE: multiple end-user ports can be assigned to a RB VLAN.
>   RB on SHUB: one VLAN on the SHUB that is associated to all (configured) network ports and ASAM ports.
> Note: when configuring with CLI, the operator needs to make sure that, if needed, the port is added to the respective VLAN. Using AMS, it depends on whether the egress ports on the service hub were forbidden or not. See further.
> Note: there's no difference when you create a VLAN as RB or L2 Terminated on the SHUB. There is however a difference on the ASAM-CORE side.


VLAN modes (except for cross-connect)

Model                        | SHUB                                  | LTs (ASAM-core)
-----------------------------|---------------------------------------|---------------------
Intelligent Bridge           | Residential bridge                    | Residential bridge
IP aware Bridge (forwarding) | Layer2 Terminated *                   | Layer2 Terminated *
Routed                       | Layer2 Terminated NW port & v-vlan *  | Layer2 Terminated *

* : see next chapters


> Routed mode: the forwarding decision in the ASAM-CORE is based on L3 (IP forwarding). The SHUB behaves as a full router.
> L2 terminated on ASAM-CORE: association with a V-VLAN based on the IP DA.
> Layer2-term-nwport on SHUB: a VLAN on the SHUB is only associated to network ports, i.e. the VLAN is terminated on the SHUB.
> In cross-connect mode different models exist:
> C-VLAN cross-connect: straightforward VLAN cross-connect model where one or more VLANs at the EMAN side are associated with a given PVC at the user side. CC on ASAM-CORE: only one end-user port (PVC or EFM bridge port) is associated to a specific C-VLAN. CC on SHUB: since there is only one user associated to a specific C-VLAN on the SHUB, one ASAM link and one or more network ports are associated to the VLAN.
> The S-VLAN at the EMAN side is associated with a PVC at the user side; the C-VLANs carried within the S-VLAN are then passed transparently to the end user. CC on ASAM-CORE: only one end-user port (PVC or EFM bridge port) is associated to a specific S-VLAN. CC on SHUB: since there is only one user associated to a specific S-VLAN on the SHUB, one ASAM link and one or more network ports are associated to the S-VLAN.
> S-VLAN/C-VLAN cross-connect mode: PVC to C-VLAN mapping, where the S-VLAN tag can be used by the EMAN as route identifier towards the ISAM. CC on ASAM-CORE: different end-user ports (PVC or EFM bridge port) can be associated to a specific S-VLAN; the C-VLAN identifies the user port. CC on SHUB: since there can be many users associated to a specific S-VLAN on the SHUB, all ASAM links and one or more network ports are associated to the VLAN.


Creation of IB VLAN on NE

Select NE → Infrastructure → Layer 2 → VLAN → Create VLAN → Create SHUB VLAN (see next slide)
S-VLAN Id = 0

> 5520AMS doesn't use templates for VLANs. The only way to configure VLANs is on the NE itself.
> For a residential bridge VLAN, the S-TAG = 0: no stacked VLANs for intelligent bridging! (The reason why you see the S-VLAN id is that the same screens are used for cross-connect, where you can indeed have stacked VLANs.)


Creation of IB VLAN on NE

Parameters:
  mode: RB
  protocol filter (PPPoE / IPoE)
  broadcast control
  PPPoE relay tag
  DHCP option 82
  Virtual MAC translation

> Not all parameters can be configured here already. You can configure e.g. static MAC addresses afterwards. See further. > From R3.5 VLAN specific aging time can be set. If set, this value will override the IACM Layer2 - Ethernet System Parameters Forwarding Database Aging Time. If on the other hand the default value 1 is left, the IACM system parameter is used.


Modifying IB VLAN on NE

Static MAC addresses:
Select NE → Infrastructure → Layer 2 → VLAN → Select VLAN → MAC Addresses → Static → Create Static MAC Address


Creation of IB SHUB VLAN

Select NE → Infrastructure → Layer 2 → VLAN → Create VLAN → Create SHUB VLAN (see next slide)

> For all SHUB VLANs, only one VLAN tag is relevant.


Creation of SHUB VLAN

Define egress ports on SHUB

> Tag mode can be configured on network ports: configure vlan shub id <VLAN ID> untag-port network:<...>
> ASAM links support only tagged frames.


Modifying SHUB VLAN

Object details: MAC movement, IGMP settings


Residential bridge parameters

Broadcast control on LT
  Only applicable in IB mode
  BC button not checked by default
  Disabled (default, button not checked): BC in IWF on LT blocked in DS
  Enabled (button checked): allow BC in DS
  [Figure: a frame with MAC-DA broadcast coming from the Service Hub (NT SHUB) towards the LT is blocked in the IWF on the LT in the downstream direction]

MAC movement on SHUB
  Only applicable in IB mode
  Disabled (default): no MAC movement in SHUB within priority 3 interfaces
  Enabled: MAC movement allowed within priority 3 interfaces
  [Figure: SHUB interfaces labelled with their learning priority: 1, 2 towards the E-MAN, 3 towards the LTs]


Residential bridge parameters

DHCP option 82 / PPPoE Relay Tag
  Disabled (default): no option 82 / PPPoE information added by LT
  Enabled: option 82 / PPPoE information added by LT

Protocol Group Filter
  Different from protocol based VLAN association
  3 possibilities:
    All: allow all protocols on VLAN
    IPoE: allow only IPoE on VLAN
    PPPoE: allow only PPPoE on VLAN
    PPPoE + IPoE: allow only PPPoE and IPoE on VLAN

> Protocol based VLAN association: see later


Creation of IB VLAN via CLI

VLAN ID range: 1 to 4093, excluding the VLAN ID used for management
Create VLAN on ASAM-CORE:
  configure vlan id <VLAN ID> mode <VLAN Mode>
Create VLAN on SHUB:
  configure vlan shub id <VLAN ID> mode <VLAN Mode>
  egress-port network:
  egress-port lt:rack/shelf/slot

CONFIGURATION OF VLAN ON ASAM-CORE
> Id: [2...4093,4097] vlan id
> Name: optional parameter with default value "" (empty name)
> Mode: mandatory parameter with possible values (on ASAM-CORE): 1) cross-connect, 2) residential-bridge, 3) qos-aware, 4) layer2-terminated
> Priority: optional parameter with default value 0. Range: {0...7}
> [no] switch-broadcast: optional parameter to control downstream broadcast frames (default value: "discard-broadcast"). Broadcast control is configurable per VLAN: on/off. "[no] broadcast frames": "broadcast frames" means broadcast allowed (= ON).
> [no] protocol filter (default: pass all). Other possibilities: pass pppoe, pass ipoe, pass pppoe-ipoe
> [no] enable-pppoe-relay: optional parameter with default value "disable-pppoe-relay"; adds the tag for PPPoE relayed traffic (RB VLAN)
> [no] dhcp-opt-82-on: optional parameter with default value "dhcp-opt-82-off"; enables adding DHCP option 82 (RB VLAN)
CONFIGURATION OF VLAN ON SHUB
> Mode: mandatory parameter with possible values (on SHUB): 1) cross-connect, 2) residential-bridge, 3) layer2-terminated, 4) layer2-term-nwport, 5) v-vlan = virtual vlan, 6) reserved (internal and external communication via vlan)
> [no] mac-move-allow: for residential bridges, (no) MAC address movement allowed between priority 3 ports (ASAM ports, subtending ports and user ports on the SHUB).
> Note: ports are also added to the VLAN with the configure vlan command, but not in one go with the creation of the VLAN: you need to enter two consecutive commands (see next chapter, add port to VLAN). The same holds for a VLAN on the SHUB.


Add port to a IB VLAN on the SHUB via CLI (2/2)

Attachment of ports to the VLAN on SHUB for IB.
Define egress ports in the configure vlan shub command:
  Configure>vlan>shub>id <VLAN ID> egress-port lt:<...>       defines an ASAM link
  Configure>vlan>shub>id <VLAN ID> egress-port network:<...>  defines an external NT port
Tag mode can be configured on network ports:
  Configure vlan shub id <VLAN ID> untag-port network:<...>
ASAM links support only tagged frames

> Attachment of ports to the VLAN is included in the configure vlan shub command:
  configure vlan shub id <VLAN ID> mode residential-bridge
  Optional parameters: [no] name <VLAN name>, [no] mac-move-allow, [no] egress-port, [no] untag-port
> [no] name: VLAN name (default none)
> [no] mac-move-allow: allow MAC address movement between ports with priority 3 (user ports, ASAM ports, subtending ports). Default: no MAC address movement allowed.
> [no] egress-port: ports to be added to the VLAN. Three different types of egress ports exist: LT (ASAM port), Network, NT (any port on the NT, e.g. a user port or subtending port)
> [no] untag-port: send frames (un)tagged on the egress port.


IB VLAN association on bridge port


Definition of logical user port on ASAM-CORE

xDSL based on ATM
  1 VP/VC is mapped on 1 logical user port on the IWF of the LT
  An xDSL line can have multiple VP/VCs
  [Figure: CPE connected over x/ATM/ADSL to LT 1, whose IWF maps each PVC to a logical user port of the FW Engine]

xDSL based on Ethernet (VDSL2/EFM)
  1 end user is mapped to one logical user port on the IWF of the LT
  One-to-one mapping; subscriber VLANs can be defined
  [Figure: CPE connected over x/Eth/Phys layer to LT 1, whose IWF maps the EFM port to a logical user port of the FW Engine]

> xDSL based on ATM: 1 VP/VC used per service (HSI, VoIP, STB), max 8 VP/VC per xDSL line
> xDSL based on Ethernet: VLAN per service on the UNI for all services; VLAN translation; the CPE generates the VLAN in function of the (ISP, Service), potentially requiring CPE management in case of wholesaling; QoS discrimination per VLAN (priority remarking, policing, ...); multicast replication (one VLAN only); option 82 and PPP relay in the ISAM (ideally with the VLAN Id in option 82 or the PPPoE relay tag)


IB VLAN association of port on ASAM-CORE

One logical user port can be mapped to multiple VIDs
  One logical port associated to CC or Residential-bridge VIDs
  One logical user port can accept tagged or untagged frames: configured on the level of the VID association
Per user logical port a PVID can be defined
  Before a PVID can be configured, the VLAN association has to be configured
  Configuration of the VID within the bridge port
Support of 48 x 16 = 768 I-Bridges on L3 LIMs


IB VLAN association

Port based VLAN association
  VLAN ID based on port of arrival
  Untagged frames receive the port VLAN identifier (PVID), also called the default VLAN ID
Port-and-protocol-based VLAN classification
  VID based on port of arrival and the protocol identifier of the frame
  Multiple VLAN-IDs associated with a port of the bridge: VID set
VLAN Translation
  VID based on port of arrival and translated to a network VID

> A VLAN bridge supports port-based VLAN classification, and may in addition support port-and-protocol-based VLAN classification.
> In port-based VLAN classification within a bridge, the VLAN-ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge. This classification mechanism requires the association of a specific Port VLAN Identifier, or PVID, with each of the bridge's ports. The PVID for a given port provides the VLAN-ID for untagged and priority-tagged frames received through that port.
> For bridges that implement port-and-protocol-based VLAN classification, the VLAN-ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge and on the protocol identifier of the frame. For port-and-protocol-based tagging, the VLAN bridge has to look at the Ethertype, the SSAP or the SNAP type of the incoming frames. When the protocol is identified, the VID associated with the protocol group to which the protocol belongs is assigned to the frame. This classification mechanism requires the association of multiple VLAN-IDs with each port of the bridge; this is known as the VID Set for that port.
> BTV and port-and-protocol-based VLAN on R3.1-3.2: the port default VLAN must be chosen equal to the VLAN used for BTV traffic, and no protocol-based VLAN must be defined for IP; otherwise a wrong tag is generated when issuing IGMP messages to the end user.


IB VLAN association of port on ASAM-CORE

Frames received from end users are untagged
  User port can be mapped to multiple VIDs using port/protocol-based association or PVID
Frames received from end users are tagged
  On the logical port define different VIDs and configure frames received from the end user as tagged
  Send frames back to the subscriber to be set as Single Tagged
[Figure: CPE to LT to E-MAN network carrying IPoE, PPPoE and other (xxx) traffic, once with untagged user frames mapped via the PVID and once with tagged user frames]

Behavior of the RB VLAN Association on the AMS
> Frames received from the end users are tagged: Association Settings, "Send frames back to the subscriber as": Single Tagged
> Frames received from end users are untagged: Association Settings, "Send frames back to the subscriber as": Untagged


IB VLAN association of port on ASAM-CORE

VLAN Translation, frames received from end users are tagged
VLAN per service & per provider
[Figure: the CPE sends subscriber VLANs 1 (HSIA), 5 (HSIA), 2 (Video), 6 (Video) and 3 (Voice) to the bridge port; via Bridge 10, Bridge 11, Bridge 20, Bridge 21, Bridge 40 and the MCast bridge they are translated to the network VLANs 10 (HSIA, SP1), 11 (HSIA, SP2), 20 (VoD, SP1), 21 (VoD, SP2), 30 (BTV, SP1), 31 (BTV, SP2) and 40 (Voice, SP3)]

> Many operators base their network architecture on one PVC per service when connecting ADSL subscribers. Once those operators start deploying VDSL, they need to use the VLAN as a "PVC emulation".
> The ISAM supports emulating a multi-PVC configuration on an EFM interface using the VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN Ids at the subscriber interface with a set of forwarding engines chosen from the following list:
>   VLAN-CC (transparent or protocol aware): the C-VLAN received at the user side is either forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN stacking).
>   i-Bridge: the VLAN received at the user side is bridged into an i-bridge identified by the same VLAN Id.
>   IP Aware Bridge
>   IP Routing
> Additionally, in case of VLAN-CC or i-Bridge, VLAN translation is supported to make wholesaling possible without impacting the CPE configuration: starting from a set of predefined C-VLAN tags at the CPE side (i.e. the same for all CPEs), the received packet can be retagged with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN (VLAN-CC), so that the traffic is passed to the VLAN associated with the couple (service provider, service).
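As an added example (not code from the course or from the ISAM), the following Python model walks through the bridge port classification described on the VLAN association slides: PVID for untagged frames, the port-and-protocol VID set, the per-VLAN protocol group filter, VLAN translation with vlan-scope local, and the tag sent back to the subscriber. The port and VLAN values (subscriber VLAN 10 translated to network VLAN 150, PVID 200 returned untagged, PPPoE classified into VLAN 300) are constructed from the slide examples.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Ethertypes that identify the protocol group of a frame (standard values).
ETH_PPPOE = {0x8863, 0x8864}      # PPPoE discovery and session stages
ETH_IPOE = {0x0800, 0x0806}       # IPv4 and ARP, i.e. IP over Ethernet


def protocol_allowed(protocol_filter: str, ethertype: int) -> bool:
    """Per-VLAN protocol group filter, named as in the CLI notes on the slides."""
    if protocol_filter == "pass-all":
        return True
    if protocol_filter == "pass-pppoe":
        return ethertype in ETH_PPPOE
    if protocol_filter == "pass-ipoe":
        return ethertype in ETH_IPOE
    if protocol_filter == "pass-pppoe-ipoe":
        return ethertype in ETH_PPPOE or ethertype in ETH_IPOE
    raise ValueError("unknown protocol filter: " + protocol_filter)


@dataclass
class VidAssociation:
    """One 'vlan-id' entry of a bridge port, optionally translated (vlan-scope local)."""
    vlan_id: int                        # VID as seen on the subscriber side
    network_vlan: Optional[int] = None  # 'network-vlan' when vlan-scope is local
    send_back_tagged: bool = True       # False = return frames to the subscriber untagged

    def network_vid(self) -> int:
        return self.network_vlan if self.network_vlan is not None else self.vlan_id


@dataclass
class BridgePort:
    name: str
    associations: Dict[int, VidAssociation] = field(default_factory=dict)  # vlan_id -> entry
    pvid: Optional[int] = None                                   # default VLAN (vlan_id)
    protocol_vids: Dict[int, int] = field(default_factory=dict)  # ethertype -> vlan_id

    def associate(self, assoc: VidAssociation) -> None:
        self.associations[assoc.vlan_id] = assoc


def classify_ingress(port: BridgePort, vlan_filters: Dict[int, str],
                     tag: Optional[int], ethertype: int) -> Optional[int]:
    """Return the network VID an upstream frame is bridged into, or None if dropped."""
    if tag is None or tag == 0:        # untagged or priority-tagged frame
        # port-and-protocol classification first, then the port's PVID
        vid = port.protocol_vids.get(ethertype, port.pvid)
        if vid is None:
            return None                # no PVID configured: untagged frames are dropped
    else:
        vid = tag                      # tagged frame: the VID must be associated
    assoc = port.associations.get(vid)
    if assoc is None:
        return None                    # VID not associated with this bridge port
    vlan_filter = vlan_filters.get(assoc.network_vid(), "pass-all")
    if not protocol_allowed(vlan_filter, ethertype):
        return None                    # protocol group not allowed on this VLAN
    return assoc.network_vid()


def egress_tag(port: BridgePort, network_vid: int) -> Tuple[bool, Optional[int]]:
    """For a downstream frame in network_vid: (forwarded?, tag sent to the subscriber)."""
    for assoc in port.associations.values():
        if assoc.network_vid() == network_vid:
            return True, (assoc.vlan_id if assoc.send_back_tagged else None)
    return False, None                 # VLAN not associated with this port


def build_example() -> Tuple[BridgePort, Dict[int, str]]:
    """Constructed bridge port: subscriber VLAN 10 translated to network VLAN 150
    (single-tagged back), PVID 200 returned untagged, PPPoE classified into VLAN 300."""
    port = BridgePort("1/1/4/1:8:36")
    port.associate(VidAssociation(10, network_vlan=150))
    port.associate(VidAssociation(200, send_back_tagged=False))
    port.associate(VidAssociation(300, send_back_tagged=False))
    port.pvid = 200
    port.protocol_vids = {e: 300 for e in ETH_PPPOE}
    filters = {200: "pass-ipoe", 300: "pass-pppoe"}   # VLAN 150 keeps pass-all
    return port, filters


if __name__ == "__main__":
    port, filters = build_example()
    for tag, eth in [(10, 0x0800), (11, 0x0800), (None, 0x0800), (None, 0x8863), (200, 0x8863)]:
        print("tag", tag, "ethertype", hex(eth), "->", classify_ingress(port, filters, tag, eth))
    for vid in (150, 200, 999):
        print("downstream", vid, "->", egress_tag(port, vid))
```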


Configuration of the port on VLAN in IB

Add ports to VLAN
  on ASAM-CORE: bridge port VID mapping
  on SHUB: define egress ports within the VLAN
[Figure: SHUB with control link, external Ethernet links (GE/FE 1 .. GE/FE 7, GE1 .. GE16) on the aggregation function, control/mgt functions, and ASAM links to the LIM IWFs with their PVCs]

In the SHUB: create VLAN in RB mode; add NW interfaces and all ASAM interfaces to this VLAN.
In the ASAM: create VLAN in RB mode; add port to VLAN.


Create VLAN association on bridge port (1/2)

Select configured bridge port → Create VLAN Association


Create VLAN association on bridge port (2/2)

Define scope (local for subscriber VLAN)
Send frames back to subscriber as: untagged


Define PVID on bridge port

Modify VLAN association → Object details view
Select default VLAN and click OK


RB VLAN association with VLAN translation

Select configured bridge port → Create VLAN Association
VLAN scope: local (local subscriber VLAN)
Select network VLAN

> E.g. you configure a RB VLAN association with VLAN translation on a VDSL EFM bridge port. The modem is configured in such a way that it generates tagged traffic, e.g. local subscriber VLAN 10. This subscriber VLAN is translated into the network VLAN 150. All frames returned to the subscriber should again have VLAN tag 10. Configure that the frames returned to the subscriber should be single-tagged.


IB VLAN association of port on ASAM-CORE (CLI)

Define VIDs in the configure bridge port command:
  configure bridge port 1/1/<slot>/<port>:<VP>:<VC># vlan-id <VLAN ID>
  or: vlan-id stacked <S-VLAN ID:C-VLAN ID>
VLAN Translation:
  configure bridge port 1/1/<slot>/<port>:<VP>:<VC># vlan-id <VLAN ID> vlan-scope <local> network-vlan <VLAN ID>
Define PVIDs in the configure bridge port command:
  configure bridge port 1/1/<slot>/<port>:<VP>:<VC># pvid <VLAN ID>

> No VLAN Translation:
  leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 720
  leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
  #--------------------------------------------------------------------------------------------------
  port 1/1/4/1:8:36
    max-unicast-mac 4
    vlan-id 720
  exit
  Exit
> With VLAN Translation:
  leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 100 vlan-scope local network-vlan 720
  leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
  #--------------------------------------------------------------------------------------------------
  port 1/1/4/1:8:36
    max-unicast-mac 4
    vlan-id 100 network-vlan 720 vlan-scope local
  exit
  Exit


Deletion of VLAN

First remove the VLAN associations on the VLAN, then delete the VLAN


Deletion of VLAN

It is not possible to delete a VLAN if there are still ports attached to the VLAN.
Deleting VLAN on ASAM-CORE:
  configure vlan no id <VLAN ID>
Deleting VLAN on SHUB:
  configure vlan shub no id <VLAN ID>


VLAN related show commands

Selection of multiple show vlan commands
Display the list of commands via: show vlan ?
Interesting commands on ASAM-CORE:
  show vlan residential bridge <VLAN ID>: gives all bridge ports connected to the VLAN
  show vlan bridge-port-fdb <bridge port id>: gives all MAC addresses learnt or configured on that port
  show vlan fdb <VLAN ID>: gives the MAC addresses learnt on all ports of that VLAN
  show vlan port-vlan-map <bridge port id>: gives all the VLANs to which that port is mapped
Same commands available on the SHUB


Exercises


> Perform these exercises with CLI and AMS unless specified differently

Perform these exercises on the board and ports assigned to you to do the retrieval exercises.

1. Which VLANs are created on the NE?

2. What is the forwarding mode of VLAN 200 (cross-connect, residential bridge)?

3. What are the ports belonging to VLAN 200 on the SHUB? Explain what you see.

4. Which logical ports are associated to VLAN 200?

5. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-a . Note : For the downstream forwarding , we assume that the SHUB knows the MAC-addresses of the end user within the respective VLANs .


> What happens when the end-user sends a frame with VLAN tag 200?

> What happens when the end-user sends a frame with VLAN tag 300?

> What happens when the end-user sends an untagged frame ?

> What happens with a frame with VLAN tag 200 coming from the network?

> What happens with a frame with VLAN tag 300 coming from the network?

6. How many MAC-addresses can be learnt in VLAN 200 on the logical user port VP/VC 8/35 of port TRAINING-a?

7. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-b. Note : For the downstream forwarding , we assume that the SHUB knows the MACaddresses of the end user within the respective VLANs .
[Figure: user logical port 8/35 on TRAINING-b; ingress DSL port VLAN tags 150, 160, 210, 50; egress DSL port VLAN tags 150, 160, 210, 50]


What happens when the end-user sends a frame with VLAN tag 150?

What happens when the end-user sends a frame with VLAN tag 50?

What happens when the end-user sends an untagged frame?

What happens when a frame with VLAN tag 150 is sent towards the end user?

What happens when a frame with VLAN tag 160 is sent towards the end user?

What happens when a frame with VLAN tag 210 is sent towards the end user?

What happens when a frame with VLAN tag 50 is sent towards the end user?

What happens when an untagged frame is sent towards the end user?

8. How many MAC-addresses can be learnt on the user logical port PVC 8/35 on port TRAINING-b within VLAN 50?


For these exercises go back to the board and ports assigned to you to do the configuration exercises.
1. Go to the port that you configured before and where the modem is connected. Use CLI to apply the service with VLAN id 150 as default VLAN to PVC 8/36. Frames coming from the end user are untagged. You should be able to connect with 2 PCs. A DHCP server is available on the other side.

2. Check if you are able to get an IP address from the DHCP server. Note: depending on the modem setup you need to either use VMware on the trainee PC or disconnect your PC from the AUA LAN and connect the PC to the modem (or connect your own PC to the modem). Ask the teacher what to do! Force your PC to ask for a new IP address (DHCP release/renew): ipconfig /release and ipconfig /renew. What is the IP address you received? What is the IP address of the DHCP server?

3. Check the MAC-address learnt on your bridge port using AMS and CLI.


4. Are you able to ping the PC of one of your colleagues connected to the same ISAM? Explain.

5. Use the AMS to associate logical port 8/35 with VLAN 200 as the default VLAN. Frames coming from the end user are untagged. You should be able to connect 3 PCs to this connection. VLAN 200 terminates on a BRAS, so use PPPoE to set up a connection. Check if you can surf the web. Note: depending on the modem setup the PPPoE session needs to be initiated from the modem or from the PC. Ask the trainer what to do!

6. Check the MAC address learnt on VP/VC 8/35 and VP/VC 8/36 with the AMS. What do you notice? Explain what you see.

7. Use the AMS to remove the RB VLAN with id 200 from the 8/35 ATM termination point on your port.

8. Use the CLI to remove the RB vlan with id 150 from the 8/36 ATM termination point on your port.


9. Create a RB VLAN with VLAN ID=20x (x = adsl-x) via CLI. All traffic types are possible within the VLAN. The VLAN is the default VLAN on logical port 8/35. 4 user sessions are possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Try to initiate a PPPoE session towards the network. Verify if your configuration works. Note: the BRAS will not provide you with an IP@ (setup of the network currently not ready).

10. Create a service for a RB VLAN on the AMS. All traffic types are possible within the VLAN. 4 user sessions are possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Leave the status "under construction". Note: use a unique VLAN-ID per [IP-edge, ISAM] pair to prohibit user-to-user communication.

11. You want to have line identification information on the DHCP server. Try to apply the change and explain.


12. Use the AMS to associate the service you just created on VP/VC 8/36 of the port assigned to you. The VLAN id to be used is VLAN 16x (x = adsl-x). Frames coming from the end user are untagged. VLAN 16x is the default VLAN. Check if your configuration works by setting up a DHCP session and see if you are able to receive an IP@.

13. Release your IP address (ipconfig /release).

14. Your management changed its mind and VLAN 16x can only be used for PPPoE traffic. Apply the change with CLI. Check if you are still able to retrieve an IP@ via DHCP. Does it work? Why? Why not?

15. In normal operation, would you apply such a change with CLI?

16. Your management changed its mind again, and now only wants IPoE traffic in VLAN 16x and option 82 disabled. Apply the change with AMS. Check if you are still able to retrieve an IP@ via DHCP. Does it work? Why? Why not?


17. Can you ping the client PC from the server side on VLAN 16x? Ask the trainer to assist you since access to DHCP server is secured. First check the ARP table of DHCP server and make sure the MAC@ of your PC is no longer in the self-learning table of VLAN 16x, then issue the ping command. What do you notice? Explain.

18. Force the system to allow broadcast frames to pass through in the downstream direction. Use a CLI command to achieve this goal. Verify, and explain what you notice.

19. Delete the association with VLAN 20x from VP/VC 8/35 on your port and associate VP/VC 8/35 with VLAN 21x. VLAN 21x is a RB service and its parameters are such that only PPPoE traffic is allowed on this VLAN. Perform this exercise with the AMS. Check if your setup works. What is the IP@ you get from the BRAS? What is the IP@ you got from the DHCP server? Note: the BRAS will not provide you with an IP@ (setup of the network currently not ready).


20. Try to delete VLAN 16x from the ISAM via the AMS. What happens? Explain. Note: if not possible, just proceed to the next exercise after the explanation.

21. Version 2 of the service with VLAN-ID 16x has been deployed in the entire network. Delete version 1 from the AMS.

22. MC teaser. Set up a MC control channel on VP/VC 8/36 and allow your user to see package 1. Ask the teacher for assistance and see if you can watch some video.
