Forwarding modes
General
On the LT
On the NT
the forwarding engine is part of the service hub
[Figure: NT with the Service Hub and its forwarding engine (links 1-7, GE1-16), and LT x with its own forwarding engine]
> We mentioned earlier that the LT contains the Inter Working Function, and that the service hub
(hosted on the NT) contains the aggregation function. Both of them perform forwarding, and for
that purpose the Inter Working Function provides a forwarding engine (i.e. a bridge).
[Figure: 7302 ISAM between the network side (Eth-VLAN) and the user side, with forwarding modes L2, L2+ and L3]
> Different forwarding modes are supported in order to make it fit into different network models
of different operators.
> If the DSLAMs are mainly connected to a bridged Metro Ethernet network, the MAC scalability
may become an issue when only layer 2 forwarding is done in the DSLAM.
In that case the MAC addresses of all end-user terminals will have to be learnt in the Metro-
Ethernet network, while the MAC tables of some bridges may be quite limited. In that case, it
would probably be better to use the layer 2+ or L3 forwarding function of the ISAM. (However,
we mustn’t exaggerate this issue: most bridges can learn many MAC-addresses without any
problem!)
> However, if IP routers are used in the Metro Ethernet Network close to the DSLAMs, MAC
scalability will not be an issue, and layer 2 forwarding in the DSLAM may be an interesting
option, because in general layer 2 means less configuration effort. With 7302 ISAM,
operators have the flexibility to choose the forwarding mode which best fits in their network.
> In general, the previous layer 2 and layer 3 forwarding functions are an overkill for network-
VPN services towards business customers, given the number of connections to the same
VPN from one DSLAM will be mostly only one, or only very few connections per VPN. In such
cases, the VLAN cross-connect mode of the ISAM is much more appropriate for these
business users:
• less configuration effort,
• avoid too many bridges or routers in one VPN.
L2 Forwarding mode
[Figure: 7302 ISAM in L2 forwarding mode; network side: Anything / Eth-VLAN / Phys layer; user side: Anything / Eth-(VLAN) / ATM/AAL / Phys layer]
layer 2 forwarding
Ethernet layer must be present at both sides.
encapsulation at CPE must include Ethernet
> In case the 7302 ISAM performs L2 forwarding, it means that the internal forwarding is
basically done on layer 2 information. The layer 2 is Ethernet, including the concept of VLANs.
> In both layer 2 forwarding models (intelligent bridge as well as cross-connect), the ISAM can
accept tagged frames coming from a user. The operator can configure exactly which tag is to
be expected on the bridge port and frames carrying another tag will be discarded (filter).
> In case of VLAN translation, the user sends tags that are recognized, but that only have a local
meaning and are immediately translated into a network VLAN.
> In case of cross-connect, it is possible to have C-VLAN transparency (where only the S-VLAN
is configured in the ISAM). In that case, the user can send any C-VLAN; the
ISAM will not filter based on C-VLAN. See the section on cross-connect.
the intelligent bridging (IB): one (or more) circuits per VLAN
Forwarding based upon MAC addresses and VLAN
> The ISAM 7302 provides a special Layer 2 behavior that results from being deployed in an
access environment. I.e. it supports the 'cross connect mode' and it supports the 'Intelligent
Bridging mode'.
> In cross-connect mode, a particular VLAN-id is associated to one user connection only.
> In intelligent bridging mode, multiple user connections can be associated with each virtual
LAN.
> The mode can be configured per VLAN. A particular VLAN can operate in only one of these
modes at a time. A port however can be assigned to one or more VLAN cross-connects at a
time and can therefore operate simultaneously in cross-connect or intelligent bridging mode.
This is especially true for the Ethernet port, since it must belong to every VLAN configured.
[Figure: NT with control/mgt function, control link, external Ethernet links (GE/FE 1-7) and the aggregation function (Service Hub, a standard VLAN enabled bridge); ASAM links GE1 .. GE16 towards LT 1 .. LT 16, each with an IWF (a special VLAN enabled bridge) and PVC / logical user ports]
> In general the aggregation function, implemented by means of the Service Hub on the NT,
behaves as a standard bridge. A few extra features allow the Service Hub to be
configured to behave in IB mode or XC mode.
> The Service Hub (Ethernet Switch) is composed of:
1) the Ethernet transceiver function
2) the Forwarding Engine, providing the Ethernet L2 switching function
3) the switch, providing network (trunk) ports, cascade / subtending (trunk) ports, user
Ethernet ports, NT(control) Ethernet port (on ECNT-A only!), Out-band management Ethernet
port and ASAM (LT) Ethernet ports.
> It is the IWF (Interworking Function) on the LT board that serves as the ATM to Ethernet
interworking device.
> In the upstream direction (ingress bridge port on ATM PVC port), the IWF on the LT receives
traffic on the ATM PVC port, reassembles the Ethernet frames from the ATM cells and
forwards them towards the SHUB and thus to the E-MAN network.
> In the downstream direction the network interface of the Service Hub receives the Ethernet
frames and forwards them towards the correct egress port on the Service Hub. Once the
Ethernet frame is received on the ingress Ethernet port of the IWF, the frame is forwarded
towards the correct user logical port where the received Ethernet frames are segmented into
ATM cells and forwarded toward the correct ATM PVC ports.
> The Service Hub and the IWFs on the LTs behave (as much as possible) as two independent
Layer 2 systems: they both will learn and age independently on MAC addresses.
> The control function is involved in the management of the data plane (see later).
[Figure: protocol stacks along the path Network / E-MAN / NT / LT / CPE: Ethernet Layer 2 (+ MAC control) switching in the E-MAN and on the NT; ETH-ATM Interworking Function (IWF) on the LT; Ethernet over LLC SNAP / AAL5 / ATM between LT and CPE; GE uplink; POTS, ISDN]
> The customer’s CPE is connected to the ASAM-Core with an ATM interface. It is the IWF on
the LT that provides the interworking between the ATM and the Ethernet/VLAN technology.
The Service Hub will behave as a standard bridge with some enhancements and perform
layer 2/Ethernet forwarding.
> The layer 2 access offered via the IWF does not offer the same capabilities as the traditional
ATM Layer 2 access offered by the ASAM.
A traditional ATM Layer 2 access network is transparent for everything on top of ATM and as
such supports many more frame encapsulation techniques at the CPE.
The proposed E-MAN/ATM layer 2 access supports only CPEs using Ethernet over ATM,
encapsulated by AAL5 and RFC2684 “bridged”.
> When the 7302 ISAM performs layer 2 forwarding and the Ethernet switches in
between (EMAN) are working as bridges, the Ethernet L2 environment is
terminated in the IP edge (typically the BRAS).
Intro
Standard Bridging
[Figure: standard bridging with BRAS, Ethernet bridge, DSLAMs, CPEs and PCs; frame with BC or unknown MAC DA]
> The issue on the slide occurs with standard Ethernet bridges. Operators using VPLS in the E-
MAN will not have this issue!
Broadcast storms
Security
Broadcast frames are forwarded to all users
Customers identified by MAC-address (not guaranteed unique)
Restrictions on services and revenues:
IP edge device has no info on the access line
So not possible to limit the # of sessions per access line
User-to-user communication possible without passing the BRAS
> Scalability:
• Broadcast storms
– Broadcast frames are flooded over the entire aggregation network. This generates
a significant amount of traffic, which can result in service degradation or denial of
service
– Bridges have to learn MAC-addresses of all devices connected to the network
> Security
• Broadcast frames (ARP, PPPoE - PADI, …) are forwarded to all users
– MAC-address of a user is exposed to other users
> Customer segregation
• customers are identified by MAC-address, and MAC-addresses are not guaranteed
unique
– undesirable & unstable behaviour: user B gets traffic destined to user A and vice
versa.
> PADI = PPPoE Active Discovery Initiation packet (which is broadcast). This is the first
message in the initialization phase to establish a PPPoE session.
Intelligent Bridging
[Figure: left, the DSLAM connects over the E-MAN network to ISP1 (Internet) and ISP2 (corporate); right, users reach the BAS over the E-MAN network and log in to an ISP or corporate network]
> In case of Intelligent bridging multiple users are connected to the same VLAN, or in other
words we have aggregation at DSLAM level within a VLAN.
> In the figure at the left we see multiple VLAN bridges supported in 1 DSLAM, to connect to
different Service Providers (SP) (wholesale). Each SP is connected to the DSLAM with a
specific VLAN-ID. The user ports are connected to the VLAN of their corresponding SP.
Multiple user ports can be associated to a single VLAN-ID.
Users 2 and 5 are connected to the ISP1 VLAN
Users 1, 3 & 4 are connected to the ISP2 VLAN.
The MAC address lookup is performed in the forwarding table of the respective VLAN. With
the principle that we have 1 VLAN ID per {IP-edge-DSLAM} pair this means that in each
Ethernet switch the SP has its own forwarding table.
> In the figure at the right we see that the routing to the correct SP is based on user-id and
password and that all the users are connected with the same VLAN-ID to the BRAS.
> There are many operators who base their network architecture on one PVC per service when
connecting ADSL subscribers. Once those operators start deploying VDSL, they are
immediately confronted with the issue that there is no similar approach for EFM interfaces.
That’s why we have introduced VLAN Translation.
> The requirement is driven by the wholesale model. Operators want to use a network model
whereby a given user can be subscribed to a different service provider for each service.
Therefore they want to have separate "circuits" per service all the way up to the CPE. They
are looking at a model of VLAN/service on the DSL line, and VLAN/service/ISP in the
aggregation network.
> In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging
is that it makes a distinction between network ports and user ports.
> With Intelligent Bridging, frames received from a user will always be sent towards the network
and never to another user. All traffic received from a user interface is forwarded only on the
uplink, and never to other users. This avoids that a user's MAC-address is exposed to other
users; and also assures that user's traffic is passing through the IP edge point where it can be
charged for.
• Unicast frames: user-to-user communication is not permitted.
• Broadcast and multicast frames from a user are only forwarded to the interface towards
the network and not to all other users.
> A second difference with standard bridging is the prevention of broadcast storms:
In a standard bridge, a broadcast frame will be sent to all ports in a particular VLAN. In case
of Intelligent Bridging this is no longer true.
Depending on the type of broadcast frame (i.e. on the protocol above Ethernet, e.g.
DHCP) the treatment will be different. Each protocol will deal with the restriction of Intelligent
Bridging in a different way. In all cases a broadcast to all users is avoided.
E.g. Broadcast as a consequence of flooding (when the MAC DA is unknown) or in case of
multicast.
> Another difference with standard bridging is the way how MAC addresses are learnt:
protection is built in to avoid the use within one particular VLAN of the same MAC address
over multiple ports.
> With intelligent bridging only the following types of frames are accepted from the user ports:
IPv4, ARP, PPPoE, IGMP and EAPOL (used for 802.1x). Other frames will be discarded,
including multicast data frames coming from user ports.
[Figure: two ISAMs, with users MAC A and MAC B behind their CPEs, connected through an Ethernet bridge to the IP edge in the same VLAN1]
Problem: if user A can obtain the MAC address of user C, user to user communication is possible, since the Ethernet switch learns all MAC addresses.
> On the previous slides, we learnt how user to user communication is avoided inside the ISAM.
But it is also important to mention that a VLAN must be unique between an [IP-edge-ISAM]-
pair in the Ethernet network to support the Intelligent Bridging feature. Take e.g. the network
configuration shown in the figure above, where 2 ISAMs with the same VLAN are connected to
the IP-edge via the EMAN network through a single VLAN (in other words, a single VLAN
exists between ISAM1, ISAM2 and the IP-edge).
> In this case, the Ethernet switch learns all user MAC addresses and if user A can obtain the
MAC address of user C, then user A can send traffic directly to user C without going to the IP-
edge. This is not acceptable: in Intelligent Bridging mode no direct user to user
communication is allowed in the network.
Another issue is that in such configuration an ISAM would receive all broadcast / flooded
frames from any ISAM in the VLAN, with potential performance issues as a consequence.
[Figure: intelligent bridging with BRAS, Ethernet bridge, ISAMs, CPEs and PCs; frame with BC or unknown MAC DA]
> In a normal bridge, when a message is received with a destination MAC-address not yet in the
self-learning table, the message is broadcast to all the other interfaces.
Broadcast messages are also flooded to all interfaces.
In an Intelligent bridge you want to avoid that, in the downstream, messages are
unintentionally distributed to all users. Therefore you need to put mechanisms in place that,
together with the systems set up in the upstream, will prevent BC messages from being sent to all
users and avoid the flooding of messages with unknown MAC DA to all users.
> For some applications it is useful that flooding BC is possible. A solution for these applications
is e.g. to make flooding BC/discarding BC a configurable option per VLAN.
> The Service Hub and the LTs autonomously learn MAC addresses. They also autonomously
age these MAC addresses. Aging timers are configurable. The idea is that the Service Hub
is configured with the same aging timer as the IWF of the LT. This is needed to
avoid conflicts: e.g. when the MAC address is aged on the Service Hub, the Service Hub
could learn the MAC address on another interface, with unpredictable behavior as a
consequence.
Once a MAC address is aged, no downstream communication is possible until the
address is learnt again in the upstream direction.
> So it’s important that the MAC ageing time is properly configured, otherwise data-plane
connectivity may be lost between the network and the ISAM end-users (nightly SW download
on STB, incoming VoIP calls, …).
– In case of PPPoE traffic the MAC aging time can be kept small, because PPP has a
built-in keep-alive mechanism
– In case of DHCP-based service scenario's, the MAC ageing time must be taken in
the same order of magnitude as the DHCP lease time
[Figure: LT IWF, per VLAN; on the LT side, source MAC addresses are learnt within the VLAN (MacA on port x, MacB on port y, MacC on port z); on the SHUB side (towards the Service Hub) there is no self-learning]
> We call the LT IWF half a bridge as it only learns MAC addresses in the upstream direction.
This has as a consequence that no connection can be initiated from the network side if the
MAC address on the user side is not known or has not been learned yet.
[Figure: Service Hub learning of source MAC addresses within the VLAN; E-MAN ports U' and V', ASAM ports X', Y' and Z' towards the LTs with MacA, MacB and MacC]
[Figure: two Service Hubs, each with ports 1 .. 15, 16 and user links, connected by a subtending link]
> This is what prevents user-to-user communication when users are on different LTs.
[Figure: Service Hub link types: control link, E-MAN network links, ASAM links to the LTs, subtending links and user links]
> It is possible that a VLAN used to transport user frames will contain ASAM / subtending / user
interface(s) and network interface(s), or even more ASAM interfaces and subtending
interfaces. Possibly both an ASAM and a subtending interface can be present in the
same VLAN. The question arises how we prevent user-to-user communication within the
same VLAN.
> The blocking of user-to-user communication on the Service Hub is provided by port mapping.
> This way we allow L2 bi-directional communication with support for tagged frames (within the
same VLAN) only between network ports and ASAM ports, between network ports and
subtending ports, between network ports and user ports, between the controller port and each
ASAM port and between the controller and the network ports and subtending ports.
> The drawing in the slide gives you the different possible links and the flooding strategy
(Layer2) of the frames.
> The handling of control protocol frames (Radius, VBAS, IGMP, ARP and DHCP) and internal
communication at a layer higher than the MAC layer is not in the scope of the rules explained
hereafter.
> Frames received over a network interface: can be (layer 2) forwarded by the Service Hub to
the ASAM, the user, the subtending, and the control interfaces. In PPPoE demo, ISM1 related
ports are at the same position as network interface.
> Frames received over an ASAM interface: can be forwarded to the network interfaces and to
the control interface.
> Frames received over a subtending interface: can be forwarded to the network interfaces or to
the control interface.
> Frames received over a user interface: can be forwarded to the network interfaces or to the
control interface.
> Frames received over the control interface: can be (layer 2) forwarded to the network, the
subtending, the user, the ASAM interfaces.
> The ISAM only allows user to network communication in the upstream:
• Blocked on the same LT by the IWF
• Blocked by the port mapping configuration on the SHUB (see later)
> This is valid for all cases, i.e. Broadcast (BC), Unknown MAC Destination Address and Known
MAC Destination address.
> Unicast frames with unknown destination MAC addresses are flooded to the network side.
• no user to user communication within the LIM
• no flooding from user to user port
• broadcast frames are flooded towards the NW port …
> Frames with known destination MAC addresses aren’t forwarded to user ports, but to the
network side.
• No user to user communication within the LT
> Broadcast from Network to User only allowed if enabled by the operator, per VLAN in IB
mode.
> For the ‘unknown MAC DA case’, the LT will not forward the frames to the users.
> In case of a known MAC DA, all frames are forwarded.
> unicast frames with known MAC DA are forwarded to the appropriate logical user port
• unicast frames with unknown MAC DA are discarded
• No flooding from NW port to user port
• No user to user communication
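The upstream and downstream rules above, set against a standard learning bridge, as an added example (a simplified Python model, not Alcatel code). The port names x, y, z, the MAC addresses and the `bc_downstream` setting name are constructed for illustration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
NETWORK = "network"   # the single uplink of the LT towards the Service Hub


@dataclass
class Frame:
    vlan: int
    src: str
    dst: str


@dataclass
class StandardBridge:
    """Classic learning bridge: all ports are equal, BC and unknown DA are flooded."""
    ports: list
    fdb: dict = field(default_factory=dict)   # (vlan, mac) -> port

    def receive(self, in_port, frame):
        self.fdb[(frame.vlan, frame.src)] = in_port
        out = self.fdb.get((frame.vlan, frame.dst))
        if frame.dst == BROADCAST or out is None:
            return sorted(p for p in self.ports if p != in_port)
        return [] if out == in_port else [out]


@dataclass
class IntelligentBridge:
    """LT 'half bridge': learns upstream only, never forwards user to user."""
    user_ports: list
    bc_downstream: dict = field(default_factory=dict)  # vlan -> bool (operator setting)
    fdb: dict = field(default_factory=dict)            # (vlan, mac) -> user port

    def receive(self, in_port, frame):
        if in_port != NETWORK:
            # Upstream: learn the source, then forward to the network only,
            # whether the destination is BC, an unknown or a known MAC DA.
            self.fdb[(frame.vlan, frame.src)] = in_port
            return [NETWORK]
        # Downstream: nothing is learnt from the network side.
        if frame.dst == BROADCAST:
            if self.bc_downstream.get(frame.vlan, False):
                return sorted(self.user_ports)
            return []
        out = self.fdb.get((frame.vlan, frame.dst))
        return [out] if out is not None else []   # unknown MAC DA is discarded


def demo():
    """Feed the same constructed frames to both bridges; return their egress ports."""
    vlan = 200
    mac_a, mac_b, edge = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
    frames = [
        ("x", Frame(vlan, mac_a, BROADCAST)),               # user A broadcasts (e.g. PADI)
        ("y", Frame(vlan, mac_b, mac_a)),                   # user B addresses user A directly
        (NETWORK, Frame(vlan, edge, mac_a)),                # downstream, known MAC DA
        (NETWORK, Frame(vlan, edge, "02:00:00:00:00:0c")),  # downstream, unknown MAC DA
        (NETWORK, Frame(vlan, edge, BROADCAST)),            # downstream broadcast
    ]
    std = StandardBridge(ports=[NETWORK, "x", "y", "z"])
    ib = IntelligentBridge(user_ports=["x", "y", "z"])
    return [(std.receive(p, f), ib.receive(p, f)) for p, f in frames]


if __name__ == "__main__":
    for standard, intelligent in demo():
        print(f"standard -> {standard!s:28} intelligent -> {intelligent}")
```

Each result pair shows where the standard bridge exposes a frame to other users and where the intelligent bridge sends it to the uplink or drops it instead.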
[Figure: learning table with Mac A on both port x and port y; a packet with destination address Mac A arrives from the Ethernet side]
Problem: 2 users with the same MAC-address, the forwarding engine can’t distinguish them.
> If a user on line x is using a certain MAC-address and a second user on a different line y is
trying to connect with the same MAC-address, a mechanism should be there so that the
MAC-address will only appear once in the (filtering db) learning table of that VLAN.
> If this were not done, the MAC-address would be overwritten in the bridge's learning
table, such that traffic is forwarded either to user A or B in a rather unpredictable way. So this
feature makes it possible to guarantee uniqueness of MAC-addresses in the aggregation network.
> In the 7302 ISAM specific rules are implemented making sure that the MAC-address will only
be learned once; this is called secure MAC-address learning.
> This not only resolves the customer segregation issue, it also prevents a
malicious user 1 from taking over the MAC-address of user 2 (MAC-address anti-
spoofing, blocking duplicate MAC-address).
> PS: MAC-addresses are supposed to be unique per VLAN. They are not necessarily unique
for the complete system.
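[Figure: port labels 2 and 3 on the LT IWF, subtending links and user links]
[Figure: users MacA, MacB and MacC behind ISAM port x, connected via PPPoE to the ISP; tables on the ISAM: learnt MAC addresses per port (x: MacA, MacB), maximum number of MAC addresses per port (x: 2), and MAC addresses to discard per VLAN ID (00-08-02-E9-F2-9D)]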
> There are 2 motivations to limit the number of MAC-addresses per port:
- Security: avoid that a malicious user can fill up the complete bridging table of devices in
the network (DSLAM and others), by sending traffic with different MAC addresses.
- Service differentiation: by limiting the number of MAC addresses per port, the operator can
offer different types of service subscriptions to the user, limiting or allowing a certain
number of devices to connect simultaneously to the network. For this application, it is
clear that the limitation should be configurable per port.
> Note:
In this example the users' PCs are connected to the internet via PPPoE. In that case
the BAS also has the possibility to limit the number of PPPoE sessions per user-id. Within
PPPoE, the unique PPPoE session-id can be used to provide this additional security. The
BAS can use the PPPoE session-id for user-identification during the session itself, which is
linked to an earlier username/password given during the PPPoE session set-up. The BAS
knows that the user has been given so many sessions. If you have information on VP/VC you can
of course also additionally limit the number of PPPoE sessions per VP/VC. In case of
Ethernet Backhaul however the BAS has no info on the VP/VC.
Within DHCP there is no information that identifies the user. In that case limiting the number
of MAC-addresses learnt per port on the DSLAM is a possible solution, but what about a multi-
edge environment?
If we want the DHCP server itself to be able to limit the number of sessions of the user, the
DHCP request needs to provide the information that defines the user (VP/VC, port, …). This is
possible by implementing DHCP option 82 (see later).
> During the creation of an RB-VLAN in the Residential Bridge VLAN service template, a list of
MAC-addresses for discarding can be added.
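Secure MAC learning, the per-port MAC limit, the per-VLAN discard list and aging, combined in one simplified learning table (an added example, not the ISAM implementation). The order of the checks, the verdict names, the 300 s aging time and counting the limit across all VLANs on a port are assumptions; the discard address is the one shown in the figure, the other MAC addresses are constructed.

```python
from dataclasses import dataclass, field


def norm(mac):
    """Normalise 00-08-02-E9-F2-9D and 00:08:02:e9:f2:9d to one spelling."""
    return mac.replace("-", ":").lower()


@dataclass
class SecureLearningTable:
    port_limit: dict                              # user port -> max learnt MACs
    aging_time: int = 300                         # seconds (constructed value)
    discard: dict = field(default_factory=dict)   # vlan -> MACs to discard
    fdb: dict = field(default_factory=dict)       # (vlan, mac) -> [port, last_seen]

    def learn(self, vlan, mac, port, now):
        """Process the source MAC of an upstream frame and return a verdict."""
        mac = norm(mac)
        if mac in {norm(m) for m in self.discard.get(vlan, ())}:
            return "discard-listed"
        entry = self.fdb.get((vlan, mac))
        if entry is not None:
            if entry[0] != port:
                # Same MAC already learnt on another port of this VLAN:
                # keep the first owner instead of overwriting the entry.
                return "duplicate-blocked"
            entry[1] = now
            return "refreshed"
        # Assumption: the limit counts every entry on the port, in any VLAN.
        in_use = sum(1 for p, _ in self.fdb.values() if p == port)
        if in_use >= self.port_limit.get(port, 0):
            return "limit-exceeded"
        self.fdb[(vlan, mac)] = [port, now]
        return "learnt"

    def age_out(self, now):
        """Remove entries not refreshed within aging_time; return how many."""
        expired = [k for k, (_, seen) in self.fdb.items()
                   if now - seen >= self.aging_time]
        for key in expired:
            del self.fdb[key]
        return len(expired)

    def downstream_port(self, vlan, mac):
        """User port for a downstream frame, or None (frame is discarded)."""
        entry = self.fdb.get((vlan, norm(mac)))
        return entry[0] if entry else None


def demo():
    mac_a, mac_b, mac_c = ("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                           "02:00:00:00:00:0c")
    table = SecureLearningTable(port_limit={"x": 2, "y": 4},
                                discard={200: {"00-08-02-E9-F2-9D"}})
    events = [  # constructed: (time, vlan, source MAC, user port)
        (0, 200, mac_a, "x"),
        (1, 200, mac_b, "x"),
        (2, 200, mac_c, "x"),                # third device on a port limited to 2
        (3, 200, mac_a, "y"),                # user on y reuses MacA in the same VLAN
        (4, 300, mac_a, "y"),                # same MAC, other VLAN: allowed
        (5, 200, "00-08-02-E9-F2-9D", "y"),  # on the discard list of VLAN 200
    ]
    verdicts = [table.learn(v, m, p, now) for now, v, m, p in events]
    before = table.downstream_port(200, mac_a)
    aged = table.age_out(now=400)
    after = table.downstream_port(200, mac_a)   # aged out: nothing downstream
    relearn = table.learn(200, mac_a, "y", now=401)
    return verdicts, before, aged, after, relearn


if __name__ == "__main__":
    print(demo())
```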
Security Services !
IP edge has no info on the line id
Solutions: PPP-connections (BRAS) or DHCP option 82…
User can access network with a different IP address than the
assigned IP address.
Pure layer 2 device
Scalability
Switches learn all MAC addresses of all end-users
IP edge learns all MAC addresses & IP addresses of all end-users
Anti-IP spoofing: blocking of traffic when user tries to connect to the network with an IP address
different than the IP address which was assigned to him.
Configuring a RB VLAN
Via AMS
Different versions of one VLAN possible
Create VLAN
Mode depending on the service to be deployed
VLAN mode
SHUB LTs (ASAM-core)
Model
IP aware Bridge
Layer2 Terminated * Layer2 Terminated *
(forwarding)
Layer2 Terminated
Routed Layer2 Terminated *
NW port & v-vlan *
[Screenshot: equipment view, Select NE > Infrastructure > Layer 2 > VLAN; S-VLAN Id = 0]
> 5520AMS doesn’t use templates for VLANs. The only way to configure VLANs is on the NE
itself.
> For a residential bridge VLAN, the S-TAG = 0. No stacked VLANs for intelligent bridging! (The
reason why you see the S-VLAN id is that the same screens are used for cross-connect, where
you can have stacked VLANs indeed.)
mode: RB
broadcast control
DHCP option 82
> Not all parameters can be configured here already. You can configure e.g. static MAC
addresses afterwards. See further.
> From R3.5 VLAN specific aging time can be set. If set, this value will override the IACM
Layer2 - Ethernet System Parameters – Forwarding Database Aging Time. If on the other
hand the default value –1 is left, the IACM system parameter is used.
[Screenshot: Select NE > Infrastructure > Layer 2 > VLAN > Select VLAN > MAC Addresses > Static > Create]
[Screenshot: equipment view, Select NE > Infrastructure > Layer 2 > VLAN]
> For all SHUB VLANs, only one VLAN tag is relevant.
Object details
MAC movement
IGMP settings
…
> Attachment of ports to the VLAN is included in the “configure VLAN SHUB” command.
• configure vlan shub id <VLAN ID>
mode residential-bridge
• Optional parameters
– [no] name <VLAN name>
– [no] mac-move-allow
– [no] egress-port
– [no] untag port
> [no] name: VLAN name (default none)
> [no] mac-move-allow: allow mac-address movement between ports with priority 3 (user ports,
ASAM ports, subtending ports). Default: no mac-address movement allowed.
> [no] egress-port: ports to be added to the VLAN. Three different types of egress-ports exist:
• LT (ASAM port)
• Network
• NT (any port on the NT, e.g. a user port or subtending port)
> [no] untag port: send frames (un)tagged on egress-port.
[Figure: CPE connected over a PVC / logical user port to the forwarding engine; one to one mapping of the user port]
VLAN Translation
VID based on port of arrival and translated to a network VID
> A VLAN bridge supports port-based VLAN classification, and may, in addition, support port-
and-protocol-based VLAN classification
> In port-based VLAN classification within a bridge, the VLAN-ID associated with an untagged
or priority tagged frame is determined based on the port of arrival of the frame into the bridge.
This classification mechanism requires the association of a specific Port VLAN Identifier, or
PVID, with each of the bridge’s ports. In this case, the PVID for a given port provides the
VLAN-ID for untagged and priority tagged frames received through that port.
> For bridges that implement port-and-protocol-based VLAN classification, the VLAN-ID
associated with an untagged or priority-tagged frame is determined based on the port of
arrival of the frame into the bridge and on the protocol identifier of the frame.
For port-and-protocol based tagging, the VLAN bridge will have to look at the Ethertype, the
SSAP, or the SNAP-type of the incoming frames. When the protocol is identified, the VID
associated with the protocol group to which the protocol belongs will be assigned to the
frame. This classification mechanism requires the association of multiple VLAN-IDs with each
of the ports of the bridge; this is known as the “VID Set” for that port.
Frames received from end users are untagged: the user port can be mapped to multiple VIDs using port-and-protocol based association or PVID.
Frames received from end users are tagged: on the logical port, define different VIDs and configure frames received from the end-user as tagged. Frames sent back to the subscriber are to be set as single tagged.
[Figure: CPE, LT and E-MAN network for both cases, carrying IPoE and PPPoE; in the untagged case the VID is the PVID]
> There are many operators who base their network architecture on one PVC per service when
connecting ADSL subscribers. Once those operators start deploying VDSL, they need to use
the VLAN as a "PVC emulation".
> The ISAM supports the ability to emulate a multi-PVC configuration on an EFM interface using
the VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN IDs at the
subscriber interface with a set of forwarding engines chosen from the following list:
• VLAN-CC (Transparent or Protocol aware): in this case, the C-VLAN received at the user
side is either forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN
stacking).
• i-Bridge: in this case, the VLAN received at the user side will be bridged into an i-bridge
identified by the same VLAN ID.
• IP Aware Bridge
• IP Routing
> Additionally, in case of VLAN-CC or i-Bridge, we support VLAN translation to make
wholesaling possible without impacting the CPE configuration: starting from a set of pre-
defined C-VLAN tags at the CPE side (i.e. the same for all CPEs), it is possible to retag the
received packet with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN (VLAN-CC),
so that the traffic can be passed to the VLAN associated with the couple (service provider,
service).
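Port-and-protocol-based VLAN classification and VLAN translation on one user bridge port, worked through on raw Ethernet frames as an added example (not ISAM code). The class and function names, the PVID 160 and the PPPoE-to-VLAN-200 protocol group are constructed; the translation of local VLAN 10 to network VLAN 150 follows the example used on this page.

```python
import struct

TPID_8021Q = 0x8100


def parse_l2(frame: bytes):
    """Return (vid, protocol id) of an Ethernet frame.

    vid is None for untagged and 0 for priority-tagged frames. The protocol id
    is the Ethertype, the SNAP type of an LLC/SNAP frame, or None for other LLC.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    vid, offset = None, 14
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18
    if etype >= 0x0600:                        # Ethernet II: Ethertype
        return vid, etype
    llc = frame[offset:offset + 8]             # 802.3 length field, LLC follows
    if len(llc) == 8 and llc[:3] == b"\xaa\xaa\x03":
        return vid, struct.unpack_from("!H", llc, 6)[0]   # SNAP type
    return vid, None


class UserBridgePort:
    def __init__(self, pvid, protocol_vids=None, translations=None):
        self.pvid = pvid                            # VID for untagged frames
        self.protocol_vids = protocol_vids or {}    # protocol id -> VID ("VID set")
        self.translations = translations or {}      # local VID -> network VID

    def classify(self, frame):
        """Network VID for an ingress frame, or None when it is discarded."""
        vid, proto = parse_l2(frame)
        if vid:                                     # tagged with a real VID
            return self.translations.get(vid)       # unexpected tag: discard
        # Untagged or priority-tagged: protocol group first, PVID otherwise.
        return self.protocol_vids.get(proto, self.pvid)

    def egress_tag(self, network_vid):
        """Local tag to put back on a frame returned to the subscriber."""
        for local, net in self.translations.items():
            if net == network_vid:
                return local
        return None                                 # sent untagged


def eth(proto, vid=None, pcp=0, snap=False):
    """Build a constructed test frame (broadcast DA, locally administered SA)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("02000000000a")
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    if snap:
        body = b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", proto) + bytes(38)
        return hdr + struct.pack("!H", len(body)) + body
    return hdr + struct.pack("!H", proto) + bytes(46)


def demo():
    port = UserBridgePort(pvid=160,
                          protocol_vids={0x8863: 200, 0x8864: 200},  # PPPoE
                          translations={10: 150})
    frames = [
        eth(0x0800),                 # untagged IPv4           -> PVID
        eth(0x8863),                 # untagged PPPoE discovery -> protocol group
        eth(0x0806, vid=0, pcp=5),   # priority-tagged ARP     -> PVID
        eth(0x8864, snap=True),      # LLC/SNAP PPPoE session  -> protocol group
        eth(0x0800, vid=10),         # local tag 10            -> network VLAN 150
        eth(0x0800, vid=300),        # tag not configured      -> discarded
    ]
    return ([port.classify(f) for f in frames],
            port.egress_tag(150), port.egress_tag(160))


if __name__ == "__main__":
    print(demo())
```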
On ASAM-CORE: bridge port – VID mapping
On SHUB: define egress ports within the VLAN
[Figure: NT with control/mgt functions, control link, aggregation function, external Ethernet links GE/FE 1 .. GE/FE 7 and ASAM links GE1 .. GE16 towards the IWF on each LIM, with PVCs on the user side]
• In the SHUB
– Create VLAN in RB mode
– Add NW interfaces and all ASAM interfaces to this VLAN
• In the ASAM
– Create VLAN in RB mode
– Add port to VLAN
[Screenshot: equipment view, Create VLAN Association]
[Screenshot: equipment view, VLAN Association with local subscriber VLAN]
> E.g. you configure a RB VLAN association with VLAN translation on a VDSL EFM bridge port.
The modem is configured in such a way that it generates tagged traffic, e.g. local subscriber
VLAN 10. This subscriber VLAN is translated into the network VLAN 150.
• All frames returned to the subscriber should again have VLAN tag 10.
Configure that the frames returned to the subscriber should be single-tagged.
VLAN Translation
Configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
vlan-id <VLAN ID> vlan-scope <local> network-vlan <VLAN ID>
Exercises
3. What are the ports belonging to VLAN 200 on the SHUB? Explain what you see.
5. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-a.
Note: For the downstream forwarding, we assume that the SHUB knows the MAC-addresses of
the end user within the respective VLANs.
> What happens when the end-user sends a frame with VLAN tag 300?
> What happens with a frame with VLAN tag 200 coming from the network?
> What happens with a frame with VLAN tag 300 coming from the network?
6. How many MAC-addresses can be learnt in VLAN 200 on the logical user port VP/VC 8/35 of
port TRAINING-a?
7. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-b.
Note: For the downstream forwarding, we assume that the SHUB knows the MAC-
addresses of the end user within the respective VLANs.
[Figure: DSL port with PVC 8/35; ingress and egress VLANs 150, 160, 210 and 50]
What happens when the end-user sends a frame with VLAN tag 50?
What happens when a frame with VLAN tag 150 is sent towards the end user?
What happens when a frame with VLAN tag 160 is sent towards the end user?
What happens when a frame with VLAN tag 210 is sent towards the end user?
What happens when a frame with VLAN tag 50 is sent towards the end user?
What happens when an untagged frame is sent towards the end user?
8. How many MAC-addresses can be learnt on the user logical port PVC 8/35 on port
TRAINING-b within VLAN 50?
1. Go to the port that you configured before and where the modem is connected.
Use CLI to apply the service with VLAN id as default VLAN 150 to PVC 8/36.
Frames coming from the end user are untagged. You should be able to connect
with 2 PCs. DHCP server is available on the other side.
setup
2. Check if you are able to get an IP address from the DHCP server.
Note: depending on the modem setup you need to either use VMware on the
trainee PC or disconnect your PC from the AUA – LAN and connect the PC to
the modem (or connect your own PC to the modem …). Ask the teacher what
to do!
Force your PC to ask for a new IP-address (DHCP release/renew): ipconfig
/release and ipconfig /renew.
What is the IP-address you received? What is the IP-address of the DHCP
server?
3. Check the MAC-address learnt on your bridge port using AMS and CLI.
5. Use the AMS to associate logical port 8/35 with VLAN 200 as the default VLAN.
Frames coming from the end user are untagged. You should be able to connect
with 3 PCs to this connection.
VLAN 200 terminates on a BRAS so use PPPoE to set up a connection. Check
if you can surf the web.
Note: depending on the modem setup, the PPPoE session needs to be initiated from the
modem or the PC. Ask the trainer what to do!
Setup
6. Check the MAC-address learnt on the VP/VC 8/35 and VP/VC 8/36 with the
AMS. What do you notice? Explain what you see.
7. Use the AMS to remove the RB vlan with id 200 from the 8/35 ATM termination
point on your port.
8. Use the CLI to remove the RB vlan with id 150 from the 8/36 ATM termination
point on your port.
Setup
10. Create a Service for RB VLAN on the AMS. All traffic types are possible within the
VLAN. 4 user sessions possible on the logical port. No user line id is required for
DHCP or BRAS. No MC service is deployed within the VLAN.
Leave status under construction.
Note: unique VLAN-ID per [IP-edge – ISAM] pair to prohibit user-to-user
communication.
11. You want to have line identification information on the DHCP server. Try to apply
the change and explain.
Setup
14. Your management changed its mind and the VLAN 16x can only be used for
PPPoE traffic. Apply the change with CLI. Check if you are still able to
retrieve an IP@ via DHCP. Does it work? Why? Why not?
15. In normal operation would you normally apply such a change with CLI?
16. Your management changed its mind again, and now only wants IPoE traffic in
VLAN 16x and wants option 82 disabled. Apply the change with AMS. Check if you
are still able to retrieve an IP@ via DHCP. Does it work? Why? Why not?
18. Force the system to allow broadcast frames to pass through in the downstream
direction. Use a CLI command to achieve this goal. Verify, and explain what you notice.
19. Delete the association with VLAN 20x from VP/VC 8/35 on your port and associate
VP/VC 8/35 with VLAN 21x.
VLAN 21x is a RB service and parameters are such that only PPPoE traffic is allowed on
this VLAN.
Perform this exercise with the AMS.
Check if your setup works.
What is the IP@ you get from the BRAS?
What is the IP@ you got from the DHCP server?
Note: BRAS will not provide you with an IP@ (setup of the network currently not ready).
Setup
21. Version 2 of service with VLAN-ID 16x has been deployed in the entire network. Delete
version 1 from the AMS.
22. MC Teaser.
Set up a MC control-channel on VP/VC 8/36 and allow your user to see package 1.
Ask the teacher for assistance and see if you can watch some video.