Vlan Forwarding Modes and Ib PDF

University
VLAN forwarding modes and IB
7302-7330-735x ISAM / 5520 AMS operator part 1 section D
Alcatel-Lucent University Antwerp Alcatel-Lucent University Antwerp

1
During class please switch off your mobile, pager or other that may interrupt.
Entry level requirements:

> You are familiar with the theoretical concepts of Ethernet and VLANs.
> You can configure equipment and interworking function(basic configuration) on ISAMs using
the 5520AMS.
TAC03001 _D Ed01 1 © 2008 Alcatel Bell N.V., All rights reserved

Objectives
After attending this session, you should be able to:

Describe what a Residential Bridge VLAN (= Intelligent Bridge
VLAN) is
Explain how the RB-VLAN is behaving
on LT
on SHUB
Create a RB-VLAN via AMS and CLI
on ASAM-CORE
on service hub
Associate a RB-VLAN to Ethernet ports on the service hub
Associate a RB-VLAN to a bridge port
with or without VLAN translation

Table of contents
Forwarding modes: general . . . . p. 4

Layer 2 forwarding:
The Basics . . . . . p. 7
Intelligent bridging . . . . . . p. 15
VLAN setup . . . . . . . . p. 33
VLAN association . . . . . . p. 47
Exercises . . . . . . . . p. 61

University
Forwarding modes
General
Alcatel-Lucent University Antwerp 4

Forwarding engines
On the LT
On the NT
the forwarding engine is part of the service hub
x/Eth x/Eth x/Phys layer x/Eth
NT
LT x
FW Engine
Service
Hub
Forwarding Engine
External EFM / user port

Ethernet CPE
ASAM
links
GE/FE link LT 1
IWF
FW Engine
1-7 GE1-16
PVC / Logical CPE

user port
x/Eth x/Eth x/ATM/Phys. Layer x/Eth
> We mentioned earlier that the LT contains the Inter Working Function and the service hub
(that is hosted on the NT) the aggregation function. Both of them perform forwarding, and for
that purpose, the Inter Working Function provides a forwarding engine (i.e. a bridge).

Forwarding modes: General
7302 ISAM
Network L3
side L2+ User
L2 side
Eth-VLAN
ANT
Decision Forwarding mode

L2 Intelligent Bridge (IB)
VLAN Cross-Connect (CC)
Enhanced iBridge
L2+ PPPoE Engine
L3 Routed
> Different forwarding modes are supported in order to make it fit into different network models
of different operators.
> If the DSLAMs are mainly connected to a bridged Metro Ethernet network, the MAC scalability
may become an issue when only layer 2 forwarding is done in the DSLAM.
In that case the MAC addresses of all end-user terminals will have to be learnt in the Metro-
Ethernet network, while the MAC tables of some bridges may be quite limited. In that case, it
would probably be better to use the layer 2+ or L3 forwarding function of the ISAM. (However,
we mustn’t exaggerate this issue: most bridges can learn many MAC-addresses without any
problem!)
> However, if IP routers are used in the Metro Ethernet Network close to the DSLAMs, MAC
scalability will not be an issue, and layer 2 forwarding in the DSLAM may be an interesting
option, because in general layer 2 means less configuration effort. With 7302 ISAM,
operators have the flexibility to choose the forwarding mode which best fits in their network.
> In general, the previous layer 2 and layer 3 forwarding functions are an overkill for network-
VPN services towards business customers, given the number of connections to the same
VPN from one DSLAM will be mostly only one, or only very few connections per VPN. In such
cases, the VLAN cross-connect mode of the ISAM is much more appropriate for these
business users:
• less configuration effort,
• avoid too many bridges or routers in one VPN.

University
L2 Forwarding mode

General overview
7302 ISAM
Network Anything Anything Anything
side Eth - VLAN L2 Eth – (VLAN) Eth – (VLAN) User
ATM/AAL Phys layer side
Phys layer
Eth-VLAN
layer 2 forwarding
Ethernet layer must be present at both sides.
encapsulation at CPE must include Ethernet
> In case the 7302 ISAM performs L2 forwarding, it means that the internal forwarding is
basically done on layer 2 information. The layer 2 is Ethernet, including the concept of VLANs.
> In both layer 2 forwarding models (intelligent bridge as well as cross-connect), the ISAM can
accept tagged frames coming from a user. The operator can configure exactly which tag is to
be expected on the bridge port and frames carrying another tag will be discarded (filter).
> In case of VLAN translation, the user sends tags that are recognized, but only have a local
meaning and will immediately be translated into a network vlan.
> In case of cross-connect, it is possible to have C-VLAN transparency (where only the S-VLAN
is configured in the ISAM). In that case, the user can send no matter what C-VLAN. The
ISAM will not filter based on C-VLAN. See section on cross-connect.

Two L2 forwarding modes
the intelligent bridging (IB): one (or more) circuits per VLAN
Forwarding based upon MAC addresses and VLAN
the cross-connect (CC): one (or more) VLANs per circuit

Forwarding based upon
User side:
– bridge port on PVC for ATM or
– (subscriber VLAN on) bridge port on DSL port for EFM
Network side: Single or stacked VLAN tag
> The ISAM 7302 provides a special Layer 2 behavior that results from being deployed in an
access environment. I.e. it supports the 'cross connect mode' and it supports the 'Intelligent
Bridging mode'.
> In cross-connect mode, a particular VLAN-id is associated to one user connection only.
> In intelligent bridging mode, multiple user connections can be associated with each virtual
LAN.
> The mode can be configured per VLAN. A particular VLAN can operate in only one of these
modes at a time. A port however can be assigned to one or more VLAN cross-connects at a
time and can therefore operate simultaneously in cross-connect or intelligent bridging mode.
This is especially true for the Ethernet port, since it must belong to every VLAN configured.

L2 functionalities
NT Control/Mgt function
Eethernet
External
Control link LT 16
ASAM link
links
FE
Aggregation IWF
GE/FE function
1-7
ASA
GE1 ..16 Service Hub Ml
ink
GE1-16 LT 1
U
Standard VLAN IWF
S
enabled bridge. Special VLAN E
enabled bridge. R
P
O
PVC / Logical R
user port
T
S
10
> In general the aggregation function implemented by means of the Service Hub, on the NT,
behaves as a standard bridge. A few extra features make that the Service Hub can be
configured to behave in the IB mode or XC mode.
> The Service Hub (Ethernet Switch) is composed of:
1) the Ethernet transceiver function
2) the Forwarding Engine, providing the Ethernet L2 switching function
3) the switch, providing network (trunk) ports, cascade / subtending (trunk) ports, user
Ethernet ports, NT(control) Ethernet port (on ECNT-A only!), Out-band management Ethernet
port and ASAM (LT) Ethernet ports.
> It is the IWF (Interworking Function) on the LT board that serves as the ATM to Ethernet
interworking device.
> In the upstream direction (ingress bridge port on ATM PVC port), the IWF on the LT receives
traffic on the ATM PVC port, reassembles the Ethernet frames from the ATM cells and
forwards them towards theSHUB and thus to the E-MAN network.
> In the downstream direction the network interface of the Service Hub receives the Ethernet
frames and forwards them towards the correct egress port on the Service Hub. Once the
Ethernet frame is received on the ingress Ethernet port of the IWF, the frame is forwarded
towards the correct user logical port where the received Ethernet frames are segmented into
ATM cells and forwarded toward the correct ATM PVC ports.
> The Service Hub and the IWFs on the LTs behave (as much as possible) as two independent
Layer 2 systems: they both will learn and age independently on MAC addresses.
> The control function is involved in the management of the data plane.( see later)

ISAM
GE
POTS,ISDN
E-MAN NT
LT
Network
CPE
Anything
Anything
ETH-ATM Ethernet Ethernet
Ethernet Interworking
Ethernet Layer 2 Layer 2
Layer 2 Layer 2Function LLC
(IWF) LLC
SNAP
SNAP
(+ MAC (+ MAC AAL5
AAL5
Control) Control)
ATM
EthSwitchEth EthSwitchEth ATM
PHY GE PHY xDSL?

PHY FE/GE FE/GE GE
11
> The customer’s CPE is connected to the ASAM-Core with an ATM interface. It is the IWF on
the LT that provides the interworking between the ATM and the Ethernet/VLAN technology.
The Service Hub will behave as a standard bridge with some enhancements and perform
layer 2/Ethernet forwarding
> The layer 2 access offered via the IWF does not offer the same capabilities as the traditional
ATM Layer 2 access offered by the ASAM.
A traditional ATM Layer 2 access network is transparent for everything on top of ATM and as
such supports many more frame encapsulation techniques at the CPE.
The proposed E-MAN/ATM layer 2 access supports only CPEs using Ethernet over ATM,
encapsulated by AAL5 and RFC2684 “bridged”
> In the case that the 7302 ISAM performs layer 2 forwarding and the Ethernet switches in
between (EMAN) are working as bridges. In that case the Ethernet L2 environment is
terminated in the IP edge (typically the BRAS).

University
Intro
Standard Bridging

Standard bridging concept
MAC bridges can interconnect all kinds of LANs together

No guaranteed delivery of frames
A bridge learns MAC addresses
Flooding occurs when destination MAC address is broadcast,
multicast or unknown, :
“If you do not know, send it to everybody’
If the destination MAC address has been learned, the frame is
forwarded to the indicated interface
13

Security/scalability issue with standard bridging
Broadcast frames (ARP, PPPoE-PADI…) forwarded to

all users & flooding to all ports.
MAC-address of a user is exposed to other users
Broadcast storms
BC or unknown MAC DA
Ethernet BR
CPE
BRAS DSLAM PC
CPE
PC
PC
CPE
DSLAM
14
> The issue on the slide occurs with standard Ethernet bridges. Operators using VPLS in the E-
MAN will not have this issue!

Standard bridging: Issues
Broadcast storms
Security
Broadcast frames are forwarded to all users
Customers identified by MAC-address (not guaranteed unique)
Restrictions on services and revenues:
IP edge device has no info on the access line
So not possible to limit the # of sessions per access line
User-to-user communication possible without passing the BRAS
NOT FIT FOR USE IN PUBLIC NETWORKS
15
> Scalability:
• Broadcast storms
– Broadcast frames are flooded over the entire aggregation network . This generates
an important amount of traffic, that can result in service degradation or denial of
service
– Bridges have to learn MAC-addresses of all devices connected to the network
> Security
• Broadcast frames (ARP, PPPoE - PADI, …) are forwarded to all users
– MAC-address of a user is exposed to other users
> Customer segregation
• customers are identified by MAC-address, and MAC-addresses are not guaranteed
unique
– undesirable & unstable behaviour: user B gets traffic destined to user A and vice
versa.
> PADI = PPPoE Active Discovery Initiation packet (which is broadcasted). This is the first
message in the initialization phase to establish a PPPoE session.

University
Intelligent Bridging

The intelligent bridging model (1/3)
Multiple users connected to 1 VLAN ID Note: Tagged frames not

supported for IB if Rel. <3.1
IB-VLAN has:
1 or more user logical ports, subtending ports or user Ethernet ports
1 or more network ports
Internet
Internet ISP1
ISP
IP
E-MAN Login to ISP
Network or corporate
E-MAN BAS
ISP2 Network
Corporate
Routing to the correct

Routing to the
ISP is done based on
correct ISP is
user-id and password
based on the
in the BRAS
VLAN-id
17
> In case of Intelligent bridging multiple users are connected to the same VLAN, or in other
words we have aggregation at DSLAM level within a VLAN.
> In the figure at the left we see multiple VLAN bridges supported in 1 DSLAM, to connect to
different Service Providers (SP) (wholesale). Each SP is connected to the DSLAM with a
specific VLAN-ID. The user ports are connected to the VLAN of their corresponding SP.
Multiple user ports can be associated to a single VLAN-ID.
Users 2 and 5 are connected to the ISP1 VLAN
Users 1, 3 & 4 are connected to the ISP2 VLAN.
The MAC address lookup is performed in the forwarding table of the respective VLAN. With
the principle that we have 1 VLAN ID per {IP-edge-DSLAM} pair this means that in each
Ethernet switch the SP has its own forwarding table.
> In the figure at the right we see that the routing to the correct SP is based on user-id and
password and that all the users are connected with the same VLAN-ID to the BRAS.

Why VLAN Translation (customer vlan to network vlan)

Wholesale per service
Drivers: VDSL and Eth offer more BW, so it makes sense to wholesale
this “in pieces” rather than the complete DSL line as a whole
Consequences: Model with VLANs on DSL line; behaviour equivalent to
multi-VC model on ATM/ADSL
VLAN per service and per provider in the aggregation network
Service provider is free to choose CPE configuration, but VLANs in
aggregation network are under control of ILEC
Ultimately 1 subscriber (1 line) may have to support 2 HSIA
services or 2 video services from different service providers.
18
> There are many operators who base their network architecture on one PVC per service when
connecting ADSL subscribers. Once those operators start deploying VDSL, they are
immediately confronted with the issue, that their is no similar approach for EFM interfaces.
That’s why we have introduced VLAN Translation.
> Requirement is driven by the wholesale model. Operators wants to use a network model
whereby a given user can be subscribed to a different service provider for each service.
Therefore they want to have separate "circuits" per service all the way up to the CPE. They
are looking at a model of VLAN/service on the DSL line, and VLAN/service/ISP in the
aggregation network.

Special layer 2 behavior needed in an access environment

IB with VLAN tagging
Intelligent Bridge (IB) means
distinction between network ports and user ports
Frames from a user always sent towards the network
– No user to user communication
prevent broadcast traffic from escalating
avoid broadcast or flooding to all users
secure MAC-address learning within a VLAN
avoid MAC-address duplication over multiple ports
protocol filtering
may lead to a frame being forwarded, sent to a host processor,
discarded or forwarded & sent to a host processor
19
> In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging
is that it makes a distinction between network ports and user ports.
> With Intelligent Bridging, frames received from a user will always be sent towards the network
and never to another user. All traffic received from a user interface is forwarded only on the
uplink, and never to other users. This avoids that a user's MAC-address is exposed to other
users; and also assures that user's traffic is passing through the IP edge point where it can be
charged for.
• Unicast frames: user-to-user communication is not permitted.
• Broadcast and multicast frames from a user are only forwarded to the interface towards
the network and not to all other users.
> A second difference with standard bridging is the prevention of broadcast storms:
In a standard bridge, a broadcast frame will be sent to all ports in a particular VLAN. In case
of a Intelligent Bridging this is no longer true.
Depending on the type of broadcast frame (depending on the protocol above Ethernet e.g.
DHCP) the treatment will be different. Each protocol will deal with the restriction of Intelligent
Bridging in a different way. In all cases a broadcast to all users is avoided.
E.g. Broadcast as a consequence of flooding (when the MAC DA is unknown) or in case of
multicast.
> Another difference with standard bridging is the way how MAC addresses are learnt:
protection is built in to avoid the use within one particular VLAN of the same MAC address
over multiple ports.
> With intelligent bridging only the following types of frames are accepted from the user ports:
IPv4, ARP, PPPoE, IGMP and EAPOL (used for 802.1x). Other frames will be discarded,
including multicast data frames coming from user ports.

Intelligent bridging: network issues
BR
VLAN1
IP edge CPE
ISAM
MACA
Ethernet
Problem:
If user A can obtain the MAC@ of
User C, since the Ethernet switch CPE
MACB
learns all Mac @ , user to user ISAM
communication is possible
20
> On the previous slides, we learnt how user to user communication is avoided inside the ISAM.
But it is also important to mention that a VLAN must be unique between an [IP-edge-ISAM]-
pair in the Ethernet network to support the Intelligent Bridging feature. Take e.g. the network
configuration shown in the figure above, where 2 ISAMs with same VLAN are connected to
the IPedge via the EMAN network through a single VLAN. Or in other words a single VLAN
exists between ISAM1, ISAM2, and the IP-edge).
> In this case, the Ethernet switch learns all user MAC addresses and if user A can obtain the
MAC address of user C, then user A can send traffic directly to user C without going to the IP-
edge. This is not acceptable: in Intelligent Bridging mode no direct user to user
communication is allowed in the network.
Another issue is that in such configuration an ISAM would receive all broadcast / flooded
frames from any ISAM in the VLAN, with potential performance issues as a consequence.

Broadcast messages & flooding US
Upstream BC frames & flooding only forwarded towards

network port(s) within a VLAN
1 VLAN per IP-edge
Reduction of flooding in the aggregation network.
No user-to-user communication without passing the BRAS
VLAN 1
Ethernet BR
VLAN 2 CPE
BRAS ISAM PC A
CPE
PC B
☺ ISAM PC
CPE
21
> Blocking user to user communication at L2

> The principle is to avoid that 2 users connected to the same ISAM will communicate with each
other directly at L2. In this case, when user A sends a message with destination MAC-address
B, that message is sent to the uplink, not to user B.
In case of PPP this is not an issue, since all messages coming from the DSL users will have
destination MAC-address = MAC-address of the BRAS
> The objective is that all traffic passes a L3 box. The motivation is twofold:
• Security:
If direct user-to-user communication at L2 would be allowed, this would give malicious
users an easy way to find out the MAC address of other users, and then try to take it
over. Note: blocking duplicate MAC-addresses will solve most of it, but if the malicious
user is waiting until the MAC-address has aged, and then tries to take it for himself, he
blocks the other user.
• Accounting for traffic:
If we would allow for user to user communication directly in the ISAM, we would also
have to introduce mechanisms to measure and account for the traffic. Not just for billing
purposes (most services will likely not use volume-based billing), but also for features
such as legal intercept. So in other words, this kind of peer-to-peer traffic would be
“hidden” to the operator, and in particular for peer to peer traffic operators will probably
not like that.

Broadcast messages & flooding DS
Blocking of broadcast & flooding in the downstream

Avoids messages unintentionally distributed to all users
For some applications forwarding of BC is “needed”
Solution: Make BC flooding / BC discarding a configurable option per VLAN
Ethernet BR
CPE
ISAM PC
BRAS
BC or unknown
☺ MAC DA
CPE
PC
CPE
PC
ISAM
22
> In a normal bridge when a message is received with a destination MAC-address not yet in the
self-learning table, the message is broadcast to all the other interfaces.
Also broadcast messages are flooded to all interfaces
In an Intelligent bridge you want to avoid that in the downstream, messages are
unintentionally distributed to all users. Therefore you need to put mechanisms in place that
together with the systems set up in the upstream, will inhibit BC messages to be sent to all
users and avoid the flooding of messages with unknown MAC DA to all users.
> For some applications it is useful that flooding BC is possible. A solution for these applications
is e.g. to make flooding BC/discarding BC a configurable option per VLAN.

Intelligent Bridge
Bridge: learning, aging, forwarding

lookup MAC DA done based on VLAN and MAC-address
intelligent bridging enhancements implemented on ISAM
LT and SHUB have

independent MAC-address learning
independent MAC-address aging
aging timers are configurable [10...1000000] sec
Recommended default value is 300 sec
aging timer per VLAN
aging timers are configurable [-1,10...1000000] sec
Default value –1 use system Aging timer on LT
23
> The Service Hub and the LTs autonomously learn MAC addresses. They also autonomously
age on these MAC addresses. Aging timers are configurable. The idea is that the Service Hub
is configured with the same aging timer than the one of the IWF of the LT. This is needed to
avoid conflicts, e.g. when the MAC address is aged on the Service Hub, then the Service Hub
could learn the MAC address on another interface with unpredictable behavior as a
consequence.
Once a MAC address is aged, then no downstream communication is possible until the
address is learnt again in the upstream direction.
> So it’s important that the MAC ageing time is properly configured, otherwise data-plane
connectivity may be lost between the network and the ISAM end-users (nightly SW download
on STB, incoming VoIP calls, …)
– In case of PPPoE traffic the MAC aging time can be kept small, because PPP has a
built-in keep-alive mechanism
– In case of DHCP-based service scenario's, the MAC ageing time must be taken in
the same order of magnitude as the DHCP lease time

IB Configuration of SYSTEM and/or per VLAN aging timer
LT
Si
SH
UB de
sid
Pe
e
rV
LA
N
24
> CLI Commands: System aging timers IACM and SHUB

• Configure bridge ageing-time [10...1000000]
• Configure bridge shub ageing-time [10...1000000]
> CLI Command: MAC aging PER VLAN (IACM)

• Configure vlan id 200 aging-time [-1,10...1000000]
Default value –1 IACM system settings are used.

LT self-learning
only in the upstream - when initiated from user logical port
Self-learning can be disabled per user logical port.

In case of self-learning, limiting number of MAC addresses is
possible.
Learning of Source
Mac@ within VLAN
NO selflearning
LT MacA
x
To Service MacB
Hub y
MacC
z
25
> We call the LT IWF half a bridge as it only learns MAC addresses in the upstream direction.
This has as a consequence that no connection can be initiated from the network side if the
MAC address on the user side is not known or has not been learned yet.

Self learning in the Service Hub
Self-learning implemented for both upstream and downstream

Discard all user unicast frames with MAC DA known on an
ASAM or subtending port
No user to user communication
Learning of Source
Mac@ within VLAN
Service LT MacA
Hub
X’
E-MAN U’
MacB
Y’ LT
B A
B C
E-MAN V’ Z’ LT
MacC
26

Blocking of user to user communication
Port mapping on the service hub/NT

An interface can only communicate with its mapping ports
Control 8 Network Control X Network

link links link links
User links
Service
Service
Hub
Hub
1 15 16
subtending
1 15 16 link
ASAM links ASAM links
27
> This is what prevents user-to-user communication when users are on different LTs.

Port mapping
Port mapping is used to …

block user to user communication on the service hub
NT
Control link
LT
E-MAN
network
links
LT
ASAM links
subtending
links
user links
28
> It is possible that a VLAN used to transport user frames will contain ASAM/ subtending / user
interface(s) and a network interface(s) or even more ASAM interfaces and subtending
interfaces …. Possibly also both an ASAM and a subtending interface can be present in the
same VLAN. The question arrises how we prevent user to user communication within the
same VLAN
> The blocking of user-to user communication on the Service Hub is provided by port mapping
> This way we allow L2 bi-directional communication with supporting tagged frames (within the
same VLAN) only between network ports and ASAM ports, between network ports and
subtending ports, between network ports and user ports, between the controller port and each
ASAM port and between the controller and the network ports and subtending ports.
> The drawing in the slide gives you the different possible links and the flooding strategy
(Layer2) of the frames.
> The handling of control protocol frames (Radius, VBAS, IGMP, ARP and DHCP) and internal
communication at a layer higher than the MAC layer is not in the scope of the rules explained
hereafter.
> Frames received over a network interface: can be (layer 2) forwarded by the Service Hub to
the ASAM, the user, the subtending, and the control interfaces. In PPPoE demo, ISM1 related
ports are at the same position as network interface.
> Frames received over an ASAM interface: can be forwarded to the network interfaces and to
the control interface.
> Frames received over a subtending interface: can be forwarded to the network interfaces or to
the control interface.
> Frames received over a user interface: can be forwarded to the network interfaces or to the
control interface.
> Frames received over the control interface: can be (layer 2) forwarded to the network, the
subtending, the user, the ASAM interfaces.

Upstream
Only user to network allowed

<-- <-- <-- BC User A - LT1
Network SHUB LT --> User B - LT1
--> User C - LT4
--> User D
--> S-ASAM
<-- <-- <-- Unknown MAC DA User A - LT1

--> User C - LT4
--> User D
--> S-ASAM
<-- <-- <-- Known MAC DA User A - LT1

--> User C - LT4
--> User D
--> S-ASAM
29
> The ISAM only allows user to network communication in the upstream,
• Blocked on the same LT by the IWF
• Blocked by the port mapping configuration on the SHUB (see later)
> This is valid for all cases, i.e. Broadcast (BC), Unknown MAC Destination Address and Known
MAC Destination address.
> unicast frames with unknown destination MAC addresses are flooded to the networkside.
• no user to user communication within the LIM
• no flooding from user to user port
• broadcast frames are flooded towards the NW port …
> frames with known destination MAC addresses aren’t forwarded to user ports, but to the
networkside
• No user to user communication within the LT

Downstream
Broadcast control configurable per VLAN in IB mode

BC --> --> --> User A - LT1
Network SHUB --> LT -->if BC allowed User B - LT1
--> --> User C - LT4
--> User D
--> S-ASAM
Unknown MAC DA --> --> --> User A - LT1

Network SHUB --> LT --> User B - LT1
--> --> User C - LT4
--> User D
--> S-ASAM
Known MAC DA --> --> --> User A - LT1

Network SHUB --> LT --> User B - LT1
--> --> User C - LT4
--> User D
--> S-ASAM
30
> Broadcast from Network to User only allowed if enabled by the operator, per VLAN in IB
mode.
> For the ‘unknown MAC DA case’, the LT will not forward the frames to the users.
> In case of a known MAC DA, all frames are forwarded.
> unicast frames with known MAC DA are forwarded to the appropriate logical user port
• unicast frames with unknown MAC DA are discarded
• No flooding from NW port to user port
• No user to user communication
> By default broadcast as a consequence of flooding, which happens in case of standard

bridging when the MAC DA is unknown or in case of multicast, is avoided with intelligent
bridging.

Duplicate MAC-address learning
port Mac@
x Mac A Mac A
y Mac A
Port x
ETH
? Port y
Mac A
Packet with destination address Mac A
Problem:
2 users with same MAC-address,
forwarding engine can’t distinguish
Traffic from duplicate MAC-address in separate DSLAM, can be

distinguished as separate flows in the Ethernet switches of the
aggregation Network, when different VLAN id per DSLAM is used
31
> If a user on line x is using a certain MAC-address and a second user on a different line y is
trying to connect with the same MAC-address, a mechanisme should be there so that that
MAC-addresses will only appear once in the (filtering db) learning table of that VLAN.
> If this would not be done, then the MAC-address would be overwritten in the bridge's learning
table, such that traffic is forwarded either to user A or B in a rather unpredictable way. so this
feature allows to guarantee uniqueness of MAC-addresses in the aggregation network.
> In the 7302 ISAM specific rules are implemented making sure that the MAC-address will only
be learned once, this is what they call secure MAC-address learning
> We are not only resolving the customer segregation issue but we also avoid that in case of a
malicious user, user 1 cannot take over the MAC-address of user 2 (MAC-address anti-
spoofing, blocking duplicate MAC-address)
> PS: MAC-addresses are supposed to be unique per VLAN. They are not necessarily unique
for the complete system.

Secure MAC address learning
Service Hub LT
MAC movement to highest Blocking duplicate MAC-address
priority
Static MAC-addresses never
Within priority 2 , always disappear from learning table
MAC Movement
Within priority 3 , MAC NT
movement only when feature is
enabled in the VLAN
Control link
1
LT
E-MAN network links,
2 ASAM links
outband MGT link 3 IWF
2
LT
3 IWF
subtending
3
links
3
user links
32
> On the IWF

If the MAC-address was already configured or learnt on another user logical port, the MAC-
address won’t be learnt on the second port and the frame is dropped (Conflict alarm)
> On the Service Hub
You have the possibility to provision, if MAC movement is allowed or not on a per VLAN
basis. The default value is no MAC movement .
Mac movement means that in case the same MAC-SA is received on a second interface , the
MAC-address will enter the learning table of that interface and is removed from the 1st
If you do not perform MAC movement, it means that the duplicate MAC-address is not learnt
on the 2nd interface and the frames are discarded
> If the Service Hub receives a frame with MAC SA on a different interface than previously
learnt, then it will apply the following rules:
> Control interface has first priority: Learning a MAC address on the control interface will
always take priority on the learning of MAC addresses on a network, an ASAM user or
subtending interface, irrespective of the order of learning.
> Network interface has second priority: In case the MAC address is first learnt on a subtending,
ASAM or user port, and then on an Ethernet network interface, then this movement of the
MAC address will be learnt (meaning that the MAC address on the subtending, user or ASAM
port is removed). In case the Duplicate MAC-address is learnt on a network interface but it
was learnt before on another NW interface the last one takes priority.
> ASAM link, subtending link, user link have third priority. If the duplicate MAC address is
received on a ASAM, user or subtending port, and the same MAC address is already learnt on
an Ethernet network interface in the same VLAN, then the MAC address is not learnt and the
frame is dropped.
> If the duplicate MAC address is learnt on a DSLAM, user or subtending port, and the same
MAC address was already learnt on a port within this priority the action will depend on the
configuration of the VLAN. ( MAC movement allowed or not – configurable per VLAN).
> Well-known MAC addresses (e.g., MAC addresses allocated for IEEE protocols, ...) will not be
learnt. Also the MAC address of the Service Hub is a well known MAC address.

Secure MAC address learning
Configure maximum number MAC-addresses per port

Prevents attacks that would fill up the bridging tables
Subscription rules: maximum devices connected simultaneously.
Configure MAC-addresses for Discarding
Internet
ISP
MacC MacB
IP
Port x
ETH bridged MacA

BAS
PADI with source address=MacC
ISAM
Connected
port Mac@ via PPPoE
VLAN Discard Mac@ port Max x MacA
Mac@
ID 00-08-02-E9-F2-9D x MacB
x 2
33
> There are 2 motivations to block the number of MAC-addresses per port :
- Security: avoid that a malicious user can fill up all the complete bridging table of devices in
the network (DSLAM and others), by sending traffic with different MAC addresses.
- Service differentiation: by limiting the number of MAC addresses per port, the operator can
offer different types of service subscriptions to the user, limiting or allowing a certain
number of devices to connect simultaneously to the network. For this application, it is
clear that the limitation should be configurable per port.
> Note:
In this example the users PCs are connected to the internet via PPPoE. In that case actually
the BAS also has the possibility to limit the number of PPPoE sessions per user-id. Within
PPPoE, the unique PPPoE session-id can be used to provide this additional security. The
BAS can use the PPPoE session-id for user-identification during the session itself which is
linked to an earlier username/password given during the PPPoE session set-up. The BAS
knows that user has been given so many sessions. If you have information on VP/VC you can
of course also additionaly limit the number of PPPoE sessions per VP/VC. In case of
Ethernet Backhaul however the BAS has no info on the VP/VC.
Within DHCP there is no information that identifies the user. In that case limiting the number
of MAC-addresses learnt per port on the DSLAM is a possible solution, but what with a multi-
edge environment? .
If we want the DHCP server itself to be able to limite the number of sessions of the user, the
DHCP request needs to provide the information that defines the user ( VP/VC , port …) This is
possible by implementing DHCP-option 82 (see later)
> During the creation of a RB-VLAN in the Residentail Bridge VLAN service template, a list of
MAC-addresses for discarding can be added.

Intelligent Bridging, things to consider
Security Services !
IP edge has no info on the line id
Solutions: PPP-connections (BRAS) or DHCP option 82…
User can access network with a different IP address than the
assigned IP address.
Pure layer 2 device
No support for duplicate MAC-addresses on the same ISAM

Within the same VLAN
Scalability
Switches learn all MAC addresses of all end-users
IP edge learns all MAC addresses & IP addresses of all end-users
34
Anti-IP spoofing: blocking of traffic when user tries to connect to the network with an IP address
different than the IP address which was assigned to him.

Intelligent Bridging, things to consider
Advised to use unique VLAN per [IPedge-DSLAM]-pair in EMAN

Avoid user-to-user communication
Traffic management per DSLAM
Complex IP network configuration
When 1 VLAN shared by multiple DSLAMs
User to user traffic in EMAN
Easy IP network configuration
One single subnet for all DSLAMs
MAC-address spoofing
Standard MAC address learning at EMAN level
Traffic will be rerouted to any spoofed MAC address
35

University
Configuring a RB VLAN

IB VLAN set-up
VLAN set-up: Create VLAN for

Create VLAN service to be deployed
Creation of VLAN on SHUB and ASAM-CORE
Add ports to VLAN Add ports to VLAN

On SHUB and LTs
Via AMS
Different versions of one VLAN possible
37
> Here you’ll learn how to:

• Distinguish different forwarding models and choose the right VLAN mode for a certain
forwarding model
• Create a VLAN on Service hub and ASAM-CORE, either using 5520AMS or using CLI
• Add ports to a VLAN.

Creation of IB VLAN
Creation of VLAN in 2 steps

on SHUB
on LTs (ASAM-CORE)
VLAN mode according to forwarding model
Create VLAN
Mode i.f.o service to be deployed
Create VLAN on ASAM-CORE Create VLAN on SHUB

Residential bridge Residential bridge
38
> The VLAN type in the service hub permits us

• to do consistency checks between SHUB and ASAM CORE (with AMS)
• to couple specific configuration behavior to a VLAN.
> Intelligent (Residential) Bridging mode: forwarding based on L2 and multiple user
connections can be associated to each VLAN.
• RB on ASAM-CORE: multiple end-user ports can be assigned to a RB VLAN
• RB on SHUB: one VLAN on the SHUB that will be associated to all (configured) network
ports and ASAM ports
– Note: When configuring with CLI, operator needs to make sure that if needed port is
added to respective VLAN. Using AMS, it depends if the egress ports on the
service hub were forbidden or not. See further.
– Note: There’s no difference when you create a VLAN as RB or L2Terminated on the
SHUB. There is however a difference on the ASAM-CORE side.

VLAN modes (except for cross-connect)
VLAN mode
SHUB LTs (ASAM-core)
Model
Intelligent Bridge Residential bridge Residential bridge
IP aware Bridge
Layer2 Terminated * Layer2 Terminated *
(forwarding)
Layer2 Terminated
Routed Layer2 Terminated *
NW port & v-vlan *
* : see next chapters
39

> Routed mode: Forwarding decision in ASAM-CORE is based on L3 (IP forwarding) . SHUB
behaves as a Full router.
• L2 terminated on ASAM-CORE: association with V-VLAN based on IP DA.
• Layer2-term-nwport on SHUB: a VLAN on the SHUB will only be associated to network
ports. That means the VLAN is terminated on the SHUB.
> In Cross-connect mode different models exist

• C-VLAN cross-connect : Straightforward VLAN cross-connect model where one or more
VLANs at the EMAN side are associated with a given PVC at the user side
– CC on ASAM-CORE : only one end-user port (PVC or bridge port EFM) associated to
a specific C-VLAN
– CC on SHUB: since there’s only one user associated to a specific C-VLAN on the
SHUB one ASAM-link and one or more network ports are associated to the VLAN
• S-VLAN at the EMAN side is associated with a PVC at the user side, the C-VLANs carried
within the S-VLAN are then passed transparently to the end user.
– CC on ASAM-CORE : only one end-user port (PVC or bridge port EFM) associated to
a specific S-VLAN
– CC on SHUB: since there’s only one user associated to a specific S-VLAN on the
SHUB one ASAM-link and one or more network ports are associated to the S-VLAN
• S-VLAN/C-VLAN cross-connect mode : PVC – C-VLAN mapping, where the S-VLAN tag
can be used by the EMAN as route-identifier towards the ISAM
– CC on ASAM-CORE : Different end-user ports (PVC or bridge port EFM) can be
associated to a specific S-VLAN.
The C-VLAN identifies the user-port
– CC on SHUB: since there’s can be many users associated to a specific S-VLAN on
the SHUB all ASAM-link and one or more network ports are associated to the VLAN.

Creation of IB VLAN on NE
equipment
S-VLAN Id = 0
Select NE
Infrastructure
Layer 2
VLAN
Create VLAN see next slide

Create SHUB VLAN
41
> 5520AMS doesn’t use templates for VLANs. The only way to configure VLANs is on the NE
itself.
> For a residential bridge VLAN, the S-TAG = 0. No stacked VLANs for intelligent bridging! (The
reason why you see the S-VLAN id is that the same screens are used for cross-connect, where
you can have stacked VLANs indeed.)

Creation of IB VLAN on NE
mode: RB
protocol filter (PPPoE / IPoE)
broadcast control
PPPoE relay tag
DHCP option 82
Virtual MAC translation

42
> Not all parameters can be configured here already. You can configure e.g. static MAC
addresses afterwards. See further.
> From R3.5 VLAN specific aging time can be set. If set, this value will override the IACM
Layer2 - Ethernet System Parameters – Forwarding Database Aging Time. If on the other
hand the default value –1 is left, the IACM system parameter is used.

Modifying IB VLAN on NE
equipment Static MAC addresses
Select NE
Infrastructure
Layer 2
VLAN
Select VLAN
MAC Addresses
Static
Create
Static MAC Address

43

Creation of IB SHUB VLAN
equipment
Select NE
Infrastructure
Layer 2
VLAN
Create VLAN see next slide

Create SHUB VLAN
44
> For all SHUB VLANs, only one VLAN tag is relevant.

Creation of SHUB VLAN
Define egress ports on SHUB
45
> Tag mode can be configured on network ports

– Configure vlan shub id <VLAN ID> untag-port network:<...>
– ASAM-links support only tagged frames

Modifying SHUB VLAN
Object details
MAC movement
IGMP settings
…
46

Residential bridge parameters
BC button not checked by Default
Broadcast control on LT From

Service
Hub LT
Only applicable in IB mode MAC-DA
Broadcast
Disabled (default):
– BC in IWF on LT blocked in DS
Enabled:
– Allow BC in DS NT
MAC movement on SHUB SHUB 1

Only applicable in IB mode 2 LT
E-MAN
Disabled (default): 3
2
– No MAC movement in SHUB LT
within priority 3 interfaces 3
Enabled:
3
– MAC movement allowed
within priority 3 interfaces 3
47
> Disabled: Button not checked

> Enabled: Button checked

Residential bridge parameters
DHCP option 82/PPPoE Relay Tag

Disabled (default):
No option 82/PPPoE information added by LT
Enabled:
Option 82/PPPoE information added by LT
Protocol Group Filter

Different from Protocol based VLAN association
3 possibilities
All : allow all protocols on VLAN
IPoE: allow only IPoE on VLAN
PPPoE : allow only PPPoE on VLAN
PPPoE + IPoE: allow only PPPoE and IPoE on VLAN
48
> Protocol based VLAN association see later

Creation of IB VLAN via CLI
Vlan ID range: 1 to 4093

Exluding the VLAN ID used for management
Create VLAN on ASAM-CORE

configure vlan id < VLAN ID> mode <VLAN Mode >
Create VLAN on SHUB

configure vlan shub id <VLAN ID> mode <VLAN Mode >
egress-port network:
egress-port lt:rack/shelf/slot
49
CONFIGURATION OF VLAN ON ASAM-CORE

> Id: [2...4093,4097] vlan id Same for VLAN on SHUB
> Name: optional parameter with default value: "“ name
> Mode: Mandatory parameter with possible values (on ASAM-CORE):
1) cross-connect, 2) residential-bridge, 3) qos-aware, 4) layer2-terminated
> Priority: optional parameter with default value: 0. Range: {0...7}
> [no]switch-broadcast: optional parameter to control downstream broadcast frames
(default value:"discard-broadcast“). Broadcast control is configurable per VLAN: on/off
• [No] broadcast frames ‘broadcast frames’ means: broadcast allowed (= ON)
> [no] protocol filter (default: pass all).
Other possibilities: pass pppoe ,pass ipoe,pass pppoe-ipoe
> [no]enable-pppoe-relay: optional parameter with default value: "disable-pppoe-relay“ adding tag
for pppoe relayed traffic (rb vlan)
> [no]dhcp-opt-82-on: optional parameter with default value: "dhcp-opt-82-off“ enable adding
dhcp option 82 (rb vlan)
CONFIGURATION OF VLAN ON SHUB

> Mode: Mandatory parameter with possible values (on SHUB):
1) cross-connect, 2) residential-bridge, 3) layer2-terminated, 4) layer2-term-nwport,
5) v-vlan = virtual vlan, 6) reserved (internal and external communication via vlan)
> [no] mac-move-allow: for residential bridges (no) mac-address movement allowed between
priority 3 ports (ASAM ports, subtending ports and user ports on the SHUB).
> Note: Adding ports to the VLAN also with “configure VLAN” command, but not in one go
with the creation of the VLAN! You need to enter two consecutive commands. (see next
chapter – add port to VLAN)

Add port to a IB VLAN on the SHUB via CLI (2/2)
Attachment of ports to the VLAN on SHUB for IB.

Define egress ports in the “configure VLAN shub” command
Configure>vlan>shub>id <VLAN ID> egress-port lt:<...>
defines an ASAM-link
Configure>vlan>shub>id <VLAN ID> egress-port network:<...>

defines an external NT port
Tag mode can be configured on network ports

Configure vlan shub id <VLAN ID> untag-port network:<...>
ASAM-links support only tagged frames
50
> Attachment of ports to the VLAN included in the “configure VLAN SHUB” command.
• configure vlan shub id <VLAN ID>
mode residential-bridge
• Optional parameters
– [no] name <VLAN name>
– [no] mac-move-allow
– [no] egress-port
– [no] untag port
> [no] name: VLAN name (default none)
> [no] mac-move-allow: allow mac-address movement between ports with priority 3 (user ports,
ASAM ports, subtending ports). Default: no mac-address movement allowed.
> [no] egress-port: ports to be added to the VLAN. Three different types of egress-ports exist:
• LT (ASAM port)
• Network
• NT (any port on the NT, e.g. a user port or subtending port)
> [no] untag port: send frames (un)tagged on egress-port.

University
IB VLAN association on bridge port

Definition of logical user port on ASAM-CORE
x/Eth x/ATM/ADSL x/Eth
xDSL based on ATM

1 VP/VC is mapped on LT 1
1 logical user port on IWF of LT. IWF
xDSL line can have multiple VP/VCs
FW Engine
PVC / Logical
user port
CPE
xDSL based on Ethernet (VDSL2/EFM) LT 1

1 end user is mapped to one logical IWF
user port on the IWF of the LT EFM / Logical
FW Engine
One to one mapping user port
subscriber VLANs can be defined

CPE
x/Eth X/Eth/Phys layer x/Eth

52
> xDSL based on ATM

• 1 VP/VC used per service (HSI, VoIP, STB), max 8 VP/VC per xDSL line
> xDSL based on Ethernet

• VLAN per Service on UNI for all services, VLAN translation
• CPE generates the VLAN in function of the (ISP, Service), potentially requiring CPE
management in case of wholesaling
• QoS discrimination per VLAN (priority remarking, policing, …)
• Multicast replication (one VLAN only)
• Option 82 and PPP relay in ISAM (ideally with VLAN Id in option 82 or PPPoE relay tag)

IB VLAN association of port on ASAM-CORE
One logical user port can be mapped to multiple VIDs

One logical port associated to CC or Residential-bridge VIDs
One logical user port can accept tagged or untagged frames
Configured on the level of VID Association
Per user logical port a PVID can be defined
Before PVID can be configured VLAN association has to be
configured
Configuration of VID within the bridged port
Support of 48 x 16 = 768 I-Bridges
on L3 LIMs
53

IB VLAN association
Port based VLAN association

VLAN ID based on port of arrival
Untagged frames, receive port VLAN identifier – PVID
Also called the default VLAN ID
Port-and-protocol-based VLAN classification

VID based on port of arrival and the protocol identifier of the
frame
Multiple VLAN-ID’s associated with port of the bridge – VID set
VLAN Translation
VID based on port of arrival and translated to a network VID
54
> A VLAN bridge supports port-based VLAN classification, and may, in addition, support port-
and-protocol-based VLAN classification
> In port-based VLAN classification within a bridge, the VLAN-ID associated with an untagged
or priority tagged frame is determined based on the port of arrival of the frame into the bridge.
This classification mechanism requires the association of a specific Port VLAN Identifier, or
PVID, with each of the bridge’s ports. In this case, the PVID for a given port provides the
VLAN-ID for untagged and priority tagged frames received through that port.
> For bridges that implement port-and-protocol-based VLAN classification, the VLAN-ID
associated with an untagged or priority-tagged frame is determined based on the port of
arrival of the frame into the bridge and on the protocol identifier of the frame.
For port-and-protocol based tagging, the VLAN bridge will have to look at the Ethertype, the
SSAP, or the SNAP-type of the incoming frames. When the protocol is identified, the VID
associated with the protocol group to which the protocol belongs will be assigned to the
frame. This classification mechanism requires the association of multiple VLAN-IDs with each
of the ports of the bridge; this is known as the “VID Set” for that port.
> BTV and Port & protocol-based VLAN on R3.1-3.2

• the port default VLAN must be chosen equal to the VLAN used for BTV traffic
• no protocol based VLAN must be defined for IP, otherwise we end up generating a wrong
tag when issuing IGMP messages to the end user

Frames received from end users Frames received from end users
are untagged are tagged
User port can be mapped to On logical port define different
multiple VID using port- VIDs and configure frames
Protocol based association or received from end-user as
PVID tagged
Send frames back to the
subscriber to be set as Single
Tagged
IPoE
IPoE PPPoE
PPPoE LT xxx E-MAN LT
E-MAN CPE CPE
Network xxx Network
= PVID
55
Behavior of the RB VLAN Association on the AMS

> Frames received by the end users are tagged
• Association Settings Send frames back to the subscriber as: Single Tagged
> Frames received from end users are untagged

• Association Settings Send frames back to the subscriber as: Untagged

VLAN Translation, frames received from end users are tagged

Bridge Port
Subscriber VLAN
Network VLAN
VLAN 10 (HSIA, SP1)

Bridge 10 VLAN 1 (HSIA)
VLAN 11 (HSIA, SP2)
Bridge 11 VLAN 5 (HSIA)
VLAN 20 (VoD, SP1)
Bridge 20 VLAN 2 (Video)
VLAN 30 (BTV, SP1)
VLAN 31 (BTV, SP2)

MCast CPE
VLAN 21 (VoD, SP2)
Bridge 21 VLAN 6 (Video)
VLAN 40 (Voice, SP3)

Bridge 40 VLAN 3 (Voice)
VLAN per service VLAN per service

& per provider & per provider
56
> There are many operators who base their network architecture on one PVC per service when
connecting ADSL subscribers. Once those operators start deploying VDSL, they need to use
the VLAN as a "PVC emulation".
> The ISAM support the ability to emulate a multi-PVC configuration on an EFM interface using
the VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN Id's at the
subscriber interface with a set of forwarding engines being chosen from the following list :
• VLAN-CC (Transparent or Protocol aware) In this case, the C-VLAN received at the user
side is either forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN
stacking).
• i-Bridge In this case, the VLAN received at the user side will be bridged into an i-bridge
identified by the same VLAN Id.
• IP Aware Bridge
• IP Routing
> Additionally, in case of VLAN-CC or i-Bridge, we support VLAN translation to make
wholesaling possible without impacting the CPE configuration : starting from a set of pre-
defined C-VLAN tags at the CPE side (i.e. the same for all CPEs), it is possible to retag the
received packet with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN (VLAN-CC),
so that the traffic can be passed to the VLAN associated with the couple (serivce provider,
service).

Configuration of the port on VLAN in IB
Add ports to VLAN
on ASAM-CORE on SHUB
Bridge port – VID mapping Define egress ports within
the VLAN
Control Control/mgt
link
External functions
ethernet Aggregation
links function FE
GE/FE 1
GE/FE 2
….. LIM
GE/FE 7
ASAM
links IWF LIM
GE1
….. IWF
GE16
PVC
PVC
57
• In the SHUB
– Create VLAN in RB mode
– Add NW interfaces and all ASAM interfaces to this VLAN
• In the ASAM
– Create VLAN in RB mode
– Add port to VLAN

Create VLAN association on bridge port (1/2)
equipment
Select configured bridge port
Create
VLAN Association
58

Create VLAN association on bridge port (2/2)
define scope (local for subscriber VLAN
send frames back to subscriber as: untagged
59

Define PVID on bridge port
Modify VLAN association Object details view
select default VLAN and click OK

60

RB VLAN association with VLAN translation
VLAN scope: local
equipment
local subscriber VLAN
Select configured bridge port
select network VLAN

Create
VLAN Association
61
> E.g. you configure a RB VLAN association with VLAN translation on a VDSL EFM bridge port.
The modem is configured in such a way that it generates tagged traffic, e.g. local subscriber
VLAN 10. This subscriber VLAN is translated into the network VLAN 150.
• All frames returned to the subscriber should again have VLAN tag 10.
Configure that the frames returned to the subscriber should be single-tagged.

IB VLAN association of port on ASAM-CORE (CLI)
define VIDs in the “configure bridge port” command

configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
vlan-id <VLAN ID> or
vlan-id stacked <S-VLAN ID:C-VLAN ID>
VLAN Translation
Configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
vlan-id <VLAN ID> vlan-scope <local> network-vlan <VLAN ID>
Define PVIDs in the “configure bridge port” command

configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
pvid <VLAN ID>
62
> No VLAN Translation:

• leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 720
• leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
• #---------------------------------------------------------------------------------------------------
• port 1/1/4/1:8:36
max-unicast-mac 4
vlan-id 720
exit
• Exit
> With VLAN Translation:

• leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 100 vlan-scope local network-
vlan 720
• leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
• #---------------------------------------------------------------------------------------------------
• port 1/1/4/1:8:36
max-unicast-mac 4
vlan-id 100
network-vlan 720
vlan-scope local
exit
• Exit

Deletion of VLAN
First remove VLAN associations on VLAN
Then delete VLAN
63

Deletion of VLAN
It is not possible to delete a VLAN if there are still ports

attached to the VLAN
Deleting VLAN on ASAM-CORE

configure vlan no id <VLAN ID>
Deleting VLAN on SHUB

configure vlan shub no id <VLAN ID>
64

VLAN related show commands
Selection of multiple show vlan commands

Display list of command via “Show vlan ?”
Interesting commands on ASAM-CORE
Show vlan residential bridge <VLAN ID>
gives al bridge ports connected to vlan
Show vlan bridge-port-fdb < bridge port id >
Gives all MAC-adresses learned or configured on that port
Show vlan fdb <VLAN ID>
Gives you MAC -adresses learned on all ports of that vlan
Show vlan port-vlan-map <bridge port id>
Gives all the VLANS to which that port is mapped
Same commands available on shub
65

University
Exercises

> Perform these exercises with CLI and AMS unless specified differently
Perform these exercises on the board and ports assigned to
you to do the retrieval exercises.
1. Which VLANs are created on the NE?
2. What is the forwarding mode of VLAN 200 (cross-connect, residential bridge)?
3. What are the ports belonging to VLAN 200 on the SHUB? Explain what you see.
4. Which logical ports are associated to VLAN 200?
5. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-a .
Note : For the downstream forwarding , we assume that the SHUB knows the MAC-addresses of
the end user within the respective VLANs .

> What happens when the end-user sends a frame with VLAN tag 200?
> What happens when the end-user sends a frame with VLAN tag 300?
> What happens when the end-user sends an untagged frame ?
> What happens with a frame with VLAN tag 200 coming from the network?
> What happens with a frame with VLAN tag 300 coming from the network?
6. How many MAC-addresses can be learnt in VLAN 200 on the logical user port VP/VC 8/35 of
port TRAINING-a?
7. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-b.
Note : For the downstream forwarding , we assume that the SHUB knows the MAC-
addresses of the end user within the respective VLANs .
Egress
Ingress
DSL port
DSL port
150 150
8/35
160 160
210 210
50 50

What happens when the end-user sends a frame with VLAN tag 150?
What happens when the end-user sends a frame with VLAN tag 50?
What happens when the end-user sends an untagged frame?
What happens when a frame with VLAN tag 150 is sent towards the end user?
What happens when an untagged frame is sent towards the end user?
8. How many MAC-addresses can be learnt on the user logical port PVC 8/35 on port
TRAINING-b within VLAN 50?

For these exercises go back to the board and ports assigned to you to do the
configuration exercises.
1. Go to the port that you configured before and where the modem is connected.
Use CLI to apply the service with VLAN id as default VLAN 150 to PVC 8/36.
Frames coming from the end user are untagged. You should be able to connect
with 2 PCs. DHCP server is available on the other side .
setup
2. Check if you are able to get an IP address. from the DHCP server.
Note: in function of the modem setup you need to either use VMware on the
trainee PC or disconnect your PC from the AUA – LAN and connect the PC to
the modem (or connect your own PC to the modem … ). Ask the teacher what
to do!
Force your PC to ask for a new IP-address (DHCP release/renew) ipconfig
/release and ipconfig /renew.
What is the IP-address you received ? What is the IP-address of the DHCP
server?
3. Check the MAC-address learnt on your bridge port using AMS and CLI.

4. Are you able to ping the PC of one of your colleagues connected to the same
ISAM? Explain.
5. Use the AMS to associate logical port 8/35 with VLAN 200 as the default VLAN.
Frames coming from the end user are untagged. You should be able to connect
with 3 PCs to this connection.
VLAN 200 terminates on a BRAS so use PPPoE to set up a connection. Check
if you can surf the web.
Note: in function of the modem setup PPPoE session needs to be initiated from
modem or PC . Ask the trainer what to do !
Setup
6. Check the MAC-address learnt on the VP/VC 8/35 and VP/VC 8/36 with the
AMS. What do you notice ? Explain what you see.
7. Use the AMS to remove the RB vlan with id 200 from the 8/35 ATM termination
point on your port.
8. Use the CLI to remove the RB vlan with id 150 from the 8/36 ATM termination
point on your port.

9. Create RB VLAN with VLAN ID=20x ( x = adsl-x) via CLI. All traffic type is
possible within the VLAN. The VLAN is default VLAN on logical port 8/35. 4 user
sessions possible on the logical port. No user line id is required for DHCP or
BRAS. No MC service is deployed within the VLAN.
Try to initiate a PPPoE session towards the network. Verify if your configuration
works.
Note: BRAS will not provide you with an IP@ ( Setup of the network currently not
ready )
Setup
10. Create a Service for RB VLAN on the AMS. All traffic type is possible within the
VLAN. 4 user sessions possible on the logical port. No user line id is required for
DHCP or BRAS. No MC service is deployed within the VLAN.
Leave status under construction.
Note : unique VLAN-ID per [IP-edge – ISAM] pair to prohibit user-to-user
communication.
11. You want to have line identification information on the DHCP server. Try to apply
the change and explain

12. Use the AMS to associate the service you just created on VP/VC 8/36 of the
port assigned to you. VLAN id to be used is VLAN 16x (x=adslx). Frames
coming from the end user are untagged. VLAN 16x is the default VLAN.
Check if your configuration works by setting up a DHCP session and see if
you are able to receive an IP@ .
Setup
13. Release your IP address. (ipconfig /release)
14. Your management changed mind and the VLAN 16x can only be used for
PPPoE traffic. Apply the change with CLI. Check if you are still able to
retrieve an IP@ via DHCP. Does it work ? Why? Why not?
15. In normal operation would you normally apply such change with CLI?
16. Your management changed mind again, and now only wants IPoE traffic in
VLAN 16x and disable option 82. Apply the change with AMS. Check if you
are still able to retrieve an IP@ via DHCP. Does it work ? Why? Why not??

17. Can you ping the client PC from the server side on VLAN 16x?
Ask the trainer to assist you since access to DHCP server is secured.
First check the ARP table of DHCP server and make sure the MAC@ of your PC is no
longer in the self-learning table of VLAN 16x, then issue the ping command.
What do you notice? Explain.
18 Force the system to allow broadcast frames to pass through in the downstream
direction. Use a CLI command to achieve this goal. Verify, and explain what you notice.
19. Delete the association with VLAN 20x from VP/VC 8/35 on your port and associate
VP/VC 8/35 with VLAN 21x.
VLAN 21x is a RB service and parameters are such that only PPPoE traffic is allowed on
this VLAN.
Perform this exercise with the AMS.
Check if your setup works .
What is the IP@ you get from the BRAS ?
What is the IP@ you got from the DHCP server?
Note: BRAS will not provide you with an IP@ ( Setup of the network currently not ready )
Setup

20. Try to delete VLAN 16x from the ISAM via the AMS. What happens? Explain.
Note: If not possible just proceed to the next exercise after explanation
21. Version 2 of service with VLAN-ID 16x has been deployed in the entire network. Delete
version 1 from the AMS.
22. MC Teaser .
Set-up a MC control-channel on VP/VC 8/36 and allow your user to see package 1 .
Ask the teacher for assistance and see if you can watch some video.

Vlan Forwarding Modes and Ib PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Vlan Forwarding Modes and Ib PDF

Hochgeladen von

Copyright:

Verfügbare Formate

University

VLAN forwarding modes and IB

7302-7330-735x ISAM / 5520 AMS operator part 1 section D

Alcatel-Lucent University Antwerp Alcatel-Lucent University Antwerp

Entry level requirements:

TAC03001 _D Ed01 1 © 2008 Alcatel Bell N.V., All rights reserved

After attending this session, you should be able to:

TAC03001 _D Ed01 2 © 2008 Alcatel Bell N.V., All rights reserved

Forwarding modes: general . . . . p. 4

TAC03001 _D Ed01 3 © 2008 Alcatel Bell N.V., All rights reserved

Alcatel-Lucent University Antwerp 4

TAC03001 _D Ed01 4 © 2008 Alcatel Bell N.V., All rights reserved

x/Eth x/Eth x/Phys layer x/Eth

External EFM / user port

PVC / Logical CPE

TAC03001 _D Ed01 5 © 2008 Alcatel Bell N.V., All rights reserved

Decision Forwarding mode

TAC03001 _D Ed01 6 © 2008 Alcatel Bell N.V., All rights reserved

Alcatel-Lucent University Antwerp 7

TAC03001 _D Ed01 7 © 2008 Alcatel Bell N.V., All rights reserved

TAC03001 _D Ed01 8 © 2008 Alcatel Bell N.V., All rights reserved

the cross-connect (CC): one (or more) VLANs per circuit

TAC03001 _D Ed01 9 © 2008 Alcatel Bell N.V., All rights reserved

TAC03001 _D Ed01 10 © 2008 Alcatel Bell N.V., All rights reserved

PHY GE PHY xDSL?

TAC03001 _D Ed01 11 © 2008 Alcatel Bell N.V., All rights reserved

Alcatel-Lucent University Antwerp 12

TAC03001 _D Ed01 12 © 2008 Alcatel Bell N.V., All rights reserved

MAC bridges can interconnect all kinds of LANs together

TAC03001 _D Ed01 13 © 2008 Alcatel Bell N.V., All rights reserved

Broadcast frames (ARP, PPPoE-PADI…) forwarded to

TAC03001 _D Ed01 14 © 2008 Alcatel Bell N.V., All rights reserved

NOT FIT FOR USE IN PUBLIC NETWORKS

TAC03001 _D Ed01 15 © 2008 Alcatel Bell N.V., All rights reserved

Alcatel-Lucent University Antwerp 16

TAC03001 _D Ed01 16 © 2008 Alcatel Bell N.V., All rights reserved

Multiple users connected to 1 VLAN ID Note: Tagged frames not

Routing to the correct

TAC03001 _D Ed01 17 © 2008 Alcatel Bell N.V., All rights reserved

Why VLAN Translation (customer vlan to network vlan)

TAC03001 _D Ed01 18 © 2008 Alcatel Bell N.V., All rights reserved

Special layer 2 behavior needed in an access environment

TAC03001 _D Ed01 19 © 2008 Alcatel Bell N.V., All rights reserved

TAC03001 _D Ed01 20 © 2008 Alcatel Bell N.V., All rights reserved

Upstream BC frames & flooding only forwarded towards

> Blocking user to user communication at L2

TAC03001 _D Ed01 21 © 2008 Alcatel Bell N.V., All rights reserved

Blocking of broadcast & flooding in the downstream

TAC03001 _D Ed01 22 © 2008 Alcatel Bell N.V., All rights reserved

Bridge: learning, aging, forwarding

LT and SHUB have

TAC03001 _D Ed01 23 © 2008 Alcatel Bell N.V., All rights reserved

> CLI Commands: System aging timers IACM and SHUB

> CLI Command: MAC aging PER VLAN (IACM)

TAC03001 _D Ed01 24 © 2008 Alcatel Bell N.V., All rights reserved

only in the upstream - when initiated from user logical port

Self-learning can be disabled per user logical port.

TAC03001 _D Ed01 25 © 2008 Alcatel Bell N.V., All rights reserved

Self-learning implemented for both upstream and downstream

TAC03001 _D Ed01 26 © 2008 Alcatel Bell N.V., All rights reserved

Port mapping on the service hub/NT

Control 8 Network Control X Network

ASAM links ASAM links