IP in the ISAM

3FL 00327_D AAAA WBZZA Ed 01 1 2006 Alcatel Bell N.V., All rights reserved

1

IP in 7302 ISAM

7302/5523 advanced operator


2

Objectives

After completing this section, youll be able to: Contrast IP aware bridging with IP routing Create a VRF with CLI (both on service hub and on asam-core) Create layer 3 interfaces and map interfaces to VRF Configure IP parameters

Configure IP-addresses Specify routes in the VRF ARP proxy functionality parameters


3

Table of contents

IP aware bridge mode

IP routed mode

IP related configuration General principles Overview commands ASAM-CORE Overview commands SHUB


4

Forwarding modes General

Different forwarding modes for different forwarding decisions:

Networkside User

side

ANTEth-VLAN

L3+L3L2+L2

7302 ISAM

PPPoA to PPPoE translation IP aware Bridge

L2+

PPP termination L3+ RoutedL3

VLAN Cross-Connect (CC)Intelligent Bridge (IB)

L2Forwarding mode Decision

This chapter

> Different forwarding modes are supported in order to make it fit into different network models of different operators.

> If the DSLAMs are mainly connected to a bridged metro(politan) ethernet network (E-MAN), the MAC scalability may become an issue when only layer 2 forwarding is done in the DSLAM. In that case the MAC addresses of all end-user terminals will have to be learned in the metro-Ethernet network, while the MAC tables of bridges are quite limited. In that case, it will probably be better to use the layer 2+ or L3 forwarding function of the ISAM.

> However, if IP routers are used in the metro Ethernet Network close to the DSLAMs, MAC scalability will not be an issue, and layer 2 forwarding in the DSLAM may be an interesting option, because in general layer 2 means less configuration effort. With 7302 ISAM, operators have the flexibility to choose the forwarding mode which best fits in their network.

> In general, the previous layer 2 and layer 3 forwarding functions are an overkill for network-VPN services towards business customers, given the number of connections to the same VPN from one DSLAM will be mostly only one, or only very few connections per VPN. In such cases, the VLAN cross-connect mode of the ISAM is much more appropriate for these business users:

less configuration effort, avoid too many bridges or routers in one VPN.


5

IP aware bridging versus IP routing

IP aware bridging

IP routing: 2 VLANs

E-MANNetworkIP

Network

NT

IBIPR

MACR

VRF

LT

FWIPB

MACB

IPAMACA

Edge Router ISAM

No IPLTMACLT

Layer 2 terminated VLAN

E-MANIP

Network

NT

IP@ER

Layer 2 terminated network port VLAN

R VRF-BlueLTFW

VRF-yellowV-VLAN

Layer 2 terminated VLAN

> In case of IP-aware bridging theres only one VLAN. The VLAN mode is layer 2 terminated, both at asam-core and at the service hub.Theres only a VRF at the asam-core. The service hub remains an intelligent bridge. The VLAN is associated to this VRF. The IP-interfaces in the VRF are unnumbered.

> In case of IP-routing, there are two VLANs: an internal VLAN, configured at service hub and asam-core and an external VLAN, only to be configured at the service hub.

external VLAN mode layer 2 terminated network port internal VLAN mode V-VLAN at SHUB; mode layer 2 terminated at asam-core

> Each VLAN will be associated to a VRF. In routed mode, the IP-interfaces will get IP-addresses.

The VRF on the service hub will be in fast path mode, which means it can transport data traffic. Until now, there can only be one VRF on the service hub in fast path mode (so only one full router). However, there can be additional VRFs that are used to transport control traffic.

On the asam-core you will typically define several VRFs (max. 127).


IP aware bridge L2+ forwarding 7302/5523 Advanced operator

> IP aware bridging is considered to be layer 2+ forwarding. The forwarding decision is made based upon the IP-address, but theres no real routing. Based upon the IP-address, a certain VLAN will be selected (layer 2!). Now theres no mapping between a port and a VLAN (pure layer 2 forwarding), but an IP-address and a VLAN (layer 2+ forwarding).


7

General overview

The 7302 ISAM terminates: IP on the user side IP/Ethernet, on the network side

Forwarding based on destination IP address Bridged like model

From network viewpoint, users on ISAM and IP-edge belong to same subnet

Userside

7302 ISAM

Phys layerATMEthIP

Phys layerATMIP

Eth (VLAN)IP

Phys layerEthIP

L2+Networkside

> VR = Virtual Router


8

IP aware bridge

Simple network model - bridge like model edge router thinks that users on ISAMs are directly connected LT board no individual public IP-address

LT cant be addressed as a next-hop by the edge router Aggregation at DSLAM level within a VRF

Forwarding based on IP addresses IP forwarder on LT, bridge on NT

POTS,ISDN

CPE

7302 ISAM

LTE-MANNetwork

GENT

FWIBVRF-Blue

VRF-RED

Edge Router


9

E-MANNetwork

IP forwarding network model

Same network model as bridged model for residential subscribers

No IP-address allocated to ISAM Forwarding on LT based on IP address

Lightweight VRFUnnumbered interfaces at ISAMNo routing protocols supported

EMANEdge ISAM CPE

IP subnet

IP address 7302 ISAM

SHub EthDSLATMIP

DSLATMIP

IP aware Bridge

LTIB FW


10

Principle

Upstream forwarding Based on static routes defined by operator

Downstream forwarding Statically defined by operator or automatically learned by looking at passing DHCP messages

E-MANNetwork

Edge Router

IPNetwork

ISP/Internet NT

IB

IPoE/IPoAuntaggedIPoEIPoE

Forwarding decision based on IP DA (L2+)Layer 2 forwarding(normal bridging)

VLANVRF-Blue

LT

FW

> On the LT we have 2 forwarding information bases. One for the upstream forwarding decision and one for the downstream forwarding decision. These two FIBs are totally independent of each other, I.e. when a packet is forwarded in the upstream only the upstream FIB is looked at and for the downstream direction only the downstream FIB is consulted

> With this mechanism when a packet is sent in the upstream and no specific route is defined, the packet is always forwarded towards an edge router (next hop - default or specific). Or in other words, packets are always sent to an ER i.e. forced to pass through ER independently of the IP DA . This way user-to-user traffic is fully blocked.

> In the downstream direction the subscriber IP address is learned through DHCP snooping. Manual configuration is possible but not common, needed for example when static IP addresses are assigned at CPE side.


11

ARP proxy (1/2)

E-MANNetworkIP

Network

NT

IBIPR

MACR

VRF

LT

FWIPB

MACB

IPAMACA

Edge Router ISAM

No IPLTMACLT

ISAM ARP reply: MACLT has IPRISAM has already learned IPA

user ARP: who has IPR

ISAM ARP: who has IPR

ER ARP reply: MACR has IPRISAM hasnt yet

learned MACR of IPR

> ARP proxy on the LT on the user side> LTs provide ARP proxy (for the user subnets) on the user interfaces> When an ARP request is received from a subscriber line the LT will respond to the ARP

request with its own MAC-address when both users (IPDA and IPSA) are in the same subnet or in case the target IP address is the gateway IP address of the end user (statically configured or snooped). At the same time he will learn the MAC-address of the end user.

> If the user (IPSA) on the other hand is not learnt (statically configured or snooped) on the incoming interface the LT will not reply to the ARP message and will discard the package (anti-IP-spoofing)

> The LT will also discard the ARP message when source and target users are learnt on the same interface since in that case the users can communicate via the internal interface at the user side.

> When the ISAM initiates the ARP request it will use as an IP source address in the ARP message the source IP address of the message that arrived in the ISAM triggering this ARP request.


12

ARP proxy (2/2)

ER ARP: who has IPA

ISAM ARP reply: MACLT has IPA

ISAM has already learned IPA

E-MANNetworkIP

Network

NT

IBIPR

MACR

VRF

LT

FWIPB

MACB

IPAMACA

Edge Router ISAM

No IPLTMACLT

ISAM ARP: who has IPA

user ARP reply: MACA has IPAISAM hasnt yet

learned MACA of IPA

> ARP initiated by LT towards the end user> The LT is going to send an ARP packet towards the end user if he receives an IP packet

destined for one of his users but he does not know the MAC address. The ARP request is only sent on the relevant interface (no BC to all users)

> When the ISAM initiates the ARP request it will use as an IP source address in the ARP message the source IP address of the message that arrived in the ISAM triggering this ARP request.


13

Basic configuration set-up

Basic topology Single service : e.g. HSI Single IP edge One single subscribers IP pool One VLAN in the access

network, shared by all ISAMs

ISAM configuration All ISAMs configured identically One IP Aware Bridge per ISAM One default route to the IP edge Subscribers configuration self-

learned

NT

NT

LT

LT

E-MANNetwork

ISAM 1

ISAM 2IP11WWW IPW

One IP pool for the access network (shared VLAN) : easy IP subnet mgmt, efficient IP pool usage

IP subnet on VLAN X

> IP11 is the default router for each ISAM and for each residential gateway. Theres only one single IP pool for the whole access network (shared VLAN): easy IP subnet management, efficient IP pool usage.


14

MACA/IPA MACLT1/IPX

IP

IPA IPx: different subnets (upstream)

NTLTE-MAN

Network

ISAM 1

LT1MACLT1

IPW

ISAM 2

Discard if IPA is not known on this interface. Learn SRC-IP/SRC-MAC relation.

forwarding table: IPX next-hop IP-address? ARP lookup or request next-hop MAC-address

MACXIPX

ARP: who has IPR

IPRMACR

IPAMACA

ARP reply: MACLT has IPR

ARP reply: MACR has IPRMACLT1/IPA MACR/IPXIPX

ARP (from MACLT1/IPA): who has IPR

> One single IP pool (shared VLAN)> SN1 = subnet 1> LPM = Longest Prefix Match

> User sends ARP request to resolve the default routers IP address (IP11). If the source IP-address is not learned on this interface, the LT will discard the ARP

request. (anti-IP-address spoofing) If the source IP-address is already learned on this interface, the LT will act as an ARP

proxy. The ARP reply contains the MAC-address of the LT and the IP-address of the default gateway for subnet 1 (provider edge router).

> User sends frame to IPx in subnet 2. The MAC DA is the MAC-address of the LT.> The LT receives the message and consults its statically configured upstream VRF FIB. That

way the next-hop IP-address is retrieved (= IP address of the provider edge router) The LT looks up the entry in the ARP-table (if aged, then a new ARP request will be issued by the LT). The LT will retrieve the next-hop MAC address and Provider VLAN on which the provider edge resides.

> The LT forwards the frame on the P-VLAN to the edge router.


15

IP

IPX IPA: different subnets (downstream)

NTLTE-MAN

Network

ISAM 1

LT1MACLT1

IPW

MACXIPX

IPRMACR

IPAMACA

IPX IPAARP: who has IPA

MACA ?

ARP reply: MACLT1 has IPA

IPA known? ARP policy trusted?Learn IP/MAC relation

MACR /IPX MACLT1/IPA MACA ?ARP (from MACLT1/IPR): who has IPA

ARP reply: MACA has IPAMACLT1/IPX MACA /IPA

> As soon as the reply from IP x to IP A is received by the edge router, different lookups need to be done:

Longest prefix match in VRF to find the directly attached users ARP lookup or request to resolve IP A. The ARP request will be broadcast, so multiple

ISAMs may get it. All ISAM where IPA is not present in the downstream FIB, will discard the ARP request. In this example IP A is known in ISAM 1. The ARP reply will provide the MAC-address of the LT.

Frame is sent to LT1 on ISAM1. Lookup in downstream FIB of VRF associated with the incoming Provider-VLAN. The

interface lookup results in: PVC (ATM) Physical port (EFM)

ARP lookup or request (ARP request is not broadcast to all users, but only send on a specific interface). The result is the MAC-address of the end-user.

Finally, the frame is sent to the end user.


16

IP

IPA IPB: same subnet

NTLTE-MAN

Network

ISAM 1

LTMACLT1

IPW

MACXIPX

IPAMACA

LTMACLT2

ISAM 2 IPBMACBARP: who has IPB

ARP reply: MACLT has IPBIPB & IPA in same network?

MACA/IPA MACLT1/IPBforwarding table: IPB next-hop IPaddress? ARP lookup or request next-hop MACaddress

ARP reply: MACR has IPRMACLT1/IPA MACR/IPB

ARP (from MACLT1/IPA): who has IPR

MACB ? ARP: who has IPBARP reply: MACLT2 has IPB

MACR / IPB MACLT1/IPAMACB ?

etc. ARP (from MACLT2/IPR): who has IPB

IPRMACR

> Same mechanism when IPA and IPB are allocated to users on the same ISAM!


17

IP

Configuration Multiple IP pools

Only one gateway defined on ISAMs: For example IP11

Secured ARP handling at IP edge must be disabled No check if ARP IPSA within same subnet as target IPDA

NT

NT

LT

LT

E-MANNetwork

ISAM 1

ISAM 2

IP11

IPW PE

IP22

IP23

IP21

IP12

IP13

Disable secured ARP Gateway for ISAMs!

IP subnets on VLAN X

> Subscribers IP pools IP pools requested in function of penetration Scattered IP pools and therefore different subnets

> For traffic coming from either subnet on the IP forwarder the ISAM looks at the same table. With other words the ISAM might only have one default route but 2 or more subnet

> No IP address allocated to ISAM but Proxy ARP at ISAM level

> The edge equipment should disable secured ARP as it might get ARP requests originating from an IP address in a different range.

Example: when IP22 sends traffic the ISAM might trigger an ARP request to his gateway which is clearly in a different subnet (IP11). See next slides

No security issue : only known IP addresses are allowed to ARP(anti IP@ -spoofing at ISAM)

> In this example IPA wants to send a packet to an IP-address in a different subnet Default router of RG is IP11 for subscriber IP pool 1 (red subnet)Default router of RG is IP12 for subscriber IP pool 2 (blue subnet)Default router of the ISAM is IP11 (see ISAM upstream FIB).


18

IP

User to user communication IPA(SN1) IPB (SN2)

NTLTE-MAN

Network

ISAM 1

LTMACLT1

IPW

MACXIPX

IPAMACA

LTMACLT2

ISAM 2 IPBMACBARP: who has IPR1

ARP reply: MACLT1 has IPR1MACA/IPA MACLT1/IPBIPB next-hop IPaddress? (IPR1)IPR1 next-hop MACaddress?

ARP reply: MACR1 has IPR1MACLT1/IPA MACR1/IPB

ARP (from MACLT1/IPA): who has IPR1

ARP: who has IPBARP reply: MACLT2 has IPB

ETC.

IPR1 / MACR1

IPR2MACR2

IP routing from SN1 to SN2

IP SN1

IP SN2

MACR2 / IPA MACLT2/IPB

> In this example IPA wants to send a packet to IPB, which is in a different subnet but both are transported over the same VLAN.> IPR2 is the known gateway for the end users residing in subnet 2 (SN2)> IPR1 is the known gateway for the end users residing in subnet 2 (SN1)> IPR1 is the default gateway of the forwarding table in the ISAMs


19

Forwarding over subnets!

IP

User to user communication IPB(SN2) IPA (SN1)

NTLTE-MAN

Network

ISAM 1

LTMACLT1

IPW

MACXIPX

IPAMACA

LTMACLT2

ISAM 2 IPBMACBARP: who has IPR2

ARP reply: MACLT2 has IPR2MACB/IPB MACLT2/IPA

IPA next-hop IPaddress? (=IPR1)IPR1 next-hop MACaddress?

ARP reply: MACR1 has IPR1MACLT2/IPB MACR1/IPA

ARP (from MACLT2/IPB): who has IPR1

ARP: who has IPAARP reply: MACLT1 has IPA

IPR1 / MACR1

IPR2MACR2

IP routing from SN2 to SN1

IP SN1

IP SN2

MACR1 / IPB MACLT1/IPAETC.

Gateway for ISAMs!

> In this example IPA wants to send a packet to IPB, which is in a different subnet but both are transported over the same VLAN.

> IPR2 is the known gateway for the end users residing in subnet 2 (SN2)> IPR1 is the known gateway for the end users residing in subnet 2 (SN1)> IPR1 is the default gateway of the forwarding table in the ISAMs

> In above slide you will see that the ARP request from ISAM2 to discover the MAC address of IPR1 is generated from IPB. This IPB belongs to a different IP subnet than IPR1 and the edge device should be able to respond to this. In some devices this would mean that you need to disable secured ARP.


20

IP aware bridge, things to consider/ extra benefits

Scalability VLANs shared by N ISAMs: Network switches learn MAC addresses of LT cards

1:48 reduction factor easier for EMAN ARP proxy to network: ARP issued by ISAM, not by all subscribers

IP edge still learns all IP addresses of all end-users in ARP table

ISAM-1

ISAM-2

IP1MAC1

IP2MAC2IP3MAC3

IP101MAC101

IP102MAC102IP103MAC103

IP201MAC201

IP202MAC202

IP203MAC203

BR

MACMAC-LT1MAC-LT2MAC-LT3

FW

FW

IP edge

ARP

IP1IP2IP3IP101

HSIA

VoIP

BTV

VoD

VLAN 100

VLAN 200

VLAN 300

Common VLAN per Service

VLAN 400

VLAN 100VLAN 200VLAN 300VLAN 400

V L A N 1 0 0V L A N 2 0 0V L A N 3 0 0V L A N 4 0 0


21

IP aware bridge, things to consider/ extra benefits

Security MAC address translation

Subscribers MAC-address never seen by the networkfull proof security

user to user communication fully blocked even for shared VLANs ARP proxy to subscribers

No ARP broadcast to all subscribersDownstream LT knows IP-subscriber interface relationship

Anti-IP address spoofingISAM responds to ARP request by its own MAC-address if target IP DA is

not associated with the originating DSL line and IP SA is learnt


IP routingL3


23

L3 functionality - General overview

The 7302 ISAM terminates: IP from user side IP/Ethernet on the network side

Forwarding based on IP destination address Full router on ISAM SHUB

ISAM is a next hop Directly connected subnets Most feature rich but also most complex access network model Automatic propagation or route configurations

Networkside User

sideEth-VLAN

7302 ISAM

Phys layerATMEthIP

Phys layerATMIP

Eth (VLAN)IP

Phys layerEthIPL3

> VR = Virtual Router


24

IP router in the 7302 ISAM

Directly connected subnets (to users and ER) configured on ISAM ISAM is next-hop

Aggregation at DSLAM level within a full featured VRF IP forwarder on LT , router on NT

Only one full router on ISAMplanned for future: multiple full virtual routers,

but requires new NT

POTS,ISDN

CPE

7302 ISAM

LTE-MANNetwork

GEFW

VRF-Green

VRF Blue

VRF-yellow

> Only one full router on the NT: only one VRF in fast path mode that can carry data traffic.> Additional VRFs can be defined on the NT, but they can carry only control traffic.


25

IP routing network model

Aggregation at DSLAM level Routing functionality on NT IP Forwarding on LT RIP and OSPF to the network (optional) RIP to the users (optional)

IP subnetIP address

ISAM

IP Router

CPERIP VRF

EMANEdge

VRF

OSPF / RIP

OSPF / RIP

Bridge

Bridge

EthIPoE

IPDSLATMIP Eth

DSLATMIP

NT LT

FWR


26

Principle

LT behaves similar as in IP aware bridging Differences: NT is next hop & forwarding on internal VLAN only ARP proxy towards network and users

NT has complete routing functionalities Routing tables filled manually or via routing protocols Normal ARP behaviour

E-MANIP

Network

NT

IPRIPoA/IPoE untaggedIPoE (V-VLAN)IPoE (VLAN)

Forwarding decision based on IP DA (L2+)Routed (L3)

R

LT

FW

VRF-yellowVRF-BlueV-VLAN

P-VLAN


IP configurationGeneral Principles


28

Multiple Routing and Forwardings VRFs

VRF Virtual routing and forwarding IP addresses are only unique within a VRF. a VRF can be seen as the layer 3 equivalent of a VLAN.

Each VRF consists out of One or more IP interfaces IP forwarding engine Entity performing adress resolution

Uses IP-net-to-media table

VRF-2

VRF 1

IP interface 1Intf nr

VLANx-VLANy*10.1.0.9IP address VLAN ID

IP Interface table per VRF

* VLAN bundling

DA* IPint110.1.0.0/1610.1.0.1Default

Subnet Next hop

* Directly attached Direct route

IP Forwarding table per VRF

> A Virtual Routing and Forwarding (VRF) is a logical subdivision of the system resources that provide transmission and forwarding of IP packets.

> So a VRF is an instance of a router with the exception that platform resources (backpanel, power supplies, non-volatile memory, ) are typically shared between all VRFs within the system. As a consequence, IP addresses are only unique within a VRF.

> Within a single system, a VRF can be seen as the layer 3 equivalent of a VLAN.


29

Virtual routers on the ISAM

Independent of each other On ASAM CORE (LTs)

127 VRFs can be defined On SHUB

127 VRFs can be created. VRF 0 is a default one which can not be deleted, created

or modified. Only 1 VRF as a full router

LT

VRF-Green

VRF-RED

LT

VRF-Green

VRF-RED

VRF-B

VRF-A

NT

> On asam-core, theres no default vrf 0. Only on the service hub, vrf 0 is a default. Vrf 0 can neither be deleted nor modified.

> On the service hub, only one VRF can carry data traffic (fast path mode).


30

configuration on VRF - General

Create VLANs VLAN mode i.f.o forwarding mode

Create VRF VRF mode i.f.o forwarding mode

Create L3 interface(s) & map interface(s) to VRF Interface can be on network side and/or user side

Configure IP parameters IP address on the interface Routing information in the VRF Configuration for

ARP proxy functionality

VRFVLAN

.a interfacenot explicitely mapped on VLAN

.b interfaceexplicitely mapped on VLAN Cr e a t e VLAN


31

Interfaces one-to-one mapping example

DA* IPint210.39.0.2/16DA* IPint110.38.0.2/16

10.39.0.1Default

Subnet Next hop

* Directly attached Direct route

VLAN 110.38.0.2IP interface 1IP interface 2

Intf nr

VLAN 210.39.0.2

IP address VLAN IDIP Interface table per VRF

[email protected]@video-VLAN210.39.0.1

IP@ MAC@-VLAN-IDIP net-to-media table - Layer 2 mapping table

IP Forwarding table per VRF

10.38.0.2/16

VRF

10.39.0.2/16

10.38.0.1/16MAC@edge

10.39.0.1/16MAC@edge

VLAN 1

VLAN 2


IP on ASAM-CORE

Overview commands


33

VLAN creation

VLAN mode i.f.o forwarding model

ASAM-CORE: configure vlan id mode layer2-terminated

SHUB: configure vlan shub id mode layer2-terminated configure vlan shub id mode v-vlan internal configure vlan shub id mode layer2-term-nwport external

Layer2 TerminatedLayer2 Terminated NW port & v-vlan

Routed

Layer2 TerminatedLayer2 TerminatedIP aware Bridge(forwarding)

LTs (ASAM-core)SHUBVLAN mode

FW Model

> How to create a VLAN in the correct mode with CLI and/or AWS, is explained in the 7302/5523 Handson course chapter VLAN creation.The 7302/5523 Handson course is part of the 7302/5523 operator curriculum.

> On the ASAM core both for IP forwarding as for IP routing the VLAN mode is layer 2 terminated.

> On the SHUB we have seen in previous chapters the structure is different for both IP forwarding: one VLAN on SHUB > mode layer2-terminated (function has no real

difference with residential bridge on SHUB) IP routing: at least two VLANs on SHUB > one in mode V-vlan for forwarding of traffic

between NT and LTs, this V-vlan (virtual vlan) is using the same ID number as the layer2-terminated vlan on the LTs. And another one on the SHUB in mode layer2-term-nwport for forwarding of traffic between the NT and the network, the ID used by this one is different than the one used by the v-vlan.


34

VRF in ASAM-CORE

Creation of the VRF on ASAM-CORE (LTs) configure ip vrf name mode

VRF mode: Forwarder = for IP aware bridge router = for routed mode , LTs are aware NT is next hop

Once VRF is created optional parameters become available: Route-destination: Route entries for the VRF step Network-itf: step User-itf: step Gateway-itf: step

> The VRF-ID is the ID that uniquely defines a certain VRF. In the ASAM-CORE the VRF-ID can range from 1 to 127.


35

LTPC

Interfacing from the VRF

Create the L3 interfaces and mapping to VRF

Create network interface: Go to VRF configure ip vrf Create interfacenetwork-itf unnumbered arp-policy trusted

Create interfaces at user side:Go to VRF configure ip vrf Create interfaceuser-itf (bridge)port

> bridgeport: IPoE> port: IPoA

Network side User side

VRF

.IP interfacemapped on VLANTowards network

.IP interfacetowards end user.

> Creation of the L3 interface on Network side and mapping to VRF.The structure of the CLI is such that the creation of the IP interfaces in the ASAM-CORE is done at VRF level. By creating the interface at that location the mapping of the interface to the VRF is done implicitely. When you create the IP interface you need to define wether the interface is an unnumbered IP interface or not and define its ARP policy.In general the IP interface at network side on ASAM-CORE needs to be unnumbered and ARP policy trusted On the network side the IP interface is created (L3 point) and mapped to a VLAN(= creation of VLAN-bind ) The VLAN-bind should appear when performing the command configure ip # info detail

> Creation of the L3 interface on user sideIn the CLI, the user interface is like the network interface created at VRF level.This interface is always unnumbered. The (bridge)port has to be created prior to the L3 interface creation (via the AWS or CLI).The is Rack/shelf/slot/port:VP:VC. In case of EFM ofcourse, no VP:VC is defined


36

IP VRF parameters

ARP proxy functionalities: define user gateway and network ID configure ip vrf

gateway-itf ip-address Only needed in case of static IP address configuration of end users

Routing information upstream configure ip vrf

route-dest next-hop direct:network:

Routing information downstream configure ip vrf

route-dest next-hop direct:user-(bridge)port: Only needed in case of static IP address configuration of end users

> Routing information upstream in routing configuration command upstream, is Rack/shelf/slot/port:VP:VC. In case of EFM, no VP:VC is defined


37

AWS tools

AWS: Learned ARP entries & IP addresses Adding routes in routing table Select IP interface and then from menu

Service > Ethernet/IP >

Double-click


IP on SHUB

Overview commands


39

VLAN creation

VLAN mode i.f.o forwarding model

ASAM-CORE: configure vlan id mode layer2-terminated

SHUB: configure vlan shub id mode layer2-terminated configure vlan shub id mode v-vlan internal configure vlan shub id mode layer2-term-nwport external

Layer2 TerminatedLayer2 Terminated NW port & v-vlan

Routed

Layer2 TerminatedLayer2 TerminatedIP aware Bridge(forwarding)

LTs (ASAM-core)SHUBVLAN mode

FW Model

> How to create a VLAN in the correct mode with CLI and/or AWS, is explained in the 7302/5523 Handson course chapter VLAN creation.The 7302/5523 Handson course is part of the 7302/5523 operator curriculum.

> On the ASAM core both for IP forwarding as for IP routing the VLAN mode is layer 2 terminated.

> On the SHUB we have seen in previous chapters the structure is different for both IP forwarding: one VLAN on SHUB > mode layer2-terminated (function has no real

difference with residential bridge on SHUB) IP routing: at least two VLANs on SHUB > one in mode V-vlan for forwarding of traffic

between NT and LTs, this V-vlan (virtual vlan) is using the same ID number as the layer2-terminated vlan on the LTs. And another one on the SHUB in mode layer2-term-nwport for forwarding of traffic between the NT and the network, the ID used by this one is different than the one used by the v-vlan.


40

VRF in SHUB

Creation of a VRF on SHUB configure ip shub vrf name :

VRF-mode:slow-path-mode: only for control functions (DHCP relay, RADIUS) fast-path-mode: for data traffic and control functions Only one VRF in fast-path-mode !

Once VRF is created 2 optional commands are available Definition of routing option Configuration of routing information

refer to step

> Only one VRF can be in fast path mode, this is the VRF that you want to use for the forwarding of data packets and possibly want to run routing protocols. In the case a DHCP relay agent or external authentication is required in routed mode, the respective IP configuration for these functions need to be done in the routed VRF.

> When you define a VRF, you specify if you want to allow user-to-user-communication or not: ena/dis-user-user-com.


41

Interfacing from the VRF

Creation of the L3 interface(s) & map interface(s) to VRF interfaces on VRF SHUB:

Network interfaces.Interfaces towards LTs

Interface directly created on top of VLAN configure interface shub vlan-id admin-status

Map interface to VRFConfigure interface shub ip vrf-id

VRF

VLAN IP interface

Cr e a t e VLAN

> Defining if the interface that you are creating on the Service Hub is a network interface or a user interface is implicitely done when the VLAN is mapped on the interface

The interface that you define on the SHUB is a network interface in the following cases.VLAN mode of the VLAN-ID to which the interface is mapped is:- Residentiel bridge- Layer2-Terminated- Layer2-term-nwport The interface that you define on the SHUB is a user interface when the VLAN mode of the VLAN-ID to which the interface is mapped is v-vlan mode

> By performing the command configure interface shub vlan-id you did not only map the interface to the vlan, but implicitely created the L3 interface. At this point when you perform the command configure interface shub# info detail, you will not only see the interface vlan-id with its parameters popping-up, but also the interface ip .At this point however the L3 interface is not yet mapped to a vrf. (no ver-id # value = 0)The mapping to the VRF is done in the next step.


42

IP VRF parameters

Configuration of IP parameters Step 1 : Configuration of IP address on the interface Step 2: Bring up the interface

Interface needs to be down for configuration of the IP address on the interface.

Step 3: Routing information on the VRF

Step 4: Enabling routing protocols on the interfacesISAM supports RIPv2 and OSPF

>


43

IP VRF parameters

Step 1: Configuration of IP address on the interface Configure interface shub ip ip-addr

Step 2: Bring up the interface Configure interface shub vlan-id admin-status

Vlan admin-status needs to be down for (re)configuration of IP address

Step 3: Routing information in VRF network side and user side Configure ip shub vrf route-dest x next-hop vlan-id

> For default route, route-dest is 0.0.0.0/0


44

AWS tools

Edit routes in the VRF of SHUB: EML USM: Views VRF Service Hub

Select VRF and edit routes: EML USM: Service Ethernet/IP IP route


Exercises


46

IP routing: configuration

1. Create and configure VLAN On ASAM-CORE On service hub

2. Create VRF / interfaces + routes On service hub On ASAM-CORE

3. Configure user port

E-MANIP

Network

ISP/Internet

NT

IP@ERVLAN 190

R VRF-BlueLTFW

VRF-yellowV-VLAN 666

Routed mode

(Of course, the VLANs can have other ids.)> vlan 190 is external (from the service hub to the network); vlan 666 is internal.


47

1. Create and configure VLAN

On ASAM-CORE Configure vlan id 666 name mode layer2-terminated

># egress-port:lt:1/1/[4..19]

On SHUB Configure vlan shub id 190 name mode layer2-term-nwport

># egress-port:network:2 Configure vlan shub id 666 name mode v-vlan

E-MANIP

Network

ISP/Internet

NT

IP@ERVLAN 190

R VRF-BlueLTFW

VRF-yellowV-VLAN 666

Routed mode

> vlan 190 is external (from the service hub to the network); vlan 666 is internal. Vlan 190 only needs to be created on the service hub, not on the ASAM-CORE.


48

2a. Create VRF / interfaces + default route (SHUB)

Configure ip shub vrf 30 name VRF30 fast-path-mode:dis-user-user-com Configure interface shub vlan id 190 Configure interface shub ip 190 vrf 30 ip-addr 10.10.190.27/24 Configure interface shub vlan id 190 admin-status auto-up Configure interface shub vlan-id 666 Configure interface shub ip 666

vrf 30 ip-addr 27.27.190.1

Configure interface shub vlan-id 666 admin-status auto-up Configure ip shub vrf 30

Route-dest 0.0.0.0/0 next-hop 10.10.190.1 vlan-id 190

E-MANIP

Network

NT

[email protected]

VLAN 190

R VRF-BlueLTFW

VRF30V-VLAN 666

10.10.190.27

> Here we need to create a VRF (called VRF30) on the service hub. We disallow user to user communication (dis-user-user-com).

> Per ISAM, there can only be one VRF with fast path mode.> By associating a VLAN to a VRF, we upgrade the VLAN to layer3 functionality (VRF).> The sequence matters: first you associate a VLAN to a VRF and afterwards you can add the

IP-address (if you do in the reverse order, the IP-address you allocated earlier, will be deleted when you associate the VRF).


49

2b. Create VRF / interfaces (ASAM-CORE)

Configure ip vrf 27 name VRF27 mode router Configure ip vrf 27

network-itf 666 unnumbered arp-policy trusted Gateway-itf ip-address 27.27.190.1/24

E-MANIP

Network

NT

[email protected]

VLAN 190

R VRF27

FW

VRF30V-VLAN 666

10.10.190.272 7 . 27 . 1 90 . 1

> Create VRF27 on the ASAM-CORE.> On ASAM-CORE the IP-interface will automatically be plugged into the VRF.


50

3. Configure (user-)port

Configure user port (AWS or CLI) Configure port Create ATM TP Create IP-interface

Direct route to user (27.27.190.111/32)

E-MANIP

Network

ISP/Internet

NT

[email protected]

VLAN 190

R VRF27

FW

VRF-30V-VLAN 666

10.10.190.272 7 . 27 . 1 90 . 1

27.27.190.111

> Unlike the previous steps, these steps can be done with AWS too.> If you want to test the connection, dont forget to change the IP-address, netmask and

gateway on your PC! In this case: IP-address 27.27.190.111 netmask 255.255.255.0, gateway 27.27.190.1.


IP aware bridge configuration_______________________________________________________________

After completing the assignments in this chapter, youll be able to:- Retrieve IP-related information:-Which VRFs are created?-What is the default GW of VRF0?

-What are the IP interfaces on the Service hub associated to a particular VRF? - Create a VRF, associate an IP interface and enter routing entries.

_______________________________________________________________Alcatel 5523/7302 Advanced Operator (3FL00327-D AAAA WBZZA)Alcatel 5523 AWS: customer documentation__________________________________________________________> Perform these exercises with CLI

The first 4 questions are ment as a fast refresh of the knowledge gained in the Basic Operator course (ref Basic course)

1. VLAN 170 is used for IP aware bridging mode . Is this correct ? What should the configuration be ? Do you see any discrepancies ? Yes?No ? Why ? Verify this with CLI and AWS

2 . Which logical ports (end-users) are associated to VLAN 170?Verify this with AWS

3 . Explain the total configuration of the user logical ports on port TRAINING-d. How is the forwarding done? To which VRF(s) are the logical ports mapped. What is the difference between the configuration on logical port VP/VC 8/35 and VP/VC 8/36Verify this with AWS and CLI

4 . How many MAC-addresses can be learned on the connection 8/36? Explain !Verify this with AWS

Reference

Objectives

IP aware bridge retrieval exercises


5. What are the VRF(s) configured on the ASAM-CORE? Verify this with AWS and CLI

6. What is the index of the interface mapped to VLAN 170?Verify this with CLI

What are the different interfaces that are used/configured in VRF 17? Verify this with CLI

Is there an IP@ configured on the network interface mapped on VLAN 170?Verify this with CLI

9. Is there an IP@ configured on the network interface on port Training-d, VP/VC 8/35 mapped on VLAN 170?Verify this with CLI and AWS.

.

10. Are there any routes configured inside the ISAM which map on the interface associated to VLAN 170. (direct routes and indirect routes) Verify this with CLI.


11. What is the default of the ISAM in VRF 17? Is it correct to state that if you know the default GW of the ISAM, you also, implicitely, know the default GW of the end-user ? Explain why/why not Verify

this with CLI.

12. Are there gateway interfaces configured in this VRF? When and why are they needed?

!"#"

14. When will a frame with VLAN170 will be sent to the network ?


54

IP aware bridge - single pool one VLAN static IP

VRF with static route to user VRF with static route to gateway

E-MAN

IP

LT

VRF1X

SHUB

192.168.10.10192.168.20.10

10.10.17X.1 10.10.17X.100UNNUMBERED

BRIDGED

8/36

=> STATIC

FORWARDERMODE

L2-TERMINATEDMODE

=> USER GW

VLAN 17X

ISP

GROUP XISAM Y

1. Configure your system for IP-aware bridge setup with following configuration Configure VRF 1x (x = adslx) on the ASAM-CORE which you will be using for IP aware bridge . Give it a name of your choice.The VLAN towards the network is VLAN 17x , The default gateway of the ISAM is

10.10.17x.1 .Your end user is statically configured. He has IP@ 10.10.17x.100Make this setup work.Try to ping the gateway of the end-user. Also perform a traceroute. Explain what you see. What is the scenario when you perform a ping to the user gateway.

Configuration of IP aware bridging mode


55

E-MAN

IP

LT

VRF1X

SHUB

10.10.17X.1

10.10.17X.100

BRIDGED

8/36

=> STATIC

FORWARDERMODE

=> USER GW

VLAN 17X

IP aware bridge - two IP pools - one VLAN static IP

11.11.17X.100

11.11.17X.1

L2-TERMINATEDMODE UNNUMBERED

ISP

192.168.10.10192.168.20.10

GROUP XISAM Y

2. At this stage we add the setup with a second IP-pool 11.11.17x/24 for the end users. . Towards the network we stay in the same VLAN.End-user gateway is 11.11.17x.1, the gateway of the ISAM remains unchanged. End user IP@ to use is 11.11.17x.100 What are the additional things you need to configure ? Make this setup work.Try to ping the Gateway of the ISAM and perform a traceroute. Try to ping the gateway of the end-user and perform a traceroute towards is.Explain what you see. What is the difference with scenario 1 .


IP routed configuration_______________________________________________________________Alcatel 5523/7302 Basic Operator (3FL00278 AAAA WBAAA)Alcatel 5523 AWS: customer documentation__________________________________________________________

1. Check the VLAN configuration of VLAN 1190. What can you conclude ?Verify this with AWS and CLI

2 . Check the VLAN configuration of VLAN 190. Verify this with AWS and CLI

3. What is the first VRF-ID available on the Service hub. Check this. Are there other VRFs configured on the Service hub Verify this with AWS and CLI

4. What is the routing mode of the default VRF? What does it mean ?Verify this with CLI.

Reference

IP routed retrieval exercises


5. Which interfaces are defined on the default VRF on the Service hub?What are the IP addresses of the relevant interfaces? Verify this with CLI

6 . What is the routing mode of the VRF 30 ? What does it mean ?Verify this and CLI

7. Check the Interfaces mapped on VRF 30 on the SHUBWhich of the interfaces are interfaces to the user side.Which of the interfaces are network interfaces ?Verify this with AWS and CLI

8. Are there IP@ defined on the relevant interfaces found above ? Is this necessary ? Why ? Why not ?

Verify this with CLI


9. What is the default gateway for VRF 30 on the SHUB. To which VLAN is it mapped to? Verify this with AWS the CLI.

10 . Check the configured administrative status of the interface on the SHUB mapped on VLAN 190Verify this with the CLI.

11. Check the actual status of the interface mentioned above. | Verify this with the CLI.

12. What is the VRF on the ASAM-CORE to which the internal VLAN 1190 is connected to.Check out the configuration of the VRF. What do you notice ? Verify this with the CLI.

13. On the ASAM-CORE, is there an IP@ configured on the network interface mapped on VLAN 1190 ?What is the IP-address of the network interface in VLAN 1190 ?Verify this with CLI


14. Are there any routes configured in the VRF on the ASAM-CORE on which VLAN 1190 is mapped to ? Which ones are relevant? When? Why? Why not Verify this with CLI

15. Is there a Default GW defined on VRF 20 on the ASAM-CORE? Why ? Why not ? Verify this with AWS and CLI


> Perform these excercices with the CLI 1. Configure VRF xx (x = adslx) on the SHUB. Give it a name of your choice.

2 . Create an interface on VLAN 10x0. Make sure this interface is a network interface !

3. Make sure that the interface is administratively up.

4. What is the IP-address and the default GW of the interface you just created ?

5. Map your interface to the VRF that you just created.

6. Does this configuration change the settings in the VRF?

VRF configuration on SHUB


7. Give the interface an IP address = 138.x0.x0.x0 netmask 255.255.255.0 and map it to your VRF.

8 . Check the information configured on the interface and in the VRF. What do you see?

9. Configure the default GW for the interface=138.x0.x0.1.

10 Check your configuration.

11. Is the interface at this stage ready to use? If an action is required, perform it.

12. Delete the VRF that you just created. What are the steps to follow?


62

IP routed Configuration Case

E-MAN

IP VLAN 119X

LT

VRF2X

SHUB

VRF30VLAN 19X

192.168.10.10192.168.20.10

10.10.19X.1 2Y.2Y.19X.1002Y.2Y.19X.1 UNNUMBERED

ROUTED MODE

LAYER2-TERM-NWPORT

V-VLAN& L2-T BRIDGED

8/36

=> STATIC10.10.19X.2Y

ROUTED MODE

=> USER GW

ISP

GROUP XISAM Y

VRF ON SHUB IN FAST-PATH-MODE

1.Configure your system for IP-routing with following configuration Configure VRF 2x (x = adslx) on the ASAM-CORE and use VRF 30 in the SHUB . Give them a name of your choice.The V-VLAN to use is 119x (x=adslx)The VLAN towards the network is VLAN 19x , The default gateway of the SHUB is

10.10.19x.1 .Your end user is statically configured. He has IP@ 2y.2y.19x.100Make sure that from your en-user terminal, you can ping the gateway of the ISAM. Make this setup work.

IP routing set-up configuration

Date post:	29-Oct-2015
Category:	Documents
Upload:	tony-anh-les
View:	136 times
Download:	15 times

IP in the ISAM

Documents