VLAN Forwarding Modes and IB

Date post: 10-Feb-2018
  • 7/22/2019 VLAN Forwarding Modes and IB

    1/75

    TAC03001 _D Ed01 1 2008 Alcatel Bell N.V., All rights reserved

    Alcatel-Lucent University Antwerp 1

    University

    VLAN forwarding modes and IB

    Alcatel-Lucent University Antwerp

    University

    7302-7330-735x ISAM / 5520 AMS operator part 1 section D

During class please switch off your mobile, pager or other device that may interrupt.

    Entry level requirements:

    > You are familiar with the theoretical concepts of Ethernet and VLANs.

> You can configure equipment and interworking function (basic configuration) on ISAMs using the 5520 AMS.

2/75

    Objectives

    After attending this session, you should be able to:

Describe what a Residential Bridge VLAN (= Intelligent Bridge VLAN) is

    Explain how the RB-VLAN is behaving

    on LT

    on SHUB

    Create a RB-VLAN via AMS and CLI

    on ASAM-CORE

    on service hub

    Associate a RB-VLAN to Ethernet ports on the service hub

    Associate a RB-VLAN to a bridge port

    with or without VLAN translation

3/75

    Table of contents

    Forwarding modes: general . . . . p. 4

    Layer 2 forwarding: The Basics . . . . . p. 7

    Intelligent bridging . . . . . . p. 15

    VLAN setup . . . . . . . . p. 33

    VLAN association . . . . . . p. 47

    Exercises . . . . . . . . p. 61

4/75

    Forwarding modes

    General

5/75

    Forwarding engines

    On the LT

    On the NT the forwarding engine is part of the service hub

Figure: forwarding engines. On the NT the service hub has external Ethernet links GE1-16 and ASAM links GE/FE 1-7 towards the LTs; each LT (LT 1 .. LT x) contains the IWF with its own forwarding engine between the ASAM link (x/Eth) and the PVC / logical user port (x/ATM/Phys. layer) or the EFM / user port, towards the CPE.

> We mentioned earlier that the LT contains the Inter Working Function and the service hub (that is hosted on the NT) the aggregation function. Both of them perform forwarding, and for that purpose, the Inter Working Function provides a forwarding engine (i.e. a bridge).

6/75

    Forwarding modes: General

Figure: forwarding mode decision in the 7302 ISAM between the network side (Eth-VLAN towards the ANT) and the user side: L2 (Intelligent Bridge (IB), VLAN Cross-Connect (CC), Enhanced iBridge), L2+ (PPPoE engine) and L3 (routed).

> Different forwarding modes are supported in order to make the ISAM fit into the different network models of different operators.

> If the DSLAMs are mainly connected to a bridged Metro Ethernet network, MAC scalability may become an issue when only layer 2 forwarding is done in the DSLAM. In that case the MAC addresses of all end-user terminals will have to be learnt in the Metro Ethernet network, while the MAC tables of some bridges may be quite limited. In that case, it would probably be better to use the layer 2+ or L3 forwarding function of the ISAM. (However, we mustn't exaggerate this issue: most bridges can learn many MAC addresses without any problem!)

> However, if IP routers are used in the Metro Ethernet network close to the DSLAMs, MAC scalability will not be an issue, and layer 2 forwarding in the DSLAM may be an interesting option, because in general layer 2 means less configuration effort. With the 7302 ISAM, operators have the flexibility to choose the forwarding mode which best fits their network.

> In general, the previous layer 2 and layer 3 forwarding functions are overkill for network-VPN services towards business customers, given that the number of connections to the same VPN from one DSLAM will mostly be only one, or only very few connections per VPN. In such cases, the VLAN cross-connect mode of the ISAM is much more appropriate for these business users:

less configuration effort,

avoids too many bridges or routers in one VPN.

7/75

    L2 Forwarding mode

8/75

    General overview

Figure: layer 2 forwarding in the 7302 ISAM. Network side: Eth-VLAN over the physical layer, carrying anything. User side: ATM/AAL over the physical layer, Eth (VLAN), carrying anything. The L2 forwarding is done on Eth - VLAN.

    Ethernet layer must be present at both sides.

    encapsulation at CPE must include Ethernet

> In case the 7302 ISAM performs L2 forwarding, it means that the internal forwarding is basically done on layer 2 information. The layer 2 is Ethernet, including the concept of VLANs.

> In both layer 2 forwarding models (intelligent bridge as well as cross-connect), the ISAM can accept tagged frames coming from a user. The operator can configure exactly which tag is to be expected on the bridge port, and frames carrying another tag will be discarded (filter).

> In case of VLAN translation, the user sends tags that are recognized, but only have a local meaning and will immediately be translated into a network VLAN.

> In case of cross-connect, it is possible to have C-VLAN transparency (where only the S-VLAN is configured in the ISAM). In that case, the user can send any C-VLAN. The ISAM will not filter based on C-VLAN. See section on cross-connect.

9/75

    Two L2 forwarding modes

the intelligent bridging (IB): one (or more) circuits per VLAN; forwarding based upon MAC addresses and VLAN

the cross-connect (CC): one (or more) VLANs per circuit; forwarding based upon

User side: bridge port on PVC for ATM, or (subscriber VLAN on) bridge port on DSL port for EFM

Network side: single or stacked VLAN tag

> The ISAM 7302 provides a special Layer 2 behavior that results from being deployed in an access environment. I.e. it supports the 'cross connect mode' and it supports the 'Intelligent Bridging mode'.

> In cross-connect mode, a particular VLAN-id is associated to one user connection only.

> In intelligent bridging mode, multiple user connections can be associated with each virtual LAN.

> The mode can be configured per VLAN. A particular VLAN can operate in only one of these modes at a time. A port however can be assigned to one or more VLAN cross-connects at a time and can therefore operate simultaneously in cross-connect or intelligent bridging mode. This is especially true for the Ethernet port, since it must belong to every VLAN configured.

10/75

    L2 functionalities

Figure: L2 functionalities. LT 1 .. LT 16 each contain an IWF (a standard VLAN-enabled bridge) connected via an ASAM link and the PVC / logical user port to the user ports. The NT hosts the Service Hub (aggregation function, a special VLAN-enabled bridge) with the ASAM links GE/FE 1-7, the external Ethernet links GE1-16, the FE control link and the control/management function.

> In general the aggregation function, implemented by means of the Service Hub on the NT, behaves as a standard bridge. A few extra features make it possible to configure the Service Hub to behave in IB mode or XC mode.

> The Service Hub (Ethernet Switch) is composed of:

1) the Ethernet transceiver function

2) the Forwarding Engine, providing the Ethernet L2 switching function

3) the switch, providing network (trunk) ports, cascade / subtending (trunk) ports, user Ethernet ports, NT (control) Ethernet port (on ECNT-A only!), out-band management Ethernet port and ASAM (LT) Ethernet ports.

> It is the IWF (Interworking Function) on the LT board that serves as the ATM to Ethernet interworking device.

> In the upstream direction (ingress bridge port on ATM PVC port), the IWF on the LT receives traffic on the ATM PVC port, reassembles the Ethernet frames from the ATM cells and forwards them towards the SHUB and thus to the E-MAN network.

> In the downstream direction the network interface of the Service Hub receives the Ethernet frames and forwards them towards the correct egress port on the Service Hub. Once the Ethernet frame is received on the ingress Ethernet port of the IWF, the frame is forwarded towards the correct user logical port, where the received Ethernet frames are segmented into ATM cells and forwarded toward the correct ATM PVC ports.

> The Service Hub and the IWFs on the LTs behave (as much as possible) as two independent Layer 2 systems: they both learn and age MAC addresses independently.

> The control function is involved in the management of the data plane (see later).

11/75

Figure: protocol stack from CPE to E-MAN. CPE: anything over Ethernet Layer 2 (+ MAC control), LLC/SNAP, AAL5, ATM, xDSL PHY (POTS/ISDN underneath). ISAM LT: the ETH-ATM Interworking Function (IWF) terminates AAL5/ATM/LLC/SNAP and hands Ethernet Layer 2 frames over GE to the NT switch. NT: Ethernet switch with GE and FE/GE Ethernet PHY towards the E-MAN network, where anything is carried over Ethernet Layer 2 (+ MAC control).

> The customer's CPE is connected to the ASAM-Core with an ATM interface. It is the IWF on the LT that provides the interworking between the ATM and the Ethernet/VLAN technology. The Service Hub will behave as a standard bridge with some enhancements and perform layer 2/Ethernet forwarding.

> The layer 2 access offered via the IWF does not offer the same capabilities as the traditional ATM Layer 2 access offered by the ASAM. A traditional ATM Layer 2 access network is transparent for everything on top of ATM and as such supports many more frame encapsulation techniques at the CPE. The proposed E-MAN/ATM layer 2 access supports only CPEs using Ethernet over ATM, encapsulated by AAL5 and RFC2684 bridged.

> In the case where the 7302 ISAM performs layer 2 forwarding and the Ethernet switches in between (E-MAN) work as bridges, the Ethernet L2 environment is terminated in the IP edge (typically the BRAS).

12/75

Intro: Standard Bridging

13/75

    Standard bridging concept

    MAC bridges can interconnect all kinds of LANs together

    No guaranteed delivery of frames

    A bridge learns MAC addresses

Flooding occurs when the destination MAC address is broadcast, multicast or unknown: if you do not know, send it to everybody.

If the destination MAC address has been learned, the frame is forwarded to the indicated interface.

14/75

    Security/scalability issue with standard bridging

Broadcast frames (ARP, PPPoE-PADI) forwarded to all users & flooding to all ports.

    MAC-address of a user is exposed to other users

    Broadcast storms

Figure: two DSLAMs with CPE/PC users connected over an Ethernet aggregation network to the BRAS; a frame with a BC or unknown MAC DA is flooded by the standard bridges to every user port on both DSLAMs.

    > The issue on the slide occurs with standard Ethernet bridges. Operators using VPLS in the E-MAN will not have this issue!

15/75

    Standard bridging: Issues

    Broadcast storms

    Security Broadcast frames are forwarded to all users

    Customers identified by MAC-address (not guaranteed unique)

    Restrictions on services and revenues:

    IP edge device has no info on the access line

    So not possible to limit the # of sessions per access line

    User-to-user communication possible without passing the BRAS

    NOT FIT FOR USE IN PUBLIC NETWORKS

> Scalability:

Broadcast storms

Broadcast frames are flooded over the entire aggregation network. This generates an important amount of traffic, which can result in service degradation or denial of service.

Bridges have to learn the MAC addresses of all devices connected to the network.

> Security

Broadcast frames (ARP, PPPoE PADI, ...) are forwarded to all users

MAC address of a user is exposed to other users

> Customer segregation

Customers are identified by MAC address, and MAC addresses are not guaranteed unique.

Undesirable & unstable behaviour: user B gets traffic destined to user A and vice versa.

> PADI = PPPoE Active Discovery Initiation packet (which is broadcast). This is the first message in the initialization phase to establish a PPPoE session.

16/75

    Intelligent Bridging

17/75

    The intelligent bridging model (1/3)

    Multiple users connected to 1 VLAN ID

    IB-VLAN has:

    1 or more user logical ports, subtending ports or user Ethernet ports

    1 or more network ports

Figure: left, the DSLAM connects through the E-MAN network to ISP1 and ISP2 (Internet) with one VLAN per ISP, so routing to the correct ISP is based on the VLAN-id; right, all users share one VLAN through the E-MAN network to the BAS, and routing to the correct ISP or corporate (IP, Internet) is done based on user-id and password in the BRAS (login to ISP or corporate).

Note: Tagged frames not supported for IB if Rel. In case of Intelligent Bridging multiple users are connected to the same VLAN, or in other words we have aggregation at DSLAM level within a VLAN.

> In the figure at the left we see multiple VLAN bridges supported in 1 DSLAM, to connect to different Service Providers (SP) (wholesale). Each SP is connected to the DSLAM with a specific VLAN-ID. The user ports are connected to the VLAN of their corresponding SP. Multiple user ports can be associated to a single VLAN-ID. Users 2 and 5 are connected to the ISP1 VLAN. Users 1, 3 & 4 are connected to the ISP2 VLAN. The MAC address lookup is performed in the forwarding table of the respective VLAN. With the principle that we have 1 VLAN ID per {IP-edge, DSLAM} pair, this means that in each Ethernet switch the SP has its own forwarding table.

> In the figure at the right we see that the routing to the correct SP is based on user-id and password and that all the users are connected with the same VLAN-ID to the BRAS.

18/75

    The intelligent bridging model (2/3)

    Why VLAN Translation (customer vlan to network vlan)

Wholesale per service. Drivers: VDSL and Eth offer more BW, so it makes sense to wholesale this in pieces rather than the complete DSL line as a whole.

Consequences: model with VLANs on the DSL line; behaviour equivalent to the multi-VC model on ATM/ADSL.

VLAN per service and per provider in the aggregation network.

Service provider is free to choose the CPE configuration, but VLANs in the aggregation network are under control of the ILEC.

Ultimately 1 subscriber (1 line) may have to support 2 HSIA services or 2 video services from different service providers.

> There are many operators who base their network architecture on one PVC per service when connecting ADSL subscribers. Once those operators start deploying VDSL, they are immediately confronted with the issue that there is no similar approach for EFM interfaces. That's why we have introduced VLAN Translation.

> The requirement is driven by the wholesale model. Operators want to use a network model whereby a given user can be subscribed to a different service provider for each service. Therefore they want to have separate "circuits" per service all the way up to the CPE. They are looking at a model of VLAN/service on the DSL line, and VLAN/service/ISP in the aggregation network.

19/75

    The intelligent bridging model (3/3)

    Special layer 2 behavior needed in an access environment

IB with VLAN tagging. Intelligent Bridge (IB) means:

distinction between network ports and user ports

Frames from a user always sent towards the network: no user to user communication

prevent broadcast traffic from escalating: avoid broadcast or flooding to all users

secure MAC-address learning within a VLAN: avoid MAC-address duplication over multiple ports

protocol filtering may lead to a frame being forwarded, sent to a host processor, discarded, or forwarded & sent to a host processor

> In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging is that it makes a distinction between network ports and user ports.

> With Intelligent Bridging, frames received from a user will always be sent towards the network and never to another user. All traffic received from a user interface is forwarded only on the uplink, and never to other users. This avoids that a user's MAC address is exposed to other users; and also assures that the user's traffic passes through the IP edge point where it can be charged for.

Unicast frames: user-to-user communication is not permitted.

Broadcast and multicast frames from a user are only forwarded to the interface towards the network and not to all other users.

> A second difference with standard bridging is the prevention of broadcast storms. In a standard bridge, a broadcast frame will be sent to all ports in a particular VLAN. In case of Intelligent Bridging this is no longer true. Depending on the type of broadcast frame (depending on the protocol above Ethernet, e.g. DHCP) the treatment will be different. Each protocol will deal with the restriction of Intelligent Bridging in a different way. In all cases a broadcast to all users is avoided, e.g. broadcast as a consequence of flooding (when the MAC DA is unknown) or in case of multicast.

> Another difference with standard bridging is the way MAC addresses are learnt: protection is built in to avoid the use within one particular VLAN of the same MAC address over multiple ports.

> With intelligent bridging only the following types of frames are accepted from the user ports: IPv4, ARP, PPPoE, IGMP and EAPOL (used for 802.1x). Other frames will be discarded, including multicast data frames coming from user ports.

20/75

Figure: two ISAMs (CPEs with MAC A and MAC B) connected through an Ethernet network to the IP edge over one shared VLAN. Problem: if user A can obtain the MAC address of user C, since the Ethernet switch learns all MAC addresses, user to user communication is possible.

> On the previous slides, we learnt how user to user communication is avoided inside the ISAM. But it is also important to mention that a VLAN must be unique between an [IP-edge, ISAM] pair in the Ethernet network to support the Intelligent Bridging feature. Take e.g. the network configuration shown in the figure above, where 2 ISAMs with the same VLAN are connected to the IP edge via the E-MAN network through a single VLAN (or in other words a single VLAN exists between ISAM1, ISAM2 and the IP edge).

> In this case, the Ethernet switch learns all user MAC addresses, and if user A can obtain the MAC address of user C, then user A can send traffic directly to user C without going to the IP edge. This is not acceptable: in Intelligent Bridging mode no direct user to user communication is allowed in the network. Another issue is that in such a configuration an ISAM would receive all broadcast / flooded frames from any ISAM in the VLAN, with potential performance issues as a consequence.

21/75

    Broadcast messages & flooding US

    Upstream BC frames & flooding only forwarded towards

    network port(s) within a VLAN

    1 VLAN per IP-edge

    Reduction of flooding in the aggregation network.

    No user-to-user communication without passing the BRAS

Figure: two ISAMs (PC A / CPE, PC B / CPE) connected through the Ethernet network to the BRAS, each in its own VLAN (VLAN 1, VLAN 2); a frame with BC or unknown MAC DA from a user is forwarded only towards the network port.

> Blocking user to user communication at L2

> The principle is to avoid that 2 users connected to the same ISAM communicate with each other directly at L2. In this case, when user A sends a message with destination MAC address B, that message is sent to the uplink, not to user B. In case of PPP this is not an issue, since all messages coming from the DSL users will have destination MAC address = MAC address of the BRAS.

> The objective is that all traffic passes a L3 box. The motivation is twofold:

Security: If direct user-to-user communication at L2 were allowed, this would give malicious users an easy way to find out the MAC address of other users, and then try to take it over. Note: blocking duplicate MAC addresses will solve most of it, but if the malicious user is waiting until the MAC address has aged, and then tries to take it for himself, he blocks the other user.

Accounting for traffic:

If we allowed user to user communication directly in the ISAM, we would also have to introduce mechanisms to measure and account for the traffic. Not just for billing purposes (most services will likely not use volume-based billing), but also for features such as legal intercept. So in other words, this kind of peer-to-peer traffic would be hidden from the operator, and in particular for peer to peer traffic operators will probably not like that.

22/75

    Broadcast messages & flooding DS

    Blocking of broadcast & flooding in the downstream

    Avoids messages unintentionally distributed to all users

    For some applications forwarding of BC is needed

    Solution: Make BC flooding / BC discarding a configurable option per VLAN

Figure: two ISAMs with PC/CPE users connected through the Ethernet network to the BRAS; a downstream frame with BC or unknown MAC DA is not distributed to all users.

> In a normal bridge, when a message is received with a destination MAC address not yet in the self-learning table, the message is broadcast to all the other interfaces. Also, broadcast messages are flooded to all interfaces.

In an Intelligent Bridge you want to avoid that in the downstream, messages are unintentionally distributed to all users. Therefore you need to put mechanisms in place that, together with the systems set up in the upstream, inhibit BC messages from being sent to all users and avoid the flooding of messages with unknown MAC DA to all users.

> For some applications it is useful that flooding BC is possible. A solution for these applications is e.g. to make flooding BC / discarding BC a configurable option per VLAN.

23/75

    Intelligent Bridge

    Bridge: learning, aging, forwarding

    lookup MAC DA done based on VLAN and MAC-address

    intelligent bridging enhancements implemented on ISAM

    LT and SHUB have

    independent MAC-address learning

    independent MAC-address aging

aging timers are configurable [10...1000000] sec; recommended default value is 300 sec

aging timer per VLAN: configurable [-1,10...1000000] sec; default value -1 = use the system aging timer on the LT

> The Service Hub and the LTs autonomously learn MAC addresses. They also autonomously age these MAC addresses. Aging timers are configurable. The idea is that the Service Hub is configured with the same aging timer as the IWF of the LT. This is needed to avoid conflicts: e.g. when the MAC address is aged on the Service Hub, the Service Hub could learn the MAC address on another interface, with unpredictable behavior as a consequence. Once a MAC address is aged, no downstream communication is possible until the address is learnt again in the upstream direction.

> So it's important that the MAC ageing time is properly configured, otherwise data-plane connectivity may be lost between the network and the ISAM end-users (nightly SW download on STB, incoming VoIP calls, ...).

In case of PPPoE traffic the MAC aging time can be kept small, because PPP has a built-in keep-alive mechanism.

In case of DHCP-based service scenarios, the MAC ageing time must be taken in the same order of magnitude as the DHCP lease time.

24/75

    IB Configuration of SYSTEM and/or per VLAN aging timer

Figure: AMS screenshots of the aging timer configuration on the LT side, on the SHUB side and per VLAN.

> CLI commands: system aging timers, IACM and SHUB

Configure bridge ageing-time [10...1000000]

Configure bridge shub ageing-time [10...1000000]

> CLI command: MAC aging per VLAN (IACM)

Configure vlan id 200 aging-time [-1,10...1000000]

Default value -1: the IACM system settings are used.

25/75

    LT self-learning

    only in the upstream - when initiated from user logical port

    Self-learning can be disabled per user logical port.

In case of self-learning, limiting the number of MAC addresses is possible.

Figure: LT self-learning. Source MAC addresses (MAC A, MAC B, MAC C on lines x, y, z) are learnt within the VLAN only from upstream frames towards the Service Hub; there is no self-learning in the downstream direction.

> We call the LT IWF half a bridge as it only learns MAC addresses in the upstream direction. This has as a consequence that no connection can be initiated from the network side if the MAC address on the user side is not known or has not been learned yet.

26/75

    Self learning in the Service Hub

    Self-learning implemented for both upstream and downstream

Discard all user unicast frames with MAC DA known on an ASAM or subtending port

    No user to user communication

Figure: Service Hub self-learning. Source MAC addresses are learnt within the VLAN on the ASAM links from the LTs (MAC A, MAC B, MAC C on X, Y, Z) and on the E-MAN links (U, V) in both directions.

27/75

    Blocking of user to user communication

    Port mapping on the service hub/NT

    An interface can only communicate with its mapping ports

Figure: Service Hub port mapping. ASAM links 1..15, the control link 16, the network links (8 or X), the user links and the subtending link; an interface can only communicate with the ports it is mapped to.

    > This is what prevents user-to-user communication when users are on different LTs.

28/75

    Port mapping

Port mapping is used to block user to user communication on the service hub

Figure: Service Hub on the NT with its user links, subtending links, network links towards the E-MAN, ASAM links towards the LTs and the control link, showing the flooding strategy between them.

> It is possible that a VLAN used to transport user frames contains ASAM / subtending / user interface(s) and network interface(s), or even more ASAM interfaces and subtending interfaces. Possibly also both an ASAM and a subtending interface can be present in the same VLAN. The question arises how we prevent user to user communication within the same VLAN.

> The blocking of user-to-user communication on the Service Hub is provided by port mapping.

> This way we allow L2 bi-directional communication with supporting tagged frames (within the same VLAN) only between network ports and ASAM ports, between network ports and subtending ports, between network ports and user ports, between the controller port and each ASAM port, and between the controller and the network ports and subtending ports.

> The drawing in the slide gives you the different possible links and the flooding strategy (layer 2) of the frames.

> The handling of control protocol frames (Radius, VBAS, IGMP, ARP and DHCP) and internal communication at a layer higher than the MAC layer is not in the scope of the rules explained hereafter.

> Frames received over a network interface: can be (layer 2) forwarded by the Service Hub to the ASAM, the user, the subtending, and the control interfaces. In the PPPoE demo, ISM1 related ports are at the same position as the network interface.

> Frames received over an ASAM interface: can be forwarded to the network interfaces and to the control interface.

> Frames received over a subtending interface: can be forwarded to the network interfaces or to the control interface.

> Frames received over a user interface: can be forwarded to the network interfaces or to the control interface.

> Frames received over the control interface: can be (layer 2) forwarded to the network, the subtending, the user and the ASAM interfaces.
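The interface-type rules in the notes above can be checked mechanically. The following is an added example, not ISAM or Alcatel-Lucent code: it encodes the rules as a port-mapping table and computes the set of ports a frame from a given interface may be flooded to. Port names, interface types and VLAN memberships are constructed for the example, and it goes one step beyond the notes by also requiring both ports to carry the VLAN, since a tagged frame is only forwarded within its own VLAN.

```python
"""Service Hub port-mapping model (added example, not Alcatel-Lucent code).

Encodes the per-interface-type forwarding rules from the slide notes:
network -> ASAM, user, subtending, control; ASAM / subtending / user ->
network, control; control -> network, subtending, user, ASAM.
"""
from dataclasses import dataclass

NETWORK, ASAM, SUBTENDING, USER, CONTROL = "network", "asam", "subtending", "user", "control"

# Ingress interface type -> interface types a layer-2 frame may be forwarded to.
PORT_MAPPING = {
    NETWORK: {ASAM, USER, SUBTENDING, CONTROL},
    ASAM: {NETWORK, CONTROL},
    SUBTENDING: {NETWORK, CONTROL},
    USER: {NETWORK, CONTROL},
    CONTROL: {NETWORK, SUBTENDING, USER, ASAM},
}


@dataclass(frozen=True)
class Port:
    name: str
    kind: str          # one of the five interface types above
    vlans: frozenset   # VLANs this port is a member of


def may_forward(ingress: Port, egress: Port, vlan: int) -> bool:
    """Port mapping check: may a frame tagged `vlan` go from ingress to egress?"""
    if ingress is egress:
        return False                        # never back out of the ingress port
    if vlan not in ingress.vlans or vlan not in egress.vlans:
        return False                        # both ports must carry the VLAN
    return egress.kind in PORT_MAPPING[ingress.kind]


def flood_set(ingress: Port, ports, vlan: int) -> list:
    """Ports a broadcast / unknown-DA frame from `ingress` is flooded to.

    For a frame from a user, ASAM or subtending port the result never
    contains another user, ASAM or subtending port, so flooding on the
    Service Hub cannot carry user-to-user traffic.
    """
    return sorted(p.name for p in ports if may_forward(ingress, p, vlan))


# Constructed sample hub: two network links, two ASAM (LT) links, one user
# Ethernet port and the control link, with memberships in VLANs 100 and 200.
SAMPLE_PORTS = {
    "net1": Port("net1", NETWORK, frozenset({100, 200})),
    "net2": Port("net2", NETWORK, frozenset({100})),
    "asam1": Port("asam1", ASAM, frozenset({100, 200})),
    "asam2": Port("asam2", ASAM, frozenset({100})),
    "user1": Port("user1", USER, frozenset({200})),
    "ctrl": Port("ctrl", CONTROL, frozenset({100, 200})),
}


if __name__ == "__main__":
    for name in ("net1", "asam1", "user1", "ctrl"):
        for vlan in (100, 200):
            print(f"{name} VLAN {vlan} -> {flood_set(SAMPLE_PORTS[name], SAMPLE_PORTS.values(), vlan)}")
```

Running the block prints, for each ingress port and VLAN, the ports the frame may reach; an ASAM link in VLAN 100 reaches only the network links and the control link, never the other ASAM link.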

29/75

    Upstream

    Only user to network allowed

Figure: upstream forwarding. For BC, unknown MAC DA and known MAC DA alike, a frame from user D is forwarded only towards the S-ASAM / network side, never to another user.

> The ISAM only allows user to network communication in the upstream:

blocked on the same LT by the IWF

blocked by the port mapping configuration on the SHUB (see later)

> This is valid for all cases, i.e. Broadcast (BC), unknown MAC Destination Address and known MAC Destination Address.

> Unicast frames with unknown destination MAC addresses are flooded to the network side:

no user to user communication within the LIM

no flooding from user to user port

broadcast frames are flooded towards the NW port

> Frames with known destination MAC addresses aren't forwarded to user ports, but to the network side:

no user to user communication within the LT


    Downstream

    Broadcast control configurable per VLAN in IB mode

    [Figure: downstream forwarding Network -> SHUB -> LT for three cases. BC: the SHUB floods to the LTs, User D and S-ASAM; the LT forwards to User A and User B (LT1) and User C (LT4) only if BC is allowed. Unknown MAC DA: the SHUB floods to the LTs, User D and S-ASAM, but the LT does not forward to its users. Known MAC DA: forwarded to the appropriate port only.]

    > Broadcast from network to user is only allowed if enabled by the operator, per VLAN in IB mode.

    > For the unknown MAC DA case, the LT will not forward the frames to the users.

    > In case of a known MAC DA, all frames are forwarded:

    unicast frames with a known MAC DA are forwarded to the appropriate logical user port

    unicast frames with an unknown MAC DA are discarded

    no flooding from the NW port to a user port

    no user to user communication

    > By default, the broadcast that results from flooding (which happens in standard bridging when the MAC DA is unknown or in case of multicast) is avoided with intelligent bridging. This is the property that keeps one subscriber from receiving traffic addressed to another subscriber's MAC address.
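    The upstream and downstream rules of the two slides above, as an added example written for this page (not ISAM code). It models the SHUB port-mapping matrix, the per-VLAN broadcast-control flag and the "no flooding of unknown unicast to users" rule on the LT. The port names, roles, the `RbVlan` structure and the sample topology in `sample_vlan()` are assumptions constructed for the example; control-protocol frames are out of scope, as on the slide.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Layer-2 port-mapping rules of the Service Hub, per ingress interface role:
# the roles a frame may be forwarded to (taken from the slide notes).
SHUB_ALLOWED = {
    "network":    {"asam", "user", "subtending", "control"},
    "asam":       {"network", "control"},
    "subtending": {"network", "control"},
    "user":       {"network", "control"},
    "control":    {"network", "subtending", "user", "asam"},
}


@dataclass
class RbVlan:
    """One residential-bridge VLAN as seen by the SHUB and by one LT (assumed layout)."""
    vid: int
    broadcast_control: bool = False                  # ISAM default: downstream BC blocked on the LT
    shub_ports: dict = field(default_factory=dict)   # SHUB port name -> role
    shub_fdb: dict = field(default_factory=dict)     # MAC -> SHUB port it was learnt on
    lt_user_ports: set = field(default_factory=set)  # logical user ports behind the LT's IWF
    lt_fdb: dict = field(default_factory=dict)       # MAC -> LT user port


def shub_egress(vlan: RbVlan, ingress: str, dst_mac: str) -> set:
    """Ports the SHUB sends a frame to. Flooding (BC / unknown DA) only follows
    the allowed directions; a known DA that lies in a forbidden direction
    (e.g. user to user via two ASAM links) is dropped by the port mapping."""
    allowed = SHUB_ALLOWED[vlan.shub_ports[ingress]]
    candidates = {p for p, role in vlan.shub_ports.items()
                  if role in allowed and p != ingress}
    if dst_mac == BROADCAST:
        return candidates
    learnt_on = vlan.shub_fdb.get(dst_mac)
    if learnt_on is None:            # unknown unicast: flooded, but from a user-side
        return candidates            # port only network/control remain as candidates
    return {learnt_on} if learnt_on in candidates else set()


def lt_upstream_egress(vlan: RbVlan, dst_mac: str) -> set:
    """The IWF on the LT sends every upstream frame towards the SHUB ('uplink'),
    even when the DA is known on another user port of the same LT."""
    return {"uplink"}


def lt_downstream_egress(vlan: RbVlan, dst_mac: str) -> set:
    """What the LT forwards towards its user ports for a frame coming from the SHUB."""
    if dst_mac == BROADCAST:
        return set(vlan.lt_user_ports) if vlan.broadcast_control else set()
    port = vlan.lt_fdb.get(dst_mac)
    return {port} if port is not None else set()   # unknown unicast is discarded, never flooded


def sample_vlan(broadcast_control: bool = False) -> RbVlan:
    """Constructed topology matching the slides: users A and B on LT1, C on LT4,
    user D directly on the SHUB, one network link, one subtending ASAM."""
    v = RbVlan(vid=200, broadcast_control=broadcast_control)
    v.shub_ports = {"net1": "network", "lt1": "asam", "lt4": "asam",
                    "userD": "user", "s-asam": "subtending", "ctl": "control"}
    v.lt_user_ports = {"lt1:A", "lt1:B"}
    mac_a, mac_bas = "00:11:22:00:00:0a", "00:11:22:00:00:bb"   # constructed addresses
    v.shub_fdb = {mac_a: "lt1", mac_bas: "net1"}
    v.lt_fdb = {mac_a: "lt1:A"}
    return v


if __name__ == "__main__":
    v = sample_vlan()
    print("BC from network, SHUB floods to:", sorted(shub_egress(v, "net1", BROADCAST)))
    print("user A's MAC seen from LT4 goes to:", shub_egress(v, "lt4", "00:11:22:00:00:0a"))
    print("unknown unicast downstream on LT:", lt_downstream_egress(v, "00:11:22:00:00:ff"))
```

    Note the asymmetry the example makes visible: a frame from LT4 addressed to a MAC learnt on LT1 is dropped (user-to-user), while the same DA arriving from the network is delivered to exactly one port, and with broadcast control left at its default the LT delivers no broadcast at all.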


    Duplicate MAC-address learning

    Traffic from duplicate MAC-addresses in separate DSLAMs can be distinguished as separate flows in the Ethernet switches of the aggregation network when a different VLAN id per DSLAM is used.

    [Figure: two users on ports x and y both use MAC A; the MAC@port table of the ETH port can hold MAC A only once, so for a packet with destination address MAC A the forwarding engine cannot tell which port to use.]

    Problem: 2 users with the same MAC-address; the forwarding engine can't distinguish them.

    > If a user on line x is using a certain MAC-address and a second user on a different line y tries to connect with the same MAC-address, a mechanism must ensure that the MAC-address appears only once in the learning table (filtering database) of that VLAN.

    > If this were not done, the MAC-address would be overwritten in the bridge's learning table, such that traffic is forwarded either to user A or to user B in a rather unpredictable way. This feature therefore guarantees the uniqueness of MAC-addresses in the aggregation network.

    > In the 7302 ISAM specific rules are implemented making sure that the MAC-address is learnt only once; this is called secure MAC-address learning.

    > This not only resolves the customer segregation issue but also prevents a malicious user from taking over the MAC-address of another user (MAC-address anti-spoofing, blocking of duplicate MAC-addresses).

    > PS: MAC-addresses are supposed to be unique per VLAN. They are not necessarily unique for the complete system.


    Secure MAC address learning

    Service Hub:

    MAC movement to the highest priority

    within a priority, always MAC movement (priority 2 interfaces)

    within a priority, MAC movement only when the feature is enabled in the VLAN (priority 3 interfaces)

    LT:

    blocking of duplicate MAC-addresses

    static MAC-addresses never disappear from the learning table

    [Figure: interface priorities on the NT/SHUB. Control link: priority 1. E-MAN network links and outband MGT link: priority 2. ASAM links (to the LTs with their IWF), subtending links and user links: priority 3.]

    > On the IWF: if the MAC-address was already configured or learnt on another user logical port, the MAC-address is not learnt on the second port and the frame is dropped (conflict alarm).

    > On the Service Hub: you can provision, per VLAN, whether MAC movement is allowed or not. The default value is no MAC movement. MAC movement means that when the same MAC SA is received on a second interface, the MAC-address enters the learning table for that interface and is removed from the first. Without MAC movement, the duplicate MAC-address is not learnt on the second interface and the frames are discarded.

    > If the Service Hub receives a frame with a MAC SA on a different interface than the one it was previously learnt on, it applies the following rules:

    > Control interface has first priority: learning a MAC address on the control interface always takes priority over learning of the same MAC address on a network, ASAM, user or subtending interface, irrespective of the order of learning.

    > Network interface has second priority: if the MAC address is first learnt on a subtending, ASAM or user port and then on an Ethernet network interface, the movement is learnt (the MAC address on the subtending, user or ASAM port is removed). If the duplicate MAC-address is learnt on a network interface but was learnt before on another NW interface, the last one takes priority.

    > ASAM link, subtending link and user link have third priority: if the duplicate MAC address is received on an ASAM, user or subtending port and the same MAC address is already learnt on an Ethernet network interface in the same VLAN, the MAC address is not learnt and the frame is dropped.

    > If the duplicate MAC address is received on a DSLAM, user or subtending port and the same MAC address was already learnt on a port within this priority, the action depends on the configuration of the VLAN (MAC movement allowed or not, configurable per VLAN).

    > Well-known MAC addresses (e.g. MAC addresses allocated for IEEE protocols) are not learnt. The MAC address of the Service Hub is also treated as a well-known MAC address.


    Secure MAC address learning

    Configure the maximum number of MAC-addresses per port

    prevents attacks that would fill up the bridging tables

    subscription rules: maximum number of devices connected simultaneously

    Configure MAC-addresses for discarding

    [Figure: a user port x with MaxMac@port = 2; MAC A is connected via PPPoE and MACs B and C are bridged. The ISAM MAC@port table already holds MAC A and MAC B on port x, so a PADI with source address MAC C is not learnt. A per-VLAN discard MAC@ list (example entry 00-08-02-E9-F2-9D) is shown next to it. The ISAM connects over IP to the ISP's BAS and the Internet.]

    > There are two motivations to limit the number of MAC-addresses per port:

    - Security: avoid that a malicious user can fill up the complete bridging table of devices in the network (DSLAM and others) by sending traffic with different MAC addresses.

    - Service differentiation: by limiting the number of MAC addresses per port, the operator can offer different types of service subscriptions to the user, limiting or allowing a certain number of devices to connect simultaneously to the network. For this application, it is clear that the limitation should be configurable per port.

    > Note: in this example the user's PCs are connected to the Internet via PPPoE. In that case the BAS also has the possibility to limit the number of PPPoE sessions per user-id. Within PPPoE, the unique PPPoE session-id can be used to provide this additional security: the BAS can use the PPPoE session-id for user identification during the session itself, which is linked to the username/password given earlier during PPPoE session set-up. The BAS knows how many sessions the user has been given. If you have information on the VP/VC you can of course also limit the number of PPPoE sessions per VP/VC. In case of Ethernet backhaul, however, the BAS has no information on the VP/VC.

    Within DHCP there is no information that identifies the user. In that case limiting the number of MAC-addresses learnt per port on the DSLAM is a possible solution, but what in a multi-edge environment? If we want the DHCP server itself to be able to limit the number of sessions of the user, the DHCP request needs to carry the information that defines the user (VP/VC, port). This is possible by implementing DHCP option 82 (see later).

    > During the creation of a RB-VLAN in the Residential Bridge VLAN service template, a list of MAC-addresses for discarding can be added.
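    The secure MAC address learning rules of this slide and the previous one, as an added example written for this page (not ISAM software). `ShubVlan.learn()` applies the interface-priority rules and the per-VLAN MAC-movement setting of the Service Hub; `LtVlan.learn()` applies the IWF rules: duplicate MACs across user ports are blocked with a conflict alarm, each bridge port has a `max-unicast-mac` limit, and the VLAN carries a discard list. Port names, the return codes, the alarm tuple format and the well-known-address test in `is_well_known()` are assumptions of the example; the sample addresses are constructed.

```python
PRIORITY = {"control": 1, "network": 2, "asam": 3, "user": 3, "subtending": 3}


def norm(mac: str) -> str:
    """Canonical lower-case colon form; accepts the 00-08-02-E9-F2-9D style as well."""
    return mac.replace("-", ":").lower()


def is_well_known(mac: str, shub_mac: str) -> bool:
    """Addresses never learnt: group addresses (I/G bit set, which covers the IEEE
    reserved 01:80:c2:... range) and the SHUB's own MAC. The product's exact list
    is not given on the page, so this test is an assumption of the example."""
    return bool(int(norm(mac)[:2], 16) & 0x01) or norm(mac) == norm(shub_mac)


class ShubVlan:
    """Filtering database of one VLAN on the Service Hub (assumed structure)."""

    def __init__(self, vid, ports, shub_mac, mac_move_allow=False):
        self.vid = vid
        self.ports = ports                    # port name -> role (key of PRIORITY)
        self.shub_mac = shub_mac
        self.mac_move_allow = mac_move_allow  # '[no] mac-move-allow' of the SHUB VLAN
        self.fdb = {}                         # MAC -> port

    def learn(self, mac, port):
        """Handle a frame with source `mac` seen on `port`.
        Returns 'ignored', 'learnt', 'moved' or 'dropped'."""
        if is_well_known(mac, self.shub_mac):
            return "ignored"
        mac = norm(mac)
        old = self.fdb.get(mac)
        if old is None or old == port:
            self.fdb[mac] = port
            return "learnt"
        new_prio, old_prio = PRIORITY[self.ports[port]], PRIORITY[self.ports[old]]
        if new_prio < old_prio:           # higher priority (lower number) always wins
            move = True
        elif new_prio > old_prio:         # lower priority never overrides: frame dropped
            move = False
        elif new_prio == 3:               # ASAM/user/subtending: per-VLAN setting decides
            move = self.mac_move_allow
        else:                             # network to network: the last one takes priority
            move = True                   # (control has a single interface, so never reached)
        if move:
            self.fdb[mac] = port
            return "moved"
        return "dropped"


class LtVlan:
    """Learning on the LT (IWF side) for one VLAN (assumed structure)."""

    def __init__(self, vid, max_unicast_mac, discard=()):
        self.vid = vid
        self.max_unicast_mac = dict(max_unicast_mac)   # bridge port -> 'max-unicast-mac'
        self.discard = {norm(m) for m in discard}      # per-VLAN discard list
        self.fdb = {}                                  # MAC -> bridge port
        self.alarms = []                               # (alarm, mac, existing port, offending port)

    def learn(self, mac, port):
        """Returns 'discarded', 'learnt', 'dropped' (duplicate, conflict alarm) or 'limit'."""
        mac = norm(mac)
        if mac in self.discard:
            return "discarded"
        old = self.fdb.get(mac)
        if old == port:
            return "learnt"
        if old is not None:                            # already learnt on another user port
            self.alarms.append(("duplicate-mac", mac, old, port))
            return "dropped"
        if sum(1 for p in self.fdb.values() if p == port) >= self.max_unicast_mac[port]:
            return "limit"                             # table-flooding defence / subscription limit
        self.fdb[mac] = port
        return "learnt"


if __name__ == "__main__":
    ports = {"ctl": "control", "net1": "network", "lt1": "asam", "lt2": "asam"}
    s = ShubVlan(200, ports, "00:08:02:e9:f2:9d")
    for p in ("lt1", "lt2", "net1", "lt1", "ctl", "net1"):
        print(p, s.learn("00:11:22:33:44:55", p), s.fdb)
```

    Run as a script, the walkthrough shows the same MAC first learnt on an ASAM link, refused on a second ASAM link (MAC movement off), moved to the network link, refused again from the ASAM link, moved to the control link and then refused from the network link.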


    Intelligent Bridging, things to consider

    Security services!

    IP edge has no info on the line id. Solutions: PPP connections (BRAS) or DHCP option 82

    User can access the network with a different IP address than the assigned IP address (pure layer 2 device)

    No support for duplicate MAC-addresses on the same ISAM within the same VLAN

    Scalability: switches learn all MAC addresses of all end-users; the IP edge learns all MAC addresses and IP addresses of all end-users

    Anti-IP spoofing: blocking of traffic when a user tries to connect to the network with an IP address different from the IP address that was assigned to him.


    Intelligent Bridging, things to consider

    Advised to use a unique VLAN per [IP edge, DSLAM] pair in the EMAN:

    avoids user-to-user communication

    traffic management per DSLAM

    complex IP network configuration

    When 1 VLAN is shared by multiple DSLAMs:

    user to user traffic in the EMAN

    easy IP network configuration (one single subnet for all DSLAMs)

    MAC-address spoofing: standard MAC address learning at EMAN level, so traffic will be rerouted to any spoofed MAC address


    Configuring a RB VLAN


    IB VLAN set-up

    VLAN set-up:

    Create VLAN: creation of the VLAN on SHUB and ASAM-CORE

    Add ports to VLAN: on SHUB and LTs

    Via AMS: different versions of one VLAN possible

    Create VLAN for the service to be deployed

    Add ports to VLAN

    > Here you'll learn how to:

    distinguish different forwarding models and choose the right VLAN mode for a certain forwarding model

    create a VLAN on Service Hub and ASAM-CORE, either using 5520 AMS or using CLI

    add ports to a VLAN.


    Creation of IB VLAN

    Creation of VLAN in 2 steps:

    on SHUB

    on LTs (ASAM-CORE)

    VLAN mode according to forwarding model

    Create VLAN: mode in function of the service to be deployed

    Create VLAN on ASAM-CORE: residential bridge

    Create VLAN on SHUB: residential bridge

    > The VLAN type in the service hub permits us

    to do consistency checks between SHUB and ASAM-CORE (with AMS)

    to couple specific configuration behaviour to a VLAN.

    > Intelligent (Residential) Bridging mode: forwarding based on L2, and multiple user connections can be associated to each VLAN.

    RB on ASAM-CORE: multiple end-user ports can be assigned to a RB VLAN

    RB on SHUB: one VLAN on the SHUB that will be associated to all (configured) network ports and ASAM ports

    Note: when configuring with CLI, the operator needs to make sure that, if needed, the port is added to the respective VLAN. Using AMS, it depends on whether the egress ports on the service hub were forbidden or not. See further.

    Note: there is no difference when you create a VLAN as RB or L2 Terminated on the SHUB. There is however a difference on the ASAM-CORE side.


    VLAN modes (except for cross-connect)

    Model                          VLAN mode on LTs (ASAM-core)   VLAN mode on SHUB
    Intelligent Bridge             Residential bridge             Residential bridge
    IP aware Bridge (forwarding)   Layer2 Terminated *            Layer2 Terminated *
    Routed                         Layer2 Terminated *            Layer2 Terminated NW port & v-vlan *

    * : see next chapters


    > Routed mode: the forwarding decision in the ASAM-CORE is based on L3 (IP forwarding). The SHUB behaves as a full router.

    L2 terminated on ASAM-CORE: association with a V-VLAN based on the IP DA.

    Layer2-term-nwport on SHUB: a VLAN on the SHUB that is only associated to network ports. That means the VLAN is terminated on the SHUB.

    > In cross-connect mode different models exist:

    C-VLAN cross-connect: straightforward VLAN cross-connect model where one or more VLANs at the EMAN side are associated with a given PVC at the user side.

    CC on ASAM-CORE: only one end-user port (PVC or EFM bridge port) is associated to a specific C-VLAN.

    CC on SHUB: since there is only one user associated to a specific C-VLAN on the SHUB, one ASAM link and one or more network ports are associated to the VLAN.

    An S-VLAN at the EMAN side is associated with a PVC at the user side; the C-VLANs carried within the S-VLAN are then passed transparently to the end user.

    CC on ASAM-CORE: only one end-user port (PVC or EFM bridge port) is associated to a specific S-VLAN.

    CC on SHUB: since there is only one user associated to a specific S-VLAN on the SHUB, one ASAM link and one or more network ports are associated to the S-VLAN.

    S-VLAN/C-VLAN cross-connect mode: PVC to C-VLAN mapping, where the S-VLAN tag can be used by the EMAN as route identifier towards the ISAM.

    CC on ASAM-CORE: different end-user ports (PVC or EFM bridge port) can be associated to a specific S-VLAN. The C-VLAN identifies the user port.

    CC on SHUB: since many users can be associated to a specific S-VLAN on the SHUB, all ASAM links and one or more network ports are associated to the VLAN.


    Creation of IB VLAN on NE

    Equipment > Select NE > Infrastructure > Layer 2 > VLAN > Create VLAN / Create SHUB VLAN (see next slide)

    S-VLAN Id = 0

    > 5520 AMS doesn't use templates for VLANs. The only way to configure VLANs is on the NE itself.

    > For a residential bridge VLAN, the S-TAG = 0. No stacked VLANs for intelligent bridging! (The reason why you see the S-VLAN id is that the same screens are used for cross-connect, where you can indeed have stacked VLANs.)


    Creation of IB VLAN on NE

    mode: RB

    protocol filter (PPPoE / IPoE)

    virtual MAC translation

    DHCP option 82

    PPPoE relay tag

    broadcast control

    > Not all parameters can be configured here already. You can configure e.g. static MAC addresses afterwards. See further.

    > From R3.5 a VLAN-specific aging time can be set. If set, this value overrides the IACM Layer 2 - Ethernet System Parameters - Forwarding Database Aging Time. If on the other hand the default value 1 is left, the IACM system parameter is used.


    Modifying IB VLAN on NE: static MAC addresses

    Equipment > Select NE > Infrastructure > Layer 2 > VLAN > Select VLAN > MAC Addresses > Static > Create (Static MAC Address)


    Creation of IB SHUB VLAN

    Equipment > Select NE > Infrastructure > Layer 2 > VLAN > Create SHUB VLAN (see next slide)

    > For all SHUB VLANs, only one VLAN tag is relevant.


    Creation of SHUB VLAN

    Define egress ports on SHUB

    > Tag mode can be configured on network ports

    Configure vlan shub id untag-port network:

    ASAM-links support only tagged frames


    Modifying SHUB VLAN

    Object details

    MAC movement

    IGMP settings


    Residential bridge parameters

    Broadcast control on LT (only applicable in IB mode)

    Disabled (default): BC in the IWF on the LT is blocked in DS

    Enabled: allow BC in DS

    MAC movement on SHUB (only applicable in IB mode)

    Disabled (default): no MAC movement in the SHUB within priority 3 interfaces

    Enabled: MAC movement allowed within priority 3 interfaces

    BC button not checked by default

    [Figure: a frame with broadcast MAC DA arriving from the Service Hub at the LT; E-MAN, NT, LTs and the SHUB are shown with interface priorities 1 (control), 2 (network) and 3 (ASAM, subtending, user).]

    > Disabled: button not checked

    > Enabled: button checked


    Residential bridge parameters

    DHCP option 82 / PPPoE relay tag

    Disabled (default): no option 82 / PPPoE information added by the LT

    Enabled: option 82 / PPPoE information added by the LT

    Protocol group filter (different from protocol based VLAN association)

    4 possibilities:

    All: allow all protocols on the VLAN

    IPoE: allow only IPoE on the VLAN

    PPPoE: allow only PPPoE on the VLAN

    PPPoE + IPoE: allow only PPPoE and IPoE on the VLAN

    > Protocol based VLAN association: see later


    Creation of IB VLAN via CLI

    VLAN ID range: 1 to 4093, excluding the VLAN ID used for management

    Create VLAN on ASAM-CORE:

    configure vlan id < VLAN ID> mode

    Create VLAN on SHUB:

    configure vlan shub id mode

    egress-port network:

    egress-port lt:rack/shelf/slot

    CONFIGURATION OF VLAN ON ASAM-CORE

    > Id: [2...4093,4097] VLAN id

    > Name: optional parameter with default value "" (empty name)

    > Mode: mandatory parameter with possible values (on ASAM-CORE): 1) cross-connect, 2) residential-bridge, 3) qos-aware, 4) layer2-terminated

    > Priority: optional parameter with default value 0. Range: {0...7}

    > [no] switch-broadcast: optional parameter to control downstream broadcast frames (default value: "discard-broadcast"). Broadcast control is configurable per VLAN: on/off. The other value, "broadcast frames", means broadcast allowed (= ON).

    > [no] protocol filter (default: pass all). Other possibilities: pass pppoe, pass ipoe, pass pppoe-ipoe

    > [no] enable-pppoe-relay: optional parameter with default value "disable-pppoe-relay"; adds the tag for PPPoE relayed traffic (RB VLAN)

    > [no] dhcp-opt-82-on: optional parameter with default value "dhcp-opt-82-off"; enables adding DHCP option 82 (RB VLAN)

    CONFIGURATION OF VLAN ON SHUB

    > Mode: mandatory parameter with possible values (on SHUB): 1) cross-connect, 2) residential-bridge, 3) layer2-terminated, 4) layer2-term-nwport, 5) v-vlan = virtual VLAN, 6) reserved (internal and external communication via VLAN)

    > [no] mac-move-allow: for residential bridges, (no) MAC-address movement allowed between priority 3 ports (ASAM ports, subtending ports and user ports on the SHUB).

    > Note: ports are also added to the VLAN with the configure vlan command, but not in one go with the creation of the VLAN: you need to enter two consecutive commands (see next chapter, add port to VLAN). The same holds for a VLAN on the SHUB.


    Add port to a IB VLAN on the SHUB via CLI (2/2)

    Attachment of ports to the VLAN on the SHUB for IB: define egress ports in the configure vlan shub command

    Configure>vlan>shub>id egress-port lt: defines an ASAM link

    Configure>vlan>shub>id egress-port network: defines an external NT port

    Tag mode can be configured on network ports:

    Configure vlan shub id untag-port network:

    ASAM links support only tagged frames

    > Attachment of ports to the VLAN is included in the configure vlan shub command:

    configure vlan shub id mode residential-bridge

    Optional parameters:

    [no] name

    [no] mac-move-allow

    [no] egress-port

    [no] untag-port

    > [no] name: VLAN name (default none)

    > [no] mac-move-allow: allow MAC-address movement between ports with priority 3 (user ports, ASAM ports, subtending ports). Default: no MAC-address movement allowed.

    > [no] egress-port: ports to be added to the VLAN. Egress-port types:

    LT (ASAM port)

    Network (any port on the NT, e.g. a user port or subtending port)

    > [no] untag-port: send frames untagged on the egress port.
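    A consistency check across the two halves of the configuration, as an added example written for this page (not 5520 AMS or ISAM software). It encodes what the earlier note says AMS checks and what a CLI operator otherwise has to verify by hand: the VLAN exists on both ASAM-CORE and SHUB, the modes fit the same forwarding model (table of slide 39), an RB VLAN on the SHUB carries every ASAM link plus at least one network port, and `untag-port` is never set on an ASAM link. The dictionary layout, the port naming (`lt:rack/shelf/slot`, `network:n`) and the sample configuration in `sample_findings()` are assumptions constructed for the example; the 2..4093 range is taken from the parameter list on the previous slide.

```python
# VLAN mode on ASAM-CORE -> SHUB modes that belong to the same forwarding model
COMPATIBLE_SHUB_MODE = {
    "residential-bridge": {"residential-bridge"},
    "cross-connect":      {"cross-connect"},
    "layer2-terminated":  {"layer2-terminated", "layer2-term-nwport"},
}


def check_vlan_config(core_vlans, shub_vlans, lt_slots, mgmt_vid):
    """core_vlans: {vid: {"mode": str}} as created with 'configure vlan id <id> mode <mode>'.
    shub_vlans:   {vid: {"mode": str, "egress": set of 'lt:r/s/s' or 'network:n', "untag": set}}.
    lt_slots:     the ASAM links ('lt:r/s/s') equipped in the shelf.
    Returns a list of (vid, message) findings; an empty list means consistent."""
    findings = []
    for vid in sorted(set(core_vlans) | set(shub_vlans)):
        core, shub = core_vlans.get(vid), shub_vlans.get(vid)
        if not 2 <= vid <= 4093:
            findings.append((vid, "VLAN id outside 2..4093"))
        if vid == mgmt_vid:
            findings.append((vid, "VLAN id is the management VLAN"))
        if shub is None:
            findings.append((vid, "created on ASAM-CORE but not on the SHUB"))
            continue
        if core is None:
            findings.append((vid, "created on the SHUB but not on ASAM-CORE"))
            continue
        if shub["mode"] not in COMPATIBLE_SHUB_MODE.get(core["mode"], set()):
            findings.append((vid, f"mode mismatch: {core['mode']} on ASAM-CORE "
                                  f"vs {shub['mode']} on SHUB"))
        egress, untag = set(shub.get("egress", ())), set(shub.get("untag", ()))
        if core["mode"] == "residential-bridge":
            missing = set(lt_slots) - egress          # RB VLAN must reach every LT
            if missing:
                findings.append((vid, "RB VLAN on SHUB lacks ASAM links: "
                                      + ", ".join(sorted(missing))))
            if not any(p.startswith("network:") for p in egress):
                findings.append((vid, "RB VLAN on SHUB has no network port"))
        if shub["mode"] == "layer2-term-nwport" and any(p.startswith("lt:") for p in egress):
            findings.append((vid, "layer2-term-nwport VLAN may only have network ports"))
        for p in sorted(untag):
            if p.startswith("lt:"):
                findings.append((vid, f"untag-port {p}: ASAM links support only tagged frames"))
            elif p not in egress:
                findings.append((vid, f"untag-port {p} is not an egress port of the VLAN"))
    return findings


def sample_findings():
    """Constructed example configuration (not taken from a real NE)."""
    lt_slots = {"lt:1/1/4", "lt:1/1/5"}
    core = {200: {"mode": "residential-bridge"}, 300: {"mode": "residential-bridge"},
            500: {"mode": "residential-bridge"}, 600: {"mode": "layer2-terminated"}}
    shub = {
        200: {"mode": "residential-bridge", "egress": {"lt:1/1/4", "lt:1/1/5", "network:1"},
              "untag": {"network:1"}},                                      # consistent
        300: {"mode": "layer2-terminated", "egress": {"lt:1/1/4", "lt:1/1/5", "network:1"},
              "untag": set()},                                              # mode mismatch
        400: {"mode": "residential-bridge", "egress": {"network:1"}, "untag": set()},  # SHUB only
        500: {"mode": "residential-bridge", "egress": {"lt:1/1/4", "network:2"},
              "untag": {"lt:1/1/4"}},                                       # missing LT, untagged LT
        600: {"mode": "layer2-term-nwport", "egress": {"network:1", "lt:1/1/4"},
              "untag": set()},                                              # LT on a nwport VLAN
    }
    return check_vlan_config(core, shub, lt_slots, mgmt_vid=4093)


if __name__ == "__main__":
    for vid, message in sample_findings():
        print(f"VLAN {vid}: {message}")
```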


    IB VLAN association on bridge port


    IB VLAN association of port on ASAM-CORE

    One logical user port can be mapped to multiple VIDs

    One logical port is associated to CC or residential-bridge VIDs

    One logical user port can accept tagged or untagged frames (configured at the level of the VID association)

    Per user logical port a PVID can be defined; before the PVID can be configured, the VLAN association has to be configured

    Configuration of the VID within the bridge port

    Support of 48 x 16 = 768 I-Bridges on L3 LIMs


    IB VLAN association

    Port based VLAN association: VLAN ID based on port of arrival. Untagged frames receive the port VLAN identifier (PVID), also called the default VLAN ID.

    Port-and-protocol-based VLAN classification: VID based on port of arrival and the protocol identifier of the frame. Multiple VLAN IDs associated with a port of the bridge: the VID set.

    VLAN translation: VID based on port of arrival and translated to a network VID.

    > A VLAN bridge supports port-based VLAN classification and may, in addition, support port-and-protocol-based VLAN classification.

    > In port-based VLAN classification within a bridge, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge. This classification mechanism requires the association of a specific Port VLAN Identifier, or PVID, with each of the bridge's ports. In this case, the PVID for a given port provides the VLAN ID for untagged and priority-tagged frames received through that port.

    > For bridges that implement port-and-protocol-based VLAN classification, the VLAN ID associated with an untagged or priority-tagged frame is determined based on the port of arrival of the frame into the bridge and on the protocol identifier of the frame. For port-and-protocol-based tagging, the VLAN bridge has to look at the Ethertype, the SSAP or the SNAP type of the incoming frames. When the protocol is identified, the VID associated with the protocol group to which the protocol belongs is assigned to the frame. This classification mechanism requires the association of multiple VLAN IDs with each of the ports of the bridge; this is known as the VID set for that port.

    > BTV and port & protocol-based VLAN on R3.1-3.2:

    the port default VLAN must be chosen equal to the VLAN used for BTV traffic

    no protocol based VLAN must be defined for IP, otherwise we end up generating a wrong tag when issuing IGMP messages to the end user


    IB VLAN association of port on ASAM-CORE

    Frames received from end users are untagged: the user port can be mapped to multiple VIDs using port-and-protocol-based association or the PVID.

    Frames received from end users are tagged: on the logical port define the different VIDs and configure the frames received from the end user as tagged; frames sent back to the subscriber are set to single tagged.

    [Figure: CPE - LT - E-MAN network for both cases. In the untagged case the LT classifies IPoE and PPPoE traffic into different VIDs, with a third VID (xxx) marked as the PVID; in the tagged case the CPE already sends IPoE, PPPoE and xxx tagged.]

    Behaviour of the RB VLAN association on the AMS:

    > Frames received from the end users are tagged: Association Settings - Send frames back to the subscriber as: Single Tagged

    > Frames received from end users are untagged: Association Settings - Send frames back to the subscriber as: Untagged


    IB VLAN association of port on ASAM-CORE

    VLAN translation, frames received from end users are tagged

    Subscriber VLAN (CPE)   Bridge port   Network VLAN (per service and per provider)
    VLAN 1 (HSIA)           Bridge 10     VLAN 10 (HSIA, SP1)
    VLAN 2 (Video)          Bridge 20     VLAN 20 (VoD, SP1) + MCast VLAN 30 (BTV, SP1)
    VLAN 3 (Voice)          Bridge 40     VLAN 40 (Voice, SP3)
    VLAN 5 (HSIA)           Bridge 11     VLAN 11 (HSIA, SP2)
    VLAN 6 (Video)          Bridge 21     VLAN 21 (VoD, SP2) + MCast VLAN 31 (BTV, SP2)

    > Many operators base their network architecture on one PVC per service when connecting ADSL subscribers. Once those operators start deploying VDSL, they need to use the VLAN as a "PVC emulation".

    > The ISAM supports the ability to emulate a multi-PVC configuration on an EFM interface using the VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN ids at the subscriber interface with a set of forwarding engines chosen from the following list:

    VLAN-CC (transparent or protocol aware): the C-VLAN received at the user side is either forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN stacking).

    i-Bridge: the VLAN received at the user side is bridged into an i-bridge identified by the same VLAN id.

    IP aware bridge

    IP routing

    > Additionally, in case of VLAN-CC or i-Bridge, VLAN translation is supported to make wholesaling possible without impacting the CPE configuration: starting from a set of pre-defined C-VLAN tags at the CPE side (i.e. the same for all CPEs), it is possible to retag the received packet with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN (VLAN-CC), so that the traffic can be passed to the VLAN associated with the couple (service provider, service).


    Configuration of the port on VLAN in IB

    Add ports to VLAN:

    on ASAM-CORE: bridge port VID mapping

    on SHUB: define egress ports within the VLAN

    [Figure: NT with the aggregation function, the control/mgt functions and the control link; external Ethernet links GE/FE 1..7; ASAM links GE1..GE16 towards the LIMs, each LIM with its IWF and PVCs.]

    In the SHUB:

    create VLAN in RB mode

    add NW interfaces and all ASAM interfaces to this VLAN

    In the ASAM:

    create VLAN in RB mode

    add port to VLAN


    Create VLAN association on bridge port (1/2)

    Equipment > select configured bridge port > Create > VLAN Association


    Create VLAN association on bridge port (2/2)

    define scope (local for a subscriber VLAN)

    send frames back to subscriber as: untagged


    Define PVID on bridge port

    Modify VLAN association - Object details view: select the default VLAN and click OK


    RB VLAN association with VLAN translation

    VLAN scope: local

    Equipment > select configured bridge port > Create > VLAN Association: local subscriber VLAN, select network VLAN

    > E.g. you configure a RB VLAN association with VLAN translation on a VDSL EFM bridge port. The modem is configured such that it generates tagged traffic, e.g. local subscriber VLAN 10. This subscriber VLAN is translated into the network VLAN 150. All frames returned to the subscriber should again carry VLAN tag 10: configure that the frames returned to the subscriber are single-tagged.


    IB VLAN association of port on ASAM-CORE (CLI)

    Define VIDs in the configure bridge port command:

    configure bridge port 1/1//::#vlan-id or

    vlan-id stacked

    VLAN translation:

    Configure bridge port 1/1//::#

    vlan-id vlan-scope network-vlan

    Define PVIDs in the configure bridge port command:

    configure bridge port 1/1//::#

    pvid

    > No VLAN translation:

    leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 720
    leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
    #---------------------------------------------------------------------------------------------------
    port 1/1/4/1:8:36
    max-unicast-mac 4
    vlan-id 720
    exit
    Exit

    > With VLAN translation:

    leg:isadmin>configure>bridge>port>1/1/4/1:8:36# vlan-id 100 vlan-scope local network-vlan 720
    leg:isadmin>configure>bridge>port>1/1/4/1:8:36# info
    #---------------------------------------------------------------------------------------------------
    port 1/1/4/1:8:36
    max-unicast-mac 4
    vlan-id 100
    network-vlan 720
    vlan-scope local
    exit
    Exit
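    How a bridge port classifies an incoming frame into a VLAN and retags the reply, as an added example written for this page (not ISAM software). It covers the association rules of the previous slides in one place: tagged subscriber VLANs, port-and-protocol-based association for untagged frames, the PVID fallback, local-scope VLAN translation (`vlan-id 100 vlan-scope local network-vlan 720` above) and the RB VLAN protocol group filter, plus the "send frames back to the subscriber as untagged / single tagged" setting for the downstream direction. The `Association`, `Frame` and `BridgePort` classes, the return codes and the sample ports are assumptions of the example; the Ethertype values are the IEEE assignments for IP, ARP and PPPoE.

```python
from dataclasses import dataclass
from typing import Optional

# Ethertype -> protocol group used for port-and-protocol-based classification
PROTOCOL_GROUP = {0x0800: "ipoe", 0x0806: "ipoe", 0x8863: "pppoe", 0x8864: "pppoe"}


@dataclass
class Association:
    """One 'vlan-id' association under a bridge port (assumed structure).
    vlan_id:      VID on the subscriber side (or the network VID when not translated)
    network_vlan: VID in the E-MAN; equal to vlan_id unless 'vlan-scope local' is used
    protocol:     'ipoe' / 'pppoe' for port-and-protocol-based association of untagged frames
    send_back:    'untagged' or 'single-tagged' for frames returned to the subscriber"""
    vlan_id: int
    network_vlan: Optional[int] = None
    protocol: Optional[str] = None
    send_back: str = "untagged"

    def __post_init__(self):
        if self.network_vlan is None:
            self.network_vlan = self.vlan_id


@dataclass
class Frame:
    ethertype: int               # Ethertype of the payload (after any 802.1Q tag)
    vid: Optional[int] = None    # None for untagged; 0 means priority-tagged


class BridgePort:
    def __init__(self, name, associations, pvid=None, vlan_filters=None):
        self.name = name
        self.associations = list(associations)
        self.pvid = pvid
        # network VID -> protocol group filter of that RB VLAN:
        # 'all' | 'ipoe' | 'pppoe' | 'pppoe-ipoe'
        self.vlan_filters = vlan_filters or {}

    def _find(self, **match):
        for a in self.associations:
            if all(getattr(a, k) == v for k, v in match.items()):
                return a
        return None

    def classify_upstream(self, frame):
        """Return (network_vid, how); network_vid is None when the frame is dropped."""
        group = PROTOCOL_GROUP.get(frame.ethertype, "other")
        if frame.vid not in (None, 0):                    # tagged subscriber VLAN
            assoc, how = self._find(vlan_id=frame.vid), "tagged"
        else:                                             # untagged / priority-tagged
            assoc, how = (self._find(protocol=group) if group != "other" else None), "protocol"
            if assoc is None and self.pvid is not None:
                assoc, how = self._find(vlan_id=self.pvid), "pvid"
        if assoc is None:
            return None, "no VLAN association"
        allowed = self.vlan_filters.get(assoc.network_vlan, "all")
        if allowed != "all" and group not in allowed.split("-"):
            return None, f"protocol filter {allowed} on VLAN {assoc.network_vlan}"
        return assoc.network_vlan, how

    def tag_downstream(self, network_vid, ethertype):
        """Frame returned to the subscriber for traffic from network VLAN network_vid."""
        assoc = self._find(network_vlan=network_vid)
        if assoc is None:
            return None                                   # VLAN not associated to this port
        vid = assoc.vlan_id if assoc.send_back == "single-tagged" else None
        return Frame(ethertype=ethertype, vid=vid)


if __name__ == "__main__":
    # constructed port: subscriber VLAN 10 translated to network VLAN 150, plus PVID 720
    p = BridgePort("1/1/4/1:8:36",
                   [Association(10, network_vlan=150, send_back="single-tagged"), Association(720)],
                   pvid=720, vlan_filters={150: "pppoe-ipoe", 720: "all"})
    print(p.classify_upstream(Frame(0x0800, vid=10)))   # IP tagged 10 -> network VLAN 150
    print(p.classify_upstream(Frame(0x0800)))           # untagged IP -> PVID 720
    print(p.tag_downstream(150, 0x0800))                # comes back single-tagged with VID 10
```

    The filter check runs after classification on purpose: a frame can be mapped to a VLAN by its tag and still be dropped because that RB VLAN only passes PPPoE and IPoE, which is the behaviour of the protocol group filter on the VLAN rather than of the association.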


    Deletion of VLAN

    First remove VLAN associations on VLAN

    Then delete VLAN


    Deletion of VLAN

    It is not possible to delete a VLAN if there are still ports attached to the VLAN

    Deleting VLAN on ASAM-CORE

    configure vlan no id

    Deleting VLAN on SHUB

    configure vlan shub no id


    VLAN related show commands

    Selection of multiple show vlan commands; display the list of commands via show vlan ?

    Interesting commands on ASAM-CORE:

    show vlan residential bridge: gives all bridge ports connected to the VLAN

    show vlan bridge-port-fdb < bridge port id >: gives all MAC addresses learned or configured on that port

    show vlan fdb: gives the MAC addresses learned on all ports of that VLAN

    show vlan port-vlan-map: gives all the VLANs to which that port is mapped

    The same commands are available on the SHUB.


    Exercises


    > Perform these exercises with CLI and AMS unless specified otherwise.

    Perform the retrieval exercises on the board and ports assigned to you.

    1. Which VLANs are created on the NE?

    2. What is the forwarding mode of VLAN 200 (cross-connect, residential bridge)?

    3. What are the ports belonging to VLAN 200 on the SHUB? Explain what you see.

    4. Which logical ports are associated to VLAN 200?

    5. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-a. Note: for the downstream forwarding, we assume that the SHUB knows the MAC addresses of the end user within the respective VLANs.


    > What happens when the end-user sends a frame with VLAN tag 200?

    > What happens when the end-user sends a frame with VLAN tag 300?

    > What happens when the end-user sends an untagged frame?

    > What happens with a frame with VLAN tag 200 coming from the network?

    > What happens with a frame with VLAN tag 300 coming from the network?

    6. How many MAC addresses can be learnt in VLAN 200 on the logical user port VP/VC 8/35 of port TRAINING-a?

    7. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-b. Note: for the downstream forwarding, we assume that the SHUB knows the MAC addresses of the end user within the respective VLANs.

    Figure: ingress and egress on the DSL port (PVC 8/35) with VLAN tags 150, 160, 210 and 50


    What happens when the end-user sends a frame with VLAN tag 150?

    What happens when the end-user sends a frame with VLAN tag 50?

    What happens when the end-user sends an untagged frame?

    What happens when a frame with VLAN tag 150 is sent towards the end user?

    What happens when a frame with VLAN tag 160 is sent towards the end user?

    What happens when a frame with VLAN tag 210 is sent towards the end user?

    What happens when a frame with VLAN tag 50 is sent towards the end user?

    What happens when an untagged frame is sent towards the end user?

    8. How many MAC addresses can be learnt on the user logical port PVC 8/35 on port TRAINING-b within VLAN 50?


    For these exercises go back to the board and ports assigned to you to do the configuration exercises.

    1. Go to the port that you configured before and where the modem is connected. Use CLI to apply the service with VLAN id 150 as default VLAN to PVC 8/36. Frames coming from the end user are untagged. You should be able to connect with 2 PCs. A DHCP server is available on the other side.

    Setup (diagram)

    2. Check if you are able to get an IP address from the DHCP server. Note: depending on the modem setup you need to either use VMware on the trainee PC or disconnect your PC from the AUA LAN and connect the PC to the modem (or connect your own PC to the modem). Ask the teacher what to do! Force your PC to ask for a new IP address (DHCP release/renew): ipconfig /release and ipconfig /renew. What is the IP address you received? What is the IP address of the DHCP server?

    3. Check the MAC address learnt on your bridge port using AMS and CLI.


    4. Are you able to ping the PC of one of your colleagues connected to the same ISAM? Explain.

    5. Use the AMS to associate logical port 8/35 with VLAN 200 as the default VLAN. Frames coming from the end user are untagged. You should be able to connect with 3 PCs to this connection. VLAN 200 terminates on a BRAS, so use PPPoE to set up a connection. Check if you can surf the web. Note: depending on the modem setup, the PPPoE session needs to be initiated from the modem or from the PC. Ask the trainer what to do!

    Setup (diagram)

    6. Check the MAC address learnt on the VP/VC 8/35 and VP/VC 8/36 with the AMS. What do you notice? Explain what you see.

    7. Use the AMS to remove the RB VLAN with id 200 from the 8/35 ATM termination point on your port.

    8. Use the CLI to remove the RB VLAN with id 150 from the 8/36 ATM termination point on your port.


    9. Create an RB VLAN with VLAN ID 20x (x = adsl-x) via CLI. All traffic types are possible within the VLAN. The VLAN is the default VLAN on logical port 8/35. 4 user sessions are possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Try to initiate a PPPoE session towards the network. Verify if your configuration works. Note: the BRAS will not provide you with an IP@ (setup of the network currently not ready).

    Setup (diagram)

    10. Create a service for an RB VLAN on the AMS. All traffic types are possible within the VLAN. 4 user sessions are possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Leave the status "under construction". Note: use a unique VLAN-ID per [IP-edge, ISAM] pair to prohibit user-to-user communication.

    11. You want to have line identification information on the DHCP server. Try to apply the change and explain.


    12. Use the AMS to associate the service you just created on VP/VC 8/36 of the port assigned to you. The VLAN id to be used is VLAN 16x (x = adsl-x). Frames coming from the end user are untagged. VLAN 16x is the default VLAN. Check if your configuration works by setting up a DHCP session and see if you are able to receive an IP@.

    Setup (diagram)

    13. Release your IP address (ipconfig /release).

    14. Your management changed its mind and VLAN 16x can only be used for PPPoE traffic. Apply the change with CLI. Check if you are still able to retrieve an IP@ via DHCP. Does it work? Why? Why not?

    15. In normal operation, would you apply such a change with CLI?

    16. Your management changed its mind again, and now only wants IPoE traffic in VLAN 16x and option 82 disabled. Apply the change with AMS. Check if you are still able to retrieve an IP@ via DHCP. Does it work? Why? Why not?


    17. Can you ping the client PC from the server side on VLAN 16x? Ask the trainer to assist you, since access to the DHCP server is secured. First check the ARP table of the DHCP server and make sure the MAC@ of your PC is no longer in the self-learning table of VLAN 16x, then issue the ping command. What do you notice? Explain.

    18. Force the system to allow broadcast frames to pass through in the downstream direction. Use a CLI command to achieve this goal. Verify, and explain what you notice.

    19. Delete the association with VLAN 20x from VP/VC 8/35 on your port and associate VP/VC 8/35 with VLAN 21x. VLAN 21x is an RB service and its parameters are such that only PPPoE traffic is allowed on this VLAN. Perform this exercise with the AMS. Check if your setup works. What is the IP@ you get from the BRAS? What is the IP@ you got from the DHCP server? Note: the BRAS will not provide you with an IP@ (setup of the network currently not ready).

    Setup (diagram)


    20. Try to delete VLAN 16x from the ISAM via the AMS. What happens? Explain. Note: if it is not possible, just proceed to the next exercise after the explanation.

    21. Version 2 of the service with VLAN-ID 16x has been deployed in the entire network. Delete version 1 from the AMS.

    22. MC teaser. Set up an MC control channel on VP/VC 8/36 and allow your user to see package 1. Ask the teacher for assistance and see if you can watch some video.

