D2s 2.Intelligent Bridging.pdf

7302-7360 ISAMR4.6 High Cap. NT/5520 AMS - L2 & PPPoX forwardingStudent Guide

Copyright © 2013 Alcatel-Lucent. All Rights Reserved.

COPYRIGHT © ALCATEL-LUCENT @@YEAR. ALL RIGHTS RESERVED.

Student GuideTAC42051_V1.1-SG Edition 2.0

Passing on and copying of this document, use and communication of its contents not permitted without written authorization from Alcatel-Lucent

@@COURSENAME@@PRODUCT

3COPYRIGHT © ALCATEL-LUCENT 2013. ALL RIGHTS RESERVED.

Course outline

1. Technologies

1. L2 Technology

2. Layers Intro

2. NE Operation

1. ISAM as a L2/iBridge

2. IHUB L2 Forwarding

3. Intelligent Brigding IACM

4. Enhanced Intelligent Bridging

5. VMAC

6. PPPoX Handling in ISAM

7. ISAM as a L2-CC

8. Cross Connect IACM

3. Maintenace

1. IHUB Mirroring

Welcome to 7302-7360 ISAM

R4.6 High Cap. NT/5520 AMS - L2 & PPPoX forwarding

1. Technologies

1. L2 Technology

2. Layers Intro

2. NE Operation

1. ISAM as a L2/iBridge

2. IHUB L2 Forwarding

3. Intelligent Brigding IACM

4. Enhanced Intelligent Bridging

5. VMAC

6. PPPoX Handling in ISAM

7. ISAM as a L2-CC

8. Cross Connect IACM

3. Maintenace

1. IHUB Mirroring


@@COURSENAME@@PRODUCT

4COPYRIGHT © ALCATEL-LUCENT 2013. ALL RIGHTS RESERVED.

Course objectives

� Upon completion of this course, you should be able to:

� Explain Ethernet as a technology and elements of ethernet frames� Understand VLANs (virtual local area network) and how they are supported by the Ethernet.

� Explain different ways to establish IP connectivity to access the Internet,� Give an overview of the different forwarding modes that are available,� Describe and Configure a L2 service onto the ISAM & interconnect of end users to the respective L2 service for Residential Bridge and the different,Cross Connect modes

� Associate an RB or XC VLAN to a bridge port,� Explain and enable virtual MAC addresses implementation,� Describe Enhanced Intelligent Bridging and explain how it differs from plain Layer 2 forwarding,

� Retrieve Enhanced Intelligent Bridging data from the ISAM,� Configure Enhanced Intelligent Bridging on the ISAM with AMS and CLI,� Describe the different models for PPP handling in the ISAM,� Describe and configure mirroring

7302-7360 ISAM


Upon completion of this course, you should be able to:

� Explain Ethernet as a technology and elements of ethernet frames

� Understand VLANs (virtual local area network) and how they are supported by the Ethernet.

� Explain different ways to establish IP connectivity to access the Internet,

� Give an overview of the different forwarding modes that are available,

� Describe and Configure a L2 service onto the ISAM & interconnect of end users to the respective L2 service for Residential Bridge and the different,Cross Connect modes

� Associate an RB or XC VLAN to a bridge port,

� Explain and enable virtual MAC addresses implementation,

� Describe Enhanced Intelligent Bridging and explain how it differs from plain Layer 2 forwarding,

� Retrieve Enhanced Intelligent Bridging data from the ISAM,

� Configure Enhanced Intelligent Bridging on the ISAM with AMS and CLI,

� Describe the different models for PPP handling in the ISAM,

� Describe and configure mirroring


Your feedback is appreciated!

Please feel free to Email your comments to:

[email protected]

Please include the following training reference in your email:

TAC42051_V1.1-SG Edition 2.0

Thank you!

7302-7360 ISAM � R4.6 High Cap. NT/5520 AMS - L2 & PPPoX forwardingNE Operation � ISAM as a L2/iBridge

2 � 1 � 1COPYRIGHT © ALCATEL-LUCENT 2013. ALL RIGHTS RESERVED.

Module 1ISAM as a L2/iBridge

Section 2NE Operation

7302-7360 ISAM



TAC42050-HO03 Edition I2.0

Learning experience powered byAlcatel-Lucent University



Section 2 � Module 1 � Page 1



Module objectives

After attending this session, you will be able to:• Describe the forwarding mode “intelligent Bridging” (Residential Bridge VLAN)






Table of Contents

1 Introduction 7

2 Intro Standard Bridging 10

3 Intelligent Bridging 14

4 Intelligent Bridging types 29

5 Intelligent Bridging (MPLS) 32

Page

1 Introduction 71.1 General Overview 81.2 Intelligent Bridging overview 92 Intro Standard Bridging 102.1 Standard bridging concept 112.2 Security/scalability issue with standard bridging 122.3 Standard bridging: Issues 133 Intelligent Bridging 143.1 The intelligent bridging model 153.2 Intelligent Bridging: shared VLAN per protocol 183.3 Intelligent Bridging: Shared VLAN service 193.4 Intelligent Bridging: VLAN association 203.5 Intelligent bridging: network issues 213.6 Broadcast messages & flooding US 223.7 Broadcast messages & flooding DS 233.8 Secure MAC address learning 243.9 Duplicate MAC-address learning 253.10 Intelligent Bridging, things to consider 263.11 Intelligent Bridge: Summary 284 Intelligent Bridging types 294.1 I-Brigde Modes 304.2 Summary: Intelligent Bridge mode 315 Intelligent Bridging (MPLS) 325.1 Unified forwarding model for Access + Aggregation 335.2 MPLS Applications - Virtual Private LAN Service (VPLS) 34






1 Introduction






Networkside User

side

7302 ISAM

Eth-VLAN

L2Eth - VLAN

Anything

Phys layer

ATM/AAL

Eth – (VLAN)

Anything

Phys layer

Eth – (VLAN)

Anything

• layer 2 forwarding

• Ethernet layer must be present at both sides

• encapsulation at CPE must include Ethernet

Phys layer

GEM

Eth – (VLAN)

Anything

Intelligent Bridge (IB)VLAN Cross-Connect (CC)Enhanced iBridge

L2

Forwarding mode Decision

Forwarding models capable of handling DHCP traffic

Forwarding models capable of handling PPP traffic

1 Introduction

1.1 General Overview

CPE




In case the 7302 ISAM performs L2 forwarding, it means that the internal forwarding is

basically done on layer 2 information. The layer 2 is Ethernet, including the concept of

VLANs.

In both layer 2 forwarding models (intelligent bridge as well as cross-connect), the ISAM

can accept tagged frames coming from a user. The operator can configure exactly which

tag is to be expected on the bridge port and frames carrying another tag will be discarded

(filter).

In case of VLAN translation, the user sends tags that are recognized, but only have a local

meaning and will immediately be translated into a network vlan.

In case of cross-connect, it is possible to have C-VLAN transparency (where only the S-

VLAN is configured in the ISAM). In that case, the user can send any C-VLAN. The ISAM

will not filter based on C-VLAN. See section on cross-connect.



1 Introduction

1.2 Intelligent Bridging overviewShared VLAN

Switch73xx

BTVVLAN

HSIVLAN

VideoVLAN

VLAN per service

VoIP VLAN

Aggregation Network

IP backboneNetwork

Content Network

IP Router

Ethernet switch

Home Network

Access Network

Internet

New services

Video server

Callserver

Most customers require a VLAN per service between ISAM and EMAN, which is




Most customers require a VLAN per service between ISAM and EMAN, which is

Intelligent Bridging per service in ISAM.



2 Intro Standard Bridging







2.1 Standard bridging concept

• MAC bridges can interconnect all kinds of LANs together

• no guaranteed delivery of frames

• a bridge learns MAC addresses

• flooding occurs when destination MAC address is broadcast, multicast

or unknown

• if you do not know, send it to everybody,

except on the interface where the frame was received

• if the destination MAC address has been learned, the frame is

forwarded to the indicated interface







2.2 Security/scalability issue with standard bridging

• broadcast frames (ARP, PPPoE-PADI…) are forwarded to

all users & flooding to all ports

• MAC-address of a user is exposed to other users

• broadcast storms

Ethernet

BRASDSLAM

DSLAM

BR

BC or unknown MAC DA

��


CPE

CPE

CPE




The issue on the slide occurs with standard Ethernet bridges. Operators using VPLS in the E-

MAN will not have this issue!




2.3 Standard bridging: Issues

• Broadcast storms

• Security

• broadcast frames are forwarded to all users

• Customers identified by MAC-address (not guaranteed unique)

• Restrictions on services and revenues:

• IP edge device has no info on the access line

• so not possible to limit the # of sessions per access line

• user-to-user communication possible without passing the BRAS

NOT FIT FOR USE IN PUBLIC NETWORKS

Scalability:




Scalability:

�Broadcast storms

� Broadcast frames are flooded over the entire aggregation network . This

generates an important amount of traffic, that can result in service degradation or

denial of service.

� Bridges have to learn MAC-addresses of all devices connected to the network

Security

�Broadcast frames (ARP, PPPoE - PADI, …) are forwarded to all users

� MAC-address of a user is exposed to other users

Customer segregation

�Customers are identified by MAC-address, and MAC-addresses are not guaranteed unique

� Undesirable & unstable behavior: user B gets traffic destined to user A and vice

versa.

PADI = PPPoE Active Discovery Initiation packet (which is broadcasted). This is the first

message in the initialization phase to establish a PPPoE session.



3 Intelligent Bridging







3.1 The intelligent bridging model

• special layer 2 behavior needed in an access environment

• IB with VLAN tagging

• Intelligent Bridge (IB) means

• distinction between network ports and user ports

• frames from a user always sent towards the network

• no user to user communication

• prevent broadcast traffic from escalating

• avoid broadcast or flooding to all users

• secure MAC-address learning within a VLAN

• avoid MAC-address duplication over multiple ports

• protocol filtering

• may lead to a frame being forwarded, sent to a host processor, discarded or

forwarded & sent to a host processor

In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging is that it makes




In a standard bridge all ports are treated equally. The special thing about Intelligent Bridging is that it makes

a distinction between network ports and user ports.

With Intelligent Bridging, frames received from a user will always be sent towards the network and never to

another user. All traffic received from a user interface is forwarded only on the uplink, and never to other

users. This protects a user's MAC-address from being exposed to other users; and also ensures that user's

traffic is passing through the IP edge point where it can be charged for.

� Unicast frames: user-to-user communication is not permitted.

� Broadcast and multicast frames from a user are only forwarded to the interface towards the network and

not to all other users.

A second difference with standard bridging is the prevention of broadcast storms:

In a standard bridge, a broadcast frame will be sent to all ports in a particular VLAN. In case of an Intelligent

Bridging, this is not done.

Depending on the type of broadcast frame (depending on the protocol above Ethernet e.g. DHCP) the

treatment will be different. Each protocol will deal with the restriction of Intelligent Bridging in a different

way. In all cases a broadcast to all users is avoided. For example, broadcast as a consequence of flooding

(when the MAC DA is unknown) or in case of multicast.

Another difference with standard bridging is the way MAC addresses are learned: protection is built in to avoid

the use of the use of the same MAC address over multiple ports, within one VLAN.

With intelligent bridging only the following types of frames are accepted from the user ports: IP, ARP, PPPoE,

IGMP and EAPOL (used for 802.1x). Other frames will be discarded, including multicast data frames coming

from user ports.




3.1 The intelligent bridging model [cont.]

• multiple users connected to 1 VLAN ID (aggregation of multiple subscribers

within a service/provider VLAN)

• why VLAN translation (customer vlan to network vlan)

• wholesale per service

• Drivers: VDSL and Eth offer more BW, so it makes sense to wholesale this “in

pieces” rather than the complete DSL line as a whole

• Consequences: Model with VLANs on DSL line; behaviour equivalent to multi-VC

model on ATM/ADSL

• VLAN per service and per provider in the aggregation network

• Service provider is free to choose CPE configuration, but VLANs in aggregation

network are under control of ILEC

• ultimately 1 subscriber (1 line) may have to support 2 HSIA services or 2

video services from different service providers




Intelligent bridging allows multiple users to share a single VLAN.

There are many operators who base their network architecture on one PVC per service when

connecting ADSL subscribers. Once those operators start deploying VDSL, they are

immediately confronted with the issue, that their is no similar approach for EFM interfaces.

That’s why VLAN Translation was introduced.

This requirement is driven by the wholesale model. Operators want to use a network

model, whereby; a given user can be subscribed to a different service provider for each

service. Therefore, they want to have separate "circuits" per service all the way to the CPE.

They are looking at a model of VLAN/service on the DSL line, and VLAN/service/ISP in the

aggregation network.




3.1 The intelligent bridging model [cont.]

• IB-VLAN has:

• 1 or more user logical ports, subtending ports or user Ethernet ports

• 1 or more network ports

Internet

E-MANNetwork

ISP2

ISP1

E-MANNetwork

IP

Internet

ISP

Corporate

Login to ISP or corporate

BRAS

Routing to the correct ISP is based on the VLAN-id

Routing to the correct ISP is done based on user-id and password in the BRAS




In case of Intelligent bridging multiple users are connected to the same VLAN, or in other

words we have aggregation at the DSLAM level within a VLAN.

In the figure at the left, we see multiple VLAN bridges supported in 1 DSLAM, which connect

to different Service Providers (SP) (wholesale). Each SP is connected to the DSLAM with a

specific VLAN-ID. The user ports are connected to the VLAN of their corresponding SP.

Multiple user ports can be associated to a single VLAN-ID.

• Users 2 and 5 are connected to the ISP1 VLAN.

• Users 1, 3 & 4 are connected to the ISP2 VLAN.

The MAC address lookup is performed in the forwarding table of the respective VLAN. With

the principle that we have 1 VLAN ID per {IP-edge-DSLAM} pair means that in each Ethernet

switch the SP has its own forwarding table.

In the figure at the right we see that the routing to the correct SP is based on user-id and

password and that all the users are connected with the same VLAN-ID to the BRAS.




3.2 Intelligent Bridging: shared VLAN per protocol • Setup with singe PVC modem setup

• Only relevant in architecture with BRAS support

DHCP Server

BTV

HSI PPPoE

73xx ISAM

VLAN per service (IPoE/PPPoe)-”protocol”BTV distinction

IPoE

PPPoE

xxx

PPPoExxx

IPoE

= PVID

PVC per user/EFM

IPoE

Router

BRAS

L2 service

BTV

HSI PPPoE

IPoE@

Switch




Frames received from end users are untagged:

• User port can be mapped to multiple VID using port-Protocol based association

or PVID




3.3 Intelligent Bridging: Shared VLAN service

• Setup with multiple PVC modem model

Router

BRAS

Switch

73xx ISAM

n PVC/VLAN per user

BTV

VoIP

VLAN per serviceBTV distinction

HSI

Video

@

BTV

VoIP

HSI

Video

@

L2 service

DHCP Server

@




Frames received from end users are tagged:

• On logical port define different VIDs and configure frames received from end-

user as tagged

• Send frames back to the subscriber to be set as Single Tagged




3.4 Intelligent Bridging: VLAN association

•VLAN Translation, frames received from end users are tagged:

• VLAN/service

• VLAN/service/provider

VLAN per service & per provider

VLAN 10 (HSIA, SP1)

VLAN 20 (VoD, SP1)

VLAN 30 (BTV, SP1)

VLAN 40 (Voice, SP3)

VLAN 11 (HSIA, SP2)

VLAN 21 (VoD, SP2)

VLAN 31 (BTV, SP2)

Network VLAN

Bridge 10

Bridge 20

MCast

Bridge 40

Bridge 11

Bridge 21

ISAMBridge Port

VLAN per service & per provider

VLAN 1 (HSIA)

VLAN 2 (Video)

VLAN 3 (Voice)

VLAN 5 (HSIA)

VLAN 6 (Video)

Subscriber VLAN

CPE

There are many operators who base their network architecture on one PVC per service




when connecting ADSL subscribers. Once those operators start deploying VDSL, they

need to use the VLAN as a "PVC emulation".

The ISAM support the ability to emulate a multi-PVC configuration on an EFM interface

using the VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN Ids at

the subscriber interface with a set of forwarding engines being chosen from the

following list:

• VLAN-CC (Transparent or Protocol aware): In this case, the C-VLAN received at the

user side is either forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN

stacking).

• i-Bridge: In this case, the VLAN received at the user side will be bridged into an i-

bridge identified by the same VLAN Id.

• IP Routing

Additionally, in case of VLAN-CC or i-Bridge, we support VLAN translation to make

wholesaling possible without impacting the CPE configuration. Starting from a set of

pre-defined C-VLAN tags at the CPE side (i.e. the same for all CPEs), it is possible to

retag the received packet with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN

(VLAN-CC), so that the traffic can be passed to the VLAN associated with the

combination of service provider and service.




3.5 Intelligent bridging: network issues

Problem:If user A can obtain the MAC@ of User C, since the Ethernet switch learns all Mac @ , user to user communication is possible

��

IP edge ISAM

VLAN1

BR

ISAM

Ethernet

CPE

CPE




On the previous slides, we learned how user-to-user communication is avoided inside the

ISAM. But, it is also important to mention that a VLAN must be unique between an [IP-edge-

ISAM] pair in the Ethernet network to support the Intelligent Bridging feature. For example,

take the network configuration shown above, where 2 ISAMs with the same VLAN ID are

connected to the IP edge via the EMAN network through a single VLAN. Or in other words a

single VLAN exists between ISAM1, ISAM2, and the IP-edge).

In this case, the Ethernet switch learns all user MAC addresses and if user A can obtain the

MAC address of user C, then user A can send traffic directly to user C without going to the

IP-edge. This is not acceptable: in Intelligent Bridging mode no direct user to user

communication is allowed in the network.

Another issue is that in such a configuration, an ISAM would receive all broadcast / flooded

frames from any ISAM in the VLAN, with potential performance issues as a consequence.




3.6 Broadcast messages & flooding US

• upstream BC frames & flooding only forwarded towards network

port(s) within a VLAN

• 1 VLAN per IP-edge

• reduction of flooding in the aggregation network

• no user-to-user communication without passing the BRAS

Ethernet

BRAS

PC A

ISAM

PCISAM

PC B


BR

☺☺☺☺

VLAN 1

VLAN 2

CPE

CPE

CPE




Blocking user-to-user communication at Layer 2:

The principle is to avoid 2 users connected to the same ISAM communicating with each other

directly at Layer 2. In this case, when user A sends a message with destination MAC-address

B, that message is sent to the uplink, not to user B.

In case of PPP this is not an issue, since all messages coming from the DSL users will have

destination MAC-address equal to the MAC-address of the BRAS

The objective is that all traffic passes through a Layer 3 box. The motivation is twofold:

�Security:

If direct user-to-user communication at L2 would be allowed, this would give malicious

users an easy way to find out the MAC address of other users, and then try to take it

over. Note: blocking duplicate MAC-addresses will solve most of it, but if the malicious

user is waiting until the MAC-address has aged, and then tries to take it for himself, he

blocks the other user.

�Accounting for traffic:

If we would allow for user-to-user communication directly in the ISAM, we would also

have to introduce mechanisms to measure and account for the traffic. Not just for

billing purposes (most services will likely not use volume-based billing), but also for

features such as legal intercept. So in other words, this kind of peer-to-peer traffic

would be “hidden” to the operator. Peer-to-peer traffic operators will probably not like

that.




3.7 Broadcast messages & flooding DS

• blocking of broadcast & flooding in the downstream

• Avoids messages unintentionally distributed to all users

• For some applications forwarding of BC is “needed”

• Solution: Make BC flooding / BC discarding a configurable option per VLAN

ISAM

Ethernet

BRASISAM


BR

☺☺☺☺

CPE

CPE

CPE




In a normal bridge, when a message is received with a destination MAC-address not yet in

the self-learning table, the message is broadcast to all the other interfaces. Also broadcast

messages are flooded to all interfaces. In an Intelligent bridge you want to avoid

broadcasting downstream, where messages are unintentionally distributed to all users.

Therefore, you need to put mechanisms in place that together with the systems set up in

the upstream, will inhibit BC messages to be sent to all users and avoid the flooding of

messages with unknown MAC DA to all users.

For some applications, it is useful that flooding BC is possible. A solution for these

applications is to make flooding BC/discarding BC a configurable option per VLAN.




3.8 Secure MAC address learning• configure maximum number MAC-addresses per port

• prevents attacks that would fill up the bridging tables

• subscription rules: maximum devices connected simultaneously

• configure MAC-addresses for discarding

port Max

Mac@

x 2

MacAETH

Port x

Connected via PPPoE

MacBMacC

bridged

IP

port Mac@

x MacA

x MacB

PADI with source address=MacC

ISAM

VLAN Discard Mac@

ID 00-08-02-E9-F2-9D

Internet

ISP

BRAS

There are two motivations to block the number of MAC-addresses per port:




There are two motivations to block the number of MAC-addresses per port:

• Security: avoid that a malicious user can fill up all the complete bridging table of devices in

the network (DSLAM and others), by sending traffic with different MAC addresses.

• Service differentiation: by limiting the number of MAC addresses per port, the operator can

offer different types of service subscriptions to the user, limiting or allowing a certain

number of devices to connect simultaneously to the network. For this application, it is clear

that the limitation should be configurable per port.

Note: In this example the users PCs are connected to the internet via PPPoE. In that case, the BRAS

also has the possibility to limit the number of PPPoE sessions per user-id. Within PPPoE, the unique

PPPoE session-id can be used to provide this additional security. The BRAS can use the PPPoE

session-id for user-identification during the session itself, which is linked to an earlier

username/password given during the PPPoE session set-up. The BRAS knows that a user has been

given so many sessions. If you have maximum sessions on a VP/VC basis, you can also limit the

number of PPPoE sessions per VP/VC. However, in the case of Ethernet Backhaul, the BRAS has no

info on the VP/VC sessions.

Within DHCP, there is no information that identifies the user. In that case, limiting the number of

MAC-addresses learned per port on the DSLAM is a possible solution. But what about a multi-edge

environment? .

If we want the DHCP server itself to limit the number of sessions per user, the DHCP request needs

to provide the information that defines the user ( VP/VC , port …). This is possible by implementing

DHCP-option 82 (shown later).

During the creation of a RB-VLAN, in the Residential Bridge VLAN service template, a list of MAC-

addresses for discarding traffic can be added.




3.9 Duplicate MAC-address learning

• Traffic from duplicate MAC-address in separate DSLAM, can be distinguished

as separate flows in the Ethernet switches of the aggregation Network, when

different VLAN id per DSLAM is used

port Mac@

x Mac A

y Mac A

Mac A

Mac A

ETHPort x

Port y

Packet with destination address Mac A

Problem:2 users with same MAC-address, forwarding engine can’t distinguish

�� ?




If a user on line x is using a certain MAC-address and a second user on a different line y is

trying to connect with the same MAC-address, a mechanism should be there so that that

MAC-addresses will only appear once in the (filtering db) learning table of that VLAN.

If this would not be done, then the MAC-address would be overwritten in the bridge's

learning table, such that traffic is forwarded either to user A or B in a rather unpredictable

way. So this feature allows to guarantee uniqueness of MAC-addresses in the aggregation

network.

In the 7302 ISAM, specific rules are implemented making sure that the MAC-address will be

learned once. This is called secure MAC-address learning

We are not only resolving the customer segregation issue bu,t we also avoid that a

malicious user (user 1) cannot take over the MAC-address of user 2 (MAC-address anti-

spoofing, blocking duplicate MAC-address).

Note: MAC-addresses are supposed to be unique per VLAN. They are not necessarily unique

for the complete system.




3.10 Intelligent Bridging, things to consider

• Security Services!

• IP edge has no info on the line id

• Solutions: PPP-connections (BRAS) or DHCP option 82…

• User can access network with a different IP address than the assigned IP

address

• Pure layer 2 device

• No support for duplicate MAC-addresses on the same ISAM

• Within the same VLAN

• Scalability

• Switches learn all MAC addresses of all end-users

• IP edge learns all MAC addresses & IP addresses of all end-users




Anti-IP spoofing: blocking of traffic when user tries to connect to the network with an IP address different

than the IP address which was assigned to him.




3.10 Intelligent Bridging, things to consider [cont.]

• Advised to use unique VLAN per [IPedge-DSLAM]-pair in EMAN

• Avoid user-to-user communication

• Traffic management per DSLAM

• Complex IP network configuration

• When 1 VLAN shared by multiple DSLAMs

• User to user traffic in EMAN

• Easy IP network configuration

• One single subnet for all DSLAMs

• MAC-address spoofing

• Standard MAC address learning at EMAN level

• Traffic will be rerouted to any spoofed MAC address







3.11 Intelligent Bridge: Summary

•Aggregation of multiple subscribers within a service/provider VLAN• Forwarding based on MAC• Line ID addition (PPPoE relay/DHCP opt 82)• Security at layer 2:

• secure MAC learning• no user-to-user traffic (difference between network and user ports)• Blocking of downstream broadcast storms

• Service VLAN stacking supported from R4.5 • Evolved to Enhanced I-bridge

Video - VLAN

VoIP- VLAN

VoD and BTV

VoIP

IBridges for VoIP/HSI/Video

VLAN

VDSL line(PTM)

VLAN

VLANUser 1

HSI

VoIP

VoD+BTV

VLAN

VDSL line(PTM)

VLAN

VLANUser 2

HSI

VoIP

VoD+BTV

HSI – VLAN HSI

IB

IB

IB

@

@

1) TR-101 N:1 model is supported by 7302/7330 I-bridge forwarding model.

2) This forwarding model is an ‘access-based’ evolution of the standard Ethernet bridge




2) This forwarding model is an ‘access-based’ evolution of the standard Ethernet bridge

model, generally used through the IP/Ethernet network.

3) Forwarding is based on the Destination MAC address of the incoming frame, keeping in

mind that frames can only be bridged inside the same VLAN.

4) Hence, several subscriber ports can be assigned to the same VLAN, leading to the

concept of VLAN per service. In this structure, all traffic belonging to one service is

grouped in one VLAN so subscriber identification cannot be done based on VLAN. To

help with this, 7302/7330 is able to insert the line ID in some frames, helping BRAS

(for PPP traffic) or edge routers (for IP traffic) to do subscriber management.

5) So, what is different compared to standard bridging? Mainly, security aspects since

7302/7330 is directly connected to subscribers (secured MAC learning = no duplicated

MACs at subscriber side; no user-to-user communication = to avoid unmanaged traffic

through the network; no broadcast downstream = avoids providing potentially

dangerous information from one subscriber to another).

6) What is the enhanced I-bridge? Basically a normal I-bridge in which IP address anti-

spoofing and other security features have been enabled. IP address anti-spoofing is a

mechanism that keeps track of the IP addresses allocated for each port and discards

any traffic for that port that is not destined to any of those IP addresses.

7) ISAM R4.5 provides support for VLAN Stacking (S+C VLAN) on iBridge forwarder. Better Scalability due

to VLAN stacking.

• Support for Open Access business model by dedicating a S VLAN per service provider and C VLAN per

user.



4 Intelligent Bridging types







4.1 I-Bridge Modes� Intelligent Bridging types:

� The traditional I-Bridge does not support to add / remove VLAN tag

� C-VLAN Ibridge

� Unlike traditional I-Bridge, the S+C Bridge allows for the addition / removal of a

VLAN tag. Two stacked iBridge modes are currently supported:

� S+C iBridge

� S-Tunnel iBridge

I-Bridge

SC-IBridge S-IBridge tunnel

SIBRIDGE

Any C,xS20,Any C,x

Any C, xMAC@ FWD DB

SCIBRIDGE

C10,xS30,C10,x

C10,xMAC@ FWD DB




The traditional I-Bridge in ISAM is called a C-VLAN I-Bridge and this forwarding model does not support adding

/ removing VLAN tag information on customer traffic (it has been explained previously).

In an attempt to keep with growing customer requirements and standard alignment, the ISAM platform also

support stacked VLAN Bridges. With a stacked VLAN bridge, in addition to bridging operations, the operatior

can configure ISAM to add/remove VLAN header to customer upstream / downstream traffic.

The Access Node supporting S+C bridges is considered to be a VLAN aware bridge, where each N:1 VLAN (S-

Bridge) is a separate Virtual Bridge (VB) instance. Each VB performs independent source MAC address learning

and frame forwarding processing. Unlike traditional I-Bridge, the S+C Bridge allows for the addition / removal

of a VLAN tag on upstream egress / downstream egress traffic flows.

Two stacked iBridge modes are currently supported:

• S+C iBridge (called mapped mode)

• S-Tunnel iBridge (called tunnel mode)

The S+C iBridge mode allows C-VLAN tag operations, such as C-VLAN translation, in addition to

adding/removing an S-VLAN header. This forwarding mode requires the operator to configure a VLAN Port for

each C-VLAN.

The S-Tunnel iBridge mode allows the operator to minimize provisioning by creating a tunnel VLAN port on a

specific bridge port. On this bridge port all tagged/untagged customer frames which match the tunnel VLAN

port are encapsulated by an S-VLAN header.

The S+C iBridge mode supports both protocol-unaware and protocol-aware modes of operations. For example,

DHCP option 82 insertion, PPPoE Intermediate Agent and secure forwarding (ARP Relay, DHCP Snooping, IP

anti-spoofing) is supported for protocol-aware S+C iBridge operations.

Protocol awareness is supported for customer untagged and single-tagged frames. Protocol unaware is

supported for customer untagged, single/dual/multi -tagged frames. In context of GPON and EPON access

solutions, some restrictions may apply on the ONT for the ability to support dual and multi-tagged frames.




4.2 Summary: Intelligent Bridge mode

NetVlan 11

NetVlan 31,12

NetVlan 31, 23

NetVlan 51

11 …

14…

12 …

11

1231 …

NetVlan 21

21 …

…

…

…

17 …

…

2331 …

51

ISAM

Ethernet

1

3

4

5……

IB

FDB 11

IB

FDB 21

IB

FDB 31,12

IB

FDB 31, 23

IB

FDB 51

S+C- IB(Mapped)

S-IB(Tunnel)

C-IB

2




All the upstream frames can be untagged, single tag or with several tags (for example, business services). If

the frame has several tag, the ISAM only analyzes the outer tag to forward it (in the case of C-IB does not

add any VLAN and in the case of S+C IB adds a Vlan). In the case of S-IB (tunnel mode), all the vlans are

forwared transparently and the system addes a S-Vlan.

there are 5 different combinations in the Intelligent Bridge forwarding mode:

1. Not Adding Vlan Tag in upstream. User Vlan Specific and not translated

2. Not Adding Vlan Tag in upstream. User Vlan Specific and translated

3. Adding Vlan Tag in upstream. User Vlan Specific and not translated

4. Adding Vlan Tag in upstream. User Vlan Specific and translated

5. Adding Vlan Tag in upstream. Any User Vlan and not translated



ISAM as a L2/iBridgeEnd of module




7302-7360 ISAM � R4.6 High Cap. NT/5520 AMS - L2 & PPPoX forwardingNE Operation � IHUB L2 Forwarding


Module 2IHUB L2 Forwarding


7302-7360 ISAM










Module objectives

Upon completion of this module, you will be able to:

• Give an overview of IHUB concepts

• Explain what a VPN service is

• Explain what kind of services are supported on the new software

• Give an overview of the supported forwarding models






Table of Contents

1 IHUB basic operation 7

2 IHUB L2 forwarding in the overall picture 11

3 Configuration of IHUB VLAN via AMS 16

4 Configuration of IHUB VLAN via CLI 26

Page

1 IHUB basic operation 71.1 The ISAM as a two stage box 81.2 Self learning in the IHUB 91.3 MAC movement & user-to-user communication 102 IHUB L2 forwarding in the overall picture 112.1 Supported forwarding models 122.2 VLANs on the IHUB (1/2) 132.3 L2 Services 153 Configuration of IHUB VLAN via AMS 163.1 AMS: Layer 2 173.2 AMS: Create VPLS service 183.3 AMS: VPLS service details 193.4 AMS: Create a single SAP at a time 203.5 AMS: SAP details (1/2) 213.6 AMS: Create a number of SAPs in one go (1/3) 234 Configuration of IHUB VLAN via CLI 264.1 CLI: VLANs do not show IHUB “VLANs” 274.2 CLI: Configured services info 284.3 CLI: Show v-VPLS service overview 294.4 CLI: Show in which service a SAP is used 304.5 CLI: Show overall FDB 314.6 CLI: Show per service FDB 32






1 IHUB basic operation







1.1 The ISAM as a two stage box

•… will do ethernet switching

• on the NT – IHUB

• on the LT - IWF

•ethernet switch = forwarding engine

• interworking = ATM �� ethernet

LT

IWF FW

Engin

e

NT

xDSL

GPON

P2P-eth

ethernet ethernet

ethernet (encapsulated)

IHUB FW

Engin

e

atm gem …







1.2 Self learning in the IHUB

•Self-learning implemented for both upstream and downstream

•Discard all user unicast frames with MAC DA known on an ASAM or

subtending port

• No user-to-user communication

Learning of Source Mac@

within VLAN

E-MAN

LT

LT

IHUB

E-MAN

X’

Y’

Z’

MacA

MacB

MacC

U’

V’

B� A B� C

LT







1.3 MAC movement & user-to-user communication

From To MAC movement User-to-user communication

Residential Residential Disabled Disabled

Residential Regular Enabled Enabled (including broadcast and multicast

flooding)

Regular Regular Enabled Enabled (including broadcast and multicast

flooding)

Regular Residential Disabled Enabled (including broadcast and multicast

flooding)

•All ports on the IHUB have a category attribute to drive:

• Secure MAC address learning / MAC movement

• User-to-user communication

•The port category can be:

• regular = network uplink ports

• residential = user facing ports (local and remote LT, subtending, and direct user

ports)

•The following rules for MAC movement & port-to-port communication apply:

Note: User-to-user communication can be enabled per V-VPLS instance




Note: User-to-user communication can be enabled per V-VPLS instance

(required for ISAM-V).

MAC address learning can be disabled per V-VPLS instance.



2 IHUB L2 forwarding in the overall picture







2.2 VLANs on the IHUB (1/2)

•VLANs are always emulated by a single v-VPLS, for every forwarding

mode used on the IACM

• For (Unstacked C-VLAN) Intelligent Bridging

• For (Unstacked) C-VLAN Cross Connect

• For (Stacked) S-VLAN Cross Connect

• For the shared S-VLAN part of (Stacked) SC-VLAN Cross Connect

•VLANs have only a single ID

• The C-VLAN for Intelligent Bridging or Unstacked Cross-Connect

• The S-VLAN for Stacked Cross Connect

• Hence only the outer VLAN tag is specified







2.2 VLANs on the IHUB (2/2) [cont.]

•VLANs need SAPs (a port with a tag being the v-VPLS VLAN ID)

• One of more regular ports (network side)

• One or more residential ports (LT side)

• For Residential Bridge and L2 Terminated: potentially all (connected) ASAM ports

• For Cross Connect: only the port for the LT where the user is connected

•VLANs are normally tagged on egress

• Always for residential ports

• For network ports: untagged on egress is possible

• By using zero as the VLAN tag of the SAP

•VLANs normally do not allow user-to-user communication

• Can be enabled per VLAN







2.3 L2 Services

: SAP

VLAN

v-VPLS

IHUB

LT

SAP -> lt:1/1/1:x

SAP -> nt-a:sfp:1:x




VLAN value used at the LT level is forwarded on IHUB by configuring a SAP (Service Access

Point) on a v-VPLS. A SAP is a combination of a physical port (in this case one of the IHUB

ports) and a VLAN ID.

Note: A SAP in the ISAM can be of only one type, q-tagged. Unlike the SAP in IPD

equipment, that can be either untagged, q-tagged or q-in-q tagged.



3 Configuration of IHUB VLAN via AMS







3.1 AMS: Layer 2

equipment

Select NE

Infrastructure

Layer 2

VLAN section shows IHUB “VLANs” as read-only stubs for the actual v-VPLS services







3.2 AMS: Create VPLS service

equipment

Select NE

Infrastructure

Layer 2

Create - L2 Service

L2 Services

See Next Slide

To delete a VPLS, you first have to lock it.







3.3 AMS: VPLS service details

Configure service vpls 300 customer 1 v-vpls vlan 3000 no shutdown

The service ID can be different from the VLAN ID, though it may be good practice to




make them equal. However. service IDs live in a shared namespace between all types

of services (e.g. L2 and L3). So conflict must be avoided and since the service ID has a

huge range [1, 2147483647], it can be useful to derive the service ID from the VLAN in

a logical way (e.g. adding a digit).




3.4 AMS: Create a single SAP at a time

equipment

Select NE

Infrastructure

Layer 2

VPLS Services

VPLS Service

Create VPLS SAP

See Next Slide

To delete a SAP, you first have to lock it.







3.5 AMS: SAP details (1/2)







3.5 AMS: SAP details (2/2) [cont.]

Configure service vpls300 sap lt:1/1/1:3000







3.6 AMS: Create a number of SAPs in one go (1/3)

equipment

Select NE

Infrastructure

Layer 2

L2 Services

L2 Service x

Actions:

Create Port SAPs

See Next Slide







3.6 AMS: Create a number of SAPs in one go (2/3) [cont.]







3.6 AMS: Create a number of SAPs in one go (3/3) [cont.]

The two SAPs created in previous slide






4 Configuration of IHUB VLAN via CLI







4.1 CLI: VLANs do not show IHUB “VLANs”

leg:isadmin>configure>vlan# info

configure

#-------------------------------------------------------------------------------

echo "vlan"

#-------------------------------------------------------------------------------

vlan

broadcast-frames

priority-policy port-default

id 151 mode residential-bridge

name CES

in-qos-prof-name name:Default_TC0

exit


pppoe-relay-tag true

in-qos-prof-name name:all-in-one

circuit-id-pppoe physical-id

remote-id-pppoe customer-id

exit


name VLAN3000







4.2 CLI: Configured services info

leg:isadmin>configure>service# info

----------------------------------------------

customer 1 create

description "Default customer"

exit

customer 10 create

description "ALUniv-A"

exit

ies 10 customer 10 create

interface "mgmt" create

address 172.31.79.190/25

sap nt:vp:1:4080 create

exit

exit

no shutdown

exit

sap nt-a:xfp:1:3000 create

exit

sap lt:1/1/1:3000 create

exit


exit

exit

vpls 4080 customer 10 v-vpls vlan 4080 create

stp

shutdown

exit


exit

no shutdown

exit


description "CES"

user-user-com

stp

shutdown

exit


exit


exit

no shutdown

exit


shutdown

description "VLAN3000"

stp

shutdown

exit







4.3 CLI: Show v-VPLS service overview

leg:isadmin># show service service-using v-vpls

=========================================================

Services

=========================================================

ServiceId Type Adm Opr CustomerId Service Name Template Used

-------------------------------------------------------------------------------

151 v-VPLS Up Up 1

300 v-VPLS Down Down 11

4080 v-VPLS Up Up 10

-------------------------------------------------------------------------------

Matching Services : 3

-------------------------------------------------------------------------------







4.4 CLI: Show in which service a SAP is used

leg:isadmin># show service sap-using sap lt:1/1/1:3000

==================================================

Service Access Points Using Port lt:1/1/1:3000

==================================================

PortId SvcId Ing. Egr. Adm Opr

Fltr Fltr

--------------------------------------------------------------------

lt:1/1/1:3000 300 none none Up Down

--------------------------------------------------------------------

Number of SAPs : 1

--------------------------------------------------------------------







4.5 CLI: Show overall FDB

leg:isadmin># show service fdb-mac

=======================================================

Service Forwarding Database

=======================================================

ServId MAC Source-Identifier Type Last Change

Age

-------------------------------------------------------------------------------

151 00:12:72:00:27:66 sap:lt:1/1/3:151 L/0 06/28/2012 23:21:06

4080 00:03:ba:73:47:b1 sap:nt-a:xfp:1:4080 L/0 06/13/2012 15:29:39

4080 00:03:ba:86:dd:39 sap:nt-a:xfp:1:4080 L/0 07/09/2012 16:14:55

4080 00:03:ba:cf:90:d3 sap:nt-a:xfp:1:4080 L/0 06/13/2012 15:29:32

4080 00:0d:9d:d3:37:64 sap:nt-a:xfp:1:4080 L/0 07/09/2012 15:43:05

4080 00:13:21:f2:b4:ab sap:nt-a:xfp:1:4080 L/0 07/09/2012 16:18:32

4080 00:14:4f:5f:20:ca sap:nt-a:xfp:1:4080 L/0 06/13/2012 15:29:33

4080 00:14:4f:cb:17:ac sap:nt-a:xfp:1:4080 L/0 06/13/2012 15:29:32

--------------------------------------------------------------------------------------------------

No. of Entries: 20

--------------------------------------------------------------------------------------------------

Legend: L=Learned; P=MAC is protected







4.6 CLI: Show per service FDB

leg:isadmin># show service id 151 fdb detail

=======================================================

Forwarding Database, Service 151

=======================================================

ServId MAC Source-Identifier Type Last Change

Age

-------------------------------------------------------------------------------

151 00:12:72:00:27:66 sap:lt:1/1/3:151 L/0 06/28/2012 23:21:06

-------------------------------------------------------------------------------

No. of MAC Entries: 1

-------------------------------------------------------------------------------

Legend: L=Learned; P=MAC is protected

=======================================================






Module summary

Upon completion of this module, you are able to:

• Give an overview of IHUB concepts

• Explain what a VPN service is

• Explain what kind of services are supported on the new software

• Give an overview of the supported forwarding models






IHUB L2 ForwardingEnd of module




7302-7360 ISAM � R4.6 High Cap. NT/5520 AMS - L2 & PPPoX forwardingNE Operation � Intelligent Brigding IACM


Module 3Intelligent Bridging IACM


7302-7360 ISAM










Module objectives

After attending this session, you should be able to:• Overview of a Residential Bridge VLAN (= Intelligent Bridge VLAN)

• Explain how the RB-VLAN is behaving on LT

• Create a RB-VLAN via AMS and CLI on IACM

• Associate a RB-VLAN to a bridge port with or without VLAN translation






Table of Contents

1 Intro Intelligent Bridging 7

2 Configuration: Create the IB VLAN 15

3 Configuration: IB VLAN association on bridge port 27

4 Exercises 53

5 Annex A: Basic GPON QoS configs 63

Page

1 Intro Intelligent Bridging 71.1 The ISAM as a two stage box 81.2 Intelligent Bridge mode in 7302 ISAM 91.3 Intelligent Bridge 101.4 LT self-learning 111.5 Upstream 121.6 Downstream 131.7 Secure MAC address learning 142 Configuration: Create the IB VLAN 152.1 IB VLAN set-up 162.2 Creation of IB VLAN on NE 172.3 Creation of IB VLAN on IACM 182.4 Modifying IB VLAN on IACM 222.5 IB Configuration of SYSTEM and/or per VLAN aging timer 232.6 Residential bridge parameters 242.7 Creation of IB VLAN via CLI 252.8 Residential bridge parameters 263 Configuration: IB VLAN association on bridge port 273.1 Logical user port – xDSL/ATM 283.2 Logical user port – VDSL/EFM or P2PEth 293.3 Logical user port - GPON 303.4 IB VLAN association of port on IACM 313.5 IB VLAN association 323.6 IB VLAN association of port on IACM 333.7 IB VLAN association of port on IACM 343.8 Configuration of the port on VLAN in IB 353.9 Create VLAN association on bridge port 363.10 Define PVID on bridge port 38




3.10 Define PVID on bridge port 383.11 RB VLAN association with VLAN translation 393.12 IB VLAN association of port on IACM (CLI) 403.13 Deletion of VLAN 413.15 VLAN related show commands 433.16 Stacked-IB (S+C-Ibridge) 443.17 S+C IBridge association with VLAN translation 483.18 Stacked-IB (S-Ibridge) 503.19 Stacked-IB (CLIs) 524 Exercises 535 Annex A: Basic GPON QoS configs 635.1 Ingress QoS profile 645.2 Bandwidth profile 65



1 Intro Intelligent Bridging







1.1 The ISAM as a two stage box

•… will do Ethernet switching

• on the NT – xHUB

• on the LT - IWF

•Ethernet switch = forwarding engine

• interworking = ATM �� Ethernet

LT

IWF FW Engine

NTxDSL

GPON

P2P-eth

ethernet ethernet

ethernet (encapsulated)

xHUB FW Engine

atm gem …

CPE






LT

External Ethernet

links ASAM link


1.2 Intelligent Bridge mode in 7302 ISAM

• IB mode

VP/VC VLAN

8/35 100

8/37 100

Ph. Port

8/37

Ph port

EFM

VLAN

x 100

FW Engine

FW Engine

8/35

xHUB

1-16

100

100 100

…




Remember, MAC-addresses are used in the forwarding decision.

In the upstream direction, the incoming user port (without the MAC DA) is sufficient for the

7302 ISAM to identify the outgoing upstream port and the C-VLAN tag. This C-VLAN is the

port-based default VLAN configured for this user port.

In the downstream direction, the MAC-address is sufficient for the 7302 ISAM to identify the

outgoing user port.

A particular VLAN ID can be configured :

�For a number of user ports in the 7302 ISAM.

�Only once over all 7302 ISAMs in the complete Ethernet network to which the 7302 ISAM

is connected.




1.3 Intelligent Bridge

•bridge: learning, aging, forwarding

• lookup MAC DA done based on VLAN and MAC-address

• intelligent bridging enhancements implemented on ISAM

•independent MAC-address learning

• independent MAC-address aging

• aging timers are configurable �[10...1000000] sec

• Recommended default value is 300 sec

• aging timer per VLAN

• aging timers are configurable �[-1,10...1000000] sec

• Default value –1 � use system Aging timer on LT




The xHUB and the LTs autonomously learn MAC addresses. They also autonomously age these MAC addresses.

Aging timers are configurable. The idea is that the xHUB is configured with the same aging timer as the one

of the IWF of the LT. This is needed to avoid conflicts, e.g. when the MAC address is aged on the xHUB, then

the xHUB could learn the MAC address on another interface with unpredictable behavior as a consequence.

Once a MAC address is aged, then no downstream communication is possible until the address is learned again

in the upstream direction.

So it’s important that the MAC ageing time is properly configured, otherwise data-plane connectivity may be

lost between the network and the ISAM end-users (nightly SW download on STB, incoming VoIP calls, …)

� In case of PPPoE traffic the MAC aging time can be kept small, because PPP has a built-in keep-

alive mechanism

� In case of DHCP-based service scenario's, the MAC ageing time must be taken in the same order of

magnitude as the DHCP lease time




1.4 LT self-learning

• only in the upstream - when initiated from user logical port

• Self-learning can be disabled per user logical port.

• In case of self-learning, limiting number of MAC addresses is possible.

LT

To Service xHUB

Learning of Source Mac@ within VLAN

NO selflearning

x

y

z

MacA

MacB

MacC




We call the LT IWF half a bridge as it only learns MAC addresses in the upstream direction.

This has as a consequence that no connection can be initiated from the network side if the

MAC address on the user side is not known or has not been learned yet.




1.5 Upstream

• only user to network allowed

<-- <-- <-- BC User A - LT1

Network SHUB LT --> User B - LT1

--> User C - LT4

--> User D

--> S-ASAM

<-- <-- <-- Unknown MAC DA User A - LT1


--> User C - LT4

--> User D

--> S-ASAM

<-- <-- <-- Known MAC DA User A - LT1


--> User C - LT4

--> User D

--> S-ASAM

The ISAM only allows user to network communication in the upstream,




The ISAM only allows user to network communication in the upstream,

�Blocked on the same LT by the IWF

�Blocked by the port mapping configuration on the xHUB (see later)

This is valid for all cases, i.e. Broadcast (BC), Unknown MAC Destination Address and Known

MAC Destination address.

Unicast frames with unknown destination MAC addresses are flooded to the network side.

�no user-to-user communication within the LIM

�no flooding from user to user port

�broadcast frames are flooded towards the NW port …

Frames with known destination MAC addresses aren’t forwarded to user ports, but to the

network side

�No user-to-user communication within the LT




1.6 Downstream

• broadcast control configurable per VLAN in IB mode

BC --> --> --> User A - LT1

Network SHUB --> LT -->if BC allowed User B - LT1

--> --> User C - LT4

--> User D

--> S-ASAM

Unknown MAC DA --> --> --> User A - LT1

Network SHUB --> LT --> User B - LT1

--> --> User C - LT4

--> User D

--> S-ASAM

Known MAC DA --> --> --> User A - LT1

Network SHUB --> LT --> User B - LT1

--> --> User C - LT4

--> User D

--> S-ASAM




Broadcast from Network to User is only allowed if enabled by the operator, per VLAN in IB

mode.

For the ‘unknown MAC DA case’, the LT will not forward the frames to the users.

In case of a known MAC DA, all frames are forwarded.

unicast frames with known MAC DA are forwarded to the appropriate logical user port

�unicast frames with unknown MAC DA are discarded

�No flooding from NW port to user port

�No user to user communication

By default broadcast as a consequence of flooding, which happens in case of standard

bridging when the MAC DA is unknown or in case of multicast, is avoided with intelligent

bridging.



CPE


1.7 Secure MAC address learning •xHUB

• MAC movement to highest priority

• Within priority , always MAC

Movement

• Within priority , MAC movement

only when feature is enabled in the

VLAN

• LT

• Blocking duplicate MAC-address

• Static MAC-addresses never disappear from learning table

user links

subtending links

E-MAN network links,outband MGT link

ASAM links

NT

LT

LT

Control link

IWF

IWF

1

2

3

3

3

3

2

2

3

CPE

CPEASAM links




On the IWF

If the MAC-address was already configured or learned on another user logical port, the MAC-

address won’t be learned on the second port and the frame is dropped (Conflict alarm).



2 Configuration: Create the IB VLAN







2.1 IB VLAN set-up

• VLAN set-up:

• � create VLAN

• creation of Residential BridgeVLAN on IACM

• � Add ports to VLAN

• on LTs

• Via AMS

• Different versions of one VLAN possible

�Create VLAN for service to be deployed

� Add ports to VLAN

For GPON, there is alreadysome QoS stuff

to explain and configure:

see Annex A




Here you’ll learn how to:

�Create a VLAN on IACM, either using 5520AMS or using CLI

�Add ports to a VLAN.




2.2 Creation of IB VLAN on NE

Network

Select NE

Infrastructure

Layer 2

Create VLAN

VLAN

See Next Slide

S-VLAN Id = 0




5520AMS doesn’t use templates for VLANs. The only way to configure VLANs is on the NE

itself.

For a residential bridge VLAN, the S-TAG = 0. No stacked VLANs for intelligent bridging!

(The reason why you see the S-VLAN id is that the same screens are used for cross-connect,

where you can have stacked VLANs.)




2.3 Creation of IB VLAN on IACM

mode: RB




Not all parameters can be configured here already. You can configure e.g. static MAC

addresses afterwards. See further.




2.3 Creation of IB VLAN on IACM [cont.]

Secure Fwgand IP Anti-Spoofing

broadcast control

Protocol Control

(NTP,RIP)

Protocol filter (PPPoE,IPoE,IP

v6oE)










DHCP option 82

PPPoE relay tag










Virtual MAC translation

Aging & U to U control

MC control




From R3.5 � VLAN specific aging time can be set. If set, this value will override the IACM

Layer2 - Ethernet System Parameters – Forwarding Database Aging Time. If the default value

–1 is left, the IACM system parameter is used.

To avoid problems the LT aging timer must be the same as the SHUB aging timer.




2.4 Modifying IB VLAN on IACM

Static MAC addressesNetwork

Select NE

Infrastructure

Layer 2

Unicast Static MAC Address

VLAN

Select VLAN

MAC Addresses

Static

Create







2.5 IB Configuration of SYSTEM and/or per VLAN aging timer




From R3.5 � VLAN specific aging time can be set. If set, this value will override the IACM

Layer2 - Ethernet System Parameters – Forwarding Database Aging Time. If the default value

–1 is left, the IACM system parameter is used.

In this case 300s is the value

To avoid problems, the LT aging timer must be the same as the SHUB aging timer.

CLI Commands: System aging timers IACM

Configure bridge ageing-time [10...1000000]

CLI Command: MAC aging PER VLAN (IACM)

� Configure vlan id 200 aging-time [-1,10...1000000]

� Default value –1 � IACM system settings are used.




2.6 Residential bridge parameters

Broadcast control on LT

• Only applicable in IB mode

• Off (default):

- BC in IWF on LT blocked in DS

• On:

- Allow BC in DS

BC off by Default

LT

From Service

Hub

MAC-DA Broadcast




Off: BC blocked

On: BC allowed




2.7 Creation of IB VLAN via CLI

•Vlan ID range: 1 to 4093

• excluding the VLAN ID used for management

•Create VLAN on IACM

• configure vlan id < VLAN ID> mode <VLAN Mode >

CONFIGURATION OF VLAN ON IACM




CONFIGURATION OF VLAN ON IACM

Id: [2...4093,4097] vlan id

Name: optional parameter with default value: “ name “

Mode: Mandatory parameter with possible values (on IACM):

1) cross-connect, 2) residential-bridge, 3) qos-aware, 4) layer2-terminated, 5) mirror

Priority: optional parameter with default value: 0. Range: {0...7}

[no]switch-broadcast: optional parameter to control downstream broadcast frames

(default value:"discard-broadcast“). Broadcast control is configurable per VLAN: on/off

� [No] broadcast frames � ‘broadcast frames’ means: broadcast allowed (= ON)

[no] protocol filter (default: pass all).

Other possibilities: pass pppoe, pass ipoe, pass pppoe-ipoe

[no]enable-pppoe-relay: optional parameter with default value: "disable-pppoe-relay“ adding tag for pppoe

relayed traffic (rb vlan)

[no]dhcp-opt-82-on: optional parameter with default value: "dhcp-opt-82-off“ enable adding dhcp option 82

(rb vlan)




2.8 Residential bridge parameters

•DHCP option 82/PPPoE Relay Tag

• Disabled (default):

• no option 82/PPPoE information added by LT

• Enabled:

• option 82/PPPoE information added by LT

•Protocol Group Filter

• Different from Protocol based VLAN association

• 3 possibilities

• All : allow all protocols on VLAN

• IPoE: allow only IPoE on VLAN

• PPPoE : allow only PPPoE on VLAN

• IPv6oE: allow only IPv6oE on VLAN

• PPPoE + IPoE + IPv6: allow only PPPoE, IPoE & IPV6oE on VLAN

• Or other combinations between the three

•Ingress QoS Profile• for NGLT-x only, see annex




Protocol based VLAN association � see later



3 Configuration: IB VLAN association on bridge port







3.3 Logical user port - GPON

•GEM based encapsulation

• 1 UNI on the ONT is mapped on 1 logical user port on IWF of LT

• 1 ONT can have multiple VP/VCs

LT x

IWF FW Engine

To successfully make a bridge port a member of a VLAN, the corresponding qos interface needs to be configured

see Annex A




This enables the capability to learn Mac addresses in the LT. But currently there is no means yet

to transport data upstream, out of the ONT on to the LT. This means it is the T-CONT which still

needs to be set up (see later)!

If you try to make the bridge port member of a VLAN without the qos interface you’ll get an

error message:

�“Attach Ingress QoS Profile to Vlan Port refused due to missing bandwidth profile on Queue”




3.4 IB VLAN association of port on IACM

• One logical user port can be mapped to multiple VIDs

• One logical port associated to Cross Connect or Residential-bridge VIDs

• One logical user port can accept tagged or untagged frames• Configured on the level of VID Association

• Per user logical port a PVID can be defined• Before PVID can be configured VLAN association has to be

configured

• Configuration of VID within the bridged port

• Support of 48 x 16 = 768 I-Bridges• on L3 LIMs







3.5 IB VLAN association

• Port based VLAN association

• VLAN ID based on port of arrival

• untagged frames, receive port VLAN identifier – PVID

• Also called the default VLAN ID

• Port-and-protocol-based VLAN classification

• VID based on port of arrival and the protocol identifier of the frame

• multiple VLAN-IDs associated with port of the bridge – VID set

• VLAN Translation

• VID based on port of arrival and translated to a network VID

A VLAN bridge supports port-based VLAN classification and may support port-and-protocol-




A VLAN bridge supports port-based VLAN classification and may support port-and-protocol-

based VLAN classification.

In port-based VLAN classification within a bridge, the VLAN-ID associated with an untagged

or priority tagged frame is determined based on the port of arrival of the frame into the

bridge. This classification mechanism requires the association of a specific Port VLAN

Identifier, or PVID, with each of the bridge’s ports. In this case, the PVID for a given port

provides the VLAN-ID for untagged and priority tagged frames received through that port.

For bridges that implement port-and-protocol-based VLAN classification, the VLAN-ID

associated with an untagged or priority-tagged frame is determined based on the port of

arrival of the frame into the bridge and on the protocol identifier of the frame.

For port-and-protocol based tagging, the VLAN bridge will have to look at the Ethertype, the

SSAP, or the SNAP-type of the incoming frames. When the protocol is identified, the VID

associated with the protocol group to which the protocol belongs will be assigned to the

frame. This classification mechanism requires the association of multiple VLAN-IDs with

each of the ports of the bridge; this is known as the “VID Set” for that port.

BTV and Port & protocol-based VLAN on R3.1-3.2

�the port default VLAN must be chosen equal to the VLAN used for BTV traffic

�no protocol based VLAN must be defined for IP, otherwise we end up generating a wrong

tag when issuing IGMP messages to the end user





Frames received from end users

are untagged

• user port can be mapped to

multiple VID using port-protocol

based association or PVID

Frames received from end users

are tagged

• on logical port define different

VIDs and configure frames received

from end-user as tagged

• send frames back to the subscriber

to be set as single tagged

E-MANNetwork

CPE

LTE-MAN

NetworkCPE

LTIPoE PPPoE

xxx

= PVID

IPoE

PPPoE

xxx




Behavior of the RB VLAN Association on the AMS

Frames received by the end users are tagged

�Association Settings � Send frames back to the subscriber as: Single Tagged

Frames received from end users are untagged

�Association Settings � Send frames back to the subscriber as: Untagged





• VLAN Translation, frames received from end users are tagged

VLAN per service& per provider

VLAN per service& per provider

VLAN 1 (HSIA)Bridge 10VLAN 10 (HSIA, SP1)

VLAN 2 (Video)Bridge 20VLAN 20 (VoD, SP1)

MCast

VLAN 30 (BTV, SP1)

VLAN 3 (Voice)Bridge 40VLAN 40 (Voice, SP3)

VLAN 5 (HSIA)Bridge 11VLAN 11 (HSIA, SP2)

VLAN 6 (Video)Bridge 21VLAN 21 (VoD, SP2)

VLAN 31 (BTV, SP2)

Subscriber VLANNetwork VLAN

Bridge Port

CPE




There are many operators who base their network architecture on one PVC per service when

connecting ADSL subscribers. Once those operators start deploying VDSL, they need to use

the VLAN as a "PVC emulation".

ISAM supports the ability to emulate a multi-PVC configuration on an EFM interface using the

VLAN as a "PVC emulation", i.e. it is possible to associate a set of VLAN Id's at the subscriber

interface with a set of forwarding engines being chosen from the following list :

�VLAN-CC (Transparent or Protocol aware): the C-VLAN received at the user side is either

forwarded as a C-VLAN CC or encapsulated into an S-VLAN (VLAN stacking).

�i-Bridge: the VLAN received at the user side will be bridged into an i-bridge

identified by the same VLAN Id.

�IP Aware Bridge

�IP Routing

Additionally, in case of VLAN-CC or i-Bridge, we support VLAN translation to make

wholesaling possible without impacting the CPE configuration. Starting from a set of pre-

defined C-VLAN tags at the CPE side (i.e. the same for all CPEs), it is possible to retag the

received packet with a new C-VLAN (VLAN-CC or i-bridge) or a stacked VLAN (VLAN-CC), so

that the traffic can be passed to the VLAN associated with the combination of serivce

provider plus service.




3.8 Configuration of the port on VLAN in IB

� Add ports to VLAN

on IACMBridge port – VID mapping

on xHUB Define egress ports within the VLAN

Aggregation function

GE1

External ethernet links

ASAM links

Control link

FE

LIM

IWF

Control/mgt functions

GE16

LIM

IWF

PVC

…..

PVC

GE/FE 1

GE/FE 2

…..

GE/FE 7




�In the xHUB

� Create VLAN in RB mode

� Add NW interfaces and all ASAM interfaces to this VLAN

�In the ASAM

� Create VLAN in RB mode

� Add port to VLAN




3.9 Create VLAN association on bridge port

Network

Select VCL Bridge Port

Create

VLAN Association







3.9 Create VLAN association on bridge port [cont.]

VLAN without Translation

Send frames back to subscriber as: untagged







3.10 Define PVID on bridge port• Modify VLAN association � Object details view

select Default VLAN and click OK







3.11 RB VLAN association with VLAN translation

• VLAN Translation

Network

Select VCL Bridge Port

Create

VLAN Association

VLAN without Translation

Subscriber VLAN

Send frames back to subscriber as:

tagged




For example, you configure a RB VLAN association with VLAN translation on a VDSL EFM

bridge port. The modem is configured in such a way that it generates tagged traffic, e.g.

local subscriber VLAN 10. This subscriber VLAN is translated into the network VLAN 150.

�All frames returned to the subscriber should again have VLAN tag 10.

Configure that the frames returned to the subscriber should be single-tagged.




3.12 IB VLAN association of port on IACM (CLI)

• define VIDs in the “configure bridge port” command

• configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#

vlan-id <VLAN ID> or

vlan-id stacked <S-VLAN ID:C-VLAN ID>

• VLAN translation


• vlan-id <VLAN ID> vlan-scope <local> network-vlan <VLAN ID>

• define PVIDs in the “configure bridge port” command


pvid <VLAN ID>

No VLAN Translation:




No VLAN Translation:

� leg:isadmin>configure>bridge>port>1/1/2/1:8:36# vlan-id 200

� leg:isadmin>configure>bridge>port>1/1/2/1:8:35# info

�#---------------------------------------------------------------------------------------------------

�port 1/1/2/1:8:35

max-unicast-mac 4

vlan-id 200

exit

�exit

With VLAN Translation:

� leg:isadmin>configure>bridge>port>1/1/2/2:8:35# vlan-id 10 vlan-scope local network-vlan 150

� leg:isadmin>configure>bridge>port>1/1/2/2:8:35# info

�port 1/1/2/2:8:35

max-unicast-mac 4

vlan-id 10

network-vlan 150

vlan-scope local

exit

vlan-id 200

exit

�exit




3.13 Deletion of VLAN

•first remove VLAN associations on VLAN

then delete VLAN







3.14 Deletion of VLAN [cont.]

• It is not possible to delete a VLAN if there are still ports attached to

the VLAN

• Deleting VLAN on IACM

• configure vlan no id <VLAN ID>







3.15 VLAN related show commands•Selection of multiple show vlan commands

• Display list of command via “show vlan ?”

• Interesting commands on IACM

• show vlan residential bridge summary <VLAN ID>

gives all bridge ports connected to this vlan (“extensive” gives tx mode, qos profile)

• show vlan bridge-port-fdb < bridge port id (1/1/slot/port:VPI:VCI or

1/1/slot/port/ONT/ONTCard/port) >

gives all MAC-addresses learned or configured on that port with its associated vlan

• show vlan fdb <fdbid>

gives association fdbid with vlanid

• show vlan fdb-board fdb-id <fdbid>

gives you MAC-addresses learned on all ports of that vlan

show vlan dup-mac-alarm

gives you duplicate mac information







3.16 Stacked-IB (S+C-Ibridge)

Network

Select NE

Infrastructure

Layer 2

Create VLAN

VLAN







3.16 Stacked-IB (S+C-Ibridge) [cont.]

• First: S-Vlan




S+C iBridge on GPON LT from R4.3S+C iBridge on Catan/CATE DSL LT (all VDSL LTs except NVLT-C/D) and NELT-B UNI LT from R4.4.02





• Second: S+C Vlan














3.17 S+C IBridge association with VLAN translation







3.17 S+C IBridge association with VLAN translation [cont.]







3.18 Stacked-IB (S-Ibridge)

• Create a S Vlan:




S iBridge on NELT-B NNI from R4.2

S IBridge on GPON LT from R4.3




3.18 Stacked-IB (S-Ibridge) [cont.]







3.19 Stacked-IB (CLIs)

Configure a VLAN on the LT for S+C-iBridge• configure vlan id stacked:300:0 name "SC_VLAN-300" mode residential-bridge

• configure vlan id stacked:300:600 name "SC_VLAN-300-600" mode residential-bridge

Configure a VLAN on the LT for S-iBridge• configure vlan id stacked:800:0 name "SiBridge-vlan" mode residential-bridge






4 Exercises






ExercisesPerform these exercises with CLI and AMS unless specified differently

Perform these exercises on the board and ports assigned to

you to do the retrieval exercises.

1. Which VLANs are created on the NE?

2. What is the forwarding mode of VLAN 200 (cross-connect, residential bridge)?

3. What are the ports belonging to VLAN 200 on the xHUB? Explain what you see.

4. Which logical ports are associated to VLAN 200?




5. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-a .

Note : For the downstream forwarding , we assume that the xHUB knows the MAC-addresses of the end

user within the respective VLANs .

6. What happens when the end-user sends a frame with VLAN tag 200?


8. What happens when the end-user sends an untagged frame ?

9. What happens with a frame with VLAN tag 200 coming from the network?

10. What happens with a frame with VLAN tag 300 coming from the network?

11. How many MAC-addresses can be learned in VLAN 200 on the logical user port VP/VC 8/35 of port

TRAINING-a?




12. Explain the total configuration of the user logical port PVC 8/35 on port TRAINING-b.

Note : For the downstream forwarding , we assume that the xHUB knows the MAC-addresses of the

end user within the respective VLANs .

Ingress Egress

DSL port DSL port

8/358/35

150150

160160

210210

5050

150150

160160

210210

5050



15. What happens when the end-user sends an untagged frame?

16. What happens when a frame with VLAN tag 150 is sent towards the end user?







20. What happens when an untagged frame is sent towards the end user?

21. How many MAC-addresses can be learnt on the user logical port PVC 8/35 on port TRAINING-b

within VLAN 50?

For these exercises go back to the board and ports assigned to you to do the configuration exercises.

1. Go to the port that you configured before and where the modem is connected. Use CLI to apply the service with VLAN id as default VLAN 150 to PVC 8/36. Frames coming from the end user are untagged. You should be able to connect with 2 PCs. DHCP server is available on the other side .

setup




2. Check if you are able to get an IP address. from the DHCP server. Note: in function of the modem setup you need to either use VMware on the trainee PC or disconnect your PC from the AUA – LAN and connect the PC to the modem (or connect your own PC to the modem … ). Ask the teacher what to do!Force your PC to ask for a new IP-address (DHCP release/renew) � ipconfig /release and ipconfig /renew.What is the IP-address you received ? What is the IP-address of the DHCP server?

3. Check the MAC-address learnt on your bridge port using AMS and CLI.

4. Are you able to ping the PC of one of your colleagues connected to the same ISAM? Explain.

5. Use the AMS to associate logical port 8/35 with VLAN 200 as the default VLAN. Frames coming from the end user are untagged. You should be able to connect with 3 PCs to this connection. VLAN 200 terminates on a BRAS so use PPPoE to set up a connection. Check if you can surf the web. Note: in function of the modem setup PPPoE session needs to be initiated from modem or PC . Ask the trainer what to do !

Setup




6. Check the MAC-address learnt on the VP/VC 8/35 and VP/VC 8/36 with the AMS. What do you notice ? Explain what you see.

7. Use the AMS to remove the RB vlan with id 200 from the 8/35 ATM termination point on your port.

8. Use the CLI to remove the RB vlan with id 150 from the 8/36 ATM termination point on your port.

9. Create RB VLAN with VLAN ID=20x ( x = adsl-x) via CLI. All traffic type is possible within the VLAN. The VLAN is default VLAN on logical port 8/35. 4 user sessions possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Try to initiate a PPPoE session towards the network. Verify if your configuration works. Note: BRAS will not provide you with an IP@ ( Setup of the network currently not ready )

Setup

10. Create a Service for RB VLAN on the AMS. All traffic type is possible within the VLAN. 4 user sessions possible on the logical port. No user line id is required for DHCP or BRAS. No MC service is deployed within the VLAN. Leave status under construction. Note : unique VLAN-ID per [IP-edge – ISAM] pair to prohibit user-to-user communication.




11. You want to have line identification information on the DHCP server. Try to apply the change and explain

12. Use the AMS to associate the service you just created on VP/VC 8/36 of the port assigned to you. VLAN id to be used is VLAN 16x (x=adslx). Frames coming from the end user are untagged. VLAN 16x is the default VLAN. Check if your configuration works by setting up a DHCP session and see if you are able to receive an IP@ .

Setup

13. Release your IP address. (ipconfig /release)

14. Your management changed mind and the VLAN 16x can only be used for PPPoE traffic. Apply the change with CLI. Check if you are still able to retrieve an IP@ via DHCP. Does it work ? Why? Why not?

15. In normal operation would you normally apply such change with CLI?




16. Your management changed mind again, and now only wants IPoE traffic in VLAN 16x and disable option 82. Apply the change with AMS. Check if you are still able to retrieve an IP@ via DHCP. Does it work ? Why? Why not??

17. Can you ping the client PC from the server side on VLAN 16x? Ask the trainer to assist you since access to DHCP server is secured. First check the ARP table of DHCP server and make sure the MAC@ of your PC is no longer in the self-learning table of VLAN 16x, then issue the ping command.What do you notice? Explain.

18. Force the system to allow broadcast frames to pass through in the downstream direction. Use a CLI command to achieve this goal. Verify, and explain what you notice.

19. Delete the association with VLAN 20x from VP/VC 8/35 on your port and associate VP/VC 8/35 with VLAN 21x. VLAN 21x is a RB service and parameters are such that only PPPoE traffic is allowed on this VLAN. Perform this exercise with the AMS. Check if your setup works . What is the IP@ you get from the BRAS ?




What is the IP@ you get from the BRAS ? What is the IP@ you got from the DHCP server? Note: BRAS will not provide you with an IP@ ( Setup of the network currently not ready )

Setup

20. Try to delete VLAN 16x from the ISAM via the AMS. What happens? Explain.Note: If not possible just proceed to the next exercise after explanation

21. Version 2 of service with VLAN-ID 16x has been deployed in the entire network. Delete version 1 from the AMS.

22. Configura two stacked Ibridge. One of them must work in a mapped mode (S+C Ibridge) and the other one must be work in a tunnel mode (S Ibridge).

23. MC Teaser . Set-up a MC control-channel on VP/VC 8/36 and allow your user to see package 1 . Ask the teacher for assistance and see if you can watch some video.






Intelligent Brigding IACMEnd of module




Documents

D2s 2.Intelligent Bridging.pdf