VLAN forwarding modes and IB
7302-7330/5523 operator part 1 section D
Alcatel-Lucent University Antwerp
Objectives
- What is a Residential Bridge VLAN (RB-VLAN), also called Intelligent Bridge VLAN (IB-VLAN)
- Understand how the RB-VLAN behaves
- Creation of an RB-VLAN via AWS and CLI
- The RB-VLAN association on an ATM over xDSL port
- The RB-VLAN association on an ETH over xDSL port
- Application purpose of the RB-VLAN
Table of contents
- Forwarding modes: general
- Layer 2 forwarding: the basics
- Intelligent bridging
- VLAN setup
- VLAN association
- Exercises
Forwarding modes: General
Forwarding engines
- On the LT: the forwarding engine sits behind the interworking function (IWF) of the line card, between the PVC / EFM logical user ports and the ASAM link.
- On the NT: the forwarding engine is part of the service hub, which connects the ASAM links of the LTs to the external GE/FE network links.
[Figure: forwarding engines on LT and NT. Labels: CPE, x/Eth, x/ATM/Phys. layer, PVC / logical user port, EFM / user port, IWF, FW Engine, LT 1..x, ASAM link, Service Hub, GE/FE 1-7, GE1-16, external hub]
Forwarding modes: General
[Figure: 7302 ISAM between the user side and the network side (Eth-VLAN); the forwarding decision is taken at layer L2, L2+, L3 or L3+]
Forwarding mode per layer:
- L2: VLAN Cross-Connect (CC); Intelligent Bridge (IB)
- L2+: PPPoA to PPPoE translation; IP aware Bridge
- L3: Routed
- L3+: PPP termination
L2 Forwarding mode
General overview
[Figure: 7302 ISAM doing L2 forwarding. User side: anything over Eth (VLAN) over ATM/AAL over the physical layer, or anything over Eth (VLAN) directly over the physical layer. Network side: anything over Eth-VLAN]
Layer 2 forwarding:
- The Ethernet layer must be present at both sides, so the encapsulation at the CPE must include Ethernet.
Two L2 forwarding modes:
- The intelligent bridging (IB): one (or more) circuits per VLAN; forwarding is based upon MAC addresses and VLAN.
- The cross-connect (CC): one (or more) VLANs per circuit; forwarding is based upon the user side (PVC for ATM or DSL port for EFM) and the network side (single or stacked VLAN tag).
L2 functionalities
[Figure: ISAM L2 functions. NT: control/management function, aggregation function, service hub as a standard VLAN-enabled bridge, external Ethernet links GE/FE 1-7 and GE1..16, control link and ASAM links to the LTs. LT 1..16: IWF as a special VLAN-enabled bridge, with PVC / logical user ports towards the user ports. Left of the ISAM: E-MAN network; right: CPEs and POTS/ISDN]
[Figure: protocol stacks. CPE: anything over Ethernet layer 2 over LLC/SNAP, AAL5, ATM, xDSL PHY. LT: ETH-ATM Ethernet interworking function (IWF) terminating LLC/SNAP, AAL5 and ATM, and bridging Ethernet layer 2 (+ MAC control) over FE/GE. NT: Ethernet switch, Ethernet layer 2 (+ MAC control) over FE/GE and GE PHY towards the E-MAN]
Intro: Standard Bridging
Standard bridging concept
- MAC bridges can interconnect all kinds of LANs together.
- No guaranteed delivery of frames.
- A bridge learns MAC addresses.
- Flooding occurs when the destination MAC address is broadcast, multicast or unknown: if you do not know, send it to everybody.
- If the destination MAC address has been learned, the frame is forwarded to the indicated interface.
Security/scalability issue with standard bridging
- Broadcast frames (ARP, PPPoE PADI) are forwarded to all users: flooding to all ports.
- The MAC address of a user is exposed to other users.
- Broadcast storms.
[Figure: a frame with BC or unknown MAC DA sent by one PC is flooded by its DSLAM and by the Ethernet bridge to the BRAS and to every other CPE and PC]
Standard bridging: Issues
- Broadcast storms.
- Security: broadcast frames are forwarded to all users; customers are identified by MAC address (not guaranteed unique).
- Restrictions on services and revenues: the IP edge device has no info on the access line, so it is not possible to limit the number of sessions per access line.
- User-to-user communication is possible without passing the BRAS.
NOT FIT FOR USE IN PUBLIC NETWORKS
Intelligent Bridging
The intelligent bridging model (1/3)
- Multiple users connected to 1 VLAN ID.
- An IB-VLAN has 1 or more user logical ports, subtending ports or user Ethernet ports, and 1 or more network ports.
- Note: tagged frames are not supported for IB if Rel. < 3.1.
[Figure: two deployment models. Left: one VLAN per ISP (ISP1, ISP2) or corporate across the E-MAN network; routing to the correct ISP is based on the VLAN-id. Right: one VLAN to a BAS; routing to the correct ISP is done based on user-id and password in the BRAS (login to ISP or corporate)]
The intelligent bridging model (2/3)
Why VLAN translation (customer VLAN to network VLAN)?
- Wholesale per service
  - Drivers: VDSL and Eth offer more BW, so it makes sense to wholesale this in pieces rather than the complete DSL line as a whole.
  - Consequences: model with VLANs on the DSL line; behaviour equivalent to the multi-VC model on ATM/ADSL.
- VLAN per service and per provider in the aggregation network
  - The service provider is free to choose the CPE configuration, but the VLANs in the aggregation network are under control of the ILEC.
  - Ultimately 1 subscriber (1 line) may have to support 2 HSIA services or 2 video services from different service providers.
The intelligent bridging model (3/3)
Special layer 2 behaviour is needed in an access environment: IB with VLAN tagging.
Intelligent Bridge (IB) means:
- distinction between network ports and user ports: frames from a user are always sent towards the network; no user-to-user communication
- prevent broadcast traffic from escalating: avoid broadcast or flooding to all users
- secure MAC-address learning within a VLAN: avoid MAC-address duplication over multiple ports
- protocol filtering: may lead to a frame being forwarded, sent to a host processor, discarded, or forwarded and sent to a host processor
Intelligent bridging: network issues
[Figure: two ISAMs with CPEs (MAC A, MAC B) connected through an Ethernet bridge in VLAN 1 to the IP edge]
Problem: if user A can obtain the MAC address of user C, user-to-user communication is possible, since the Ethernet switch learns all MAC addresses.
Broadcast messages & flooding US
- Upstream BC frames and flooding are only forwarded towards the network port(s) within a VLAN.
- 1 VLAN per IP edge: reduction of flooding in the aggregation network.
- No user-to-user communication without passing the BRAS.
[Figure: a frame with BC or unknown MAC DA from PC A is forwarded by its ISAM only upstream, in VLAN 1 through the Ethernet bridge to the BRAS; PC B behind the other ISAM (VLAN 2) does not receive it]
Broadcast messages & flooding DS
- Blocking of broadcast and flooding in the downstream avoids messages being unintentionally distributed to all users.
- For some applications forwarding of BC is needed.
- Solution: make BC flooding / BC discarding a configurable option per VLAN.
[Figure: a frame with BC or unknown MAC DA arriving from the BRAS through the Ethernet bridge is blocked by the ISAMs towards the CPEs and PCs]
Intelligent Bridge
Bridge: learning, aging, forwarding
- The MAC DA lookup is done based on VLAN and MAC address.
- Intelligent bridging enhancements are implemented on the ISAM.
- LT and SHUB have independent MAC-address learning and independent MAC-address aging.
- Aging timers are configurable [10...1000000] sec; the recommended default value is 300 sec.
LT self-learning
- Only in the upstream, when initiated from a user logical port.
- Self-learning can be disabled per user logical port.
- In case of self-learning, limiting the number of MAC addresses is possible.
[Figure: the LT learns the source MAC addresses (MAC A, MAC B, MAC C) within the VLAN on user ports x, y and z towards the service hub; a port with no self-learning enters nothing]
Self-learning in the Service Hub
- Self-learning is implemented for both upstream and downstream.
- Discard all user unicast frames with a MAC DA known on an ASAM or subtending port: no user-to-user communication.
[Figure: the service hub learns source MAC addresses within the VLAN on its LT-facing ports (MAC A, MAC B, MAC C) and on the E-MAN ports; a frame from B to A or from B to C is discarded]
Blocking of user-to-user communication
Port mapping on the service hub/NT: an interface can only communicate with its mapped ports.
[Figure: service hub with 8 network links, 1 control link and 16 ASAM links (user links); in the second variant the 16th ASAM link is used as subtending link. The mapping only allows traffic between user links and network links]
Port mapping
Port mapping is used to block user-to-user communication on the service hub.
[Figure: NT with the control link to the control function, the E-MAN network links, and the ASAM links to the LTs (user links) or to subtending ISAMs (subtending links)]
Upstream
Only user-to-network is allowed.
[Figure: upstream forwarding on LT and SHUB for users A and B on LT1, user C on LT4 and user D on a subtended ASAM (S-ASAM), for three cases: BC, unknown MAC DA and known MAC DA. In every case the frame from the user port goes through the LT and the SHUB to the network only, never to another user]
Downstream
Broadcast control is configurable per VLAN in IB mode.
[Figure: downstream forwarding from the network through SHUB and LT towards users A and B on LT1, user C on LT4 and user D on a subtended ASAM (S-ASAM), for three cases: BC (forwarded by the LT to the users only if BC is allowed on the VLAN), unknown MAC DA and known MAC DA]
Duplicate MAC-address learning
[Figure: two users on port x and port y with the same MAC address (MAC A); a packet with destination address MAC A arrives from the Ethernet side]
Problem: 2 users with the same MAC address; the forwarding engine cannot distinguish them.
Traffic from duplicate MAC addresses in separate DSLAMs can be distinguished as separate flows in the Ethernet switches of the aggregation network when a different VLAN id per DSLAM is used.
Secure MAC address learning
[Figure: service hub port priorities. Priority 1: control link to the NT. Priority 2: E-MAN network links and outband management link. Priority 3: ASAM links to the LT IWFs, subtending links and user links]
- MAC movement to the highest priority.
- Within priority 2, always MAC movement.
- Within priority 3, MAC movement only when the feature is enabled in the VLAN.
- Blocking of duplicate MAC addresses.
- Static MAC addresses never disappear from the learning table.
Secure MAC address learning
- Configure the maximum number of MAC addresses per port: prevents attacks that would fill up the bridging tables; subscription rules: maximum number of devices connected simultaneously.
- Configure MAC addresses for discarding.
[Figure: ISAM with a bridged VLAN ID towards the BAS, the IP network and the ISP. Port x: Max Mac@ = 2, learned MAC A and MAC B (connected via PPPoE); Discard Mac@ 00-08-02-E9-F2-9D on port x; a PADI with source address MAC C arrives on the bridge]
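As an added illustration (not course material and not ISAM's implementation), the following Python model applies the intelligent-bridge rules from the upstream/downstream slides and the secure MAC-address learning slides above: user ports only reach network ports, learning is upstream-only with a per-port maximum, a duplicate MAC is blocked unless MAC movement is allowed in the VLAN, the discard list drops frames by source MAC, and downstream broadcast is flooded only when enabled on the VLAN. Port names, MAC values and the treatment of an unknown downstream DA as discarded are assumptions.

```python
"""Toy model of the ISAM intelligent-bridge forwarding rules on one VLAN.
Constructed illustration, not ISAM code: port names, MAC addresses and limits
are made up; an unknown MAC DA arriving downstream is discarded (the course
describes flooding as blocked in the downstream direction).
"""
from collections import namedtuple

Frame = namedtuple("Frame", "vlan src dst in_port")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class IBVlan:
    def __init__(self, vid, user_ports, network_ports, broadcast_frames=False,
                 mac_move_allow=False, max_mac=2, discard_macs=()):
        self.vid = vid
        self.user_ports = set(user_ports)         # LT bridge ports (priority 3)
        self.network_ports = set(network_ports)   # E-MAN links (priority 2)
        self.broadcast_frames = broadcast_frames  # allow BC in the downstream
        self.mac_move_allow = mac_move_allow      # MAC move within priority 3
        self.max_mac = max_mac                    # learned MACs per user port
        self.discard_macs = set(discard_macs)     # "MAC addresses for discarding"
        self.fdb = {}                             # mac -> port, per VLAN

    def learn(self, mac, port):
        """Upstream-only self-learning with a per-port limit and duplicate blocking."""
        owner = self.fdb.get(mac)
        if owner == port:
            return True
        if owner is not None and not self.mac_move_allow:
            return False                          # duplicate MAC: first port keeps it
        if sum(1 for p in self.fdb.values() if p == port) >= self.max_mac:
            return False                          # port already holds max_mac entries
        self.fdb[mac] = port
        return True

    def forward(self, frame):
        """Return the set of egress ports for a frame; an empty set means discard."""
        if frame.vlan != self.vid or frame.src in self.discard_macs:
            return set()
        if frame.in_port in self.user_ports:      # upstream: user -> network only
            self.learn(frame.src, frame.in_port)
            if self.fdb.get(frame.dst) in self.user_ports:
                return set()                      # DA known on a user port: no user-to-user
            return set(self.network_ports)        # BC, unknown and known DA go upstream
        if frame.in_port in self.network_ports:   # downstream
            if frame.dst == BROADCAST:
                return set(self.user_ports) if self.broadcast_frames else set()
            return {self.fdb[frame.dst]} if frame.dst in self.fdb else set()
        return set()                              # port not mapped to this VLAN


def demo():
    """Walk one VLAN through the upstream/downstream cases of the course."""
    vlan = IBVlan(100, user_ports={"lt1:p1", "lt1:p2", "lt4:p1"},
                  network_ports={"net1"}, max_mac=1,
                  discard_macs={"00:08:02:e9:f2:9d"})
    a, b, edge = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:ee"
    return (
        vlan.forward(Frame(100, a, BROADCAST, "lt1:p1")),    # {"net1"}: BC upstream
        vlan.forward(Frame(100, b, a, "lt1:p2")),            # set(): user-to-user
        vlan.forward(Frame(100, edge, a, "net1")),           # {"lt1:p1"}: known DA
        vlan.forward(Frame(100, edge, BROADCAST, "net1")),   # set(): BC blocked in DS
    )
```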
Intelligent Bridging, things to consider
- Security services: the IP edge has no info on the line id. Solutions: PPP connections (BRAS) or DHCP option 82.
- A user can access the network with a different IP address than the assigned IP address (pure layer 2 device).
- No support for duplicate MAC addresses on the same ISAM within the same VLAN.
- Scalability: switches learn all MAC addresses of all end-users; the IP edge learns all MAC addresses and IP addresses of all end-users.
Intelligent Bridging, things to consider
- Advised to use a unique VLAN per [IP edge-DSLAM] pair in the E-MAN: avoids user-to-user communication; traffic management per DSLAM; complex IP network configuration.
- When 1 VLAN is shared by multiple DSLAMs: user-to-user traffic in the E-MAN; easy IP network configuration (one single subnet for all DSLAMs); MAC-address spoofing, because standard MAC address learning at E-MAN level reroutes traffic to any spoofed MAC address.
IB VLAN set up
IB VLAN set-up
VLAN set-up:
1. Create VLAN: create the VLAN for the service to be deployed, on the SHUB and on the LTs.
2. Add ports to VLAN: on the SHUB and on the LTs.
Via AWS:
- Service templates are used and need to be deployed on the ISAM (download).
- The service is mapped on a specific VLAN-ID.
- Different versions of one template are possible.
Creation of IB VLAN (AWS): use of service template
Parameters to configure in ANEL > Service Definition > Create > RB VLAN:
- System mode settings
- State
- Identification
- Allocation strategy
- Protocol settings
- IGMP settings
- MAC addresses for discarding
[Figure: service templates on AWS (Service 1..7, each with a service id) are deployed to the NE (DEPLOY TO NE); on the ISAM each service is mapped on a VLAN (e.g. VLAN 2, VLAN 5) carrying that service id]
VLAN service template states
- Under construction: not ready to be deployed; service parameters can be modified.
- Ready for use: ready to be deployed to the ISAM; cannot return to the state under construction; service parameters can only be modified via a new version of the VLAN service template.
- Obsolete: ready for deletion.
- Preferred: the preferred version to be deployed.
VLAN identification
ANEL > Service Definition > Create / Modify / Change state
- Service Name
- Service Identifier: the service in the ISAM is only known by its service identifier; by default AWS puts Service Identifier = Service Name.
- Version
[Figure: on AWS, Create Service defines a service name, a service identifier and a version; after DEPLOY TO NE the ISAM knows only the service identifier and the version]
Residential bridge parameters
Broadcast control (only applicable in IB mode; the BC button is not checked by default)
- Disabled (default): BC in the IWF on the LT is blocked in the DS.
- Enabled: allow BC in the DS.
[Figure: a frame with MAC-DA broadcast coming from the service hub through the NT is blocked or allowed at the LT]
MAC movement (only applicable in IB mode)
- Disabled (default): no MAC movement in the SHUB within priority 3 interfaces.
- Enabled: MAC movement allowed within priority 3 interfaces.
[Figure: SHUB port priorities: 1 for the control link, 2 for the E-MAN links, 3 for the LT links]
Residential bridge parameters
DHCP option 82 / PPPoE relay tag
- Disabled (default): no option 82 / PPPoE information is added by the LT.
- Enabled: option 82 / PPPoE information is added by the LT.
Protocol group filter (different from protocol-based VLAN association), possibilities:
- All: allow all protocols on the VLAN
- IPoE: allow only IPoE on the VLAN
- PPPoE: allow only PPPoE on the VLAN
- PPPoE + IPoE: allow only PPPoE and IPoE on the VLAN
Creation of IB VLAN via CLI (1/3)
Creation of the VLAN in 2 steps:
1. Create the VLAN on the SHUB (mode: residential bridge).
2. Create the VLAN on the LTs (ASAM-CORE) (mode: residential bridge).
The VLAN mode is chosen according to the forwarding model, i.e. in function of the service to be deployed.
Creation of IB VLAN via CLI (2/3)
VLAN mode per forwarding model:
Model | VLAN mode on SHUB | VLAN mode on LTs (ASAM-core)
Intelligent Bridge | Residential bridge | Residential bridge
IP aware Bridge (forwarding) | Layer2 Terminated * | Layer2 Terminated *
Routed | Layer2 Terminated NW port & v-vlan * | Layer2 Terminated *
PPP termination in forwarding mode | Layer2 Terminated * | Layer2 Terminated *
PPP termination in routed mode | Layer2 Terminated NW port & v-vlan * | Layer2 Terminated *
* : see next chapters
Creation of IB VLAN via CLI (3/3)
VLAN ID range: 1 to 4093, excluding the VLAN ID used for management.
Create VLAN on ASAM-CORE:
configure vlan id <VLAN ID> mode <VLAN Mode>
Optional parameters:
[no] name <VLAN name>
[no] priority <VLAN Priority>
[no] broadcast frames
[no] protocol filter <pass-protocol group>
[no] PPPoE relay (only for RB VLAN)
[no] dhcp-option-82 (only for RB VLAN)
Create VLAN on SHUB:
configure vlan shub id <VLAN ID> mode <VLAN Mode>
Optional parameters:
[no] name <VLAN name>
[no] mac-move-allow
VLAN service template: Allocation strategy
When a service is deployed on an ISAM, it is mapped to one VLAN-ID; the VLAN ID is chosen in function of the allocation strategy:
- User select: at download, the VLAN-ID per ISAM is defined (AWS asks for a VLAN-ID per NE, then deploys to that NE).
- Shared with VLAN-ID: the ISAMs share the same VLAN-ID (AWS deploys to the NEs with a mutual VLAN-ID).
VLAN service template transitions
[Figure: state diagram of a VLAN service template with the states Under construction, Ready for use, Preferred and Obsolete. Transitions: Modify within version (Under construction); Change state (between Under construction, Ready for use, Preferred and Obsolete); Modify, new version created (from Ready for use or Preferred to a new version in Under construction); DEPLOY or UPGRADE (Preferred to the ISAM); DELETE (Obsolete)]
IB VLAN association
Definition of logical user port on ASAM-CORE
- xDSL based on ATM: 1 VP/VC is mapped on 1 logical user port on the IWF of the LT; 1 xDSL line can have multiple VP/VCs.
- xDSL based on Ethernet (VDSL2/EFM): 1 end user is mapped to one logical user port on the IWF of the LT (one-to-one mapping).
[Figure: LT 1 with IWF and forwarding engine towards the ASAM link. Left: PVC / logical user port over x/ATM/ADSL towards the CPE. Right: EFM / logical user port over x/Eth/Phys layer towards the CPE]
IB VLAN association of port on ASAM-CORE
- One logical user port can be mapped to multiple VIDs.
- One logical port is associated to CC or Residential-bridge VIDs.
- One logical user port can accept tagged or untagged frames; this is configured at the level of the VID association.
- Per user logical port a PVID can be defined; before the PVID can be configured, the VLAN association has to be configured.
- Configuration of the VID within the bridged port.
- Support of 48 x 16 = 768 I-Bridges on L3 LIMs.
IB VLAN association
- Port-based VLAN association: VLAN ID based on the port of arrival; untagged frames receive the port VLAN identifier (PVID), also called the default VLAN ID.
- Port-and-protocol-based VLAN classification: VID based on the port of arrival and the protocol identifier of the frame; multiple VLAN-IDs associated with a port of the bridge (VID set).
- VLAN translation: VID based on the port of arrival and translated to a network VID.
IB VLAN association of port on ASAM-CORE
Frames received from end users are untagged:
- The user port can be mapped to multiple VIDs using port-protocol based association or the PVID.
[Figure: untagged IPoE, PPPoE and other (xxx) frames from the CPE are mapped by the LT onto separate VLANs towards the E-MAN network; the remaining protocols get the PVID]
Frames received from end users are tagged:
- On the logical port define the different VIDs and configure the frames received from the end-user as tagged.
- Frames sent back to the subscriber are to be set as single tagged.
[Figure: tagged frames from the CPE are carried by the LT on their VIDs towards the E-MAN network]
IB VLAN association of port on ASAM-CORE
VLAN translation, frames received from end users are tagged (VLAN per service and per provider on both the subscriber and the network side):
Subscriber VLAN | Bridge port | Network VLAN
VLAN 1 (HSIA) | Bridge 10 | VLAN 10 (HSIA, SP1)
VLAN 5 (HSIA) | Bridge 11 | VLAN 11 (HSIA, SP2)
VLAN 2 (Video) | Bridge 20 | VLAN 20 (VoD, SP1)
VLAN 6 (Video) | Bridge 21 | VLAN 21 (VoD, SP2)
VLAN 3 (Voice) | Bridge 40 | VLAN 40 (Voice, SP3)
MCast | - | VLAN 30 (BTV, SP1), VLAN 31 (BTV, SP2)
Configuration of the port on VLAN in IB
Add ports to the VLAN:
- On the SHUB: define the egress ports within the VLAN.
- On the ASAM-CORE: bridge port VID mapping.
[Figure: NT with control/mgt functions, aggregation function (FE), external Ethernet links GE/FE 1..7 and GE1..GE16, control link and ASAM links to the LIMs; each LIM has an IWF with PVC bridge ports]
VLAN association of port on ASAM-CORE (AWS) Rel. < 3.3
Select the ATM termination point and assign the VLAN to it (add port to RB VLAN); the VLAN needs to be deployed first.
AWS path: EML > USM > Connection > VLAN Association > Residential Bridge VLAN / Cross Connect VLAN
Assign port to RB VLAN (Rel. < 3.3):
- VLAN with protocol filtering: only PPPoE allowed.
- Port-protocol based VLAN association: when this protocol is received, map it to that VLAN.
VLAN association of port on ASAM-CORE (AWS) Rel. 3.3
Select the ATM termination point and assign the VLAN to it (add port to RB VLAN); the VLAN needs to be deployed first.
AWS path: EML > USM > Connection > VLAN Association > Create
Assign port to RB VLAN (Rel. 3.3):
- Select one of the deployed VLANs.
- VLAN translation: assign Subscriber VLAN and Network VLAN.
- No VLAN translation: assign Network VLAN = Subscriber VLAN.
- PVID setting.
- Port-protocol based VLAN association: when this protocol is received, map it to that VLAN.
VLAN association on SHUB ports
Configured SHUB ports are automatically associated with the VLAN when the VLAN is deployed from AWS.
Add port to an IB VLAN on the SHUB via CLI (1/2)
Attachment of ports to the VLAN is included in the configure vlan shub command:
configure vlan shub id <VLAN ID> mode residential-bridge egress-port <LT ports>
Optional parameters:
[no] name <VLAN name>
[no] mac-move-allow
[no] egress-port
[no] untag-port
Ports allowed per VLAN mode:
VLAN mode | ASAM links | Network interfaces
CC mode | Restricted to one | One or more **
Intelligent bridge | All | One or more **
Layer 2 terminated | All | One or more **
Layer2-term nwport | None | One or more
V-vlan | All | None
Add port to an IB VLAN on the SHUB via CLI (2/2)
Attachment of ports to the VLAN on the SHUB for IB: define the egress ports in the configure vlan shub command.
configure vlan shub id <VLAN ID> egress-port lt:<...>
  defines an ASAM link
configure vlan shub id <VLAN ID> egress-port network:<...>
  defines an external NT port
The tag mode can be configured on network ports:
configure vlan shub id <VLAN ID> untag-port network:<...>
ASAM links support only tagged frames.
IB VLAN association of port on ASAM-CORE (CLI)
Define the VIDs in the configure bridge port command:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
  vlan-id <VLAN ID>  or
  vlan-id stacked <S-VLAN ID:C-VLAN ID>
VLAN translation:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
  vlan-id <VLAN ID> vlan-scope local network-vlan <VLAN ID>
Define the PVID in the configure bridge port command:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC>#
  pvid <VLAN ID>
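As an added illustration, not part of the course and not the ISAM CLI or its implementation, the following Python model applies the association rules of this section to frames arriving on a bridge port: port-based PVID for untagged frames, port-and-protocol-based VIDs, VLAN translation (vlan-scope local with a network-vlan) for tagged frames, and the per-VLAN protocol group filter. The bridge port ids and VIDs are made up, and ARP is assumed to belong to the IPoE group.

```python
"""Toy model of IB VLAN association on an ISAM bridge port (ingress side).
Constructed illustration, not ISAM code. Tagged frame: VID must be in the port's
VID set, optionally translated to a network VID. Untagged frame: port-and-protocol
VID if one matches, else the PVID. Then the VLAN's protocol group filter decides.
Port ids, VIDs and ARP's membership of the IPoE group are assumptions."""
from collections import namedtuple

Frame = namedtuple("Frame", "ethertype vid")    # vid is None for untagged frames

# Ethertype -> protocol group (ARP assumed to belong to the IPoE group)
PROTOCOL_GROUP = {0x8863: "pppoe", 0x8864: "pppoe", 0x0800: "ipoe", 0x0806: "ipoe"}

# The protocol group filter settings of a residential bridge VLAN
PROTOCOL_FILTER = {
    "all": None,                      # None: every protocol passes
    "pppoe": {"pppoe"},
    "ipoe": {"ipoe"},
    "pppoe+ipoe": {"pppoe", "ipoe"},
}


class BridgePort:
    def __init__(self, name, vids, pvid=None, protocol_vids=None, translation=None):
        self.name = name                            # e.g. "1/1/4/1:8:35" (assumed)
        self.vids = set(vids)                       # VID set associated with the port
        self.pvid = pvid                            # default VID for untagged frames
        self.protocol_vids = protocol_vids or {}    # group -> VID (port-and-protocol)
        self.translation = translation or {}        # subscriber VID -> network VID

    def classify(self, frame):
        """Subscriber-side VID for the frame, or None when the port rejects it."""
        if frame.vid is not None:                   # tagged: VID must be associated
            return frame.vid if frame.vid in self.vids else None
        group = PROTOCOL_GROUP.get(frame.ethertype)
        if group in self.protocol_vids:             # port-and-protocol-based
            return self.protocol_vids[group]
        return self.pvid                            # port-based (None: dropped)


def ingress(port, vlans, frame):
    """Network VID the frame is bridged into (None = discarded); vlans: VID -> filter."""
    sub_vid = port.classify(frame)
    if sub_vid is None:
        return None
    net_vid = port.translation.get(sub_vid, sub_vid)   # no translation: net = sub
    if net_vid not in vlans:
        return None                                     # VLAN not deployed
    allowed = PROTOCOL_FILTER[vlans[net_vid]]
    if allowed is not None and PROTOCOL_GROUP.get(frame.ethertype) not in allowed:
        return None                                     # blocked by the group filter
    return net_vid


def demo():
    """Tagged subscriber VLANs translated per service and provider (course table)."""
    port = BridgePort("1/1/4/1:8:35", vids={1, 5, 2}, translation={1: 10, 5: 11, 2: 20})
    vlans = {10: "pppoe", 11: "pppoe", 20: "ipoe"}
    return (ingress(port, vlans, Frame(0x8863, 1)),    # 10: PPPoE on HSIA SP1
            ingress(port, vlans, Frame(0x0800, 1)),    # None: IPoE filtered on VLAN 10
            ingress(port, vlans, Frame(0x0800, 2)),    # 20: video to VoD SP1
            ingress(port, vlans, Frame(0x0800, 3)))    # None: VID 3 not associated
```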
Deletion of VLAN
It is not possible to delete a VLAN if there are still ports attached to the VLAN.
Deleting the VLAN on ASAM-CORE: configure vlan no id <VLAN ID>
Deleting the VLAN on SHUB: configure vlan shub no id <VLAN ID>
VLAN related show commands
A selection of the show vlan commands; display the list of commands via show vlan ?
Interesting commands on ASAM-CORE:
- show vlan residential-bridge <VLAN ID>: gives all bridge ports connected to the VLAN
- show vlan bridge-port-fdb <bridge port id>: gives all MAC addresses learned or configured on that port
- show vlan fdb <VLAN ID>: gives the MAC addresses learned on all ports of that VLAN
- show vlan port-vlan-map <bridge port id>: gives all the VLANs to which that port is mapped
The same commands are available on the SHUB.
Exercises