VLAN forwarding modes and IB

7302-7330/5523 operator part 1 section D

Alcatel-Lucent University Antwerp
Objectives
What is a Residential Bridge VLAN (= Intelligent Bridge VLAN)
Understand how the RB-VLAN behaves
Creation of an RB-VLAN via AWS and CLI
The RB-VLAN association on an ATM over xDSL port
The RB-VLAN association on an ETH over xDSL port
Application purpose of the RB-VLAN

Table of contents
Forwarding modes: general  p.4
Layer 2 forwarding: The Basics  p.7
Intelligent bridging  p.15
VLAN setup  p.33
VLAN association  p.47
Exercises  p.61

Forwarding modes: General

Forwarding engines
On the LT
On the NT: the forwarding engine is part of the service hub
[Figure: NT service hub (forwarding engine, external Ethernet links GE1-16) connected over the ASAM links to LT 1..x (IWF and forwarding engine, GE/FE 1-7); PVC / logical user ports (x/ATM/Phys. layer) and EFM user ports (x/Eth/Phys. layer) towards the CPE]
Forwarding modes: General
[Figure: 7302 ISAM between the network side (Eth-VLAN) and the user side (ANT); the forwarding mode is decided per layer]
Decision per layer and forwarding mode:
L2: VLAN Cross-Connect (CC), Intelligent Bridge (IB)
L2+: PPPoA to PPPoE translation, IP aware Bridge
L3: Routed
L3+: PPP termination

L2 Forwarding mode

General overview
[Figure: 7302 ISAM in L2 mode; network side: anything over Eth-VLAN; user side: anything over Eth (VLAN) on ATM/AAL and the physical layer, or anything over Eth (VLAN) directly on the physical layer]
Layer 2 forwarding: the Ethernet layer must be present at both sides, so the encapsulation at the CPE must include Ethernet.

Two L2 forwarding modes
The intelligent bridging (IB): one (or more) circuits per VLAN; forwarding based upon MAC addresses and VLAN
The cross-connect (CC): one (or more) VLANs per circuit; forwarding based upon the user side (PVC for ATM or DSL port for EFM) and the network side (single or stacked VLAN tag)

L2 functionalities
[Figure: NT with control/management function (control link), aggregation function (FE, GE/FE 1-7, GE1..16 external Ethernet links) and the service hub as a standard VLAN-enabled bridge; LT 1..16 with the IWF as a special VLAN-enabled bridge on the PVC / logical user ports, connected through the ASAM links; the ISAM sits between the CPEs (POTS, ISDN) and the GE E-MAN network]
[Figure: protocol stack across CPE, LT and NT: Ethernet layer 2 over LLC/SNAP, AAL5, ATM and the xDSL PHY on the user side; the ETH-ATM interworking function (IWF) on the LT maps it to Ethernet layer 2 (+ MAC control) over the FE/GE PHY; the NT Ethernet switch forwards over GE towards the network]

Intro: Standard Bridging

Standard bridging concept
MAC bridges can interconnect all kinds of LANs together
No guaranteed delivery of frames
A bridge learns MAC addresses
Flooding occurs when the destination MAC address is broadcast, multicast or unknown: if you do not know, send it to everybody
If the destination MAC address has been learned, the frame is forwarded to the indicated interface

Security/scalability issue with standard bridging
Broadcast frames (ARP, PPPoE-PADI) forwarded to all users, flooding to all ports
MAC address of a user is exposed to other users
Broadcast storms
[Figure: a BC or unknown MAC DA frame from a PC behind a CPE and DSLAM is flooded by the Ethernet bridge to the BRAS and to every other DSLAM, CPE and PC]

Standard bridging: Issues
Broadcast storms
Security: broadcast frames are forwarded to all users; customers are identified by MAC address (not guaranteed unique)
Restrictions on services and revenues: the IP edge device has no info on the access line, so it is not possible to limit the number of sessions per access line
User-to-user communication possible without passing the BRAS
NOT FIT FOR USE IN PUBLIC NETWORKS

Intelligent Bridging

The intelligent bridging model (1/3)
Multiple users connected to 1 VLAN ID
An IB-VLAN has: 1 or more user logical ports, subtending ports or user Ethernet ports; 1 or more network ports
Note: tagged frames not supported for IB if Rel. < 3.1
[Figure: users log in to an ISP or corporate network; in the E-MAN network, routing to the correct ISP (ISP1, ISP2, corporate) is based on the VLAN-id, whereas with a BAS/BRAS, routing to the correct ISP is done based on user-id and password]
The intelligent bridging model (2/3)
Why VLAN translation (customer VLAN to network VLAN)?
Wholesale per service
Drivers: VDSL and Ethernet offer more bandwidth, so it makes sense to wholesale this in pieces rather than the complete DSL line as a whole
Consequences: model with VLANs on the DSL line; behaviour equivalent to the multi-VC model on ATM/ADSL
VLAN per service and per provider in the aggregation network
The service provider is free to choose the CPE configuration, but the VLANs in the aggregation network are under control of the ILEC
Ultimately 1 subscriber (1 line) may have to support 2 HSIA services or 2 video services from different service providers.

The intelligent bridging model (3/3)
Special layer 2 behaviour is needed in an access environment: IB with VLAN tagging
Intelligent Bridge (IB) means:
Distinction between network ports and user ports: frames from a user are always sent towards the network, no user-to-user communication
Prevent broadcast traffic from escalating: avoid broadcast or flooding to all users
Secure MAC-address learning within a VLAN: avoid MAC-address duplication over multiple ports
Protocol filtering: may lead to a frame being forwarded, sent to a host processor, discarded, or forwarded and sent to a host processor

Intelligent bridging: network issues
[Figure: two CPEs (MAC A, MAC B) behind ISAMs share VLAN1 through an Ethernet bridge towards the IP edge]
Problem: if user A can obtain the MAC address of user C, user-to-user communication is possible, since the Ethernet switch learns all MAC addresses.
Broadcast messages & flooding US
Upstream BC frames & flooding are only forwarded towards the network port(s) within a VLAN
1 VLAN per IP edge: reduction of flooding in the aggregation network; no user-to-user communication without passing the BRAS
[Figure: a BC or unknown MAC DA frame from PC A is carried in VLAN 1 through the ISAM and the Ethernet bridge to the BRAS only; PC B behind another ISAM in VLAN 2 does not receive it]

Broadcast messages & flooding DS
Blocking of broadcast & flooding in the downstream avoids messages being unintentionally distributed to all users
For some applications forwarding of BC is needed
Solution: make BC flooding / BC discarding a configurable option per VLAN
[Figure: a BC or unknown MAC DA frame from the BRAS is stopped at the ISAM instead of reaching every CPE and PC]
Intelligent Bridge
Bridge: learning, aging, forwarding
Lookup of the MAC DA is done based on VLAN and MAC address
Intelligent bridging enhancements are implemented on the ISAM
LT and SHUB have independent MAC-address learning and independent MAC-address aging
Aging timers are configurable [10...1000000] sec; the recommended default value is 300 sec

LT self-learning
Only in the upstream, when initiated from a user logical port
Self-learning can be disabled per user logical port.
In case of self-learning, limiting the number of MAC addresses is possible.
[Figure: the LT learns the source MAC addresses (MAC A, MAC B, MAC C) within the VLAN on user ports x, y, z; no self-learning on the link towards the service hub]
Self-learning in the Service Hub
Self-learning implemented for both upstream and downstream
Discard all user unicast frames with a MAC DA known on an ASAM or subtending port: no user-to-user communication
[Figure: the service hub learns source MAC addresses (MAC A, MAC B, MAC C) within the VLAN on its LT links and E-MAN links; frames from B to A and from B to C are discarded]

Blocking of user to user communication
Port mapping on the service hub/NT: an interface can only communicate with its mapping ports
[Figure: service hub with 8 network links, a control link, 15 or 16 ASAM links and a subtending link; the network links are mapped to the user links and vice versa]
Port mapping
Port mapping is used to block user to user communication on the service hub
[Figure: NT with control link to the LTs, E-MAN network links, ASAM links, subtending links and user links]

Upstream
Only user to network allowed
[Figure: BC, unknown MAC DA and known MAC DA frames from users A, B, C, D (on LT1, LT4 and a subtended S-ASAM) are forwarded by the LT and the SHUB towards the network only]

Downstream
Broadcast control configurable per VLAN in IB mode
[Figure: BC, unknown MAC DA and known MAC DA frames from the network pass the SHUB towards the LTs; at the LT a BC frame only reaches users A, B, C, D (on LT1, LT4 and the S-ASAM) if BC is allowed on the VLAN]
Duplicate MAC-address learning
[Figure: two users with MAC A on port x and port y of the same Ethernet bridge; a packet with destination address MAC A cannot be delivered unambiguously]
Problem: 2 users with the same MAC address, the forwarding engine can't distinguish them
Traffic from duplicate MAC addresses in separate DSLAMs can be distinguished as separate flows in the Ethernet switches of the aggregation network, when a different VLAN id per DSLAM is used

Secure MAC address learning
[Figure: interface priorities on the NT/service hub: 1 = control link, 2 = E-MAN network links and outband MGT link, 3 = ASAM links, subtending links and the user links on the LT/IWF]
MAC movement to the highest priority
Within priority 2, always MAC movement
Within priority 3, MAC movement only when the feature is enabled in the VLAN
Blocking of duplicate MAC addresses
Static MAC addresses never disappear from the learning table
Secure MAC address learning
Configure the maximum number of MAC addresses per port
Prevents attacks that would fill up the bridging tables
Subscription rules: maximum devices connected simultaneously
Configure MAC addresses for discarding
[Figure: ISAM bridge port x with Max Mac@ = 2 and MAC A, MAC B learned (connected via PPPoE to the BAS/ISP); a PADI with source address MAC C arrives at port x; discard MAC address 00-08-02-E9-F2-9D is configured on port x in the VLAN]
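The IB forwarding rules of the intelligent-bridging slides above (user-to-network only, upstream flooding towards network ports only, downstream BC per VLAN setting, secure MAC learning with a per-port maximum and a discard list), as an added Python model that is not part of the original course material; port names and MAC addresses are constructed.

```python
"""Model of the intelligent-bridge (IB) forwarding rules in these slides:
user ports only talk to network ports, upstream broadcast / unknown MAC DA
frames are flooded to network ports only, downstream broadcast is blocked
unless broadcast control is enabled on the VLAN, and MAC learning is
secured by a per-port MAC limit and a discard list. Added example, not
Alcatel-Lucent code: port names and MAC addresses are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    is_network: bool      # True: towards E-MAN/BRAS, False: user logical port
    max_macs: int = 2     # "Max Mac@" per user port (ignored on network ports)


@dataclass
class IbVlan:
    vid: int
    ports: dict                                  # port name -> Port
    broadcast_control: bool = False              # default: BC blocked in DS
    discard_macs: set = field(default_factory=set)
    fdb: dict = field(default_factory=dict)      # learned MAC -> port name

    def learn(self, mac, port):
        """Secure self-learning: upstream only (user ports), no discarded
        MACs, no duplicate MAC on a second port, per-port MAC budget."""
        if port.is_network or mac in self.discard_macs:
            return False
        if mac in self.fdb:                 # known already: no MAC movement
            return self.fdb[mac] == port.name
        in_use = sum(1 for p in self.fdb.values() if p == port.name)
        if in_use >= port.max_macs:         # table-filling / subscription limit
            return False
        self.fdb[mac] = port.name
        return True

    def network_ports(self):
        return sorted(p.name for p in self.ports.values() if p.is_network)

    def user_ports(self):
        return sorted(p.name for p in self.ports.values() if not p.is_network)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress port names for one frame ([] = discarded)."""
        src = self.ports[in_port]
        if src_mac in self.discard_macs:
            return []
        if not src.is_network:
            # Upstream: learn SA, then send towards the network only.  A DA
            # learned on a user port would be user-to-user traffic: discard.
            self.learn(src_mac, src)
            if dst_mac != BROADCAST and dst_mac in self.fdb:
                return []
            return self.network_ports()
        # Downstream: BC only if broadcast control is enabled on the VLAN,
        # unknown DA is never flooded to users, known DA goes to its port.
        if dst_mac == BROADCAST:
            return self.user_ports() if self.broadcast_control else []
        return [self.fdb[dst_mac]] if dst_mac in self.fdb else []
```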

Intelligent Bridging, things to consider
Security services: the IP edge has no info on the line id; solutions: PPP connections (BRAS) or DHCP option 82
A user can access the network with a different IP address than the assigned IP address: pure layer 2 device
No support for duplicate MAC addresses on the same ISAM within the same VLAN
Scalability: switches learn all MAC addresses of all end users; the IP edge learns all MAC addresses & IP addresses of all end users

Intelligent Bridging, things to consider
Advised to use a unique VLAN per [IP edge-DSLAM] pair in the E-MAN: avoids user-to-user communication, traffic management per DSLAM, complex IP network configuration
When 1 VLAN is shared by multiple DSLAMs: user-to-user traffic in the E-MAN; easy IP network configuration, one single subnet for all DSLAMs; MAC-address spoofing: standard MAC address learning at E-MAN level, traffic will be rerouted to any spoofed MAC address

IB VLAN set-up

IB VLAN set-up
VLAN set-up:
Create VLAN for the service to be deployed: creation of the VLAN on the SHUB and LTs
Add ports to the VLAN: on the SHUB and LTs
Via AWS: service templates are used; they need to be deployed on the ISAM (download); the service is mapped on a specific VLAN-ID; different versions of one template are possible

Creation of IB VLAN (AWS): use of service template
Parameters to configure: system mode settings, state, identification, allocation strategy, protocol settings, IGMP settings, MAC addresses for discarding
[Figure: in ANEL the service definition creates an RB VLAN; the service templates on AWS (Service 1..7, each with a service id) are deployed to the NE, where each maps to a VLAN-ID on the ISAM (e.g. VLAN 2, VLAN 5)]

VLAN service template states
Under construction: not ready to be deployed; service parameters can be modified
Ready for use: ready to be deployed to the ISAM; can't return to status under construction; service parameters can only be modified via a new version of the VLAN service template
Obsolete: ready for deletion
Preferred: preferred version to be deployed

VLAN identification
[Figure: ANEL service definition (create, modify, change state) with service name and service identifier per version on AWS; create service, then deploy to NE on the ISAM]
Service name and service identifier
The service in the ISAM is only known by its service identifier
By default AWS puts Service Identifier = Service Name

Residential bridge parameters
Broadcast control (only applicable in IB mode; BC button not checked by default)
Disabled (default): BC in the IWF on the LT is blocked in the downstream
Enabled: allow BC in the downstream
[Figure: a frame with broadcast MAC DA coming from the service hub on the NT is stopped at the LT when broadcast control is disabled]
MAC movement (only applicable in IB mode)
Disabled (default): no MAC movement in the SHUB within priority 3 interfaces
Enabled: MAC movement allowed within priority 3 interfaces
[Figure: SHUB interface priorities: E-MAN links 2, control link 1, LT links 3]

Residential bridge parameters
DHCP option 82 / PPPoE relay tag
Disabled (default): no option 82 / PPPoE information added by the LT
Enabled: option 82 / PPPoE information added by the LT
Protocol group filter (different from protocol-based VLAN association), 3 possibilities:
All: allow all protocols on the VLAN
IPoE: allow only IPoE on the VLAN
PPPoE: allow only PPPoE on the VLAN
PPPoE + IPoE: allow only PPPoE and IPoE on the VLAN
Creation of IB VLAN via CLI (1/3)
Creation of the VLAN in 2 steps: on the SHUB and on the LTs (ASAM-CORE)
VLAN mode according to the forwarding model
[Figure: create VLAN with the mode in function of the service to be deployed; for IB, create the VLAN on the LT as residential bridge and on the SHUB as residential bridge]
Creation of IB VLAN via CLI (2/3)
VLAN mode per forwarding model:
Model                                SHUB                                    LTs (ASAM-core)
Intelligent Bridge                   Residential bridge                      Residential bridge
IP aware Bridge (forwarding)         Layer2 Terminated *                     Layer2 Terminated *
Routed                               Layer2 Terminated NW port & v-vlan *    Layer2 Terminated *
PPP termination in forwarding mode   Layer2 Terminated *                     Layer2 Terminated *
PPP termination in routed mode       Layer2 Terminated NW port & v-vlan *    Layer2 Terminated *
* : see next chapters

Creation of IB VLAN via CLI (3/3)
VLAN ID range: 1 to 4093, excluding the VLAN ID used for management
Create VLAN on ASAM-CORE:
configure vlan id <VLAN ID> mode <VLAN Mode>
Optional parameters:
[no] name <VLAN name>
[no] priority <VLAN Priority>
[no] broadcast frames
[no] protocol filter <pass-protocol group>
[no] PPPoE relay (only for RB VLAN)
[no] dhcp-option-82 (only for RB VLAN)
Create VLAN on SHUB:
configure vlan shub id <VLAN ID> mode <VLAN Mode>
Optional parameters:
[no] name <VLAN name>
[no] mac-move-allow

VLAN service template: Allocation strategy
When a service is deployed on the ISAM, it is mapped to one VLAN-ID
VLAN ID in function of the allocation strategy:
User select = at download the VLAN-ID per ISAM is defined (AWS asks a VLAN-ID per NE and deploys to each NE)
Shared with VLAN-ID = the ISAMs share the same VLAN-ID (deploy to NE with mutual VLAN-ID)

VLAN service template transitions
[Figure: state diagram of a service template: Under construction (modify within version) -> change state -> Ready for use -> change state -> Preferred -> DEPLOY or UPGRADE to the ISAM; a Modify on Ready for use or Preferred creates a new version (Under construction); change state -> Obsolete -> DELETE]

IB VLAN association

Definition of logical user port on ASAM-CORE
xDSL based on ATM: 1 VP/VC is mapped on 1 logical user port on the IWF of the LT; 1 xDSL line can have multiple VP/VCs
xDSL based on Ethernet (VDSL2/EFM): 1 end user is mapped to one logical user port on the IWF of the LT (one-to-one mapping)
[Figure: LT 1 with IWF and forwarding engine and the ASAM link towards the NT; PVC / logical user port over x/ATM/ADSL and EFM / logical user port over x/Eth/Phys layer towards the CPE]
IB VLAN association of port on ASAM-CORE
One logical user port can be mapped to multiple VIDs
One logical port is associated to CC or residential-bridge VIDs
One logical user port can accept tagged or untagged frames; this is configured on the level of the VID association
Per user logical port a PVID can be defined; before the PVID can be configured, the VLAN association has to be configured (configuration of the VID within the bridged port)
Support of 48 x 16 = 768 I-Bridges on L3 LIMs

IB VLAN association
Port-based VLAN association: VLAN ID based on the port of arrival; untagged frames receive the port VLAN identifier (PVID), also called the default VLAN ID
Port-and-protocol-based VLAN classification: VID based on the port of arrival and the protocol identifier of the frame; multiple VLAN-IDs associated with a port of the bridge (VID set)
VLAN translation: VID based on the port of arrival and translated to a network VID

IB VLAN association of port on ASAM-CORE
Frames received from end users are untagged: the user port can be mapped to multiple VIDs using port-protocol-based association or the PVID
[Figure: the CPE sends untagged IPoE, PPPoE and other (xxx) frames; the LT places each protocol in its own VID towards the E-MAN network, the remaining frames in the PVID]
Frames received from end users are tagged: on the logical port define the different VIDs and configure the frames received from the end user as tagged; frames sent back to the subscriber are set as single tagged
[Figure: CPE, LT and E-MAN network with tagged frames on the user side]

IB VLAN association of port on ASAM-CORE
VLAN translation, frames received from end users are tagged; VLAN per service & per provider on both the subscriber side and the network side:
Subscriber VLAN    Bridge port    Network VLAN
VLAN 1 (HSIA)      Bridge 10      VLAN 10 (HSIA, SP1)
VLAN 5 (HSIA)      Bridge 11      VLAN 11 (HSIA, SP2)
VLAN 2 (Video)     Bridge 20      VLAN 20 (VoD, SP1)
VLAN 6 (Video)     Bridge 21      VLAN 21 (VoD, SP2)
VLAN 3 (Voice)     Bridge 40      VLAN 40 (Voice, SP3)
MCast (CPE)                       VLAN 30 (BTV, SP1), VLAN 31 (BTV, SP2)
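The three association methods of the IB VLAN association slides above (port-based PVID, port-and-protocol-based association, VLAN translation) followed by the per-VLAN protocol group filter, as an added Python model that is not part of the original course material; the subscriber-to-network VID pairs used in the checks are the slide's translation table, the VLAN numbers 100/200/300 and the ethertype-to-protocol-group mapping are assumptions.

```python
"""Model of the three IB VLAN association methods on an ASAM-CORE bridge
port described in these slides (port-based PVID, port-and-protocol-based,
VLAN translation) followed by the per-VLAN protocol group filter. Added
example, not Alcatel-Lucent code; the ethertype-to-group mapping is an
assumption (IPoE = IPv4 and ARP, PPPoE = discovery and session stage)."""
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS = 0x8863, 0x8864
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806

# Protocol groups let through by each "Protocol Group Filter" setting of a VLAN
FILTER_ALLOWS = {
    "all": {"pppoe", "ipoe", "other"},
    "ipoe": {"ipoe"},
    "pppoe": {"pppoe"},
    "pppoe+ipoe": {"pppoe", "ipoe"},
}


def protocol_group(ethertype):
    """Map an ethertype to the slides' protocol groups (assumption: the
    IPoE group covers IPv4 and ARP, everything else is 'other')."""
    if ethertype in (ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS):
        return "pppoe"
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_ARP):
        return "ipoe"
    return "other"


@dataclass
class BridgePort:
    """VID configuration of one logical user port (bridge port)."""
    pvid: Optional[int] = None                          # default VID, untagged
    protocol_vids: dict = field(default_factory=dict)   # group -> VID, untagged
    vlan_map: dict = field(default_factory=dict)        # subscriber VID -> network VID


def associate(port, ethertype, tag=None):
    """Return the network VID an ingress frame is placed in, or None if the
    port has no association for it (frame dropped)."""
    if tag is not None:
        # Tagged frame: only configured subscriber VIDs are accepted, and the
        # subscriber VID is translated to the network VID (map a VID to
        # itself for "no VLAN translation: network VLAN = subscriber VLAN").
        return port.vlan_map.get(tag)
    # Untagged frame: port-and-protocol-based association first, else PVID
    group = protocol_group(ethertype)
    if group in port.protocol_vids:
        return port.protocol_vids[group]
    return port.pvid


def accepted(vlan_filters, port, ethertype, tag=None):
    """Association plus the chosen VLAN's protocol group filter; VLANs not
    listed in vlan_filters use the default setting 'all'."""
    vid = associate(port, ethertype, tag)
    if vid is None:
        return None
    allowed = FILTER_ALLOWS[vlan_filters.get(vid, "all")]
    return vid if protocol_group(ethertype) in allowed else None
```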

Configuration of the port on VLAN in IB
Add ports to the VLAN:
on SHUB: define egress ports within the VLAN
on ASAM-CORE: bridge port VID mapping
[Figure: NT with external Ethernet links GE/FE 1..7 and GE1..16, control link, aggregation function and control/mgt functions; ASAM links towards the LIM IWFs and their PVCs]
VLAN association of port on ASAM-CORE (AWS) Rel. < 3.3
Select the ATM termination point and assign a VLAN to it
Add port to RB VLAN: the VLAN needs to be deployed first
[Figure: EML/USM path Connection > VLAN Association > Residential Bridge VLAN or Cross Connect VLAN]

Assign port to RB VLAN (Rel. < 3.3)
[Figure: AWS dialog selecting a VLAN with protocol filtering: only PPPoE allowed]
Port-protocol based VLAN association: when this protocol is received, map it to that VLAN

VLAN association of port on ASAM-CORE (AWS) Rel. 3.3
Select the ATM termination point and assign a VLAN to it
Add port to RB VLAN: the VLAN needs to be deployed first
[Figure: EML/USM path Connection > VLAN Association > Create]

Assign port to RB VLAN (Rel. 3.3)
Select one of the deployed VLANs
VLAN translation: assign Subscriber VLAN and Network VLAN
No VLAN translation: assign Network VLAN = Subscriber VLAN

Assign port to RB VLAN (Rel. 3.3)
PVID setting
Port-protocol based VLAN association: when this protocol is received, map it to that VLAN

VLAN association on SHUB ports
Configured SHUB ports are automatically associated with the VLAN when the VLAN is deployed from AWS

Add port to an IB VLAN on the SHUB via CLI (1/2)
Attachment of ports to the VLAN is included in the configure vlan shub command:
configure vlan shub id <VLAN ID> mode residential-bridge
with the egress ports (LT ports) given on the same command
Optional parameters:
[no] name <VLAN name>
[no] mac-move-allow
[no] egress-port
[no] untag-port
Ports allowed per VLAN mode:
VLAN mode            ASAM links          Network interfaces
CC mode              Restricted to one   One or more **
Intelligent bridge   All                 One or more **
Layer 2 terminated   All                 One or more **
Layer2-term nwport   None                One or more
V-vlan               All                 None

Add port to an IB VLAN on the SHUB via CLI (2/2)
Attachment of ports to the VLAN on the SHUB for IB: define the egress ports in the configure vlan shub command
configure vlan shub id <VLAN ID> egress-port lt:<...> defines an ASAM link
configure vlan shub id <VLAN ID> egress-port network:<...> defines an external NT port
Tag mode can be configured on network ports:
configure vlan shub id <VLAN ID> untag-port network:<...>
ASAM links support only tagged frames

IB VLAN association of port on ASAM-CORE (CLI)
Define VIDs in the configure bridge port command:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC># vlan-id <VLAN ID>
or
configure bridge port 1/1/<slot>/<port>:<VP>:<VC># vlan-id stacked <S-VLAN ID:C-VLAN ID>
VLAN translation:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC># vlan-id <VLAN ID> vlan-scope <local> network-vlan <VLAN ID>
Define PVIDs in the configure bridge port command:
configure bridge port 1/1/<slot>/<port>:<VP>:<VC># pvid <VLAN ID>

Deletion of VLAN
It is not possible to delete a VLAN if there are still ports attached to the VLAN
Deleting VLAN on ASAM-CORE:
configure vlan no id <VLAN ID>
Deleting VLAN on SHUB:
configure vlan shub no id <VLAN ID>

VLAN related show commands
Selection of multiple show vlan commands; display the list of commands via show vlan ?
Interesting commands on ASAM-CORE:
show vlan residential bridge <VLAN ID>: gives all bridge ports connected to the VLAN
show vlan bridge-port-fdb <bridge port id>: gives all MAC addresses learned or configured on that port
show vlan fdb <VLAN ID>: gives the MAC addresses learned on all ports of that VLAN
show vlan port-vlan-map <bridge port id>: gives all the VLANs to which that port is mapped
The same commands are available on the SHUB

Exercises