VLAN bridging and routing_v03 by yaofenji


SpeedTouch R6.1


>Jan Wuyts@thomson.net
>Technical Presales Manager
Hierarchical module overview

> Interface Architecture Modules
> According to OSI model
      Layer 1 : Physical
          >   ATM Phonebook menu
          >   ATM menu
      Layer 2 : Datalink
          >   IP menu => IPoA interface
              •   IPoA with destination an ATM interface
          >   Eth menu => ETHoA interface
              •   ETHoA with destination an ATM interface
          >   Eth bridge menu => bridge interfaces
              •   Bridge with destination an ATM interface
              •   Part of the bridge (also eth1, eth2, eth3 and eth4 and
          >   PPPoA and PPPoE
      Layer 3 : Network
          >   IP menu => IP interface
              •   IP with destination IPoA, EthoA or LAN interface
              •   IP routing, receive-only RIPv1/2
          >   NAT : NAT menu
          >   Streams : connection menu
          >   ALG : connection menu
      Layer 4/5 : Transport
          >   Firewall menu : stateful firewall
      Layer 6 : Presentation
          >   Not applicable
      Layer 7 : Application
          >   Not applicable

[Figure: interface architecture stack, top to bottom: LoopBack; IP Forwarding; IP Interface(s); ARP / iARP; IPoE, PPPoE, PPPoE Relay, IPoA, Multilink PPP and PPPoA; Ethernet Interface(s) (Physical Ports, OBC Bridge Port, VLAN); Bridge; ATM Bundle]

VLAN (802.1p & 802.1q)
Bridging and Routing
over a single PVC
in SpeedTouch
Business Products
Ethernet Protocol Structure

[Figure: the OSI model (Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical) beside the major IEEE sublayers that make up Ethernet's Data Link and Physical layers: Logical Link Control (802.2), MAC Bridging (802.1Q), Media Access Control (Ethernet-specific), Physical Signaling (802.3)]

Ethernet Frame Structure (frame length 64 to 1518 bytes)

    Preamble (64 bits) | Destination MAC Address (48 bits) | Source MAC Address (48 bits) | Length (16 bits) | Data/LLC (46 to 1500 bytes) | Frame Check Sequence (32 bits)
Virtual LAN (VLAN) Capability

> Virtual LAN and priority capabilities are provided by 802.1q/p:
       a VLAN tag is provided by 802.1Q to identify VLAN membership
           >   Limited to 4096 VLANs
       the VLAN tag has a 3-bit priority field that allows 8 possible service classes
        (matches DiffServ’s 8 possible classes)
> Why VLANs?
       LAN scalability:
           >   limits broadcast domains (limits broadcast storms);
           >   also limits multicast, chatty protocols, etc., reducing overall network traffic.
       Network efficiency: traffic flows from different VLANs can be segregated
       Allows non-physical grouping of nodes that share similar resources
       Allows easy changing of LAN membership
       Reduces the amount of layer 3 (IP) routing
       Security: limits snooping

Standardization and tagging
    > IEEE 802.1Q : Virtual Bridged Local Area Networks
          Defines VLAN bridge operation (extension of 802.1D)
          Defines VLAN tag
          Defines dynamic VLAN group membership mechanism, STP protocol impact, etc.

       Ethernet Frame (max 1518 bytes)
       Dest MAC (6) | Source MAC (6) | EthType (2) | Ethernet SDU (max 1500 bytes) | Padding | FCS (4)

       VLAN Frame (max 1522 bytes)
       Dest MAC (6) | Source MAC (6) | TPID (2) | TCI (2) | EthType (2) | Ethernet SDU (max 1500 bytes) | Padding | FCS (4)

       VLAN Stack Frame (max 1526 bytes)
       Dest MAC (6) | Source MAC (6) | TPID (2) | TCI (2) | TPID (2) | TCI (2) | EthType (2) | Ethernet SDU (max 1500 bytes) | Padding | FCS (4)

       TPID = 0x8100
       TCI  = priority (3 bit) + CFI (1 bit) + VID (12 bit)

Ethernet 802.1Q/p Class of Service

[Figure: 802.1Q/p tagged Ethernet frame: Pream. | SFD | DA | SA | Type | 2 bytes (PRI, CFI, VLAN ID) | PT | Data | FCS; the three PRI bits (802.1p User Priority) are the ones used for CoS]

• 802.1p User Priority field also called Class of Service (CoS)
• Different types of traffic are assigned different CoS values, e.g. IP Phone
• CoS 6 and 7 are reserved for network use

      CoS   Application
       7    Reserved
       6    Reserved
       5    Voice Bearer
       4    Video Conferencing
       3    Call Signaling
       2    High Priority Data
       1    Medium Priority Data
       0    Best Effort Data
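The two frame layouts above (the 1518/1522/1526-byte limits and the TPID/TCI split into PRI, CFI and VID) are easiest to check by building and parsing real bytes. The following Python is an added example, not code from the deck or from Thomson; the MAC addresses and payload are constructed, and the FCS is computed as the standard Ethernet CRC-32 sent least-significant byte first:

```python
import struct
import zlib

TPID_8021Q = 0x8100          # TPID value given on the slide for the VLAN tag
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518    # slide: max 1518 bytes without a tag; each tag adds 4
MIN_SDU = 46                 # slide: data field is 46 to 1500 bytes

# CoS table from the slide (802.1p user priority -> application)
COS_APPLICATION = {7: "Reserved", 6: "Reserved", 5: "Voice Bearer",
                   4: "Video Conferencing", 3: "Call Signaling",
                   2: "High Priority Data", 1: "Medium Priority Data",
                   0: "Best Effort Data"}


def build_tci(priority, cfi, vid):
    """Pack PRI (3 bit), CFI (1 bit) and VID (12 bit) into the 16-bit TCI."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must fit in 3 bits")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return (priority << 13) | (cfi << 12) | vid


def parse_tci(tci):
    """Split a 16-bit TCI back into its three fields."""
    return {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def max_frame_len(tag_count):
    """1518 bytes untagged, 1522 with one tag, 1526 with a stacked (double) tag."""
    return MAX_UNTAGGED_FRAME + 4 * tag_count


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build a frame; tags is a sequence of (priority, cfi, vid), outermost first."""
    header = bytes(dst) + bytes(src)
    for priority, cfi, vid in tags:
        header += struct.pack("!HH", TPID_8021Q, build_tci(priority, cfi, vid))
    header += struct.pack("!H", ethertype)
    body = payload.ljust(MIN_SDU, b"\x00")        # pad short payloads to the 46-byte minimum
    fcs = zlib.crc32(header + body).to_bytes(4, "little")
    return header + body + fcs


def parse_frame(frame):
    """Walk the header, peeling off every 0x8100 tag until the real EthType is found."""
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append(parse_tci(tci))
    body, fcs = frame[offset:-4], frame[-4:]
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "tags": tags,                              # outermost first; [] for an untagged frame
        "ethertype": ethertype,
        "payload": body,
        "fcs_ok": zlib.crc32(frame[:-4]).to_bytes(4, "little") == fcs,
        "within_max": len(frame) <= max_frame_len(len(tags)),
        "cos": COS_APPLICATION[tags[0]["priority"]] if tags else None,
    }


# Constructed sample: a LAN host sending into VLAN 835 with CoS 5 (voice bearer)
SAMPLE_DST = bytes.fromhex("001122334455")
SAMPLE_SRC = bytes.fromhex("66778899aabb")
SAMPLE_TAGGED = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_IPV4,
                            b"constructed payload", tags=[(5, 0, 835)])
SAMPLE_STACKED = build_frame(SAMPLE_DST, SAMPLE_SRC, ETHERTYPE_IPV4,
                             b"constructed payload", tags=[(0, 0, 100), (5, 0, 835)])

if __name__ == "__main__":
    for name, f in (("tagged", SAMPLE_TAGGED), ("stacked", SAMPLE_STACKED)):
        print(name, len(f), "bytes:", parse_frame(f))
```

The parser deliberately loops on the TPID so that a stacked frame yields two tags and an untagged frame yields none; a frame that exceeds `max_frame_len` for its tag count is flagged rather than rejected, since whether the far end accepts baby-giant frames is a per-device question.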
Benefits of using VLAN

> Increased performance : less broadcast traffic on segment, no latency
     added by routers

> Topology independence : logical networks are independent of physical

> Ease of administration : topology changes no longer require HW changes
     but can be done in SW

> Additional features : layer 2 segregation of traffic by means of VLAN

> Cost-effectiveness : fewer routers needed, VLAN-aware switches are used

VLAN implementation overview

 > Business segment modems (620, 608, 608WL, 605)
      Most complete VLAN implementation
        > Fullblown port isolation capabilities on all interfaces
        > VLAN tagging/untagging
        > 802.1p and IPQos priority mapping
        > VLAN routing, …

The Default configuration of the bridge
 > Defaults on e.g. ST620 (type ‘eth bridge iflist’)

[Figure: bridge interfaces and the physical interfaces they sit on: eth1, eth2, eth3, eth4 on the switch ports ethif1, ethif2, ethif3, ethif4; wlan on wlif1; wds1, wds2, wds3, wds4 on wlif_2, wlif_3, wlif_4, wlif_5; atm_1 on atm0_35; atm_2 on atm0_36]

 > Bridge interfaces
       All except OBC are connected to physical interfaces
       All except OBC and ethport1 can be detached/deleted
       Others can be added e.g. towards ATM interface
 > Functional : classical IEEE 802.1D self-learning bridging

The bridge filters

> WAN broadcast filter
        Filters broadcast from OBC to WAN bridge interfaces
        Applies to the whole bridge
        Enabled by default
        CLI : ‘eth bridge config’, parameter ‘filter’
        GUI: not available

> Multicast filter
        Filters multicast traffic in both directions
        Can be set for each bridge port separately
        Disabled by default
        CLI : ‘eth bridge ifconfig’, parameter ‘mcastfilter’
        GUI: Expert > Connections > Bridged Ethernet (not ST612s)

The VLAN bridge

> Bridge becomes VLAN aware
      When the corresponding parameter is set manually
      In one of the following cases (automatically toggled)
         > A physical interface is added to a newly created VLAN
         > Ethernet is directly terminated on physical interface
         > switch grouping is used

Moving ports around

> The basic functionality of a VLAN switch/bridge is the capability to
     specify VLAN membership for each port
       The OBC can only be untagged member of one VLAN
       A port can be untagged member of 1 or more VLANs
           >   If no default group membership is wanted => Dummy VLAN
       A port can be tagged member of 0 or more VLANs
       A port can never be tagged/untagged in the same VLAN
       ‘eth bridge vlan iflist’ lists all memberships

> The term ‘port isolation’
       often used for a port (can be ETH, ATM, wireless) added to a new
        VLAN and removed from the default one
       remember traffic is NOT bridged/switched between switch ports in different

VLAN tagging concept

> Concept :
      VLAN = Bridge group with VLAN
       tagging/untagging/forwarding capabilities
      Step 1 : Create a VLAN

         > Addrule option :
            • Enabled : shared MAC@ list
                     No identical MAC@ in different VLANs possible !
            • Disabled : independent MAC@ list

VLAN tagging concept

> Concept continued
      Step 2 : Create the WAN port(s) and adapt LAN ports if required
         > ATM PVC with LLC encapsulation and ULP=MAC
         > Add the port to the list of bridged ports
         > Port settings (screenshot) :
              Prioconfig (mapping of 802.1p to the internal class) :
                 - Disabled : no mapping of 802.1p to internal class
                 - Overwrite : set new priority
                 - Increase : only change when new priority is ‘better’
              IPprec :
                 - Disabled : don’t set TOS byte
                 - Precedence interpretation
                 - DSCP interpretation
              IngressFiltering : enable/disable discard of tagged ingress packets if the
               interface is not part of the VLAN
              AcceptVLANonly : enable/disable receiving of untagged packets

VLAN tagging concept

> Concept continued :
      Step 3 :
         >   add ports to the VLAN and set them tagged or untagged
         >   Remove ports from default VLAN/group, if required !

      [Screenshot: VLAN membership table; * marks an untagged membership]

Enabling VLAN and statistics
 > Enable VLAN
       Allow or disallow upstream broadcasts

 > View Rx/Tx statistics

 > ! When removing a port from the ‘default’ group, all connectivity with the CPE is lost

SpeedTouch 6xx priority mapping table
 [Table not reproduced in this extract]


VLAN classification scenarios

> Scenario 1 : LAN tagged, WAN tagged
      eth4 (LAN) <-> pvc835 (WAN)
      eth4 : tagged in, tagged out
      pvc835 : tagged out, tagged in
      AcceptVLANonly and IngressFiltering enabled on both ports
      All 600 series

VLAN classification scenarios

> Scenario 2 : LAN untagged, WAN tagged
      eth4 (LAN) <-> pvc835 (WAN)
      eth4 : untagged in, untagged out
      pvc835 : tagged out, tagged in
      AcceptVLANonly only on WAN port
      All 600 series

VLAN classification scenarios

> Scenario 3 : LAN tagged, WAN untagged
      eth4 (LAN) <-> pvc835 (WAN)
      eth4 : tagged in, tagged out
      pvc835 : untagged out, untagged in
      AcceptVLANonly only on LAN port
      All 600 series

VLAN classification scenarios

> Scenario 4 : LAN untagged, WAN untagged
      eth4 (LAN) <-> pvc835 (WAN)
      eth4 : untagged in, untagged out
      pvc835 : untagged out, untagged in
      AcceptVLANonly and IngressFiltering disabled, also
       VLAN state disabled
      All 600 series
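The membership rules from "Moving ports around" (OBC untagged in exactly one VLAN, never tagged and untagged in the same VLAN) and the four classification scenarios above both come down to the same ingress/egress decision per port. The following Python is an added example of that decision logic, not code from the deck or from the SpeedTouch firmware. It assumes flooding to every member port (MAC learning left out), treats a port's first untagged VLAN as its default VLAN, and uses the slide's port names eth4 and pvc835 with VID 835:

```python
class VlanBridge:
    """Port-membership and ingress/egress model of a VLAN-aware bridge.
    Frames are dicts: {"vid": None or int, "payload": str}."""
    OBC = "OBC"

    def __init__(self, vlan_aware=True):
        self.vlan_aware = vlan_aware
        self.ports = {}

    def add_port(self, name, acceptvlanonly=False, ingressfiltering=False):
        self.ports[name] = {"untagged": [], "tagged": set(),
                            "acceptvlanonly": acceptvlanonly,      # discard untagged ingress
                            "ingressfiltering": ingressfiltering}  # discard tags of foreign VLANs

    def ifadd(self, port, vid, untagged=True):
        """'eth bridge vlan ifadd': enforce the membership rules from the slides."""
        p = self.ports[port]
        if vid in p["untagged"] or vid in p["tagged"]:
            raise ValueError("a port can never be tagged and untagged in the same VLAN")
        if untagged:
            if port == self.OBC and p["untagged"]:
                raise ValueError("the OBC can only be untagged member of one VLAN")
            p["untagged"].append(vid)
        else:
            p["tagged"].add(vid)

    def ifdelete(self, port, vid):
        """Remove a port from a VLAN, e.g. from the default group for port isolation."""
        p = self.ports[port]
        if vid in p["untagged"]:
            p["untagged"].remove(vid)
        p["tagged"].discard(vid)

    def members(self, vid):
        return {n for n, p in self.ports.items() if vid in p["untagged"] or vid in p["tagged"]}

    def classify(self, port, frame):
        """Ingress: return (vid, reason); vid is None when the frame is discarded."""
        p = self.ports[port]
        if frame["vid"] is None:
            if p["acceptvlanonly"]:
                return None, "untagged frame discarded (AcceptVLANonly)"
            if not p["untagged"]:
                return None, "no untagged VLAN on this port"
            # assumption: the first untagged VLAN acts as the port's default VLAN
            return p["untagged"][0], "classified to the port's untagged VLAN"
        vid = frame["vid"]
        if p["ingressfiltering"] and port not in self.members(vid):
            return None, "tagged frame discarded (IngressFiltering)"
        return vid, "classified by VLAN tag"

    def forward(self, in_port, frame):
        """Return {out_port: egress frame}. Flooding only; MAC learning is left out."""
        if not self.vlan_aware:           # scenario 4: plain 802.1D bridging, tags untouched
            return {n: dict(frame) for n in self.ports if n != in_port}
        vid, _reason = self.classify(in_port, frame)
        if vid is None:
            return {}
        out = {}
        for n in self.members(vid) - {in_port}:
            egress = dict(frame)
            # tagged member -> send with the tag, untagged member -> strip it
            egress["vid"] = vid if vid in self.ports[n]["tagged"] else None
            out[n] = egress
        return out


def build_scenario(lan_tagged, wan_tagged, vid=835):
    """The four classification scenarios: eth4 is the LAN port, pvc835 the WAN port."""
    br = VlanBridge(vlan_aware=lan_tagged or wan_tagged)
    both = lan_tagged and wan_tagged   # scenario 1 enables IngressFiltering on both ports
    br.add_port("eth4", acceptvlanonly=lan_tagged, ingressfiltering=both)
    br.add_port("pvc835", acceptvlanonly=wan_tagged, ingressfiltering=both)
    br.ifadd("eth4", vid, untagged=not lan_tagged)
    br.ifadd("pvc835", vid, untagged=not wan_tagged)
    return br


if __name__ == "__main__":
    for lan, wan in ((True, True), (False, True), (True, False), (False, False)):
        br = build_scenario(lan, wan)
        for frame in ({"vid": 835, "payload": "p"}, {"vid": None, "payload": "p"}):
            print(f"LAN tagged={lan} WAN tagged={wan}, vid {frame['vid']} in on eth4 ->",
                  br.forward("eth4", frame))
```

Running the four scenarios shows why scenario 1 needs both settings: AcceptVLANonly stops an untagged LAN frame from being classified into the default VLAN, while IngressFiltering stops a frame tagged with a VID the port is not a member of from leaking across the PVC.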

P-bit classification concept

> Step 0 : decide whether to use IP precedence or p-bits as
     inbound classification criterion
       IP precedence (or DSCP) :

       P-bits :

VLAN routing basics

> Remember
      routing is needed to communicate between two VLANs
      the router must be member of all VLANs

The OBC as port to the upper layer

> Routing between VLANs in SpeedTouch devices?
      create multiple IP interfaces (which are connected to the router)
      associate the IP interfaces with the VLANs you want to route between
      add IP addresses, set the necessary routes, …

> Which steps are needed to set this up?
      Add OBC as tagged (!) member to the VLANs
      Create logical Ethernet interfaces, associated with the VID of the correct
       VLAN and bridge as destination
      Create IP interfaces with the corresponding logical Ethernet interfaces as

The OBC as port to the upper layer

> Defaults on e.g. ST620 (type ‘interface list’)

[Figure: IP interfaces lan1, guest1, dmz1, wan1 and Internet at the top; below them the logical Ethernet interfaces eth_guest1 (VID 5), eth_dmz1 (VID 4) and eth_wan1 (VID 3), which reach the bridge through the OBC, next to Ethoa 0_35 and Ethoa 8_35 (layer L2a); at the bottom the bridge ports eth1, eth2, eth3, eth4, wlan and wds_x on the physical interfaces ethif1, ethif2, ethif3, ethif4, wlif1, wlif_x, atm0_35 and atm8_35 (layer L1)]

Routed VLAN on CLI
 > Add OBC as tagged (!) member to VLAN
       {pol}=>eth bridge vlan ifadd intf OBC name dmz untagged disabled

 > Create a logical Ethernet interface, associated with the VID of the correct
     VLAN and bridge as destination
       {pol}=>eth ifadd intf eth_dmz1
       {pol}=>eth ifconfig intf eth_dmz1 dest bridge vlan dmz
       {pol}=>eth ifattach intf eth_dmz1

 > Create IP interface with the corresponding logical Ethernet interface as
       {pol}=>ip ifadd intf dmz1 dest eth_dmz1
       {pol}=>ip ifattach intf dmz1

Routed VLAN on Web GUI

> Adding the OBC to VLAN
      Expert > Connections > Bridged Ethernet > VLAN
> Creating Logical ETH and IP interfaces:
      Cannot be created/modified/deleted separately
      Only Routed Ethernet page to configure them together

Layer 2 IPQOS

> To enable IPQOS on PVC
      Ipqos config intf <PVC> state enabled
> System reboot required !
      Or bring down all interfaces from top to bottom and
       enable all again


> Labels cannot be used : only for routed scenarios
> Eth bridge port can be configured for traffic
     classification :

       Prioconfig = overwrite
       IPprec :
          > disabled: use 802.1p
          > Precedence : use IP precedence
          > DSCP : use DSCP
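The two port settings above (IPprec picks where the priority comes from, Prioconfig says how it is applied to the internal class) can be written down as one small function. The following Python is an added example, not code from the deck or from the SpeedTouch firmware: the IPv4 header is constructed, the "better = numerically higher" reading of Prioconfig = increase is an assumption, and because the SpeedTouch 6xx priority mapping table is not in this extract the DSCP is reduced to its class selector (upper 3 bits) as a stand-in:

```python
def tos_from_ipv4(packet):
    """The TOS / DS byte is the second byte of an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


def ip_precedence(tos):
    """RFC 791 precedence: the top 3 bits of the TOS byte (0..7)."""
    return tos >> 5


def dscp(tos):
    """DiffServ code point: the top 6 bits of the TOS byte (0..63)."""
    return tos >> 2


def dscp_to_class(code_point):
    """Assumption standing in for the SpeedTouch 6xx priority mapping table (absent here):
    take the DSCP class selector, i.e. its upper 3 bits, as the 3-bit class."""
    return code_point >> 3


def internal_priority(current, pbits, tos, prioconfig="overwrite", ipprec="disabled"):
    """ipprec selects the source of the new priority: 'disabled' -> 802.1p p-bits,
    'precedence' -> IP precedence, 'dscp' -> DSCP (through dscp_to_class).
    prioconfig says how it is applied: 'disabled' -> keep the current class,
    'overwrite' -> set the new one, 'increase' -> only when the new one is better
    (assumption: better = numerically higher, as in the CoS table)."""
    if ipprec == "disabled":
        new = pbits
    elif ipprec == "precedence":
        new = ip_precedence(tos)
    elif ipprec == "dscp":
        new = dscp_to_class(dscp(tos))
    else:
        raise ValueError(f"unknown ipprec {ipprec!r}")
    if prioconfig == "disabled":
        return current
    if prioconfig == "overwrite":
        return new
    if prioconfig == "increase":
        return max(current, new)
    raise ValueError(f"unknown prioconfig {prioconfig!r}")


# Constructed sample: minimal IPv4 header with TOS 0xB8 (DSCP 46 / EF, precedence 5)
SAMPLE_IPV4 = bytes([0x45, 0xB8]) + bytes(18)

if __name__ == "__main__":
    tos = tos_from_ipv4(SAMPLE_IPV4)
    for mode in ("disabled", "precedence", "dscp"):
        for action in ("disabled", "overwrite", "increase"):
            print(f"ipprec={mode:<10} prioconfig={action:<9} ->",
                  internal_priority(2, pbits=3, tos=tos, prioconfig=action, ipprec=mode))
```

The sample packet carries p-bits 3 but an EF marking in the TOS byte, so the three IPprec settings give three different answers for the same frame; that is exactly the choice Step 0 of the P-bit classification concept asks the operator to make before enabling IPQoS on the PVC.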

SpeedTouch 6xx priority mapping table
 [Table not reproduced in this extract]

Use QosFlow Generator
> Select interface
> Fix remote MAC address (do
    ipconfig /all on other PC)
>   Select ‘Virtual LAN’
       802.1q ID = VLAN ID
       802.1p Priority
>   Fill local and remote IP@
       E.g. and
>   Send traffic with PCR=100,
    #packets=0 (send traffic forever)
>   Push ‘start’ button

Use QosFlow Monitor

> Select interface
> Tick the ‘filter’ box
> Optionally the filter
     arguments can be

Reference : http://users.skynet.be/dvdp/
Thank you!
