To create or delete bridge packet rules:
To refresh the data displayed in the Packet Rule table, click the Refresh button.
To add a new packet rule, click the Create button.
To change a bridge packet rule value, click the Modify button.
To remove a packet rule, click the Delete button.
Each bridge configuration record contains settings for type and value.
Type specifies the variety of filter to be applied to the interface. Type options are
ACL Allow
ACL Deny
Bridge Forbid OUI
Bridge Insert Option 82
Bridge Insert PPPoE Vendor Tag
Color Aware Rate Limit Discard
Destination MAC Swap Dynamic
Destination MAC Swap Static
DHCP Relay
DSCP To COS
Filter First Encapsulation VLAN
Promote First Encapsulation VLAN
Filter Second Encapsulation VLAN
Promote Second Encapsulation VLAN
The ACL filters allow you to block or allow packets based on the source MAC address, destination MAC address or Ethernet type. The ACL filters are configured with a packet rule record.
The ACL filtering options include: allow/deny based on Ethernet type, allow/deny based on destination MAC address, and allow/deny based on source MAC address.
ACL filtering is supported only on systems with FE/GE or GE uplink/controller cards, and only on downlink and TLS bridge types. It is applied on the ingress port of line cards only; it does not block any traffic on the egress port (toward the subscriber).
Rate limiting is typically used when a service provider needs to provide customer services with limited bandwidth and needs to decide which type of packets (data, voice, or video) has priority when there is bandwidth contention. In other words, a service provider may need to ensure that video traffic gets to the user at the expense of data or voice traffic.
Rate limiting controls the rate of traffic sent or received on the ingress or the egress of either a logical port or a physical port on the device. Traffic that is less than or equal to the specified rate is sent; traffic that exceeds the rate is dropped or delayed.
Rate limiting is not supported on the ingress of the GPON line card, that is, for traffic from the subscriber to the device. You can apply the filter there, but it will have no effect.
After configuring an interface with rate limiting, the traffic rate is monitored and metered to verify conformity with an established contract. Non-conforming traffic is discarded, while conforming traffic passes through the interface without any changes. The two modes of rate limiting are color blind and color aware:
Color blind mode: rate limiting is performed on the interface without using the frame's Class of Service (CoS); all packets of a flow are assumed to be "uncolored" and are treated equally.
Color blind mode is most commonly used for a single service per VLAN.
Color aware mode: rate limiting treats the incoming packet flow as already colored, with each packet marked green, yellow, or red to signify whether it has high, medium, or low priority. The color field maps to the priority CoS value in tagged packets and to the IP precedence ToS value in untagged packets.
Color aware bandwidth limiting is usually used when multiple services with different priorities are offered on a single VLAN. The colors green, yellow, and red are used for metering traffic, and each color corresponds to a CoS value in the range 0-7. You can set which colors correspond to which CoS value.
Color aware policing is based on the idea that upstream devices are policing and marking frames according to a set of rules. A green packet is well behaved. A yellow packet has misbehaved at some point, so if there is bandwidth congestion it should be dropped before a green frame. A red packet has violated a rule and should be dropped. This means that green packets are serviced first; then, if there is enough room, the yellow packets are serviced. Red packets are always dropped.
Note: Color values are not supported on egress ports.
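The policing behaviour described above (green served first from the committed budget, yellow only from whatever excess remains, red always discarded) is easiest to see as a two-bucket meter. The example below is an added illustration written for this page, not the device's firmware or any vendor code: it implements a single-rate three-color marker in color-aware mode with a constructed CoS-to-color map, and the "Color Aware Rate Limit Discard" action as "forward unless red". The rate, burst sizes and the CoS map are assumed sample values.

```python
# Color-aware single-rate three-color policer (RFC 2697 semantics), as an
# added example of the rate-limiting behaviour described above.

GREEN, YELLOW, RED = "green", "yellow", "red"


class ColorAwareMeter:
    """Two token buckets: C (committed, cbs bytes) and E (excess, ebs bytes),
    both refilled at cir bytes/second.  In color-aware mode the color a packet
    already carries (derived from its CoS) bounds the color it may receive:
    green may stay green, yellow may at best stay yellow, red stays red."""

    def __init__(self, cir, cbs, ebs, cos_to_color):
        self.cir = float(cir)              # committed rate, bytes per second
        self.cbs = float(cbs)              # committed burst, bytes (bucket C size)
        self.ebs = float(ebs)              # excess burst, bytes (bucket E size)
        self.cos_to_color = cos_to_color   # assumed CoS (0-7) -> color map
        self.tc = self.cbs                 # bucket C starts full
        self.te = self.ebs                 # bucket E starts full
        self.last = 0.0                    # time of the last refill, seconds

    def _refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc += elapsed * self.cir
        if self.tc > self.cbs:             # C is full: the overflow spills into E
            self.te = min(self.ebs, self.te + (self.tc - self.cbs))
            self.tc = self.cbs

    def meter(self, now, length, cos):
        """Return the output color for a packet of `length` bytes with CoS `cos`."""
        self._refill(now)
        color_in = self.cos_to_color.get(cos, RED)   # unmapped CoS treated as red (assumption)
        if color_in == GREEN and self.tc >= length:
            self.tc -= length              # green traffic is served from C first
            return GREEN
        if color_in in (GREEN, YELLOW) and self.te >= length:
            self.te -= length              # yellow (or overflowing green) may only use E
            return YELLOW
        return RED                         # red in, or no budget left


def police(meter, packets):
    """packets: iterable of (time_s, length_bytes, cos).
    Returns [(color, forwarded)]; the discard action drops red packets."""
    decisions = []
    for now, length, cos in packets:
        color = meter.meter(now, length, cos)
        decisions.append((color, color != RED))
    return decisions


def run_demo():
    # Constructed map: high CoS values are green, middle yellow, low red.
    cos_map = {7: GREEN, 6: GREEN, 5: GREEN, 4: YELLOW, 3: YELLOW,
               2: RED, 1: RED, 0: RED}
    meter = ColorAwareMeter(cir=1000, cbs=1000, ebs=500, cos_to_color=cos_map)
    packets = [                            # constructed (time, bytes, CoS) samples
        (0.0, 500, 5), (0.0, 500, 3), (0.0, 500, 5), (0.0, 100, 5), (0.0, 100, 0),
        (1.0, 600, 3), (1.0, 600, 5),      # after one second only C has refilled
        (2.0, 300, 3),                     # C overflowed into E, so yellow fits again
    ]
    return police(meter, packets)


if __name__ == "__main__":
    for color, forwarded in run_demo():
        print(f"{color:6s} -> {'forward' if forwarded else 'discard'}")
```

The second burst at t=1.0 is the instructive case: the committed bucket has refilled, but the yellow packet is still red because yellow traffic can only draw on the excess bucket, which is exactly the "green first, yellow only if there is room" ordering the text describes.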
The device is capable of being an intermediate agent in a PPPoE (point-to-point protocol over Ethernet) scenario. In a PPPoE scenario, PPPoE clients initiate the connection process and need to learn the Ethernet address of the remote peer and establish a unique session ID to establish a connection.
In the discovery process the PPPoE client (host) broadcasts a request by transmitting a PPPoE Active Discovery Initiation (PADI) packet. When one or more responses are received by the host (the responses include the address of the Broadband Remote Access Server (BRAS)), the host then sends a unicast PPPoE Active Discovery Request (PADR) packet.
The device supports inserting port information into PPPoE packets that traverse a bridge interface. When the device receives a PPPoE Active Discovery Initiation (PADI) packet or a PPPoE Active Discovery Request (PADR) packet, the device can be configured to insert a customized string along with the default port/slot identification into the vendor-specific portion of the PPPoE packet. The vendor-specific tag containing the customized identification string can be used to identify a circuit and send this value to a RADIUS (Remote Authentication Dial-In User Service) server or network server. The customized string could also be used for record keeping.
The customized identification string can be 0 to 48 characters.
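To make the intermediate-agent step concrete, the following added example (written for this page; not the device's code) builds a PADI, inserts the vendor-specific tag (PPPoE tag type 0x0105) carrying a circuit identifier, and parses it back out the way a BRAS or RADIUS front end would. The page does not give the tag encoding, so the example assumes the TR-101 layout (ADSL Forum vendor ID followed by an Agent-Circuit-ID sub-tag) and an assumed "custom-string slot/port" format for the identifier; only PADI and PADR are modified, and the 48-character limit from the text is enforced.

```python
import struct

# PPPoE discovery constants (RFC 2516) and assumed TR-101 vendor-tag layout.
PPPOE_VER_TYPE = 0x11                  # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR = 0x09, 0x07, 0x19
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_VENDOR_SPECIFIC = 0x0105
ADSL_FORUM_VENDOR_ID = 0x00000DE9      # assumed: TR-101 uses the ADSL Forum enterprise number
SUBTAG_CIRCUIT_ID = 0x01               # assumed: TR-101 Agent-Circuit-ID sub-tag
MAX_CUSTOM_CHARS = 48                  # page: customized string is 0 to 48 characters


def parse_pppoe(pdu):
    """Split a PPPoE discovery PDU into (code, session_id, [(tag_type, value), ...])."""
    if len(pdu) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack_from("!BBHH", pdu, 0)
    if ver_type != PPPOE_VER_TYPE or 6 + length > len(pdu):
        raise ValueError("malformed PPPoE header")
    tags, off, end = [], 6, 6 + length
    while off + 4 <= end:
        tag_type, tag_len = struct.unpack_from("!HH", pdu, off)
        off += 4
        if off + tag_len > end:
            raise ValueError("truncated PPPoE tag")
        tags.append((tag_type, pdu[off:off + tag_len]))
        off += tag_len
        if tag_type == TAG_END_OF_LIST:
            break
    return code, session_id, tags


def build_pppoe(code, tags, session_id=0):
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload)) + payload


def circuit_id(custom, slot, port):
    """Customized string plus default slot/port identification (format assumed)."""
    if len(custom) > MAX_CUSTOM_CHARS:
        raise ValueError("customized string exceeds 48 characters")
    return f"{custom} {slot}/{port}".strip().encode("ascii")


def insert_vendor_tag(pdu, custom, slot, port):
    """Intermediate-agent step: add the vendor-specific tag to PADI/PADR only."""
    code, session_id, tags = parse_pppoe(pdu)
    if code not in (CODE_PADI, CODE_PADR):
        return pdu                         # PADO/PADS/PADT pass through untouched
    cid = circuit_id(custom, slot, port)
    value = (struct.pack("!I", ADSL_FORUM_VENDOR_ID)
             + bytes([SUBTAG_CIRCUIT_ID, len(cid)]) + cid)
    body = [tag for tag in tags if tag[0] != TAG_END_OF_LIST]
    body.append((TAG_VENDOR_SPECIFIC, value))
    if any(tag_type == TAG_END_OF_LIST for tag_type, _ in tags):
        body.append((TAG_END_OF_LIST, b""))  # keep the terminator last
    return build_pppoe(code, body, session_id)


def extract_circuit_id(pdu):
    """Return the Agent-Circuit-ID string carried in the vendor tag, or None."""
    _, _, tags = parse_pppoe(pdu)
    for tag_type, value in tags:
        if tag_type != TAG_VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != ADSL_FORUM_VENDOR_ID:
            continue
        off = 4
        while off + 2 <= len(value):
            sub, sub_len = value[off], value[off + 1]
            if sub == SUBTAG_CIRCUIT_ID:
                return value[off + 2:off + 2 + sub_len].decode("ascii")
            off += 2 + sub_len
    return None


if __name__ == "__main__":
    padi = build_pppoe(CODE_PADI, [(TAG_SERVICE_NAME, b""), (TAG_END_OF_LIST, b"")])
    tagged = insert_vendor_tag(padi, "acme-dslam1", 3, 12)   # constructed values
    print(tagged.hex(), extract_circuit_id(tagged))
```

Note that the PPPoE length field is recomputed when the tag is inserted; an agent that appends the tag without fixing the header produces a PDU that a strict parser rejects.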
The DHCP Relay rule value contains the DHCP subnet group ID. If only the DHCP Relay option is used, the option 82 information is displayed in hex format as slot, port, shelf, VLAN.
Option 82 can define textual values for two items of textual information: Circuit ID and Remote ID.
If the first value is set, it is taken as a literal text string to be used as the suboption 1 field in the DHCP packet. If it is not set, a text string identifying the box and interface which received the packet is used. If the second value is set, it is taken as a literal text string to be used as the suboption 2 field in the DHCP packet. If it is not set, no suboption 2 is provided.
Use of this feature will usually require a distinct rule group for each interface, since the Circuit ID and Remote ID values associated with suboptions 1 and 2 are distinct for each interface.
When acting as a DHCP relay agent, the device includes option 82 to identify the requesting client to the DHCP server. There are two sub-options for DHCP option 82 insert — Circuit ID and Remote ID. Both of these fields are text fields, though they were designed to carry specific information. It is up to your implementation plans to define how to use the option 82 inserts.
Circuit ID is meant to provide information about the circuit which the request came in on. It is normally the port and interface information.
RFC 3046 describes possible uses of the Circuit ID field:
Router interface number
Remote Access Server port number
Frame Relay DLCI
ATM virtual circuit number
Cable Data virtual circuit number
Remote ID is meant to provide information about the remote host end of the circuit; however, in practice the sub-option usually contains information about the relay agent.
RFC 3046 describes possible uses of the Remote ID field:
a "caller ID" telephone number for dial-up connection
a "user name" prompted for by a Remote Access Server
a remote caller ATM address
a "modem ID" of a cable data modem
the remote IP address of a point-to-point link
a remote X.25 address for X.25 connections
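The rules above for the two sub-options (a literal Circuit ID if set, otherwise a box/interface identifier; a Remote ID only when one is set) are shown in the following added example, which is written for this page and is not the device's implementation. It encodes and decodes the RFC 3046 Relay Agent Information option (option 82, sub-options 1 and 2) inside a DHCP options field. The binary layout used for the default identifier (slot, port, shelf, VLAN) is an assumption, as are the sample strings; the check that rejects a client packet already carrying option 82 follows the RFC 3046 rule for untrusted circuits and is added here as a defender's safeguard.

```python
import struct

OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT_INFO = 82              # RFC 3046 Relay Agent Information option
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_options(data):
    """Parse a DHCP options field into [(code, value)], stopping at END."""
    out, off = [], 0
    while off < len(data):
        code = data[off]
        if code == OPT_PAD:
            off += 1
            continue
        if code == OPT_END:
            break
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        out.append((code, value))
        off += 2 + length
    return out


def build_options(options):
    """Serialise [(code, value)] and terminate with END (lengths must fit a byte)."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return body + bytes([OPT_END])


def default_circuit_id(slot, port, shelf, vlan):
    """Assumed binary layout of the device's default box/interface identifier."""
    return struct.pack("!BBBH", slot, port, shelf, vlan)


def build_option82(circuit_id, remote_id, default_circuit):
    """Page rules: literal Circuit ID if set, else the default identifier;
    Remote ID sub-option only when a value is set."""
    cid = circuit_id.encode("ascii") if circuit_id else default_circuit
    value = bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
    if remote_id:
        rid = remote_id.encode("ascii")
        value += bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid
    return value


def relay_insert(options_bytes, circuit_id, remote_id, default_circuit):
    """Relay-agent step: append option 82 to a client's options field."""
    opts = parse_options(options_bytes)
    if any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        # RFC 3046: a client-side packet that already carries option 82 is discarded
        raise ValueError("client packet already carries option 82")
    opts.append((OPT_RELAY_AGENT_INFO, build_option82(circuit_id, remote_id, default_circuit)))
    return build_options(opts)


def parse_option82(value):
    """Decode the option 82 value into {sub-option code: bytes}."""
    subs, off = {}, 0
    while off + 2 <= len(value):
        code, length = value[off], value[off + 1]
        subs[code] = value[off + 2:off + 2 + length]
        off += 2 + length
    return subs


if __name__ == "__main__":
    client = build_options([(53, b"\x01")])            # constructed DHCPDISCOVER options
    relayed = relay_insert(client, "acme-dslam1:3/12", "cust-4711",
                           default_circuit_id(3, 12, 1, 100))
    print(parse_option82(dict(parse_options(relayed))[OPT_RELAY_AGENT_INFO]))
```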
When using the Forbid OUI option for a packet rule, you provide the first three bytes of the MAC address, which are used to identify vendors. These three bytes are known as the Organizationally Unique Identifier (OUI).
For example, if the rule value is the hexadecimal vendor code "AA:BB:CC", packets from any device with a MAC address that begins with AA:BB:CC will be blocked.
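The ACL Allow / ACL Deny rules described earlier and the Forbid OUI rule above are both decisions made on the Ethernet header, so one added example covers both. It is written for this page and is not the device's filtering code: it parses the destination MAC, source MAC and Ethernet type (looking through 802.1Q tags to the real Ethernet type), evaluates an ordered rule list, and models the page's caveat that filtering acts on ingress only. First-match-wins ordering, the default-deny action and the sample addresses are assumptions.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
ALLOW, DENY = "allow", "deny"


def mac(text):
    """'aa:bb:cc:dd:ee:ff' (or a 3-byte OUI such as 'aa:bb:cc') -> bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_ethernet(frame):
    """Return (dst, src, ethertype), skipping any 802.1Q tags in front of the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off = frame[:6], frame[6:12], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype == ETHERTYPE_VLAN:
        off += 4                                   # TPID + TCI
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, ethertype


class Rule:
    """ACL Allow / ACL Deny match on src MAC, dst MAC and Ethernet type;
    Bridge Forbid OUI is a deny keyed on the first three bytes of the source MAC."""

    def __init__(self, action, src=None, dst=None, ethertype=None, oui=None):
        self.action, self.src, self.dst = action, src, dst
        self.ethertype, self.oui = ethertype, oui

    def matches(self, dst, src, ethertype):
        return ((self.src is None or src == self.src)
                and (self.dst is None or dst == self.dst)
                and (self.ethertype is None or ethertype == self.ethertype)
                and (self.oui is None or src[:3] == self.oui))


def forbid_oui(oui_text):
    return Rule(DENY, oui=mac(oui_text))


def evaluate(rules, frame, direction="ingress", default=DENY):
    """First matching rule wins (ordering and default are assumptions).
    Page caveat: ACL filtering acts on the ingress port only; egress is never blocked."""
    if direction == "egress":
        return ALLOW
    dst, src, ethertype = parse_ethernet(frame)
    for rule in rules:
        if rule.matches(dst, src, ethertype):
            return rule.action
    return default


def build_frame(dst, src, ethertype, payload=b"", vlan=None):
    """Constructed test frame; `vlan` adds one 802.1Q tag with that VID."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


# Constructed rule set: block the page's example OUI, permit IPv4 and ARP, deny the rest.
RULES = [
    forbid_oui("aa:bb:cc"),
    Rule(ALLOW, ethertype=ETHERTYPE_IPV4),
    Rule(ALLOW, ethertype=ETHERTYPE_ARP),
]


if __name__ == "__main__":
    router = mac("00:00:5e:00:01:01")
    for name, frame in [
        ("ipv4 from good host", build_frame(router, mac("00:11:22:33:44:55"), ETHERTYPE_IPV4)),
        ("ipv4 from forbidden OUI", build_frame(router, mac("aa:bb:cc:00:00:01"), ETHERTYPE_IPV4)),
        ("ipv6 (no allow rule)", build_frame(router, mac("00:11:22:33:44:55"), ETHERTYPE_IPV6)),
    ]:
        print(f"{name}: {evaluate(RULES, frame)}")
```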
The destination MAC swapping feature provides a security enhancement which prevents port-to-port communications between users sharing a VLAN for Internet access when the user-to-user traffic spans multiple chassis shelves.
When enabled, this feature modifies the destination MAC address portion of unicast frames (Ethernet frames not using a multicast or broadcast destination MAC) that traverse the system so that the destination MAC is changed to the MAC address of the next-hop router in the access network. This address modification ensures that all frames in the access network are forwarded to the access router regardless of how the frame originated. Broadcast, multicast, and Ethernet frames with a destination MAC address of the next hop router are forwarded without MAC swapping.
The device snoops DHCP ACK messages received on the bridge interface that is configured as the default (VLAN or default bridge). The source MAC address of that frame is the address swapped in as the destination MAC for frames received on interfaces configured for destination MAC swapping. This address is stored in the database and persists across reboots. When a new DHCP ACK message is received in the same VLAN, its source is checked, and if it is different, the newer MAC address is used.
This option requires that DHCP server services are used in the network and that the next hop router is the default router between the device and the DHCP server.
In static mode, the device inserts the user-specified valid 6-byte hexadecimal MAC address into unicast frames whose destination does not already match the static entry.
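The two swap modes and the exceptions listed above (broadcast, multicast, and frames already addressed to the next hop) are shown in the following added example, written for this page rather than taken from the device. Dynamic mode learns the next-hop MAC from the source address of a snooped DHCP ACK (identified by walking Ethernet, IPv4, UDP port 67 and the BOOTP option 53 message type); static mode uses the operator-supplied MAC and never learns. The sample addresses and the minimal DHCP ACK frame are constructed; the behaviour before any ACK has been seen (forward unchanged) is an assumption, and the database persistence across reboots is not modelled.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
BOOTREPLY, DHCP_ACK = 2, 5
OPT_MESSAGE_TYPE, OPT_PAD, OPT_END = 53, 0, 255
DHCP_MAGIC = b"\x63\x82\x53\x63"
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def is_multicast(addr):
    return bool(addr[0] & 0x01)            # I/G bit; broadcast also has it set


def dhcp_message_type(frame):
    """Return the DHCP message type of an Ethernet/IPv4/UDP frame sent by a DHCP
    server, or None if the frame is not a server-originated DHCP message."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != struct.pack("!H", ETHERTYPE_IPV4):
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    udp = ip[ihl:]
    if struct.unpack_from("!H", udp, 0)[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != BOOTREPLY or bootp[236:240] != DHCP_MAGIC:
        return None
    opts, off = bootp[240:], 0
    while off < len(opts) and opts[off] != OPT_END:
        if opts[off] == OPT_PAD:
            off += 1
            continue
        if off + 2 > len(opts):
            return None
        code, length = opts[off], opts[off + 1]
        if code == OPT_MESSAGE_TYPE and length == 1 and off + 2 < len(opts):
            return opts[off + 2]
        off += 2 + length
    return None


class DstMacSwapper:
    """Dynamic mode (no argument) learns the next hop from DHCP ACKs;
    static mode uses the given MAC and ignores snooped traffic."""

    def __init__(self, static_next_hop=None):
        self.static = static_next_hop is not None
        self.next_hop = static_next_hop

    def observe(self, frame):
        """Snoop: the source MAC of a DHCP ACK becomes (or replaces) the next hop."""
        if self.static or dhcp_message_type(frame) != DHCP_ACK:
            return
        src = frame[6:12]
        if src != self.next_hop:             # page: a different newer source wins
            self.next_hop = src

    def process(self, frame):
        """Rewrite the destination MAC of unicast frames to the next-hop router."""
        dst = frame[:6]
        if self.next_hop is None or dst == BROADCAST or is_multicast(dst) or dst == self.next_hop:
            return frame                     # page: these are forwarded without swapping
        return self.next_hop + frame[6:]


def build_dhcp_ack(client_mac, router_mac):
    """Constructed minimal DHCP ACK: Ethernet / IPv4 / UDP 67->68 / BOOTP reply."""
    bootp = (bytes([BOOTREPLY, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC
             + bytes([OPT_MESSAGE_TYPE, 1, DHCP_ACK, OPT_END]))
    udp = struct.pack("!HHHH", DHCP_SERVER_PORT, 68, 8 + len(bootp), 0) + bootp
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20 + len(udp)) + b"\x00" * 4
          + bytes([64, IPPROTO_UDP]) + b"\x00\x00"
          + bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 50]) + udp)
    return client_mac + router_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    router, user_a, user_b = mac("00:00:5e:00:01:01"), mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
    swapper = DstMacSwapper()
    swapper.observe(build_dhcp_ack(user_a, router))
    peer_frame = user_b + user_a + b"\x08\x00" + b"payload"   # user A -> user B directly
    print(swapper.process(peer_frame)[:6].hex())               # now addressed to the router
```

The peer-to-peer frame is the security-relevant case: after the swap it can only reach the other subscriber by going through the access router, where Layer 3 policy applies.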
Although rich Quality of Service (QoS) mechanisms exist in Layer 2 transport technologies, true end-to-end QoS is not achievable unless a Layer 3 solution is overlaid. In order to maintain QoS between Layer 2 Ethernet and Layer 3 IP protocols, the device now supports mapping Differentiated Services Code Points (DSCP) to Classes of Service (CoS) as defined by IEEE 802.1p. CoS is a Layer 2 QoS marking mechanism and involves manipulating the Ethernet 802.1p tag. CoS uses 3 bits, so its values range from 0 to 7. DSCP involves manipulating the IP header (specifically the ToS field). DSCP uses 6 bits, so its values range from 0 to 63. Therefore, the following standard mapping table can be used as a reference when provisioning DSCP to CoS (802.1p).
VLAN encapsulation allows the device to add VLAN tags beyond double tagging on TLS bridge interfaces. Without VLAN encapsulation the device can configure two tags per Ethernet frame. VLAN encapsulation provides the mechanism to add third and fourth tags to Ethernet frames.
VLAN encapsulation allows service providers to work with client networks which already have two tags and to promote their own tags on top of them for these customer networks.
Unlike the single tag (the first tag, 1Q) and the slan (the second tag, 2Q), which are defined directly when you add a bridge, VLAN encapsulation uses packet rules to define the first encapsulation (the third tag, 3Q) and the second encapsulation (the fourth tag, 4Q). The third and fourth tags can not only be promoted but also filtered, so that only frames carrying the specific third tag or fourth tag are accepted on that interface.
Triple tags are implemented via the packet rule records Promote First Encapsulation VLAN and Filter First Encapsulation VLAN. Fourth tags are implemented by Promote Second Encapsulation VLAN and Filter Second Encapsulation VLAN.
To add third and fourth tags, the first and second tags must already exist.
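Both the DSCP-to-CoS mapping and the VLAN encapsulation rules above operate on the 802.1Q tag stack, so one added example serves both passages. It is written for this page and is not the device's code: it parses a multi-tagged frame, promotes a third or fourth tag only when the first and second already exist (the page's precondition), filters on the VID of a given tag position, and rewrites the PCP field of every tag from the IPv4 DSCP. The mapping used is the standard precedence mapping (CoS = the three high-order DSCP bits), assumed here to be the table the page refers to; the VIDs and the IPv4 header in the demo are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload); tags are (pcp, vid) tuples
    listed outermost first, as they appear on the wire."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tci >> 13, tci & 0x0FFF))      # PCP is the top 3 bits, VID the low 12
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, tags, ethertype, frame[off + 2:]


def build_frame(dst, src, tags, ethertype, payload):
    out = dst + src
    for pcp, vid in tags:
        out += struct.pack("!HH", ETHERTYPE_8021Q, ((pcp & 7) << 13) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


def tag_at(tags, number):
    """Tag `number` counted from the inside: 1 = first tag (1Q), 2 = second (2Q),
    3 = first encapsulation (3Q), 4 = second encapsulation (4Q)."""
    if not 1 <= number <= len(tags):
        return None
    return tags[len(tags) - number]


def promote(frame, number, vid, pcp=0):
    """Push tag `number` as the new outermost tag.  Page: the third and fourth
    tags require the first and second to exist already."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if len(tags) != number - 1:
        raise ValueError(f"cannot promote tag {number}: frame carries {len(tags)} tag(s)")
    return build_frame(dst, src, [(pcp, vid)] + tags, ethertype, payload)


def filter_tag(frame, number, vid):
    """Accept the frame only when tag `number` carries exactly `vid`."""
    tag = tag_at(parse_frame(frame)[2], number)
    return tag is not None and tag[1] == vid


def dscp_to_cos(dscp):
    """Standard precedence mapping: the three high-order DSCP bits become the CoS."""
    return (dscp & 0x3F) >> 3


def mark_cos_from_dscp(frame):
    """Copy the IPv4 DSCP into the PCP field of every tag on the frame."""
    dst, src, tags, ethertype, payload = parse_frame(frame)
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 2 or not tags:
        return frame
    cos = dscp_to_cos(payload[1] >> 2)            # ToS byte: DSCP is the top six bits
    return build_frame(dst, src, [(cos, vid) for _, vid in tags], ethertype, payload)


if __name__ == "__main__":
    dst, src = bytes(6), b"\x02\x00\x00\x00\x00\x01"
    ipv4 = bytes([0x45, 0xB8]) + b"\x00" * 18          # constructed header, ToS 0xB8 (DSCP 46)
    double = build_frame(dst, src, [(0, 200), (0, 100)], ETHERTYPE_IPV4, ipv4)   # 2Q=200, 1Q=100
    triple = promote(double, 3, 3000)                 # Promote First Encapsulation VLAN
    print(parse_frame(mark_cos_from_dscp(triple))[2]) # every tag now carries CoS 5
    print(filter_tag(triple, 3, 3000), filter_tag(triple, 3, 3001))
```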
| Field | Description |
| --- | --- |
| Config Group Index | Index used to group packet-rule-records. |
| Group Member Index | Member index adds a packet-rule-record type to the group index. |
| Rule Type | Select the rule you wish to apply to the bridge from the drop-down list. The variable-length fields whose meaning depends on the packet rule type appear in the rows below. Packet rules: ACL Allow, ACL Deny, Bridge Forbid OUI, Bridge Insert Option82, Bridge Insert PPPoE Vendor Tag, Color Aware Rate Limit Discard, Destination MAC Swap Dynamic, Destination MAC Swap Static, DHCP Relay, DSCP To COS, Filter First Encapsulation VLAN, Filter Second Encapsulation VLAN, Promote First Encapsulation VLAN, Promote Second Encapsulation VLAN, Rate Limit Discard. |
| Rule Value | A variable-length field whose meaning depends on the packet rule type. For Destination MAC Swap Static this is the static user-specified entry: the device inserts the user-specified valid 6-byte hexadecimal MAC address into unicast frames not matching the static entry. |
| Rule Value 2 | A variable-length field whose meaning depends on the packet rule type. |
| Rule Value 3 | A variable-length field whose meaning depends on the packet rule type. |
| Rule Value 4 | A variable-length field whose meaning depends on the packet rule type. |
| Rule Value 5 | A variable-length field whose meaning depends on the packet rule type. |
April 7, 2012