Configuration/Bridge Packet Rule

To create or delete bridge packet rules:

To refresh the data displayed in the Packet Rule table, click the Refresh button.

To add a new packet rule, click the Create button.

To change a bridge packet rule value, click the Modify button.

To remove a packet rule, click the Delete button.

Each bridge configuration record contains settings for type and value.

Type specifies the variety of filter to be applied to the interface. Type options are

ACL (Access Control List)

The ACL filters allow you to block packets or allow packets based on the source MAC address, Destination MAC address or Ethernet type. The ACL filters are configured with a packet rule record.

The ACL filtering options include: allow/deny based on Ethernet type, allow/deny based on destination MAC address, and allow/deny based on source MAC address.

ACL filtering is supported only on systems with FE/GE or GE uplink/controller cards, only on the ingress port of line cards (it does not block any traffic on the egress port, toward the subscriber), and only on downlink and TLS bridge types.

Color Aware Rate Limit Discard and Rate Limit Discard

Rate limiting is typically used when a service provider needs to provide customer services with limited bandwidth and needs to decide which type of packets (data, voice, or video) has priority when there is bandwidth contention. In other words, a service provider may need to ensure that video traffic gets to the user at the expense of data or voice traffic.

Rate limiting controls the rate of traffic sent or received on the ingress or the egress of either a logical port or a physical port on the device. Traffic at or below the specified rate is sent; traffic that exceeds the rate is dropped or delayed.

Rate limiting is not supported on the ingress of the GPON line card, that is, in the direction from the subscriber to the device. You can apply the filter, but it will have no effect there.

After configuring an interface with rate limiting, the traffic rate is monitored and metered to verify conformity with an established contract. Non-conforming traffic is discarded, while conforming traffic passes through the interface without any changes. The two modes of rate limiting are:

Color blind

Rate limiting is performed on the interface without using the frame's Class of Service (CoS): all packets of a flow are assumed to be “uncolored” and are treated equally.

Color blind mode is most commonly used for a single service per VLAN.

Color aware

Rate limiting treats the incoming packet flow as colored: each packet is marked green, yellow, or red to signify high, medium, or low priority. The color is derived from the priority CoS value in tagged packets and from the IP precedence (ToS) value in untagged packets.

Color aware bandwidth limiting is usually used when multiple services with different priorities are offered on a single VLAN. The colors green, yellow, and red are used for metering traffic, and each color corresponds to CoS values in the range 0 to 7. You can set which colors correspond to which CoS values.

Color Aware Policing is based on the idea that upstream devices are policing and marking frames based on a set of rules. A green packet is well behaved. A yellow packet has misbehaved at some point, so if there is bandwidth congestion it should be dropped before a green frame. A red packet has violated a rule and should be dropped. This means that green packets are serviced first; then, if there is enough room, the yellow packets are serviced. Red packets are always dropped.

Note: Color values are not supported on egress ports.
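The metering behaviour described above for both the color blind (Rate Limit Discard) and color aware (Color Aware Rate Limit Discard) rules, as an added example that is not the device's implementation: a single-rate three-color meter in the style of RFC 2697 driven by the page's Rate (KB/s), Committed Burst Size and Extended Burst Size fields and its default CoS split (green CoS 4-7, yellow CoS 0-3). It assumes 1 KB = 1000 bytes and that packet timestamps are in seconds; the sample packets are constructed.

```python
from typing import Iterable, List, Tuple

class ColorAwareMeter:
    """Single-rate three-color meter (RFC 2697 style) with the page's parameters."""

    def __init__(self, rate_kbps: int, cbs: int, ebs: int, color_aware: bool = True,
                 green_cos: Iterable[int] = range(4, 8),
                 yellow_cos: Iterable[int] = range(0, 4)) -> None:
        self.cir = rate_kbps * 1000           # assumption: 1 KB = 1000 bytes
        self.cbs, self.ebs = cbs, ebs
        self.tc, self.te = cbs, ebs           # both token buckets start full
        self.last = 0.0                       # time of the previous packet (s)
        self.color_aware = color_aware
        self.green_cos, self.yellow_cos = set(green_cos), set(yellow_cos)

    def _refill(self, now: float) -> None:
        # Tokens earned since the last packet fill bucket C first; overflow goes to E.
        self.tc += max(0.0, now - self.last) * self.cir
        self.last = now
        if self.tc > self.cbs:
            self.te = min(self.ebs, self.te + self.tc - self.cbs)
            self.tc = self.cbs

    def input_color(self, cos: int) -> str:
        """Pre-color from the CoS value; in color blind mode every packet is green."""
        if not self.color_aware or cos in self.green_cos:
            return "green"
        return "yellow" if cos in self.yellow_cos else "red"

    def meter(self, now: float, size: int, cos: int) -> str:
        """Return the packet's output color; red means the packet is discarded."""
        self._refill(now)
        color = self.input_color(cos)
        if color == "green" and self.tc >= size:
            self.tc -= size                   # conforms to CIR/CBS
            return "green"
        if color != "red" and self.te >= size:
            self.te -= size                   # uses the excess burst (EBS)
            return "yellow"
        return "red"                          # exceeds EBS, or was red already

def simulate(packets: Iterable[Tuple[float, int, int]], **params) -> List[str]:
    """packets are (time_s, size_bytes, cos) tuples; returns one verdict per packet."""
    meter = ColorAwareMeter(**params)
    return [meter.meter(t, size, cos) for t, size, cos in packets]

if __name__ == "__main__":
    # Constructed sample: 1 KB/s CIR, 1500-byte CBS and EBS, four 1000-byte packets
    SAMPLE = [(0.0, 1000, 7), (0.0, 1000, 5), (0.0, 1000, 1), (2.0, 1000, 0)]
    print(simulate(SAMPLE, rate_kbps=1, cbs=1500, ebs=1500))
```

With the sample above the first green packet conforms, the second green packet is demoted to yellow out of the excess bucket, the yellow packet is discarded as red, and after two seconds of refill the last yellow packet passes again.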

Insert PPPoE Vendor Tag

The device is capable of acting as an intermediate agent in a PPPoE (point-to-point protocol over Ethernet) scenario. In a PPPoE scenario, PPPoE clients initiate the connection process and need to learn the Ethernet address of the remote peer and establish a unique session ID before a connection can be established.

In the discovery process the PPPoE client (host) broadcasts a request by transmitting a PPPoE Active Discovery Initiation (PADI) packet. When one or more responses are received by the host (the responses include the address of the Broadband Remote Access Server (BRAS)), the host then sends a unicast PPPoE Active Discovery Request (PADR) packet.

The device supports inserting port information into PPPoE packets that transit a bridge interface. When the device receives a PPPoE Active Discovery Initiation (PADI) packet or a PPPoE Active Discovery Request (PADR) packet, the device can be configured to insert a customized string along with default port/slot identification into the vendor-specific portion of the PPPoE packet. The vendor-specific tag containing the customized identification string can be used to identify a circuit and send this value to a RADIUS (Remote Authentication Dial-In User Service) server or network server. The customized string could also be used for record keeping.

The customized identification string can be 0 to 48 characters.

DHCP on bridge packet rules (DHCP relay, Option 82, and Forbid OUI)

DHCP relay

DHCP relay contains the DHCP subnet group ID. If only the DHCP relay option is used, option 82 information is displayed in hex format as slot, port, shelf, VLAN.

Option 82

Option 82 can carry two items of textual information: circuit ID and remote ID.

If the first value is set, it is taken as a literal text string to be used as the suboption 1 field in the DHCP packet. If it is not set, a text string identifying the box and interface which received the packet is used. If the second value is set, it is taken as a literal text string to be used as the suboption 2 field in the DHCP packet. If it is not set, no suboption 2 is provided.

Use of this feature will usually require a distinct rule group for each interface, since the circuit ID and remote ID values associated with suboptions 1 and 2 are distinct for each interface.

When acting as a DHCP relay agent, the device includes option 82 to identify the requesting client to the DHCP server. There are two sub-options for DHCP option 82 insertion: Circuit ID and Remote ID. Both of these fields are text fields, though they were designed to carry specific information. It is up to your implementation plans to define how to use the option 82 inserts.

Circuit ID is meant to provide information about the circuit which the request came in on. It is normally the port and interface information.

RFC 3046 describes possible uses of the Circuit ID field:

Router interface number

Remote Access Server port number

Frame Relay DLCI

ATM virtual circuit number

Cable Data virtual circuit number

Remote ID is meant to provide information about the remote host end of the circuit; in practice, however, the sub-option usually contains information about the relay agent.

RFC 3046 describes possible uses of the Remote ID field:

a "caller ID" telephone number for dial-up connection

a "user name" prompted for by a Remote Access Server

a remote caller ATM address

a "modem ID" of a cable data modem

the remote IP address of a point-to-point link

a remote X.25 address for X.25 connections
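The encoding the Bridge Insert Option82 rule produces, as an added example that is not the device's code: it builds the DHCP Relay Agent Information option (option 82, RFC 3046) with the fallback rules described above (an unset Circuit ID becomes a box/interface identifier, an unset Remote ID omits suboption 2) and parses it back, rejecting truncated encodings. The fallback identifier format and the hostname/shelf/slot/port values are assumptions.

```python
from typing import Dict, Optional

OPT_RELAY_AGENT = 82      # DHCP option code (RFC 3046)
SUB_CIRCUIT_ID = 1        # Agent Circuit ID suboption
SUB_REMOTE_ID = 2         # Agent Remote ID suboption

def default_circuit_id(box: str, shelf: int, slot: int, port: int) -> str:
    """Fallback identifier for the receiving interface (format assumed, not the device's)."""
    return "%s/%d/%d/%d" % (box, shelf, slot, port)

def build_option82(circuit_id: Optional[str], remote_id: Optional[str],
                   box: str, shelf: int, slot: int, port: int) -> bytes:
    """Encode option 82 as [82][len][1][len][circuit id]([2][len][remote id])."""
    cid = circuit_id if circuit_id else default_circuit_id(box, shelf, slot, port)
    if len(cid) > 255 or (remote_id and len(remote_id) > 255):
        raise ValueError("suboption value exceeds one-byte length field")
    subs = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid.encode("ascii")
    if remote_id:                                   # suboption 2 only when set
        subs += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id.encode("ascii")
    if len(subs) > 255:
        raise ValueError("option 82 contents exceed one-byte length field")
    return bytes([OPT_RELAY_AGENT, len(subs)]) + subs

def parse_option82(option: bytes) -> Dict[int, bytes]:
    """Walk the suboption TLVs; every length is checked against the bytes present."""
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT:
        raise ValueError("not a relay agent information option")
    body = option[2:2 + option[1]]
    if len(body) != option[1]:
        raise ValueError("option truncated")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("suboption header truncated")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("suboption value truncated")
        subs[code] = value
        i += 2 + length
    return subs

if __name__ == "__main__":
    # Constructed values: box "olt1", shelf 1, slot 3, port 7
    opt = build_option82(None, None, "olt1", 1, 3, 7)
    print(opt.hex(), parse_option82(opt))
```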

Forbid OUI

When using the Forbid OUI option for a packet rule, you provide the first three bytes of the MAC address which are used to identify vendors. These three bytes are known as the Organizational Unique Identifier (OUI).

Packets from a device whose MAC address begins with the hexadecimal vendor code (OUI, Organizational Unique Identifier), for example “AA:BB:CC”, will be blocked.

Destination MAC Swapping

The destination MAC swapping feature provides a security enhancement which prevents port-to-port communications between users sharing a VLAN for Internet access when the user-to-user traffic spans multiple chassis shelves.

When enabled, this feature modifies the destination MAC address portion of unicast frames (Ethernet frames not using a multicast or broadcast destination MAC) that traverse the system so that the destination MAC is changed to the MAC address of the next-hop router in the access network. This address modification ensures that all frames in the access network are forwarded to the access router regardless of how the frame originated. Broadcast, multicast, and Ethernet frames with a destination MAC address of the next hop router are forwarded without MAC swapping.

Dynamic

The device snoops DHCP ACK messages received on the bridge interface that is configured as the default (VLAN or default bridge). The source MAC address of that frame is written as the destination MAC address of unicast frames received on interfaces configured for destination MAC swapping. This address is stored in the database and persists across reboots. When a new DHCP ACK message is received in the same VLAN, its source address is checked and, if different, the newer MAC address is used.

This option requires that DHCP server services are used in the network and that the next hop router is the default router between the device and the DHCP server.

Static

The device inserts the user-specified valid 6-byte hexadecimal MAC address into unicast frames not matching the static entry.
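The frame handling described for the Bridge Forbid OUI rule and for Destination MAC Swapping, as an added example that is not the device's firmware: it parses the page's 'nn:nn:nn' prefix pattern, drops frames whose source MAC starts with a forbidden OUI, and rewrites the destination MAC of unicast frames to the next-hop router while leaving broadcast, multicast and router-addressed frames untouched. The router and subscriber MAC addresses and the frames are constructed sample data.

```python
from typing import Iterable, Optional, Tuple

BROADCAST = b"\xff" * 6

def parse_mac_pattern(pattern: str) -> bytes:
    """Parse the 'nn:nn:nn...' form from the page, e.g. the OUI prefix '00:02:02'."""
    parts = pattern.split(":")
    if not 1 <= len(parts) <= 6 or any(len(p) != 2 for p in parts):
        raise ValueError("bad MAC pattern: %r" % pattern)
    return bytes(int(p, 16) for p in parts)

def is_unicast(mac: bytes) -> bool:
    # The I/G bit (low bit of the first octet) marks multicast and broadcast.
    return (mac[0] & 0x01) == 0

def apply_rules(frame: bytes, forbid_ouis: Iterable[str],
                router_mac: Optional[bytes]) -> Tuple[str, bytes]:
    """Return ('drop' or 'forward', frame as it would leave the bridge)."""
    if len(frame) < 14:
        return "drop", frame                  # no complete Ethernet header
    dst, src = frame[0:6], frame[6:12]
    # Bridge Forbid OUI: drop when the source MAC starts with a listed prefix
    for oui in forbid_ouis:
        prefix = parse_mac_pattern(oui)
        if src[:len(prefix)] == prefix:
            return "drop", frame
    # Destination MAC swap: rewrite unicast frames not already addressed to
    # the next-hop router; broadcast and multicast frames pass unchanged.
    if router_mac is not None and is_unicast(dst) and dst != router_mac:
        frame = router_mac + frame[6:]
    return "forward", frame

if __name__ == "__main__":
    ROUTER = bytes.fromhex("001122334455")       # constructed next-hop router MAC
    peer = bytes.fromhex("00aabbccdd01")         # another subscriber on the VLAN
    subscriber = bytes.fromhex("00aabbccdd02")
    blocked = bytes.fromhex("000202112233")      # starts with OUI 00:02:02
    body = b"\x08\x00" + b"\x00" * 46            # IPv4 EtherType + padding
    for f in (peer + subscriber + body, peer + blocked + body,
              BROADCAST + subscriber + body):
        action, out = apply_rules(f, ["00:02:02"], ROUTER)
        print(action, out[:6].hex())
```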

DSCP to COS

Although rich Quality of Service (QoS) mechanisms exist in Layer 2 transport technologies, true end-to-end QoS is not achievable unless a Layer 3 solution is overlaid. To maintain QoS between Layer 2 Ethernet and Layer 3 IP, the device now supports mapping Differentiated Services Code Points (DSCP) to Classes of Service (CoS) as defined by IEEE 802.1p. CoS is a Layer 2 QoS marking mechanism that manipulates the Ethernet 802.1p tag; it uses 3 bits, so values range from 0 to 7. DSCP manipulates the IP header (specifically the ToS field); it uses 6 bits, so values range from 0 to 63. The following standard mapping table can be used as a reference when provisioning DSCP to CoS (802.1p).

Promote and Filter VLANs

VLAN encapsulation allows the device to add additional VLANs beyond double tagging on TLS bridge interfaces. Without VLAN encapsulation the device can configure two tags per Ethernet frame. VLAN encapsulation provides the mechanism to add third and fourth tags to Ethernet frames.

VLAN encapsulation allows service providers to work with client networks which have two tags and promote their own tags for these customer networks.

Unlike the single tag (the first tag, 1Q) and slan (the second tag, 2Q), which are defined directly when you add a bridge, VLAN encapsulation uses packet rules to define the first encapsulation (the third tag, 3Q) and the second encapsulation (the fourth tag, 4Q). Not only can the third and fourth tags be promoted, they can also be filtered, so that only frames carrying the specific third tag or fourth tag are accepted on that interface.

Triple tags are implemented via the packet rule records, Promote First Encapsulation VLAN and Filter First Encapsulation VLAN. Fourth tags are implemented by Promote Second Encapsulation VLAN and Filter Second Encapsulation VLAN.

To add third and fourth tags the first and second tags must already exist.

Packet Rule

Config Group Index

Index used to group packet rule records.

Group Member Index

Member index adds a packet rule record type to the group index.

Rule Type

Select the rule you wish to apply to the bridge from the drop-down list. The variable-length value fields appropriate to the selected packet rule type appear in the next table.

Packet Rules:

ACL Allow

ACL Deny

Bridge Forbid OUI

Bridge Insert Option82

Bridge Insert PPPoE Vendor Tag

Color Aware Rate Limit Discard

Destination MAC Swap Dynamic

Destination MAC Swap Static

DHCP Relay

DSCP To COS

Filter First Encapsulation VLAN

Filter Second Encapsulation VLAN

Promote First Encapsulation VLAN

Promote Second Encapsulation VLAN

Rate Limit Discard

Rule Value

A variable-length field whose meaning depends on the packet rule type.

ACL Allow

  • Rule Value: Rule to allow packets based on source MAC address, destination MAC address, or Ethernet type.

ACL Deny

  • Rule Value: Rule to deny packets based on source MAC address, destination MAC address, or Ethernet type.

Bridge Forbid OUI

  • MAC Address Prefix: specify a bit pattern to be matched in a packet, stored as a string but specified in the pattern 'nn:nn:nn...nn:nn', where 'nn' is a hex number specifying one byte of the pattern. For example, a bridgeConfigValue of '00:02:02' specifies the OUI to be dropped.

Bridge Insert Option82

  • Local ID

  • Remote ID

Bridge Insert PPPoE Vendor Tag

  • Optional Tag: Specifies an ASCII string of up to 48 bytes to be inserted into PPPoE discovery packets (PADI/PADR) which transit this node. String will be inserted as a Vendor-Specific tag.

Color Aware Rate Limit Discard

  • Rate (KB/s): The rate limit, CIR, is set in kilobytes per second. For any rate above the set CIR, packets are dropped.

  • Committed Burst Size (byte): The maximum burst that can be carried under normal conditions. This value is greater than the Rate, but less than the EBS.

  • Extended Burst Size (byte): The maximum data rate that the circuit will attempt to carry.

  • COS Green (1-7): CoS values 7-4 are green.

  • COS Yellow (1-7): CoS values 3-0 are yellow.

Destination MAC Swap Dynamic

  • Rule Value: MAC address

Destination MAC Swap Static

  • Rule Value: MAC address

Static user-specified entry. The device inserts the user-specified valid 6-byte hexadecimal MAC address into unicast frames not matching the static entry.

DHCP Relay

  • DHCP subnet: An ASCII integer specifying the DHCP subnet group.

Filter First Encapsulation VLAN

  • VLAN: VLAN ID (1 to 4094)

  • TPID: Identifies the type of VLAN used. Typically set to 8100.

Filter Second Encapsulation VLAN

  • VLAN: VLAN ID (1 to 4094)

  • TPID: Identifies the type of VLAN used. Typically set to 8100.

  • CoS Value

Promote First Encapsulation VLAN

  • VLAN: VLAN ID (1 to 4094)

  • TPID: Identifies the type of VLAN used. Typically set to 8100.

  • CoS Value

Promote Second Encapsulation VLAN

  • VLAN: VLAN ID (1 to 4094)

  • TPID: Identifies the type of VLAN used. Typically set to 8100.

Rate Limit Discard

  • Rate (KB/s): Color blind rate limiting is usually set when one service is supplied per VLAN. The rate limit, CIR, is set in kilobytes per second. For any rate above the set CIR, packets are dropped.

  • Committed Burst Size (byte): The maximum burst that can be carried under normal conditions. This value is greater than the Rate, but less than the EBS.

  • Extended Burst Size (byte): The maximum data rate that the circuit will attempt to carry.

Rule Value 2

A variable-length field whose meaning depends on the packet rule type.

Rule Value 3

A variable-length field whose meaning depends on the packet rule type.

Rule Value 4

A variable-length field whose meaning depends on the packet rule type.

Rule Value 5

A variable-length field whose meaning depends on the packet rule type.

April 7, 2012