
C4/C4c CMTS Rel. 7.4

16 BSoD L2VPN


Topics
Background Information
Overview
Additional Information
Enabling BSoD
CLI Commands

This chapter is meant for customers using Business Services over DOCSIS for Layer 2 Virtual Private Networks (BSoD L2VPN).

Background Information
The following paragraph from the DOCSIS BSoD specification is a description of the background and business application of this feature:

Data networking between the multiple sites of commercial businesses represents a significant business opportunity for cable operators. Commercial data networks are usually implemented with private point-to-point data connections such as Frame Relay, ISDN, or ATM virtual circuits, often with equipment that provides transparent delivery of layer 2 Ethernet LAN packets. A service that interconnects subscriber enterprise LANs with Layer 2 forwarding is called Transparent LAN Service (TLS).
(Data-Over-Cable Service Interface Specifications Business Services over DOCSIS, Layer 2 Virtual Private Networks, CM-SP-L2VPN-I08-080522, May 22, 2008.)

Issue 2.2

ARRIS PROPRIETARY All Rights Reserved


This same specification goes on to explain that a TLS can be created using BSoD. From the point of view of the business enterprise using BSoD, the TLS may include CPE from more than one CMTS in the cable operator's network, other LANs attached to CMs, and any other LANs bridged to the customer's VLAN in the IEEE 802.1Q-compliant bridge in the cable operator's backbone. The CPE in the TLS can be managed or operated just as if they were on a private Ethernet LAN, with IP addresses assigned by the TLS enterprise and taken from its subnet. The IP subnet of the TLS does not need to be coordinated with the enterprise clients or customers on the cable side of the TLS. Finally, the LAN subscribers in the TLS are isolated from the other customers in the cable operator's HFC network(s) and from other L2VPNs.

Overview
The BSoD L2VPN feature provides point-to-point transparent Layer-2 forwarding between a CM and a network-side Layer-2 device using one or two provider-imposed Q-tags to multiplex the packets belonging to each L2VPN instance on the designated L2VPN network interface between the C4 CMTS and the network-side device. These provider Q-tags are imposed/deposed by the CMTS and are not transmitted to or received from CPE devices on the cable interfaces. Any customer Q-tags imposed by CPE devices are considered to be part of the L2VPN payload and are not considered to be service delimiting to the CMTS.

BSoD does not require the CMTS to learn MAC addresses. MAC address learning is not required in the downstream direction because of the one-to-one mapping between the Q-tags and the downstream CM. It is not required in the upstream direction because all traffic for all L2VPN instances arrives on known L2VPN upstream service flows and is vectored to a single active egress L2VPN network interface.

Since CPE-imposed Q-tags are not trusted as L2VPN membership tokens, all L2VPN traffic from CPE must arrive on one or more upstream Service Flows (SFs) designated during CM registration as belonging to the L2VPN instance. This is done with an L2VPN TLV encoding in the CM configuration file that provides the upstream Q-tags and Priority values to be used when transmitting these packets on the active L2VPN egress network interface.

An L2VPN instance may be configured with either one or two 12-bit Q-tags. Single Q-tag encapsulated L2VPN instances provide a numbering space of up to 4,000 values; dual Q-tag encapsulated L2VPN instances provide up to 16 million values. (Dual Q-tags are also known as Q-in-Q or QinQ.) However, the CMTS supports a maximum of 16,000 L2VPN instances identified by either single or dual Q-tags that may be taken from anywhere within the Q-tag number space. An outer Q-tag may have a value only in the range of 2-4094 because Q-tags 0, 1, and 4095 are reserved by IEEE 802.1Q, while inner Q-tags may be numbered from 1-4095.

June 23, 2011

Within a given CM one or more SFs may share the same Q-tags, so the CM configuration file may contain either a single L2VPN TLV encoding that applies to all SFs or it may contain individual L2VPN TLV encodings that apply only to a single SF. Either way, individual SFs are configured for L2VPN treatment in the CMTS during CM registration. The CMTS does not support L2VPNs that are defined in dynamic SFs.

When a downstream Q-tagged packet arrives on the active L2VPN ingress network interface in the RCM, the Q-tags uniquely identify the CM belonging to the L2VPN instance and hence the downstream cable port. Only individual values of the Q-tags identify L2VPN instances because there is no service type encoding in the Q-tags. This means that the Q-tag number space for single (or outer) Q-tags on a given physical network interface is shared between the existing L3VPN VRF Q-tag subinterface feature and this L2VPN Q-tag feature. Since the L3VPN VRF Q-tag feature only uses a single Q-tag, only the outer Q-tag of a Q-tag pair must be inspected to determine if the packet is to receive L2VPN or L3VPN forwarding treatment. Also note that the L2VPN Q-tags are assigned by L2VPN TLV encodings embedded in CM configuration files while L3VPN Q-tags are assigned in subinterface encapsulation commands by the CLI.

Use the following command to designate the range of Q-tags that are reserved to L2VPNs. This will prevent Q-tag collisions between the L2VPN and the L3VPN features.

    configure l2vpn [no] vlanid-range <2..4094> [- <2..4094>] {single-qtag | dual-qtag}

When a downstream L2VPN packet arrives at the CAM, the packet is transmitted only on the downstream channel used by the CM. It is BPI+ encrypted to ensure that it is received only by the target CM hosting the L2VPN instance.
This BPI+ encryption is applied to individually-addressed (unicast MAC) as well as to group-addressed (multicast/broadcast MAC) packets that belong to the L2VPN instance. This ensures that L2VPN group-addressed packets transmitted on the downstream channel are rejected by other CMs that do not have the correct BPI+ SAID to decrypt the L2VPN packet. Furthermore, when the target CM is L2VPN-compliant under the BSoD L2VPN specification, this CM forwards the L2VPN packet only to the Cable Modem Customer Interface (CMCI), preventing its own eCM IP host stack or other embedded eSAFE devices from receiving the packet. On the other hand, a non-compliant CM forwards all unencrypted downstream IP and ARP broadcast packets to the CMCI as well as to all internal eSAFE devices and the eCM IP host stack.

Not all cable modems are L2VPN capable. An L2VPN-compliant CM reports its L2VPN capabilities during registration. The preferred mode of operation is to provide subscribers with L2VPN-compliant CMs when carrying native IP/ARP traffic in the L2VPN tunnels. This ensures the maximum privacy for the L2VPN subscriber and the maximum performance for the CM and CMTS.

The CMTS only supports non-compliant CMs when explicitly enabled by CLI command. CMs that signal L2VPN capabilities are always permitted to register with correct L2VPN TLV encodings, but non-compliant CMs are allowed to register with L2VPN TLV encodings only when this policy is explicitly allowed. L2VPN-compliant CMs must register with L2VPN capabilities that include Downstream Unencrypted Traffic (DUT) filtering mode and eSAFE host identification. In particular, the CMTS does not perform DHCP snooping for eSAFE host MAC addresses, nor does it support Downstream IP Multicast Encryption (DIME) for non-compliant CMs. Thus, these CMs form L2VPN tunnels that are leaky. It is the cable operator's responsibility (via explicit CLI commands) to allow these non-compliant CMs to register with L2VPN TLV encodings.
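The outer-tag decision described in this Overview, as an added Python example (not ARRIS code and not part of the original guide): it parses up to two Q-tags from a constructed frame and classifies the frame against the reserved ranges used in the chapter's sample topology. Accepting TPIDs 0x8100 and 0x88A8, returning "unmatched" for a dual-qtag outer tag with no inner tag, and all function names are assumptions of this example.

```python
import struct

TPIDS = {0x8100, 0x88A8}   # assumption: either TPID may mark a provider Q-tag

# Reserved ranges from the chapter's sample topology:
#   vlanid-range 201-299 single-qtag, vlanid-range 300 dual-qtag
L2VPN_RANGES = [(201, 299, "single"), (300, 300, "dual")]


def parse_tags(frame):
    """Return (list of VLAN IDs, offset of the payload EtherType), max two tags."""
    vids, off = [], 12                      # skip destination and source MAC
    while len(vids) < 2 and len(frame) >= off + 4:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID
        off += 4
    return vids, off


def classify(frame, ranges=L2VPN_RANGES):
    """Pick the forwarding treatment by inspecting only the outer Q-tag."""
    vids, _ = parse_tags(frame)
    if not vids:
        return ("untagged", None)
    outer = vids[0]
    for lo, hi, kind in ranges:
        if lo <= outer <= hi:
            if kind == "single":
                # A second tag here is a customer Q-tag: payload, not membership
                return ("l2vpn", str(outer))
            if len(vids) < 2:
                # Example's own choice; the guide does not document this case
                return ("unmatched", f"{outer}: dual-qtag range, no inner tag")
            return ("l2vpn", f"{outer}:{vids[1]}")
    return ("l3vpn", str(outer))            # not reserved: L3 sub-interface tag


def make_frame(*vids, tpid=0x8100):
    """Build a constructed frame: zero MACs, the given tags, IPv4 EtherType."""
    tags = b"".join(struct.pack("!HH", tpid, vid) for vid in vids)
    return bytes(12) + tags + struct.pack("!H", 0x0800) + bytes(46)


if __name__ == "__main__":
    for tags in [(300, 242), (298,), (298, 20), (100,), (300,), ()]:
        print(tags, classify(make_frame(*tags)))
```

The instance keys use the same outer:inner notation as the show l2vpn commands, so 298 with a customer tag of 20 still resolves to instance 298.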

Additional Information
Customers using the ARRIS implementation of BSoD L2VPN should be aware of the following:
The ARRIS CMTS provides the point-to-point L2VPN service model but not the point-to-multipoint model described in the DOCSIS spec.
The chassis must be equipped with the following modules: RCM, 16D CAMs, and 12U CAMs. The 2Dx12U CAM does not support BSoD L2VPN.
Single and Dual Q-tags are supported; other types of Network System Interface (NSI) encapsulation are not supported.
The CMTS supports a maximum of 16,000 dual-tag L2VPNs.
The CMTS supports a maximum of 4,094 single-tag L2VPNs.
FlexPath bonded modems do not support this feature.
The use of L2VPN non-compliant modems is permitted in this implementation per the DOCSIS BSoD spec, but results in leaky L2VPN tunnels which fail to exclude unencrypted ARP and IP broadcasts. If you wish to configure BSoD using non-compliant modems, and if these non-compliant modems are PPPoE clients, then the leakage is benign because such clients ignore non-PPPoE traffic.
BSoD tunnels are not considered to be a part of general ISP traffic; therefore, they are not included in Legal Intercept captures.


Enabling BSoD
The following is a listing of basic tasks for enabling the BSoD feature. Steps 1 and 2 are beyond the scope of this document.

1 Determine which Business customer will be using the L2VPN service. Assign the appropriate VPNID and Q-tags to the customer by creating a unique CM config file for each customer's modem.

2 Update the provisioning server so that the modems get the proper configuration files.

3 Configure the CMTS L2VPN feature.

  a Enable L2VPN on the CMTS:

    configure l2vpn forwarding enable

  b Enable L2VPN forwarding for each cable-mac which will be servicing an L2VPN modem:

    configure l2vpn cable-mac 1
    configure l2vpn cable-mac 2
    configure l2vpn cable-mac 3

  c Configure the primary and secondary Network interfaces:

    configure l2vpn network-interface gigabitEthernet 17/9 primary
    configure l2vpn network-interface gigabitEthernet 18/9 secondary

  d If you want to support non-compliant L2VPN modems, you must set the L2VPN cm capability to optional:

    configure l2vpn cm capability optional

  e Configure the assigned Q-tag ranges to be used for VPN service. (Note: Q-tags may also be used for layer 3 sub-interfaces and need to be specifically assigned to be used for L2VPN.)

    configure l2vpn vlanid-range 201-240 single-qtag
    configure l2vpn vlanid-range 300 dual-qtag
    configure l2vpn vlanid-range 1200-1224 single-qtag
    configure l2vpn vlanid-range 1300-1400 dual-qtag
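An offline check of the settings from step 3, as an added Python example (not part of the original guide and not an ARRIS tool): it flags L3 sub-interface Q-tags that fall inside a range reserved for L2VPN and notes when non-compliant CMs are permitted to register. The sub-interface lines in the sample are constructed, and rating a collision as an error only when it sits on an L2VPN network interface is this example's own policy.

```python
import re

# Constructed sample: the L2VPN lines follow this chapter's examples; the three
# L3 sub-interface lines are hypothetical and two of them reuse reserved Q-tags.
SAMPLE_CONFIG = """\
configure l2vpn forwarding enable
configure l2vpn cable-mac 1
configure l2vpn network-interface gigabitEthernet 17/9 primary
configure l2vpn cm capability optional
configure l2vpn vlanid-range 201-240 single-qtag
configure l2vpn vlanid-range 300 dual-qtag
configure interface gigabitEthernet 17/9.1 encapsulation dot1q 100
configure interface gigabitEthernet 17/9.2 encapsulation dot1q 210
configure interface gigabitEthernet 18/1.1 encapsulation dot1q 300
"""

RANGE_RE = re.compile(r"configure l2vpn vlanid-range (\d+)(?: ?(?:-|to) ?(\d+))? "
                      r"(single-qtag|dual-qtag)")
NSI_RE = re.compile(r"configure l2vpn network-interface \S+ (\d+/\d+) (?:primary|secondary)")
SUBIF_RE = re.compile(r"configure interface \S+ (\d+/\d+)\.(\d+) encapsulation dot1q (\d+)")
CAP_RE = re.compile(r"configure l2vpn cm capability (?:\S+ )?optional")


def audit(config_text):
    """Return sorted (severity, message) findings for one CMTS configuration."""
    ranges, nsi_ports, subifs, findings = [], set(), [], []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # collapse runs of whitespace
        if m := RANGE_RE.fullmatch(line):
            lo, hi = int(m[1]), int(m[2] or m[1])
            if 2 <= lo <= hi <= 4094:          # 0, 1 and 4095 are reserved
                ranges.append((lo, hi, m[3]))
            else:
                findings.append(("error", f"vlanid-range {lo}-{hi} is outside 2-4094"))
        elif m := NSI_RE.fullmatch(line):
            nsi_ports.add(m[1])
        elif m := SUBIF_RE.fullmatch(line):
            subifs.append((m[1], m[2], int(m[3])))
        elif CAP_RE.fullmatch(line):
            findings.append(("warn", "cm capability optional: non-compliant CMs may "
                                     "register, so L2VPN tunnels can leak broadcasts"))
    # Only the single/outer tag separates L2VPN from L3VPN traffic, so an L3
    # sub-interface tag inside a reserved range conflicts with the reservation.
    for port, sub, tag in subifs:
        for lo, hi, kind in ranges:
            if lo <= tag <= hi:
                sev = "error" if port in nsi_ports else "warn"
                findings.append((sev, f"{port}.{sub} dot1q {tag} collides with "
                                      f"L2VPN {kind} range {lo}-{hi}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity.upper():5} {message}")
```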


The following screenshot is an example of the modem configuration file displaying tags and VPN identifiers:

Figure 16-1: Example of Modem Configuration File Screenshot


The following modems have been verified as able to support BSoD in Release 7.x:

Table 16-1: Modems Supporting BSoD

BSoD L2 VPN Compliant:
Cisco DOCSIS Cable Modem (VPN compliant modem) <<HW_REV: 2.1; VENDOR: Cisco; BOOTR: 2.1.6d; SW_REV: v2.0.2r1256-090824-mac14; MODEL: DPC2100R2>>

PPPoE Applications: For PPPoE applications any DOCSIS 1.1 or later modem, such as the two ARRIS devices listed below, can be used.
ARRIS DOCSIS 2.0 Touchstone Cable Modem
ARRIS DOCSIS 3.0 Touchstone WideBand Cable Modem

CLI Commands

Table 16-2: List of L2VPN CLI Commands

Configure the primary and secondary network interfaces. The optional secondary interface is used only if the primary is down.
    configure l2vpn [no] network-interface <slot>/<port> { primary | secondary }

Configures cable MAC interfaces participating in the L2VPN service. CMs that attempt to register as L2VPN in non-participating cable-mac interfaces are rejected.
    configure l2vpn [no] cable-mac { <0..415> | * }
The asterisk * is used to select all cable-macs.

Permit non-compliant CMs to register with L2VPN TLV encodings. L2VPN-compliant modems are allowed to register by default; non-compliant CMs must be explicitly enabled to use L2VPN settings.
    configure l2vpn cm capability { esafe-ident | dut-filter } { required | optional }

Declares the VLAN ID ranges that are reserved for L2VPN use and allocated to single or dual Q-tag L2VPN instances.
    configure l2vpn [no] vlanid-range <2..4094> [ to <2..4094> ] { single-qtag | dual-qtag }

Globally enables or disables the L2VPN forwarding. The L2VPN forwarding is disabled by default.
    configure l2vpn forwarding { enable | disable }

Enables or disables L2VPN forwarding for a single VPN ID.
    configure l2vpn forwarding l2vpnid <l2vpnid> { enable | disable }

Enables or disables L2VPN forwarding for a single cable modem.
    configure l2vpn forwarding cm-mac <aaaa.bbbb.cccc> { enable | disable }

Enables or disables L2VPN forwarding for a single L2VPN instance.
    configure l2vpn forwarding instance <outer-vlanid> [ : <inner-vlanid> ] { enable | disable }

Displays the configuration and state of the L2VPN settings.
    show l2vpn

Displays the configuration and state of a specific L2VPNID.
    show l2vpn l2vpnid <L2VPNID>

Displays the configuration and state of the specific Q-tag or Q-tag pair within an L2VPN.
    show l2vpn l2vpnid <L2VPNID> [ <outer VLANid> [ : <inner VLANid> ]]
The colon : is used to separate the inner Q-tag from the outer in a Q-tag pair, for example, 20:20. If you entered 2020, the CMTS would look for single Q-tag number two thousand and twenty.

Displays the specific cable-modem by MAC address.
    show l2vpn cm-mac <aaaa.bbbb.cccc>


Figure 16-2: Diagram of a BSoD L2VPN Network

Sample topology showing QinQ from BSoD modem into Provider's switching network via C4 l2forward port. Provider Edge Switch 3 is acting as a PPPoE Aggregator. PPPoE will authenticate and give out IP addresses.

Diagram labels: Routed Network; PPPoE Aggregator; Trunk; Dot1Q traffic; GigabitEthernet 17/0 L2vpn primary forward; RF; Dual Tag CM 300:242; Single Tag CM 298; CPE IP 192.168.10.2/24; CPE IP 192.168.20.2/24.

The blue circles are optional items showing how the setup can scale. For testing only; two switches are needed.

PPPoE Aggregator interface:

    Interface FastEthernet0/0.300
     encapsulation dot1Q 298
     no snmp trap link-status
     pppoe enable

PPPoE Conf:

    vpdn enable
    username arris password 0 cadant
    !
    bba-group pppoe global
     virtual-template 1
    !
    interface virtual-template1
     ip unnumbered loopback9
     peer default ip address pool bsod1
    !
    ip local pool bsod1 10.20.20.1 10.20.20.15
    !

Show command(s) to use inside the switching net:

    #show vlans dot1q 300 second-dot1q 242

C4 CMTS L2 Configuration:

    configure l2vpn forwarding enable
    configure l2vpn cm capability optional
    configure l2vpn network-interface gigabitEthernet 17/0 primary
    configure l2vpn cable-mac 1
    configure l2vpn vlanid-range 201-299 single-qtag
    configure l2vpn vlanid-range 300 dual-qtag


17 Multiple VRFs


Topics
Overview
Feature Guidelines
Abbreviations

Overview
The Five Virtual Routing and Forwarding (VRF) Support for Open Shortest Path First (OSPFv2) feature expands the multi-VRF support to five for CMTS OSPFv2 networks. The CMTS supports enabling OSPFv2 in the five different VRFs simultaneously.

Feature Guidelines
Users of this feature should note the following:
OSPFv2 may be assigned to the default VRF and up to four non-default VRFs, or assigned up to five non-default VRFs.
The five VRFs run both OSPFv2 and Routing Information Protocol (RIP) and redistribute routes between the two protocols.
Packets on the northbound interface use Q-tags to identify packets using non-default VRFs for routing.

Abbreviations
OSPFv2    Open Shortest Path First Version 2
Q-tag     802.1Q VLAN Tagging
RIP       Routing Information Protocol
VRF       Virtual Routing and Forwarding

Overview of the Sample Procedure


The configuration example that follows is for demonstration purposes. Such a configuration is not likely to be encountered in the field, but it serves to show what commands are available. In the example below we use the default VRF and create four additional ones. You may configure five non-default VRFs: just substitute a new vrf (vrf5) for the default. This sample procedure has RIP being redistributed into OSPFv2 and OSPFv2 being redistributed into RIP in every VRF. This is not a recommended configuration. MSOs might configure one VRF with RIP into OSPFv2 and another VRF with OSPFv2 into RIP, but in most cases you will see only RIP redistributed into OSPFv2. This procedure also has one RCM interface and one cable-mac in each VRF. You can have multiple interfaces (RCM or cable-macs) in a VRF. One VRF does not have to match the other VRFs in terms of the number of interfaces. The default VRF, for example, could have three RCM ports and four cable-macs. VRF1 could have only one RCM port and three cable-macs, and so on.

Procedure 17-1

Example of Setting Up Five VRFs

In this procedure you will add four non-default VRFs to the existing default VRF. This procedure assumes that the following interfaces are using these IP addresses:

Type        Interface   Address/subnet
GigE        17/1.0      10.0.0.1 /24
GigE        17/1.1      20.0.0.1 /24
GigE        17/1.2      30.0.0.1 /24
GigE        18/1.1      40.0.0.1 /24
GigE        18/1.2      50.0.0.1 /24
Cable-mac   1           110.0.0.1 /24
Cable-mac   2           120.0.0.1 /24
Cable-mac   3           130.0.0.1 /24
Cable-mac   4           140.0.0.1 /24
Cable-mac   5           150.0.0.1 /24


These are the commands you would use to define the interfaces listed above:

    configure interface gigabitEthernet 17/1.0 ip address 10.0.0.1 255.255.255.0
    configure interface gigabitEthernet 17/1.1 ip address 20.0.0.1 255.255.255.0
    configure interface gigabitEthernet 17/1.2 ip address 30.0.0.1 255.255.255.0
    configure interface gigabitEthernet 18/1.1 ip address 40.0.0.1 255.255.255.0
    configure interface gigabitEthernet 18/1.2 ip address 50.0.0.1 255.255.255.0
    configure interface cable-mac 1 ip address 110.0.0.1 255.255.255.0
    configure interface cable-mac 2 ip address 120.0.0.1 255.255.255.0
    configure interface cable-mac 3 ip address 130.0.0.1 255.255.255.0
    configure interface cable-mac 4 ip address 140.0.0.1 255.255.255.0
    configure interface cable-mac 5 ip address 150.0.0.1 255.255.255.0

1 Create the VRFs:

    configure ip vrf vrf1
    configure ip vrf vrf2
    configure ip vrf vrf3
    configure ip vrf vrf4


2 The purpose of this step is to associate the interfaces with VRFs.

    configure interface gigabitEthernet 17/1.0 ip vrf forwarding default
    configure interface gigabitEthernet 17/1.1 ip vrf forwarding vrf1
    configure interface gigabitEthernet 17/1.2 ip vrf forwarding vrf2
    configure interface gigabitEthernet 18/1.1 ip vrf forwarding vrf3
    configure interface gigabitEthernet 18/1.2 ip vrf forwarding vrf4
    configure interface cable-mac 1 ip vrf forwarding default
    configure interface cable-mac 2 ip vrf forwarding vrf1
    configure interface cable-mac 3 ip vrf forwarding vrf2
    configure interface cable-mac 4 ip vrf forwarding vrf3
    configure interface cable-mac 5 ip vrf forwarding vrf4

3 The use of sub-interfaces requires Q-tags. Assign Q-tags to the sub-interfaces:

    configure interface gigabitEthernet 17/1.1 encapsulation dot1q 100
    configure interface gigabitEthernet 17/1.2 encapsulation dot1q 101
    configure interface gigabitEthernet 18/1.1 encapsulation dot1q 102
    configure interface gigabitEthernet 18/1.2 encapsulation dot1q 103

4 (Optional) Enable RIP on one or more of the VRFs:

    configure router rip vrf default enable
    configure router rip vrf vrf1 enable
    configure router rip vrf vrf2 enable
    configure router rip vrf vrf3 enable
    configure router rip vrf vrf4 enable


5 (Optional) Configure the interfaces on which RIP runs:

    configure router rip vrf default network 10.0.0.0
    configure router rip vrf vrf1 network 20.0.0.0
    configure router rip vrf vrf2 network 30.0.0.0
    configure router rip vrf vrf3 network 40.0.0.0
    configure router rip vrf vrf4 network 50.0.0.0
    configure router rip vrf default network 110.0.0.0
    configure router rip vrf vrf1 network 120.0.0.0
    configure router rip vrf vrf2 network 130.0.0.0
    configure router rip vrf vrf3 network 140.0.0.0
    configure router rip vrf vrf4 network 150.0.0.0

6 Configure the router ID for the OSPFv2 instances:

    configure router ospf vrf default router-id 10.0.0.1
    configure router ospf vrf vrf1 router-id 20.0.0.1
    configure router ospf vrf vrf2 router-id 30.0.0.1
    configure router ospf vrf vrf3 router-id 40.0.0.1
    configure router ospf vrf vrf4 router-id 50.0.0.1


7 Create the OSPFv2 areas:

    configure router ospf vrf default network 10.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf1 network 20.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf2 network 30.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf3 network 40.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf4 network 50.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf default network 110.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf1 network 120.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf2 network 130.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf3 network 140.0.0.0 0.0.0.255 area 0.0.0.0
    configure router ospf vrf vrf4 network 150.0.0.0 0.0.0.255 area 0.0.0.0

8 (Optional) Enable OSPFv2 on all five VRFs:

    configure router ospf vrf default enable
    configure router ospf vrf vrf1 enable
    configure router ospf vrf vrf2 enable
    configure router ospf vrf vrf3 enable
    configure router ospf vrf vrf4 enable


9 (Optional) Redistribute RIP into OSPFv2:

    configure router ospf vrf default redistribute rip
    configure router ospf vrf vrf1 redistribute rip
    configure router ospf vrf vrf2 redistribute rip
    configure router ospf vrf vrf3 redistribute rip
    configure router ospf vrf vrf4 redistribute rip

End of procedure

Additional Information
The procedure above is for demonstration purposes. Adapt it to the requirements of your site and application. You may configure five non-default VRFs: just substitute a new vrf (vrf5) for the default. This sample procedure has RIP being redistributed into OSPFv2. MSOs might configure one VRF with RIP into OSPFv2 and another VRF with OSPFv2 into RIP, but in most cases you will only see RIP redistributed into OSPFv2. This procedure also has one RCM interface and one cable-mac in each VRF. You can have multiple interfaces (RCM or cable-mac) in a VRF. One VRF does not have to match the other VRFs in terms of the number of interfaces. The default VRF, for example, could have three RCM ports and four cable-macs. VRF1 could have only one RCM port and three cable-macs, and so on.
