
Cisco uBR7200 Series Universal Broadband Routers

Transparent LAN Service over Cable Networks

Document ID: 60027

Updated: Oct 04, 2005

Introduction

Traditionally, the Cisco cable modem termination system (CMTS) has been used to provide High Speed Data Services for home users and for IP-based Layer 3 Virtual Private Networks (VPNs).

There are, however, some customers that need Layer 2 connections to run their businesses.

Some of the reasons to justify the deployment of a Layer 2 Virtual Private Network (L2VPN) include:

  • Support for non-IPv4 protocols

  • End-to-end encryption

  • More network control

  • Use of a private IP address space

Typically, Layer 2 services are provided by the Telephone Company (Telco) and employ different technologies, such as Leased Lines, Frame-Relay, ISDN, ATM, and others.

With the introduction of the 802.1Q Transparent LAN Service (TLS) feature, the multiple service operator (MSO) can leverage its DOCSIS deployments to provide L2VPN services and thereby enhance its commercial offerings.

Prerequisites

Requirements

Readers of this document should have knowledge of these topics:

  • Cisco IOS® Software Release 12.2(15)BC2

  • uBR7200VXR Platform

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco uBR7246 VXR Universal Broadband Router

  • Cisco Catalyst 2924-XL (End of Life)

  • Cisco 7206VXR Router

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

What is 802.1Q TLS over Cable?

The 802.1Q TLS feature provides the means to create L2VPNs between multiple sites, similar to the Private Leased Lines, Frame Relay, ISDN, ATM, SMDS, and the like that are offered by the Telcos.

In many cases, TLS can be viewed as a “Frame-Relay-like” service. It can accommodate many traffic patterns, such as point-to-point, point-to-multipoint, or fully meshed.

Figure 1 shows how an 802.1Q TLS deployment looks conceptually like a VLAN.

Figure 1

tls_over_cable_01.gif

Market Drivers

The main driver for the adoption of this feature is the potential to increase the revenue streams.

The 802.1Q TLS feature allows an MSO to compete with Telcos by providing a L2VPN service that can be more economical to the end customer.

The MSO footprint already touches many commercial areas throughout their deployment. Many of those businesses already subscribe to Cable TV services and existing Layer 2 services from a Telco.

These L2 Telco services tend to have recurring expenses, such as local loop access, switch port access, and so forth.

In most cases, the deployment of an 802.1Q TLS service can be as easy as this:

  1. Drop a cable modem at the customer site.

  2. Properly provision the MSO’s networking gear.

To make the offering more appealing and marketable, the MSO may choose to bundle Cable TV and TLS together.

How Does 802.1Q TLS Operation Work?

In an 802.1Q TLS setup, the cable modem of a specific customer is provisioned with the standard provisioning methods that are outlined by DOCSIS.

In addition to the provisioning, the CMTS is configured with definitions that are known as the dot1q maps. The dot1q maps contain the cable modem MAC address, the VLAN ID, and the outbound interface. These definitions (or bindings) are propagated into the Service ID (SID) database.

Traffic that is coming from a specific cable modem is tagged with a VLAN ID and is then sent out on the network, where it can be bridged with other VLANs from the same customer. There are several ways to accomplish the VLAN bridging.

Figure 2 depicts a L2VPN point-to-point topology, to illustrate how TLS works.

Figure 2

tls_over_cable_02.gif

On each CMTS there is a dot1q map definition that binds the cable modem MAC address with a VLAN ID and an outbound interface.

Suppose that you trace a packet from Site A to Site B; the following events explain how CMTS A processes the traffic from Site A:

  1. The cable modem takes the Ethernet frame and adds a DOCSIS header, which includes the cable modem SID (or SFID).

  2. When the traffic is received, the CMTS performs an SID lookup.

  3. The CMTS determines whether the traffic is TLS, based on the SID.

  4. If the traffic is TLS, the CMTS looks into the packet and checks for the source MAC address.

    1. If the MAC address matches the cable modem’s MAC address, then the traffic is sent to the Layer 3 switching code.

    2. If the MAC address does not match the cable modem’s MAC address, then the traffic is tagged with the proper VLAN tag and is sent out on the proper outbound interface.

On the CMTS B, the packet that is coming from Site A is processed in this way:

  1. When the CMTS receives a VLAN-tagged frame, it performs a database lookup to determine whether the VLAN is mapped to a cable modem.

  2. If a match is found, then the CMTS removes the VLAN tag and adds a DOCSIS header.

  3. The CMTS processes the new DOCSIS packet, to conform to the appropriate CoS or QoS parameters.

  4. The packet is then sent out on the cable interface.
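
The two processing sequences above can be traced on real frame bytes with the following added example, which is a simplified model and not Cisco's implementation or part of the original document. The function names and the constructed sample frame are hypothetical, the SID is passed in instead of being read from a DOCSIS header, and the MAC addresses, interfaces, VLAN IDs and SID 10 are the ones shown elsewhere in this document.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def mac(cisco):
    """Cisco dotted notation (0000.3973.be53) -> 6 raw bytes."""
    return bytes.fromhex(cisco.replace(".", ""))

# Bindings from this document's configurations: modem MAC -> (outbound interface, VLAN ID)
MAP_A = {mac("0000.3973.be53"): ("FastEthernet0/1", 12)}
MAP_B = {mac("0000.39a7.8a67"): ("FastEthernet0/0", 21)}
SID_DB_A = {10: mac("0000.3973.be53")}  # SID 10 as in the debug output

def upstream(sid, frame, sid_db, dot1q_map):
    """CMTS A steps 2-4: SID lookup, TLS check, source-MAC check, tagging."""
    cm = sid_db.get(sid)
    if cm is None or cm not in dot1q_map:
        return ("not-tls", None, frame)
    if frame[6:12] == cm:                       # sourced by the modem itself
        return ("layer3", None, frame)
    iface, vlan = dot1q_map[cm]
    tag = struct.pack("!HH", TPID_8021Q, vlan)  # priority 0, CFI 0, 12-bit ID
    return ("tagged", iface, frame[:12] + tag + frame[12:])

def downstream(frame, dot1q_map):
    """CMTS B steps 1-2: VLAN lookup, then tag removal (DOCSIS header omitted)."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    vlan = tci & 0x0FFF                         # low 12 bits carry the VLAN ID
    for cm, (_iface, mapped) in dot1q_map.items():
        if mapped == vlan:
            return (cm, frame[:12] + frame[16:])
    return None                                 # VLAN not bound to any modem

def sample_frame(src):
    """Constructed 114-byte untagged frame: dst + src + EtherType IP + padding."""
    return mac("0008.a3b6.d74b") + mac(src) + b"\x08\x00" + bytes(100)

if __name__ == "__main__":
    action, iface, out = upstream(10, sample_frame("0008.a3b6.d371"), SID_DB_A, MAP_A)
    print(action, iface, len(out), out[12:16].hex())
```

A frame that carries VLAN 12 is not delivered by `downstream` with CMTS B's map, because that map binds only VLAN 21; the bridging between the two VLANs happens outside the CMTS.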

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

Figure 3 illustrates the network topology used in the Configurations and Verify sections.

Figure 3

tls_over_cable_03.gif

Configurations

This document uses these configurations:

  1. CMTS A

  2. CMTS B

  3. Switch

  4. Aggregation Router

CMTS A
UBR-1:
!
cable l2-vpn-service dot1q
cable dot1q-vc-map 0000.3973.be53 FastEthernet0/1 12 
!

CMTS B
UBR-2:
!
cable l2-vpn-service dot1q
cable dot1q-vc-map 0000.39a7.8a67 FastEthernet0/0 21
!

Switch
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!         
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!         
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!         

SW# show vlan id 12

00:44:03: %SYS-5-CONFIG_I: Configured from console by console
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
12   VLAN0012                         active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
12   enet  100012     1500  -      -      -        -    -        0      0   

SW# show vlan id 21

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   VLAN0021                         active    

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
21   enet  100021     1500  -      -      -        -    -        0      0

Aggregation Router
!         
bridge irb
!         
!         
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!         
interface FastEthernet0/1.12
 encapsulation dot1Q 12
 bridge-group 1
!         
interface FastEthernet0/1.21
 encapsulation dot1Q 21
 bridge-group 1
!         
bridge 1 protocol ieee
!
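
As an added example (not part of the original document and not Cisco tooling), the following Python check reads the dot1q maps and the aggregation router subinterfaces from the configurations above and reports malformed map lines, mapped VLANs that are not bridged, and bridge groups that join VLANs outside an intended per-customer set. The function names, the `intended` parameter and the sample strings are hypothetical, and tolerating a trailing customer-name token on the map line is an assumption.

```python
import re
from collections import defaultdict

# MAC, interface, VLAN ID; a trailing customer name is tolerated (assumption).
VC_MAP = re.compile(r"cable dot1q-vc-map ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\d+)(?:\s+\S+)?$", re.I)
ENCAP = re.compile(r"\s*encapsulation dot1Q (\d+)\s*$", re.I)
BGROUP = re.compile(r"\s*bridge-group (\d+)\s*$", re.I)

def parse_vc_maps(config):
    """Return (valid (mac, interface, vlan) bindings, unparseable map lines)."""
    good, bad = [], []
    for line in (l.strip() for l in config.splitlines()):
        if not line.startswith("cable dot1q-vc-map"):
            continue
        m = VC_MAP.match(line)
        if m and 1 <= int(m.group(3)) <= 4094:   # usable 802.1Q VLAN IDs
            good.append((m.group(1).lower(), m.group(2), int(m.group(3))))
        else:
            bad.append(line)
    return good, bad

def bridged_vlans(config):
    """Return {bridge-group number: set of VLAN IDs} from dot1Q subinterfaces."""
    groups, vlan = defaultdict(set), None
    for line in config.splitlines():
        if line.startswith("interface"):
            vlan = None                           # new interface stanza
        elif m := ENCAP.match(line):
            vlan = int(m.group(1))
        elif (m := BGROUP.match(line)) and vlan is not None:
            groups[int(m.group(1))].add(vlan)
    return dict(groups)

def audit(cmts_configs, router_config, intended):
    """List deviations from the intended per-customer VLAN sets."""
    findings, mapped = [], set()
    for name, cfg in cmts_configs.items():
        good, bad = parse_vc_maps(cfg)
        mapped |= {vlan for _, _, vlan in good}
        findings += [f"{name}: malformed map: {line}" for line in bad]
    groups = bridged_vlans(router_config)
    bridged = set().union(*groups.values())
    findings += [f"VLAN {v} is mapped but not bridged" for v in sorted(mapped - bridged)]
    findings += [f"bridge-group {g} joins unintended VLANs {sorted(vs)}"
                 for g, vs in sorted(groups.items()) if vs not in intended]
    return findings

# Constructed sample input based on this document's configurations.
CMTS = {"UBR-1": "cable l2-vpn-service dot1q\ncable dot1q-vc-map 0000.3973.be53 FastEthernet0/1 12\n",
        "UBR-2": "cable l2-vpn-service dot1q\ncable dot1q-vc-map 0000.39a7.8a67 FastEthernet0/0 21\n"}
ROUTER = ("interface FastEthernet0/1.12\n encapsulation dot1Q 12\n bridge-group 1\n"
          "interface FastEthernet0/1.21\n encapsulation dot1Q 21\n bridge-group 1\n")

if __name__ == "__main__":
    print(audit(CMTS, ROUTER, intended=[{12, 21}]))   # no findings
```

A map line with the space between the MAC address and the interface missing is reported as malformed, and a third VLAN added to bridge-group 1 is reported as an unintended join.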

Verify

This section provides information that you can use to confirm that your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Cable Modem Initialization

When the modem that has been provisioned for 802.1Q TLS comes online, a map is created that binds the modem to a VLAN ID and an output interface.

Issue these debug commands to verify the mapping:

This output shows how the CMTS maps the VLAN and the outbound interface, when the cable modem comes online. It also shows the Downstream and Upstream Service Flow IDs that are associated with the VLAN.


!--- Logs from CMTS A (UBR-1):

UBR-1# show debug

CMTS:
  CMTS L2 VPN debugging is on
CMTS specific:
  Debugging is on for Address 0000.3973.be53, Mask ffff.ffff.ffff

UBR-1#

cmts_l2vpn_init_cm: cm 0000.3973.be53 on Cable3/0, sid 0xA
map to FastEthernet0/1 VLAN id 12
 Mapped DS srv flow 22 on Cable3/0 to FastEthernet0/1 VLAN 12
 Mapped US srv flow 21 sid 10 on Cable3/0 to FastEthernet0/1 VLAN 12

Passage of Traffic

To see whether traffic is coming from the cable modem or is destined to the cable modem, you can debug it or look at the counters.

To debug it, turn on these debugs:

Note: These debugs are only available on the uBR7200 platform.

The next example output shows the debug of a packet from Site A to Site B, when you activate debug cable mac-address mac-address verbose and debug cable l2-vpn conditional.

The first debug line is the packet sourced from Site A. Because the packet is a ping packet, the next debug line is the ping response. It shows how a packet is sent to the cable modem.

UBR-1#

Pkt (size 114) from CM 0000.3973.be53 sid 10 src 0008.a3b6.d371
dst 0008.a3b6.d74b fwd to FastEthernet0/1 vlan 12

Send pkt size 118 from 0008.a3b6.d74b on FastEthernet0/1:vlan 12
to 0008.a3b6.d371 on Cable3/0:0xA CM 0000.3973.be53

To view the bytes or packets counters, issue the show cable l2-vpn dot1q-vc-map mac-address verbose command:

UBR-1# show cable l2-vpn dot1q-vc-map 0000.3973.be53 verbose

MAC Address                         : 0000.3973.be53
Customer Name                       :
Prim Sid                            : 5
Cable Interface                     : Cable3/0
Ethernet Interface                  : FastEthernet0/1
DOT1Q VLAN ID                       : 12
Total US pkts                       : 0
Total US bytes                      : 0
Total DS pkts                       : 12
Total DS bytes                      : 816

Troubleshoot

There is currently no specific information available to troubleshoot this configuration.

Design Considerations

There are several design factors to consider when you deploy services over a DOCSIS network. Some are specific to the cable side and the others are more general issues.

Cable Side (DOCSIS)

Pipe Size or Throughput

Typically, the main limitation is on the Upstream bandwidth. Table 1 shows approximate figures for the different throughput values.

Table 1

DOCSIS Version   Channel Width (MHz)   Modulation   Approximate Throughput (Mbps)
--------------   -------------------   ----------   -----------------------------
1.x              1.6                   QPSK         2.2
1.x              1.6                   16-QAM       4.4
1.x              3.2                   16-QAM       8.9
2.0              3.2                   64-QAM       13
2.0              6.4                   64-QAM       26

DOCSIS Version 1.1 has incorporated many features that provide Upstream channel optimization. Some of those features include:

  • Concatenation

  • Fragmentation

  • Payload Header Suppression

DOCSIS QoS

Committed versus Best Effort—DOCSIS Version 1.0 allows for a guaranteed rate on the Upstream only. Version 1.1 and 2.0 allow for a guaranteed rate in both directions. In order to guarantee a committed information rate (CIR), the CMTS scheduler performs admission control on the Upstream, to prevent over-subscription.

Controlled Latency and Jitter—DOCSIS Version 1.1’s Unsolicited Grants (UGS) provides a constant bit rate (CBR)-like service. Latency and jitter can be effectively controlled, to provide a guaranteed minimum data rate for traffic that requires grants at fixed intervals.

Security

Traffic that is traversing the cable plant can be secured with the DOCSIS baseline privacy interface (BPI), in DOCSIS Version 1.0, or BPI+, in newer versions of DOCSIS. With BPI or BPI+ in place, the data cannot be snooped or eavesdropped on the cable side.

For customers that require more security—for example, financial institutions and the like—an end-to-end IPSec strategy is recommended. Refer to Security at Cisco.

General Issues

QoS

In an 802.1Q environment, there are three major QoS areas:

  • CPE side—How the CPE polices and marks the traffic. This is controlled by the customer and it is relevant to their internal QoS policies.

  • Cable side—This conforms to the DOCSIS protocol and to the cable modem provisioning.

  • Backbone—The MSO can apply the QoS policies based on Service Level Agreements.

Performance and Scalability

On the CMTS, there is only a slight increase of memory to hold the data structures and dot1q maps (database). Switching for TLS packets is the same as for any other packet.

The number of supported VLANs varies based on the platform.

Bridging groups vary based on the platform.

How to Extend 802.1Q TLS Beyond the Ethernet Boundaries

There will be times when the customers need connectivity to sites that are beyond the Ethernet physical limits; for example, sites in different towns, cities, or states.

In those cases, the MSOs can use one of the several Metro Ethernet Relay Service solutions.

Two of those solutions that have been lab tested are:

  • TLS over an IP Core Network via Layer 2 Tunnel Protocol (L2TP) version 3

  • TLS over a Multiprotocol Label Switching (MPLS) Core via Ethernet over MPLS (EoMPLS)

Appendix A - Packet Trace Between the L2 Switch and the Aggregation Router

This section shows a packet trace of a ping packet between the Switch and the Aggregation Router. Notice that there are two ping request packets: one from Site A to the Aggregation Router, and one from the Aggregation Router to Site B. The same applies to the ping reply.

Frame 1 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:08:a3:b6:d3:71, Dst: 00:08:a3:b6:d7:4b
802.1q Virtual LAN
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 0000 1100 = ID: 12
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.50.1 (192.168.50.1),
Dst Addr: 192.168.50.2 (192.168.50.2)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 
    Checksum: 0x3fb9 (correct)
    Identifier: 0x0008
    Sequence number: 0x0000
    Data (72 bytes)

0000  00 00 00 00 00 3d 3e 4c ab cd ab cd ab cd ab cd   .....=>L........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........

Frame 2 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:08:a3:b6:d3:71, Dst: 00:08:a3:b6:d7:4b
802.1q Virtual LAN
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 0001 0101 = ID: 21
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.50.1 (192.168.50.1),
Dst Addr: 192.168.50.2 (192.168.50.2)
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0 
    Checksum: 0x3fb9 (correct)
    Identifier: 0x0008
    Sequence number: 0x0000
    Data (72 bytes)

0000  00 00 00 00 00 3d 3e 4c ab cd ab cd ab cd ab cd   .....=>L........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........

Frame 3 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:08:a3:b6:d7:4b, Dst: 00:08:a3:b6:d3:71
802.1q Virtual LAN
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 0001 0101 = ID: 21
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.50.2 (192.168.50.2),
Dst Addr: 192.168.50.1 (192.168.50.1)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 
    Checksum: 0x47b9 (correct)
    Identifier: 0x0008
    Sequence number: 0x0000
    Data (72 bytes)

0000  00 00 00 00 00 3d 3e 4c ab cd ab cd ab cd ab cd   .....=>L........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........

Frame 4 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:08:a3:b6:d7:4b, Dst: 00:08:a3:b6:d3:71
802.1q Virtual LAN
    000. .... .... .... = Priority: 0
    ...0 .... .... .... = CFI: 0
    .... 0000 0000 1100 = ID: 12
    Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.50.2 (192.168.50.2),
Dst Addr: 192.168.50.1 (192.168.50.1)
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0 
    Checksum: 0x47b9 (correct)
    Identifier: 0x0008
    Sequence number: 0x0000
    Data (72 bytes)

0000  00 00 00 00 00 3d 3e 4c ab cd ab cd ab cd ab cd   .....=>L........
0010  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0020  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0030  ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd   ................
0040  ab cd ab cd ab cd ab cd                           ........
