Configuration (VLAN)
The Tellabs 1100 system Virtual Local Area Network (VLAN) implementation is based on industry standards specified in IEEE 802.1Q (VLAN Tagging), 802.1p (Priority Tagging), and 802.1ad (Q-in-Q/VLAN Stacking). These protocols allow User and User Group segmentation (for network segmentation and security) and service level priority indication for quality of service. An example of a VLAN Group is a pool of users (or devices, e.g. printers) with the same service level agreement (SLA).
IEEE 802.1ad (Q-in-Q/Stacked VLANs) Support
The Tellabs 1100 system allows each VLAN (or group) to be provisioned with independent security features including strong authentication (compliant with IEEE 802.1X), Access Control Lists (ACLs), and ingress datagram rate limiting. The Tellabs 1100 Series system also offers communication efficiency through an optionally configured distributed Ethernet Bridging capability (compliant with IEEE 802.1Q) throughout the platform.
For some applications, Layer 2 bridging is desired to ensure that end users can share information through the shortest path, thus reducing bandwidth use throughout the network.
Provisioning VLAN and VLAN Groups
In the Panorama PON management system, VLANs and VLAN Groups are defined in the provisioning process as part of Service and Connection Profiles. These are global profiles that ultimately define an SLA for a specific user (VLAN) or group of users (VLAN Group). As part of the service Connection Profile, Ethernet Bridging can be either ENABLED or DISABLED, depending upon the service delivery mechanism desired. If Ethernet Bridging is enabled, all users within this group are able to communicate using standard bridging functions. If Ethernet Bridging is disabled, all user traffic is forwarded to the network uplink, providing complete datagram isolation between end user traffic.
Up to 4,081 end user VLANs (and VLAN Groups) can be provisioned on the platform. Each VLAN Group can support a nearly unlimited number of end user ports (and services), limited only by the Ethernet bridge capacity of the system (16,384 entries). The combination of the cross-connections and the Connection Profiles is used to define these constructs. Use of the Connection Profile simplifies the definition of allowed services. The subscriber side of the connection defines the port and VLAN. A VLAN value of -1 indicates untagged, 0 indicates priority tagged, and any other value is taken as the subscriber side VLAN. With untagged traffic, the priority is preserved when the Network VLAN is applied. Untagged traffic gets the specified Network VLAN. For tagged traffic, the VLAN is translated into the proper Network VLAN.
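The subscriber-side VLAN convention above (-1, 0, or a VLAN ID) can be followed on real frame bytes in the sketch below. It is an added example, not Tellabs or Panorama code; the port profile, the drop-on-no-match behaviour and the priority 0 default for frames without 802.1p bits are assumptions.

```python
import struct

TPID_8021Q = 0x8100                 # IEEE 802.1Q tag EtherType
UNTAGGED, PRIORITY_TAGGED = -1, 0   # subscriber-side VLAN values from the text


def parse_tag(frame: bytes):
    """Return (pcp, vid, rest-from-EtherType); pcp and vid are None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, frame[12:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci >> 13, tci & 0x0FFF, frame[16:]


def subscriber_vlan(frame: bytes) -> int:
    """Classify a frame as -1 (untagged), 0 (priority tagged) or its VLAN ID."""
    _, vid, _ = parse_tag(frame)
    return UNTAGGED if vid is None else vid


def to_network(frame: bytes, connections: dict):
    """Apply the Network VLAN of the matching connection on one port.

    connections maps subscriber-side VLAN value -> Network VLAN.
    Returns the re-tagged frame, or None when nothing matches
    (assumption: unmatched traffic is not forwarded).
    """
    pcp, _, rest = parse_tag(frame)
    net_vid = connections.get(subscriber_vlan(frame))
    if net_vid is None:
        return None
    tci = ((pcp or 0) << 13) | net_vid  # assumption: no 802.1p bits -> priority 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + rest


def build(vid=None, pcp=0):
    """Constructed sample frame: broadcast dst, locally administered src, IPv4."""
    macs = bytes.fromhex("ffffffffffff020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x00" * 46


PORT = {UNTAGGED: 100, PRIORITY_TAGGED: 200, 30: 300}  # hypothetical port profile
```

With this profile, a frame tagged with a VLAN that has no connection on the port (for example 31) returns None rather than leaking into another service's Network VLAN.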
At the end user port, VLANs are delivered into the client environment using a combination of VLAN Tagged, VLAN Priority Tagged, or Untagged. A maximum of five independent VLANs can be provisioned on each end user Ethernet port, allowing a combination of tagged/untagged scenarios. The function of extending VLAN Tags to the client device is referred to as VLAN Trunking. If VLAN Trunking is used in any Service profile, then all subsequent Service profiles must have VLAN Trunking as their Service Type. In this configuration, each provisioned VLAN is based on a particular service (e.g. data, VoIP). The figure below depicts an end-user environment with multiple VLANs for one subscriber interface.

Defining Attributes
The VLAN Property Table defines the VLANs that are used by the system. This table allows the user to define and set up the attributes associated with each VLAN, which include ID (VLAN), ACL Mode, Bridge Type, MST ID, DAI Enabled, Enable Dynamic ARP, Add VLANs and Edit Functions.
The Dynamic Address Resolution Protocol Inspection (DAI) feature, available in the VLAN Configuration Menu Bar, prevents DHCP snooping or unauthorized attacks from occurring on ports and devices. When the Dynamic ARP Inspection protocol is used, the IP address on a port can be verified. When DAI is not used, the IP address is not available and the data is essentially a Layer 2 MAC table. The DAI protocol that prevents snooping, the DHCP snooping table where Acknowledgment messages are sent from the DHCP server to the learned IP address binding, and the Forwarding Database table that records the IP/MAC bindings all contribute to maintaining a secure network environment.
For more information about using the Dynamic ARP Inspection feature, refer to Dynamic ARP Inspection. When configuring VLANs, the user can enable DAI in the VLAN Property table for a specific VLAN to enable DHCP snooping.
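The relationship between DHCP-learned bindings and ARP verification can be illustrated with the following added example, which is generic Dynamic ARP Inspection logic and not the Tellabs implementation. The port names, the binding-table layout and the sample packets are constructed for the illustration.

```python
import ipaddress
import struct


def learn_from_ack(bindings, vlan, port, client_mac, leased_ip):
    """Record the IP/MAC binding carried in a DHCP ACK seen on a VLAN and port."""
    bindings[(vlan, ipaddress.ip_address(leased_ip))] = (client_mac.lower(), port)


def parse_arp(body: bytes):
    """Decode an Ethernet/IPv4 ARP body into (sender_mac, sender_ip)."""
    if len(body) < 28:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, _op = struct.unpack_from("!HHBBH", body, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return body[8:14].hex(":"), ipaddress.ip_address(body[14:18])


def inspect(bindings, vlan, port, body):
    """Return (verdict, reason) for one ARP packet received on vlan/port."""
    try:
        sender_mac, sender_ip = parse_arp(body)
    except ValueError as exc:
        return "drop", str(exc)
    entry = bindings.get((vlan, sender_ip))
    if entry is None:
        return "drop", "no binding for sender IP on this VLAN"
    if entry != (sender_mac, port):
        return "drop", "sender MAC or port differs from binding"
    return "permit", "matches binding"


def arp(sender_mac, sender_ip, target_ip, op=1):
    """Constructed ARP body for the sample run (not captured traffic)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac
            + ipaddress.ip_address(sender_ip).packed + bytes(6)
            + ipaddress.ip_address(target_ip).packed)


# Hypothetical port name and documentation-range addresses.
BINDINGS = {}
learn_from_ack(BINDINGS, 100, "ont1/eth1", "02:00:00:00:00:0A", "192.0.2.10")
```

Without DAI enabled there is no binding table to consult, so only the Layer 2 MAC information is available and none of these checks can be made.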
Configuration
VLAN Configuration can be accessed only from this Menu Bar.
Selecting Configuration on the Menu Bar displays the following VLAN display options:
- Group by VLAN - Displays VLAN Properties
- Group by NNI - Displays the Network to Network Interface (NNI) Properties
- Add VLANs - Add VLANs to the group
- Remove VLANs - Remove VLANs from the group
