Date:      Wed, 30 Aug 2006 13:11:35 +0200
From:      Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To:        freebsd-isp@freebsd.org
Subject:   Router Tweaked
Message-ID:  <44F57267.2000202@ide.resurscentrum.se>

Hi.

I have a problem, or maybe I should see it as a challenge.
We offer broadband services and we buy the connection to our customers 
from another company with an infrastructure built on Cisco technology.

Our customers are delivered to us on a unique VLAN per customer. In their 
core net they use a technology called QinQ - a bunch of VLANs with an 
extra VID to be able to scale the network more easily. For example, all 
customers from one DSLAM have their own unique VID, but from that site and 
through the rest of the network they all belong to the same QinQ VID.

The downside to using this technology (QinQ) is that we lose some of 
the virtual functions of the VLANs. For example, the MAC tables are not 
separated any longer - we have one table for each QinQ VLAN and not one 
for each VLAN. This means that we as ISP cannot use if_bridge to bridge 
a bunch of VLANs together, because this will mess up the FDB in the Cisco 
switches - one MAC address will belong to more than one port in a switch 
in the same FDB. This wouldn't be a problem if they weren't using QinQ, 
because then each VLAN would have its own FDB in each switch.

My goal is to build a router based on *BSD (preferably FreeBSD) with a 
VLAN IF for each customer linked to a bridge, so that I could use one (1) 
IP per customer and not waste 3 IPs on network, gateway and 
broadcast addresses for each customer, as I would if I routed each customer in a 
normal fashion.
   Customer1; VID 100---\
                         |> QinQ VID 1----P1|CiscoSwitch|P2---VID 100,200----em0
   Customer2; VID 200---/                                                     |
                                               ________________________________|______
                                              | FreeBSD                             |
                                              |   em0.100 --\                       |
                                              |              >-- bridge0            |
                                              |   em0.200 --/                       |
                                              |_____________________________________|

The solution above is non-working out of the box because of the QinQ. 
One solution is to put an ARP proxy (net.link.ether.inet.proxyall ?) 
that would spoof all the IPs connected to the client IFs. Or maybe 
PF/IPFW has some magic I could use to redirect client-to-client traffic 
via loopback.

Of course Cisco has a solution to this (since they invented the 
"problem" :-)) based on an IP-less IF (for the customer), a local loopback 
IF acting as gateway, and ARP proxy for communication between customers.

I have put this out there before with no good results. Is there anyone 
out there with any good thoughts on this that may help me on the way?

Additionally, I want to be able to trace my customers back to their 
VLAN if someone gives me a time and an IP address.

Any thoughts or hints are appreciated.

/Jon
