Transparent LAN Service over Cable

This document describes the Transparent LAN Service (TLS) over Cable feature, which enhances existing Wide Area Network (WAN) support to provide more flexible Managed Access for multiple Internet service provider (ISP) support over a hybrid fiber-coaxial (HFC) cable network. This feature allows service providers to create a Layer 2 tunnel by mapping an upstream service identifier (SID) to an IEEE 802.1Q Virtual Local Area Network (VLAN).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.


Hardware Compatibility Matrix for Cisco cBR Series Routers


Note: The hardware components introduced in a given Cisco IOS-XE Release are supported in all subsequent releases unless otherwise specified.


Table 1 Hardware Compatibility Matrix for the Cisco cBR Series Routers

Cisco CMTS Platform: Cisco cBR-8 Converged Broadband Router

Processor Engine (Cisco IOS-XE Release 3.15.0S and Later Releases):

Cisco cBR-8 Supervisor:

  • PID—CBR-CCAP-SUP-160G

  • PID—CBR-CCAP-SUP-60G (see footnote 1)

  • PID—CBR-SUP-8X10G-PIC

Interface Cards (Cisco IOS-XE Release 3.15.0S and Later Releases):

Cisco cBR-8 CCAP Line Cards:

  • PID—CBR-LC-8D30-16U30

  • PID—CBR-LC-8D31-16U30

  • PID—CBR-RF-PIC

  • PID—CBR-RF-PROT-PIC

Cisco cBR-8 Downstream PHY Modules:

  • PID—CBR-D30-DS-MOD

  • PID—CBR-D31-DS-MOD

Cisco cBR-8 Upstream PHY Modules:

  • PID—CBR-D30-US-MOD

1 Effective with Cisco IOS-XE Release 3.17.0S, CBR-CCAP-SUP-60G supports 8 cable line cards. The total traffic rate is limited to 60 Gbps, the total number of downstream service flows is limited to 72268, and downstream unicast low-latency flows do not count against the limits.

Prerequisites for Transparent LAN Service over Cable

  • You must know the hardware (MAC) addresses of the cable modems that are to be mapped to IEEE 802.1Q VLANs.

  • You must create a bridge group for each separate customer on the Layer 2 bridge aggregator, so that traffic from all of the Customer Premises Equipment (CPE) devices for the customer is grouped together into the same 802.1Q tunnel.

Restrictions for Transparent LAN Service over Cable

  • Configuring 802.1Q for a particular cable modem removes any previous cable modem configuration on the router.

  • We strongly recommend that TLS over Cable only be used when Baseline Privacy Interface (BPI) is enabled in the environment. If BPI is not enabled when using the TLS feature, traffic can flow between multiple virtual private networks (VPNs), and become vulnerable to denial-of-service attacks or snooping. We also recommend that remote networks be isolated with a gateway or firewall router when BPI is not enabled.

  • When the TLS feature is used with Layer 2 VPNs, the participating cable modems must have the Baseline Privacy Interface security feature (BPI) enabled. Otherwise, the Cisco CMTS drops such Layer 2 traffic in the upstream or downstream.

  • Packets are mapped to their Layer 2 tunnel only on the basis of Layer 2 information (the cable modem’s MAC address and primary SID). Layer 3 services, such as access lists, IP address source-verify, and IP QoS, are not supported as packets are sent through the tunnel.
  • All traffic from a cable modem is mapped to the same Layer 2 tunnel. It is not possible to differentiate traffic from different customer premises equipment (CPE) devices behind the cable modem.
  • CPE learning is not available when using the Transparent LAN Service over Cable feature. When a cable modem is mapped to a Layer 2 tunnel, the show interface cable modem command shows that the IP addresses for its CPE devices are “unavailable.”
  • DOCSIS QoS is supported across the Layer 2 tunnel only on the primary SID. Traffic using secondary services uses the same Layer 2 tunnel as the primary SID.
  • The Spanning Tree Protocol (STP) cannot be used with devices (cable modems, their CPE devices, and the endpoint CPE devices) that are using this feature. In particular, Spanning Tree Protocol cannot be used between the VLAN bridge aggregator and the endpoint customer devices.
  • The following restrictions apply to Layer 2 tunnels over an Ethernet IEEE 802.1Q VLAN interface:
    • IEEE 802.1Q tunnels are supported only on Ten Gigabit Ethernet interfaces.
    • The Cisco CMTS router supports a maximum of 4095 VLAN IDs, but the switches acting as the bridge aggregator might support a lower number of VLAN IDs. If this is the case, the Cisco CMTS should be configured only for the maximum number of VLANs that are supported by the bridge aggregator switches.

Information About Transparent LAN Service over Cable


Feature Overview

The Transparent LAN Service over Cable feature enables service providers to provide Layer 2 tunnels for traffic to and from cable modems. This allows customers to create their own virtual local area network (VLAN) using any number of cable modems in multiple sites.

On the Cisco CMTS, you map each cable modem (on the basis of its MAC address) to the appropriate VLAN. The CMTS then creates an internal database of this one-to-one mapping of cable modems to VLANs, and uses it to encapsulate packets for the appropriate VLAN.

The CMTS encapsulates the CPE traffic from mapped cable modems using the following method:

  • IEEE 802.1Q Mapping—The cable modem’s MAC address is mapped to an IEEE 802.1Q VLAN on a specific Ten Gigabit Ethernet interface, so that all traffic from the cable modem is tagged with the specified VLAN ID.

Traffic to and from this group of cable modems is bridged into a single logical network (the VLAN) by the bridge aggregator, creating a secure Virtual Private Network (VPN) for that particular group of cable modems. Traffic in one VLAN cannot be sent into another VLAN, unless specifically done so by an external router.

The switch acting as the Layer 2 Bridge Aggregator uses the VLAN tagging to forward the traffic to the appropriate destination. This frees up service providers from needing to know the addressing, routing, and topological details of the customer’s network.

Transparent LAN Service and Layer 2 Virtual Private Networks

In addition, service providers can provide a Layer 2 VPN with only minimal configuration changes on the provider’s routers. The service subscriber does not need to make any changes to their private network or cable modems, nor does the service provider have to provide any special DOCSIS configuration files to enable this feature.

For the TLS feature with Layer 2 VPNs:

  • When the TLS feature is used with Layer 2 VPNs, the participating cable modems must have the Baseline Privacy Interface security feature (BPI) enabled. Otherwise, the Cisco CMTS drops such Layer 2 traffic in the upstream or downstream.
  • Information about Customer Premises Equipment (CPE) does not display in the output of the show cable modem command.

IEEE 802.1Q Mapping

This section describes the mapping of cable modems to an IEEE 802.1Q VLAN, as it is available in the Transparent LAN Service over Cable feature.

Overview

The Transparent LAN Service over Cable feature enables service providers to provide Layer 2 tunnels over an Ethernet network, using IEEE 802.1Q standard tags. This allows customers to create their own virtual network using any number of cable modems in different sites.

On the Cisco CMTS, you map each cable modem (on the basis of its MAC address) to the appropriate VLAN. The CMTS then creates an internal database of this one-to-one mapping of cable modems to VLANs, and uses it to encapsulate packets for the appropriate VLAN.

The CMTS encapsulates the CPE traffic from mapped cable modems using VLAN tags, as defined in IEEE 802.1Q-1993, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks. The switch acting as the Layer 2 Bridge Aggregator uses the VLAN tagging to forward the packets to the appropriate destination.

Traffic to and from this group of cable modems is bridged into a single logical network by the bridge aggregator, creating a secure Virtual Private Network (VPN) for that particular group of cable modems. Traffic in one VLAN cannot be sent into another VLAN, unless specifically done so by an external router.

Details of IEEE 802.1Q Mapping

To implement the Transparent LAN Service over Cable feature using IEEE 802.1Q VLANs, a service provider must perform the following configuration steps:

  1. Identify the cable modems and their MAC addresses that should be mapped to the IEEE 802.1Q VLANs.
  2. Create the required VLANs on the router that is acting as the bridge aggregator.
  3. Enable Layer 2 mapping on the Cisco CMTS, and then map each cable modem on that Cisco CMTS to the appropriate VLAN.

After the Transparent LAN Service over Cable feature has been enabled and configured to use IEEE 802.1Q mappings, the Cisco CMTS immediately begins mapping traffic between the associated cable modems and VLANs. For efficient mapping, the Cisco CMTS maintains an internal database that links each cable modem’s primary service flow ID (SFID) and service ID (SID) to the appropriate VLAN and Ethernet interface. This ensures that all service flows from the cable modem are routed properly.

When the Cisco CMTS receives a packet on an upstream, it looks up its SID to see if it is mapped to a VLAN. If so, and if the packet’s source MAC address is not the cable modem’s MAC address, the Cisco CMTS inserts the appropriate IEEE 802.1Q VLAN tag into the packet’s header and forwards the packet to the appropriate Ethernet interface. If the packet is not being mapped, or if the packet originated from the cable modem, the Cisco CMTS routes the packet using the normal Layer 3 processes.

When the Cisco CMTS receives a packet from a WAN interface that is encapsulated with an IEEE 802.1Q VLAN tag, it looks up the packet’s SID to see if it belongs to a cable modem being mapped. If so, the Cisco CMTS strips off the VLAN tag, adds the proper DOCSIS header, and transmits the packet on the appropriate downstream interface. If the packet is not being mapped, the Cisco CMTS continues with the normal Layer 3 processing.
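The upstream and downstream decisions described in the two paragraphs above can be modelled in a few lines. This is an added example, not Cisco code: SID 4, the CPE MAC addresses, and the downstream lookup keyed on (interface, VLAN ID) are assumptions made for illustration, and the priority bits of the tag are left at zero.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100  # IEEE 802.1Q Tag Protocol Identifier

@dataclass(frozen=True)
class Mapping:
    cm_mac: bytes    # MAC address of the mapped cable modem
    interface: str   # Ethernet interface that carries the VLAN
    vlan_id: int     # IEEE 802.1Q VLAN ID

def mac(text):
    """Convert Cisco dotted notation (0000.0c04.0506) to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return raw

def upstream(sid_db, sid, frame):
    """Handle an Ethernet frame received on an upstream under service ID `sid`."""
    m = sid_db.get(sid)
    # Unmapped SID, or traffic sourced by the modem itself: normal Layer 3 path.
    if m is None or frame[6:12] == m.cm_mac:
        return ("layer3", None, frame)
    tci = m.vlan_id & 0x0FFF  # priority and DEI bits left at 0 (assumption)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    # The tag sits between the source MAC and the original EtherType.
    return ("tunnel", m.interface, frame[:12] + tag + frame[12:])

def downstream(vlan_db, interface, frame):
    """Handle a frame received from the WAN side on `interface`."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return ("layer3", None, frame)
    vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    sid = vlan_db.get((interface, vlan_id))
    if sid is None:
        return ("layer3", None, frame)
    # Strip the 4-byte tag; the DOCSIS header is added before transmission.
    return ("docsis", sid, frame[:12] + frame[16:])

# Constructed sample: the modem/VLAN pair from the page's Step 4 example, SID 4 assumed.
CM = Mapping(mac("0000.0C04.0506"), "TenGigabitEthernet4/1/0", 10)
SID_DB = {4: CM}
VLAN_DB = {(CM.interface, CM.vlan_id): 4}

def eth(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an untagged Ethernet frame (constructed test traffic)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

if __name__ == "__main__":
    cpe = eth("0200.0000.0002", "0200.0000.0001")   # CPE behind the modem
    own = eth("0200.0000.0002", "0000.0C04.0506")   # sent by the modem itself
    print(upstream(SID_DB, 4, cpe)[:2], upstream(SID_DB, 4, own)[:2])
```

Because the decision uses only the SID and the source MAC address, every CPE behind a mapped modem lands in the same VLAN, which is why the restrictions above rule out per-CPE differentiation and Layer 3 filtering inside the tunnel.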

Benefits

The Transparent LAN Service over Cable feature provides the following benefits to cable service providers and their partners and customers:

  • Provides Layer 2 level mapping, which is transparent to Layer 3 protocols and services. This means that service providers do not need to know the details of their customers’ network topologies, routing protocols, or IP addressing.
  • Allows service providers to maximize the use of their existing Ethernet WAN networks. Multiple customers can be combined on the same outgoing interface, while still ensuring that each customer’s network is kept private while it is transmitted over the tunnel.
  • Provides a highly flexible and scalable solution for multiple customers. The service provider needs to create only one bridge group for each VPN, and then only one VLAN mapping for each cable modem that should participate in that VPN tunnel.
  • Customers retain full control over their private networks, while service providers retain full control over cable modems and the rest of the cable and WAN networks. Only the CPE traffic from the cable modems is mapped into the L2VPN tunnel, while traffic originating at the cable modem continues to be processed as normal by the service provider's network.
  • Allows service providers to mix tunneled and non-tunneled cable modems on the same DOCSIS cable network.
  • Allows customers to create a single, secure virtual network with Ethernet Layer 2 connectivity for multiple sites.
  • Allows multiple tunnels from different customers and endpoints to be aggregated into a single bridge, so as to maximize the use of bandwidth and other network resources.
  • Supports the tunneling of multiple Layer 3, non-IP protocols, and not just IP Layer 3 services, as is the case with Layer 3 solutions, such as Multiprotocol Label Switching (MPLS) VPNs.
  • All DOCSIS services, including BPI+ encryption and authentication, continue to be supported for all cable modems.

How to Configure the Transparent LAN Service over Cable


Configuring IEEE 802.1Q VLAN Mapping

This section describes how to enable Layer 2 mapping on the Cisco CMTS, and then to map particular cable modems to an IEEE 802.1Q VLAN.

Enabling and Configuring Layer 2 Tunneling for IEEE 802.1Q Mapping

This section describes how to enable Layer 2 mapping on the Cisco CMTS, and then to map particular cable modems to IEEE 802.1Q VLANs on a Ten Gigabit Ethernet interface.

Procedure
    Command or Action / Purpose

    Step 1: enable

    Example:
    Router> enable

    Enables privileged EXEC mode. Enter your password if prompted.

    Step 2: configure terminal

    Example:
    Router# configure terminal

    Enters global configuration mode.

    Step 3: cable l2-vpn-service xconnect nsi dot1q

    Example:
    Router(config)# cable l2-vpn-service xconnect nsi dot1q

    Enables Layer 2 tunneling for IEEE 802.1Q VLAN mapping.

    Note: It is not required to configure VLAN trunking on the Cisco CMTS. Though VLAN trunking is supported, be aware of additional impact of VLAN trunking on the Cisco CMTS.

    Step 4: cable dot1q-vc-map mac-address ethernet-interface vlan-id [cust-name]

    Example:
    Router(config)# cable dot1q-vc-map 0000.0C04.0506 TenGigabitEthernet4/1/0 10

    Maps the specified MAC address of a cable modem to the indicated VLAN and Ten Gigabit Ethernet interface.

    Note: Repeat this command for each cable modem that is to be mapped to an IEEE 802.1Q VLAN.

    Step 5: end

    Example:
    Router(config)# end

    Exits global configuration mode and returns to privileged EXEC mode.

    Creating the IEEE 802.1Q VLAN Bridge Group

    This section describes the minimum configuration needed to configure a Cisco router, which is acting as an IEEE 802.1Q VLAN bridge aggregator, so that it can terminate the VLANs being used with the Transparent LAN Service over Cable feature.

    Procedure

      Command or Action / Purpose

      Step 1: enable

      Example:
      Router> enable

      Enables privileged EXEC mode. Enter your password if prompted.

      Step 2: configure terminal

      Example:
      Router# configure terminal

      Enters global configuration mode.

      Step 3: interface TenGigabitEthernet slot/subslot/port

      Example:
      Router(config)# interface TenGigabitEthernet4/1/0

      Enters interface configuration mode for the Ten Gigabit Ethernet interface.

      Step 4: ip address ip-address mask

      Example:
      Router(config-if)# ip address 10.10.10.85 255.255.255.0

      Configures the interface with the specified IP address and subnet mask.

      Step 5: exit

      Example:
      Router(config-if)# exit

      Exits interface configuration and returns to global configuration mode.

      Step 6: interface TenGigabitEthernet slot/subslot/port.y

      Example:
      Router(config)# interface TenGigabitEthernet4/1/0.10

      Creates a subinterface on the Ten Gigabit Ethernet interface.

      Note: To simplify network management, set the subinterface number to the same value as the VLAN ID that will use this subinterface (which in this case is 10).

      Note: The step to create a subinterface is not essential for dot1q tagging of frames, but it is recommended.

      Step 7: bridge-group number

      Example:
      Router(config-if)# bridge-group 20

      Configures this subinterface to belong to the specified bridge group.

      Note: Repeat Step 5 through Step 7 for each subinterface to be created and bridged.

      Step 8: end

      Example:
      Router(config-if)# end

      Exits interface configuration mode and returns to privileged EXEC mode.

      Configuration Examples for Transparent LAN Service over Cable

      This section lists sample configurations for the Transparent LAN Service over Cable feature on a CMTS router and on a Cisco router acting as a bridge aggregator:

      Example: Configuring IEEE 802.1Q VLAN Mapping

      The following partial configuration is a typical example in which a number of cable modems are mapped to two different IEEE 802.1Q VLANs.

      cable l2-vpn-service xconnect nsi dot1q 
      ! Customer 1 
      cable dot1q-vc-map 000C.0e03.69f9 TenGigabitEthernet 4/1/0 10 Customer1
      cable dot1q-vc-map 0010.7bea.9c95 TenGigabitEthernet 4/1/0 11 Customer1
      cable dot1q-vc-map 0010.7bed.81c2 TenGigabitEthernet 4/1/0 12 Customer1
      cable dot1q-vc-map 0010.7bed.9b1a TenGigabitEthernet 4/1/0 13 Customer1
      ! Customer 2 
      cable dot1q-vc-map 0002.fdfa.137d TenGigabitEthernet 4/1/0 20 Customer2
      cable dot1q-vc-map 0006.28f9.9d19 TenGigabitEthernet 4/1/0 21 Customer2
      cable dot1q-vc-map 000C.7b6b.58c1 TenGigabitEthernet 4/1/0 22 Customer2
      cable dot1q-vc-map 000C.7bed.9dbb TenGigabitEthernet 4/1/0 23 Customer2
      cable dot1q-vc-map 000C.7b43.aa7f TenGigabitEthernet 4/1/0 24 Customer2
      cable dot1q-vc-map 0050.7302.3d83 TenGigabitEthernet 4/1/0 25 Customer2
      ...

      Example: Configuring IEEE 802.1Q Bridge Aggregator

      The following example shows a router being used as a bridge aggregator to transmit VLANs across the same Ten Gigabit Ethernet interface, using IEEE 802.1Q tagging.

      ! 
      interface TenGigabitEthernet4/1/0
       ip address 10.10.10.31 255.255.255.0 
       duplex full 
       speed auto 
      !
      interface TenGigabitEthernet4/1/0.10
       description Customer1-site10 
       encapsulation dot1Q 10 
       bridge-group 200 
      interface TenGigabitEthernet4/1/0.11
       description Customer1-site11
       encapsulation dot1Q 11
       bridge-group 200 
      interface TenGigabitEthernet4/1/0.12 
       description Customer1-site12
       encapsulation dot1Q 12
       bridge-group 200 
      interface TenGigabitEthernet4/1/0.13 
       description Customer1-site13
       encapsulation dot1Q 13 
       bridge-group 200 
      !------------------------------------
      interface TenGigabitEthernet4/1/0.20 
       description Customer2-site20
       encapsulation dot1Q 20
       bridge-group 201 
      interface TenGigabitEthernet4/1/0.21 
       description Customer2-site21
       encapsulation dot1Q 21
       bridge-group 201 
      interface TenGigabitEthernet4/1/0.22 
       description Customer2-site22
       encapsulation dot1Q 22
       bridge-group 201 
      interface TenGigabitEthernet4/1/0.23 
       description Customer2-site23
       encapsulation dot1Q 23
       bridge-group 201 
      interface TenGigabitEthernet4/1/0.24 
       description Customer2-site24
       encapsulation dot1Q 24
       bridge-group 201 
      interface TenGigabitEthernet4/1/0.25 
       description Customer2-site25
       encapsulation dot1Q 25
       bridge-group 201 
      !
      bridge 200 protocol ieee
      bridge 201 protocol ieee
      ...
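The isolation between customers depends on the two configurations above agreeing with each other: each customer's VLANs must terminate in that customer's bridge group and in no other. The following cross-check is an added example, not part of the Cisco documentation. The finding labels are invented for this sketch, and the sample configurations are constructed from the page's examples with three deliberate faults.

```python
import re
from collections import defaultdict

MAP_RE = re.compile(r"^\s*cable dot1q-vc-map\s+([0-9A-Fa-f.]+)\s+([A-Za-z]+)\s*"
                    r"([\d/]+)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_cmts(text):
    """Return [(mac, interface, vlan_id, customer)] from 'cable dot1q-vc-map' lines."""
    hits = filter(None, map(MAP_RE.match, text.splitlines()))
    return [(m[1].lower(), m[2] + m[3], int(m[4]), m[5] or "(unnamed)") for m in hits]

def parse_aggregator(text):
    """Return {vlan_id: bridge_group} from the aggregator's subinterfaces."""
    vlan_to_bg, vlan = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            vlan = None                      # new block: forget the previous VLAN
        elif m := re.match(r"encapsulation dot1[Qq]\s+(\d+)", s):
            vlan = int(m.group(1))
        elif (m := re.match(r"bridge-group\s+(\d+)", s)) and vlan is not None:
            vlan_to_bg[vlan] = int(m.group(1))
    return vlan_to_bg

def audit(cmts_text, aggregator_text):
    """List isolation problems between the two configurations."""
    findings, seen_mac, vlan_owner = [], {}, {}
    cust_bgs, bg_custs = defaultdict(set), defaultdict(set)
    vlan_to_bg = parse_aggregator(aggregator_text)
    for mac, _intf, vlan, cust in parse_cmts(cmts_text):
        if mac in seen_mac:                  # same modem mapped more than once
            findings.append(f"duplicate-mac {mac}: VLAN {seen_mac[mac]} and {vlan}")
        seen_mac[mac] = vlan
        if vlan_owner.setdefault(vlan, cust) != cust:
            findings.append(f"shared-vlan {vlan}: {vlan_owner[vlan]} and {cust}")
        bg = vlan_to_bg.get(vlan)
        if bg is None:                       # tagged frames have nowhere to bridge
            findings.append(f"unbridged-vlan {vlan} ({cust})")
            continue
        cust_bgs[cust].add(bg)
        bg_custs[bg].add(cust)
    for cust, bgs in sorted(cust_bgs.items()):
        if len(bgs) > 1:                     # one customer should use one bridge group
            findings.append(f"split-customer {cust}: bridge groups {sorted(bgs)}")
    for bg, custs in sorted(bg_custs.items()):
        if len(custs) > 1:                   # two customers bridged together
            findings.append(f"mixed-bridge-group {bg}: {sorted(custs)}")
    return findings

# Constructed sample: VLAN 21 is in the wrong bridge group, VLAN 22 has no subinterface.
CMTS = """
cable dot1q-vc-map 000c.0e03.69f9 TenGigabitEthernet 4/1/0 10 Customer1
cable dot1q-vc-map 0002.fdfa.137d TenGigabitEthernet 4/1/0 20 Customer2
cable dot1q-vc-map 0006.28f9.9d19 TenGigabitEthernet 4/1/0 21 Customer2
cable dot1q-vc-map 000c.7b6b.58c1 TenGigabitEthernet 4/1/0 22 Customer2
"""
AGGREGATOR = """
interface TenGigabitEthernet4/1/0.10
 encapsulation dot1Q 10
 bridge-group 200
interface TenGigabitEthernet4/1/0.20
 encapsulation dot1Q 20
 bridge-group 201
interface TenGigabitEthernet4/1/0.21
 encapsulation dot1Q 21
 bridge-group 200
"""

if __name__ == "__main__":
    print("\n".join(audit(CMTS, AGGREGATOR)))
```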
      
      

      Verifying the Transparent LAN Service over Cable Configuration

      • show cable l2-vpn xconnect dot1q-vc-map —Displays the mapping information of the cable modems to IEEE 802.1Q VLANs.

        Following is a sample output of the command:

        Router# show cable l2-vpn xconnect dot1q-vc-map 
        
        MAC Address    Ethernet Interface      VLAN ID   Cable Intf  SID  Customer Name/VPNID
        38c8.5cac.4a62 TenGigabitEthernet4/1/2     56    Cable3/0/0  4    Customer2
        38c8.5cfe.f6fa TenGigabitEthernet4/1/2     34    Cable3/0/0  3    Customer1
        602a.d083.2e1c TenGigabitEthernet4/1/4     43    Cable3/0/0  5    Customer3
        
        
      • show cable l2-vpn xconnect dot1q-vc-map customer name—Displays the mapping information of the cable modems to IEEE 802.1Q VLANs for the specified customer name.

        Following is a sample output of the command.

        Router# show cable l2-vpn xconnect dot1q-vc-map customer Customer1
        
        MAC Address    Ethernet Interface      VLAN ID   Cable Intf  SID  Customer Name/VPNID
        38c8.5cfe.f6fa TenGigabitEthernet4/1/2     34    Cable3/0/0  3    Customer1
        
        
      • show cable l2-vpn xconnect dot1q-vc-map mac-address—Displays the mapping information of the cable modems to IEEE 802.1Q VLANs for the specified MAC address.

        Following is a sample output of the command:

        Router# show cable l2-vpn xconnect dot1q-vc-map 38c8.5cac.4a62   
              
        MAC Address    Ethernet Interface      VLAN ID   Cable Intf  SID  Customer Name/VPNID
        38c8.5cac.4a62 TenGigabitEthernet4/1/2     56    Cable3/0/0  4    Customer2
        
        
      • show cable l2-vpn xconnect dot1q-vc-map mac-address verbose—Displays additional information about the Layer 2 mapping, including the number of packets and bytes received on the upstream and downstream.

        Following is a sample output of the command:

        Router# show cable l2-vpn xconnect dot1q-vc-map 38c8.5cac.4a62 verbose 
        
        MAC Address                         : 38c8.5cac.4a62
        Customer Name                       : Customer2
        Prim Sid                            : 4
        Cable Interface                     : Cable3/0/0
        Ethernet Interface                  : TenGigabitEthernet4/1/2
        DOT1Q VLAN ID                       : 56
        Total US pkts                       : 1
        Total US bytes                      : 342
        Total DS pkts                       : 4
        Total DS bytes                      : 512
        
        

      Additional References

      Related Documents

      Related Topic: Document Title

      • Virtual LAN Configuration: Virtual LANS in the Cisco IOS Switching Services Configuration Guide, Release 12.2, at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/switch/configuration/guide/fswtch_c.html

      • Virtual LAN Command Reference: Cisco IOS Switching Services Command Reference, Release 12.2, at the following URL: http://www.cisco.com/en/US/docs/ios/12_2/switch/command/reference/fswtch_r.html

      Standards

      Standards: Title

      • SP-RFIv1.1-I08-020301: Data-over-Cable Service Interface Specifications Radio Frequency Interface Specification

      • IEEE 802.1Q, 1998 Edition: IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

      RFCs

      RFCs (see footnote 2): Title

      • RFC 1163: A Border Gateway Protocol

      • RFC 1164: Application of the Border Gateway Protocol in the Internet

      • RFC 2233: DOCSIS OSSI Objects Support

      • RFC 2283: Multiprotocol Extensions for BGP-4

      • RFC 2665: DOCSIS Ethernet MIB Objects Support

      • RFC 2669: Cable Device MIB

      2 Not all supported RFCs are listed.

      Feature Information for Transparent LAN Service over Cable

      Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/. An account on http://www.cisco.com/ is not required.

      Note: The table below lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Table 2 Feature Information for Transparent LAN Service over Cable

      Feature Name: Transparent LAN Service over Cable

      Releases: Cisco IOS-XE Release 3.15.0S

      Feature Information: This feature was introduced on the Cisco cBR Series Converged Broadband Routers.