
Multicasting, Security – Ericsson SOLUTION DESCRIPTION EDA 1200 4.0 User Manual


Multicasting

EDA supports the increasing demand for streaming and
high-quality broadcast video services by offering
multicast for video streams both in the IP DSLAM (using
IGMP snooping) and in the aggregation layer.

With Internet Group Management Protocol (IGMP)
snooping, parallel transmission of the same video
stream is avoided: the IP DSLAM snoops the membership
reports (join requests) from one end-user and attaches
that user to a stream that is already flowing towards
another user, which saves Ethernet bandwidth between
the IP DSLAM and the aggregation network.

The Advanced IGMP White List function inside the IP
DSLAM lets the operator specify which content-differentiated
services are filtered in the IP DSLAM. The whitelist is
end-user specific and is used to validate end-user IGMP
reports (join requests): a report for a multicast group
that is not on that end-user's whitelist is rejected. The
whitelist can be updated with definitions of allowed
multicast group addresses and address ranges, and with
the VLAN in which each multicast group is available.
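The validation step described above, written out as an added example (this is not Ericsson EDA code). The whitelist syntax (prefixes or first-last ranges, keyed by a line identifier and a VLAN) and all addresses are constructed for the example; the IGMP message layouts follow RFC 2236 (IGMPv2) and RFC 3376 (IGMPv3). Source lists in IGMPv3 records are parsed but do not influence the decision, matching a node that signals IGMPv3 without source-specific forwarding.

```python
"""Per-end-user IGMP whitelist check (added example, not Ericsson EDA code)."""
import ipaddress
import struct
from dataclasses import dataclass

IGMP_V2_REPORT = 0x16
IGMP_V3_REPORT = 0x22
IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class WhitelistEntry:
    networks: tuple  # IPv4Network objects covering the allowed groups
    vlan: int        # VLAN in which these groups are delivered


def parse_entry(spec: str, vlan: int) -> WhitelistEntry:
    """spec is '239.1.1.5', '239.1.1.0/24' or '239.2.0.1-239.2.0.20' (assumed syntax)."""
    if "-" in spec:
        lo, hi = (IPv4(p) for p in spec.split("-", 1))
        nets = tuple(ipaddress.summarize_address_range(lo, hi))
    else:
        nets = (ipaddress.ip_network(spec, strict=False),)
    return WhitelistEntry(nets, vlan)


def allowed(whitelist: dict, line_id: str, group, vlan: int) -> bool:
    """True if this line may join `group` in `vlan`; a line with no entries may join nothing."""
    return any(e.vlan == vlan and any(group in n for n in e.networks)
               for e in whitelist.get(line_id, ()))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 over a message that already carries one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def requested_groups(igmp: bytes) -> list:
    """Groups a membership report asks to receive. Raises ValueError on malformed input."""
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        raise ValueError("short IGMP message or bad checksum")
    kind = igmp[0]
    if kind == IGMP_V2_REPORT:
        return [IPv4(igmp[4:8])]
    if kind != IGMP_V3_REPORT:
        return []                      # queries and v2 leaves never add traffic
    (count,) = struct.unpack("!H", igmp[6:8])
    groups, off = [], 8
    for _ in range(count):
        if off + 8 > len(igmp):
            raise ValueError("truncated group record")
        rtype, auxlen, nsrc = struct.unpack("!BBH", igmp[off:off + 4])
        group = IPv4(igmp[off + 4:off + 8])
        off += 8 + 4 * nsrc + 4 * auxlen
        if off > len(igmp):
            raise ValueError("group record overruns message")
        # EXCLUDE-mode records (2, 4) and ALLOW_NEW_SOURCES (5) request the group;
        # INCLUDE-mode records (1, 3) only if they list sources; BLOCK (6) never does.
        # The source addresses themselves are ignored: forwarding is not source-specific.
        if rtype in (2, 4, 5) or (rtype in (1, 3) and nsrc > 0):
            groups.append(group)
    return groups


def filter_report(whitelist: dict, line_id: str, vlan: int, igmp: bytes):
    """Split a report received from `line_id` in `vlan` into accepted and rejected groups."""
    accepted, rejected = [], []
    for g in requested_groups(igmp):
        (accepted if allowed(whitelist, line_id, g, vlan) else rejected).append(g)
    return accepted, rejected


def build_v3_report(groups, record_type: int = 4) -> bytes:
    """Constructed IGMPv3 report with one record per group (type 4 = CHANGE_TO_EXCLUDE, a join)."""
    records = b"".join(struct.pack("!BBH4s", record_type, 0, 0, g.packed) for g in groups)
    msg = struct.pack("!BBHHH", IGMP_V3_REPORT, 0, 0, 0, len(groups)) + records
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


# Constructed whitelist: line-7 may watch 239.1.1.0/24 and 239.2.0.1-20, all in VLAN 100.
WHITELIST = {"line-7": [parse_entry("239.1.1.0/24", 100),
                        parse_entry("239.2.0.1-239.2.0.20", 100)]}

if __name__ == "__main__":
    report = build_v3_report([IPv4("239.1.1.5"), IPv4("239.2.0.21"), IPv4("239.2.0.20")])
    print(filter_report(WHITELIST, "line-7", 100, report))
```

Two details matter in practice: a report is rejected outright if its checksum does not verify, so a malformed frame cannot slip a group past the check, and a leave (CHANGE_TO_INCLUDE with no sources) is deliberately not treated as a join, so the whitelist does not block users from leaving streams.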

IGMPv3 (EDN612)

EDA 1200 supports IGMPv3 signaling without source-specific
routing: IGMPv3 reports are accepted, but forwarding is not
selected per source address.

Security

EDA bases security on four basic principles:
• Filtering of Ethernet frames in the IP DSLAM
• Forced Forwarding
• Virtual MAC address to prevent MAC spoofing
• Layer 2 separation of Ethernet services in virtual sub-networks or tunnels, using Virtual LAN (VLAN)

Filtering

By use of specific filtering, the IP DSLAM controls the
traffic to and from the EDA end-user and restricts the
types of frames/packets it forwards. The filtering policy
is based on a wide set of rules controlled by the access
provider, and the rules can be updated on the fly if a
security risk is discovered. The rules can also be
configured individually per PVC. The filtering can
combine rules on broadcast, source MAC/IP, destination
MAC/IP, Ethernet frame type, and IP port.
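An added example of such a per-PVC rule set (not Ericsson EDA code): a small first-match filter over the same rule fields the text lists, applied to upstream frames from one line. The PVC identifier, the subscriber's MAC and IP address and the policy itself are constructed for the example; the frame layouts are standard Ethernet II, 802.1Q, IPv4 and UDP.

```python
"""Per-PVC frame filter for an access line (added example, not Ericsson EDA code)."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

BROADCAST = b"\xff" * 6
ETH_IP, ETH_ARP, ETH_VLAN = 0x0800, 0x0806, 0x8100
IP_UDP, IP_TCP = 17, 6


@dataclass
class Frame:
    dst_mac: bytes
    src_mac: bytes
    ethertype: int
    src_ip: ipaddress.IPv4Address | None = None
    dst_ip: ipaddress.IPv4Address | None = None
    proto: int | None = None
    src_port: int | None = None
    dst_port: int | None = None


def parse_frame(raw: bytes) -> Frame:
    """Decode only the headers the rules refer to; anything deeper is left alone."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    off = 14
    if etype == ETH_VLAN and len(raw) >= 18:        # 802.1Q tagged: skip the TCI
        (etype,) = struct.unpack("!H", raw[16:18])
        off = 18
    f = Frame(dst, src, etype)
    if etype == ETH_IP and len(raw) >= off + 20:
        ihl = (raw[off] & 0x0F) * 4
        f.proto = raw[off + 9]
        f.src_ip = ipaddress.IPv4Address(raw[off + 12:off + 16])
        f.dst_ip = ipaddress.IPv4Address(raw[off + 16:off + 20])
        l4 = off + ihl
        if f.proto in (IP_UDP, IP_TCP) and len(raw) >= l4 + 4:
            f.src_port, f.dst_port = struct.unpack("!HH", raw[l4:l4 + 4])
    return f


@dataclass
class Rule:
    """Every field left as None is a wildcard; the first matching rule decides."""
    action: str                 # "permit" or "deny"
    broadcast: bool | None = None
    src_mac: bytes | None = None
    dst_mac: bytes | None = None
    ethertype: int | None = None
    src_ip: ipaddress.IPv4Network | None = None
    dst_ip: ipaddress.IPv4Network | None = None
    proto: int | None = None
    dst_port: int | None = None

    def matches(self, f: Frame) -> bool:
        if self.broadcast is not None and (f.dst_mac == BROADCAST) != self.broadcast:
            return False
        for name in ("src_mac", "dst_mac", "ethertype", "proto", "dst_port"):
            want = getattr(self, name)
            if want is not None and getattr(f, name) != want:
                return False
        for name in ("src_ip", "dst_ip"):
            net, have = getattr(self, name), getattr(f, name)
            if net is not None and (have is None or have not in net):
                return False
        return True


def decide(rules: list, raw: bytes) -> str:
    """Apply one PVC's rule list to an upstream frame; no match means deny."""
    try:
        frame = parse_frame(raw)
    except ValueError:
        return "deny"
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "deny"


def eth(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan: int | None = None) -> bytes:
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes = b"") -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_UDP, 0,
                      ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return hdr + udp            # IP checksum left zero: not something the filter inspects


# Constructed policy for one PVC whose subscriber was assigned 203.0.113.45.
SUB_MAC = bytes.fromhex("001122334455")
POLICY = {"8/35": [
    Rule("permit", ethertype=ETH_ARP),                                      # ARP towards the gateway
    Rule("permit", ethertype=ETH_IP, proto=IP_UDP, dst_port=67),            # DHCP to the server
    Rule("deny", broadcast=True),                                           # no other broadcast
    Rule("permit", ethertype=ETH_IP, src_ip=ipaddress.ip_network("203.0.113.45/32")),  # anti-spoof
]}

if __name__ == "__main__":
    dhcp = eth(BROADCAST, SUB_MAC, ETH_IP, ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67))
    spoof = eth(bytes.fromhex("0000c0ffee01"), SUB_MAC, ETH_IP, ipv4_udp("10.0.0.99", "198.51.100.1", 1234, 53))
    print(decide(POLICY["8/35"], dhcp), decide(POLICY["8/35"], spoof))
```

The rule order is the policy: DHCP is permitted before the broadcast deny so that a client can still obtain an address, and the final permit is keyed to the subscriber's own source address, so a frame with a forged source IP falls through to the default deny.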

Forced Forwarding (RFC 4562)

Forced Forwarding is an EDA technique that prevents
direct connections between end-users. It separates the
users at layer 2 and forces each end-user to send all
upstream traffic through a router. The layer 2 separation
is achieved by an ARP proxy function in the IP DSLAM.
When End-user (1) tries to communicate with End-user (2)
within the same VLAN, it issues an ARP request to get
the destination MAC address. The ARP proxy answers that
request with the MAC address of the default gateway
instead of the MAC address of End-user (2). End-user (1)
therefore sends its traffic to the default gateway,
believing that MAC address to be End-user (2), so all
traffic between end-users passes through the router.
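The ARP proxy exchange above, as an added example that is not part of the manual or of the EDA product code. The gateway and end-user addresses are constructed, and the policy for non-ARP frames and for user-originated ARP replies is an assumption made for the example; the frame layout is RFC 826 ARP over Ethernet II.

```python
"""ARP proxy for forced forwarding (added example, not Ericsson EDA code)."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FRAME = "!6s6sH" + "HHBBH6s4s6s4s"     # Ethernet header + ARP body, 42 bytes


@dataclass(frozen=True)
class Arp:
    eth_dst: bytes
    eth_src: bytes
    oper: int
    sha: bytes                  # sender hardware address
    spa: ipaddress.IPv4Address  # sender protocol address
    tha: bytes                  # target hardware address
    tpa: ipaddress.IPv4Address  # target protocol address


def parse_arp(raw: bytes) -> Arp | None:
    """Return the ARP fields, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(raw) < 42:
        return None
    d, s, et, htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FRAME, raw[:42])
    if et != ETH_ARP or htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return Arp(d, s, oper, sha, ipaddress.IPv4Address(spa), tha, ipaddress.IPv4Address(tpa))


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    return struct.pack(ARP_FRAME, eth_dst, eth_src, ETH_ARP, 1, 0x0800, 6, 4, oper,
                       sha, spa.packed, tha, tpa.packed)


class ForcedForwardingProxy:
    """Answers ARP requests from end-user lines so every peer resolves to the gateway MAC."""

    def __init__(self, gateway_mac: bytes, gateway_ip: str, subnet: str):
        self.gw_mac = gateway_mac
        self.gw_ip = ipaddress.IPv4Address(gateway_ip)
        self.subnet = ipaddress.ip_network(subnet)

    def handle_upstream(self, raw: bytes):
        """Decide what to do with one frame received from an end-user line.

        Returns ("reply", frame) for a reply to send back down the same line,
        ("drop", None) for ARP that must not propagate, or ("forward", None) for
        non-ARP frames, which continue on the normal filtering/forwarding path.
        ARP requests are never flooded to other end-user lines, so users cannot
        learn each other's real MAC addresses or answer each other's requests."""
        arp = parse_arp(raw)
        if arp is None:
            return ("forward", None)
        if arp.oper != ARP_REQUEST:
            return ("drop", None)                    # replies originated by users are discarded
        if arp.tpa != self.gw_ip and arp.tpa not in self.subnet:
            return ("drop", None)                    # hosts only ARP for on-link addresses
        # Whether the request is for the gateway itself or for another end-user in the
        # subnet, the answer carries the gateway's MAC as the sender hardware address.
        reply = build_arp(arp.eth_src, self.gw_mac, ARP_REPLY,
                          self.gw_mac, arp.tpa, arp.sha, arp.spa)
        return ("reply", reply)


# Constructed addresses: two end-users in 203.0.113.0/24 behind one IP DSLAM.
GW_MAC = bytes.fromhex("0000c0ffee01")
GW_IP = ipaddress.IPv4Address("203.0.113.1")
USER1_MAC, USER1_IP = bytes.fromhex("001122334455"), ipaddress.IPv4Address("203.0.113.45")
USER2_IP = ipaddress.IPv4Address("203.0.113.46")
OFF_LINK_IP = ipaddress.IPv4Address("198.51.100.7")
BROADCAST = b"\xff" * 6

if __name__ == "__main__":
    proxy = ForcedForwardingProxy(GW_MAC, "203.0.113.1", "203.0.113.0/24")
    request = build_arp(BROADCAST, USER1_MAC, ARP_REQUEST, USER1_MAC, USER1_IP, b"\x00" * 6, USER2_IP)
    action, reply = proxy.handle_upstream(request)
    print(action, parse_arp(reply))
```

After the exchange, End-user (1)'s ARP cache holds 203.0.113.46 mapped to the gateway MAC, so its next IP packet for End-user (2) is addressed at layer 2 to the router. Dropping ARP replies that originate on an end-user line closes the obvious complement: a user cannot poison a neighbour's cache with an unsolicited reply either.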

Virtual MAC address

To prevent MAC spoofing, and to allow access for
multiple end-users with identical MAC addresses, the
EDA solution offers the use of Virtual MAC (VMAC)
addresses. Using a virtual MAC for an end-user ensures
that MAC addresses are unique within the EDA 1200
network, independent of the MAC address used on the
end-user line: all traffic from the end-user line carries
a specific MAC address derived from the topology of the
EDA 1200 network rather than the address chosen by the
end-user's equipment.

1:1 MAC address translation

EDA 1200 supports 1:1 MAC address translation. This
feature translates each individual end-user MAC
address to a unique VMAC address used within the
network.

N:1 MAC address translation (EDN612)

EDA 1200 supports N:1 MAC address translation. This
feature translates multiple end-user MAC addresses to
be represented by a single MAC address within the
network. It can be used to save space in the MAC-
tables of the switches in the access aggregation
network.
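An added example covering both translation modes above (not Ericsson EDA code): a translator that rewrites source MAC addresses upstream and restores destination addresses downstream. The VMAC layout (a locally administered prefix of 02, then node id, line id and a per-line host index), the per-line MAC limit, and the use of the destination IP address to demultiplex downstream traffic in N:1 mode are assumptions made for this example; the manual does not describe how the EDA 1200 derives its VMACs or resolves N:1 downstream traffic.

```python
"""Virtual MAC translation, 1:1 and N:1 (added example, not Ericsson EDA code)."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str | None = None
    dst_ip: str | None = None


def make_vmac(node_id: int, line_id: int, host_idx: int) -> str:
    """Assumed topology-derived address: 02:<node hi>:<node lo>:<line hi>:<line lo>:<host>."""
    return "02:%02x:%02x:%02x:%02x:%02x" % (
        (node_id >> 8) & 0xFF, node_id & 0xFF, (line_id >> 8) & 0xFF, line_id & 0xFF, host_idx & 0xFF)


class VmacTranslator:
    def __init__(self, node_id: int, mode: str = "1:1", max_hosts_per_line: int = 8):
        assert mode in ("1:1", "N:1")
        self.node_id, self.mode, self.max_hosts = node_id, mode, max_hosts_per_line
        self.up = {}        # (line, end-user MAC) -> VMAC             (1:1)
        self.down = {}      # VMAC -> (line, end-user MAC) or line     (1:1 / N:1)
        self.ip_bind = {}   # (line, IP) -> end-user MAC               (N:1 downstream demux, assumed)
        self.hosts = {}     # line -> number of VMACs handed out       (1:1)

    def upstream(self, line: int, f: Frame) -> Frame:
        """Rewrite the source MAC of a frame received on `line` before it enters the network.

        Whatever MAC the end-user equipment used, the network only sees a VMAC that
        encodes this node and line, so a spoofed source MAC cannot collide with
        another line's address or with the gateway's."""
        if self.mode == "1:1":
            key = (line, f.src_mac)
            if key not in self.up:
                idx = self.hosts.get(line, 0)
                if idx >= self.max_hosts:
                    raise PermissionError("line %d exceeded its MAC limit" % line)
                self.hosts[line] = idx + 1
                self.up[key] = make_vmac(self.node_id, line, idx)
                self.down[self.up[key]] = key
            return replace(f, src_mac=self.up[key])
        vm = make_vmac(self.node_id, line, 0)           # N:1: one VMAC for the whole line
        self.down[vm] = line
        if f.src_ip is not None:
            self.ip_bind[(line, f.src_ip)] = f.src_mac   # remember which host owns this IP
        return replace(f, src_mac=vm)

    def downstream(self, f: Frame):
        """Map a frame from the network to (line, frame with the real MAC), or None to drop it."""
        if f.dst_mac not in self.down:
            return None                                 # not a VMAC issued by this node
        if self.mode == "1:1":
            line, mac = self.down[f.dst_mac]
        else:
            line = self.down[f.dst_mac]
            mac = self.ip_bind.get((line, f.dst_ip))
            if mac is None:
                return None                             # no host behind that line owns the IP
        return line, replace(f, dst_mac=mac)


if __name__ == "__main__":
    t = VmacTranslator(node_id=7)
    same_mac = "00:11:22:33:44:55"                      # two CPEs shipped with the same MAC
    print(t.upstream(3, Frame(same_mac, "00:00:c0:ff:ee:01", "203.0.113.45", "198.51.100.1")))
    print(t.upstream(4, Frame(same_mac, "00:00:c0:ff:ee:01", "203.0.113.46", "198.51.100.1")))
```

In 1:1 mode two lines presenting the same end-user MAC get two distinct VMACs, and a frame whose source MAC imitates another line's VMAC is simply given the next index on its own line. In N:1 mode every host behind a line shares one VMAC, so the aggregation switches learn one entry per line; the cost is that the node must keep some other binding (here the IP address learned upstream) to deliver downstream frames to the right host.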

VLANs

The Ethernet Access Domain traffic may be separated
by use of different VLANs for different traffic types
(VLAN per service). It is also possible to configure
VLANs per node, or even a VLAN per end-user, e.g. for
business access. VLAN per end-user is commonly
referred to as the 1:1 VLAN model, while VLAN per
service or per node is designated the N:1 VLAN model.