North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Anyone deployed FlexCAP2 ADSL?
>Has anyone on this list deplyed an ADSL network using Westell's FlexCAP2 >product? I have some network engineers telling me that they need to use an >entire /29 of 8 IP addresses for each single subscriber connection. This >doesn't seem right to me and I'd love to talk with someone who has >actually deployed this stuff.. I've been looking into ADSL, and this doesn't seem right to me. Historically, I have assigned employees a /29 so that they can have multiple machines at home with global network addresses if they indicate they have multiple machines, but thats not a requirement. They can easily get along with a single address and a NAT. >The ADSL component basically provides an Ethernet bridge between the >subscriber and the CO. The network engineers that I am dealing with tell >me that these bridged Ethernet connections have to go into a Catalyst 5500 >switch in which each Ethernet port is on a separate VLAN in order to >prevent neighbors from sniFfing each other's traffic. And because of the >VLANs in the 5500 with 2 RSMs, they need to allocate a block of 8 globally >routable IP addresses in order to supply a subscriber with one globvally >routable host connection. Ah. Thats a slightly different requirement. The advantage of the VLANs is that they prevent distribution of all traffic including broadcast traffic to other VLAN's as in the picture below. Are you committed to this type of network design? Cat Etherswitch -- ADSL bridge -- Customer1 Ethernet ^- x.1 -------------- VLAN ------------ x.* -^ \-- ADSL bridge -- CustomerN Ethernet ^- y.1 -------------- VLAN ------------ y.* -^ I actually have some customers within our Boston building who are connected this way, but I had spare ethernet ports on the router, rather than a VLAN. The early Xylan VLAN's I think were limited in their size. Basically, they have an internal table that could overflow. As I recall, when it overflows, performance is degraded, but traffic isn't sent to everyone. I'm not sure on the catalyst. I used the Xylans back in '94 or so to connect multiple ethernet and token ring networks over a single fiber pair between offices on different floors in a large office building,turning 2 Xylan boxes into big IP multiplexors to handle a very large number of fairly small IP networks for testing purposes. But the equipment has changed a lot since then, and is quite a bit better, now. In the above case though, the customer will probably still need a router or NAT,or will have to be very small. On the other hand, this has the advantage that it is probably easier to sell to the small customer without a firewall or NAT, since they don't actually need another router, initially. This is what I am planning: Some Etherswitch -- ADSL bridge -- CPE router -- Customer1 Ethernet ^- a.1 ---- internal net ----- a.2 -^ ^---- Cust glbl addr space \-- ADSL bridge -- CPE router -- CustomerN Ethernet ^- a.1 ---- internal net ----- a.n -^ ^---- Cust glbl addr space In this case, the customer may or may not need/want another router or a NAT. It's up to them. Address space allocation is flexible, and operations are identical to current leased line operations, from the point of view of the customer. A possibility available with this design is to use RFC 1918 nets for the internal bridged ethernets, thus reducing your own needs for address space. This can't really be done with VLAN's unless your customer doesn't need any global address space. There are some issues to consider. The customer could remove the router, and deviously send multiple mac addresses, in order to snoop the switch. This is a detectable situation on good snmp manageble switches. An etherswitch normally prevents sniffing of all non-broadcast traffic. Assuming you have a only a router at the client site, you shouldn't be getting any broadcast traffic on the switch, except for arps. The router should be the only device seen by the switch. The etherswitch usually has limited number of entries in its internal per port mac address table, (8 or 16 mac addresses per port on most older equipment). When the number is exceeded, the port changes from switching to normal ethernet, distributing all traffic, and allowing the customer to snoop the hub. Once this is detected, the port can be turned off via SNMP. (out of band, of course If its done in-band, the snooper can see the snmp set, and get the community name, and possibly turn the port back on via another connection). However this depends on and requires that you monitor your switches, and that your switch either reports the number of MAC's per port, or better, limits the MAC to a specified MAC (turning off the port when a different MAC is seen), and can shut off ports individually. I think you'll find the Synoptics/Bay switches fit nicely, and are sometimes cheaper than the catalyst. A disadvantage is that you have to exercise more control over the router on the customer premises, and be able to handle the case where it is compromised, or removed by the customer. But this is a surmountable problem. --Dean P.S. An SNMP RMON device would be a pen register, and thus excluded from 18 USC 2511 monitoring. :-) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Plain Aviation, Inc [email protected] LAN/WAN/UNIX/NT/TCPIP http://www.av8.com ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++