I recently set up TLS on a uBR7225VXR (NPE-G2) running Version 12.2(33)SCD5 and an MC88V line card. I have everything almost working properly. I am going to break this up into two parts.
Here is the configuration I've applied to the CMTS:
cable l2-vpn-service xconnect nsi dot1q
cable dot1q-vc-map 0025.2eaf.6e58 GigabitEthernet0/2 80 TLS-TEST
While I have full IP connectivity, it seems like it's not a true L2 VLAN like I assumed. On my CPE device I do a packet capture, and one would think I should only see L2 and L3 traffic from VID80, right? However, my capture shows tons of ARP requests from my bundle interface applied to the cable plant interfaces (Cable1/0 & Cable1/1). I'm just curious if I missed something in the configuration or if anyone else has experienced this? I figured if the above configuration is applied, then whatever CPE device is behind the modem with MAC 0025.2eaf.6e58 is now part of VID80 and should NOT see any other L2 traffic other than what is on VID80, not all L2 traffic on the CMTS?
My other question is on multicast support with TLS. I am using this to test our new MPEG4 video content that we are about to deploy. From looking at the counters on the CMTS interface plugged into our core I can see ~8Mb/s of video hitting the CMTS (only a couple of channels, don't want to saturate the DS). I know that the network piece is correct, i.e. multicast traffic is tagged with the correct VID. But I cannot receive the video on the CPE device. The other thing I did to test whether it was the CMTS blocking just multicast was to turn on OSPF on that specific VID, and from my CPE device, while doing a packet capture, I cannot see the OSPF hellos. I'm thinking there is a command that needs to be enabled on the CMTS but I cannot figure it out.
Any help would be appreciated!
To filter ARP requests and other unencrypted multicast/broadcast, you need a true 'L2VPN capable' modem. L2VPN capable modems have a function called DUT Filtering (Downstream Unencrypted Traffic) which you must enable in the CM config file by using a special GenericTLV. It must be noted that even if you don't have DUT Filtering, VLAN users can't interfere with your regular network by responding to ARP or anything else. So ARP leaking is usually a minor issue.
Yes as stated above, to block all that ARP traffic you need to enable DUT filtering in the cm config file. And you need to use a DUT capable CM - examples include Motorola SB5101 or Arris D3. Older units like SB5100 and Arris D2 do not support DUT filtering. If you are unsure, you can do "show cable modem verbose" and look at the supported filtering modes for your favorite modems.
With TLS, you can configure the VPN in the CMTS CLI (as you have done), or you can configure it in the config file.
If you configure it in the CLI, it forces all traffic for that CM to go into the VPN. The CMTS does not look at the contents of this VPN traffic. All it does is pick up the packets from the cable interface, dot1q tag them and shoot them out the nominated gig port. Same in the reverse direction. The IGMP requests will never be seen by the CMTS and thus the STB cannot join any groups.
If you configure the VPN in the config file, you can set up the default service flow to go into the VPN, and then add exceptions. So as one of these exceptions you match IGMP and send that outside of the VPN. The CMTS then sees these packets and will then transmit the multicast to the CM.
This VPN stuff is known as Business Services over DOCSIS.
CableLabs info:
http://www.cablelabs.org/cablemodem/specifications/business.html
And some Cisco info:
Cisco TLS (predates BSoD. Configure on CLI, no VPN exceptions)
http://www.cisco.com/en/US/docs/ios/cable/configuration/guide/cmts_l2vpn...
L2VPN over cable (BSoD method, can do VPN exceptions)
http://www.cisco.com/en/US/docs/ios/cable/configuration/guide/cmts_l2vpn...
And you can also do MPLS pseudowires rather than dot1q
http://www.cisco.com/en/US/docs/ios/cable/configuration/guide/ubr_mpls_p...
It is all pretty daunting when you first look at it, but once you get the hang of the config it is not too bad. It took me a lot of reading and experimenting to feel comfortable with this topic.
Oh and one other gotcha I just remembered, if you are doing VPN with exceptions, you may likely have to turn off DUT filtering, because the ARP is necessary for those L3 exceptions to work properly.
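The following is an added example, not posted by anyone in this thread and not Cisco's or CableLabs' code. It encodes the config-file TLVs that the two replies above describe: the per-CM L2VPN encoding with a dot1q NSI, a default upstream service flow inside the VPN, an upstream classifier that steers IGMP to a second, non-L2VPN service flow (the "exception" that lets the CMTS see the STB's joins), and the DUT Filtering encoding, which is left switchable because of the gotcha just mentioned. The type and subtype numbers (TLV 22/24/25/29/43/45, sub-TLV 8 vendor ID, sub-TLV 5 L2VPN encoding, 5.2.2 802.1Q) are written from memory of CM-SP-L2VPN and the DOCSIS config-file encodings and should be treated as assumptions to check against the spec; the VPN ID, VLAN 80 and service-flow references are constructed sample values.

```python
# Added example: build and inspect DOCSIS config-file TLVs for a BSoD
# (L2VPN) modem. TLV numbers are assumptions taken from memory of
# CM-SP-L2VPN / DOCSIS MULPI; VPN ID, VLAN and SF references are constructed.
import struct

CABLELABS_VENDOR_ID = b"\xff\xff\xff"   # sub-TLV 8: 0xFFFFFF marks CableLabs-defined encodings
IP_PROTO_IGMP = 2


def tlv(t, value):
    """One DOCSIS TLV: 1-byte type, 1-byte length, value. A list of bytes
    objects is concatenated first, which is how sub-TLVs nest."""
    if isinstance(value, list):
        value = b"".join(value)
    if len(value) > 254:
        raise ValueError("a DOCSIS TLV value must fit in a one-byte length")
    return bytes([t, len(value)]) + value


def parse_tlvs(blob):
    """Inverse of tlv(): split a blob into (type, value) pairs, raising on
    truncated input so a broken file is reported rather than misread."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV at offset %d" % i)
        t, n = blob[i], blob[i + 1]
        out.append((t, blob[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def l2vpn_encoding(vpn_id, vlan=None):
    """L2VPN Encoding (sub-TLV 5 under a vendor-specific TLV): 5.1 VPN ID and,
    for the per-CM copy, 5.2 NSI Encapsulation with subtype 2 = IEEE 802.1Q VLAN."""
    subs = [tlv(1, vpn_id)]
    if vlan is not None:
        subs.append(tlv(2, tlv(2, struct.pack(">H", vlan))))
    return tlv(5, subs)


def vendor_specific(t, subs):
    """Vendor Specific Information (TLV 43, or x.43 inside a service flow):
    the vendor ID sub-TLV 8 comes first, then the CableLabs-defined sub-TLVs."""
    return tlv(t, [tlv(8, CABLELABS_VENDOR_ID)] + subs)


def build_config(vpn_id, vlan, dut_filtering):
    """Config-file body for a BSoD modem. Upstream SF 1 is the default flow and
    sits in the VPN; classifier 1 steers IGMP to SF 2, which is not in the VPN,
    so the CMTS processes the joins normally. Downstream SF 3 is in the VPN.
    DUT filtering is a parameter because L3 exceptions usually need it off."""
    body = [
        tlv(29, b"\x01"),   # Privacy Enable: BPI is mandatory for L2VPN
        vendor_specific(43, [l2vpn_encoding(vpn_id, vlan)]),  # per-CM L2VPN + dot1q NSI
        tlv(24, [tlv(1, struct.pack(">H", 1)), tlv(6, b"\x07"),
                 vendor_specific(43, [l2vpn_encoding(vpn_id)])]),  # US SF 1, in VPN
        tlv(24, [tlv(1, struct.pack(">H", 2)), tlv(6, b"\x07")]),  # US SF 2, not in VPN
        tlv(25, [tlv(1, struct.pack(">H", 3)), tlv(6, b"\x07"),
                 vendor_specific(43, [l2vpn_encoding(vpn_id)])]),  # DS SF 3, in VPN
        tlv(22, [tlv(1, b"\x01"), tlv(3, struct.pack(">H", 2)), tlv(5, b"\x40"),
                 tlv(6, b"\x01"),
                 tlv(9, [tlv(2, struct.pack(">H", IP_PROTO_IGMP))])]),  # IGMP -> SF 2
    ]
    if dut_filtering:
        body.append(tlv(45, [tlv(1, b"\x01")]))   # DUT Filtering: 45.1 DUT Control = enabled
    return b"".join(body)


def igmp_exception_target(config):
    """Return the service-flow reference that the IGMP classifier points at,
    or None if the file has no such classifier (i.e. IGMP stays in the VPN)."""
    for t, v in parse_tlvs(config):
        if t != 22:
            continue
        fields = dict(parse_tlvs(v))
        ip = dict(parse_tlvs(fields.get(9, b"")))
        if ip.get(2) == struct.pack(">H", IP_PROTO_IGMP):
            return struct.unpack(">H", fields[3])[0]
    return None


if __name__ == "__main__":
    cfg = build_config(b"\x00\x00\x00\x50", 80, dut_filtering=False)  # constructed values
    print(cfg.hex())
    print("IGMP is classified to upstream service flow", igmp_exception_target(cfg))
```

Feeding the hex output into a config-file editor's GenericTLV field reproduces the encodings above byte for byte; `parse_tlvs` and `igmp_exception_target` give a quick offline check that the exception classifier really points at the non-L2VPN flow before the file is pushed to the TFTP server.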
Hi, have you any example with TLS and dot1q (running config)?
I'm just configuring my ubr7225 and I receive the message
BPI not enabled on 54d4.6f2e.4355. Please enable BPI for L2VPN functionality
I've checked the DOCSIS file and it seems to be enabled.