BRAS/BNG L2 functions for VLAN/Q-in-Q networks
The BNG L2 function of Stingray SG implements:
- DHCP RELAY AGENT – monitoring of DHCP requests from clients and immediate client authorization via the Radius protocol after a successful response from the DHCP server.
- ARP PROXY – monitoring of local network ARP-requests, blocking ARP-requests from the WAN.
- IP SOURCE GUARD (anti-spoofing) – checking that a LAN packet belongs to the same VLAN from which the DHCP registration was made; if it does not, the packet is dropped.
- INTERCONNECTION of local traffic (exchange of local traffic between subscribers).
- LAN TO WAN TRAFFIC TERMINATION.
Since BNG L2 operates at the data link layer, it identifies subscribers not only by their IP-addresses but also by their MAC-addresses and VLAN/Q-in-Q network numbers. This allows inappropriate requests to be filtered out and increases the security of the local network. Identification by the Q-in-Q network is preferable, since it identifies a specific user regardless of his hardware (as a MAC-address would) rather than a group of users (as a single VLAN-header would).
BNG/BRAS L2 works in “in-line” mode only. If a packet from the local network is dropped or has to be sent back to the local network, its content (payload) is not inspected or identified.
BNG L2 Activation
To enable BNG/BRAS function you need to change the configuration file fastdpi.conf:
- bras_enable=1 – enables BNG/BRAS.
- bras_arp_ip – sets an arbitrary IPv4 address for BNG/BRAS. It should not be associated with interfaces or with any of the users.
- bras_arp_mac – sets MAC-address for BNG/BRAS (XX:XX:XX:XX:XX:XX). This address should be unique. It can be fake, but a real MAC of a dna-card is recommended.
- udr=1 – activates UDR (User Data Repository – internal database of users properties).
Example fastdpi.conf fragment:
udr=1
bras_enable=1
bras_arp_ip=192.168.1.255
bras_arp_mac=a0:00:b1:01:4e:cc
The session begins after the client’s request (DHCPREQUEST/DHCPINFORM) gets a response from DHCP-server (DHCPACK). The fastDPI BNG module receives and records to the UDR the following user information:
- VLAN/Q-in-Q identifiers.
Subsequent authentication of every user packet, as well as traffic termination/origination, is performed using this data.
The user session has 3 possible states:
- Active – a positive DHCPACK response was received for a DHCPREQUEST IP-address request.
- Ended – a DHCPRELEASE/DHCPDECLINE request releasing the IP-address was received.
- Unknown – the IP-address lease request did not pass through fastDPI. Sessions are in this state after fastDPI is restarted.
The session is considered ended on receipt of a DHCPRELEASE or DHCPDECLINE request, after which all of the user's packets are dropped.
DHCP RELAY AGENT and DHCP RADIUS PROXY
To monitor the start/end of user sessions, fastDPI BNG monitors DHCP requests from user equipment. There are two mutually exclusive monitoring modes, which are set by the bras_dhcp_mode configuration parameter of the fastdpi.conf file:
- bras_dhcp_mode=1 – in this mode fastDPI acts as a DHCP Relay Agent.
- bras_dhcp_mode=2 – in this mode fastDPI acts as a DHCP-server, which requests the IP-address and other parameters from the Radius-server via fastPCRF.
When working with a DHCP-server located in a separate network segment, fastDPI BNG acts as an agent (DHCP RELAY AGENT) that transfers DHCP-requests from user equipment to DHCP-servers and, in the reverse direction, responses from DHCP-servers to user equipment. This allows the start and end of user sessions to be monitored.
DHCP-server addresses are specified in fastdpi.conf by the bras_dhcp_server parameter; each DHCP-server (up to 16) is described by a separate parameter with the following fields:
- host – IP-address of the DHCP-server;
- dev – name of the network interface which is connected to the server;
- port – port, 68 by default;
- name=val – additional parameters:
  - reply_port – port that receives responses from the DHCP-server (68 by default);
  - arp_proxy – flag for responding to ARP-requests for the DHCP-server IP.
Configuration example for two DHCP-servers:
After the session is successfully established, the subscriber receives an IP-address and fastDPI BNG immediately sends a request for authorization and for the subscriber’s profile, including the tariff plan, connected services and other information.
DHCP RADIUS PROXY mode is intended for building networks without dedicated DHCP-servers. Instead, a Radius-server is used, and fastDPI together with fastPCRF acts as the DHCP-server. The request processing sequence is as follows:
- fastDPI receives the DHCP-request from user equipment and forwards it to fastPCRF.
- fastPCRF converts the DHCP-request into a Radius Access-Request and forwards it to the Radius-server.
- fastPCRF converts the Access-Accept/Access-Reject response into the internal format and sends it to fastDPI.
- fastDPI forms the DHCP-response and sends it to the user. It also stores the user’s profile and the connected services.
This operation mode may be of interest to some Internet providers, since it does not require a dedicated DHCP server.
To enable ARP-request processing, you need to change the configuration file fastdpi.conf:
After that, fastDPI BNG responds with its MAC-address to the following ARP-requests, regardless of the IP-address they come from:
- request for its own IP-address, in case the target IP is equal to the IP-address specified in the bras_arp_ip parameter.
- request for DHCP-server IP, if the arp_proxy=1 flag is set for the DHCP server. In this case, the value of the bras_arp_mac parameter is returned as the MAC address.
- request for the local IP-address, if the session status for this IP address is not “Closed” (there was no DHCPRELEASE/DHCPDECLINE).
IP SOURCE GUARD
Control of correspondence between VLAN identifiers and subscribers’ IP addresses provides additional security in the network. After issuing an IP-address via DHCP, fastDPI BNG records the subscriber’s VLAN/Q-in-Q identifiers to the UDR and then uses this data to control the correspondence between the IP-address of the packet source and the VLAN tag.
To enable the IP source guard mode you need to change the fastdpi.conf file:
- 0 – IP source guard is disabled – default value.
- 1 – IP source guard is enabled and applied to the active sessions only.
- 2 – strict: IP source guard is enabled and applied to the sessions in Active and Unknown states.
IP source guard is applied only for the outbound traffic (LAN to WAN).
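A worked model of the session table described in the DHCP RELAY AGENT section (DHCPACK opens, DHCPRELEASE/DHCPDECLINE ends, restart leaves sessions Unknown) together with the IP source guard check in its three modes. This is an added example for this page, not fastDPI code: the Udr class, its field layout, the sample addresses and the handling of an IP that has no UDR record at all are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACTIVE, ENDED, UNKNOWN = "Active", "Ended", "Unknown"   # session states named on the page

@dataclass
class Session:
    mac: str
    vlans: Optional[Tuple[int, ...]]   # (outer, inner) for Q-in-Q, (vid,) for a plain VLAN
    state: str

class Udr:
    """Toy in-memory stand-in for the UDR, keyed by subscriber IPv4 address (assumed layout)."""
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def on_dhcp(self, msg_type: str, ip: str, mac: str, vlans: Tuple[int, ...]) -> None:
        """Relay-agent view: DHCPACK opens a session, DHCPRELEASE/DHCPDECLINE ends it."""
        if msg_type == "DHCPACK":
            self.sessions[ip] = Session(mac, tuple(vlans), ACTIVE)
        elif msg_type in ("DHCPRELEASE", "DHCPDECLINE") and ip in self.sessions:
            self.sessions[ip].state = ENDED

    def restart(self) -> None:
        """After a fastDPI restart sessions are Unknown; stored VLAN data is kept (assumption)."""
        for s in self.sessions.values():
            s.state = UNKNOWN

def ip_source_guard(udr: Udr, mode: int, src_ip: str, vlans: Tuple[int, ...]) -> bool:
    """True if a LAN->WAN packet with this source IP and VLAN stack may pass.
    mode 0: disabled; 1: check Active sessions only; 2 (strict): check Active and Unknown.
    Assumption: an IP with no UDR record behaves like an Unknown session without a binding."""
    s = udr.sessions.get(src_ip)
    if s is not None and s.state == ENDED:
        return False                 # after DHCPRELEASE/DHCPDECLINE all user packets are dropped
    if mode == 0:
        return True
    if mode == 1 and (s is None or s.state == UNKNOWN):
        return True                  # mode 1 does not inspect Unknown sessions
    if s is None or s.vlans is None:
        return False                 # strict mode: binding cannot be verified, drop
    return s.vlans == tuple(vlans)

def demo() -> Tuple[bool, bool, bool, bool]:
    udr = Udr()
    udr.on_dhcp("DHCPACK", "10.0.5.20", "aa:bb:cc:00:00:01", (100, 2001))  # constructed Q-in-Q binding
    ok_same = ip_source_guard(udr, 1, "10.0.5.20", (100, 2001))
    spoofed = ip_source_guard(udr, 1, "10.0.5.20", (100, 2077))            # same IP, other C-VLAN
    udr.restart()                                                          # sessions become Unknown
    lax, strict = (ip_source_guard(udr, m, "10.0.5.20", (100, 2077)) for m in (1, 2))
    return ok_same, spoofed, lax, strict
```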
Local Traffic Interconnection
FastDPI BNG can interconnect local (intranet) traffic between users. Enabling this feature is controlled by the fastdpi.conf configuration file:
- 0 – interconnection is disabled – default value;
- 1 – interconnection is enabled.
Interconnection only works if ARP PROXY is enabled for local addresses.
BNG compares the destination MAC address of the packet with its own MAC address specified by the bras_arp_mac parameter. If these MAC addresses match, the packet is considered local.
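The ARP proxy rules listed above and the interconnection check, written out as one decision function each. This is an added example for this page, not fastDPI code: the config fields, the session-state map and the server entries are constructed, and because the page does not name the parameters that switch on local ARP proxy and interconnection, they appear here as the assumed boolean fields arp_proxy_local and interconnect.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DhcpServer:            # one bras_dhcp_server entry (constructed values)
    host: str
    dev: str
    arp_proxy: int = 0       # the arp_proxy flag from the page

@dataclass
class BngConfig:             # the fastdpi.conf values used by ARP PROXY and interconnection
    bras_arp_ip: str
    bras_arp_mac: str
    dhcp_servers: List[DhcpServer]
    arp_proxy_local: bool    # ARP proxy for local (subscriber) addresses: assumed field name
    interconnect: bool       # local traffic interconnection 0/1: assumed field name

def arp_reply_mac(cfg: BngConfig, sessions: Dict[str, str], target_ip: str) -> Optional[str]:
    """MAC to answer an ARP request for target_ip with, or None to stay silent.
    sessions maps a subscriber IP to its state: "Active", "Ended" (the page also says
    "Closed") or "Unknown"."""
    if target_ip == cfg.bras_arp_ip:
        return cfg.bras_arp_mac                      # request for the BNG's own IP
    for srv in cfg.dhcp_servers:
        if srv.host == target_ip and srv.arp_proxy == 1:
            return cfg.bras_arp_mac                  # proxy for a DHCP-server with arp_proxy=1
    if cfg.arp_proxy_local and target_ip in sessions and sessions[target_ip] != "Ended":
        return cfg.bras_arp_mac                      # local IP whose session was not released
    return None

def is_local_interconnect(cfg: BngConfig, dst_mac: str, dst_ip: str,
                          sessions: Dict[str, str]) -> bool:
    """A LAN frame addressed to bras_arp_mac whose destination IP belongs to another
    subscriber is handed over locally instead of going to the WAN. Requires both the
    interconnection flag and local ARP proxy, as the page states."""
    if not (cfg.interconnect and cfg.arp_proxy_local):
        return False
    if dst_mac.lower() != cfg.bras_arp_mac.lower():
        return False                                 # not addressed to the BNG: not local
    return sessions.get(dst_ip) not in (None, "Ended")
```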
LAN to WAN Traffic Termination
fastDPI BNG is able to terminate outbound traffic LAN -> WAN and originate inbound traffic WAN -> LAN. Termination is the removal of VLAN-tags from an outgoing packet; origination is the insertion of the VLAN-tags corresponding to the recipient’s IP-address.
Traffic termination is enabled by the bras_vlan_terminate parameter in the fastdpi.conf configuration file:
- 0 – termination is disabled;
- 1 – VLAN-tags are removed from the packets;
- 2 – VLAN-tag replacement.
In the bras_vlan_terminate=1 mode, fastDPI BNG removes all VLAN-tags from outgoing packets (LAN -> WAN) and inserts VLAN-tags into incoming packets (WAN -> LAN). When traffic is originated, the VLAN-tags are taken from the properties of the recipient’s IP-address (from the internal UDR database).
This mode can be resource-consuming for fastDPI, because the component is designed for packet filtering rather than packet modification. The copying of packet contents required when removing/adding VLAN-tags can significantly degrade fastDPI performance.
That is why fastDPI BNG has one more traffic termination mode – VLAN-tag replacement (bras_vlan_terminate=2). In this mode the L2 VLAN-tags remain in the packet, and their value is replaced by a constant set by the bras_vlan_subst configuration parameter.
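The two termination modes at the byte level, as an added example that is not fastDPI code: a constructed Q-in-Q frame is stripped and re-tagged as in bras_vlan_terminate=1, and its VIDs are overwritten in place as in bras_vlan_terminate=2, which shows why mode 2 avoids the payload copy. The TPID list, the frame contents and the assumption that every tag in the stack is rewritten with the same bras_vlan_subst constant are mine.

```python
import struct
from typing import List, Tuple

TPIDS = (0x8100, 0x88A8, 0x9100)   # 802.1Q tag and the common Q-in-Q outer-tag TPIDs

def split_tags(frame: bytes) -> Tuple[bytes, List[Tuple[int, int]], bytes]:
    """Split an Ethernet frame into (dst+src MACs, [(tpid, tci), ...], ethertype + payload)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] in TPIDS:
        tags.append(struct.unpack_from("!HH", frame, off))
        off += 4
    return frame[:12], tags, frame[off:]

def build(macs: bytes, tags: List[Tuple[int, int]], rest: bytes) -> bytes:
    return macs + b"".join(struct.pack("!HH", tpid, tci) for tpid, tci in tags) + rest

def terminate_mode1(frame: bytes) -> bytes:
    """bras_vlan_terminate=1, LAN->WAN: remove every VLAN tag. The frame shrinks, so
    everything after the MAC addresses has to be copied (the cost the page warns about)."""
    macs, _, rest = split_tags(frame)
    return macs + rest

def originate_mode1(frame: bytes, udr_tags: List[Tuple[int, int]]) -> bytes:
    """bras_vlan_terminate=1, WAN->LAN: insert the tags stored in the recipient's UDR record."""
    macs, _, rest = split_tags(frame)
    return build(macs, udr_tags, rest)

def terminate_mode2(frame: bytes, subst_vid: int) -> bytes:
    """bras_vlan_terminate=2: tag headers stay in place, only the 12-bit VID is overwritten
    with bras_vlan_subst; PCP/DEI bits are kept. Length is unchanged, so no payload copy.
    Assumption: every tag in the stack is rewritten with the same constant."""
    out, off = bytearray(frame), 12
    while struct.unpack_from("!H", out, off)[0] in TPIDS:
        tci = struct.unpack_from("!H", out, off + 2)[0]
        struct.pack_into("!H", out, off + 2, (tci & 0xF000) | (subst_vid & 0x0FFF))
        off += 4
    return bytes(out)

def sample_frame() -> bytes:
    """Constructed Q-in-Q frame: S-VID 100 with PCP 3 under 0x88A8, C-VID 2001 under 0x8100,
    followed by an IPv4 ethertype and a dummy payload."""
    macs = bytes.fromhex("a000b1014ecc") + bytes.fromhex("aabbcc000001")  # dst = bras_arp_mac, src = subscriber
    return build(macs, [(0x88A8, (3 << 13) | 100), (0x8100, 2001)], b"\x08\x00" + b"IPv4 payload")
```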
Contact us for more detailed information on the BNG L2 configuration and operation of the Stingray Service Gateway; our specialists are ready to help you understand this topic and to advise on other platform features.