nanog mailing list archives

Re: Anyone deployed FlexCAP2 ADSL?
From: Dean Anderson <dean () av8 com>
Date: Wed, 28 Jan 1998 14:09:58 -0500

Has anyone on this list deployed an ADSL network using Westell's FlexCAP2
product? I have some network engineers telling me that they need to use an
entire /29 of 8 IP addresses for each single subscriber connection. This
doesn't seem right to me and I'd love to talk with someone who has
actually deployed this stuff.

I've been looking into ADSL, and this doesn't seem right to me.
Historically, I have assigned employees a /29 so that they can have
multiple machines at home with global network addresses if they indicate
they have multiple machines, but that's not a requirement. They can easily
get along with a single address and a NAT.

The ADSL component basically provides an Ethernet bridge between the
subscriber and the CO. The network engineers that I am dealing with tell
me that these bridged Ethernet connections have to go into a Catalyst 5500
switch in which each Ethernet port is on a separate VLAN in order to
prevent neighbors from sniffing each other's traffic. And because of the
VLANs in the 5500 with 2 RSMs, they need to allocate a block of 8 globally
routable IP addresses in order to supply a subscriber with one globally
routable host connection.

Ah. That's a slightly different requirement. The advantage of the VLANs is
that they prevent distribution of all traffic including broadcast traffic
to other VLANs as in the picture below.  Are you committed to this type of
network design?

     Cat Etherswitch -- ADSL bridge -- Customer1 Ethernet
       ^- x.1 -------------- VLAN ------------ x.* -^
                     \-- ADSL bridge -- CustomerN Ethernet
       ^- y.1 -------------- VLAN ------------ y.* -^

I actually have some customers within our Boston building who are connected
this way, but I had spare ethernet ports on the router, rather than a VLAN.

The early Xylan VLANs I think were limited in their size. Basically, they
have an internal table that could overflow.  As I recall, when it
overflows, performance is degraded, but traffic isn't sent to everyone. I'm
not sure on the Catalyst.  I used the Xylans back in '94 or so to connect
multiple ethernet and token ring networks over a single fiber pair between
offices on different floors in a large office building, turning 2 Xylan
boxes into big IP multiplexers to handle a very large number of fairly
small IP networks for testing purposes.  But the equipment has changed a
lot since then, and is quite a bit better, now.

In the above case though, the customer will probably still need a router or
NAT, or will have to be very small. On the other hand, this has the
advantage that it is probably easier to sell to the small customer without
a firewall or NAT, since they don't actually need another router, initially.

This is what I am planning:

   Some Etherswitch -- ADSL bridge -- CPE router -- Customer1 Ethernet
       ^- a.1 ---- internal net ----- a.2 -^ ^---- Cust glbl addr space
                   \-- ADSL bridge -- CPE router -- CustomerN Ethernet
       ^- a.1 ---- internal net ----- a.n -^ ^---- Cust glbl addr space

In this case, the customer may or may not need/want another router or a
NAT.  It's up to them. Address space allocation is flexible, and operations
are identical to current leased line operations, from the point of view of
the customer.

A possibility available with this design is to use RFC 1918 nets for the
internal bridged ethernets, thus reducing your own needs for address space.
This can't really be done with VLANs unless your customer doesn't need any
global address space.

There are some issues to consider.  The customer could remove the router,
and deviously send multiple MAC addresses, in order to snoop the switch.
This is a detectable situation on good SNMP-manageable switches.

An etherswitch normally prevents sniffing of all non-broadcast traffic.
Assuming you have only a router at the client site, you shouldn't be
getting any broadcast traffic on the switch, except for ARPs.  The router
should be the only device seen by the switch.

The etherswitch usually has a limited number of entries in its internal per
port MAC address table (8 or 16 MAC addresses per port on most older
equipment). When the number is exceeded, the port changes from switching to
normal ethernet, distributing all traffic, and allowing the customer to
snoop the hub. Once this is detected, the port can be turned off via SNMP
(out of band, of course.  If it's done in-band, the snooper can see the SNMP
set, and get the community name, and possibly turn the port back on via
another connection).

However this depends on and requires that you monitor your switches, and
that your switch either reports the number of MACs per port, or better,
limits the MAC to a specified MAC (turning off the port when a different
MAC is seen), and can shut off ports individually.  I think you'll find the
Synoptics/Bay switches fit nicely, and are sometimes cheaper than the
Catalyst.

A disadvantage is that you have to exercise more control over the router on
the customer premises, and be able to handle the case where it is
compromised, or removed by the customer.  But this is a surmountable
problem.

                --Dean

P.S.  An SNMP RMON device would be a pen register, and thus excluded from
18 USC 2511 monitoring.  :-)


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
           Plain Aviation, Inc                  dean () av8 com
           LAN/WAN/UNIX/NT/TCPIP          http://www.av8.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
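The per-port monitoring the post describes (count the MACs a switch has learned on each subscriber port, and better still pin a port to its one expected CPE router) can be scripted against a BRIDGE-MIB walk. This is an added example, not code from the post; it assumes net-snmp style `dot1dTpFdbPort` output, a constructed set of ports and MACs, and a hypothetical `pinned` policy map. The shutdown action itself is left to the operator, out of band as the post recommends.

```python
import re
from collections import defaultdict

# Constructed snmpwalk-style dump of BRIDGE-MIB dot1dTpFdbPort: the six
# decimal index components are the learned MAC and the value is the bridge
# port that learned it.  Port numbers and MACs are made up for this example.
SAMPLE_WALK = """
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.2.3 = INTEGER: 1
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.2.4 = INTEGER: 2
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.2.5 = INTEGER: 2
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.1 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.2 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.3 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.4 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.5 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.6 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.7 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.8 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.16.90.1.3.9 = INTEGER: 3
"""

FDB_RE = re.compile(r"dot1dTpFdbPort\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")

def parse_fdb(walk):
    """Return a list of (port, mac) pairs from an snmpwalk dump."""
    entries = []
    for m in FDB_RE.finditer(walk):
        octets = [int(x) for x in m.group(1).split(".")]
        mac = ":".join(f"{o:02x}" for o in octets)
        entries.append((int(m.group(2)), mac))
    return entries

def audit_ports(entries, max_macs=8, pinned=None):
    """Flag ports whose learned MACs violate the per-port policy.
    max_macs: per-port table size (8 on the older gear the post mentions);
    going past it makes the port flood like a hub.
    pinned: hypothetical {port: mac} map of subscriber ports that should
    only ever show their CPE router.  Returns {port: reason}."""
    pinned = pinned or {}
    seen = defaultdict(set)
    for port, mac in entries:
        seen[port].add(mac)
    findings = {}
    for port, macs in sorted(seen.items()):
        if port in pinned and macs != {pinned[port]}:
            findings[port] = f"unexpected MACs {sorted(macs - {pinned[port]})}"
        elif len(macs) > max_macs:
            findings[port] = f"{len(macs)} MACs exceeds limit of {max_macs}"
    return findings
```

Run `audit_ports(parse_fdb(SAMPLE_WALK), pinned={2: "00:10:5a:01:02:04"})` on the sample: port 2 is flagged for a second MAC behind a pinned router port and port 3 for overflowing an 8-entry table, while port 1 is clean.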
