User guide
Security
1/1551-HSC 901 35/3 Uen C 2005-12-02
83
validating takes place. If the authentication request from the subscriber is
acknowledged, the RADIUS server may provide subscriber profile
information such as IP address, subnet mask, compression parameters,
MTU, and more.
9.2.2 VLAN Technique
The VLAN technology can be used to create separate logical networks
within a LAN like the Access Domain Ethernet. The VLAN principle is useful
for separating the traffic through the Access Domain Ethernet. The
separation can be based on different criteria depending on the reason to
separate the traffic.
VLANs can be used for layer-2 separation. Assigning an individual VLAN
to each subscriber will force all communication through a router. The
maximum number of VLANs is defined by IEEE 802.1Q as 4096, which may be
exceeded in larger access scenarios. Alternatively, VLANs may be defined
for a group of users, to create for instance a virtual corporate network or a
group of on-line gamers.
A basic use of VLAN for separation of traffic types has been devised, in
order to enhance the security of the EDA system. With this scheme the
following VLANs are defined:
• The Management VLAN. This VLAN is used for all operation and
maintenance purposes, for example SNMP messages, routing
information, and DHCP messages regarding the IP DSLAM.
• The Subscriber Data VLAN. This VLAN is used to convey the traffic
that gives subscribers access to the data backbone.
• The Subscriber Voice VLAN. This VLAN conveys all traffic pertaining
to the IP Telephony function.
• The Subscriber Video VLAN. This VLAN conveys all multimedia traffic
such as video over IP.
Figure 55 on page 84 illustrates the use of the VLANs mentioned above.
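The following added example (not part of the original guide or of the EDA software) parses the 802.1Q tag of a captured frame, whose 12-bit VLAN ID field is the source of the 4096 limit, and checks the separation scheme above by flagging SNMP traffic seen outside the Management VLAN. The VLAN IDs 10, 20, 30 and 40 and all function names are assumptions; the guide does not give them.

```python
import struct

# Assumed VLAN IDs: the guide names the four VLANs but gives no numbers.
VLAN_ROLES = {10: "management", 20: "subscriber-data",
              30: "subscriber-voice", 40: "subscriber-video"}
TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
SNMP_PORTS = {161, 162}      # SNMP agent and trap ports (UDP)


def parse_frame(frame: bytes) -> dict:
    """Extract the 802.1Q VID and, for IPv4/UDP, the UDP ports."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return {"vid": None, "pcp": None, "udp_ports": None}
    # TCI layout: 3-bit priority, 1-bit DEI, 12-bit VLAN ID.
    info = {"vid": tci & 0x0FFF, "pcp": tci >> 13, "udp_ports": None}
    payload = frame[18:]
    if ethertype == 0x0800 and len(payload) >= 20 and payload[9] == 17:
        ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
        if len(payload) >= ihl + 4:
            info["udp_ports"] = struct.unpack("!HH", payload[ihl:ihl + 4])
    return info


def audit(frame: bytes) -> str:
    """Return 'ok' or a finding describing a separation violation."""
    info = parse_frame(frame)
    if info["vid"] is None:
        return "untagged frame"
    role = VLAN_ROLES.get(info["vid"])
    if role is None:
        return f"unknown VLAN {info['vid']}"
    ports = info["udp_ports"]
    if ports and SNMP_PORTS & set(ports) and role != "management":
        return f"SNMP on {role} VLAN {info['vid']}"
    return "ok"


def build_frame(vid: int, dport: int) -> bytes:
    """Constructed sample: tagged Ethernet + minimal IPv4/UDP header."""
    eth = bytes(6) + bytes(6) + struct.pack("!HHH", TPID_8021Q, vid, 0x0800)
    ip = bytes([0x45, 0]) + struct.pack("!H", 28) + bytes(5) + bytes([17]) + bytes(10)
    return eth + ip + struct.pack("!HHHH", 40000, dport, 8, 0)
```
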