User guide
Security
1/1551-HSC 901 35/3 Uen C 2005-12-02
85
example of assigning the voice VLAN ID to all voice PVCs, and the data
VLAN ID to all data access PVCs.
Separating the traffic in this way is a security mechanism that prevents
EDA subscribers from attacking the local Management System, or
performing hacking attacks on the access equipment (IP DSLAMs,
aggregation switches, routers, voice gateway).
Other schemes than the one illustrated in Figure 55 can be used to
enhance security. For example, it is possible to dedicate a VLAN to a
single subscriber, to provide corporate access. The subscriber's traffic is
then guaranteed logical isolation from the traffic of other subscribers.
VLANs may also be associated with different services or Service Providers.
In this way traffic belonging to different service providers can be separated,
which constitutes a form of service selection. This is described in more
detail in section 10.3.3 on page 99.
9.2.3 Forced Forwarding
Forced forwarding is an EDA-specific technique in which the subscriber
is forced to use the router as the default gateway for all upstream traffic. This is
easily obtained by defining an individual IP subnet for each subscriber. In that
case a subscriber will automatically use the router for communicating with
other subscribers, and the IP DSLAMs need only verify that the upstream
traffic is indeed sent to the router's MAC address, and not anywhere else.
Using a unique IP subnet per subscriber is considered problematic in a
network of public IPv4 addresses, because it wastes a lot of scarce
addresses. The minimum subnet takes up 4 addresses, but only one of
these addresses can be assigned to a subscriber because the remaining 3
addresses are reserved². A way of obtaining better address utilization is to
have more subscribers in the same subnet, because there are still only 3
reserved addresses.
The apparent conflict between layer-2 separation and subnet sharing is
solved by an ARP proxy function in the IP DSLAM. An EDA subscriber
who wishes to communicate with another subscriber in the same subnet
will issue an ARP request to get the destination MAC address. However,
the ARP proxy responds to the ARP request with the MAC address of
the default gateway for the subnet. The requesting subscriber will therefore
forward its traffic via the default gateway, believing that it is in fact
the other subscriber. For this mechanism to work properly the default
gateway must be configured to accept and forward (or actually return)
traffic between hosts within the same subnet, which is not the default
behavior of a router. It is still necessary for the IP DSLAM to
² One address for the other peer of the network, one for the network itself, and one for broadcast.
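The forced-forwarding and ARP-proxy behaviour of section 9.2.3, as an added simulation that is not code from the EDA user guide or any Ericsson product. The subnet, IP and MAC addresses, class names and the frame layout are constructed for the example; the router's `hairpin` flag models the non-default gateway configuration the section mentions, the `static_mac` parameter models a host whose manually configured ARP entry bypasses the proxy (the case the DSLAM's upstream MAC check exists for), and `subscribers_per_subnet` checks the reserved-address count from footnote 2.

```python
"""Forced forwarding with a proxy-ARP IP DSLAM, simulated.

Added illustration of section 9.2.3; not code from the EDA user guide.
Subnet, addresses, MACs and the frame layout are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def subscribers_per_subnet(prefix: str) -> int:
    """Usable subscriber addresses: total minus the 3 reserved ones
    (network, broadcast and the gateway/peer address) named in footnote 2."""
    return ipaddress.ip_network(prefix).num_addresses - 3


class ForcedForwardingDslam:
    """The two per-line functions the guide assigns to the IP DSLAM."""

    def __init__(self, subnet: str, gateway_ip: str, gateway_mac: str) -> None:
        self.subnet = ipaddress.ip_network(subnet)
        self.gateway_ip = ipaddress.ip_address(gateway_ip)
        self.gateway_mac = gateway_mac.lower()
        self.log: List[str] = []

    def proxy_arp(self, target_ip: str) -> Optional[str]:
        """ARP proxy: any in-subnet target resolves to the gateway's MAC,
        so a requester never learns a neighbour's real MAC address."""
        if ipaddress.ip_address(target_ip) not in self.subnet:
            return None  # hosts only ARP for on-link addresses
        return self.gateway_mac

    def upstream_check(self, frame: Frame) -> bool:
        """Forced forwarding: only frames addressed to the router's MAC pass."""
        if frame.dst_mac.lower() != self.gateway_mac:
            self.log.append(f"DROP {frame.src_ip}->{frame.dst_ip} dst_mac={frame.dst_mac}")
            return False
        self.log.append(f"PASS {frame.src_ip}->{frame.dst_ip}")
        return True


class Router:
    """Default gateway. hairpin=True returns same-subnet traffic downstream,
    which the guide notes is not a router's default behaviour."""

    def __init__(self, subnet: str, hairpin: bool) -> None:
        self.subnet = ipaddress.ip_network(subnet)
        self.hairpin = hairpin

    def route(self, frame: Frame) -> str:
        if ipaddress.ip_address(frame.dst_ip) in self.subnet:
            return "subscriber-side" if self.hairpin else "dropped"
        return "core"


class Subscriber:
    def __init__(self, ip: str, mac: str, dslam: ForcedForwardingDslam) -> None:
        self.ip, self.mac, self.dslam = ipaddress.ip_address(ip), mac, dslam

    def build_frame(self, dst_ip: str, static_mac: Optional[str] = None) -> Frame:
        """Resolve the next hop via ARP (answered by the DSLAM proxy) unless the
        host has a manually configured ARP entry, which bypasses the proxy."""
        dst = ipaddress.ip_address(dst_ip)
        next_hop = dst if dst in self.dslam.subnet else self.dslam.gateway_ip
        mac = static_mac or self.dslam.proxy_arp(str(next_hop))
        return Frame(self.mac, mac, str(self.ip), str(dst))


def run_scenarios(hairpin: bool = True) -> Dict[str, str]:
    """Constructed topology: two subscribers on a shared /24 behind one DSLAM."""
    dslam = ForcedForwardingDslam("10.0.0.0/24", "10.0.0.1", "00:00:5e:00:53:01")
    router = Router("10.0.0.0/24", hairpin=hairpin)
    alice = Subscriber("10.0.0.10", "00:00:5e:00:53:0a", dslam)
    bob_mac = "00:00:5e:00:53:0b"  # the neighbour's real MAC, which proxy ARP hides

    def deliver(frame: Frame) -> str:
        return router.route(frame) if dslam.upstream_check(frame) else "dropped-at-dslam"

    return {
        # Same subnet: the ARP answer is the gateway MAC, traffic hairpins via the router
        "peer_via_proxy_arp": deliver(alice.build_frame("10.0.0.11")),
        # Same subnet, addressed to the neighbour's real MAC: fails the DSLAM check
        "peer_direct_mac": deliver(alice.build_frame("10.0.0.11", static_mac=bob_mac)),
        # Off-subnet destination: ordinary default-gateway forwarding
        "internet": deliver(alice.build_frame("198.51.100.10")),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20} -> {outcome}")
    print("/30 subscribers per subnet:", subscribers_per_subnet("10.0.0.0/30"))
```

Running `run_scenarios(hairpin=False)` shows the caveat at the end of the section: with the proxy in place but the gateway left at its router default, subscriber-to-subscriber traffic in the shared subnet is passed by the DSLAM and then dropped by the router.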