On 2014-02-06 15:08, Mark Tinka wrote:
You need a bunch of stuff, proxy ND, proxy DAD, DHCPv6 inspection....
If you have a reasonably intelligent AN (like some of today's Active-E devices), you can create so-called split horizons on the same bridge domain (VLAN, really) where customers will only communicate via the upstream BNG at Layer 3.
At Layer 2, even though they are all sitting on the same VLAN, there is no inter-communication between them.
Ok, then you have not understood the problem with IPv6 in shared VLANs. You need to allow some communication between the user ports on L2 to get the IPv6 control protocols to work. You do this on IPv4 today, with proxy ARP etc. It's much more complex in IPv6.
I also know that Huawei OLTs support these split horizons too.
Many devices support what Cisco calls Private VLAN or MACFF as specified in RFC4562. There are IPv4-only implementations today, but not all of these protocols are standardized, and they are not interoperable between vendors. I have still not heard of any vendor shipping the same functionality to share VLANs with IPv6 in a secure way.
Or do something bold, run L3 at the edge :)
Cheap switches that have decent IP/MPLS support are mostly geared toward Metro-E deployments, i.e., business-grade services. So they are quite poor with regard to subscriber management features and capabilities.
You need a basic L3 access switch, with some tweaks. I've been working on and designing such devices for seven years at my former employer PacketFront Networks. Whole bunch of standard protocols: OSPF, PIM-SM, IGMPv2/v3 in the edge, and now with OSPFv3, PIM-SMv6 and MLD/MLDv2. DHCPv4/v6 is relayed to the correct service provider, unless it's management traffic and should be handled by the network. Very easy, very few security issues since no L2 is allowed between customers, no strange protocols (ARP inspection, proxy ARP, IP source guard, DHCP snooping/option 82 or their IPv6 counterparts). Open access is done at the L3 layer, no VLANs. There is free seating in the CPE so all equipment in the home can talk to each other. Important with today's DLNA/TV sets and mobile phones. It is very scalable, since that is how the Internet is built :)

Of course, it needs a proper management system, so we built one as well. We also pushed Python into the access device, so DHCPv4/DHCPv6, RADIUS, 802.1X functionality and how those are used can easily be adjusted in a script instead of trying to express programming in a CLI. On top of that some simple templates describing the services. The RADIUS server just returns the service name with the needed parameters (bandwidth, priority etc.) and the Python script installs/removes instances of the service as needed. I promise this access device has NO problems with spoofed packets, see the BCP38 discussion :) So, it's a small BNG in the access device.

And no, it's not that expensive. We did look at sourcing an L2 switch from Taiwan; we could get the switch with L2 or L3 forwarding in a Broadcom switch ASIC, all the other features were equal. Cost difference was five dollars. (PacketFront's access device uses an NPU, much more flexible.) Vendors charging both an arm and a leg for routers are doing that because they can; doing L3 is not more expensive than L2 with today's technology. PacketFront has sold over 1 million ports, and the largest installation is 50000 ports, in Sweden, Holland and Dubai. This can easily scale to much bigger networks.
The biggest issue with selling L3 to the edge is not technical or economical, it's religious: people are just so used to building their networks in a specific way and they don't want to change....

/Anders
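The per-port state Anders describes above (addresses learned by the DHCPv4/v6 relay, a BCP38-style source check on the subscriber port, and RADIUS-driven install/remove of service instances) as an added Python sketch. It is not part of the original post and not PacketFront's code; the class and function names, the service parameters and the sample addresses are all constructed assumptions chosen to illustrate the design, not a real device API.

```python
"""Toy model of an L3 access port: no L2 between subscribers, so the only
anti-spoofing state needed is "which addresses did the relay hand out here".
All names and values below are assumptions made for this example."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AccessPort:
    port_id: str
    # Addresses the DHCPv4/DHCPv6 relay saw assigned on this port (v4 and v6 mixed).
    leases: set = field(default_factory=set)
    # Installed service instances: service name -> parameters from RADIUS.
    services: dict = field(default_factory=dict)


def record_lease(port, address):
    """Called when the relay sees a DHCPv4 ACK / DHCPv6 REPLY for this port."""
    port.leases.add(ipaddress.ip_address(address))


def release_lease(port, address):
    """Called on DHCP RELEASE or lease expiry."""
    port.leases.discard(ipaddress.ip_address(address))


def ingress_allowed(port, src):
    """BCP38 on the subscriber port: a packet may only carry a source address
    that the relay handed out on this very port.

    IPv6 link-local is exempted because ND and DHCPv6 client traffic is sent
    from it and, with no L2 path to other subscribers, it only reaches the
    access router itself. This is a design choice of the example, not a rule
    from the thread."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.is_link_local:
        return True
    return addr in port.leases


def reconcile_services(port, access_accept):
    """access_accept: list of (service_name, params) pairs the RADIUS server
    returned for this subscriber. Make the port match that list: install
    new or changed services, remove ones RADIUS no longer lists.
    Returns (installed, removed) as sorted name lists."""
    desired = {name: dict(params) for name, params in access_accept}
    to_remove = sorted(name for name in port.services if name not in desired)
    to_install = sorted(name for name, params in desired.items()
                        if port.services.get(name) != params)
    for name in to_remove:
        del port.services[name]
    for name in to_install:
        port.services[name] = desired[name]
    return to_install, to_remove


def demo():
    """Constructed walk-through: one port, two leases, two RADIUS answers."""
    port = AccessPort("subscriber-port-5")        # assumed port name
    record_lease(port, "198.51.100.23")           # documentation prefixes only
    record_lease(port, "2001:db8:50::23")
    verdicts = [ingress_allowed(port, s) for s in (
        "198.51.100.23",    # leased here -> allowed
        "198.51.100.99",    # never leased on this port -> dropped
        "2001:db8:50::23",  # leased here -> allowed
        "2001:db8:60::1",   # someone else's prefix -> dropped
        "fe80::1",          # link-local control traffic -> allowed
    )]
    first = reconcile_services(port, [("internet", {"bw_mbps": 100}),
                                      ("iptv", {"priority": 5})])
    # Re-authentication: RADIUS now returns a bigger pipe and no IPTV.
    second = reconcile_services(port, [("internet", {"bw_mbps": 250})])
    return verdicts, first, second


if __name__ == "__main__":
    print(demo())
```

Everything the forwarding plane needs to enforce is derived from protocol exchanges the device already relays (DHCP) or terminates (RADIUS), which is why the design needs none of the L2 inspection features listed in the thread: there is no neighbour on the segment to lie to.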