3) Full compliance between the name of the subscriber-service and the name of the service in the message from the AAA server
13.1 Policy-filter-list
14.1.2 Flags in GRE
In EcoRouterOS, encapsulation sets the DF bit in the external header to 1 (do not fragment). If an incoming frame's header has the MF bit set to 1 (fragmented) or the fragment offset bit set to 1 (the last fragment of the original frame), the frame will be rejected. In GRE, all incoming frames in which any of the GRE header flags checksum, routing, key, seq number, strict source route or recursion is not 0 will be rejected.
Configuring commands
Table 76
Command                                                    Description
interface tunnel.<number>                                  Create a tunnel interface, where the number is arbitrary
ip mtu <value>                                             Specify the MTU value for the interface
ip tunnel <source IP> <destination IP> mode <gre | ipip>   Specify the tunnel's start and finish IP addresses and the tunnel's type
EcoRouter User Guide
14.1.3 Example of GRE tunnel basic configuring
Figure 21
The tunnel between the ECO-1 and ECO-2 devices will be configured. See the configuration of ECO-1 device below.
Step 1. Interfaces and ports configuring
ecorouter>en
ecorouter#conf t
ecorouter(config)#interface e1
ecorouter(config-if)#ip add 11.0.0.1/16
ecorouter(config)#interface e2
ecorouter(config-if)#ip add 192.168.0.1/24
ecorouter(config)#port te0
ecorouter(config-port)#service-instance te0
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e1
ecorouter(config)#port te1
ecorouter(config-port)#service-instance te1
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e2
Step 2. Creating tunnel interface named tunnel.0
ecorouter(config)#interface tunnel.0
Step 3. Specifying IP address
ecorouter(config-if)#ip add 172.16.0.1/16
Step 4. Specifying MTU value
ecorouter(config-if)#ip mtu 1400
Step 5. Specifying GRE tunnel mode and tunnel's start and finish IP addresses
ecorouter(config-if)#ip tunnel 11.0.0.1 12.0.0.2 mode gre
Step 6. Configuring traffic routing into tunnel
ecorouter(config)#ip route 12.0.0.0/8 11.0.0.2
ecorouter(config)#ip route 192.168.200.0/24 172.16.0.2
The second device must be configured in the same way.
14.1.4 Show commands
Use the show interface tunnel.<TUNNEL_NUMBER> command to show the tunnel's state.
For the configuration above the following result will be shown:
ecorouter#sh int tunnel.0
Interface tunnel.0 is up, line protocol is up
Ethernet address: 0000.ab27.8404
MTU: 1400
Tunnel source: 11.0.0.1
Tunnel destination: 12.0.0.2
Tunnel mode: GRE
ICMP redirection is on
<UP,BROADCAST,RUNNING,NOARP,MULTICAST>
inet 172.16.0.1/16 broadcast 172.16.255.255/16
total input packets 0, bytes 0
total output packets 0, bytes 0
14.2 IP in IP
IP in IP is a tunnelling mechanism that places one IP packet inside another.
Tunnelling adds one more IP header to a standard IP packet. The upper (outer) header contains the tunnel's start and finish IP addresses. After the packet arrives at the tunnel's finish router, the upper header is removed and the packet is forwarded with its ordinary inner IP header.
Figure 22
14.2.1 MTU in IP in IP
The typical MTU for an L3 interface is 1500 bytes. Adding the service header creates new requirements for the MTU value when transmitting a packet. The IP in IP header has a size of 20 bytes and the IP packet's header is 20 bytes, so the MTU on tunnel interfaces must be set lower than the standard Ethernet value.
14.2.2 Flags in IP in IP
In EcoRouterOS, encapsulation sets the DF bit in the external header to 1 (do not fragment).
If an incoming frame's header has the MF bit set to 1 (fragmented) or the fragment offset bit set to 1 (the last fragment of the original frame), the frame will be rejected.
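The acceptance rules from sections 14.1.2 (Flags in GRE) and 14.2.2 (Flags in IP in IP) can be modelled to check captured tunnel packets and explain why a peer's traffic is dropped. This is an added example, not EcoRouterOS code: the function names are hypothetical, the bit positions come from RFC 791 and RFC 1701, and "fragment offset set" is read here as a non-zero offset field.

```python
import struct

IPPROTO_IPIP, IPPROTO_GRE = 4, 47
IP_MF, IP_OFFMASK = 0x2000, 0x1FFF   # RFC 791 flags/fragment-offset word
# RFC 1701: first 16 bits of GRE hold the C, R, K, S, s flags and 3-bit Recur.
GRE_FLAGS = {"checksum": 0x8000, "routing": 0x4000, "key": 0x2000,
             "seq number": 0x1000, "strict source route": 0x0800,
             "recursion": 0x0700}

def check_tunnel_packet(pkt: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for an outer IPv4 tunnel packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "reject: not an IPv4 packet"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "reject: bad IPv4 header length"
    frag, = struct.unpack_from("!H", pkt, 6)
    proto = pkt[9]
    if frag & IP_MF:
        return "reject: MF bit set in outer header"
    if frag & IP_OFFMASK:
        return "reject: non-zero fragment offset in outer header"
    if proto == IPPROTO_IPIP:
        return "accept"              # IP in IP has no further flags to check
    if proto != IPPROTO_GRE:
        return "reject: not a GRE or IP in IP packet"
    if len(pkt) < ihl + 4:
        return "reject: truncated GRE header"
    gre_word, = struct.unpack_from("!H", pkt, ihl)
    for name, mask in GRE_FLAGS.items():
        if gre_word & mask:
            return f"reject: GRE {name} field is not 0"
    return "accept"

def build_outer(proto: int, frag_field: int = 0x4000, gre_word: int = 0) -> bytes:
    """Constructed sample: outer IPv4 header (DF set by default), plus a GRE
    header when proto is GRE. Length and checksum are dummies, not validated."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, frag_field, 64, proto, 0,
                     bytes([11, 0, 0, 1]), bytes([12, 0, 0, 2]))
    gre = struct.pack("!HH", gre_word, 0x0800) if proto == IPPROTO_GRE else b""
    return ip + gre

if __name__ == "__main__":
    print(check_tunnel_packet(build_outer(IPPROTO_GRE)))
    print(check_tunnel_packet(build_outer(IPPROTO_GRE, gre_word=0x2000)))
    print(check_tunnel_packet(build_outer(IPPROTO_IPIP, frag_field=0x2000)))
```

A peer that sends GRE with a key or sequence number enabled fails the last check, which is a common reason for a tunnel that is up but passes no traffic.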
Configuring commands
Table 77
Command                                                    Description
interface tunnel.<number>                                  Create a tunnel interface, where the number is arbitrary
ip mtu <value>                                             Specify the MTU value for the interface
ip tunnel <source IP> <destination IP> mode <gre | ipip>   Specify the tunnel's start and finish IP addresses and the tunnel's type
14.2.3 Example of GRE tunnel basic configuring
Figure 23
The tunnel between the ECO-1 and ECO-2 devices will be configured. See the configuration of ECO-1 device below.
Step 1. Interfaces and ports configuring
ecorouter>en
ecorouter#conf t
ecorouter(config)#interface e1
ecorouter(config-if)#ip add 11.0.0.1/16
ecorouter(config)#interface e2
ecorouter(config-if)#ip add 192.168.0.1/24
ecorouter(config)#port te0
ecorouter(config-port)#service-instance te0
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e1
ecorouter(config)#port te1
ecorouter(config-port)#service-instance te1
ecorouter(config-service-instance)#encapsulation untagged
ecorouter(config-service-instance)#connect ip interface e2
Step 2. Creating tunnel interface named tunnel.0
ecorouter(config)#interface tunnel.0
Step 3. Specifying IP address
ecorouter(config-if)#ip add 172.16.0.1/16
Step 4. Specifying MTU value
ecorouter(config-if)#ip mtu 1400
Step 5. Specifying GRE tunnel mode and tunnel's start and finish IP addresses
ecorouter(config-if)#ip tunnel 11.0.0.1 12.0.0.2 mode ipip
Step 6. Configuring traffic routing into tunnel
ecorouter(config)#ip route 12.0.0.0/8 11.0.0.2
ecorouter(config)#ip route 192.168.200.0/24 172.16.0.2
The second device must be configured in the same way.
15 Bridging with L3 support
A network bridge (bridge) is a physical or logical device that separates Ethernet collision domains and operates on the two lower layers of the OSI and TCP/IP network stacks. Combining two or more network segments is called bridging. In simple bridges, broadcast packets are sent to all bridge interfaces; bridges with VLAN support can limit broadcast domains to separate interfaces. The VLAN ID in these bridges must be unique within the device. A broadcast domain limited by a VLAN is called a VLAN bridge domain in the IEEE 802.1Q/802.1ad standards.
With the development of provider technologies, a need arose to limit the uniqueness of a VLAN ID to a separate port. This feature was provided by the concept of EVC (Ethernet Virtual Connection), in which the broadcast L2 domain is no longer tied to a VLAN. The EVC bridge domain combines virtual L2 interfaces, which are called service instances (SI). The L3 interface that links L2 and L3 domains is called SVI or BVI in traditional bridges; in EVC bridge domains it is called BDI (Bridge Domain Interface).
The figure below shows the processes that occur when frames are transferred between L2 and L3 domains through the BDI, in both directions.
Figure 24
15.1 Configuration
A bridge creation command:
ecorouter(config)#bridge <NAME>
where <NAME> is an arbitrary name allowed in EcoRouterOS.
A bridge domain is created in the service instance configuration context:
ecorouter(config-service-instance)#
The relevant commands are shown in the table below.
Table 78
Command                                   Description
encapsulation {default|dot1q|untagged}    Configure encapsulation (tagging) for external traffic
rewrite {pop|push|translate}              Translation of encapsulation when sent to the bridge
connect bridge <NAME>                     Connect to the previously created bridge
Tagging (encapsulation) can be arbitrary (see the "Tag operations for the service instances" section). As mentioned above, the VLAN ID of the service interface on one port can be the same as the VLAN ID of the service interface on another port, and they will be different VLANs as long as these SIs are in different bridge domains. A bridge domain on the bridge is formed by the service interfaces connected to it that have the same encapsulation value on the bridge. This value is set by the encapsulation and rewrite commands. Bridging between service interfaces is possible only in this case. For example, if Q-in-Q tagging is specified on one service interface:
ecorouter(config-service-instance)#encapsulation dot1q 30 second-dot1q 40
and the following is set on another (from the same bridge domain):
ecorouter(config-service-instance)#encapsulation dot1q 20
then, to bridge between them, the following command can be used on the first one, for example:
ecorouter(config-service-instance)#rewrite translate 2-to-1 20