Mike Hammett duly noted,

Fred, I don't think most of the people here understand what YOU'RE talking about. They think a switch is just a switch and they're all the same, but that's far from the truth.


Probably true, which is why I'd like to clarify it. Vendors who sell primarily to ISPs or one-company IP networks don't realize how big the "enterprise network" market is, now largely moving to Carrier Ethernet as a cheaper substitute for leased lines, which are grotesquely overpriced in much of the US (if you're not in a major data center). And there is opportunity for wireless here too, though nowadays it's mostly done via dedicated point-to-point radios, not shared networks.

At 10/12/2012 10:10 PM, Dennis Burgess wrote:
What is being described is the default behavior of any standard managed switch. There is no "virtual circuit" being built and it still "broadcasts" across said VLAN. They are simply only allowing the VLAN to go from point A to point B. This though can be done at wire speed in the hardware of any switch and MT.

I'm not sure we're talking about the same thing. It is allowing only the VLAN to go from A to B, while nothing else goes to A or B, and the VLAN is invisible to everyone else. Which is really virtual circuit behavior; VLAN is the legacy name of the VC ID.

In CE switching, then, the VLAN receives no broadcasts from anyone else on the switch or network, and sends no broadcasts outside. What goes onto that mapped port, or onto a VLAN pre-tagged to go to that port, is totally and completely invisible to all other users. So it's secure enough for public safety use on a shared PMD. This is different from a bridge, where broadcasts go everywhere. One type of MEF service (EP-LAN) does actually emulate a LAN with >2 ports and broadcasts among them, but the more common EPL and EVPL would not know a broadcast frame from anything else, since they just pass the MAC addresses transparently.

This is not an intelligent method (the switching system not the people talking about this), as there can only be STP or other non-standard protocols to handle fail over. The example is that if you have 5 switches in-line, you are simply ONLY allowing say vlan999 to tag ingress on port 22 on switch 1, then only flow though tagged on the trunk ports between switches, then finally only having one egress non-tagged port at switch 5 port 22.. Hence a sort of "circuit"..

Almost everything, including the RB951-2n, supports RSTP as well as STP, but yes beyond that the intelligence is non-standard. Cisco, for instance, has a fairly elaborate routing (in the literal sense, not IP) protocol for optimizing every path. Of course you don't see many multi-vendor CE networks... the edges can be different though.

This works great on large bandwidth wired applications, but going over anything wireless for the most part poses an issue. The "trunks" are still seeing all broadcast traffic from all devices, maybe its not going as far and yes you can control it a bit more, but in the end, a packet storm on one VLAN will take down the wireless connection and all trunks on a backhaul radio.

The idea is that there are no broadcast packets. You configure devices that use the network to think of it as point-to-point circuits. Broadcasts only go to the opposite end of that EPL (2-point) or EVPL (point-to-multipoint). I'm ignoring the EP-LAN case since that's not relevant here.

Also, traffic levels on each EPL (VLAN) are limited by the three-color traffic classifier (CIR+EIR). So you cap each user at the ingress, and optionally assign a CIR to a smaller amount, for applications like VoIP. However, typical unlicensed radio links aren't as predictable as fiber so the commitment isn't the same.

Simply because the UBNT or whatever radio you are using can't handle 100,000 pps. The switches, in hardware, can handle millions, making this situation not a major issue as we have plenty of hardware to handle those instances and with several mitigation systems built into these switches, you can further handle said traffic. Not saying this method does not work, simply has its own "gotchas" just like anything else.

I wonder if that hardware handles the VLANs with the QoS (CIR/CBS, EIR/EBS) features. Otherwise it could still be done in software, but not at the same speed. I'd still expect, for example, an LTI box to be able to do it fast enough to keep up with a Ubiquiti 5GHz radio. (AirFiber might be a bit trickier.)

The limitations is really in the fail over it don't care what kind of packets or even if the packets are "needed" to traverse the network, hence more traffic than needed, but its better than one large bridge. Building rings that have "disabled" ports can help, but still don't "intelligently" route around issues, as routing would do. But to the topic, yes, MT can ingress non-vlan tagged traffic and send it out as tagged traffic, and yes bridging is how that is done (mt is more switching than bridging in those aspects) and it also can be done with some of there hardware switch chips.

As for the topic at hand, never let your customer access your layer2 network, it will end up coming back to bite you. Hence, route your CPE, if the client wants a public, you route though the CPE as a router, if the client is a home user and don't want/need inbound access, give them a public on the CPE, and NAT a private. As far as their router inside, it should be setup to be a swtich with a AP, makes it simple, else, double-nat will not affect web/email applications

In the application I'm thinking of, the CPE can't route IP, as it's not a public IP network (ISP) application. It's the (more lucrative) enterprise network case, where the IP networks are private payload, so you're literally only providing a pipe for their networks. Now opening a bridge to customers would be a disaster, as the model of a bridge is to pass everything unless blocked. But a switch is the opposite, only pass what's explicitly allowed, nothing else. I used to avoid "Ethernet" stuff like the plague because it was all bridging until a few years ago, when MEF took off.

Dennis



On Fri, Oct 12, 2012 at 8:18 PM, Scott Reed <<mailto:sr...@nwwnet.net>sr...@nwwnet.net> wrote: MT has several devices with hardware switches on board and fully accessible through the GUI. They also have a switch sort of based on ROS.

On 10/11/2012 8:35 PM, Fred Goldstein wrote:
At 10/11/2012 06:52 PM, SamT wrote:
Not sure I under stand the no-NAT, so every device on the other side of the CPE has it's own public IP?

There could be one NAT, at the access point.

My taste, which to be sure I haven't tested at scale in a wireless network (but plan to), is to follow what is becoming standard wireline practice and do switching, not bridging, at "layer 2". Routing would then be lumped into one place, making it easier to manage.

The problem with small Linux-based systems (this includes both UBNT and MT) is that they don't tend to have switching documented or set up in the UI, even if it's possible. Bridging is bad -- it was designed for orange hose Ethernet, and it passes broadcast traffic to everyone. We invented this at DEC in the 1980s and discovered how it doesn't scale too well -- we had a couple of thousand DECnet and IP nodes on a bridged LAN, and the background broadcast traffic level was 400 kbps. This was a lot for systems to handle in 1991. I was testing ISDN bridges and "discovered" how you can't just bridge that type of network across a 56k connection. (I discovered the traffic when I first turned up the bridge. I ended up isolating it behind a router, built from an old VAX. At DEC, we built everything ouf of VAXen.)

Switching, though, is what Frame Relay and ATM do, and now Carrier Ethernet is the big thing for fiber. It uses the VLAN tag to identify the virtual circuit; the MAC addresses are just passed along. Since it's connection-oriented (via the tag), it can have QoS assigned. I think it's theoretically possible to tag user ports, route on tags and set QoS on RouterOS, but it's not obvious how to do it all. Switching doesn't pass broadcast traffic; it provides more isolation and privacy than plain routing. Mesh routing then works at that layer, transparent to IP. It'll be "interesting" to set up.


On 10/11/2012 4:53 PM, Scott Reed wrote:
We run MT, not UBNT, CPE, but it doesn't matter what brand it is. We run them in as routers, but do not NAT. Same benefits others mentioned for routing, just one fewer NAT. Never have a problem with it this way and can't see any good reason to NAT there.

On 10/11/2012 3:46 PM, Arthur Stephens wrote:
We currently use Ubiquiti radios in bridge mode and assign a ip address to the customers router.
He have heard other wisp are using the Ubiquiti radio as a router.
Would like feed back why one would do this when it appears customers would be double natted when they hook up their routers?
Or does it not matter from the customer experience?

 --
 Fred Goldstein    k1io   fgoldstein "at" ionary.com
 ionary Consulting              http://www.ionary.com/
 +1 617 795 2701 
_______________________________________________
Wireless mailing list
Wireless@wispa.org
http://lists.wispa.org/mailman/listinfo/wireless

Reply via email to