The following trigger types are supported on a capture SAP:
dhcp
    DHCPv4 client messages
pppoe
    PPPoE PADI messages from PPPoE clients
    The MSAP is created after the IP address is provided. A short temporary state handles packets between the PADO and ACK.
arp
    ARP-Request from an ARP host with a statically configured IPv4 address
dhcp6
    DHCPv6 client messages
rtr-solicit
    Router Solicitation messages from SLAAC hosts
data
    An ARP-Request, IPv4 or IPv6 packet received from a data-triggered host
Multiple trigger types can be enabled on a single capture SAP. The data and arp trigger types are mutually exclusive.
A capture SAP is created in a VPLS service by specifying the capture-sap parameter. A capture SAP does not forward traffic but captures received trigger packets for authentication. Similar to a default SAP, at least one of the qtags of a capture SAP must be a wildcard *, meaning any tag value. See the following example configuration.
vpls 10 customer 1 create
    sap 1/1/1:*.* capture-sap create
        description "capture sap"
        trigger-packet arp dhcp dhcp6 pppoe
        authentication-policy "auth-policy-1"
    exit
    no shutdown
exit
A capture SAP and default SAP cannot be configured simultaneously on a dot1q-encapsulated port. A capture SAP and default SAP cannot be configured simultaneously on a qinq-encapsulated port when the outer tag is the same.
A SAP lookup based on the outer and inner tags is performed when a packet is received on a port. When no corresponding SAP or MSAP is found, the packet is handled by the capture SAP, meaning that the trigger packets are sent to the CPM and all other packets are dropped.
An ingress VLAN ID (VID) type mac filter can be configured on a capture SAP to have additional control on the VLANs that are allowed to initiate a host setup. Other filter types are not supported on a capture SAP.
For a capture SAP on a dot1q-encapsulated port:
<port-id>:*
Matches any valid single-tagged trigger packet on a <port-id> for which no more specific SAP or MSAP is found.
A single q-tag (<port-id>:tag) is available for authentication.
The corresponding MSAP is created as: <port-id>:tag.
For a capture SAP on a qinq-encapsulated port:
<port-id>:*.*
Matches any valid double tagged trigger packet on a <port-id> for which no more specific SAP or MSAP is found.
Both q-tags (<port-id>:tag1.tag2) are available for authentication.
The corresponding MSAP is created as: <port-id>:tag1.tag2.
The optional allow-dot1q-msaps command configured at the capture SAP enables additional support for single-tagged trigger packets:
Valid single-tagged trigger packets for which no more specific SAP or MSAP is found are matched on <port-id>
A single q-tag is available for authentication; the second tag is set to zero (<port-id>:tag.0)
The corresponding MSAP is created as: <port-id>:tag.0
The config>system>ethernet>new-qinq-untagged-sap command should be configured where a combination of <port-id>:tag1.0 and <port-id>:tag1.tag2 MSAPs coexist. When not configured, <port-id>:tag1.0 MSAPs attract double-tagged <port-id>:tag1.tag2 encapsulated traffic, which is either dropped (IPoE traffic) or handled as single-tagged traffic, causing PPPoE sessions to fail.
<port-id>:tag1.*
Matches any valid double-tagged trigger packet with an outer tag equaling tag1 on <port-id> and for which no more specific SAP or MSAP is found.
Both q-tags (<port-id>:tag1.tag2) are available for authentication.
The corresponding MSAP is created as: <port-id>:tag1.tag2.
The optional allow-dot1q-msaps command configured at the capture SAP enables additional support for single-tagged trigger packets:
Valid single-tagged trigger packets with tag equaling tag1 and for which no more specific SAP or MSAP is found are matched on <port-id>
A single q-tag is available for authentication; the second tag is set to zero (<port-id>:tag1.0)
The corresponding MSAP is created as: <port-id>:tag1.0
It is a prerequisite to have the config>system>ethernet>new-qinq-untagged-sap command configured to enable both <port-id>:tag1.* capture-sap and <port-id>:tag1.0 MSAP to coexist. The <port-id>:tag1.0 capture-sap cannot be created when not configured.
<port-id>:*.tag2
Matches any valid double-tagged trigger packet with inner tag tag2 on <port-id> for which no more specific SAP or MSAP is found.
Both q-tags (<port-id>:tag1.tag2) are available for authentication.
The corresponding MSAP is created as: <port-id>:tag1.tag2.
This is an inverse capture SAP that matches on a fixed inner tag with the outer tag identifying the user. The following restrictions apply when an inverse capture SAP is configured on a port:
Ethernet ports only
It is not possible to create y.* SAPs when there is a *.x capture SAP present on the port (y=0,1..4094,* and x=1..4094).
It is not possible to create a y.* network interface when there is a *.x capture SAP present on the port (y=0,1..4094,* and x=1..4094).
There is no support for single-tagged MSAP creation.
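The matching rules above can be checked against a planned VLAN layout with a small model. The following Python is an added example, not part of the original documentation or of the router software; the function names and sample tag values are hypothetical, and the model looks only at VLAN tags (it ignores the VID filter and the authentication result).

```python
# Added example: simplified model of the capture SAP matching rules above.
TRIGGERS = {"dhcp", "pppoe", "arp", "dhcp6", "rtr-solicit", "data"}

def check_triggers(triggers):
    """Reject unknown trigger types and the data/arp combination."""
    unknown = set(triggers) - TRIGGERS
    if unknown:
        raise ValueError(f"unsupported trigger types: {sorted(unknown)}")
    if {"data", "arp"} <= set(triggers):
        raise ValueError("data and arp are mutually exclusive")
    return True

def msap_encap(capture, tags, allow_dot1q_msaps=False, existing=()):
    """Return the encap ("tag" or "tag1.tag2") of the MSAP created for a
    trigger packet, or None if this capture SAP does not handle it.
    capture:  encap of the capture SAP ("*", "*.*", "tag1.*", "*.tag2")
    tags:     VLAN IDs of the trigger packet, outer tag first
    existing: encaps of SAPs/MSAPs that already exist on the port"""
    want = capture.split(".")
    if "*" not in want:
        raise ValueError("at least one qtag of a capture SAP must be a wildcard")
    got = [str(t) for t in tags]
    if len(want) == 2 and len(got) == 1:
        # Single-tagged packet on a qinq port: needs allow-dot1q-msaps and is
        # never supported on an inverse (*.tag2) capture SAP.
        if not allow_dot1q_msaps or want[1] != "*":
            return None
        got.append("0")            # second tag is set to zero
        want = [want[0], "0"]
    if len(want) != len(got):
        return None                # untagged, or tag count does not fit the port
    if any(w not in ("*", g) for w, g in zip(want, got)):
        return None
    encap = ".".join(got)
    # A more specific SAP or MSAP takes the packet before the capture SAP does.
    return None if encap in existing else encap

def needs_new_qinq_untagged_sap(msaps):
    """Outer tags for which tag1.0 and tag1.tag2 MSAPs coexist, the case in
    which new-qinq-untagged-sap should be configured."""
    single = {m.split(".")[0] for m in msaps if m.endswith(".0")}
    double = {m.split(".")[0] for m in msaps
              if "." in m and not m.endswith(".0")}
    return sorted(single & double)
```
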
To enable the creation of single-tagged and double-tagged MSAPs by a qinq-encapsulated capture SAP, enable the allow-dot1q-msaps command in the capture SAP context:
config service
    vpls 10 customer 1 create
        sap 1/1/1:*.* capture-sap create
            allow-dot1q-msaps
In addition, the new-qinq-untagged-sap command should be configured for scenarios as described previously:
config system
    ethernet
        new-qinq-untagged-sap
Be aware that enabling the new-qinq-untagged-sap command affects the behavior of existing <port-id>:tag1.0 SAPs.
Valid single-tagged trigger packets result in the creation of a <port-id>:tag.0 MSAP. With the encap-tag-range matching in a local user database, it is possible to specify different MSAP defaults for single-tagged or double-tagged MSAPs. For example:
config subscriber-mgmt
    local-user-db "ludb-1" create
        ipoe
            host "single-tagged" create
                host-identification
                    encap-tag-range start-tag *.0 end-tag *.0
                exit
                msap-defaults # defaults for dot1q MSAPs
                    group-interface "group-int-2"
                    policy "msap-policy-2"
                    service 2000
                exit
                no shutdown
            exit
        exit
config service
    vpls 10 customer 1 create
        sap 1/1/1:*.* capture-sap create
            trigger-packet dhcp dhcp6
            allow-dot1q-msaps
            ipoe-session
                ipoe-session-policy "ipoe-policy-1"
                user-db "ludb-1"
                no shutdown
            exit
            msap-defaults # defaults for qinq MSAPs
                group-interface "group-int-1"
                policy "msap-policy-1"
                service 1000
            exit
        exit