Capture SAP

The following trigger types are supported on a capture SAP:

Multiple trigger types can be enabled on a single capture SAP. The data and arp trigger types are mutually exclusive.

A capture SAP is created in a VPLS service by specifying the capture-sap parameter. A capture SAP does not forward traffic but captures received trigger packets for authentication. Similar to a default SAP, at least one of the qtags of a capture SAP must be a wildcard *, meaning any tag value. See the following example configuration.

vpls 10 customer 1 create
    sap 1/1/1:*.* capture-sap create
        description "capture sap"
        trigger-packet arp dhcp dhcp6 pppoe
        authentication-policy "auth-policy-1"
    exit
    no shutdown
exit

A capture SAP and default SAP cannot be configured simultaneously on a dot1q-encapsulated port. A capture SAP and default SAP cannot be configured simultaneously on a qinq-encapsulated port when the outer tag is the same.
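The rules stated so far (data and arp triggers are mutually exclusive, a capture SAP needs at least one wildcard qtag, and a capture SAP cannot share a dot1q port or a qinq outer tag with a default SAP) can be checked offline against saved configuration text. The following Python audit is an added example, not vendor code. It assumes the classic CLI syntax shown above and treats any non-capture SAP with a wildcard qtag as a default SAP; the function names and the sample configuration are constructed for illustration.

```python
import re

SAP_RE = re.compile(r"^\s*sap\s+(\S+?):(\S+)(\s+capture-sap)?\s+create")
TRIG_RE = re.compile(r"^\s*trigger-packet\s+(.+)$")

# Constructed sample (not from the page): breaks all three rules on purpose.
SAMPLE = """\
vpls 10 customer 1 create
    sap 1/1/1:*.* capture-sap create
        trigger-packet arp data dhcp
    exit
    sap 1/1/2:100.200 capture-sap create
        trigger-packet dhcp
    exit
exit
vpls 20 customer 1 create
    sap 1/1/1:*.* create
    exit
exit
"""

def parse_saps(config):
    """Return one dict per 'sap ... create' line, with its trigger types."""
    saps = []
    for line in config.splitlines():
        m = SAP_RE.match(line)
        if m:
            saps.append({"port": m[1], "tags": m[2].split("."),
                         "capture": bool(m[3]), "triggers": set()})
        elif saps and (t := TRIG_RE.match(line)):
            saps[-1]["triggers"] = set(t[1].split())
    return saps

def audit(config):
    """List violations of the capture SAP rules stated in the text."""
    saps, issues = parse_saps(config), []
    for s in (x for x in saps if x["capture"]):
        sid = f'{s["port"]}:{".".join(s["tags"])}'
        if "*" not in s["tags"]:
            issues.append(f"{sid}: no wildcard qtag")
        if {"data", "arp"} <= s["triggers"]:
            issues.append(f"{sid}: data and arp are mutually exclusive")
        for d in saps:
            # Assumption: a non-capture SAP with a wildcard qtag is a default SAP.
            if d["capture"] or d["port"] != s["port"] or "*" not in d["tags"]:
                continue
            # dot1q (one qtag): any default SAP clashes; qinq: same outer tag only.
            if len(s["tags"]) == 1 or d["tags"][0] == s["tags"][0]:
                issues.append(f"{sid}: default SAP on the same port/outer tag")
    return issues

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The encapsulation type is inferred from the number of qtags in the SAP identifier, so the check needs no port configuration as input.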

A SAP lookup based on the outer and inner tags is performed when a packet is received on a port. When no corresponding SAP or MSAP is found, the packet is handled by the capture SAP, meaning that the trigger packets are sent to the CPM and all other packets are dropped.

An ingress VLAN ID (VID) type mac filter can be configured on a capture SAP to have additional control on the VLANs that are allowed to initiate a host setup. Other filter types are not supported on a capture SAP.

For a capture SAP on a dot1q-encapsulated port:

<port-id>:* matches any valid single-tagged trigger packet on a <port-id> for which no more specific SAP or MSAP is found. A single q-tag (<port-id>:tag) is available for authentication. The corresponding MSAP is created as <port-id>:tag.

For a capture SAP on a qinq-encapsulated port:

To enable the creation of single-tagged and double-tagged MSAPs by a qinq-encapsulated capture SAP, enable the allow-dot1q-msaps command in the capture SAP context:

config service
    vpls 10 customer 1 create
        sap 1/1/1:*.* capture-sap create
            allow-dot1q-msaps

In addition, the new-qinq-untagged-sap command should be configured for scenarios as described previously:

config system
    ethernet
        new-qinq-untagged-sap

Be aware that enabling the new-qinq-untagged-sap command affects the behavior of existing <port-id>:tag1.0 SAPs.

Valid single-tagged trigger packets result in the creation of a <port-id>:tag.0 MSAP. With encap-tag-range matching in a local user database, it is possible to specify different MSAP defaults for single-tagged and double-tagged MSAPs. For example:

config subscriber-mgmt
    local-user-db "ludb-1" create
        ipoe
            host "single-tagged" create
                host-identification
                    encap-tag-range start-tag *.0 end-tag *.0
                exit
                msap-defaults # defaults for dot1q MSAPs
                    group-interface "group-int-2"
                    policy "msap-policy-2"
                    service 2000
                exit
                no shutdown
            exit
        exit
config service
    vpls 10 customer 1 create
        sap 1/1/1:*.* capture-sap create
            trigger-packet dhcp dhcp6
            allow-dot1q-msaps
            ipoe-session
                ipoe-session-policy "ipoe-policy-1"
                user-db "ludb-1"
                no shutdown
            exit
            msap-defaults # defaults for qinq MSAPs
                group-interface "group-int-1"
                policy "msap-policy-1"
                service 1000
            exit
        exit