BDCOM P3310B in IPoE network with S-VLAN scheme - News Nag.ru

2022-03-10 08:01:22 By : Mr. YuanHao Company

Of course, the most obvious thing is the price of the device. It's no secret that the pricing situation for end subscribers in the Russian Internet market is far from ideal: channel capacity has to be increased every year, operators' costs keep growing, but the subscriber base does not grow to match, since everything has already been built before us. The only place left to grow is the private sector. What is the problem with the private sector? There is nowhere to put a node, and deploying the classic, familiar Ethernet is simply impractical. You need heated cabinets, you need power, you need space for all of it. Having built a couple of villages with "subscriber nodes" and realized that operating them is absolutely impossible, almost everyone ends up with xPON technology. And, of course, the agony of choice begins. In fact, there are not that many vendors on show at Sviaz-Expocom or on the pages of shop.nag.ru:

- Eltex
- Imaqliq
- Dasan
- BDCOM

And here the most interesting part begins. The most popular access technology now is IPoE: issuing IP addresses via DHCP. Historically, our company implemented this whole fashionable thing before the community settled on the most sensible "vlan per user" scheme, so we have the so-called "s-vlan", aka "vlan per house", "vlan per switch" and, in the case of PON, "vlan per OLT". This imposes certain requirements on the intelligence of the equipment. In switches this is the so-called L2+ functionality. Most important are DHCP relay with option 82 and either ACLs or DHCP snooping, so that an address can be issued to a specific port and pinned there against possible substitution.

Eltex: "OK, guys, we will give you a programmer now, and you will sort everything out with him." Two weeks later we have firmware with DHCP option 82 added. In addition, the Eltex LTE-8ST device at that time already had DHCP/ARP snooping.

Dasan: 상형 문자? I'm sorry, what? Oh, shall we communicate through an interpreter? So let's see...
"Our RND check your requirement. But, the feedback is negative." Well, thanks for the help.

BDCOM: Translator again? Here I want to stop and say "thank you" to the guys from shop.nag.ru. Still, at least there is some support. I am very pleased with the decision not to buy the device on the side but to turn to people I already know; it solved a couple of problems. Now they will throw stones at me: they say our Ukrainian colleagues have chewed through all the problems ten times over and all the crutches are known. You may be right, take your pick. I read local.com.ua and found little really useful information, except that "epon dba hardware cycletime 25000 discovery-frequence 60 discovery-length 1024" proved useful (it reduces response time and lets some third-party ONUs work).

Well, I digress. DHCP option 82 is supported, DHCP snooping is there, static ACLs are there. Wonderful. The lyrics end, the real work begins.

The P3310B is on the table, with two ONUs: a P1501C1 (gigabit, one port) and a P1004C1 (100 Mbit, four ports). As I already noted, we have "s-vlan". The scheme is elementary. There is a router with a bunch of VLANs with L3 interfaces; they come to the OLT and are forwarded directly to the port where the subscriber is connected. He is then given an IP, and all of this goes to the L3-connected BRAS. The issued IP is pinned on the ONU. Everyone is happy.

First, the OLT firmware update:

```
#copy tftp: flash: xxxx
Source file name[]?bdcom/3314_en_21324.bin
Destination file name[bdcom/3314_en_21324.bin]?Switch.bin
#reboot
```

Then the base configuration (the lines starting with !### are my comments):

```
!
!### Required basic services
service timestamps log date
service timestamps debug date
service password-encryption
!
!### Set syslog server address
logging 172.16.0.2
logging buffered 131072
logging buffered informational
!
hostname BDTEST
!
ip default-gateway 172.16.12.1
!
no spanning-tree
!
!### Fuck netbios and dhcp servers from client side
ip access-list extended subs.filter
 deny tcp any any eq 135
 deny tcp any any eq 136
 deny tcp any any eq 137
 deny tcp any any eq 138
 deny tcp any any eq 445
 deny udp any any eq 68
 permit ip any any
!
!### By default let people get addresses via DHCP
ip access-list extended sub-DUMMY
 permit udp any eq 68 any eq 67
 deny ip any any
!
!### Reduces ping, allows some third-party ONUs
epon dba hardware cycletime 25000 discovery-frequence 60 discovery-length 1024
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization exec default local
!
username admin password password
!
!### Base ONU config to be applied to freshly connected ONUs
epon onu-config-template ots
!### Allow a maximum of 10 MACs on a subscriber port
 cmd-sequence 1 switchport port-security mode dynamic
 cmd-sequence 2 switchport port-security dynamic maximum 10
!### Guest/blocking vlan by default; here you could just as well specify the s-vlan itself.
!### This is specific to our network.
 cmd-sequence 3 epon onu all-port ctc vlan mode tag 1261
!### Multicast vlan, max 5 groups per port
 cmd-sequence 4 epon onu all-port ctc mcst mc-vlan add 1251
 cmd-sequence 5 epon onu all-port ctc mcst tag-stripe enable
 cmd-sequence 6 epon onu all-port ctc mcst max-group-number 5
!### Catching loops
 cmd-sequence 7 epon onu all-port loopback detect
!### Block everything except DHCP by default
 cmd-sequence 8 epon onu all-port ip access-group sub-DUMMY
!
interface GigaEthernet0/1
 description Uplink Copper
 switchport trunk vlan-allowed 1201,1251,1261,2201,3201
 switchport trunk vlan-untagged none
 switchport mode trunk
!### This is a very important point: you must specify the multicast vlan here!
 switchport pvid 1251
 dhcp snooping trust
 no shutdown
!
interface GigaEthernet0/2
!
interface GigaEthernet0/3
 description Uplink Fiber
 switchport trunk vlan-allowed 1201,1251,1261,2201,3201
 switchport trunk vlan-untagged none
 switchport mode trunk
 switchport pvid 1251
 dhcp snooping trust
 no shutdown
!
interface GigaEthernet0/4
interface GigaEthernet0/5
interface GigaEthernet0/6
!
interface EPON0/1
!### By default, use the profile named ots for all newly connected ONUs
 epon pre-config-template ots binded-onu-llid 1-64
!### Throw all vlans in there except the management one
 switchport trunk vlan-allowed 1251,1261,2201,3201
 switchport mode trunk
!### Filter everything else
 ip access-group subs.filter
 no shutdown
!
!### Same as above
interface EPON0/2
interface EPON0/3
interface EPON0/4
!### Similarly
!
interface VLAN1201
 description Management Interface
 ip address 172.16.12.10 255.255.255.0
!
vlan 1201
 name vlan1201
!
vlan 1251
 name vlan1251
!
vlan 1261
 name vlan1261
!
vlan 2201
 name vlan2201
!
vlan 3201
 name vlan3201
!
vlan 1,1201,1251,1261,2201,3201
!
ip mcst enable
ip mcst timer router-age 600
ip mcst timer response-time 120
ip mcst series-connection
!
!### List the multicast groups we use in IPTV
ip mcst mc-vlan 1251 range 237.5.1.7 - 237.5.1.9 , 237.5.1.11 - 237.5.1.17 , 237.5.1.19 - 237.5.1.22 , 237.5.1.25 - 237.5
ip mcst mc-vlan 1251 range 237.5.1.29 - 237.5.1.30 , 237.5.1.50 , 237.5.1.60 , 237.5.1.70
!
!### Enable snooping for the record. In fact, it will not work
ip dhcp-relay snooping
ip dhcp-relay snooping vlan 1261,2201,3201
ip dhcp-relay snooping database-agent 172.16.0.2
ip dhcp-relay snooping db-file bdcom/fc:fa:f7:c9:fc:1c-leases
!
!### On the TFTP server: /srv/tftp/bdcom/fc:fa:f7:c9:fc:1c-leases ; chmod 666 /srv/tftp/bdcom/fc:fa:f7:c9:fc:1c-leases
!
ip dhcp-relay snooping write-immediately
!### We intercept subscribers' requests to the DHCP server and redirect them to our local relay,
!### where the smart system itself gives out the correct address. See the option format below
ip dhcp-relay snooping information option format hn-type host
ip dhcp-relay agent
ip dhcp-relay helper-address 172.16.0.3 vlan 1261,2201,3201
!
!### Above, we list the subscriber vlans everywhere. With a classic s-vlan there is one;
!### we have three because of the specifics of our network
!
!### The first thing to do is to disable this on all devices. It didn't even come up.
ip http language english
no ip http server
!
snmp-server community 0 community RW
!
time-zone Moscow 3 0
sntp master 3
sntp server 172.16.0.2
no sntp master
!
```

What to do after subscriber registration

Once an ONU registers, the ots template has been applied to it and its configuration looks like this:

```
!
interface EPON0/1:1
 onu-configuration
  switchport port-security dynamic maximum 10
  switchport port-security mode dynamic
  epon onu port 1 ctc vlan mode tag 1261
  epon onu port 1 loopback detect
  epon onu port 1 ip access-group sub-DUMMY
  epon onu port 1 ctc mcst tag-stripe enable
  epon onu port 1 ctc mcst mc-vlan add 1251
  epon onu port 1 ctc mcst max-group-number 5
!
 onu-configuration-end
!
```

Then a per-subscriber ACL is created and applied to the ONU port together with the subscriber's VLAN:

```
!
ip access-list extended sub-FCFAF7D8BC92
 permit ip 10.228.17.5 255.255.255.255 any
 permit ip 10.143.0.0 255.255.0.0 any
 permit udp any eq 68 any eq 67
!
interface EPON0/1:1
 epon onu port 1 ctc vlan mode tag 2201
 epon onu port 1 ip access-group sub-FCFAF7D8BC92
!
```

This is how the option 82 that the OLT inserts into the relayed DHCP request is laid out (bytes in hex):

```
[52]           - Option 82
[27]           - Option 82 data length
[01]           - Sub-option 1 (agent circuit id) of option 82
[05]           - Sub-option 1 length
[0001000702]   - Port number data on the OLT, don't know exactly how to parse it
[02]           - Sub-option 2 (agent remote id) of option 82
[06]           - Sub-option 2 length
[fcfaf7d854b7] - ONU MAC
[09]           - Sub-option 9 of option 82
[15]           - Length of all sub-option data
[00000cf8]     - Vendor code (3320)
[10]           - Length of host data
[01]           - Code 1
[00]           - Length of data in code 1
[02]           - Code 2
[06]           - Length of data in code 2
[424454455354] - device hostname (BDTEST)
[03]           - Code 3
[04]           - Length of data in code 3
[ac100c0a]     - host IP address (172.16.12.10)
```

How to get around ARP/DHCP snooping

In theory, it's a good idea. A DHCPACK passes through the internal DHCP relay and the OLT knows that a particular address has been assigned to a particular subscriber. Nothing prevents it from blocking any other packets in which either the IP or the MAC differs. Very convenient. In theory. In practice it gives rise to a number of problems:

- Static addresses cannot be used. DHCP only.
- All sorts of cunning (crooked) routers go out the window, and users with Windows 98 go there too. This is rarely a problem, but if you like to hook corporate clients (yuriks) into a regular subscriber network, it can become one.
- After
rebooting the OLT, it needs to remember which addresses were issued to whom, otherwise everything breaks for clients, traffic stops, the number of calls to support goes up, and so on.

We gave up long ago on even trying to use this beautiful dynamic scheme on regular switches, and there were no doubts left when integrating BDCOM either: only static ACLs. Reliable, dull, but of course there are nuances (a small note: Eltex still cannot do static ACLs and, it seems, is not going to).

How to feel our love

That moment when I really did not regret having turned to shop.nag.ru after all. An ACL was written that opens access only to the addresses I need; it should be hung on the end port of the ONU:

```
ip access-list extended sub-FCFAF7D8BC92
!### pin the subscriber's IP, from which he can access the Internet
 permit ip 10.228.17.5 255.255.255.255 any
!### allow the subnet in which the STBs sit; there can be many of them, and all authorization goes through the portal
 permit ip 10.143.0.0 255.255.0.0 any
!### allow DHCP requests from clients
 permit udp any eq 68 any eq 67
!
```

And of course it didn't work. Not on either of the ONUs: not on the gigabit one, not on the 100 Mbit one. More precisely, it worked, but partially. Anything other than /32 doesn't work, i.e. in the example above, rules 1 and 3 worked.
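A parser for the option 82 layout shown above, as an added example (not code from the article or from BDCOM). It is what a relay or DHCP server would run to turn the relayed request into a (ONU MAC, OLT port) binding before deciding which lease to hand out, and it rejects a length that does not match the bytes rather than guessing. The sample bytes are constructed from the dump above, with the option length byte set to the 38 bytes of payload actually itemized (0x26; the dump shows 0x27, one more than the bytes it lists), and the second sample keeps the 0x27 to show the check firing.

```python
"""Parse the DHCP relay agent information option (option 82) as inserted
by the OLT described in the article. Added example, not the article's or
BDCOM's own code; sample bytes are constructed from the dump in the article."""

# Sub-option codes: 1 and 2 from RFC 3046, 9 (vendor-specific) from RFC 4243
CIRCUIT_ID = 1
REMOTE_ID = 2
VENDOR_SPECIFIC = 9


def parse_vendor_specific(data: bytes) -> dict:
    """Sub-option 9: 4-byte enterprise number, 1-byte length, then
    (code, length, value) triples. In the dump, code 2 is the OLT hostname
    and code 3 the OLT management IP; code 1 is present but empty."""
    if len(data) < 5:
        raise ValueError("vendor sub-option too short")
    enterprise = int.from_bytes(data[:4], "big")
    body = data[5:]
    if len(body) != data[4]:
        raise ValueError(f"vendor data length {data[4]} != {len(body)} bytes present")
    fields, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated vendor field header")
        code, flen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + flen]
        if len(value) != flen:
            raise ValueError(f"vendor field {code} truncated")
        fields[code] = value
        pos += 2 + flen
    out = {"enterprise": enterprise}
    if 2 in fields:
        out["hostname"] = fields[2].decode("ascii", "replace")
    if 3 in fields and len(fields[3]) == 4:
        out["olt_ip"] = ".".join(str(b) for b in fields[3])
    return out


def parse_option82(opt: bytes) -> dict:
    """Return circuit_id (hex), remote_id (ONU MAC) and the vendor fields.
    Any length that disagrees with the bytes present raises ValueError."""
    if len(opt) < 2 or opt[0] != 82:
        raise ValueError("not an option 82 blob")
    payload = opt[2:]
    if len(payload) != opt[1]:
        raise ValueError(f"option 82 length {opt[1]} != payload size {len(payload)}")
    result, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, sublen = payload[pos], payload[pos + 1]
        data = payload[pos + 2:pos + 2 + sublen]
        if len(data) != sublen:
            raise ValueError(f"sub-option {code} truncated")
        pos += 2 + sublen
        if code == CIRCUIT_ID:
            result["circuit_id"] = data.hex()
        elif code == REMOTE_ID:
            result["remote_id"] = ":".join(f"{b:02x}" for b in data)
        elif code == VENDOR_SPECIFIC:
            result["vendor"] = parse_vendor_specific(data)
        else:
            result.setdefault("other", {})[code] = data.hex()
    return result


def binding_key(opt: bytes):
    """(ONU MAC, circuit id) pair a DHCP server would key a lease on."""
    parsed = parse_option82(opt)
    return parsed["remote_id"], parsed["circuit_id"]


def is_valid_option82(opt: bytes) -> bool:
    try:
        parse_option82(opt)
        return True
    except ValueError:
        return False


# Constructed from the article's dump; length byte corrected to 0x26 (38 bytes).
SAMPLE = bytes.fromhex(
    "52 26"
    "01 05 0001000702"
    "02 06 fcfaf7d854b7"
    "09 15 00000cf8 10 01 00 02 06 424454455354 03 04 ac100c0a"
)
# Same bytes with the 0x27 length as printed in the dump: one byte too long.
SAMPLE_BAD_LENGTH = b"\x52\x27" + SAMPLE[2:]

if __name__ == "__main__":
    print(parse_option82(SAMPLE))
    print("dump length as printed is valid:", is_valid_option82(SAMPLE_BAD_LENGTH))
```

The circuit-id bytes are left as hex because, as the article says, their exact port encoding is not known; a server should still store them verbatim, since together with the ONU MAC they identify where the request entered the network.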
But I definitely need a subnet! What to do? Write to support@nag.ru. I really do not like writing there, because I have the negative experience of many hours of pouring from empty to empty, but there is no choice: it's better than nothing at all. Several therapy sessions, requests to the Chinese and checks later, the problem was solved. For rule 2, i.e. subnets wider than /32, to work, the ONUs need to be reflashed:

- P1004C1 - up to version 10.0.16A 1030
- P1501C1 - up to version 10.0.17A 1017

Unfortunately, BDCOM has no automatic ONU firmware update. Here Eltex is ahead again. So we sit down and write code that will do this automatically. Or update by hand:

```
epon update onu image 1004C1.zblob interface EPON0/1:1
# wait 1.5 minutes and confirm the flashing:
epon commit-onu-image-update interface EPON0/1:1
```

The firmware files need to be placed on the OLT's flash. For some reason the Chinese stopped putting a cheap larger flash into the device, so the files we need fit only alongside the OLT 21324 firmware.
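To automate the per-subscriber ACL described above and to catch the firmware limitation the article ran into, an added example (not the author's or BDCOM's own code). It emits the ACL and ONU port commands in the syntax shown in the article and reports any rule wider than /32 as blocked when the ONU firmware is below the versions the article gives, so it is not pushed to an ONU that would silently ignore it. The ordering of version strings (numeric fields, then the letter suffix, then the build number) is my assumption, and the subscriber data is constructed.

```python
"""Per-subscriber static ACL generator with an ONU firmware check.
Added example, not the article's or BDCOM's code. Command syntax and the
minimum firmware versions are taken from the article; version ordering is
an assumption; subscriber data below is constructed."""
import ipaddress
import re

# Minimum ONU firmware on which permit rules wider than /32 work (from the article).
MIN_FIRMWARE = {"P1004C1": "10.0.16A 1030", "P1501C1": "10.0.17A 1017"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z]?)\s+(\d+)$")


def parse_version(text: str) -> tuple:
    """'10.0.16A 1030' -> (10, 0, 16, 'A', 1030); assumed ordering."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, letter, build = m.groups()
    return (int(major), int(minor), int(patch), letter, int(build))


def firmware_ok(model: str, version: str) -> bool:
    """True if this ONU model/version can apply rules wider than /32."""
    if model not in MIN_FIRMWARE:
        raise ValueError(f"unknown ONU model {model!r}")
    return parse_version(version) >= parse_version(MIN_FIRMWARE[model])


def acl_name(mac: str) -> str:
    """sub-<MAC without separators, upper case>, as the article names them."""
    hexmac = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexmac) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return "sub-" + hexmac.upper()


def subscriber_acl(mac: str, subscriber_ip: str, stb_subnets):
    """Return (acl_lines, wide_rules). wide_rules are the permits that are
    not /32 and therefore depend on the newer ONU firmware."""
    host = ipaddress.ip_network(subscriber_ip)
    if host.prefixlen != 32:
        raise ValueError("subscriber address must be a single host (/32)")
    lines = [f"ip access-list extended {acl_name(mac)}",
             f" permit ip {host.network_address} 255.255.255.255 any"]
    wide = []
    for subnet in stb_subnets:            # STB/portal networks, netmask form as on the OLT
        net = ipaddress.ip_network(subnet)
        rule = f" permit ip {net.network_address} {net.netmask} any"
        lines.append(rule)
        if net.prefixlen != 32:
            wide.append(rule.strip())
    lines.append(" permit udp any eq 68 any eq 67")   # DHCP client -> server
    lines.append("!")
    return lines, wide


def onu_port_commands(epon_if: str, port: int, svlan: int, mac: str):
    return [f"interface {epon_if}",
            f" epon onu port {port} ctc vlan mode tag {svlan}",
            f" epon onu port {port} ip access-group {acl_name(mac)}",
            "!"]


def provision(model, firmware, epon_if, port, svlan, mac, subscriber_ip, stb_subnets):
    """Commands to push, plus the rules the ONU firmware cannot apply.
    A non-empty blocked_rules means: reflash first, do not push."""
    acl, wide = subscriber_acl(mac, subscriber_ip, stb_subnets)
    blocked = [] if (not wide or firmware_ok(model, firmware)) else wide
    return {"commands": acl + onu_port_commands(epon_if, port, svlan, mac),
            "blocked_rules": blocked}


if __name__ == "__main__":
    # Constructed subscriber: values mirror the article's example ACL.
    result = provision("P1004C1", "10.0.16A 1030", "EPON0/1:1", 1, 2201,
                       "fc:fa:f7:d8:bc:92", "10.228.17.5", ["10.143.0.0/16"])
    print("\n".join(result["commands"]))
    print("blocked:", result["blocked_rules"])
```

Keeping the subscriber address as a mandatory /32 is what makes the static ACL a real binding: the ACL on the ONU port only ever passes traffic from that one address, so a client that changes its IP loses connectivity instead of borrowing someone else's address space.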
```
1 olt.blob        626580  WED MAR 12 14:14:52 2014
3 startup-config   30092  TUE DEC 16 19:00:08 2014
5 ifindex-config     224  TUE DEC 16 19:00:18 2014
4 1004C1.zblob    551286  TUE JAN 11 01:08:12 2106
0 Switch.bin     5716247  TUE JUN 04 01:37:10 2075
6 1501C1.zblob    498486  TUE DEC 16 11:28:24 2014
free space 294912
```

How to get around multicast vlan

The Chinese excelled on this one too. They believe that there can be no more than 256 channels in IPTV and that multicast groups must go in order, i.e. you can't write "ip mcst mc-vlan 1251 range 237.1.0.1 - 237.5.1.254". You have to write each group you actually need, separated by commas. Or, again, we sit down to write code and put in a crutch. Again, both telnet and SNMP can be used. I can only suggest the OID to add or remove a group (PHP-style, with the multicast VLAN and the group appended): '.1.3.6.1.4.1.3320.101.5.1.1.3.'.$mcastvlan.'.'.$group

Intermediate results

A cheap PON solution appeared on the Russian market much later than our desire to build a passive network, so all the quick and tasty villages hang on Eltex. At the moment the number of subscribers per device on the new BDCOM OLTs is far from the desired figure. For this reason, nothing unequivocal can be said about the reliability of the device in question. Our statistics show exactly one call to technical support in 3 months of operating 2 head-end stations on the network.

Tishkov Andrey, Chief Engineer, http://www.ots-net.ru
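For the multicast VLAN crutch described in the "How to get around multicast vlan" section above (every group listed explicitly, at most 256 of them), an added example that is not the author's or BDCOM's code. It compacts a channel list into the comma-separated "ip mcst mc-vlan ... range" form the OLT accepts, using ranges only where the groups really are consecutive, and builds the per-group OIDs under the prefix the article gives. The 256-group limit and the OID form come from the article; the channel list is constructed, and the SNMP set itself is not shown because the article does not give the value syntax.

```python
"""Build the OLT's explicit multicast group list and per-group SNMP OIDs.
Added example, not the article's or BDCOM's code. The CLI form, the 256
limit and the OID prefix come from the article; the channel list is
constructed."""
import ipaddress

MAX_GROUPS = 256                                  # limit reported in the article
OID_PREFIX = ".1.3.6.1.4.1.3320.101.5.1.1.3"     # from the article; row is <vlan>.<group>


def compact_ranges(groups):
    """Sort and dedupe the groups, then merge consecutive addresses into
    (first, last) pairs. Single groups come back as (g, g)."""
    addrs = sorted({ipaddress.IPv4Address(g) for g in groups})
    for a in addrs:
        if not a.is_multicast:
            raise ValueError(f"{a} is not a multicast address")
    ranges = []
    for a in addrs:
        if ranges and int(a) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = a
        else:
            ranges.append([a, a])
    return [(str(first), str(last)) for first, last in ranges]


def mc_vlan_command(vlan: int, groups, per_line: int = 4):
    """CLI lines for the multicast VLAN, split like the article's config
    (per_line range entries per line)."""
    if len(set(groups)) > MAX_GROUPS:
        raise ValueError(f"more than {MAX_GROUPS} groups; the OLT will not take them")
    parts = [f"{first} - {last}" if first != last else first
             for first, last in compact_ranges(groups)]
    return [f"ip mcst mc-vlan {vlan} range " + " , ".join(parts[i:i + per_line])
            for i in range(0, len(parts), per_line)]


def group_oid(vlan: int, group: str) -> str:
    """Row OID for one group in one multicast VLAN, per the article's
    '.1.3.6.1.4.1.3320.101.5.1.1.3.'.$mcastvlan.'.'.$group."""
    return f"{OID_PREFIX}.{int(vlan)}.{ipaddress.IPv4Address(group)}"


def diff_groups(current, wanted):
    """(to_add, to_remove) needed to move the OLT from `current` to `wanted`,
    so only the changed rows are touched over SNMP."""
    cur, want = set(current), set(wanted)
    key = ipaddress.IPv4Address
    return sorted(want - cur, key=key), sorted(cur - want, key=key)


# Constructed channel list, deliberately unsorted and with gaps.
CHANNELS = ["237.5.1.9", "237.5.1.7", "237.5.1.8", "237.5.1.11", "237.5.1.12", "237.5.1.50"]

if __name__ == "__main__":
    print("\n".join(mc_vlan_command(1251, CHANNELS)))
    add, remove = diff_groups(["237.5.1.7", "237.5.1.8"], CHANNELS)
    for g in add:
        print("add   ", group_oid(1251, g))
    for g in remove:
        print("remove", group_oid(1251, g))
```

Because the OLT ties ONU ports to this list (max-group-number 5 per port in the template above), keeping the list minimal and diffing it rather than rewriting it on every change avoids briefly dropping every subscriber's IPTV stream during an update.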