VLAN Demux

Dynamic QinQ VLAN interface creation from subscriber packets.

Overview

The VLAN demux daemon (abng-demux) dynamically creates QinQ VLAN sub-interfaces on-demand when subscriber packets arrive, eliminating the need to pre-provision interfaces.

How It Works

Packet Capture

abng-demux uses an AF_PACKET socket with a BPF filter to capture:

  • PPPoE Discovery (PADI) frames
  • DHCP Discover frames

Only frames matching the configured outer VLAN IDs are processed.

VLAN Detection

For each captured packet, abng-demux:

  1. Parses Ethernet header
  2. Extracts VLAN tags (supports arbitrary nesting depth)
  3. Matches against configured outer VLANs
  4. Extracts S-Tag and C-Tag from QinQ frame

Interface Creation

When a new VLAN combination is detected:

  1. Check if interface already exists
  2. Create VLAN interface with naming convention: {trunk}.{outer}.{stag}.{ctag}
  3. Bring interface up
  4. Notify abngd of new interface
  5. abngd tells accel-ppp/abng-dhcpd to bind to interface

Cleanup

A background task runs every 60 seconds:

  1. Check each dynamic interface for active sessions
  2. Check traffic counters
  3. If no sessions and no traffic for idle_timeout, remove interface
  4. Tear down in reverse order (C-Tag first, then S-Tag, then outer VLAN)

Configuration

demux:
  enabled: true
  profiles:
    - name: "residential"
      trunk_interface: "eth1"
      outer_vlans: [111]
      stag_range: "100-999"
      ctag_range: "1-4094"
      stag_protocol: "802.1ad"
      services: ["pppoe", "dhcp"]
      idle_timeout: 3600
      max_interfaces: 50000
      creation_rate_limit: 100
      require_packets: 2
      require_window: 5

Safety Features

Rate Limiting

At most creation_rate_limit interfaces are created per second (default 100).

Prevents DoS attacks from malicious or misconfigured devices.

Packet Validation

Requires require_packets matching packets within require_window seconds before creating an interface.

Prevents spurious interface creation from single corrupt frames.

Hard Limits

At most max_interfaces dynamic VLAN interfaces may exist at once (default 50000).

Prevents resource exhaustion from unlimited interface creation.

Idle Cleanup

Interfaces with no sessions and no traffic for idle_timeout seconds are automatically removed.

Prevents stale interface accumulation.
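
The packet validation, rate limiting and hard limit described above can be read as one admission gate in front of interface creation. The sketch below is an added example, not abng-demux's own code: the class, method and verdict names are hypothetical, only the four configuration keys come from this page, and the replayed events are constructed.

```python
import collections

class CreationGate:
    """Hypothetical admission gate; only the four config keys come from the page."""

    def __init__(self, require_packets=2, require_window=5,
                 creation_rate_limit=100, max_interfaces=50000):
        self.require_packets = require_packets
        self.require_window = require_window
        self.creation_rate_limit = creation_rate_limit
        self.max_interfaces = max_interfaces
        self.sightings = collections.defaultdict(collections.deque)
        self.interfaces = set()            # VLAN tuples that already have an interface
        self.bucket = (None, 0)            # (whole second, interfaces created in it)

    def observe(self, key, now):
        """key = (trunk, outer, stag, ctag); now = capture time in seconds."""
        if key in self.interfaces:
            return "exists"
        seen = self.sightings[key]
        seen.append(now)
        # Packet validation: keep only sightings inside require_window.
        while now - seen[0] > self.require_window:
            seen.popleft()
        if len(seen) < self.require_packets:
            return "pending"
        # Hard limit: refuse before creating anything; sightings stay for a retry.
        if len(self.interfaces) >= self.max_interfaces:
            return "denied:max_interfaces"
        # Rate limit: fixed one-second bucket shared by all VLAN tuples.
        second, count = self.bucket
        if second != int(now):
            second, count = int(now), 0
        if count >= self.creation_rate_limit:
            return "denied:rate_limit"
        self.bucket = (second, count + 1)
        self.interfaces.add(key)
        del self.sightings[key]
        return "create"

def demo():
    """Replay constructed (key, time) events through a deliberately tiny gate."""
    gate = CreationGate(creation_rate_limit=1, max_interfaces=2)
    a, b, c = (("eth1", 111, 500, ctag) for ctag in (100, 101, 102))
    events = [(a, 0.0), (a, 10.0), (a, 12.0), (a, 12.1), (b, 12.2),
              (b, 12.3), (b, 13.0), (c, 13.1), (c, 14.0)]
    return [gate.observe(key, t) for key, t in events]
```

The sightings table is fed directly by captured frames and this sketch never expires a key that was seen only once, so a real daemon would need to bound and age that table as well.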

Interface Naming

Interfaces are named using the convention:

{trunk_interface}.{outer_vlan}.{stag}.{ctag}

Example:

eth1.111.500.100 (trunk=eth1, outer=111, stag=500, ctag=100)
eth1.111.501.200 (trunk=eth1, outer=111, stag=501, ctag=200)

VLAN Protocol

802.1Q (C-Tag)

Standard VLAN tag (Customer Tag):

  • TPID: 0x8100
  • VID: 12 bits (0-4095)
  • Used for customer VLAN

802.1ad (S-Tag)

Service VLAN tag (Service Tag):

  • TPID: 0x88A8
  • VID: 12 bits (0-4095)
  • Used for service provider VLAN

Monitoring

View Dynamic VLAN Interfaces

abng> show vlans
┌──────────────────────┬──────────┬──────────────┬──────────┐
│ Interface            │ State    │ Sessions     │ Idle     │
├──────────────────────┼──────────┼──────────────┼──────────┤
│ eth1.111.500.100     │ UP       │ 1            │ 0s       │
│ eth1.111.500.101     │ UP       │ 1            │ 0s       │
│ eth1.111.500.102     │ UP       │ 0            │ 245s     │
└──────────────────────┴──────────┴──────────────┴──────────┘

Check Interface Creation Rate

sudo journalctl -u abng-demux -f | grep "created"

Monitor VLAN Count

ip link show | grep -c "eth1\."

Troubleshooting

No VLAN Interfaces Created

  1. Check demux is enabled: show configuration | match demux
  2. Check trunk interface is up: ip link show eth1
  3. Check for matching packets: tcpdump -i eth1 -e 'ether[12:2] == 0x8100'
  4. Check demux logs: journalctl -u abng-demux -f

VLAN Interfaces Not Cleaned Up

  1. Check idle timeout: show configuration | match idle_timeout
  2. Check for active sessions: show subscribers
  3. Check interface traffic: ethtool -S eth1.111.500.100

Too Many VLAN Interfaces

  1. Check max_interfaces limit: show configuration | match max_interfaces
  2. Increase limit if needed
  3. Check for stale sessions: show subscribers

Best Practices

  1. Outer VLANs — Use different outer VLANs for different subscriber types
  2. VLAN Ranges — Allocate sufficient ranges for expected subscriber count
  3. Idle Timeout — Balance between resource cleanup and session stability
  4. Rate Limiting — Adjust based on expected subscriber growth rate
  5. Monitoring — Monitor VLAN interface count and cleanup frequency
