docs: update TS README

0199fad7 · Jakob Olsson · fbcaee71 · 0199fad7
Commit 0199fad7 authored 2 years ago by Jakob Olsson
--- a/docs/README-Traffic_Separation.md
+++ b/docs/README-Traffic_Separation.md
@@ -2,28 +2,38 @@
 ## Overview
-This README documents important aspects regarding application of the Traffic Separation feature in Multi-AP system.
+This README documents important aspects regarding the Traffic Separation feature
-When Traffic Separation is in effect, traffic from different VLANs are isolated from each other.
+in a Multi-AP system. When Traffic Separation is in effect, traffic from
-Multiple SSIDs may belong to the same VLAN. The functionality for this is specified in Multi-AP Spec 2.0 chapter 19, which this
+different VLANs are isolated from each other. Multiple SSIDs may belong to the
-implementation is based on.
+same VLAN. The functionality for this is specified in Multi-AP Spec 2.0 chapter
-To achieve separation at layer 2 network, bridge vlan filtering feature is used and must be compiled into the kernel.
+19, which this implementation is based on. To achieve separation at layer 2
+network, bridge VLAN filtering feature is used and must be compiled into the
+kernel.
 ## Configuration
-The configuration governing the Traffic Separation (vlan tag numbering) comes from the map-controller.
+The configuration governing the Traffic Separation (per AP VLAN tag numbering)
+comes from the map-controller.
-Primary Vlan ID and Default PCP value is set via the controller global section, primary_vid '0' means
+### Enabling Traffic Separation
-Traffic Separation feature is disabled.
+To enable traffic separation there are two requirements for map-controller to
+pass the necessary Traffic Separation and Default 802.1Q Settings TLVs:
+* Traffic separation must be enabled via configuration (option enable_ts)
+* Primary VID must be set to a non-zero value (Today only '1' is supported)
 ```
 config controller 'controller'
 	option enabled '1'
 	option registrar '5 2'
 	option primary_vid '1'
-	option primary_pcp '2'
+	option primary_pcp '0'
+        option enable_ts '1'
 ```
-Each *ap* section specifies which Vlan ID it belongs to by the *vid* option:
+### Per AP VLAN Tagging
+Each *ap* section specifies which VLAN ID it belongs to by the *vid* option:
 ```
 config ap
@@ -51,7 +61,7 @@ config ap
        option key 'FPaY-7teN-hTHa-pgdT'
 config ap
-        option band '5'
+        option band '2'
        option ssid 'Another-Guest-Network'
        option encryption 'sae-mixed'
        option vid '20'         # Example guest VID 20
@@ -59,77 +69,94 @@ config ap
        option key 'FPaY-7teN-hTHa-pgdT'
 ```
+These VIDs will be passed in the Policy Config Request CMDU and during
+AP-Autoconfiguration along with AP-Autoconfiguration WSC (M2) CMDU and
+configured by map-agent.
 ## Implementation
-In order for map-agent to apply vlan tagging on the *Primary Network*, it must receive a **Default 802.1Q Settings TLV** containing the Primary Vlan ID.
+In order for map-agent to apply VLAN tagging on the *Primary Network*, it must
-This can be received in any of three ways:
+receive a **Default 802.1Q Settings TLV** containing the Primary VLAN ID. This
+can be received in any of three ways:
 - in a **AP-Autoconfiguration WSC** message from the map-controller
 - in a **Multi-AP Policy Config Request** message from the map-controller
 - as a Multi-AP IE subelement in **(Re-)Association Response** frames
-To apply tagging on *Secondary Networks*, it must receive a **Traffic Separation Policy TLV** containing at least one SSID to Vlan ID mapping.
+To apply tagging on *Secondary Networks*, it must receive a
-This can be received in either of the following CMDUs from map-controller:
+**Traffic Separation Policy TLV** containing at least one SSID to VLAN ID
+mapping. This can be received in either of the following CMDUs from
+map-controller:
 - a **AP-Autoconfiguration WSC** message
 - a **Multi-AP Policy Config Request** message
-When Map Agent receive proper Traffic Separation policy config it will reconfigure */etc/config/network* to enable
+When Map Agent receive proper Traffic Separation policy config it will
-vlan filtering on *al_bridge* (default br-lan) and configure vlan for Ethernet ports that were already bridged
+reconfigure */etc/config/network* to enable VLAN filtering on *al_bridge*
-to *al_bridge* and create *sink* veth interfaces that allow network layer 3 (IP, IPv6, DHCP etc.) access to the vlan networks.
+(default br-lan) and configure VLAN for Ethernet ports that were already bridged
+to *al_bridge*.
-```
-config device 'br_lan'
+Individual VLAN IDs for ports are configured using *bridge-vlan* network config
-        option name 'br-lan'
+entries. A bridge-vlan section allows a configuration of how a VLAN ID should
-	config device 'br_lan'
+be appended or untagged at the bridge and each specified port.
-        option type 'bridge'
-        list ports 'eth2'
+| Option | type    | Description |
-        list ports 'eth3'
+|--------|---------|-------------|
-        list ports 'eth4'
+| name   | string  | Unique section identifier |
-        option macaddr '44:D4:37:71:BE:32'
+| device | string  | Map to a device section with the same name |
-        option vlan_filtering '1'
+| vlan   | integer | VLAN ID for which this section dictates tagging ruels |
-```
+| flags  | string  | List of egress and ingress rules for the bridge.<br /> 'untagged' = Packets egress untagged for specified VID<br /> 'pvid' = Add VID tag for ingressing untagged frames |
+| local  | boolean | Whether any tagging rules should be applied at bridge level for this VLAN ID |
-Individual vlan ids for ports are configured using *bridge-vlan* network config entries.
+| ports  | string  | List of ports and port desired VLAN ID handling at port level<br /> '*port*:t' = Keep VID tag intact for ingressing and egressing traffic<br /> '*port*:*' = Add VID tag for ingress and remove tag on egress<br /> '*port*' = Add VID tag for ingress and remove tag on egress |
-Ports having *:t* appended will keep the vlan id tag for ingress end egress traffic
-(802.1q frames will be sent out and received on the port). List port entries without
+Map-agent will create these sections for each passed VLAN ID within the Traffic
-*:t* will add a tag for ingress and remove on egress traffic, which is proper
+Separation TLV. At the Ethernet port level map-agent will add egress and ingress
-for *sink* interfaces and Ethernet interfaces for primary network.
+tagging rules for the primary VLAN ID and keep tags as-is for secondary VLAN
+IDs. At the bridge level all VLAN IDs will be handled and egress untagged,
+whereas ingressing packets will receive a Primary VLAN ID tag.
 ```
-config bridge-vlan
+config bridge-vlan 'vlan1'
-        option device 'br-lan'
+	option name 'vlan1'
-        option vlan '1'
+	option device 'br-lan'
-        list ports 'eth2'
+	option vlan '1'
-        list ports 'eth3'
+	option flags 'untagged pvid'
-        list ports 'eth4'
+	option local '1'
-        list ports 'sink_peer1'
+	list ports 'eth1:*'
+	list ports 'eth2:*'
-config bridge-vlan
+	list ports 'eth3:*'
-        option device 'br-lan'
+	list ports 'eth4:*'
-        option vlan '50'
-        list ports 'eth2:t'
+config bridge-vlan 'vlan50'
-        list ports 'eth3:t'
+	option name 'vlan50'
-        list ports 'eth4:t'
+	option device 'br-lan'
-        list ports 'sink_peer50'
+	option vlan '50'
+	option flags 'untagged'
+	option local '1'
+	list ports 'eth1:t'
+	list ports 'eth2:t'
+	list ports 'eth3:t'
+	list ports 'eth4:t'
+config bridge-vlan 'vlan20'
+	option name 'vlan20'
+	option device 'br-lan'
+	option vlan '20'
+	option flags 'untagged'
+	option local '1'
+	list ports 'eth1:t'
+	list ports 'eth2:t'
+	list ports 'eth3:t'
+	list ports 'eth4:t'
 ```
-By convention vlan *vid* network is configured to be 192.168.*vid*.0/24 ip network.
+Bridge VLAN filtering configuration can be seen by *bridge vlan* command and
+an example output can look like:
 ```
-config interface 'vlan50'
+root@iopsys-021000000001:~# bridge vlan
-        option device 'sink50'
-        option is_lan '1'
-        option proto 'static'
-        option ipaddr '192.168.50.1'
-        option netmask '255.255.255.0'
-```
-Specific vlan configuration can be seen by *bridge vlan* command and example
-output can look like this:
-```
-root@iopsys:~# bridge vlan
 port              vlan-id  
+eth1              1 PVID Egress Untagged
+                  20
+                  50
 eth2              1 PVID Egress Untagged
                  20
                  50
@@ -141,22 +168,21 @@ eth4              1 PVID Egress Untagged
                  50
 wl0               1 PVID Egress Untagged
 wl1               1 PVID Egress Untagged
-sink_peer1        1 PVID Egress Untagged
+br-lan            1 PVID Egress Untagged
-br-lan            1
+                  20 Egress Untagged
-                  20
+                  50 Egress Untagged
-                  50
 wl1.1             1 PVID Egress Untagged
-wl1.2             20 PVID Egress Untagged
 wl0.1             1 PVID Egress Untagged
-wl0.2             50 PVID Egress Untagged
+wl0.2             1 Egress Untagged
-sink_peer50       50 PVID Egress Untagged
+                  50 PVID Egress Untagged
-sink_peer20       20 PVID Egress Untagged
+wl1.2             1 Egress Untagged
+                  20 PVID Egress Untagged
 ```
-PVID Egress Untagged entries will add/remove vlan id tag on for incoming/outgoing frames
+PVID Egress Untagged entries will add/remove VLAN ID tag on for
-on that port. Vlan id listed without PVID Egress Untagged mean that particular
+incoming/outgoing frames on that port. VLAN IDs listed without PVID Egress
-vlan tag is accepted on the port, non listed vlan tags are dropped.
+Untagged mean that particular VLAN tag is accepted on the port, non listed VLAN
-In example above *eth2* will:
+tags are dropped. In example above *eth2* will:
 * Accept 802.1q frames with VIDs 20 and 50
 * Change untagged incoming ethernet frames to 802.1q with vid 1
 * Remove tags for outgoing frames