Netmanias Technical Document: Backhaul Network Design for TPS & VPN Service
January 9, 2009
NMC Consulting Group(tech@netmanias.com)
Table of Contents
1. Network Requirements
2. Network Architecture: Topology Design
2.1 Aggregation Network for Towers
2.2 Aggregation Network for Villas
3. Logical Architecture for Residential Services and Business Services
3.1 Backhaul Connectivity Design for Residential TPS Services
3.2 Backhaul Connectivity Design for Business VPN Services
4. Network Availability
5. Scalability
6. QoS Design
6.1 QoS for Residential TPS Service
6.2 QoS for Business VPN Service
7. Multicast
8. Security
8.1 Security: Data Plane
8.2 Security: Control Plane & Management Plane
9. Easy Touch Provisioning
10. Element & Network Management System
1. Network Requirements
- # of Subscribers
- Access Technology: FTTH (AON)
- Residential TPS service
  - Internet: up to 1 Gbps for each tenant
  - IP-TV/VoD: HDTV
  - VoIP
- Business VPN Services
  - MPLS L3 VPN, MPLS L2 VPN (P2P: VPWS), VPLS
- Scalability
- QoS
- Multicast for IP-TV
- Integration with Existing Broadband Network (MPLS)
- Easy Touch Provisioning
  - Residential and Business
2. Network Architecture

[Figure: end-to-end topology. RG (Residential Gateway) per tenant with 1GE access to the AN (Access Node) and AS (Access Switch) in the tower MDF (ANs 1 to 20 per tower), 2x10GE from each tower AS to the DS (Distribution Switch, L2) in NOC-1 and NOC-2, 10GE from DS to BRAS/PE, and 8xGE/10GE from the BRAS/PE to the P routers of the existing MPLS core.]

Role of BRAS
- BRAS, MPLS PE, SSG
Protocol Interworking with Backbone Network
- IGP: OSPF or IS-IS
- IGP TE: OSPF TE or IS-IS TE
- MPLS: LDP, RSVP-TE, MP-iBGP, VPWS, VPLS
Role of AS and DS
- L2 Ethernet Aggregation
- QinQ (for Residential TPS) Termination: BRAS
- QinQ (for Enterprise VPN) Termination: BRAS (PE)
- Subscriber MAC frame broadcasting: not to the existing IP/MPLS Backbone
Traffic Path
- All traffic (Internet, VoIP, VoD, Multicast/Enterprise VPN) passes through the BRAS/PE
2.1 Network Architecture: Aggregation Network for Towers

[Figure: tower (high-rise building) aggregation. RG per home/business, AN and AS in each apartment MDF (ANs 1 to 20 per tower, 4xGE (1000Base-TX) uplinks), 2x10GE from each tower AS to the DS in NOC-1 and NOC-2, 10GE from DS to BRAS/PE, 8xGE/10GE from the BRAS/PE to the P routers of the existing MPLS core. Link legend: 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX).]

- One AS is connected to two NOCs (Dual Homing) for protection
- RG in home and business
- AN and AS are distributed at each apartment MDF
- DS and BRAS in NOC-1 and NOC-2
- Direct fiber access to individual subscribers (Dedicated 1 Gbps bandwidth per user)
- Co-existence of residential and business subscribers
2.2 Aggregation Network for Villas

[Figure: villa aggregation. RG per home with 1GE access, AN and AS located at NOC-1 (4xGE (T) between AN and AS), 2x10GE from the AS to the DS in NOC-1 and NOC-2, 10GE from DS to BRAS/PE, 8xGE/10GE from the BRAS/PE to the P routers of the existing MPLS core. Link legend: 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX).]

- One AS is connected to two NOCs (Dual Homing) for protection
- RG in home
- AN and AS are centralized at NOC-1
- Direct fiber access to individual subscribers (Dedicated bandwidth per user)
3. Logical Architecture for Residential Services and Business Services

[Figure: logical paths from the CPE/RG through AN, AS and DS (EAPS ring) into the BRAS/PE, and from there over MPLS LSPs to the remote PEs (PE2, PE3), the BR and the SAR. SAR: Service Access Router (PE router located at the Head End). Labels recovered from the figure:]
- Residential Internet Access: Residential Internet VLAN (C-VID=Internet (5), S-VID=AN), DHCP, static/public subnet, per-service VRF (Internet) at the BRAS/PE, MPLS L3 Internet VPN (LSP to BR)
- Residential Voice: Residential Voice VLAN (C-VID=Voice (3), S-VID=AN), DHCP, private addressing and routing, per-service VRF (Voice), MPLS L3 Voice VPN (LSP to SAR)
- Residential Video: Residential Video VLAN (C-VID=Video (4), S-VID=AN), DHCP, private addressing and routing, per-service VRF (Video), MPLS L3 Video VPN (LSP to SAR)
- Enterprise Internet Access: per-enterprise VLAN (C-VID=Ent. A, S-VID=Ent. A), VRF, MPLS L3 Internet VPN (LSP to PE, P2P)
- Enterprise L3 VPN: per-enterprise VLAN (C-VID=Ent. B, S-VID=Ent. B), VRF, MPLS L3 VPN (LSP to PE 2 / PE 3)
- Enterprise L2 VPN (PtP: EoMPLS): per-enterprise VLAN (C-VID=Private Use, S-VID=Ent. C), VSI, MPLS L2 VPN (VPWS, LSP to PE 2)
- Enterprise L2 VPN (PtMP: VPLS): per-enterprise VLAN (C-VID=Private Use, S-VID=Ent. D), VSI, MPLS L2 VPN (LSP to PE 3)
Supported Standards (MPLS PE)
- RFC 4448 (Martini), Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
- RFC 4447 (Martini), Pseudowire Setup and Maintenance Using LDP, April 2006
- RFC 4762, Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
- RFC 4761, Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
- RFC 4664, Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006
3.1 Residential TPS Service

[Figure: residential TPS encapsulation. Between RG and AN (Tower A, Tower B): 802.1Q per-service VLAN (Voice, Video, Data), with a private VLAN (N:1 VLAN) and DHCP Option 82 at the AN. Between AN and the NOC: 802.1ad QinQ with S-VID = per-AN VLAN (outer VLAN) and C-VID = per-service VLAN (inner VLAN), bridged through AS and DS as N:1 VLANs. At the BRAS/PE: one MPLS L3 VPN (VRF) per service (Voice VPN, Video VPN, Data VPN) toward the IP/MPLS backbone. Layer 2 (Ethernet) from RG to DS, Layer 3 (IP/MPLS) from the BRAS/PE onward.]
Residential TPS Service
- Service Separation: in the backhaul, by per-service VLAN (N:1 VLAN); inside the BRAS, by VRF (each VRF has its own interfaces and route information)
- User Isolation: split-horizon forwarding (Private VLAN) on the AN to prohibit hair-pinning between users
- L2 Scalability Issues
  - Broadcast domain is reduced by per-AN QinQ
  - MAC learning at DS: 224K MAC addresses supported by DS >> 15K subscribers x 4 services = 60K
  - The configuration of every RG is the same; only the QinQ value (S-VID) of each AN differs
- IP Address Management: public IP addresses for Internet access, private IP addresses for walled-garden services (VoD, IP-TV, VoIP)
- DHCP Option 82 at AN (per-service VLAN ID, Port ID, AN ID): subscriber identification, location of subscriber, per-service IP address allocation
3.2 Business VPN Service

[Figure: enterprise encapsulation. Between RG/CE and AN (Tower A, Tower B): 802.1Q per-enterprise VLAN, or VLANs for private use by the enterprise. Between AN and the NOC: 802.1ad QinQ with S-VID = per-enterprise VLAN (outer VLAN) and C-VID = per-enterprise VLAN (extension) or private use by the enterprise (inner VLAN), bridged through AS and DS as 1:1 VLANs. At the BRAS/PE: one MPLS L2/L3 VPN per enterprise (Ent-A L3 VPN, Ent-B L3 VPN, Ent-C L2 VPN (VPWS), Ent-D L2 VPN (VPWS), Ent-E L2 VPN (VPLS)) toward the IP/MPLS backbone. Layer 2 (Ethernet) from RG to DS, Layer 2/3 from the BRAS/PE onward.]

- Customer separation by per-enterprise VLAN (1:1 VLAN)
- A provisioning tool is needed to create the per-enterprise VLANs
- IP address management: private IP addresses for VPN service
MPLS L3 VPN

[Figure: customer sites (Site-1/Site-2 of VPN-A and VPN-B) with CE routers (CE1, CE2) attach over Metro Ethernet backhaul (per-enterprise 1:1 VLAN: 802.1Q toward the CE, 802.1ad in the backhaul) to PEs across the IP/MPLS backbone. Between the PEs: IGP (IS-IS or OSPF), tunnel signaling (LDP or RSVP-TE), VPN route and label distribution (MP-iBGP), and the L3 VPN (vc-lsp) carried inside the LSP tunnel; point-to-point or point-to-multipoint L3 VPN. VPN routing between CE and PE: BGP, OSPF, IS-IS, RIP or static.]
- RFC 2547bis BGP/MPLS VPN
MPLS L2 VPN: VLL/VPWS/EoMPLS Service

[Figure: same site and backhaul layout as the L3 VPN figure (per-enterprise 1:1 VLAN, 802.1Q toward the CE, 802.1ad in the backhaul). Between the PEs: IGP (IS-IS or OSPF), tunnel signaling (LDP or RSVP-TE), PW signaling (Martini signaling, RFC 4447), and the PW (vc-lsp) inside the LSP tunnel, giving a point-to-point transparent LAN service.]
- RFC 4448 (Martini), Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
- RFC 4447 (Martini), Pseudowire Setup and Maintenance Using LDP, April 2006
MPLS L2 VPN: VPLS Service

[Figure: same site and backhaul layout as the L3 VPN figure (per-enterprise 1:1 VLAN, 802.1Q toward the CE, 802.1ad in the backhaul). Between the PEs: IGP (IS-IS or OSPF), tunnel signaling (LDP or RSVP-TE), PW signaling (Martini signaling/RFC 4762 or BGP/RFC 4761), and the VPLS (full-meshed PWs) inside the LSP tunnels, giving a point-to-multipoint transparent LAN service.]
- RFC 4762, Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
- RFC 4761, Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
- RFC 4664, Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006
4. Network Availability (EAPS): < 50 msec

[Figure: EAPS ring formed by the Tower A AS, the DS in NOC-1 and the DS in NOC-2, with the BRAS/PEs behind the DSs toward the IP/MPLS backbone. Left panel, normal data traffic: the secondary port is logically blocked for protected-VLAN data traffic and "Health Check" messages are sent out periodically around the ring. Right panel, data traffic with link fail: the blocked port is opened and traffic takes the other side of the ring.]

- A link failure between AS and DS is the major threat; EAPS (Ethernet Automatic Protection Switching) provides fast convergence from a link failure (under 50 ms)
- Ring-based network resiliency protocol between AS and DS/PE, operating at layer 2
- Provides SONET/SDH-like fast convergence from network failures
- Proven sub-50 ms failover times for voice-class connections
- Designed for carriers/ISPs; essential for convergence in the enterprise
- IETF RFC 3619
- RFC 3619: Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1.0
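The EAPS behaviour described above (master blocks its secondary port while health-check PDUs return; a link-down opens it and every node flushes its FDB) as an added Python model. This is example code, not the document's or Extreme Networks' implementation; node names and ring order are constructed, and timers are left out since only the state transitions are modelled.

```python
from collections import deque

class EapsRing:
    """Ring of L2 nodes with one EAPS master. Node order is the ring order; the master's
    primary port faces the next node and its secondary port faces the previous node."""

    def __init__(self, nodes, master):
        self.nodes = list(nodes)
        self.master = master
        n, i = len(self.nodes), self.nodes.index(master)
        self.primary = self.nodes[(i + 1) % n]      # neighbour on the master's primary port
        self.secondary = self.nodes[(i - 1) % n]    # neighbour on the master's secondary port
        self.links = {frozenset((self.nodes[k], self.nodes[(k + 1) % n])) for k in range(n)}
        self.failed = set()
        self.secondary_blocked = True   # "complete" state: secondary port blocked for protected VLANs
        self.state = "complete"
        self.fdb_flushes = 0            # every state change flushes the FDB on all ring nodes

    def _usable(self, a, b) -> bool:
        """Can protected-VLAN data traffic cross the link a-b right now?"""
        link = frozenset((a, b))
        if link not in self.links or link in self.failed:
            return False
        blocked = frozenset((self.master, self.secondary))
        return not (self.secondary_blocked and link == blocked)

    def health_check(self) -> bool:
        """Master sends a health-check PDU out of its primary port; True if it comes back on the
        secondary port. Control PDUs cross the blocked port, only data traffic is blocked."""
        n, i = len(self.nodes), self.nodes.index(self.master)
        return all(frozenset((self.nodes[(i + k) % n], self.nodes[(i + k + 1) % n]))
                   not in self.failed for k in range(n))

    def _reconcile(self):
        """Master's decision after a health-check result or a link-down alert from a transit node."""
        complete = self.health_check()
        if complete and not self.secondary_blocked:          # ring healed: re-block, flush
            self.secondary_blocked, self.state = True, "complete"
            self.fdb_flushes += 1
        elif not complete and self.secondary_blocked:        # ring broken: open secondary, flush
            self.secondary_blocked, self.state = False, "failed"
            self.fdb_flushes += 1

    def link_fail(self, a, b):
        self.failed.add(frozenset((a, b)))      # transit node raises a link-down alert to the master
        self._reconcile()

    def link_restore(self, a, b):
        self.failed.discard(frozenset((a, b)))  # the next health-check PDU completes the ring again
        self._reconcile()

    def path(self, src, dst):
        """Data-plane path of a protected VLAN (BFS over usable links); None if unreachable."""
        prev, queue = {src: None}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                break
            for nxt in self.nodes:
                if nxt not in prev and self._usable(cur, nxt):
                    prev[nxt] = cur
                    queue.append(nxt)
        if dst not in prev:
            return None
        out, cur = [], dst
        while cur is not None:
            out.append(cur)
            cur = prev[cur]
        return out[::-1]

    def loop_free(self) -> bool:
        """A ring in which every link forwards data would loop broadcasts forever; EAPS keeps
        exactly one link (the blocked or the failed one) out of the data path."""
        usable = sum(1 for link in self.links if self._usable(*link))
        return usable < len(self.nodes)

def tower_ring() -> EapsRing:
    """Constructed ring: DS in NOC-1 (master), the two tower ASs, DS in NOC-2."""
    return EapsRing(["DS-NOC1", "AS-TowerA", "AS-TowerB", "DS-NOC2"], master="DS-NOC1")
```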
Resiliency Mechanism for Unicast

[Figure: panels of the Tower A ring (RG - AN - AS - DS pair in NOC-1/NOC-2 - PE pair - IP/MPLS backbone) for unicast upstream and downstream traffic. Normal: one DS is the VRRP Master for the subscriber gateway and the EAPS blocked port "B" sits on the ring. AS-DS link fail: recovery by EAPS (50 ms). DS fail: the other DS becomes active, recovery by EAPS, VRRP and IGP. DS-PE link fail: recovery by VRRP and IGP. PE fail: recovery by VRRP and IGP. Second slide: with VRRP interface tracking enabled, a DS-PE link fail is recovered by VRRP and IGP (mastership moves); with VRRP interface tracking disabled, it is recovered by IGP only.]
Resiliency Mechanism for Multicast

[Figure: the same Tower A ring, with PIM Hello exchanged between the routers and one of them acting as PIM DR (Designated Router). Normal: EAPS blocked port "B", DR on one side. AS-DS link fail: recovery by EAPS (50 ms). DS fail: the other side becomes active, recovery by EAPS and IGP. DS-PE link fail: recovery by IGP. PE fail: recovery by IGP. Second slide: a further link fail case recovered by IGP. Multicast delivery follows the DR.]
5. Scalability

Scalability Factor for Enterprise                   | AS (BD 8806) | DS (BD 10808) | BRAS/PE (E320)
Maximum number of MAC addresses                     | 16K          | 224K          | 96K
Maximum number of IP routes                         |              |               | 1M
Maximum number of 802.1Q (VLAN) Circuits per Port   | 4K           | 4K            | 4K (16K per chassis)
Maximum number of 802.1ad (QinQ) Circuits per Port  |              |               | 16K (96K per chassis)
Maximum number of Logical Interfaces                |              |               | 96K
Maximum number of MPLS LSPs (LDP/RSVP-TE)           |              |               | 10K

Scalability Factor of MPLS L3VPN for Enterprise     | BRAS/PE (E320)
Maximum number of VRF instances                     | 1K
Maximum number of IP routes per VRF                 | 500K

Scalability Factor of MPLS L2VPN for Enterprise     | BRAS/PE (E320)
Maximum number of VPWS instances                    | 8K
Maximum number of VPLS instances                    | 1K
Maximum number of MAC addresses per VSI             | 64K in total

- Maximum number of MPLS L3 VPN = 1K (per PE router)
- Maximum number of Point-to-Point MPLS L2 VPN (VPWS) = 8K (per PE router)
- Maximum number of Point-to-Multipoint MPLS L2 VPN (VPLS) = 1K (per PE router)
L2 Scalability
- Residential TPS Service
  - Broadcast domain is reduced by per-AN VLAN (QinQ)
  - MAC learning at DS: 224K MAC addresses supported by DS (Extreme BD10K) >> 15K subscribers x 4 services = 60K
- Enterprise VPN service
  - Per-enterprise VLAN must be provisioned through the Ethernet backhaul network (potential scaling issue)
  - 802.1Q provides 4K distinct VLANs and 802.1ad provides 16M distinct VLANs
6.1 QoS for Residential TPS Service

Class    | RG ~ AN (802.1p) | AN ~ AS (802.1p) | AS ~ DS (802.1p) | DS ~ BRAS/PE (802.1p) | BRAS/PE ~ P (MPLS QoS (E-LSP) / IP DiffServ)
Voice    | COS 5            | COS 5            | COS 5            | COS 5                 | EXP 5
IPTV     | COS 3            | COS 3            | COS 3            | COS 3                 | DSCP AF3
VoD      | COS 2            | COS 2            | COS 2            | COS 2                 | EXP 2
Internet | COS 0            | COS 0            | COS 0            | COS 0                 | EXP 0

[Figure: RG - AN - AS - DS - B RAS/PE - IP/MPLS backbone with 802.1p marking on every Ethernet segment and MPLS QoS/IP DiffServ beyond the BRAS/PE; per-residential upstream shaping at the RG and per-residential downstream shaping at the BRAS. Detail: the BRAS applies per-residential shaping to the Internet traffic toward User-A, User-B and User-C, then serves a strict priority queue (SPQ) in which voice to all users, IPTV (multicast) and VoD to all users sit in the HIGH queue and Internet in the LOW queue.]

- 4 service classes
- Internet bandwidth control in both upstream and downstream directions per residential subscriber, by RG and BRAS
- Voice, IPTV and VoD traffic always have higher priority than Internet
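The residential QoS design above (CoS/EXP marking, per-subscriber shaping of the Internet class, strict priority for voice/IPTV/VoD) as an added Python model; this is example code, not the document's or the BRAS vendor's implementation. The marking table is the document's; the link rate, subscriber rate, packet sizes and timings in demo() are constructed.

```python
import heapq
from dataclasses import dataclass

# Marking per class from the document's table: 802.1p CoS on the Ethernet segments,
# MPLS EXP or DSCP from the BRAS/PE toward the P routers
MARKING = {"voice": (5, "EXP 5"), "iptv": (3, "DSCP AF3"), "vod": (2, "EXP 2"), "internet": (0, "EXP 0")}
SPQ_ORDER = ["voice", "iptv", "vod", "internet"]   # strict priority, highest first

def mark(cls: str) -> tuple:
    """(802.1p CoS for the backhaul, core marking at the BRAS/PE) for a service class."""
    return MARKING[cls]

@dataclass
class Pkt:
    sub: str      # subscriber
    cls: str      # service class
    size: int     # bytes
    arrival: float

class Shaper:
    """Per-subscriber token bucket that delays (never drops) Internet packets to the contracted rate."""

    def __init__(self, rate_bps: float, burst_bytes: int):
        self.rate = rate_bps / 8.0          # bytes per second
        self.burst = float(burst_bytes)
        self.tokens = self.burst
        self.last = 0.0                     # time of the previous release

    def release_time(self, size: int, now: float) -> float:
        start = max(now, self.last)         # FIFO: cannot overtake the previous packet
        self.tokens = min(self.burst, self.tokens + (start - self.last) * self.rate)
        if self.tokens >= size:
            self.tokens -= size
            self.last = start
            return start
        wait = (size - self.tokens) / self.rate
        self.tokens = 0.0
        self.last = start + wait
        return self.last

def schedule(pkts: list, link_bps: float, sub_rate_bps: float, burst: int = 1500) -> list:
    """BRAS downstream: shape Internet per subscriber, then serve a strict priority queue.
    Returns [(send_time, pkt), ...] in transmission order."""
    shapers, queues, seq = {}, {c: [] for c in SPQ_ORDER}, 0
    for p in sorted(pkts, key=lambda p: p.arrival):
        ready = p.arrival
        if p.cls == "internet":
            ready = shapers.setdefault(p.sub, Shaper(sub_rate_bps, burst)).release_time(p.size, p.arrival)
        heapq.heappush(queues[p.cls], (ready, seq, p))      # seq keeps the tuple comparable
        seq += 1
    sent, t = [], 0.0
    while any(queues.values()):
        eligible = [c for c in SPQ_ORDER if queues[c] and queues[c][0][0] <= t]
        if not eligible:                                     # link idle: jump to the next ready packet
            t = min(q[0][0] for q in queues.values() if q)
            continue
        _, _, p = heapq.heappop(queues[eligible[0]])         # highest class wins, always
        sent.append((t, p))
        t += p.size * 8 / link_bps
    return sent

def demo() -> list:
    """Constructed burst: user A pushes 3 x 1500 B of Internet at t=0 against a 10 Mbps
    contract on a 100 Mbps link while voice and IPTV packets arrive at t=1.2 ms."""
    pkts = [Pkt("A", "internet", 1500, 0.0) for _ in range(3)]
    pkts += [Pkt("B", "voice", 200, 0.0012), Pkt("all", "iptv", 1316, 0.0012)]
    return schedule(pkts, link_bps=100e6, sub_rate_bps=10e6)
```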
6.2 QoS for Business VPN Service

Class            | RG ~ AN (802.1p) | AN ~ AS (802.1p) | AS ~ DS (802.1p) | PE ~ P (MPLS QoS (E-LSP))
Voice            | COS 5            | COS 5            | COS 5            | EXP 5
VoD              | COS 2            | COS 2            | COS 2            | EXP 2
Mission Critical | COS 1            | COS 1            | COS 1            | EXP 1
Internet         | COS 0            | COS 0            | COS 0            | EXP 0

[Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone with 802.1p marking on the Ethernet segments and MPLS QoS beyond the PE; per-enterprise upstream shaping at the RG and per-enterprise downstream shaping at the PE. Detail: the PE applies per-enterprise hierarchical shaping (PIR/CIR) per S-VLAN (S-VLAN 1001, 1400, 1500 in the figure), with the RT Voice, RT Video, Mission Critical and Best Effort classes queued inside each enterprise's shaper.]

- 4 service classes
- Bandwidth control in both upstream and downstream directions per enterprise subscriber, by the PE
- The PE supports a hierarchical shaper
7. Multicast
- All IPTV channels (multicast streams) always reach the core-facing port of the DS, for fast channel zapping, through the IGMP Static Join function of the BRAS/PE

[Figure: BRAS/PE (PIM DR, IGMP Static Join) - DS in NOC-1 and NOC-2 (IGMP Snooping) - AS per tower (IGMP Snooping) - AN (IGMP Proxy) - RGs in Tower A, Tower B and Tower C. All IPTV channels are delivered down to the DS; an RG sends IGMP Report (CH1) and only IPTV CH1 is forwarded to it.]
8.1 Security: Attack and Defensive Features/Actions

Attack | Defensive Features/Actions | NE
MAC attacks | Limit number of MAC addresses per port, allow only static MAC addresses | AN, AS
VLAN hopping | Disable auto trunking on user-facing ports, do not use VLAN 1 for anything | AN, AS, DS
Private DHCP server | Filter DHCP messages using wire-speed ACLs, Private VLAN | AN, AS, DS
Source MAC address spoofing | Limit number of MAC addresses per port, allow only static MAC addresses | AN, AS
Abnormal source MAC attacks (all 0's, all F's, …) | Filter abnormal source MAC addresses using wire-speed ACLs | AN, AS, DS
ARP attacks | AN, AS, DS: storm control, rate-limit of the ARP protocol type; BRAS/PE: CPU rate-limit, IP Source Guard | AN, AS, DS, BRAS/PE
Storm attacks | Storm control for broadcast and unknown-unicast packets | AN, AS, DS
System attacks | CPU rate-limit and filtering, prioritize control traffic (telnet, SNMP are high) | AN, AS, DS, BRAS/PE
DHCP attacks | Limit number of MAC addresses per port, check the integrity of DHCP messages | AN, BRAS/PE
Poison ARP tables | Dynamic ARP inspection using the DHCP snooping binding table | BRAS/PE
DDoS by TCP SYN flooding | AN, AS, DS: rate-limit of TCP SYN; BRAS/PE: IP Source Guard | AN, AS, DS, BRAS/PE
Smurf attacks | Disable directed broadcast | BRAS/PE
IGMP attacks | Enable IGMP Join filter, limit number of IGMP Join messages | AN, AS
Multicast stream attacks | Filter multicast addresses (except IGMP messages) on user-facing ports | AN, AS
PIM attacks | Filter PIM neighbors (allow only registered PIM neighbors) | BRAS/PE
Attack with a spoofed source IP address | IP Source Guard, RPF (Reverse Path Filtering) | BRAS/PE
Route information spoofing, misdirecting traffic | MD5 authentication for IP routing/MPLS signaling protocols; GTSM (Generalized TTL Security Mechanism); route filtering: Martian filter, bogon list, RFC 1918/3330 addresses | BRAS/PE
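Several of the user-facing-port defences in the table above (MAC limit per port, abnormal source MAC filter, DHCP server messages from user ports, broadcast storm control, and IP Source Guard driven by a DHCP snooping binding table) as an added Python model run over constructed frames. This is example code, not the document's or any switch vendor's implementation; port names, thresholds and the traffic sequence are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a server behind a trusted port may send these

@dataclass
class Frame:
    port: str             # ingress port
    src_mac: str
    dst_mac: str
    t: float              # arrival time in seconds
    kind: str = "data"    # "data", "arp" or "dhcp"
    src_ip: str = ""      # sender IP (IP header or ARP sender address), "" if none
    dhcp_msg: str = ""    # DISCOVER/OFFER/REQUEST/ACK/NAK when kind == "dhcp"
    yiaddr: str = ""      # address handed out in OFFER/ACK

@dataclass
class EdgePolicy:
    """User-facing-port checks of an AN/AS plus the DHCP snooping binding table that
    drives IP Source Guard. Thresholds are constructed for the example."""
    trusted_ports: set
    mac_limit: int = 2          # MACs allowed per user-facing port
    bcast_per_sec: int = 5      # broadcast storm-control threshold
    learned: dict = field(default_factory=lambda: defaultdict(set))    # port -> learned MACs
    bindings: dict = field(default_factory=dict)                       # (port, mac) -> leased IP
    windows: dict = field(default_factory=lambda: defaultdict(deque))  # port -> broadcast times
    pending: dict = field(default_factory=dict)                        # client MAC -> user port

    @staticmethod
    def abnormal_source(mac: str) -> bool:
        """All-zero, all-F, or a source MAC with the group (multicast) bit set."""
        return mac in ("00:00:00:00:00:00", BROADCAST) or bool(int(mac[:2], 16) & 1)

    def check(self, f: Frame) -> tuple:
        """Returns (forwarded, reason) and updates port state as a switch would."""
        if f.port in self.trusted_ports:
            if f.kind == "dhcp" and f.dhcp_msg == "ACK" and f.dst_mac in self.pending:
                # lease confirmed by the real server: record it for the client's port
                self.bindings[(self.pending.pop(f.dst_mac), f.dst_mac)] = f.yiaddr
            return True, "trusted port"
        if self.abnormal_source(f.src_mac):
            return False, "abnormal source MAC"
        macs = self.learned[f.port]
        if f.src_mac not in macs and len(macs) >= self.mac_limit:
            return False, "MAC limit per port exceeded"
        macs.add(f.src_mac)
        if f.kind == "dhcp" and f.dhcp_msg in DHCP_SERVER_MSGS:
            return False, "DHCP server message from user port"     # rogue/private DHCP server
        if f.dst_mac == BROADCAST:
            w = self.windows[f.port]
            while w and f.t - w[0] >= 1.0:
                w.popleft()
            if len(w) >= self.bcast_per_sec:
                return False, "broadcast storm control"
            w.append(f.t)
        if f.kind == "dhcp":
            self.pending[f.src_mac] = f.port      # client request: wait for the server's ACK
        elif f.src_ip and self.bindings.get((f.port, f.src_mac)) != f.src_ip:
            return False, "IP Source Guard: no DHCP binding for this IP"
        return True, "ok"

def run_scenario() -> list:
    """Constructed traffic on user port ge1/7 behind trusted uplink xe0/1."""
    pol = EdgePolicy(trusted_ports={"xe0/1"})
    a, b, c = "02:00:00:00:01:aa", "02:00:00:00:01:bb", "02:00:00:00:01:cc"
    frames = [
        Frame("ge1/7", a, BROADCAST, 0.0, "dhcp", dhcp_msg="DISCOVER"),
        Frame("xe0/1", "02:00:00:00:ff:01", a, 0.1, "dhcp", dhcp_msg="ACK", yiaddr="10.1.1.7"),
        Frame("ge1/7", a, "02:00:00:00:ff:01", 1.0, "data", src_ip="10.1.1.7"),
        Frame("ge1/7", a, "02:00:00:00:ff:01", 1.1, "data", src_ip="10.1.1.99"),   # spoofed IP
        Frame("ge1/7", b, a, 2.0, "dhcp", dhcp_msg="OFFER", yiaddr="192.168.0.5"),  # rogue server
        Frame("ge1/7", c, "02:00:00:00:ff:01", 3.0, "data", src_ip="10.1.1.8"),    # third MAC
        Frame("ge1/7", BROADCAST, BROADCAST, 4.0, "data"),                          # all-F source
        Frame("ge1/7", "01:00:5e:00:00:01", BROADCAST, 4.1, "data"),                # group-bit source
    ] + [Frame("ge1/7", a, BROADCAST, 10.0 + 0.1 * k, "arp", src_ip="10.1.1.7") for k in range(6)]
    return [pol.check(f) for f in frames]
```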
8.2 Security: Data Plane

[Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone with the data-plane protections placed along the path. Labels, roughly from the access side toward the BRAS/PE: protect MAC attack; user isolation (prohibit direct connection between users) / service isolation; protect ARP attack; protect MAC spoofing; control CPU traffic; storm control; filter multicast streams from abnormal sources; protect DHCP attack; IP Source Guard / DHCP security; resource (# of routes/MACs) limitation and rate-limit of protocol updates per VRF; filter Martian addresses, RFC 1918 addresses and bogon prefixes; filter directed broadcast; rate-limit ICMP echo and TCP SYN (to CPU and transit); reject other ICMP packets (e.g. ICMP Redirect), IP with options and malicious fragment packets; protect IGMP attack; unicast RPF loose mode; filter well-known attack traffic (worms/viruses).]
8.3 Security: Control Plane & Management Plane

[Figure: the same RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone path. Control- and management-plane protections: MD5 authentication for IP routing/MPLS signaling; Generalized TTL Security Mechanism (GTSM); SNMPv3; SSH (Secure Shell)/SCP (Secure Copy Protocol); TACACS+; control of the number of concurrent SSH connections; control of the rate of SSH connections.]
9. Easy Touch Provisioning Tool: SSG (Service Selection Gateway) for TPS Users

[Figure: transport plane (RG - AN - AS - DS - BRAS/SSG - IP/MPLS backbone), service intelligence (Web Portal, Policy Server), control plane (LDAP, AAA, DHCP) and back office (OSS/BSS). Message flow when a subscriber connects:]
1. DHCP DISCOVER
2. DHCP OFFER
3. DHCP REQUEST
4. DHCP ACK
5. "Client Table" is created
6. "SI" is created
7. COPS: Interface Event
8. COPS: Address Event
9. COPS: Default Policy
10. LDAP Search: MAC -> ID/PW
11. LDAP Result: NULL return
12. HTTP/HTTPS: ID/PW by subscriber
13. CORBA: ID/PW information
14. RADIUS: Request Authentication (ID/PW)
15. RADIUS: Authentication Result
16. RADIUS: Type of Service for Subscriber
17. CORBA: Authentication Result
18. COPS: Service Policy
19. HTTP/HTTPS: Authentication Result & show "Subscriber Homepage"
(unnumbered) LDAP: Service adds
Easy Touch Provisioning Tool: VLAN Connection Management for Enterprise
- Connection Manager helps reduce overall administration and management costs by providing automated resource management and rapid profile-based provisioning capabilities that speed deployment and time to market of Metro Ethernet technologies
- It provides 802.1Q VLAN and 802.1ad QinQ provisioning methods for AN, AS and DS

[Figure: Connection Manager for Enterprise driving the AN, AS and DS of the backhaul; CE sites (Site-1/Site-2 of VPN-A and VPN-B) attach via RG/CE to the BRAS/PE and across the P routers to the remote PE. A: QinQ assignment of the user-facing port for an enterprise user. B: VLAN ID assignment of the access-facing ports for the enterprise user. Per-enterprise VLAN in the backhaul, per-enterprise MPLS VPN (L2/L3) in the core.]
10. Element & Network Management System

[Figure: network elements (RG/CPE, AN, AS, DS, BRAS, IP/MPLS core, Internet) managed southbound (SNMP) by per-element EMSs (BRAS EMS, AS/DS EMS, AN EMS, RG EMS) together with DHCP and TFTP/FTP servers; the EMSs report northbound (SNMP, XML) to the NMS, which covers FCAPS: Fault, Configuration, Accounting, Performance, Security.]

- Network management systems make use of a wide range of tools, applications, interfaces and devices to assist network operators in monitoring and maintaining the network. A standard model for all management systems, called FCAPS, is defined by the ITU-T:
  - Fault management
  - Configuration management
  - Accounting management
  - Performance management
  - Security management
General managements | Fault            | Configuration                   | Performance/Statistics Reports | Security
Topology map        | Fault detection  | Resource initialization         | Data collection                | User access right checking
Command history     | Alarm generation | Provisioning                    | Data reporting                 | Access logging
-                   | Alarm handling   | Backup and restore              | Data analysis                  | Security alarm reporting
-                   | Error logging    | Remote configuration            | Alarm history                  | Data backup
-                   | -                | Automated software installation | -                              | -
EMS/NMS Features

[Figure: NMS screenshot with numbered areas: alarm statistics summary, element list, topology map, detail view for selected elements/networks, alarm status / history.]
EMS/NMS Functionality Summary

Features                   | Sub features           | Descriptions
System General Information | Monitoring condition   | Monitoring time, retry count, retry timeout; monitoring condition and threshold control based on system performance
                           | Topology MAP           | Map service based on topology
                           | Utility                | Ping, Trace, Telnet
                           | Alarm history          | Alarm history by region, element and port
                           | Tool-tip               | Displays detailed information when the mouse moves over an element or port
                           | Element information    | CPU, memory, disk, temperature, element boot time, OS version, number of interfaces
                           | Interface information  | Interface ID, interface operational/admin status
Performance                | Performance reports    | Top N performance by day, week and month
                           | System resource        | CPU utilization, memory usage, disk usage, response time
                           | Traffic performance    | Interface input/output throughput (BPS, PPS); utilization rate; error rate; discard rate
Configuration              | Elements status        | Status of the registered elements
                           | Elements configuration | Node and port configuration such as VLAN, QoS, ACL, Multicast, etc.
                           | Port status            | Port (physical/logical) up/down status; port (physical/logical) up/down control; port remote control by the EMS/NMS system
                           | Element/Link management| Element or link management (add/modify/delete)
EMS/NMS Functionality Summary (continued)

Features                   | Sub features                                 | Descriptions
Fault                      | SNMP Trap                                    | SNMP TRAP, syslog, CLI
                           | Alarm notify                                 | Web event, e-mail, SMS
                           | Alarm history                                | Alarm history search
                           | Alarm severity management                    | Critical, Major, Minor, Warning, Normal
                           | Syslog management                            | Syslog collection, syslog history search
                           | Alarm analysis report for each element       | Analysis of the alarm count, alarm duration and alarm type for each element
                           | Alarm analysis report for each interface     | Analysis of the alarm count, alarm duration and alarm type for each interface
                           | Alarm threshold                              | Alarm threshold setting
Statistics Report          | Report file format                           | Statistics report in Microsoft Excel or Word format
                           | Elements or Port inventory report            | Inventory including alarm or log history of elements or ports
                           | Elements performance report                  | Performance reports for traffic utilization, resource usage, alarm, response time, etc. (daily, weekly, monthly)
                           | Traffic statistics                           | Traffic analysis report per period and application
Security                   | Account management                           | Account management, user ID support and access right control
Backup and Restore of Data | Backup and restore                           | Configuration backup/recovery of all elements; automatic and scheduled backup
End of Document