About NMC Consulting Group NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002. Copyright © 2002-2013 NMC Consulting Group. All rights reserved.
www.nmcgroups.com
Netmanias Technical Document: Backhaul Network Design for TPS & VPN Service
Backhaul Network Design for TPS & VPN Service
January 9, 2009
NMC Consulting Group ([email protected])
www.netmanias.com
www.nmcgroups.com
Copyright © 2002-2013 NMC Consulting Group. All rights reserved. 2
Table of Contents
1. Network Requirements
2. Network Architecture: Topology Design
2.1 Aggregation Network for Towers
2.2 Aggregation Network for Villas
3. Logical Architecture for Residential Services and Business Services
3.1 Backhaul Connectivity Design for Residential TPS Services
3.2 Backhaul Connectivity Design for Business VPN Services
4. Network Availability
5. Scalability
6. QoS Design
6.1 QoS for Residential TPS Service
6.2 QoS for Business VPN Service
7. Multicast
8. Security
8.1 Security: Data Plane
8.2 Security: Control Plane & Management Plane
9. Easy Touch Provisioning
10. Element & Network Management System
1. Network Requirements
- # of Subscribers
- Access Technology: FTTH (AON)
- Residential TPS service: Internet up to 1 Gbps for each tenant; IP-TV/VoD: HDTV; VoIP
- Business VPN Services: MPLS L3 VPN, MPLS L2 VPN (P2P: VPWS), VPLS
- Scalability
- QoS
- Multicast for IP-TV
- Integration with Existing Broadband Network (MPLS)
- Easy Touch Provisioning: Residential and Business
[Figure: network overview with two NOCs (NOC-1, NOC-2), each with a BRAS/PE attached to the Backbone; site labels in the figure: #1, #2, #15, #16, #33 (=17+16), #39]
2. Network Architecture
[Figure: end-to-end topology. Tenants (1GE) connect to an RG (Residential Gateway); AN (Access Node) and AS (Access Switch) sit at the tower MDF; DS (L2 Distribution Switch) and BRAS/PE sit in NOC-1 and NOC-2; P Routers belong to the existing MPLS Core. Link speeds shown: 1GE, 8xGE, 10GE, 2x10GE.]
- Role of BRAS: BRAS, MPLS PE, SSG
- Protocol Interworking with Backbone Network:
  - IGP: OSPF or IS-IS
  - IGP TE: OSPF TE or IS-IS TE
  - MPLS: LDP, RSVP-TE, MP-iBGP, VPWS, VPLS
- Role of AS and DS: L2 Ethernet Aggregation
- QinQ (for Residential TPS) Termination: BRAS
- QinQ (for Enterprise VPN) Termination: BRAS (PE)
- Subscriber MAC frame broadcasting: not into the existing IP/MPLS Backbone
- Traffic Path: all traffic (Internet, VoIP, VoD, Multicast, Enterprise VPN) passes through the BRAS/PE
2.1 Network Architecture: Aggregation Network for Towers
[Figure: Tower (high-rise buildings) aggregation. Legend: RG, AN (Access Node), AS (Access Switch), DS (Distribution Switch), BRAS/PE; link types 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX). Links shown: 1GE to each tenant, 4xGE (1000baseTX) at the AN, 2x10GE from the AS toward the two NOCs, 8xGE/10GE between BRAS/PE and the P Routers of the existing MPLS Core.]
- RG in home and business
- AN and AS are distributed at each apartment MDF
- DS and BRAS in NOC-1 and NOC-2
- One AS is connected to two NOCs (Dual Homing) for protection
- Direct fiber access to individual subscribers (Dedicated 1 Gbps bandwidth per user)
- Co-existence of residential and business subscribers
2.2 Network Architecture: Aggregation Network for Villas
[Figure: Villa aggregation. Legend: RG, AN (Access Node), AS (Access Switch), DS (Distribution Switch), BRAS/PE; link types 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX). Links shown: 1GE to each villa, 4xGE (T) at the AN, 2x10GE from the AS toward the two NOCs, 8xGE/10GE between BRAS/PE and the P Routers of the existing MPLS Core.]
- RG in home
- AN and AS are centralized at NOC-1
- One AS is connected to two NOCs (Dual Homing) for protection
- Direct fiber access to individual subscribers (Dedicated bandwidth per user)
3. Logical Architecture for Residential Services and Business Services
SAR: Service Access Router (PE router located at Head End)
[Figure: logical paths from CPE/RG through AN, AS and DS (EAPS ring) into the BRAS/PE and across the IP/MPLS backbone to PE/BR, PE/SAR, PE2 and PE3. Residential traffic terminates in per-service VRFs, enterprise traffic in per-enterprise VRFs (L3 VPN) or VSIs (L2 VPN). LSPs shown: MPLS L3 Internet VPN (LSP to BR), MPLS L3 Voice VPN and Video VPN (LSP to SAR), MPLS L3 VPN (LSP to PE 2 / PE 3), MPLS L2 VPN VPWS and VPLS (LSP to PE 2 / PE 3).]
Residential services (per-service VLAN, S-VID per AN; DHCP-assigned addresses):
- Residential Internet Access: Residential Internet VLAN (C-VID=Internet(5), S-VID=AN) -> Per-Service VRF (Internet)
- Residential Voice: Residential Voice VLAN (C-VID=Voice(3), S-VID=AN) -> Per-Service VRF (Voice)
- Residential Video: Residential Video VLAN (C-VID=Video(4), S-VID=AN) -> Per-Service VRF (Video)
Enterprise services (per-enterprise VLAN):
- Enterprise Internet Access and Enterprise L3 VPN: Per-Enterprise VLAN (C-VID=Ent. A, S-VID=Ent. A), (C-VID=Ent. B, S-VID=Ent. B) -> per-enterprise VRF
- Enterprise L2 VPN (PtP: EoMPLS) and Enterprise L2 VPN (PtMP: VPLS): Per-Enterprise VLAN (C-VID=Private Use, S-VID=Ent. C), (C-VID=Private Use, S-VID=Ent. D) -> per-enterprise VSI
- Addressing: Static/Public Subnet for Enterprise Internet Access; Private Addressing and Routing for the VPN services
Supported Standards (MPLS PE)
- RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
- RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006
- RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
- RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
- RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006
3.1 Residential TPS Service
[Figure: residential service path from Tower A and Tower B to the NOC. Residential subscribers A-F behind RGs; per AN, the Voice, Video and Data VLANs are carried as N:1 VLANs through AS and DS (bridging) to the BRAS/PE, which terminates them into the Voice VPN, Video VPN and Data VPN VRFs on the IP/MPLS Backbone.]
- RG to AN, 802.1Q: Per Service VLAN (C-VID, Inner VLAN)
- AN to DS, 802.1ad (QinQ): S-VID = Per AN VLAN (Outer VLAN, identifies the AN), C-VID = Per Service VLAN
- AN: Per AN QinQ encapsulation, Private VLAN (N:1 VLAN), DHCP Option82
- AS, DS: Layer 2 (Ethernet) bridging
- BRAS/PE: MPLS L3VPN per Service encapsulation (Layer 3, IP/MPLS); one VRF each for Voice VPN, Video VPN and Data VPN (Per-Service MPLS L3 VPN)
Residential TPS Service
- Service Separation: in the backhaul, by Per-Service VLAN (N:1 VLAN); inside the BRAS, by VRF (each VRF has its own interfaces and route information)
- User Isolation: Split Horizon Forwarding (Private VLAN) on the AN prohibits hair-pinning (direct user-to-user forwarding)
- L2 Scalability Issues:
  - Broadcast domain is reduced by Per-AN QinQ
  - MAC learning at DS: 224K MAC addresses supported by DS >> 15K subscribers x 4 services = 60K
  - Configuration of each RG is the same; only the QinQ (S-VID) value of the AN differs
- IP Address Management: Public IP address for Internet access, Private IP address for walled-garden services (VoD, IP-TV, VoIP)
- DHCP Option82 at AN (Per-service VLAN ID, Port ID, AN ID): subscriber identification, subscriber location, per-service IP address allocation
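As an added example (not code from the NMC document), the Option 82 handling just described: the AN, as relay agent, inserts a circuit-id carrying AN ID, port ID and service VLAN, and the BRAS/DHCP side recovers subscriber identity, location and the per-service address pool from it. The circuit-id byte layout, the DISCOVER bytes and the address pools are constructed assumptions; the C-VID values 3/4/5 are the document's.

```python
# Added illustration of DHCP Option 82 for subscriber identification (section 3.1).
# ASSUMPTION: circuit-id = AN ID (2 bytes) + port ID (1 byte) + service VLAN (2 bytes);
# real access nodes use their own vendor layout.
import struct

# Option codes: RFC 2132 (PAD/END), RFC 3046 (Relay Agent Information)
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPT_CIRCUIT_ID = 1

# Per-service C-VIDs from the document's logical architecture:
# Internet = 5, Voice = 3, Video = 4. Pools are constructed sample values:
# public space for Internet, private space for the walled-garden services.
SERVICE_BY_CVID = {5: "Internet", 3: "Voice", 4: "Video"}
POOL_BY_SERVICE = {"Internet": "public 203.0.113.0/24",
                   "Voice": "private 10.10.0.0/16",
                   "Video": "private 10.20.0.0/16"}

# Constructed DHCPDISCOVER option field (the bytes after the magic cookie):
# option 53 (message type) = 1 DISCOVER, option 61 (client id) = MAC, END.
DISCOVER_OPTS = bytes([53, 1, 1,
                       61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
                       OPT_END])


def parse_options(opts: bytes) -> dict:
    """Decode a DHCP TLV option field (or an Option 82 sub-option field,
    which uses the same TLV layout) into {code: value}."""
    result, i = {}, 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = opts[i + 1]
        result[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    return result


def insert_option82(opts: bytes, an_id: int, port_id: int, cvid: int) -> bytes:
    """Relay-agent side (the AN): drop any client-supplied Option 82, which a
    subscriber must not be able to forge, then append the AN's own circuit-id."""
    clean = b"".join(bytes([code, len(val)]) + val
                     for code, val in parse_options(opts).items()
                     if code != OPT_RELAY_AGENT)
    circuit_id = struct.pack("!HBH", an_id, port_id, cvid)
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return clean + bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def identify_subscriber(opts: bytes) -> dict:
    """BRAS/DHCP-server side: recover AN, port and service from Option 82 and
    choose the per-service pool. A request without Option 82 did not arrive
    through a trusted AN and is refused."""
    options = parse_options(opts)
    if OPT_RELAY_AGENT not in options:
        raise ValueError("no Option 82: request did not arrive via a trusted AN")
    subs = parse_options(options[OPT_RELAY_AGENT])
    an_id, port_id, cvid = struct.unpack("!HBH", subs[SUBOPT_CIRCUIT_ID])
    service = SERVICE_BY_CVID.get(cvid)
    if service is None:
        raise ValueError(f"unknown service VLAN {cvid}")
    return {"an_id": an_id, "port_id": port_id, "service": service,
            "location": f"AN{an_id}/port{port_id}",
            "pool": POOL_BY_SERVICE[service]}


if __name__ == "__main__":
    relayed = insert_option82(DISCOVER_OPTS, an_id=17, port_id=3, cvid=3)
    print(identify_subscriber(relayed))
```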
3.2 Business VPN Service
[Figure: enterprise service path from Tower A and Tower B to the NOC. Enterprises A-F behind RG/CE; per-enterprise VLANs (1:1 VLAN) are bridged through AN, AS and DS to the BRAS/PE, which terminates Ent-A and Ent-B into L3 VPN VRFs, Ent-C and Ent-D into L2 VPN (VPWS) VSIs, and Ent-E (shown at two sites) into an L2 VPN (VPLS) VSI on the IP/MPLS Backbone.]
- RG/CE to AN, 802.1Q: Per Enterprise VLAN, or Private Use by Enterprise (Inner VLAN)
- AN to DS, 802.1ad (QinQ): S-VID = Per Enterprise VLAN (Outer VLAN, identifies the enterprise), C-VID = Per Enterprise VLAN (extension) or Private Use by Enterprise
- AN: Per Enterprise QinQ encapsulation
- AS, DS: Layer 2 (Ethernet) bridging
- BRAS/PE: MPLS L2/L3 VPN per Enterprise encapsulation (Layer 2/3); one VRF or VSI per enterprise (Per Enterprise MPLS L2/L3 VPN)
- Customer Separation by Per-Enterprise VLAN (1:1 VLAN)
- A provisioning tool is needed for creating the Per-Enterprise VLAN
- IP address management: Private IP for VPN service
MPLS L3 VPN
[Figure: CE1/CE2 sites of VPN-A and VPN-B attach over the Metro Ethernet Backhaul (per-enterprise VLAN, 1:1 VLAN; 802.1Q at the CE, 802.1ad in the backhaul) to the PE routers; between the PEs an LSP Tunnel across the IP/MPLS Backbone carries the L3 VPN (vc-lsp).]
- Per-enterprise VLAN (1:1 VLAN) on the Metro Ethernet Backhaul
- IGP (IS-IS or OSPF)
- Tunnel Signaling (LDP or RSVP-TE)
- VPN Route and Label Distribution (MP-iBGP)
- VPN Routing (BGP, OSPF, IS-IS, RIP, Static)
- Point-to-Point or Point-to-MultiPoint L3 VPN
- RFC 2547bis BGP/MPLS VPN
MPLS L2 VPN: VLL/VPWS/EoMPLS Service
[Figure: CE1/CE2 sites of VPN-A and VPN-B attach over the Metro Ethernet Backhaul (per-enterprise VLAN, 1:1 VLAN; 802.1Q at the CE, 802.1ad in the backhaul) to the PE routers; between the PEs a PW (vc-lsp) inside an LSP Tunnel across the IP/MPLS Backbone.]
- Per-enterprise VLAN (1:1 VLAN)
- IGP (IS-IS or OSPF)
- Tunnel Signaling (LDP or RSVP-TE)
- PW Signaling (Martini Signaling/RFC4447)
- Point-to-Point Transparent LAN Service
- RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
- RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006
MPLS L2 VPN: VPLS Service
[Figure: CE1/CE2 sites of VPN-A and VPN-B attach over the Metro Ethernet Backhaul (per-enterprise VLAN, 1:1 VLAN; 802.1Q at the CE, 802.1ad in the backhaul) to the PE routers; between the PEs a VPLS instance (full-meshed PWs) inside LSP Tunnels across the IP/MPLS Backbone.]
- Per-enterprise VLAN (1:1 VLAN)
- IGP (IS-IS or OSPF)
- Tunnel Signaling (LDP or RSVP-TE)
- PW Signaling (Martini Signaling/RFC4762 or BGP/RFC 4761)
- Point-to-Multipoint Transparent LAN Service
- RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
- RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
- RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006
4. Network Availability (EAPS): < 50 msec
[Figure: the Tower A AS is dual-homed to the DS at NOC-1 and the DS at NOC-2 (BRAS/PE behind each) in an EAPS ring. The secondary port (B) is logically blocked for protected-VLAN data traffic; EAPS ring "Health Check" messages are sent out periodically; path (a) is the normal data traffic path, path (b) the data traffic path with a link failure.]
- Link failure between AS and DS is the major threat; EAPS (Ethernet Automatic Protection Switching) provides fast convergence (under 50 ms) after a link failure
- Ring-based network resiliency protocol between AS and DS/PE, operating at layer 2
- Provides SONET/SDH-like fast convergence from network failures
- Proven sub-50 ms failover times for voice-class connections
- Designed for carriers/ISPs; essential for convergence in the enterprise
- IETF RFC 3619: Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1.0
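An added illustration of the EAPS master behaviour described above (not code from the NMC document or from Extreme Networks): the master keeps its secondary port blocked for data while health-check PDUs keep returning, unblocks it on a link-down trap or fail-timer expiry, and flushes forwarding tables on each transition so traffic relearns the new path. The four-node ring (DS at NOC-1 as master, two tower ASes, DS at NOC-2) and the 50 ms timer value are constructed to match the figure.

```python
# Added illustration of the RFC 3619 EAPS master state machine (section 4).
from collections import deque


class EapsRing:
    """One EAPS domain on a ring of n nodes; ring links are (i, i+1 mod n).
    Node 0 is the master: its primary port faces node 1, its secondary port
    faces node n-1 and is logically blocked for protected-VLAN data while the
    ring is COMPLETE. That single blocked port is what keeps the ring loop-free."""

    def __init__(self, n: int, fail_timer_ms: int = 50):
        self.n = n
        self.failed = set()               # ring links currently down
        self.state = "COMPLETE"
        self.secondary_blocked = True
        self.fail_timer_ms = fail_timer_ms
        self.fdb_flushes = 0              # MAC-table flushes ordered by the master

    @staticmethod
    def link(i: int, j: int) -> frozenset:
        return frozenset((i, j))

    def _carries_data(self, i: int, j: int) -> bool:
        l = self.link(i, j)
        if l in self.failed:
            return False
        # Health-check PDUs still cross the secondary port; data does not.
        return not (self.secondary_blocked and l == self.link(0, self.n - 1))

    def active_links(self) -> int:
        """Number of ring links carrying data; n-1 means loop-free and connected."""
        return sum(self._carries_data(i, (i + 1) % self.n) for i in range(self.n))

    def path_exists(self, src: int, dst: int) -> bool:
        """Is there a data path around the ring from src to dst right now?"""
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return True
            for nb in ((cur + 1) % self.n, (cur - 1) % self.n):
                if nb not in seen and self._carries_data(cur, nb):
                    seen.add(nb)
                    queue.append(nb)
        return False

    def health_check(self) -> bool:
        """The master sends a health-check PDU out its primary port and expects
        it back on the secondary port within fail_timer_ms; it only returns if
        every ring link is up. Returns whether the PDU came back."""
        returned = not self.failed
        if self.state == "COMPLETE" and not returned:
            self._fail()                  # fail timer expired
        elif self.state == "FAILED" and returned:
            self._restore()               # ring is whole again
        return returned

    def on_link_down(self, i: int, j: int) -> None:
        """A transit node sees link loss and sends a link-down trap to the
        master at once, so recovery does not wait for the fail timer."""
        self.failed.add(self.link(i, j))
        if self.state == "COMPLETE":
            self._fail()

    def on_link_up(self, i: int, j: int) -> None:
        self.failed.discard(self.link(i, j))   # master re-blocks on next health check

    def _fail(self) -> None:
        self.state, self.secondary_blocked = "FAILED", False
        self.fdb_flushes += 1             # every node relearns MACs over the new path

    def _restore(self) -> None:
        self.state, self.secondary_blocked = "COMPLETE", True
        self.fdb_flushes += 1
```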
Resiliency Mechanism for Unicast
[Figure: six panels of RG - AN - AS - (DS, DS) - (PE, PE) - IP/MPLS Backbone showing unicast upstream and downstream paths. Normal: EAPS blocked port (B) on the ring, one PE is VRRP Master. Link fail (ring): recovery by EAPS (50 ms), the other DS becomes active. DS fail: recovery by EAPS, VRRP & IGP, the other PE becomes VRRP Master. Link fail (DS to PE): recovery by VRRP & IGP. PE fail: recovery by VRRP & IGP.]
Resiliency Mechanism for Unicast (continued)
[Figure: two panels for a link failure on the PE side. With VRRP interface tracking enabled: recovery by VRRP & IGP (the VRRP Master role moves). With VRRP interface tracking disabled: recovery by IGP only.]
Resiliency Mechanism for Multicast
[Figure: six panels of RG - AN - AS - (DS, DS) - (PE, PE) - IP/MPLS Backbone with PIM Hello between the PEs, one PE acting as DR. Normal: EAPS blocked port (B). Link fail (ring): recovery by EAPS (50 ms), the other DS becomes active. DS fail: recovery by EAPS & IGP. Link fail (DS to PE): recovery by IGP. PE fail: recovery by IGP (the DR role moves).]
Resiliency Mechanism for Multicast (continued)
[Figure: link failure on the PE side: recovery by IGP; DR on the PE, blocked port (B) on the ring.]
5. Scalability
Scalability Factor for Enterprise | AS (BD 8806) | DS (BD 10808) | BRAS/PE (E320)
Maximum number of MAC addresses | 16K | 224K | 96K
Maximum number of IP routes | - | - | 1M
Maximum number of 802.1Q (VLAN) Circuits per Port | 4K | 4K | 4K (16K per chassis)
Maximum number of 802.1ad (QinQ) Circuits per Port | - | - | 16K (96K per chassis)
Maximum number of Logical Interfaces | - | - | 96K
Maximum number of MPLS LSPs (LDP/RSVP-TE) | - | - | 10K
("-": no value given on the slide)

Scalability Factor of MPLS L3VPN for Enterprise | BRAS/PE (E320)
Maximum number of VRF instances | 1K
Maximum number of IP routes per VRF | 500K

Scalability Factor of MPLS L2VPN for Enterprise | BRAS/PE (E320)
Maximum number of VPWS instances | 8K
Maximum number of VPLS instances | 1K
Maximum number of MAC addresses per VSI | 64K in total

- Maximum number of MPLS L3 VPN = 1K (per PE router)
- Maximum number of Point-to-Point MPLS L2 VPN (VPWS) = 8K (per PE router)
- Maximum number of Point-to-Multipoint MPLS L2 VPN (VPLS) = 1K (per PE router)
L2 Scalability
- Residential TPS Service:
  - Broadcast domain is reduced by Per-AN VLAN (QinQ)
  - MAC learning at DS: 224K MAC addresses supported by DS (Extreme BD10K) >> 15K subscribers x 4 services = 60K
- Enterprise VPN service:
  - Per-Enterprise VLAN must be provisioned through the Ethernet backhaul network (potential scaling issue)
  - 802.1Q provides 4K distinct VLANs and 802.1ad provides 16M distinct VLANs
6.1 QoS for Residential TPS Service
Class | RG ~ AN (802.1p) | AN ~ AS (802.1p) | AS ~ DS (802.1p) | DS ~ BRAS/PE (802.1p) | BRAS/PE ~ P (MPLS QoS (E-LSP) / IP DiffServ)
Voice | COS 5 | COS 5 | COS 5 | COS 5 | EXP 5
IPTV | COS 3 | COS 3 | COS 3 | COS 3 | DSCP AF3
VoD | COS 2 | COS 2 | COS 2 | COS 2 | EXP 2
Internet | COS 0 | COS 0 | COS 0 | COS 0 | EXP 0
- 4 service classes
- Internet bandwidth control for both upstream and downstream directions per residential subscriber by RG & BRAS (Per-Residential Upstream Shaping, Per-Residential Downstream Shaping)
- Voice, IPTV and VoD traffic always have higher priority than Internet
[Figure: BRAS strict-priority queuing (SPQ, HIGH to LOW) toward users A, B and C: Voice to all users, IPTV (multicast) and VoD to all users are served ahead of per-residential shaped Internet to User-A, User-B and User-C; 802.1p marking on RG - AN - AS - DS - BRAS/PE, MPLS QoS / IP DiffServ toward the IP/MPLS Backbone.]
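An added example (not from the NMC document) of the 6.1 design: classification into the four classes, the COS/EXP/DSCP markings from the table, and a BRAS-style strict-priority scheduler in which only the Internet class is shaped per residential subscriber. The link and shaper rates are constructed, and telling IPTV from VoD inside the video VLAN by multicast versus unicast destination is an assumption.

```python
# Added illustration of section 6.1: per-service marking, strict-priority queuing
# (Voice > IPTV > VoD > Internet) and per-residential shaping of Internet only.
from collections import deque

# class: (802.1p COS on RG-AN-AS-DS-BRAS, marking on BRAS/PE-P), from the table
MARKING = {"Voice": (5, "EXP 5"), "IPTV": (3, "DSCP AF3"),
           "VoD": (2, "EXP 2"), "Internet": (0, "EXP 0")}
SPQ_ORDER = sorted(MARKING, key=lambda c: -MARKING[c][0])   # highest COS first
CVID_VOICE, CVID_VIDEO, CVID_INTERNET = 3, 4, 5              # C-VIDs from section 3


def classify(cvid: int, multicast_dst: bool = False) -> str:
    """Map a frame's service VLAN (and, for video, whether its destination is
    multicast) onto one of the four classes. ASSUMPTION: IPTV = multicast video."""
    if cvid == CVID_VOICE:
        return "Voice"
    if cvid == CVID_VIDEO:
        return "IPTV" if multicast_dst else "VoD"
    if cvid == CVID_INTERNET:
        return "Internet"
    raise ValueError(f"unknown service VLAN {cvid}")


class TokenBucket:
    """Per-residential shaper: at most `rate` bytes per ms, plus `burst`."""
    def __init__(self, rate: int, burst: int):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def refill(self, ms: int) -> None:
        self.tokens = min(self.burst, self.tokens + self.rate * ms)

    def take(self, size: int) -> bool:
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class BrasScheduler:
    """Strict-priority queuing (SPQ). Internet is additionally shaped per
    subscriber, so one heavy user cannot starve another and never touches
    the higher classes. Rates are constructed example values."""
    def __init__(self, link_bytes_per_ms: int, internet_rate: int, burst: int):
        self.link = link_bytes_per_ms
        self.prio = {c: deque() for c in SPQ_ORDER if c != "Internet"}
        self.internet = {}                      # subscriber -> deque of sizes
        self.shaper = {}                        # subscriber -> TokenBucket
        self.rate, self.burst = internet_rate, burst

    def enqueue(self, cls: str, subscriber: str, size: int) -> None:
        if cls == "Internet":
            self.internet.setdefault(subscriber, deque()).append(size)
            self.shaper.setdefault(subscriber, TokenBucket(self.rate, self.burst))
        else:
            self.prio[cls].append((subscriber, size))

    def serve(self, ms: int = 1) -> list:
        """Drain one interval of link capacity; returns (class, subscriber)
        pairs in transmission order."""
        budget, sent = self.link * ms, []
        for bucket in self.shaper.values():
            bucket.refill(ms)
        for cls in self.prio:                   # high to low priority, unshaped
            q = self.prio[cls]
            while q and q[0][1] <= budget:
                sub, size = q.popleft()
                budget -= size
                sent.append((cls, sub))
        progress = True                         # round-robin over shaped subscribers
        while progress:
            progress = False
            for sub, q in self.internet.items():
                if q and q[0] <= budget and self.shaper[sub].take(q[0]):
                    budget -= q.popleft()
                    sent.append(("Internet", sub))
                    progress = True
        return sent
```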
6.2 QoS for Business VPN Service
Class | RG ~ AN (802.1p) | AN ~ AS (802.1p) | AS ~ DS (802.1p) | PE ~ P (MPLS QoS (E-LSP))
Voice | COS 5 | COS 5 | COS 5 | EXP 5
VoD | COS 2 | COS 2 | COS 2 | EXP 2
Mission Critical | COS 1 | COS 1 | COS 1 | EXP 1
Internet | COS 0 | COS 0 | COS 0 | EXP 0
- 4 service classes
- Bandwidth control for both upstream and downstream directions per enterprise subscriber by PE (Per-Enterprise Upstream Shaping, Per-Enterprise Downstream Shaping)
- PE supports a hierarchical shaper
[Figure: per-enterprise hierarchical shaping (PIR/CIR) at the PE for S-VLAN 1001, S-VLAN 1400 and S-VLAN 1500 (enterprises 1, 2, 3), each with RT Voice, RT Video, Mission Critical and Best Effort queues; 802.1p marking on RG - AN - AS - DS - BRAS/PE, MPLS QoS toward the IP/MPLS Backbone.]
7. Multicast
All IPTV channels (multicast streams) always reach the core-facing port of the DS, through the IGMP Static Join function of the BRAS/PE, so that channel zapping is fast.
[Figure: BRAS/PE (DR) at NOC-1 and NOC-2 with IGMP Static Join pulling all IPTV channels from the IP/MPLS Backbone down to the DS; IGMP Snooping on DS and AS, IGMP Proxy and IGMP Snooping on the access side (AN/RG); an IGMP Report (CH1) from a Tower A subscriber results in only IPTV CH1 being forwarded toward that RG, while Towers B and C receive nothing.]
8.1 Security: Attack and Defensive Features/Actions
Attack | Defensive Features/Actions | NE
MAC attacks | Limit number of MAC addresses per port, Allow only static MAC addresses | AN, AS
VLAN hopping | Disable auto trunking on user-facing port, Do not use VLAN1 for anything | AN, AS, DS
Private DHCP server | Filter DHCP messages using wire-speed ACLs, Private VLAN | AN, AS, DS
Source MAC address spoofing | Limit number of MAC addresses per port, Allow only static MAC addresses | AN, AS
Abnormal Source MAC attacks (all 0's, all F's, ...) | Filter abnormal source MAC addresses using wire-speed ACLs | AN, AS, DS
ARP attacks | AN, AS, DS: Storm control, Rate-limit of ARP protocol type; BRAS/PE: CPU rate-limit, IP Source Guard | AN, AS, DS, BRAS/PE
Storm attacks | Storm control for broadcast & unknown-unicast packets | AN, AS, DS
System attacks | CPU rate-limit & filtering, Prioritize control traffic (telnet, SNMP is high) | AN, AS, DS, BRAS/PE
DHCP attacks | Limit number of MAC addresses per port, Check integrity of DHCP messages | AN, BRAS/PE
Poison ARP tables | Dynamic ARP inspection using DHCP snooping binding table | BRAS/PE
DDoS of TCP SYN flooding | AN, AS, DS: Rate-limit of TCP SYN; BRAS/PE: IP Source Guard | AN, AS, DS, BRAS/PE
Smurf attacks | Disable directed broadcast | BRAS/PE
IGMP attacks | Enable IGMP Join Filter, Limit number of IGMP Join messages | AN, AS
Multicast stream attacks | Filter multicast addresses (except IGMP messages) on user-facing port | AN, AS
PIM attacks | Filter PIM neighbors (Allow only registered PIM neighbors) | BRAS/PE
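An added example (not from the NMC document) of the AN/AS user-facing port checks in the table above, run over constructed frames: MAC limit or static MAC list, abnormal source MAC filter, private DHCP server filter, ARP rate limit, storm control, IGMP join limit and multicast-source filter, with drop counters an operator can export as telemetry. Frames are dicts rather than raw Ethernet, and the limits are example values.

```python
# Added illustration of the 8.1 per-port defences on a user-facing AN/AS port.
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
NULL_MAC = "00:00:00:00:00:00"


def is_group(mac: str) -> bool:
    """Group (I/G) bit set in the first octet: multicast or broadcast MAC."""
    return int(mac.split(":")[0], 16) & 1 == 1


class AccessPortGuard:
    def __init__(self, mac_limit=2, arp_limit=5, storm_limit=10,
                 igmp_join_limit=4, static_macs=None):
        self.mac_limit, self.arp_limit = mac_limit, arp_limit
        self.storm_limit, self.igmp_join_limit = storm_limit, igmp_join_limit
        self.static_macs = static_macs        # {port: {mac, ...}} or None (learn)
        self.learned = defaultdict(set)       # port -> MACs learned
        self.joins = defaultdict(set)         # port -> IGMP groups joined
        self.window = defaultdict(Counter)    # port -> counters for this interval
        self.drops = Counter()                # reason -> count (for telemetry)

    def new_interval(self) -> None:
        """Called once per rate-limit interval (e.g. every second)."""
        self.window.clear()

    def inspect(self, port, f):
        """Return ("forward", None) or ("drop", reason) for frame f on port."""
        reason = self._check(port, f)
        if reason:
            self.drops[reason] += 1
            return ("drop", reason)
        return ("forward", None)

    def _check(self, port, f):
        src, dst, kind = f["src"], f["dst"], f["kind"]
        # Abnormal source MAC (all 0s, all Fs, group bit set)
        if src in (NULL_MAC, BROADCAST) or is_group(src):
            return "abnormal-src-mac"
        # MAC attacks / source MAC spoofing: static list or per-port MAC limit
        if self.static_macs is not None:
            if src not in self.static_macs.get(port, ()):
                return "unknown-static-mac"
        elif src not in self.learned[port]:
            if len(self.learned[port]) >= self.mac_limit:
                return "mac-limit"
            self.learned[port].add(src)
        # Private DHCP server: server-to-client DHCP never originates from a user port
        if kind == "dhcp" and f.get("udp_sport") == 67:
            return "rogue-dhcp-server"
        # ARP attacks: rate-limit the ARP protocol type
        if kind == "arp":
            self.window[port]["arp"] += 1
            if self.window[port]["arp"] > self.arp_limit:
                return "arp-rate-limit"
        # IGMP attacks: cap joined groups; IGMP itself passes on to snooping
        if kind == "igmp":
            if f.get("igmp") == "report":
                self.joins[port].add(f["group"])
                if len(self.joins[port]) > self.igmp_join_limit:
                    self.joins[port].discard(f["group"])
                    return "igmp-join-limit"
            return None
        # Multicast stream attacks: users must not source multicast streams
        if is_group(dst) and dst != BROADCAST:
            return "user-multicast-source"
        # Storm attacks: broadcast and unknown-unicast storm control
        if dst == BROADCAST or f.get("unknown_unicast"):
            self.window[port]["storm"] += 1
            if self.window[port]["storm"] > self.storm_limit:
                return "storm-control"
        return None
```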
8.1 Security: Attack and Defensive Features/Actions (continued)
Attack | Defensive Features/Actions | NE
Attack with a spoofed source IP address | IP Source Guard, RPF (Reverse Path Filtering) | BRAS/PE
Route information spoofing, Misdirecting traffic | MD5 authentication for IP routing/MPLS signaling protocols; GTSM (Generalized TTL Security Mechanism); Route filtering: Martian filter, Bogon list, RFC 1918/3330 addresses | BRAS/PE
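An added example (not from the NMC document) for the route-spoofing row above and the control-plane list in 8.3: the GTSM TTL check on a routing or signalling session and an ingress prefix policy that rejects Martian, RFC 1918 and RFC 3330 special-use space, too-specific and default routes, with a per-VRF prefix limit. The bogon list is illustrative (an operator's maintained list is larger), the sample update is constructed, and MD5 session authentication is not shown.

```python
# Added illustration of GTSM and Martian/bogon route filtering on the BRAS/PE.
import ipaddress

# Illustrative bogon list: RFC 1918 private space plus RFC 3330 special-use
# blocks (ASSUMPTION: not the operator's maintained list, which is larger).
BOGONS = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4")]


def gtsm_accept(ttl: int, max_hops: int = 1) -> bool:
    """RFC 5082: the peer sends TTL 255. A packet that crossed more than
    max_hops-1 routers cannot arrive with TTL >= 256 - max_hops, so packets
    spoofed from further away never reach the session's input queue."""
    return ttl >= 256 - max_hops


def filter_update(prefixes, max_prefix_len=24, vrf_limit=500_000):
    """Apply the ingress route policy to one update. Returns (accepted,
    rejected), where rejected is a list of (prefix, reason)."""
    accepted, rejected = [], []
    for p in prefixes:
        try:
            net = ipaddress.IPv4Network(p)          # strict: host bits must be 0
        except ValueError:
            rejected.append((p, "malformed"))
            continue
        if net.prefixlen == 0:
            rejected.append((p, "default-route"))
        elif net.prefixlen > max_prefix_len:
            rejected.append((p, "too-specific"))
        elif any(net.subnet_of(b) for b in BOGONS):
            rejected.append((p, "bogon"))
        elif len(accepted) >= vrf_limit:
            rejected.append((p, "vrf-prefix-limit"))   # resource limitation per VRF
        else:
            accepted.append(p)
    return accepted, rejected


class PeerSession:
    """One routing/signalling neighbour on the BRAS/PE: GTSM first, then the
    prefix policy against the room left in this VRF."""
    def __init__(self, max_hops=1, vrf_limit=500_000):
        self.max_hops, self.vrf_limit = max_hops, vrf_limit
        self.rib = []

    def receive(self, ttl, prefixes):
        if not gtsm_accept(ttl, self.max_hops):
            return ("dropped", "gtsm")
        room = self.vrf_limit - len(self.rib)
        accepted, rejected = filter_update(prefixes, vrf_limit=room)
        self.rib.extend(accepted)
        return ("accepted", rejected)


# Constructed sample update: one customer prefix among spoofed and bad entries
SAMPLE_UPDATE = ["203.0.113.0/24", "10.0.0.0/8", "192.168.1.0/24",
                 "198.51.100.0/25", "0.0.0.0/0", "172.16.5.0/24",
                 "198.18.0.0/16", "192.0.2.1/24", "198.51.100.0/24"]

if __name__ == "__main__":
    session = PeerSession()
    print(session.receive(255, SAMPLE_UPDATE))
```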
8.2 Security: Data Plane
[Figure: data-plane protections placed along RG - AN - AS - DS - BRAS/PE - IP/MPLS Backbone.]
- IP Source Guard / DHCP Security
- Resource (# of Routes/MACs) Limitation / Rate-Limit of Protocol Updates per VRF
- Filter Martian addresses, RFC 1918 addresses, Bogon prefixes
- Filter Directed Broadcast
- Rate Limit ICMP echo & TCP SYN (to CPU & Transit)
- Reject other ICMP packets (e.g. ICMP Redirect), IP with Options, Malicious Fragment packets
- Protect IGMP Attack
- Unicast RPF Loose mode
- Filter well-known attack traffic (worms/viruses)
- Protect MAC Attack
- User Isolation (Prohibit direct connection between users) / Service Isolation
- Protect ARP Attack
- Protect MAC Spoofing
- Control CPU Traffic
- Storm Control
- Filter Multicast stream from Abnormal source
- Protect DHCP Attack
8.3 Security: Control Plane & Management Plane
[Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS Backbone.]
- MD5 Authentication for IP Routing/MPLS Signaling
- Generalized TTL Security Mechanism (GTSM)
- SNMPv3
- SSH (Secure Shell)/SCP (Secure Copy Protocol)
- TACACS+
- Control the number of concurrent SSH connections
- Control the rate of SSH connections
9. Easy Touch Provisioning Tool: SSG (Service Selection Gateway) for TPS Users
[Figure: TRANSPORT PLANE (RG - AN - AS - DS - BRAS/SSG - IP/MPLS Backbone), SERVICE INTELLIGENCE CONTROL PLANE (Policy Server, AAA, DHCP, LDAP, Web Portal) and BACK OFFICE (OSS/BSS).]
Subscriber sign-on flow:
1. DHCP DISCOVER
2. DHCP OFFER
3. DHCP REQUEST
4. DHCP ACK
5. "Client Table" is created
6. "SI" is created
7. COPS: Interface Event
8. COPS: Address Event
9. COPS: Default Policy
10. LDAP Search: MAC ID/PW
11. LDAP Result: NULL return
12. HTTP/HTTPS: ID/PW by subscriber
13. CORBA: ID/PW information
14. RADIUS: Request Authentication (ID/PW)
15. RADIUS: Authentication Result
16. RADIUS: Type of Service for Subscriber
17. CORBA: Authentication Result
18. COPS: Service Policy
19. HTTP/HTTPS: Authentication Result & Show "Subscriber Homepage"
LDAP: Service adds
Easy Touch Provisioning Tool: VLAN Connection Management for Enterprise
- Connection Manager helps reduce overall administration and management costs by providing automated resource management and rapid profile-based provisioning capabilities that speed deployment and time to market of Metro Ethernet technologies
- It provides 802.1Q VLAN and 802.1ad QinQ provisioning methods for AN, AS and DS
[Figure: Connection Manager for Enterprise provisioning the Per Enterprise VLAN across RG/CE - AN - AS - DS - BRAS/PE and the Per Enterprise MPLS VPN (L2/L3) across the IP/MPLS Backbone (P, P, PE) to the CE sites (Site-1 and Site-2 of VPN-A and VPN-B).]
- A: QinQ assignment of user-facing port for Enterprise user
- B: VLAN ID assignment of access-facing port for Enterprise user
10. Element & Network Management System
[Figure: network elements (RG/CPE, AN, AS, DS, BRAS, IP/MPLS Core, Internet) managed by per-element EMSs (BRAS EMS, AS/DS EMS, AN EMS, RG EMS) alongside DHCP and TFTP/FTP servers; the NMS (Fault, Configuration, Accounting, Performance, Security) sits above them; southbound interface SNMP, northbound interface SNMP, XML.]
Network management systems make use of a wide range of tools, applications, interfaces and devices to assist network operators in monitoring and maintaining the network. A standard model for all management systems, called FCAPS, is defined by the ITU-T:
- Fault management
- Configuration management
- Accounting management
- Performance management
- Security management
EMS/NMS Features
General management | Fault | Configuration | Performance/Statistics Reports | Security
Topology map | Fault detection | Resource initialization | Data collection | User access right checking
Command history | Alarm generation | Provisioning | Data reporting | Access logging
- | Alarm handling | Backup and restore | Data analysis | Security alarm reporting
- | Error logging | Remote configuration | Alarm history | Data backup
- | - | Automated software installation | - | -
[Figure: EMS/NMS screen layout with numbered areas]
1. Elements lists
- Elements lists view
- Elements searching
- Diagnostics for elements
2. Topology map
- Network topology map
- Elements status view
- Link/Port status view
3. Alarm statistics summary
- Alarm count per fault category
- Alarm color per fault category
4. Detail view for selected elements/networks
5. Alarm status / history
EMS/NMS Functionality Summary
Feature | Sub feature | Description
System | General Information | -
System | Monitoring condition | Monitoring time, retry count, retry timeout; monitoring condition and threshold control based on system performance
System | Topology MAP | Map service based on topology
System | Utility | Ping, Trace, Telnet
System | Alarm history | Alarm history by region, element and port
System | Tool-tip | Displays detailed information when the mouse moves over an element or port
System | Element information | CPU, MEMORY, DISK, temperature, element boot time, OS version, number of interfaces
System | Interface information | Interface ID, Interface Operation/Admin status
Performance | Performance reports | Top N performance by day, week and month
Performance | System resource | CPU utilization, MEMORY usage, DISK usage, Response time
Performance | Traffic performance | Interface input/output throughput (BPS, PPS), utilization rate, error rate, discard rate
Configuration | Elements status | Status of the registered elements
Configuration | Elements configuration | Node and port configuration such as VLAN, QoS, ACL, Multicast, etc.
Configuration | Port status | Port (physical/logical) Up/Down status
Configuration | Port (physical/logical) Up/Down control | Port remote control by the EMS/NMS system
Configuration | Element/Link management | Element or Link management (add/modify/delete)
EMS/NMS Functionality Summary (continued)
Feature | Sub feature | Description
Fault | SNMP Trap | SNMP TRAP, syslog, CLI
Fault | Alarm notify | Web event, e-mail, SMS
Fault | Alarm history | Alarm history search
Fault | Alarm severity management | Critical, Major, Minor, Warning, Normal
Fault | Syslog management | Syslog collection, syslog history search
Fault | Alarm analysis report for each element | Analysis of the alarm count, alarm duration and alarm type for each element
Fault | Alarm analysis report for each interface | Analysis of the alarm count, alarm duration and alarm type for each interface
Fault | Alarm threshold | Alarm threshold setting
Statistics Report | Report file format | Statistics report in Microsoft Excel or Word format
Statistics Report | Elements or Port inventory report | Inventory including alarm or log history of elements or ports
Statistics Report | Elements performance report | Performance reports for traffic utilization, resource usage, alarms, response time, etc. (daily, weekly, monthly)
Statistics Report | Traffic statistics | Traffic analysis report per period and application
Security | Account management | Account management, user ID support, access right control
Backup and Restore of Data | Backup and restore | Configuration backup / recovery of all elements; automatic and scheduled backup
End of Document
Netmanias Research and Consulting Scope
[Figure: timeline 1999-2013 of Netmanias research and consulting areas, grouped in the figure under Wireline Network, Mobile Network and Services: IP Routing, MPLS, Metro Ethernet, Carrier Ethernet, FTTH, IPTV/TPS, Cable TPS, Data Center, Data Center Migration, Policy Control/PCRF, Mobile WiMAX, LTE, LTE Backhaul, Carrier WiFi, eMBMS/Mobile IPTV, IMS, Voice/Video Quality, BSS/OSS, CDN/Mobile CDN, Transparent Caching.]
Visit http://www.netmanias.com to view and download more technical documents.