WiFi – Mobile BNG Offload Deployments
 


More than a decade ago, Cisco introduced wireless solutions that addressed challenges associated with address mobility, seamless authentication and comprehensive backend accounting.

In the last few years the industry has transformed to offer an immense range of smart devices. The resulting growth in mobile traffic demands a change in how networks scale to the new reality of any-to-any connectivity. This is a technical deep-dive presentation on BNG deployments and mobile offload techniques.

    Presentation Transcript

    • © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect, Toronto, Canada, May 30th, 2013. WiFi - Mobile BNG Offload Deployments (SP-T07-I). Derick Linegar, dlinegar@cisco.com
    • Agenda: SP Wi-Fi key drivers; Intelligent Broadband; SP Wi-Fi deployments; SP Wi-Fi evolution with MPC integration; call flow; references
    • Section: SP-WiFi Key Drivers
    • Section: SP-WiFi Solutions
    • Why Should I Care About WiFi? The "New Normal"
    • Wi-Fi Subscribers, Wireline/Wi-Fi & Mobile: Different Motivations
      Mobile operator motivations:
      •  Data traffic growing exponentially
      •  Licensed spectrum limitations
      •  Access: trusted / untrusted
      Wireline / Wi-Fi operator motivations:
      •  Increase service revenues
      •  Cater to multiple mobile operators
      •  Provide a scalable peering model
      •  Leverage existing infrastructure
      Subscriber motivations:
      •  Always-connected experience
      •  Seamless authentication
      •  Mobility/roaming without disrupting apps
      (Diagram: wireline operators 1 and 2 with Wi-Fi access peer through a Wi-Fi Access Gateway with mobile operators 1 and 2; 3G/4G is delivered via mobile backhaul; both paths reach the Internet.)
    • Terminology Primer
                                         | Service Provider Wi-Fi                                 | Wireline Broadband
      Session type                       | IP based sessions                                      | PPP based sessions
      User type                          | Mobile users                                           | Fixed residential
      Session control                    | Intelligent Services Gateway (ISG), software component | Intelligent Services Gateway (ISG), software component
      Place in Network (PIN) designation | Wireless Access Gateway (WAG)                          | Broadband Network Gateway (BNG)
    • SP Wi-Fi Solutions: At a Glance
      Deployment type                          | Software components                                        | ASR1000              | ASR9000
      Traditional Public Wireless LAN (PWLAN)  | Open SSID with ISG redirect for web-based authentication   | Available now        | Available now
      Seamless authentication                  | EAP-based secure authentication using ISG                  | Available now        | Now; relies on Cisco Access Registrar (CAR)
      Mobile network integration               | ISG and Proxy Mobile IP (PMIP) configured on a single box  | iWAG, available now  | Now; ASR5K based
    • Section: Intelligent Broadband
    • Evolution in Service Provider Architectures: from diverged "per service" networks, to converged "all in one" networks, to converged "user centric" networks. Increased service revenues: customized services; rapid deployment of new services; subscriber self-subscription and self-care. Reduced operational expenses: consolidation of multiple networks.
    • The New User Experience: Enabling the Next Wave of Broadband
    • Subscriber Awareness: Elements of Customization
      A multi-dimensional identifier for subscribers over L2/L3 access networks, built from multiple sources and events over the session lifecycle (L2: point-to-point vs. L3: point-to-cloud).
      Different services and rules are applied based on who the subscriber is, the location of the subscriber and the requirement of the subscriber; services and rules are updated based on how the subscriber behaves and what the subscriber requires now.
      ISG building blocks: initiators & identity (session initiation), session authentication, session services, dynamic service management (dynamic policy push and pull).
    • Building the Identity and Assigning Services: Example
      T0, DHCP exchange starts:          MAC 00:DE:34:F1:C0:28, IP ?, username ?, service DEFAULT_SRV
      T1, DHCP exchange completes (*):   MAC 00:DE:34:F1:C0:28, IP 10.1.2.211, username ?, service DEFAULT_SRV
      T2, subscriber authentication (*): MAC 00:DE:34:F1:C0:28, IP 10.1.2.211, username dlinegar, service PPU_SRV
      TN, dynamic service update:        MAC 00:DE:34:F1:C0:28, IP 10.1.2.211, username dlinegar, service PREMIUM_SRV
      Services:
      •  DEFAULT_SRV: only permits management traffic through the session
      •  PPU_SRV (pay per use): permits all traffic; 512K/1Mbps US/DS; accounting enabled on the session
      •  PREMIUM_SRV: permits all traffic; 1M/8Mbps US/DS
      (*) Order of operations not representative of a real call flow
    • What Is ISG? Cisco Intelligent Services Gateway (ISG) is a licensed feature set on Cisco IOS that provides session management and policy management services to a variety of access networks: subscriber identity management, policy management and enforcement, and open northbound interfaces (the subscriber policy layer) to the DHCP server, AAA server, web portal and policy server. It is so focal that the entire device is often referred to as an Intelligent Services Gateway router or simply "the ISG".
    • Access Technology Abstraction: subscriber-centric services (open garden, walled garden) regardless of access technology and access protocol. Access technology: legacy DSL/ATM (DSLAM, ATM/Ethernet switch); Metro Ethernet, wireless LAN (802.11 or 802.16), cable (CMTS). Access protocol: PPP or IP. Aggregation at the BRAS/BNG.
    • Section: SP-WiFi Deployments
    • SP Wi-Fi Deployment Models: At a Glance
      # | Access type | Session initiator                        | Authentication type | MPC integration
      1 | Layer 2     | Unclassified MAC                         | MAC address         | None
      2 | Layer 2     | DHCP                                     | MAC address         | None
      3 | Layer 2     | Unclassified MAC / RADIUS proxy          | MAC address / EAP   | HLR based
      4 | Layer 3     | Unclassified IP / RADIUS proxy           | IP address / EAP    | HLR based
      5 | Layer 2     | DHCP / Unclassified MAC / RADIUS proxy   | MAC address / EAP   | PMIPv6 / GTPv1 based and HLR based
      6 | Layer 2     | DHCP / Unclassified / RADIUS             | MAC address / EAP   | PMIPv6 based, wholesale services and HLR based
    • SP Wi-Fi Access + Aggregation + Core Network: Unified Architecture
      Access & wholesale provider: APs (hotspot, public/large venue, community Wi-Fi, AP/CPE) with radio intelligence via WLCs, aggregation switch/VLAN, WAG with optional NAT; access network policy from portal, DHCP and AAA; Internet services.
      Mobile network operators: PGW/LMA reached over S2a PMIP and GGSN over Gn' GTP; MNO home network policy from PCRF, HLR, OCS and CGF; roaming partner cores; Internet services.
    • SP Wi-Fi Deployment #1
      Connectivity: L2 connected network; FSOL: unclassified MAC address in the data packet
      IP addressing: IPv4 clients; external DHCP
      Authorization: transparent auto logon; web-based logon
      Services: Wi-Fi services for residential and enterprise users (per-device billing); users behind CPE (billing per CPE); pre-paid service; dynamic service selection
    • Architecture Overview (Deployment #1): clients (smartphone, PC/laptop) attach over a Layer 2 network (GE dot1Q, VPLS/EoIP) to an interface or sub-interface (GE .1Q) on the ISG; the ISG provides web authentication for open-access users and EAP users and forwards to the MPLS/IP core and the Internet; AAA interactions with AAA/portal, HLR, OCS and PCRF; external DHCP server.
    • SP Wi-Fi Deployment #2
      Connectivity: L2 connected network; FSOL: DHCP initiator
      IP addressing: IPv4 clients; internal DHCP (DHCP server or relay)
      Authorization: transparent auto logon; web-based logon
      Services: Wi-Fi services for residential and enterprise users (per-device billing); users behind CPE (billing per CPE); pre-paid service; dynamic service selection
    • Architecture Overview (Deployment #2): the access network maps SSID BLUE to VLAN 2 and SSID RED to VLAN 3; the VLANs are carried over an EoIP tunnel transport network (L2 over L3 over L2, one EoIP tunnel encapsulation per VLAN) to an EoIP tunnel server in front of the ISG (Layer 2 network, GE dot1Q, VPLS/EoIP); DHCP server, AAA/portal, HLR, OCS and PCRF sit behind it, with Internet access.
    • SP Wi-Fi Deployment #3
      Connectivity: L2 connected network; FSOL: [BLUE] DHCP initiator or [RED] unclassified MAC
      IP addressing: [BLUE] dynamic (VRF) domain customer, internal DHCP; [RED] mobile data offload, external DHCP
      Authorization: SSID [BLUE] transparent auto logon (EAP auth); SSID [RED] web-based logon (open auth)
      Services: SSID [BLUE] mobile packet core integration for billing, and dynamic VPN services for L3VPN clients; SSID [RED] mobile offload Wi-Fi services with web authentication
    • Architecture Overview (Deployment #3), packet core integration: SSID RED carries simple IP users on VLAN 3 and SSID BLUE carries mobile offload users on VLAN 2; the ISG fronts a trusted Wi-Fi mobile core (IPSG) with NAT-FW to the Internet; AAA interactions with AAA/portal, HLR, OCS and PCRF; DHCP server. The ISG accounting packet also triggers the session on the ASR 5000 (accounting trigger).
    • SP Wi-Fi Deployment #4
      Connectivity: L3 connected network; FSOL: unclassified IP, RADIUS Accounting-Request
      IP addressing: IPv4 clients; external DHCP (DHCP server or any L3 router, the Access Zone Router)
      Authorization: IP/MAC-based transparent auto logon (the MAC is collected using DHCP lease query); web-based logon
      Services: Wi-Fi services for residential and enterprise users (per-device billing); users behind CPE (billing per CPE); pre-paid service; dynamic service selection
    • Architecture Overview (Deployment #4): clients (smartphone, PC/laptop) reach the ISG (ASR1K) over an L3 network. Hotspot 1: open (no WEP) SSID with web authentication, plus an EAP client, behind an Access Zone Router (AZR, a simple L3 router) with open-garden services; hotspot 2: open (no WEP) SSID with web authentication, plus an EAP client, behind an L2 switch and an IOS AP. Service: web authentication for the unclassified IP session; RADIUS proxy session with accounting from the AZR. AAA/portal, HLR, OCS, PCRF and DHCP server; MPLS/IP core and Internet.
    • Section: SP-WiFi Walk-by Subscriber Management
    • Walk-by Subscriber Management
      •  Walk-by users are attached to the network but not interested in the Wi-Fi service
      •  Today 9 of 10 users are walk-by users
      •  Wi-Fi resources are oversubscribed
    • Session Life Cycle: session initiation, authentication (web logon phase), service activation, termination. Minimal resource (lite session) at session initiation; dedicated resource for the session during authentication; session allocated with full resource after service activation.
    • Default and Dedicated Session Resource Utilization
      •  One default session per interface: interfaces are configured with a default policy to create the default session.
      •  Up to 128K lite sessions: a lite session inherits the default session and is always unauthenticated. It is created on first sign of life, or (optionally) by default-apply on TAL failure.
      •  Up to 48K dedicated sessions: a dedicated session is created on default-exit from a lite session (TAL scenario) or when a portal login is attempted by the user (portal login). The paying ($$$) user gets one dedicated session.
      The same CPU/memory budget serves up to 128K lite sessions or up to 48K dedicated sessions.
    • Section: SP-WiFi Evolution & MPC Integration
    • SP Wi-Fi Access + Aggregation + Core Network, Unified Architecture (access and wholesale provider view): APs (hotspot, public/large venue, community Wi-Fi, AP/CPE) with radio intelligence via WLCs, aggregation switch/VLAN, WAG with optional NAT; access network policy from portal, DHCP and AAA; Internet services and walled-garden services.
    • SP Wi-Fi Access + Aggregation + Core Network, Unified Architecture (with mobile network operators): the same access side, plus MNO cores reached over Gn' GTP (GGSN) and S2a PMIP (PGW/LMA), roaming partner cores, and MNO home network policy from PCRF, HLR, OCS and CGF.
    • Section: Intelligent Wireless Access Gateway (iWAG)
    • Mobile IP Subscriber vs. Simple IP Subscriber
      Mobile IP subscriber:
      •  Subscribers using mobility services (either GTP or PMIPv6)
      •  The subscriber session is anchored on the MPC (PGW/GGSN) and also maintained on the iWAG
      •  IP addresses for the subscribers are allocated from the MPC; the iWAG acts as a proxy DHCP server
      •  Subscribers maintain IP address persistency while roaming Wi-Fi to Wi-Fi or Wi-Fi to 3G/4G
      •  Subscriber authentication is typically performed using out-of-band or in-band (w.r.t. the iWAG) EAP-SIM/AKA
      Simple IP subscriber:
      •  Simple IP users do not receive a mobility service (either GTP or PMIPv6)
      •  The subscriber session is anchored and maintained on the iWAG
      •  IP addresses for the subscribers are allocated either via an external DHCP server or via the iWAG itself
      •  Subscribers are not expected to have IP persistency while roaming
      •  Subscriber authentication is typically performed using web authentication and/or Transparent Auto-Logon
    • What is iWAG? The Intelligent Wireless Access Gateway combines:
      •  GPRS Tunneling Protocol (GTP) for integrating Wi-Fi traffic into the Gateway GPRS Support Node (GGSN)
      •  Mobile Access Gateway (MAG) using Proxy Mobile IPv6 (PMIPv6) for integrating Wi-Fi traffic into the Packet Data Network Gateway (PGW)
      •  ISG features: IPoE sessions (DHCP initiated, unclassified IP or MAC-address initiator, RADIUS-proxy initiator); Layer-4 redirect; traffic classes; postpaid & prepaid accounting; dynamic rate limiting; lawful intercept; RADIUS-based authentication and accounting; RADIUS CoA interface; per-subscriber QoS; IP session keepalives and timeouts; VRF transfer; Port Bundle Host Key (PBHK); walk-by session handling/optimization; local breakout of subscriber traffic for simple IP subscribers; and more at http://www.cisco.com/go/isg
    • ASR 1000 iWAG, IOS XE 3.8S: L2-connected APs/WLCs attach to the iWAG (ASR1K), which reaches the 3G core (GGSN over Gn') and the 4G core (PGW/LMA over S2a PMIPv6), with user-based local breakout (LBO) to the Internet; access network policy from AAA, portal and DHCP; mobile home network policy from PCRF (Gx), OCS (Gy), CGF (Ga) and HLR.
      Features:
      •  L2 access & AAA policy: 1. EAP-SIM/AKA (via WLC), FSOL DHCP; 2. EAP-SIM/AKA (via ISG), FSOL RADIUS proxy; 3. web logon / TAL, FSOL unclassified MAC
      •  GGSN selection via DNS
      •  Overlapping MNO address support with multiple SSIDs
    • Section: PMIPv6, Proxy Mobile IPv6
    • Proxy Mobile IPv6 in a Nutshell
      •  Proxy Mobile IPv6 domain: a network where the mobility management of a mobile node is handled using the Proxy Mobile IPv6 protocol.
      •  Local Mobility Anchor (LMA): the home agent for the mobile node in a PMIPv6 domain. It is the topological anchor point for the mobile node's home network prefix and the entity that manages the mobile node's binding state.
      •  Mobile Access Gateway (MAG): a function on an access router that manages the mobility-related signaling for a mobile node attached to its access link. It is responsible for tracking the mobile node's movements to and from the access link.
      •  Mobile Node (MN): an IP host or router whose mobility is managed by the network. The MN may be an IPv4-only, IPv6-only or dual-stack node, and is not required to participate in any IP mobility related signaling to achieve mobility for an IP address obtained in that PMIPv6 domain.
      •  Correspondent Node (CN): the device the mobile node is communicating with, such as a web server. A correspondent node may be either mobile (e.g. another MN) or stationary (e.g. a server).
    • How PMIPv6 Facilitates IP Mobility
      •  Retain the IP address & gateway
      •  Attach to the same anchor point (LMA/PGW/GGSN)
      •  Resolve to the same gateway MAC (or link-layer address in IPv6), RFC 6543
      Benefit: location-based services by tracking the movement of the mobile node (intra- and inter-MAG movements)
    • PMIPv6 Supports both IPv4 & IPv6. The Cisco PMIPv6 implementation is address-family agnostic:
      •  Mobile nodes in a PMIPv6 domain operating in IPv4-only, IPv6-only or dual-stack mode
      •  The transport network between the MAG and LMA can be IPv4-only, IPv6-only or dual-stack (where IPv4 would be preferred)
    • Benefits of iWAG
      Mobile operator:
      •  Reduce network congestion: reduce OpEx and increase network efficiency by offloading 3G/4G traffic
      •  Provide access to the 3G/4G core in spite of a lack of, or weak, cell signal
      •  Provide access to mobile backhaul, which could have better bandwidth and thus provide better service
      Wireline / Wi-Fi service providers:
      •  Provide Wi-Fi security and subscriber control: deliver scalable, manageable and secure wireless connectivity
      •  Deliver a Wi-Fi platform that offers new location-based services and enables new revenue-sharing business models
      Users:
      •  A good QoE for subscribers on Wi-Fi networks
      •  Unified billing across access networks
      •  More options with a Wi-Fi platform that enables location-based services
    • Section: SP-WiFi iWAG Deployment Models
    • SP Wi-Fi Deployment #5
      Connectivity: L2 connected network; FSOL: DHCP initiator, unclassified MAC or RADIUS proxy
      IP addressing: IPv4 clients; internal DHCP (DHCP server or relay)
      Authorization: MAC-based transparent auto logon for EPC/MPC integration [PMIP / GTPv1]; web-based logon for local breakout [LBO]
      Services: seamless mobile packet core integration for policy & billing; local breakout [LBO] mobile offload Wi-Fi services
    • Wi-Fi Aggregation with Mobile Packet Core (MPC)
    • SP Wi-Fi Deployment #6
      Connectivity: L2 connected network; FSOL: DHCP initiator, unclassified MAC or RADIUS proxy
      IP addressing: IPv4 clients; internal DHCP (DHCP server or relay)
      Authorization: MAC-based transparent auto logon for EPC/MPC integration [PMIP / GTPv1]; web-based logon for local breakout [LBO]
      Services: local breakout [LBO] mobile offload Wi-Fi services; wholesale service to 4G (mobile offload) selected on either the NAI (e.g. "mn0@serviceprovider.com") carried as the DHCP client identifier (option 61) or the MAC address carried as Calling-Station-Id (RADIUS attribute 31)
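    An added example (not Cisco or slide code) of how a WAG could derive the wholesale selection key deployment #6 describes: decode the DHCP client identifier (option 61) into either an NAI or a MAC, route on the NAI realm or on the MAC as reported in Calling-Station-Id, and refuse to route when the two MAC views disagree. The realm-to-MNO and MAC-to-MNO tables, the option-61 byte strings, the second realm and the mismatch rule are constructed assumptions.

```python
"""Added example (not Cisco or slide code): deriving the MNO selection key of
deployment #6 from the DHCP client identifier (option 61) or from the MAC
reported as Calling-Station-Id (RADIUS attribute 31). The routing tables, the
option-61 byte strings and the second realm are constructed."""
import re
from typing import Optional, Tuple

# Constructed routing tables: the NAI realm from the slide plus an assumed second realm.
REALM_TO_MNO = {"serviceprovider.com": "MNO-1", "example.net": "MNO-2"}
# What a AAA server might hold for Calling-Station-Id (TAL) based selection.
MAC_TO_MNO = {"00:de:34:f1:c0:28": "MNO-1"}

NAI_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@([A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+)$")


def parse_client_id(opt61: bytes) -> Tuple[str, str]:
    """Decode a DHCPv4 option 61 value: one type byte followed by the identifier
    (RFC 2132). Type 1 is an Ethernet address; type 0 is a non-hardware
    identifier, which this deployment uses to carry an NAI."""
    if len(opt61) < 2:
        raise ValueError("option 61 value too short")
    htype, ident = opt61[0], opt61[1:]
    if htype == 1:
        if len(ident) != 6:
            raise ValueError("type-1 client identifier must be a 6-byte MAC")
        return "mac", ":".join("%02x" % b for b in ident)
    if htype == 0:
        try:
            text = ident.decode("ascii")
        except UnicodeDecodeError as exc:
            raise ValueError("non-ASCII client identifier") from exc
        if not text.isprintable():
            raise ValueError("non-printable client identifier")
        return "nai", text
    raise ValueError("unsupported client identifier type %d" % htype)


def select_mno(kind: str, value: str, calling_station_id: Optional[str] = None) -> Optional[str]:
    """Pick the MNO for session steering. Both keys are client-chosen (option 61
    is whatever the device sends, the MAC is whatever the frame carries), so the
    result only routes the session to an MNO whose AAA still authenticates it;
    it is not itself an authorization decision."""
    if kind == "nai":
        m = NAI_RE.match(value)
        if m is None:
            return None                      # not an NAI: no realm to route on
        return REALM_TO_MNO.get(m.group(1).lower())
    if kind == "mac":
        # Assumed sanity check: the MAC inside option 61 must equal the frame
        # source MAC the WAG reports as Calling-Station-Id; otherwise unroutable.
        if calling_station_id is not None and calling_station_id.lower() != value:
            return None
        return MAC_TO_MNO.get(value)
    return None


def steer(opt61: bytes, calling_station_id: Optional[str] = None) -> Optional[str]:
    """Option 61 bytes in, MNO name (or None when nothing matches) out."""
    kind, value = parse_client_id(opt61)
    return select_mno(kind, value, calling_station_id)
```

    Selecting on option 61 or on the source MAC only decides where the session is steered; the slide's HLR- or EAP-based authentication at the chosen MNO is still what decides whether the subscriber is admitted.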
    • Wi-Fi Aggregation with Multiple Mobile Network Operators (MNO)
    • Section: WAG Configs
    • Structured ISG Configuration Model (global, on-box and out-of-box configuration around the interface and the control policy; some global configuration is also required):
      I.   Configure northbound interfaces: AAA; portal/policy server (CoA)
      II.  Configure services and user profiles: session services, traffic class services, user profiles
      III. Configure subscriber access: configure the session type and initiator; create and apply the control policy
      IV.  Configure subscriber authentication
      V.   Dynamic management of subscriber services
    • Control Policy Structure
      •  Configuring ISG mostly implies configuring the control policy
      •  The control policy determines the operations to be executed on a session upon different events
      Events: session-start, account-logon, service-start, ...
      Actions: apply/unapply a service, authenticate (web logon), authorize (TAL), ...
      A control policy is a list of events, each with ordered actions (event 1: action 1, action 2; event 2: ...).
    • Structure of a Policy Map
      A condition qualifies in what cases the event is valid and is configured as a control class (class-map type control <name>); "always" means the event is always valid.
        policy-map type control <map name>
         class type control always event session-start
          10 service-policy type service name <service name>     ! action 1: apply a service
          20 authorize aaa password lab identifier mac           ! action 2: TAL
         class type control <condition> event service-start
    • Example: Configure Services and User Profiles. Traffic Class Services: L4 Redirect
      •  Subscriber traffic matching a flow description is redirected to a destination and an L4 port defined on the ISG
      •  Any TCP and UDP traffic can be redirected
      •  The target server is responsible for handling the redirected traffic
      Packet walk: HTTP from IP SA 192.168.11.1 to IP DA 74.125.19.99 (www.google.com), TCP <SSAP>:80, leaves the ISG as IP DA 192.168.110.10 (web portal), TCP <SSAP>:<redirect port>.
      CLI:
        class-map type traffic match-any L4R_CM
         match access-group input L4R_ACL_IN        ! match traffic eligible for redirection
        !
        policy-map type service L4R_SERV
         10 class type traffic L4R_CM
          redirect to group REDIR_GRP
      AAA service profile:
        Service-Name = "L4R_SERV"
        Service-Password = "servicecisco"
        AVPair: ip:traffic-class=input access-group name L4R_ACL_IN priority 10
        AVPair: ip:l4redirect=redirect to group REDIR_GRP
      Additional configuration required on the ISG (the redirect group: redirect address and redirect destination port):
        redirect server-group REDIR_GRP
         server ip 192.168.110.10 port 8091
        !
        ip access-list extended L4R_ACL_IN
         permit tcp any any eq www
    • Example: Configure Services and User Profiles. Traffic Class Services: Open Garden
      •  Used to permit specific traffic over an unauthenticated session while dropping everything else
      •  Typically used to allow bidirectional communication with the subscriber management network (DHCP server, DNS server, AAA server, policy server, web portal, ...)
      •  Also used to grant access to guest access networks
      CLI:
        class-map type traffic match-any OG_CM
         match access-group input OG_ACL_IN
         match access-group output OG_ACL_OUT
        !
        policy-map type service OPENGARDEN_SERV
         20 class type traffic OG_CM
         !
         class type traffic default in-out
          drop
      AAA service profile:
        Service-Name = "OPENGARDEN_SERV"
        Service-Password = "servicecisco"
        AVPair: ip:traffic-class=input access-group name OG_ACL_IN priority 20
        AVPair: ip:traffic-class=output access-group name OG_ACL_OUT priority 20
        AVPair: ip:traffic-class=in default drop
        AVPair: ip:traffic-class=out default drop
      ACLs (allow bidirectional communication with the 192.168.110.0 subscriber management network):
        ip access-list extended OG_ACL_IN
         permit ip any 192.168.110.0 0.0.0.255
        !
        ip access-list extended OG_ACL_OUT
         permit ip 192.168.110.0 0.0.0.255 any
      A more specific ACL targeting the exact servers can and should be configured: as written, every host and port in the management /24 is reachable from a session that has not yet logged on.
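    An added example (not Cisco or slide code) that models what the L4R and Open Garden traffic classes do to an unauthenticated session, so the reach of the open-garden ACL can be checked before it goes on a box. The addresses, ports and the broad ACL are the slides' own; the packets, the DNS server address and the portal HTTPS port in the tightened ACL are constructed assumptions.

```python
"""Added example (not Cisco or slide code): the two traffic-class services an
unauthenticated ISG session carries, L4 redirect and open garden, plus the
in/out default drop, evaluated over constructed packets. The management
subnet, portal address and redirect port mirror the slides; the tightened
ACL's DNS address and HTTPS port are assumptions."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port; 0 when the protocol has none


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit <proto> <src> <dst> [eq <dport>]."""
    proto: str                  # "ip" matches any protocol
    src: str                    # CIDR; ANY stands for the keyword 'any'
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == p.dport


ANY = "0.0.0.0/0"
MGMT_SUBNET = "192.168.110.0/24"   # subscriber management network (slide)
PORTAL = "192.168.110.10"          # web portal (slide)
REDIR_PORT = 8091                  # redirect server-group port (slide)

# L4R_ACL_IN from the slide: every TCP/80 flow is eligible for redirection.
L4R_ACL_IN = [Ace("tcp", ANY, ANY, 80)]

# OG_ACL_IN as on the slide: the whole management /24 is reachable before logon.
OG_ACL_BROAD = [Ace("ip", ANY, MGMT_SUBNET)]

# The slide's own recommendation written out: only the servers an unauthenticated
# client needs. DNS server address and portal HTTPS port are assumptions.
OG_ACL_TIGHT = [
    Ace("udp", ANY, "192.168.110.5/32", 53),
    Ace("tcp", ANY, PORTAL + "/32", REDIR_PORT),
    Ace("tcp", ANY, PORTAL + "/32", 443),
]


def unauth_session_action(p: Packet, og_acl: List[Ace]) -> Tuple[str, Optional[Packet]]:
    """Decide what an unauthenticated session does with an input packet.

    Evaluation order follows the service priorities on the slides: the L4R
    traffic class (priority 10) before the open-garden class (priority 20),
    then 'class type traffic default in-out drop'.
    Returns (action, packet as forwarded or None when dropped)."""
    if any(a.matches(p) for a in L4R_ACL_IN):
        # Layer-4 redirect: destination rewritten to the portal listener.
        return "redirect", replace(p, dst=PORTAL, dport=REDIR_PORT)
    if any(a.matches(p) for a in og_acl):
        return "permit", p
    return "drop", None


def exposed_mgmt_hosts(og_acl: List[Ace], probe_hosts: List[str]) -> List[str]:
    """Management hosts an unauthenticated client could reach on RADIUS/1812
    (constructed probe used to compare the broad and tightened open garden)."""
    return [h for h in probe_hosts
            if unauth_session_action(Packet("192.168.11.1", h, "udp", 1812), og_acl)[0] == "permit"]
```

    With the broad ACL the probe shows the AAA and policy servers answering to a client that has not logged on; with the tightened list only DNS and the portal remain reachable, which is what the login flow needs.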
    • Section: WAG Call-Flows
    • Call flow (part 1), client to BNG with portal, AAA and DHCP:
      1. The client obtains an IP address independent of the BNG (DHCP)
      2. First IP packet: session-start event posted; BNG session created
      3. PBHK service applied (*)
      4a. Access-Request, username = MAC (transparent auto logon)
      4b. Access-Reject
      5. OpenGarden and L4R services applied (*)
      6. Authentication timer started
      (*) assumes that the definitions of PBHK, L4R and OpenGarden are already available on the BNG
      Configuration:
        interface GigabitEthernet 0/0.1
         encapsulation dot1Q 10
         ip address ...
         service-policy type control IP_SESSION_RULE1
         ip subscriber l2-connected
          initiator unclassified-mac
        !
        policy-map type control IP_SESSION_RULE1
         class type control always event session-start
          10 service-policy type service name PBHK_SRV
          20 authorize aaa list IP_AUTHOR_LIST password cisco123 identifier mac-addr
          30 service-policy type service name OG_SRV
          40 service-policy type service name L4R_SRV
          50 set-timer AUTHEN_TMR 10
         <snip>
    • Call flow (part 2), simplified:
      7. The client requests http://www.cisco.com; L4 redirect to the portal
      8. HTTP redirect; the user self-registers on the portal
      9. The portal sends a CoA Request (Account-Logon: username, password) to the BNG
      10a. Account-Logon event posted
      10b. Access-Request (username, password) to AAA
      10c. Access-Accept (service: BASIC_HSI_SRV)
      11. Service-start event posted for BASIC_HSI_SRV
      12a. Access-Request (BASIC_HSI_SRV, service password) to download the service definition
      12b. Access-Accept (BASIC_HSI_SRV definition)
      13. BASIC_HSI_SRV is applied; L4R and OpenGarden services are unapplied
      14. CoA Ack (Account-Logon) to the portal; the client now reaches http://www.cisco.com
      15. Accounting-Request (Start) and response
      Configuration:
        aaa author subscriber-service default SERVER_GRP1
        subscriber service password servicecisco
        !
        policy-map type control IP_SESSION_RULE1
         class type control always event account-logon
          10 authenticate aaa list IP_AUTHEN_LIST
          20 service-policy type service unapply name L4R_SRV
          30 service-policy type service unapply name OG_SRV
         !
         class type control BASIC_HSI_SRV_CM event service-start
          10 service-policy type service identifier service-name
      AAA service profile:
        Service-Name: "BASIC_HSI_SRV"
        Service-Password: "servicecisco"
        Attr 28: idle-timeout = 600
        AVPair: "subscriber:accounting-list=IP_ACCNT_LIST"
        ServiceInfo: QU;256000;D;768000;
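    An added example (not Cisco or slide code) that replays the control policy IP_SESSION_RULE1 from the two call-flow slides as a state machine: session-start with TAL, the fallback to OpenGarden plus L4 redirect, the portal's Account-Logon CoA, and the authentication timer. The AAA server is a constructed dictionary so the exchange runs offline; service and list names are the slides', while the MAC entries, the user credentials and the disconnect-on-timer-expiry action are assumptions.

```python
"""Added example (not Cisco or slide code): IP_SESSION_RULE1 replayed as a
state machine over a constructed AAA server. Service names are the slides';
TAL entries, credentials and the timer-expiry action are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

AUTHEN_TMR = 10  # seconds, from '50 set-timer AUTHEN_TMR 10'

# Constructed AAA content. TAL_DB is what 'authorize ... identifier mac-addr'
# consults (Access-Accept carrying the service to apply); USER_DB is what
# 'authenticate aaa list IP_AUTHEN_LIST' consults for portal credentials.
TAL_DB: Dict[str, str] = {"00:de:34:f1:c0:29": "BASIC_HSI_SRV"}
USER_DB: Dict[str, Tuple[str, str]] = {"dlinegar": ("s3cret!", "BASIC_HSI_SRV")}


def radius_authorize_mac(mac: str) -> Optional[str]:
    """Access-Request(username=mac): service name on Accept, None on Reject."""
    return TAL_DB.get(mac.lower())


def radius_authenticate(username: str, password: str) -> Optional[str]:
    """Access-Request(username, password): service name on Accept, None on Reject."""
    entry = USER_DB.get(username)
    return entry[1] if entry and entry[0] == password else None


@dataclass
class Session:
    mac: str
    ip: str
    state: str = "new"                    # new | unauthenticated | authenticated
    services: Set[str] = field(default_factory=set)
    username: Optional[str] = None
    timer: Optional[int] = None           # AUTHEN_TMR seconds if armed


class Bng:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def session_start(self, mac: str, ip: str) -> Session:
        """'class type control always event session-start' (steps 2 to 6)."""
        s = Session(mac.lower(), ip)
        self.sessions[s.mac] = s
        s.services.add("PBHK_SRV")                         # 10 service-policy PBHK_SRV
        svc = radius_authorize_mac(s.mac)                  # 20 authorize ... identifier mac-addr
        if svc:                                            # TAL success: device known by MAC
            s.services.add(svc)
            s.username, s.state = s.mac, "authenticated"
            return s
        s.services.update({"OG_SRV", "L4R_SRV"})           # 30/40 after the Access-Reject
        s.timer, s.state = AUTHEN_TMR, "unauthenticated"   # 50 set-timer
        return s

    def account_logon(self, mac: str, username: str, password: str) -> str:
        """CoA Account-Logon from the portal (steps 9 to 14): CoA-ACK or CoA-NAK."""
        s = self.sessions[mac.lower()]
        svc = radius_authenticate(username, password)      # 10 authenticate aaa list
        if svc is None:
            return "CoA-NAK"                               # OG/L4R stay, timer keeps running
        s.services.discard("L4R_SRV")                      # 20 unapply L4R_SRV
        s.services.discard("OG_SRV")                       # 30 unapply OG_SRV
        s.services.add(svc)                                # service-start: apply by service-name
        s.username, s.state, s.timer = username, "authenticated", None
        return "CoA-ACK"

    def timer_expiry(self, mac: str) -> str:
        """AUTHEN_TMR expiry. The ASR1K slide only arms the timer; disconnecting
        a still-unauthenticated session on expiry is assumed here."""
        s = self.sessions.get(mac.lower())
        if s is None or s.state == "authenticated":
            return "kept"
        del self.sessions[s.mac]
        return "disconnected"
```

    A failed logon leaves the session in the open garden with the timer still running, so a client that never authenticates is cleared by the timer rather than holding PBHK and redirect resources indefinitely.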
    • Walk-by Interface Configuration
        interface Ethernet0/0
         service-policy type control default <default-pmap-name>
         service-policy type control <regular-pmap-name>
         ip subscriber [l2-connected | routed]
          initiator [radius-proxy | unclassified-ip | unclassified-mac]
      The default session is created when the default service-policy is defined. Supported initiators: unclassified-mac, unclassified-ip, radius-proxy (for DHCP accounting); the DHCP initiator is on the roadmap.
    • Walk-by
      Step 1: a default interface session is created (default policy) to manage walk-by subscribers
      Step 2: on data traffic from the user towards the gateway (BNG), a lite session is created dynamically for the walk-by subscriber based on the default policy (it inherits the default session)
      Step 3: the user enters credentials in the portal for authorization (account / service logon)
      Step 4: a dedicated user session is created
    • WAG HTTP Redirect on ASR9000 from XR 4.2.1 (for your reference), part 1
        interface Bundle-Ether100.1
         ipv4 point-to-point
         ipv4 unnumbered Loopback2000
         service-policy type control subscriber WEB_LOGON
         encapsulation dot1q 10
         ipsubscriber ipv4 l2-connected
          initiator dhcp
        !
        dhcp ipv4
         profile IP_DEFAULT proxy
          helper-address <DHCP Server> giaddr <giaddr>
          relay information option
          relay information policy keep
          relay information option allow-untrusted
         interface Bundle-Ether100.1 proxy profile IP_DEFAULT
        !
        aaa attribute format USERNAME
         format-string length 253 "%s" client-mac-address
        !
        dynamic-template
         type ipsubscriber UNAUTH_TPL
          ipv4 unnumbered Loopback100
        !
        policy-map type control subscriber WEB_LOGON_PM
         event session-start match-first
          class type control subscriber DHCP do-until-failure
           10 activate dynamic-template UNAUTH_TPL
           20 authorize aaa list format USERNAME password cisco
      (The interface applies WEB_LOGON while the policy-map shown is named WEB_LOGON_PM; the two names must match on a real box.)
      Call flow: session-start on DHCP Discover, BNG session creation; DHCP Discover / Offer / Request / Ack; HTTP session establishment to http://www.cisco.com (TCP SYN, SYN-ACK, ACK); HTTP GET; HTTP 307 with the redirect URL to the portal.
    • WAG HTTP Redirect on ASR9000 from XR 4.2.1 (for your reference), part 2
        dynamic-template
         type ipsubscriber HTTPRDRT_TPL
          service-policy type pbr HTTPRDRT_PBR
        !
        policy-map type pbr HTTPRDRT_PBR
         class type traffic OpG_CM
          transmit
         class type traffic HTTPRDRT_CM
          http-redirect http://192.168.210.168/
         class type traffic class-default
          drop
         end-policy-map
        !
        policy-map type control subscriber WEB_LOGON
         event authorization-failure match-first
          class type control subscriber DHCP do-until-failure
           10 activate dynamic-template HTTPRDRT_TPL
           20 set-timer UNAUTH_TMR 7
         event account-logon match-all
          class type control subscriber DHCP do-all
           1 authenticate aaa list default
           10 deactivate dynamic-template HTTPRDRT_TPL
         event timed-policy-expiry match-first
          class type control subscriber DHCP do-until-failure
           10 disconnect
      Simplified call flow: HTTP redirect, the user self-registers; the portal sends a CoA Request (Account-Logon: username, password); Account-Logon event posted; Access-Request (username, password) to AAA; Access-Accept; the HTTPRDRT service is unapplied; CoA Ack (Account-Logon); the client reaches http://www.cisco.com; Accounting-Request (Start) and response.
    • SP WiFi-4G Integration Architecture: L2-connected APs/WLCs attach to the iWAG (ASR1K); EAP-SIM/AKA authentication is out-of-band (WLC to AAA); FSOL is the DHCP Discover; the 4G core (PGW/LMA) is reached over S2a PMIP; access network policy from AAA, mobile home network policy from PCRF (Gx), OCS (Gy), CGF (Ga) and HLR.
      Model # | Access type | Authentication               | FSOL          | Service IP
      1       | Layer 2     | EAP-SIM/AKA (out-of-band)    | DHCP Discover | PGW/LMA
    • 4G Mobile User: EAP-SIM (out-of-band), FSOL DHCP, tunnel PMIPv6 (call flow 1/2)
      1. Device and AP+WLC: 802.1X; EAP Request/Identity; EAP Response/Identity
      2. WLC to AAA (CAR+ITP): RADIUS Access-Request (username = EAP ID, Calling-Station-Id = MAC, Called-Station-Id = AP:SSID)
      3. AAA runs the EAP-SIM method and recovers the IMSI from the pseudonym or fast re-authentication ID
      4. AAA to HLR via ITP: MAP SEND AUTH INFO Req / Res (IMSI authenticated, but MSISDN still unknown)
      5. AAA recovers the subscription profile from the subscriber DB by IMSI; authorized IMSIs are configured on the subscriber database with a Wi-Fi subscriber profile (realm, Wi-Fi APN, charging characteristics, IPv4/IPv6 service)
      6. AAA to HLR via ITP: MAP SRI for LCS Req (IMSI) / Res (MSISDN); the MSISDN is stored
      7. AAA caches MAC, IMSI, MSISDN and subscriber profile
      8. RADIUS Access-Accept to the WLC; EAP Success to the device; VLAN assigned
    • 4G Mobile User: EAP-SIM (out-of-band), FSOL DHCP, tunnel PMIPv6 (call flow 2/2)
      1. Device to iWAG: DHCP Discover (source MAC address)
      2. iWAG to AAA (CAR+ITP): RADIUS Access-Request (Calling-Station-Id = source MAC address)
      3. AAA to iWAG: RADIUS Access-Accept with the user profile VSAs: CISCO-SERVICE-SELECTION (APN), CISCO-MOBILE-NODE-IDENTIFIER (IMSI@realm), LMA, CISCO-MSISDN, 3GPP-CHARGING-CHARS, CISCO-MN-SERVICE (IPv4)
      4. iWAG (DHCP/MAG) to P-GW/LMA: PMIPv6 PBU with MN-ID (imsi@realm), SSMO (APN), MSISDN, charging characteristics, ATT = Wi-Fi, IPv4 HoA = 0.0.0.0
      5. P-GW to PCRF: Gx CCR-I (IMSI, MSISDN, APN, RAT Type = WiFi, Subscriber ID type = E.164); PCRF recovers the subscriber profile from SPR/Sub DB and returns the policy profile to apply in Gx CCA-I
      6. P-GW opens a PGW-CDR with a container for the Wi-Fi service, subscriber ID = MSISDN; Rf: Diameter ACR / ACA
      7. P-GW/LMA to iWAG: PBA with IPv4 Home Address (HoA) and PCO: primary DNS
      8. iWAG to device: DHCP Offer (a.b.c.d); DHCP Request / Ack (primary DNS recovered from the PBA)
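    An added example (not Cisco or slide code) of a Local Mobility Anchor binding cache, covering the PMIPv6 definitions above and the PBU/PBA step of this call flow: the IPv4 Home Address is bound to the MN-ID, so a PBU from a second MAG after a handover updates the proxy care-of address and keeps the address, while a stale PBU from the old MAG or one from a MAG outside the trust relationship is refused. The MAG allow-list, address pool, DNS address, MN-ID and timestamps are constructed; PBA status values are those of RFC 5213 (and the Mobile IPv6 base codes it reuses).

```python
"""Added example (not Cisco or slide code): an LMA binding cache showing why
the MN keeps its IPv4 Home Address across MAG changes, and a MAG-side helper
that builds the PBU from the RADIUS user-profile VSAs of the call flow.
Pool, MAG allow-list, DNS address and identifiers are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# PBA status codes (RFC 5213 section 8.9; 0 and 130 come from the MIPv6 base set)
ACCEPTED = 0
INSUFFICIENT_RESOURCES = 130
MAG_NOT_AUTHORIZED_FOR_PROXY_REG = 152
TIMESTAMP_LOWER_THAN_PREV_ACCEPTED = 155

PCO_PRIMARY_DNS = "10.45.255.53"   # assumed DNS address returned in the PBA's PCO


@dataclass
class Binding:
    mn_id: str        # "imsi@realm", the MN-Identifier option
    apn: str          # service selection carried in the PBU
    hoa: str          # IPv4 Home Address allocated by the LMA
    mag: str          # proxy care-of address (identity) of the serving MAG
    lifetime: int
    timestamp: int    # last accepted PBU timestamp: replay / reordering guard


class Lma:
    """LMA/PGW side: owns the HoA pool and the binding cache."""

    def __init__(self, pool: str, authorized_mags: Set[str]) -> None:
        self._free: List[str] = [str(h) for h in ipaddress.ip_network(pool).hosts()]
        self._mags = set(authorized_mags)
        self.cache: Dict[str, Binding] = {}

    def handle_pbu(self, pbu: dict) -> dict:
        """Process one Proxy Binding Update and return the Proxy Binding Ack."""
        mn_id, mag, ts, lifetime = pbu["mn_id"], pbu["mag"], pbu["timestamp"], pbu["lifetime"]
        # Only MAGs in the trust relationship (IPsec-protected in a real domain) may register.
        if mag not in self._mags:
            return {"status": MAG_NOT_AUTHORIZED_FOR_PROXY_REG, "mn_id": mn_id}
        b = self.cache.get(mn_id)
        # A PBU not newer than the accepted one is stale (e.g. a late update from
        # the MAG the node just left) and must not move or drop the binding.
        if b is not None and ts <= b.timestamp:
            return {"status": TIMESTAMP_LOWER_THAN_PREV_ACCEPTED, "mn_id": mn_id}
        if lifetime == 0:                            # de-registration
            if b is not None:
                del self.cache[mn_id]
                self._free.append(b.hoa)
            return {"status": ACCEPTED, "mn_id": mn_id, "hoa": "0.0.0.0", "lifetime": 0}
        if b is None:                                # initial attach: allocate a HoA
            if not self._free:
                return {"status": INSUFFICIENT_RESOURCES, "mn_id": mn_id}
            b = Binding(mn_id, pbu["apn"], self._free.pop(0), mag, lifetime, ts)
            self.cache[mn_id] = b
        else:                                        # handover or refresh: same HoA, new MAG
            b.mag, b.lifetime, b.timestamp = mag, lifetime, ts
        return {"status": ACCEPTED, "mn_id": mn_id, "hoa": b.hoa,
                "lifetime": lifetime, "pco_primary_dns": PCO_PRIMARY_DNS}


def pbu_from_user_profile(profile: dict, mag: str, timestamp: int, lifetime: int = 3600) -> dict:
    """MAG (iWAG) side: build the PBU from the RADIUS user-profile VSAs listed in
    the call flow. HoA 0.0.0.0 asks the LMA to allocate an address."""
    return {
        "mn_id": profile["CISCO-MOBILE-NODE-IDENTIFIER"],
        "apn": profile["CISCO-SERVICE-SELECTION"],
        "lma": profile["LMA"],
        "msisdn": profile["CISCO-MSISDN"],
        "att": "Wi-Fi",
        "hoa": "0.0.0.0",
        "mag": mag,
        "timestamp": timestamp,
        "lifetime": lifetime,
    }
```

    The two refusals are the checks a practitioner wants on the LMA: without the MAG allow-list any host that can reach the LMA could register a binding for an arbitrary MN-ID and hijack its traffic, and without the timestamp ordering a delayed PBU from the previous MAG would swing the tunnel back after a handover.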
    • Recommended reading for BRKSPG-2687: visit the Cisco Book Store in the World of Solutions and browse the range of Cisco Press titles.
    • Wireless Systems: Range Comparison. For a given range of power there are several wireless communication systems possible; from longest to shortest range: satellite links, SW radio, MW radio, FM radio, mobile telephony, WLANs, Bluetooth (range axis 1,000 km, 100 km, 10 km, 1 km, 100 m, 10 m, 1 m). Source: Introduction to IEEE Std. 802.22-2011 and its Amendment PAR for P802.22b: Broadband Extension and Monitoring, Apurva N. Mody & team; Wireless Communication, Dr. B. Baha, University of Brighton, UK.
    • SP Wireless Communication Standards (bit rates in Mbit/s, values approximated for overview)
      Standard                        | Peak downlink | Peak uplink | Range
      CDMA                            | 4.9           | 1.8         | ~29 km (18 mi)
      GSM EDGE Evolution              | 1.9           | 0.9472      | ~26 km (16 mi)
      LTE                             | 326.4         | 86.4        | not given
      WiMAX: 802.16e                  | 70            | 70          | ~6.4 km (4 mi)
      WiFi: 802.11a                   | 54            | 54          | ~30 m
      WiFi: 802.11b                   | 11            | 11          | ~30 m
      WiFi: 802.11g                   | 54            | 54          | ~30 m
      WiFi: 802.11n                   | 600           | 600         | ~50 m
      802.11ac and 802.11ad (WiGig)   | >1000         | >1000       | not given