Backhaul Network Design for TPS & VPN Service

Click the link to download a PDF file http://www.netmanias.com/en/?m=view&id=techdocs&no=5916&vm=ppt

You can also find and download more materials from http://www.netmanias.com

Presentation Transcript

  • About NMC Consulting Group: NMC Consulting Group is an advanced and professional network consulting company, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN) and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi) since 2002. Copyright © 2002-2013 NMC Consulting Group. All rights reserved. www.nmcgroups.com
    Netmanias Technical Document: Backhaul Network Design for TPS & VPN Service
    January 9, 2009, NMC Consulting Group (tech@netmanias.com), www.netmanias.com, www.nmcgroups.com
  • Table of Contents
    1. Network Requirements
    2. Network Architecture: Topology Design
       2.1 Aggregation Network for Towers
       2.2 Aggregation Network for Villas
    3. Logical Architecture for Residential Services and Business Services
       3.1 Backhaul Connectivity Design for Residential TPS Services
       3.2 Backhaul Connectivity Design for Business VPN Services
    4. Network Availability
    5. Scalability
    6. QoS Design
       6.1 QoS for Residential TPS Service
       6.2 QoS for Business VPN Service
    7. Multicast
    8. Security
       8.1 Security: Data Plane
       8.2 Security: Control Plane & Management Plane
    9. Easy Touch Provisioning
    10. Element & Network Management System
  • 1. Network Requirements
    - Number of subscribers
    - Access technology: FTTH (AON)
    - Residential TPS service
      - Internet: up to 1 Gbps for each tenant
      - IPTV/VoD: HDTV
      - VoIP
    - Business VPN services: MPLS L3 VPN, MPLS L2 VPN (P2P: VPWS), VPLS
    - Scalability
    - QoS
    - Multicast for IPTV
    - Integration with the existing broadband network (MPLS)
    - Easy touch provisioning
    [Figure: residential and business sites (#1-#39, #1-#16, #33 = 17+16) homed to the BRAS/PE at NOC-1 and NOC-2, which connect to the backbone]
  • 2. Network Architecture
    [Figure: RG (Residential Gateway) - AN (Access Node) - AS (Access Switch) in the tower, 2x10GE to the DS (L2 Distribution Switch) at NOC-1/NOC-2, 8xGE/10GE to the BRAS/PE, 10GE to the P routers of the existing MPLS core; 1GE per tenant]
    - Role of the BRAS: BRAS, MPLS PE, SSG
    - Protocol interworking with the backbone network
      - IGP: OSPF or IS-IS
      - IGP TE: OSPF-TE or IS-IS-TE
      - MPLS: LDP, RSVP-TE, MP-iBGP, VPWS, VPLS
    - Role of AS and DS
      - L2 Ethernet aggregation
      - QinQ (for residential TPS), terminated at the BRAS
      - QinQ (for enterprise VPN), terminated at the BRAS (PE)
      - Subscriber MAC frames are bridged here and are never broadcast into the existing IP/MPLS backbone
    - Traffic path: all traffic (Internet, VoIP, VoD, multicast, enterprise VPN) passes through the BRAS/PE
  • 2.1 Network Architecture: Aggregation Network for Towers
    [Figure: tower (high-rise building) with AN 1..20 per MDF; RG-AN 1 GE (1000Base-TX or 1000Base-FX), AN-AS 4xGE (1000Base-TX), AS-DS 2x10GE, DS-BRAS/PE 8xGE/10GE, BRAS/PE-P router 10GE into the existing MPLS core]
    - One AS is connected to two NOCs (dual homing) for protection
    - RG in home and business
    - AN and AS are distributed at each apartment MDF
    - DS and BRAS in NOC-1 and NOC-2
    - Direct fiber access to individual subscribers (dedicated 1 Gbps bandwidth per user)
    - Co-existence of residential and business subscribers
  • 2.2 Aggregation Network for Villas
    [Figure: villa RGs on 1GE fiber to the AN at NOC-1; AN-AS 4xGE (T), AS-DS 2x10GE to the DS at NOC-1 and NOC-2, DS-BRAS/PE 8xGE/10GE, BRAS/PE-P router 10GE into the existing MPLS core]
    - One AS is connected to two NOCs (dual homing) for protection
    - RG in home
    - AN and AS are centralized at NOC-1
    - Direct fiber access to individual subscribers (dedicated bandwidth per user)
  • 3. Logical Architecture for Residential Services and Business Services
    SAR: Service Access Router (PE router located at the head end)
    [Figure: end-to-end service mapping from the CPE through AN, AS and DS (EAPS ring) to the BRAS/PE, and from there over LSPs to the BR, the SAR, PE2 and PE3]
    - Residential Internet access: C-VID = Internet (5), S-VID = AN; DHCP, static/public subnet; per-service VRF (Internet) at the BRAS/PE; MPLS L3 Internet VPN, LSP to the BR
    - Residential voice: C-VID = Voice (3), S-VID = AN; DHCP, private addressing and routing; per-service VRF (Voice); MPLS L3 Voice VPN, LSP to the SAR
    - Residential video: C-VID = Video (4), S-VID = AN; DHCP, private addressing and routing; per-service VRF (Video); MPLS L3 Video VPN, LSP to the SAR
    - Enterprise Internet access: per-enterprise VLAN (C-VID = Ent. A, S-VID = Ent. A); VRF; MPLS L3 Internet VPN, LSP to a PE (P2P)
    - Enterprise L3 VPN: per-enterprise VLAN (C-VID = Ent. B, S-VID = Ent. B); VRF; MPLS L3 VPN, LSPs to PE2 and PE3
    - Enterprise L2 VPN (PtP: EoMPLS): per-enterprise VLAN (C-VID = private use, S-VID = Ent. C); MPLS L2 VPN (VPWS), LSP to PE2
    - Enterprise L2 VPN (PtMP: VPLS): per-enterprise VLAN (C-VID = private use, S-VID = Ent. D); VSI; MPLS L2 VPN, LSPs to PE2 and PE3
  • Supported Standards (MPLS PE)
    - RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
    - RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006
    - RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, January 2007
    - RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, January 2007
    - RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), September 2006
  • 3.1 Residential TPS Service
    [Figure: Tower A / Tower B residential subscribers A-F. RG to AN carries 802.1Q per-service VLANs (Voice, Video, Data); the AN adds the per-AN 802.1ad S-VID (QinQ: S-VID = AN ID, C-VID = service); AS and DS bridge the N:1 VLANs (private VLAN) to the NOC; the BRAS/PE terminates them into per-service VRFs (Voice VPN, Video VPN, Data VPN) over the IP/MPLS backbone; DHCP Option 82 is inserted at the AN]
    - Layer 2 (Ethernet), RG to DS: per-service VLAN encapsulation (802.1Q) at the RG, per-AN QinQ encapsulation (802.1ad, outer VLAN = AN, inner VLAN = service) at the AN, N:1 VLAN bridging at AS and DS
    - Layer 3 (IP/MPLS), at the BRAS/PE: MPLS L3VPN with a per-service VRF
  • Residential TPS Service
    - Service separation: in the backhaul by per-service VLAN (N:1 VLAN); inside the BRAS by VRF (each VRF has its own interfaces and routing table)
    - User isolation: split-horizon forwarding (private VLAN) on the AN prohibits hairpinning, so subscribers on the same AN cannot reach each other at layer 2
    - L2 scalability
      - The broadcast domain is reduced by per-AN QinQ
      - MAC learning at the DS: the DS supports 224K MAC addresses, far more than 15K subscribers x 4 services = 60K
      - Every RG has the same configuration; only the QinQ (S-VID) value differs per AN
    - IP address management: public IP addresses for Internet access, private IP addresses for the walled-garden services (VoD, IPTV, VoIP)
    - DHCP Option 82 inserted at the AN (per-service VLAN ID, port ID, AN ID) provides subscriber identification, subscriber location and per-service IP address allocation
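The Option 82 mechanism above, as an added example (not code from the document or from NMC Consulting): the BRAS/DHCP-server side parses the Relay Agent Information option the AN inserted, recovers AN ID, port and C-VID, maps the C-VID to a service using the values on the logical architecture slide (Internet 5, Voice 3, Video 4) and picks the per-service pool. The sub-option encoding (Circuit-ID as the TR-101 style text "AN-ID eth slot/port:C-VID", Remote-ID as the subscriber MAC) and the pool addresses are assumptions, not given on the slide. A message that arrives without Option 82 did not come through a trusted AN and is refused.

```python
"""Subscriber identification from DHCP Option 82 (added example; encoding and pools assumed)."""
import re

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 Relay Agent Information
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2
OPT_PAD, OPT_END = 0, 255

# C-VID -> service, from the document's logical architecture slide.
SERVICE_BY_CVID = {5: "internet", 3: "voice", 4: "video"}

# Assumed per-service pools: public space for Internet, private space for the walled garden.
POOL_BY_SERVICE = {
    "internet": "203.0.113.0/24",
    "voice": "10.3.0.0/16",
    "video": "10.4.0.0/16",
}

# Assumed Circuit-ID text layout: "<AN-ID> eth <slot>/<port>:<C-VID>".
CIRCUIT_RE = re.compile(r"^(?P<an>[A-Za-z0-9_-]+) eth (?P<slot>\d+)/(?P<port>\d+):(?P<cvid>\d+)$")


def parse_tlvs(payload: bytes, *, outer: bool) -> dict:
    """Walk a DHCP option list (outer=True honours pad/end) or an Option 82 sub-option list."""
    opts = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if outer and code == OPT_PAD:
            i += 1
            continue
        if outer and code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def identify_subscriber(dhcp_options: bytes) -> dict:
    """Return AN, port, C-VID, service and address pool for a relayed DHCP message."""
    opts = parse_tlvs(dhcp_options, outer=True)
    if OPT_RELAY_AGENT not in opts:
        # No Option 82 means the message did not pass through a trusted AN: refuse to serve it.
        raise ValueError("no Option 82: message did not come via a trusted access node")
    subs = parse_tlvs(opts[OPT_RELAY_AGENT], outer=False)
    circuit = subs.get(SUB_CIRCUIT_ID, b"").decode("ascii", "replace")
    m = CIRCUIT_RE.match(circuit)
    if not m:
        raise ValueError("unrecognised circuit-id %r" % circuit)
    cvid = int(m.group("cvid"))
    service = SERVICE_BY_CVID.get(cvid)
    if service is None:
        raise ValueError("C-VID %d is not a provisioned service VLAN" % cvid)
    remote = subs.get(SUB_REMOTE_ID, b"")
    return {
        "an_id": m.group("an"),
        "port": "%s/%s" % (m.group("slot"), m.group("port")),
        "cvid": cvid,
        "service": service,
        "pool": POOL_BY_SERVICE[service],
        "remote_id": remote.hex(":") if remote else None,
    }


def build_sample(circuit_id: str, remote_mac: bytes, with_option82: bool = True) -> bytes:
    """Constructed sample options: a DHCPDISCOVER (type 1) with Option 82 as an AN would append it."""
    out = bytes([OPT_MSG_TYPE, 1, 1])
    if with_option82:
        cid = circuit_id.encode("ascii")
        sub = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
        sub += bytes([SUB_REMOTE_ID, len(remote_mac)]) + remote_mac
        out += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return out + bytes([OPT_END])


if __name__ == "__main__":
    print(identify_subscriber(build_sample("AN-T07-12 eth 1/20:3", bytes.fromhex("001122334455"))))
```

The per-service VLAN ID is what selects the pool, so a subscriber who retags a request into another service's C-VID from the RG still only gets an address from that service's walled-garden pool, and a request with no Option 82 (one that bypassed the AN) is refused outright.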
  • 3.2 Business VPN Service
    [Figure: Tower A / Tower B enterprises A-F. RG/CE to AN carries 802.1Q (per-enterprise VLAN, or private use by the enterprise); the AN adds the 802.1ad S-VID (S-VID = per-enterprise VLAN, C-VID = per-enterprise VLAN extension or private use by the enterprise); AS and DS bridge the 1:1 VLANs to the NOC; the BRAS/PE maps each enterprise VLAN to its own MPLS VPN: Ent-A L3 VPN (VRF), Ent-B L3 VPN (VRF), Ent-C L2 VPN (VPWS, VSI), Ent-D L2 VPN (VPWS, VSI), Ent-E L2 VPN (VPLS, VSI)]
    - Layer 2 (Ethernet), RG/CE to DS: per-enterprise VLAN encapsulation at the RG/CE, per-enterprise QinQ encapsulation (outer VLAN = enterprise ID, inner VLAN = enterprise or private use) at the AN, 1:1 VLAN bridging at AS and DS
    - Layer 2/3, at the BRAS/PE: per-enterprise MPLS L2/L3 VPN
    - Customer separation by per-enterprise VLAN (1:1 VLAN)
    - A provisioning tool is needed to create the per-enterprise VLANs
    - IP address management: private IP for the VPN service
  • MPLS L3 VPN
    [Figure: Site-1/Site-2 of VPN-A and VPN-B; CE - per-enterprise VLAN (1:1 VLAN, 802.1Q/802.1ad) over the Metro Ethernet backhaul - PE - LSP tunnel over the IP/MPLS backbone - PE - per-enterprise VLAN - CE]
    - Point-to-point or point-to-multipoint L3 VPN (vc-lsp)
    - IGP: IS-IS or OSPF
    - Tunnel signaling: LDP or RSVP-TE
    - VPN route and label distribution: MP-iBGP
    - VPN routing (PE-CE): BGP, OSPF, IS-IS, RIP, static
    - RFC 2547bis BGP/MPLS VPN (published as RFC 4364, BGP/MPLS IP Virtual Private Networks)
  • MPLS L2 VPN: VLL/VPWS/EoMPLS Service
    [Figure: same sites and backhaul as the L3 VPN case; between the PEs a pseudowire (vc-lsp) runs inside the LSP tunnel]
    - Point-to-point transparent LAN service
    - IGP: IS-IS or OSPF
    - Tunnel signaling: LDP or RSVP-TE
    - PW signaling: Martini signaling (RFC 4447)
    - RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
    - RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006
  • MPLS L2 VPN: VPLS Service
    [Figure: same sites and backhaul; the PEs of a VPLS instance are joined by a full mesh of pseudowires inside the LSP tunnels]
    - Point-to-multipoint transparent LAN service (VPLS, full-meshed PWs)
    - IGP: IS-IS or OSPF
    - Tunnel signaling: LDP or RSVP-TE
    - PW signaling: Martini signaling (LDP, RFC 4762) or BGP (RFC 4761)
    - RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, January 2007
    - RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, January 2007
    - RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), September 2006
  • 4. Network Availability (EAPS): < 50 ms
    [Figure: the Tower A AS, dual-homed to the DS at NOC-1 and NOC-2, forms an EAPS ring; the secondary port is logically blocked for protected VLAN data traffic; ring health-check messages are sent periodically; on a link failure the blocked port opens and data traffic takes the other path to the BRAS/PE]
    - The AS-DS link failure is the main failure to protect against; EAPS (Ethernet Automatic Protection Switching) restores it in under 50 ms
    - Ring-based network resiliency protocol between the AS and the DS/PE, operating at layer 2
    - Provides SONET/SDH-like fast convergence from network failures
    - Proven sub-50 ms failover times for voice-class connections
    - Designed for carriers/ISPs, and equally useful for convergence in the enterprise
    - IETF RFC 3619: Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1.0 (an Informational RFC describing a vendor protocol, not an IETF standard)
  • Resiliency Mechanism for Unicast
    [Figure: six scenarios of RG - AN - AS - DS - PE - IP/MPLS backbone, showing the EAPS blocked port (B), the VRRP master and the unicast upstream/downstream paths]
    - Normal: EAPS blocks the secondary AS port; one DS/PE pair holds the VRRP master role
    - AS-DS link fail: recovery by EAPS (50 ms)
    - DS fail: recovery by EAPS, VRRP & IGP (the other side becomes active and VRRP master)
    - DS-PE link fail: recovery by VRRP & IGP
    - PE fail: recovery by VRRP & IGP
    - DS-PE link fail, VRRP interface tracking enabled: recovery by VRRP & IGP (the standby becomes VRRP master); VRRP interface tracking disabled: recovery by IGP only
  • Resiliency Mechanism for Multicast
    [Figure: the same scenarios with PIM Hello and the PIM DR (designated router) in place of VRRP]
    - Normal: EAPS blocks the secondary AS port; one PE is the PIM DR
    - AS-DS link fail: recovery by EAPS (50 ms)
    - DS fail: recovery by EAPS & IGP (the other PE becomes DR)
    - DS-PE link fail: recovery by IGP
    - PE fail: recovery by IGP
  • 5. Scalability
    Scalability factors for enterprise services ("-" = not stated on the slide):
                                                 AS (BD 8806)   DS (BD 10808)   BRAS/PE (E320)
    Max. MAC addresses                           16K            224K            96K
    Max. IP routes                               -              -               1M
    Max. 802.1Q (VLAN) circuits per port         4K             4K              4K (16K per chassis)
    Max. 802.1ad (QinQ) circuits per port        -              -               16K (96K per chassis)
    Max. logical interfaces                      -              -               96K
    Max. MPLS LSPs (LDP/RSVP-TE)                 -              -               10K
    Scalability factors of MPLS L3VPN for enterprise, BRAS/PE (E320):
    Max. VRF instances                           1K
    Max. IP routes per VRF                       500K
    Scalability factors of MPLS L2VPN for enterprise, BRAS/PE (E320):
    Max. VPWS instances                          8K
    Max. VPLS instances                          1K
    Max. MAC addresses per VSI                   64K in total
    - Maximum number of MPLS L3 VPNs = 1K (per PE router)
    - Maximum number of point-to-point MPLS L2 VPNs (VPWS) = 8K (per PE router)
    - Maximum number of point-to-multipoint MPLS L2 VPNs (VPLS) = 1K (per PE router)
  • L2 Scalability
    - Residential TPS service
      - The broadcast domain is reduced by the per-AN VLAN (QinQ)
      - MAC learning at the DS: 224K MAC addresses supported by the DS (Extreme BD10K), far more than 15K subscribers x 4 services = 60K
    - Enterprise VPN service
      - Each per-enterprise VLAN must be provisioned end to end through the Ethernet backhaul network (potential scaling issue)
      - 802.1Q provides 4K distinct VLANs; 802.1ad (S-VID x C-VID) provides 16M distinct VLAN combinations
  • 6.1 QoS for Residential TPS Service
    Class marking per segment:
                 RG~AN      AN~AS      AS~DS      DS~BRAS/PE   BRAS/PE~P
                 (802.1p)   (802.1p)   (802.1p)   (802.1p)     (MPLS QoS E-LSP / IP DiffServ)
    Voice        COS 5      COS 5      COS 5      COS 5        EXP 5
    IPTV         COS 3      COS 3      COS 3      COS 3        DSCP AF3
    VoD          COS 2      COS 2      COS 2      COS 2        EXP 2
    Internet     COS 0      COS 0      COS 0      COS 0        EXP 0
    - 4 service classes
    - Internet bandwidth control in both directions per residential subscriber: upstream shaping at the RG, downstream shaping at the BRAS
    - Voice, IPTV and VoD traffic always have higher priority than Internet traffic (strict-priority queuing, SPQ: high queue for voice/IPTV/VoD, low queue for Internet)
    [Figure: BRAS egress toward users A, B and C: voice to all users, IPTV (multicast) and VoD to all users in the high SPQ; per-residential shaping of Internet to User-A/B/C in the low queue]
  • 6.2 QoS for Business VPN Service
    Class marking per segment (the DS~BRAS/PE segment also carries 802.1p in the figure):
                      RG~AN      AN~AS      AS~DS      PE~P
                      (802.1p)   (802.1p)   (802.1p)   (MPLS QoS E-LSP)
    Voice             COS 5      COS 5      COS 5      EXP 5
    VoD               COS 2      COS 2      COS 2      EXP 2
    Mission critical  COS 1      COS 1      COS 1      EXP 1
    Internet          COS 0      COS 0      COS 0      EXP 0
    - 4 service classes
    - Bandwidth control in both directions per enterprise subscriber by the PE (per-enterprise upstream and downstream shaping)
    - The PE supports a hierarchical shaper
    [Figure: per-enterprise hierarchical shaping (PIR/CIR) at the PE for S-VLAN 1001, S-VLAN 1400 and S-VLAN 1500, each with RT voice, RT video, mission critical and best effort classes]
  • 7. Multicast
    - All IPTV channels (multicast streams) always reach the core-facing port of the DS, via an IGMP static join on the BRAS/PE, so that a channel change is served from the DS rather than from the core (fast channel zapping)
    [Figure: BRAS/PE (PIM DR) at NOC-1/NOC-2 with the IGMP static join pulling all IPTV channels to the DS; IGMP snooping on the DS, AS and AN (IGMP proxy) forwards only IPTV CH1 toward the RG in Tower A that sent the IGMP Report (CH1); Towers B and C receive nothing]
  • 8.1 Security: Attacks and Defensive Features/Actions
    Attack: defensive features/actions (network element, NE)
    - MAC attacks: limit the number of MAC addresses per port; allow only static MAC addresses (AN, AS)
    - VLAN hopping: disable auto trunking on user-facing ports; do not use VLAN 1 for anything (AN, AS, DS)
    - Private (rogue) DHCP server: filter DHCP server messages on user-facing ports using wire-speed ACLs; private VLAN (AN, AS, DS)
    - Source MAC address spoofing: limit the number of MAC addresses per port; allow only static MAC addresses (AN, AS)
    - Abnormal source MAC attacks (all 0's, all F's, ...): filter abnormal source MAC addresses using wire-speed ACLs (AN, AS, DS)
    - ARP attacks: storm control and rate-limiting of the ARP protocol type on AN, AS, DS; CPU rate-limit and IP Source Guard on the BRAS/PE (AN, AS, DS, BRAS/PE)
    - Storm attacks: storm control for broadcast and unknown-unicast packets (AN, AS, DS)
    - System attacks: CPU rate-limit and filtering; prioritize control traffic (telnet and SNMP high) (AN, AS, DS, BRAS/PE)
    - DHCP attacks: limit the number of MAC addresses per port; check the integrity of DHCP messages (AN, BRAS/PE)
    - Poisoned ARP tables: dynamic ARP inspection using the DHCP snooping binding table (BRAS/PE)
    - DDoS by TCP SYN flooding: rate-limit TCP SYN on AN, AS, DS; IP Source Guard on the BRAS/PE (AN, AS, DS, BRAS/PE)
    - Smurf attacks: disable directed broadcast (BRAS/PE)
    - IGMP attacks: enable an IGMP join filter; limit the number of IGMP Join messages (AN, AS)
    - Multicast stream attacks: filter multicast destination addresses (except IGMP messages) on user-facing ports (AN, AS)
    - PIM attacks: filter PIM neighbors (allow only registered PIM neighbors) (BRAS/PE)
  • 8.1 Security: Attacks and Defensive Features/Actions (continued)
    - Attacks with a spoofed source IP address: IP Source Guard, RPF (reverse path filtering) (BRAS/PE)
    - Route information spoofing / misdirecting traffic (BRAS/PE):
      - MD5 authentication for the IP routing and MPLS signaling protocols
      - GTSM (Generalized TTL Security Mechanism)
      - Route filtering: martian filter, bogon list, RFC 1918 and RFC 3330 special-use addresses
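The DHCP snooping, dynamic ARP inspection and IP Source Guard rows of the table above, worked through as an added example (not code from the document or from NMC Consulting): the switch learns (MAC, IP, VLAN, port) bindings from the DHCP exchange, accepts DHCP server messages only on trusted uplink ports (the "private DHCP server" defence), and then drops any ARP or IP frame from a subscriber port whose source MAC/IP pair is not the one leased on that port (the "poisoned ARP tables" and "spoofed source IP address" defences). Port names, MAC addresses and IP addresses are constructed.

```python
"""DHCP snooping binding table with DAI and IP Source Guard checks (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingGuard:
    def __init__(self, trusted_ports) -> None:
        self.trusted = frozenset(trusted_ports)                   # uplinks toward DS / BRAS
        self.pending: Dict[Tuple[str, int], str] = {}              # (mac, vlan) -> subscriber port
        self.bindings: Dict[Tuple[str, int, str], Binding] = {}    # (mac, vlan, port) -> lease

    def dhcp(self, port: str, vlan: int, msg_type: int, client_mac: str,
             yiaddr: Optional[str] = None) -> Tuple[bool, str]:
        """Snoop one DHCP message. Returns (forward?, reason)."""
        if msg_type in (DHCPDISCOVER, DHCPREQUEST):
            if port in self.trusted:
                return False, "client message arriving from an uplink"
            self.pending[(client_mac, vlan)] = port
            return True, "client message relayed"
        if msg_type in (DHCPOFFER, DHCPACK):
            if port not in self.trusted:
                # Servers never sit behind subscriber ports: this is a rogue DHCP server.
                return False, "rogue DHCP server on untrusted port %s" % port
            if msg_type == DHCPACK:
                sub_port = self.pending.pop((client_mac, vlan), None)
                if sub_port is None or yiaddr is None:
                    return False, "ACK without a matching client request"
                self.bindings[(client_mac, vlan, sub_port)] = Binding(client_mac, yiaddr, vlan, sub_port)
            return True, "server message forwarded"
        return False, "unhandled DHCP message type %d" % msg_type

    def _check(self, port: str, vlan: int, mac: str, ip: str, what: str) -> Tuple[bool, str]:
        if port in self.trusted:
            return True, "trusted port, not inspected"
        b = self.bindings.get((mac, vlan, port))
        if b is None:
            return False, "%s from %s on %s: no DHCP binding" % (what, mac, port)
        if b.ip != ip:
            return False, "%s claims %s but %s leased %s" % (what, ip, mac, b.ip)
        return True, "%s matches binding" % what

    def arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> Tuple[bool, str]:
        """Dynamic ARP Inspection: validate the sender hardware/protocol address pair."""
        return self._check(port, vlan, sender_mac, sender_ip, "ARP")

    def ip(self, port: str, vlan: int, src_mac: str, src_ip: str) -> Tuple[bool, str]:
        """IP Source Guard: validate the source MAC/IP of every IP frame from a subscriber port."""
        return self._check(port, vlan, src_mac, src_ip, "IP")


def demo() -> List[Tuple[bool, str]]:
    """Run a constructed lease and a few attacks through the guard; returns the verdicts in order."""
    g = SnoopingGuard(trusted_ports={"xe-0/0/0"})
    sub, sub_mac = "ge-0/0/5", "00:11:22:33:44:55"
    return [
        g.dhcp(sub, 3, DHCPDISCOVER, sub_mac),
        g.dhcp("ge-0/0/9", 3, DHCPOFFER, sub_mac, "10.3.0.250"),   # rogue server on another subscriber port
        g.dhcp("xe-0/0/0", 3, DHCPACK, sub_mac, "10.3.0.20"),       # real server answers via the uplink
        g.arp(sub, 3, sub_mac, "10.3.0.20"),                         # legitimate ARP
        g.arp(sub, 3, sub_mac, "10.3.0.1"),                          # claiming the gateway address
        g.ip("ge-0/0/6", 3, sub_mac, "10.3.0.20"),                   # neighbour reusing the lease
        g.ip(sub, 3, sub_mac, "198.51.100.7"),                       # spoofed source IP
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("FORWARD" if ok else "DROP   ", why)
```

The binding key includes the ingress port, which is what stops a subscriber on one AN port from replaying a neighbour's MAC/IP pair; the per-service VLAN is part of the key for the same reason, so a lease obtained on the data VLAN cannot be presented on the voice VLAN.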
  • 8.2 Security: Data Plane
    [Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone, with the data-plane controls below placed at the element that applies them]
    - Protect against MAC attacks; protect against MAC spoofing
    - User isolation (prohibit direct connection between users) / service isolation
    - Protect against ARP attacks
    - Protect against DHCP attacks; IP Source Guard / DHCP security
    - Storm control
    - Control of CPU-bound traffic
    - Protect against IGMP attacks; filter multicast streams from abnormal sources
    - Resource (number of routes/MACs) limitation and rate-limit of protocol updates per VRF
    - Filter martian addresses, RFC 1918 addresses and bogon prefixes
    - Filter directed broadcast
    - Rate-limit ICMP echo and TCP SYN (both to the CPU and in transit)
    - Reject other ICMP packets (e.g. ICMP Redirect), IP packets with options and malicious fragments
    - Unicast RPF, loose mode
    - Filter well-known attack traffic (worms/viruses)
  • 8.3 Security: Control Plane & Management Plane
    [Figure: the same topology; the controls below apply to the DS and BRAS/PE and to management access to them]
    - MD5 authentication for IP routing / MPLS signaling
    - Generalized TTL Security Mechanism (GTSM)
    - SNMPv3
    - SSH (Secure Shell) / SCP (Secure Copy Protocol)
    - TACACS+
    - Control the number of concurrent SSH connections
    - Control the rate of SSH connections
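The route-information-spoofing defences from the 8.1 table (GTSM and martian/RFC 1918/bogon route filtering) and the per-VRF route limit from the data-plane slide, as an added example that is not code from the document or from NMC Consulting. gtsm_accept applies the RFC 5082 rule to the TTL of a received routing packet; filter_update classifies the prefixes of a received update. The martian list is the usual IPv4 set and is deliberately short, the bogon list is an input the operator supplies (the one in demo is constructed), and the /24 maximum prefix length and the per-VRF limit are assumed policy values.

```python
"""GTSM check and martian/bogon prefix filtering for a PE/BRAS peering (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

MARTIANS: List[ipaddress.IPv4Network] = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
MAX_PREFIXLEN = 24      # assumed policy: nothing more specific than a /24 from a peer


def gtsm_accept(received_ttl: int, max_hops: int = 1) -> bool:
    """RFC 5082: the peer sends with TTL 255. A packet that crossed more than max_hops routers
    cannot arrive with TTL >= 255 - (max_hops - 1), so a remote spoofer is rejected before the
    routing process parses anything (and before the MD5 check spends any CPU on it)."""
    if not 0 <= received_ttl <= 255 or max_hops < 1:
        raise ValueError("bad TTL or hop count")
    return received_ttl >= 256 - max_hops


def filter_update(prefixes: Iterable[str], bogons: Iterable[str] = (),
                  max_prefixes: int = 500_000) -> Dict[str, object]:
    """Classify the prefixes of a received update.

    Returns {'accepted': [...], 'rejected': [(prefix, reason)], 'over_limit': bool}; when
    over_limit is set the per-VRF route limit was exceeded and the session should be reset."""
    bogon_nets = [ipaddress.ip_network(b) for b in bogons]
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for p in prefixes:
        try:
            net = ipaddress.ip_network(p, strict=True)      # strict: host bits set is an error
        except ValueError as exc:
            rejected.append((p, "malformed: %s" % exc))
            continue
        if net.version != 4:
            rejected.append((p, "not IPv4; this policy is IPv4-only"))
        elif net.prefixlen == 0:
            rejected.append((p, "default route not accepted from a peer"))
        elif net.prefixlen > MAX_PREFIXLEN:
            rejected.append((p, "more specific than /%d" % MAX_PREFIXLEN))
        elif any(net.overlaps(m) for m in MARTIANS):
            # overlaps() catches both a martian inside the prefix and a prefix inside a martian
            rejected.append((p, "martian / RFC 1918 space"))
        elif any(net.overlaps(b) for b in bogon_nets if b.version == 4):
            rejected.append((p, "unallocated (bogon) space"))
        else:
            accepted.append(str(net))
    return {"accepted": accepted, "rejected": rejected, "over_limit": len(accepted) > max_prefixes}


def demo() -> Dict[str, object]:
    """Constructed update: one good prefix and seven that each trip a different check."""
    received = ["203.0.113.0/24", "192.168.1.0/24", "10.0.0.0/7", "198.51.100.0/25",
                "2001:db8::/32", "0.0.0.0/0", "192.0.2.0/24", "198.51.100.1/24"]
    return filter_update(received, bogons=["192.0.2.0/24"], max_prefixes=5)


if __name__ == "__main__":
    print("GTSM, directly connected peer, TTL 254 accepted:", gtsm_accept(254))
    r = demo()
    print("accepted:", r["accepted"])
    for prefix, reason in r["rejected"]:
        print("rejected %-18s %s" % (prefix, reason))
```

The order of the checks matters little for correctness but does for cost: the TTL test and the prefix-length test are integer comparisons and run before the overlap scans, so a flood of junk prefixes is discarded cheaply.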
  • 9. Easy Touch Provisioning Tool: SSG (Service Selection Gateway) for TPS Users
    [Figure: transport plane (RG, AN, AS, DS, BRAS/SSG, IP/MPLS backbone), service intelligence (policy server), control plane (LDAP, AAA, DHCP) and back office (OSS/BSS, web portal); the message flow is numbered 1-19]
    1. DHCP DISCOVER
    2. DHCP OFFER
    3. DHCP REQUEST
    4. DHCP ACK
    5. "Client Table" is created
    6. "SI" is created
    7. COPS: Interface Event
    8. COPS: Address Event
    9. COPS: Default Policy
    10. LDAP search: MAC -> ID/PW
    11. LDAP result: NULL (the MAC is not yet known)
    12. HTTP/HTTPS: ID/PW entered by the subscriber on the web portal (this step has to run over HTTPS; over plain HTTP the credentials cross the access network in the clear)
    13. CORBA: ID/PW information
    14. RADIUS: Request Authentication (ID/PW)
    15. RADIUS: Authentication Result
    16. RADIUS: Type of Service for the subscriber
    17. CORBA: Authentication Result
    18. COPS: Service Policy
    19. HTTP/HTTPS: Authentication Result, and the "Subscriber Homepage" is shown
    LDAP: service adds (unnumbered in the figure)
  • Easy Touch Provisioning Tool: VLAN Connection Management for Enterprise
    - Connection Manager helps reduce overall administration and management cost by providing automated resource management and rapid profile-based provisioning, which speeds deployment and time to market of Metro Ethernet services
    - It provides 802.1Q VLAN and 802.1ad QinQ provisioning for the AN, AS and DS
    [Figure: Site-1/Site-2 of VPN-A and VPN-B, RG/CE - AN - AS - DS - BRAS/PE - P - PE - CE; per-enterprise VLAN in the backhaul, per-enterprise MPLS VPN (L2/L3) in the core. A: QinQ assignment on the user-facing port for the enterprise user; B: VLAN ID assignment on the access-facing port for the enterprise user]
  • 10. Element & Network Management System
    [Figure: NMS above per-element EMSs (RG EMS, AN EMS, AS/DS EMS, BRAS EMS) plus DHCP and TFTP/FTP servers; southbound SNMP to the network elements, northbound SNMP and XML toward the NMS]
    - Network management systems make use of a wide range of tools, applications, interfaces and devices to help network operators monitor and maintain the network. The ITU-T defines a standard model for all management systems, called FCAPS:
      - Fault management
      - Configuration management
      - Accounting management
      - Performance management
      - Security management
  • EMS/NMS Features
    Feature table by area:
    - General management: topology map
    - Fault: fault detection, alarm generation, alarm handling, error logging, alarm statistics summary, alarm count per fault category, alarm colour per fault category
    - Configuration: resource initialization, provisioning, backup and restore, remote configuration, automated software installation
    - Performance/Statistics/Reports: data collection, data reporting, data analysis, alarm history
    - Security: user access right checking, command history, access logging, security alarm reporting, data backup
    [Figure: EMS/NMS screen layout: (1) element lists with element view, element search and diagnostics for elements; (2) topology map with network topology, element status and link/port status views; (3) the feature table; (4) detail view for the selected elements/networks; (5) alarm status/history]
  • EMS/NMS Functionality Summary
    Feature - sub-feature: description
    - System - monitoring condition: monitoring time, retry count, retry timeout; monitoring condition and threshold control based on system performance
    - System - topology map: map service based on topology
    - System - utility: ping, trace, telnet
    - System - alarm history: alarm history by region, element and port
    - System - tool-tip: detailed information is displayed when the mouse moves across an element or port
    - System - element information: CPU, memory, disk, temperature, element boot time, OS version, number of interfaces
    - System - interface information: interface ID, interface operational/admin status
    - Performance - performance reports: top-N performance by day, week and month
    - Performance - system resource: CPU utilization, memory usage, disk usage, response time
    - Performance - traffic performance: interface input/output throughput (bps, pps), utilization rate, error rate and discard rate
    - Configuration - element status: status of the registered elements
    - Configuration - element configuration: node and port configuration such as VLAN, QoS, ACL, multicast, etc.
    - Configuration - port status: port (physical/logical) up/down status
    - Configuration - port control: port (physical/logical) up/down control; remote port control from the EMS/NMS
    - Configuration - element/link management: add/modify/delete elements or links
  • EMS/NMS Functionality Summary (continued)
    Feature - sub-feature: description
    - Fault - SNMP trap: SNMP trap, syslog, CLI
    - Fault - alarm notification: web event, e-mail, SMS
    - Fault - alarm history: alarm history search
    - Fault - alarm severity management: critical, major, minor, warning, normal
    - Fault - syslog management: syslog collection, syslog history search
    - Fault - alarm analysis report per element: analysis of alarm count, alarm duration and alarm type for each element
    - Fault - alarm analysis report per interface: analysis of alarm count, alarm duration and alarm type for each interface
    - Fault - alarm threshold: alarm threshold setting
    - Statistics/Report - report file format: statistics reports in Microsoft Excel or Word format
    - Statistics/Report - element or port inventory report: inventory including the alarm or log history of elements or ports
    - Statistics/Report - element performance report: performance reports for traffic utilization, resource usage, alarms, response time, etc. (daily, weekly, monthly)
    - Statistics/Report - traffic statistics: traffic analysis report per period and per application
    - Security - account management: account management, user ID support, access right control
    - Backup and restore of data: configuration backup/recovery of all elements; automatic and scheduled backup
  • End of Document
  • Netmanias Research and Consulting Scope (timeline 1999-2013): IP Routing, MPLS, Metro Ethernet, Carrier Ethernet, FTTH, IPTV/TPS, Cable TPS, IMS, BSS/OSS, Policy Control/PCRF, Data Center, Data Center Migration, Wireline Network, Mobile WiMAX, LTE Mobile Network, LTE Backhaul, Carrier WiFi, eMBMS/Mobile IPTV Services, CDN/Mobile CDN, Transparent Caching, Voice/Video Quality. Visit http://www.netmanias.com to view and download more technical documents.