Before You Begin: Assign Information Classification

  • Transcript: Of course there's also our core platforms. The 7600, some capabilities that were added to it recently was call admission control. That turns out to be critical for video. Because video is so compressed that you don't want to have packet loss. Packet loss will cause a visible glitch. And the rule of thumb of what they want to keep the glitch rate down to kind of one glitch per two hour period. And that's a very low packet loss ratio you need to obtain. So the way you'd do it is twofold. One, in an optical network your inherent bit error rate is low enough that if you avoid loss due to congestion you can achieve that goal. So that's what call admission control is all about. It's no longer just throw some more traffic in there and hopefully the application will recover it, retransmit. You don't have time to do that for video. So instead anytime you want to ask for a stream or increase the characteristics of the stream, you ask. And you potentially can get back -- no you can't. That way you don't have the additional person that's added to the traffic mix cause packets to be dropped in all the different streams. So you prioritize the traffic. You add call admission control and you can solve that part of the problem. It ended up getting an InfoVision award for some of this technology as well.
    Author’s Original Notes: Cisco now offers Multicast Connection Admission Control (CAC) on the 7600 series to deliver a high-quality user experience even when demand for video results in network oversubscription, a scenario that will become increasingly common as IPTV systems are more broadly deployed and subscriber numbers rise. The Cisco Multicast CAC capability offers carriers two bandwidth management choices—to provision the network with the maximum bandwidth required to handle service peaks or to deploy a CAC solution to handle service peaks that occasionally exceed available bandwidth. The latter approach balances capital investment with delivery of a high quality user experience. The new Cisco Multicast and previously announced Video on Demand (VoD) CAC solutions help providers differentiate their paid VoD, free VoD, specific high-demand broadcast channels, and many other video services by delivering a higher quality user experience. Cisco routers work in conjunction with the Cisco Broadband Policy Manager (BPM) and on-demand servers and managers to perform the CAC function for superior service control.
    Video Aware Networking. New: Integrated Multicast/Unicast Connection Admission Control (CAC). VoD stream can be denied based on business logic of provider. Prioritize blocking of free VoD vs. pay VoD. “Graceful” acceptance or denial of service to subscribers ensures QoS and QoE.
    Video Monitoring. New: Network Analysis Module (NAM) Rel 3.5. Monitor video streams in real time. Proactive alerts to picture degradation of VOD or IPTV service.
  • Transcript : Another important part of it is tracking the quality of experience. This was actually originally trialed with Yahoo broadband Softbank in Japan. It turned out they were having a lot of customers that would just kind of use the service for awhile and drop off. And they would never really call up and complain. Maybe it's a little different culture there in Japan so they don't like to complain as much. Well it turned out the problem they were having is from a lot of packet loss recurring. They wouldn't even know about it. So they needed a way to monitor the traffic loss. And so there was a version of code that was developed for the NAM module to actually track the RTP headers of the sequence numbers and the time stamps to actually monitor packet loss. When you have packet loss ratios are so much smaller than you would typically have on a link on a per stream basis.
  • Transcript: Video error repair, the idea here is that in the server side of the VQE module we're attaching to and we're capturing all the broadcast channel and remembering the last couple of GOPs like the last few seconds to seven seconds of the content. And a set-top box has in it a jitter buffer of a certain amount of time. And if it detects that it didn't get the packet, it missed a packet, it sends a request upstream to the VQE server who has the packet and he retransmits it back down to it. We do this with standard RTP-based mechanisms. So it's an open standards approach. It's in many ways very similar to what Microsoft talks about in their eServer. But they do it with kind of their own closed protocols. Author’s Original Notes: As indicated, one of the major challenges facing wireline providers is bad copper lines that are notoriously unpredictable. With Cisco VQE technology this problem can be effectively and transparently managed for IPTV subscribers. This technology innovation has a client and network component. For example, as an STB is streaming video it detects the loss of a packet that will result in a bad picture. The STB sends a standards-based request to the VQE-enabled network. The VQE-enabled router retransmits the missing packet to the STB, which resequences it and then passes it along. The error is completely transparent to the subscriber since the entire error detection/repair process takes place in under 100ms. The result is that copper line errors can be quickly detected and transparently repaired, which now means that DSL networks can be preconditioned for video service delivery. The customer receives a superior video viewing experience due to Cisco VQE. Moreover, call center overload and customer churn are avoided.
  • Transcript: Well through SA we have a whole variety of set-top boxes, IP set-top boxes and cable set-top boxes that are optimized for the different ways you might use them in the home. There is a family of IP set-top boxes, the IPN330SD and HD. And actually at this point the SD's kind of obsolete because the delta cost between the standard def and the high def is so small that anybody deploying IP set-top boxes today this technology will probably just go ahead and deploy the high def box. There are two versions of the DVR-based box. This is a single stream DVR with an 80 gig drive but can also act as a server to other devices in the house for example over HPNA or MOCA. And there's also a version of the box that's a whole home box. It has three decoders in it itself. And it delivers the video over the coax cable to slave boxes in the home or analog TVs potentially. So we have an IR remote for the primary set-top box and an RF remote for the other two.
  • Transcript : And service providers really need us to understand the solution end-to-end. Content providers, to service providers, to the network systems, to devices, to the applications and services we're deploying over and down to what subscribers need.
  • IPNGN Carrier Ethernet Design is a Cisco-branded Carrier Ethernet Solution and is the Network layer instantiation of IP NGN for Access and Aggregation as illustrated by the boundaries. Network – IP / MPLS / Ethernet / DWDM. The way to talk consistently about our evolving CE story. Pragmatic design for optimal service delivery over a truly converged Carrier Ethernet infrastructure for both consumer and business services. IP NGN approach “recognizes differences in the characteristics and needs of different services and has the service awareness and flexibility to treat them differently”. IPNGN Carrier Ethernet Design is tested as a System Solution to ensure end-to-end scalability, reliability, and consistent service delivery. Included Solution Design Elements: MSA: 7600 with ES20 Modules; BNG: 10008, PRE-3, Exodus 4; MSE: 12400, E3/5, 12.0.33S; Access: DSL, ETTX, WiMax; Access: DSBU, GSBU; Subscriber: Linksys, 3rd Party; External Interfaces: Core, Connected Home, IP RAN, SEF
  • In the next slide we will observe more specific details, such as how a packet goes through the SCE.
  • The Cisco Service Control solution is delivered through a combination of purpose-built hardware and specific software solutions that address various service control challenges faced by service providers. The SCE platform is designed to support classification, analysis, and control of Internet/IP traffic. Service Control enables service providers to create profitable new revenue streams while capitalizing on their existing infrastructure. With the power of Service Control, service providers have the ability to analyze, charge for, and control IP network traffic at multigigabit wire line speeds. The Cisco Service Control solution also gives service providers the tools they need to identify and target high-margin content-based services and to enable their delivery.
  • Lower diagram shows a more “physical” description of the node. In practice a node can have 1 or more SCE (Service Control Engine) devices.
  • Transcript : I kind of talked on that slide. Oh so we're actually stepping up to provide consulting services in addition to the products even to the point of system integration. So we'll come in, we'll do the business case for you and help you define the service. Author’s Original Notes: Cisco and SA can provide: End to end integration services. Customized services driven by customer choice, but bringing with them Cisco’s end-to-end experience. Our services portfolio for IPTV, triple-play and quad-play is very flexible and can provide enablement, risk reduction and accelerate time to market in almost any go-to-market scenario.

    1. Cisco Systems – Presentation. Ясен Спасов [email_address]
    2. Carrier Ethernet Aggregation System [Diagram labels: Core Network (IP / MPLS); DPI, SBC; Residential BNG; Business MSE; Distribution Nodes; Aggregation Nodes; Aggregation Network (MPLS/IP); DSL Access Node; Ethernet Access Node; Access, Carrier Ethernet Aggregation, Edge; Service Exchange (Identity, Address Mgmt, Portal, Subscriber Database, Monitoring, Policy Definition, Billing); Content Network (VoD, TV, SIP); subscribers: Residential, STB, Business, Corporate]
    3. Video and Multicast: Unmatched, end-to-end connection admission control manages network over-subscription to avoid video packet loss [Diagram, two panels with numbered steps 1 to 4. Broadcast TV, Multicast CAC: Broadcast Source, Policy Server, IPTV Channel Change, Channel Request, Available Bandwidth Check, Request Denied/Accepted. Video on Demand, RSVP-CAC: VoD Servers, Policy Server, VoD Request, Available Bandwidth Check, Request Denied/Accepted]
    4. Measuring IPTV Quality of Experience: Proactive Measurement Required
       • Collecting Statistics for Video/IPTV Packet Loss Rate (PLR)
         • Periodically collect MIB counters/data for each channel/stream
         • Difficult, time-consuming to detect low levels of packet loss with any statistical significance; Not proactive!
       • Track RTP Sequence Numbers per IPTV Channel / Stream
         • Accurate Loss Statistics as it can detect Low Levels of loss on each IPTV stream near instantaneously
         • Can also be used to measure jitter
         • Complements STB quality data (RTCP reports, MPEG PQR, etc)
       • Loss Recovery/Conceal Options
         • RTP Retransmissions
         • FEC
       • More analysis on demand
         • Network can non-intrusively copy streams situational/on-demand
         • Send stream copy to appliances - local or back in a VOC - for more detailed analysis (MDI, MOS, etc)
       • Supported on Cisco 7600 NAM Release 3.5
       [Screenshots: RTP Stream Monitoring; RTP Stream Alarms]
    5. Cisco VQE — Video Error Repair
       • Reduces SP OpEx and Customer Churn — Avoids costly help desk calls
       • Enhances Customer Video Experience Quality — Delivers better video
       • Error repair done in less than 100 ms
       • Uses Standard RTP/RTCP protocol
       [Diagram: STB, DSLAM, VQE. STB detects packet loss; sends standards-based message to VQE; VQE re-transmits missing packet; STB re-sequences video stream]
    6. Extensive Cisco Family of IP-STBs: Delivering the subscriber experience
       • IPN 330HD High Definition Set-top-box
         • Single SD or HD plus PIP decode
       • IPN430MC Digital Video Recorder
         • Single SD or HD plus PIP decode
         • Fanless DVR (80 GB typical)
         • Whole house server
       • IPN603MCG Multi-stream DVR Gateway
         • One set-top for the entire home (3 decoders-in-one)
         • HD to primary TV
         • Two SD/RF outputs to other TVs
         • Fanless DVR (80 GB typical)
       Models with DVB & SCART I/F are also available for Europe. [Diagram label: Deliver Video]
    7. Service Providers require us to have a deep understanding of the overall value space… [Diagram labels: consumers; applications & services; devices; networks & systems; service providers; content providers]
    8. WWW.LINKSYS.COM Metro Ethernet Switches
    9. Cisco ME Series Switches: Product Positioning [Diagram labels: Residential, STB, Business, Corporate, WiMAX, CPE; Access, Aggregation, Edge, Core; Demarc/CPE; 7600; CRS-1; ME3400-24FS; ME340024-TS; ME3400G-2CS; ME3400G-12; Broadcast Video Content; Internet; PSTN]
    10. Multicast features
       • IGMP Snooping helps enable intelligent management of multicast traffic by examining IGMP messages.
       • IGMP Fast Leave provides a fast channel-changing capability for IPTV services.
       • IGMP filtering provides control of groups each user can access.
       • IGMP Throttling controls the maximum number of multicast groups each user can access.
       • IGMP Proxy allows users anywhere on a downstream network to join an upstream sourced multicast group.
    11. WWW.LINKSYS.COM Linksys SP Switches
    12. ID Design: SPS208G, SPS224G4, SPS2024
    13. Added features to SRW products (Service Provider Switches)
       # / FEATURE
       1 / Storm Control includes unknown Unicast
       2 / Firefox Web Browser
       3 / DHCP Relay Option 82 at Layer 2
       4 / DHCP Snooping
       5 / IP Source Guard
       6 / Dynamic ARP inspection
       7 / DHCP Guard (included in Snooping) – termed DHCP trusted interface
       8 / Multiple MAC Authentications (MAC based 802.1X)
       9 / 802.1X - Per User (each new user needs to be authenticated)
       10 / MVR
       11 / Q-in-Q (Port based)
       12 / STP Root Guard
       13 / CLI
    14. Added Features description (1)
       • Storm Control: Protects your organization's LAN from broadcast storms, which can cause network slowdowns if they become severe.
       • Firefox Web Browser: Cross-platform browser, providing support for various versions of Microsoft Windows, Mac OS X, and Linux. Note that current testing is only performed on Windows platforms.
       • DHCP Relay Option 82: Allows a DHCP Relay Agent to insert circuit-specific information into a request that is being forwarded to a DHCP server.
       • DHCP Snooping: A security feature that filters untrusted DHCP messages. Protects clients on the network from peering up with an unauthorized DHCP server. Stops rogue devices from acting as a DHCP server.
    15. Added Features description (2)
       • IP Source Guard: Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch port bindings. Prevents IP address spoofing.
       • Dynamic ARP inspection: Prevents man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) messages.
       • DHCP Guard (DHCP trusted interface): Protects clients on the network from peering up with an unauthorized DHCP server.
       • (Multiple) MAC Authentications: Means of authenticating without the user login required by the web-based and 802.1X methods.
    16. Added Features description (3)
       • 802.1X - User: A per-user (per session) access control protocol. Each user connected to a switch port goes through the 802.1x authentication process before being allowed to send data.
       • MVR: Multicast VLAN Registration. Reduces duplication of multicast traffic across multiple VLANs in Layer 2 ring networks by centralizing the distribution of multicast traffic in a single video VLAN.
       • Q-in-Q: Tunneling an 802.1q packet inside another 802.1q packet to distinguish different customers' VLANs. SPs might use Q-in-Q if they are providing Metro Ethernet service to multiple customers for high speed metropolitan-area network (MAN) connectivity.
    17. Added Features description (4)
       • STP Root Guard: Allows a device to participate in STP (Spanning Tree Protocol) as long as the device does not try to become the root.
       • CLI: Command Line Interface. A means of communication between a program and its user, based on textual input and output. Commands are input with the help of a keyboard or similar device and are interpreted and executed by the program. The user sees the command line on the monitor and a prompt that is waiting to accept instructions from the user.
    18. Metro Access Security Mechanisms: Subscriber Security
       • One of the biggest concerns in using a shared Ethernet Access device for multiple customers is how to prevent one customer from affecting another customer
       Security Concern: / Use:
       DHCP Rogue Server / DHCP Snooping
       IP Address Spoofing / DHCP Snooping + IP Source Guard
       ARP Spoofing (Man-in-the-Middle) / DHCP Snooping + Dynamic ARP Inspection
       Layer 2 Isolation across switches / Private VLAN Edge (PVE)
    19. Subscriber Security: Private VLAN
       • What It Does:
         • Private VLANs partition a regular VLAN domain into subdomains, consisting of a pair of VLANs: a primary VLAN and a secondary VLAN
         • Two types of Secondary VLANs:
           • Isolated VLANs—Ports within an isolated VLAN cannot communicate with each other at the Layer 2 level – Supported with SPS switches
           • Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level – only supported with Cisco Catalyst switches
       • Benefit:
         • In addition to addressing service provider VLAN ID scalability and IP address management issues, the Private VLAN feature offers Layer 2 separation across switches
       [Diagram labels: Primary VLAN; Primary VLAN Domain; Subdomain; Secondary Community VLAN; Secondary Isolated VLAN]
    20. Switch Security: Rate Limiting
       • What It Does:
         • Rate limiters can limit traffic per VLAN, port or user to mitigate the impact of packet-blasting worms and limit the amount of traffic a user can send onto the network
         • Can rate limit using either traffic policing or shaping functions
       • Benefit:
         • Prevents a malicious user from flooding the network with traffic, affecting other users and the management of the network itself
       [Diagram: 100 Mbps port with 20 Mbps allowance; 80 Mbps “overage”; management traffic given highest priority]
    21. Switch Security: Secure Shell (SSH)
       • What It Does:
         • SSH is a protocol that can provide secure connections to a remote device for management
         • Data is sent through an encrypted tunnel (DES or 3DES) to secure transmission and integrity of data
         • Authenticates users and ensures secure file transfer and copying
         • To use this feature, you must install the cryptographic (encrypted) software image on your switch
       • Benefit:
         • Both sides of the tunnel are authenticated so that man-in-the-middle attacks are prevented and critical management information is not compromised
         • Provides improved security as compared to Telnet sessions by providing strong encryption when a device is authenticated
         • Protects passwords and configuration information
       [Diagram: Privacy (Using SSH for Encryption). A Telnet session (telnet foo.bar.org, username: dan, password: NetworkAdmin) is shown in clear text; over Secure Shell (SSH) to the edge switch the “Hacker” sees only ciphertext (username: @#r); password: %a)t#>)]
    22. Network Security: Access Control Lists (ACLs)
       • What It Does:
         • ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs
         • An ACL is a sequential collection of permit and deny conditions (ACEs) that apply to packets
         • IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
         • Ethernet (MAC) ACLs are used to filter non-IP traffic
         • Port, VLAN and Router ACLs are supported
       • Benefit:
         • Restrict network use by certain users or devices
         • Administrators can selectively apply extended ACLs based on the time of day and week for added flexibility and/or automation
    23. Service Control Engine
    24. Deployment / Application Lifecycle: Phases of a Service Control deployment
       • 1: Usage Analysis
         • Objectives: Monitor traffic distribution & usage patterns
         • Network topology: Receive only
       • 2: Global Traffic Optimization
         • Objectives: Improve network experience & reduce operational expense
         • Network topology: Active mode
       • 3: Subscriber Service Creation
         • Objectives: Service creation, subscriber differentiation
           • billing and value-added services
         • Integrated into back office (AAA, billing, Policy-Server)
       [Diagram labels: Portal; Policy]
    25. Process of Service Control
       • Intelligent inspection and control of IP packets
         • … Classify to end-user application. Determine application semantics
         • … Map to subscriber identity, policy and state
         • … Select action based on network condition – time of day, congestion, other concurrent activities
         • … Take action
       [Diagram labels: Application; Subscriber; Network Condition; actions: Block, Redirect, Set QoS, Mark]
    26. Solution Overview: Modular solution that includes SCE devices, management tools and integration APIs [Diagram labels: Network; Service Control Engine; Subscribers; Subscriber Manager; AAA; DHCP; Radius; Billing; Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server]
    27. Service Control Platforms
       Row / SCE2020 / SCE1010
       Interfaces / 4-GBE (fiber SX/LX) / 2-GBE (fiber SX/LX)
       Processor Memory / 1.5GB / 768MB
       Max. Flows / 2M (1M bi-directional) / 2M (1M bi-directional)
       Max Subscriber-Contexts / 80,000 / 40,000
       Network configuration / Receive-only, Inline, Cascade / Receive-only, Inline
       Mgmt. Interface / 2 x 10/100/1000 FE / 2 x 10/100/1000 FE
    28. Network Insertion Point
       • Typical insertion point—Broadband Edge/Aggregation
         • Directly after subscriber-aggregator (B-RAS/CMTS, Retail-LNS)
         • Aggregation point further down the network edge
         • Support for inline (active) and receive-only (monitoring) configurations
       • Issues to consider:
         • Traffic visibility (engine must see all traffic it needs to control)
         • Network interfaces
         • IP/Tunneling environment
         • Network redundancy
         • Split-flow
    29. SCA-BB Topology Configurations
       • Inline — single SCE platform inline (default)
         • Monopath – using both links on an SCE2020
       • Receive-only — single SCE platform receive-only
         • Optical splitters or Port-Span
       • Inline-cascade — two cascaded SCE platforms inline
       • Receive-only-cascade — two cascaded SCE platforms receive-only
       • Multi-Gig Cluster (MGSCP)
       • MPLS-VPN Configurations
       • Value Added Services Configurations
       • SCE API Interconnects (SM – PRPC, ISG/PS – SCMP)
    30. Inline and Receive-Only Configurations
       • Receive-only configuration
         • GIG-E: Using Optical Splitters/Port-Span
         • FE: Port-Span
         • Traffic monitoring only
       • Inline configuration
         • Engine installed in data-path
         • Monitor and control traffic
       [Diagram labels: Subscribers; Network; optical splitters]
    31. Transparent Topologies
       • Two monopath
         • Single SCE2000 on 2 links
         • Bypass config: Fail closed
       • Asymmetric 1+1
         • Active/Active; SCE on each link
         • SCE2000 cascade resolves asymmetric routing
         • Bypass config: Fail open
       [Diagram labels: Subscribers (S1, S2); Network (N1, N2); SCE2000; Active Links; Master; Slave]
    32. Active/Standby Schemes
       • 1+0 (SCE1000, SCE2000)
         • Active/Standby; SCE on active link
         • On failure network uses alternate path
         • No service redundancy
         • Bypass config: Fail opened
       • 1+1 (SCE1000, SCE2000)
         • Active/Standby; SCE on each link
         • On failure network uses alternate path
         • Standby SCE resumes service
         • Bypass config: Fail opened
       [Diagram labels: Active Link; Standby Link]
    33. SCE2000 Cascade for High Availability
       • Resolves split flow between two links
       • SCE2000 cascade feature ensures flow consistency
         • Slave forwards all traffic to Master for processing
         • Master updates Slave with subscriber policy/state information
         • Roles change on failure of primary path
       [Diagram labels: Master; Slave; Active Links]
    34. Multi-Gig Cluster Solution
       • Split flows between more than two GBE links
       • SCE(s) are hairpinned to redundant 6500/7600; matching EtherChannels on the 6500/7600 ensure traffic of a single subscriber flows to the same SCE
         • Can use PBR as well
       • Support for N+1 configuration through EC failover
       [Diagram labels: BRASs/CMTSs; Core Routers; SCE 2000s; 7600/6500]
    35. New 10Gig DPI: SCE8000
       • Chassis hosting the SPA modules and DPI modules
       • 4-slot chassis:
         • Slots #1 & #2: DPI Modules/Blades
         • Slot #3: 10G SPA jacket card
         • Slot #4: Internal Optical Bypass
       [Diagram labels: Internal Optical Bypass (optional); Two DPI Modules (2nd is optional); SPA Jacket Card with 4 x 10Gig SPAs]
    36. Cisco + Scientific Atlanta: Delivering Glass-to-Glass Integrated IPTV Solutions [Diagram labels: IP DNA; Video DNA; Home Net DNA; Integrated End-End Platform; Order-to-Bill; Home Network & Devices; BSS / OSS; Video HE; Carrier IP Network; Video Control; Video Experience; Preserve; SYSTEM INTEGRATION]
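
Slides 15 and 18 pair DHCP Snooping with IP Source Guard and Dynamic ARP Inspection. The following is an added example, not code from the presentation or from any Cisco/Linksys product, showing how one snooped binding table can drive all three checks. The `AccessSwitch` class, port names, MAC addresses and IP addresses are constructed for illustration, and the model is simplified (no lease timers, no static ARP entries).

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    """Simplified model of one shared access switch (hypothetical)."""
    trusted_ports: frozenset                       # uplinks toward the real DHCP server
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding
    pending: dict = field(default_factory=dict)    # (vlan, client mac) -> subscriber port

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def dhcp(self, port, vlan, msg, client_mac, ip=None):
        """DHCP snooping: filter one DHCP message and maintain the binding table."""
        if msg in SERVER_MSGS:
            if port not in self.trusted_ports:
                return "drop: server message on untrusted port"
            if msg == "ACK":
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, ip)] = Binding(client_mac, ip, vlan, client_port)
            return "forward"
        if msg == "RELEASE" and port not in self.trusted_ports:
            # A release must come from the port and MAC that own the lease.
            if not self._bound(port, vlan, client_mac, ip):
                return "drop: release does not match binding"
            del self.bindings[(vlan, ip)]
            return "forward"
        if msg in {"DISCOVER", "REQUEST"} and port not in self.trusted_ports:
            self.pending[(vlan, client_mac)] = port   # remember where the client sits
        return "forward"

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """Permit an IP packet only if its source matches the port's binding."""
        return port in self.trusted_ports or self._bound(port, vlan, src_mac, src_ip)

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """Relay an ARP message only if its sender fields match a binding."""
        return port in self.trusted_ports or self._bound(port, vlan, sender_mac, sender_ip)


def run_demo():
    """Constructed scenario: subscriber A on gi1, subscriber B on gi2, uplink gi24."""
    mac_a, mac_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    sw = AccessSwitch(trusted_ports=frozenset({"gi24"}))
    out = {}
    # B's port answers A's DISCOVER as if it were a DHCP server.
    sw.dhcp("gi1", 10, "DISCOVER", mac_a)
    out["rogue_offer"] = sw.dhcp("gi2", 10, "OFFER", mac_a, "192.0.2.66")
    # The real exchange completes through the trusted uplink and creates a binding.
    sw.dhcp("gi24", 10, "OFFER", mac_a, "192.0.2.10")
    sw.dhcp("gi1", 10, "REQUEST", mac_a)
    out["real_ack"] = sw.dhcp("gi24", 10, "ACK", mac_a, "192.0.2.10")
    out["a_sends_ip"] = sw.ip_source_guard("gi1", 10, mac_a, "192.0.2.10")
    out["b_spoofs_a_ip"] = sw.ip_source_guard("gi2", 10, mac_b, "192.0.2.10")
    out["a_arp"] = sw.arp_inspect("gi1", 10, mac_a, "192.0.2.10")
    out["b_claims_gateway"] = sw.arp_inspect("gi2", 10, mac_b, "192.0.2.1")
    out["forged_release"] = sw.dhcp("gi2", 10, "RELEASE", mac_a, "192.0.2.10")
    out["binding_survives"] = (10, "192.0.2.10") in sw.bindings
    return out


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Because both data-plane checks read the same table, a statically addressed host on an untrusted port fails them until it is given a manual binding, which is why the slide lists DHCP Snooping as a prerequisite for the other two features.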
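
Slide 4 and its speaker notes describe detecting low levels of IPTV packet loss by tracking RTP sequence numbers per stream. The following is an added example, not the NAM implementation and not code from the presentation, of a per-stream loss counter that handles 16-bit sequence wraparound, reordering and duplicates. Keying streams by SSRC, the class names, the alarm threshold and the sample packets are assumptions constructed for illustration.

```python
import struct

# Fixed 12-byte RTP header: V/P/X/CC, M/PT, sequence, timestamp, SSRC (RFC 3550).
RTP_HEADER = struct.Struct("!BBHII")


def parse_rtp(packet):
    """Return (ssrc, sequence, timestamp) from the fixed RTP header."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("truncated RTP header")
    b0, _b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return ssrc, seq, ts


class StreamLoss:
    """Loss accounting for one stream, using extended (unwrapped) sequence numbers."""

    def __init__(self):
        self.base = None          # first sequence number seen
        self.max_ext = None       # highest extended sequence number seen
        self.missing = set()      # extended sequence numbers skipped and not yet seen
        self.duplicates = 0
        self.reordered = 0

    def update(self, seq):
        if self.base is None:
            self.base = self.max_ext = seq
            return
        delta = (seq - self.max_ext) & 0xFFFF
        if delta == 0:
            self.duplicates += 1
        elif delta < 0x8000:                       # moved forward, possibly across a wrap
            self.missing.update(range(self.max_ext + 1, self.max_ext + delta))
            self.max_ext += delta
        else:                                      # behind the highest packet seen
            ext = self.max_ext - (0x10000 - delta)
            if ext in self.missing:
                self.missing.discard(ext)          # late arrival fills a gap
                self.reordered += 1
            else:
                self.duplicates += 1               # already counted, or older than base

    @property
    def expected(self):
        return 0 if self.base is None else self.max_ext - self.base + 1

    @property
    def lost(self):
        return len(self.missing)

    @property
    def loss_ratio(self):
        return self.lost / self.expected if self.expected else 0.0


class RtpLossMonitor:
    """Tracks every stream seen on a monitored link, keyed by SSRC (assumption)."""

    def __init__(self):
        self.streams = {}

    def feed(self, packet):
        ssrc, seq, _ts = parse_rtp(packet)
        self.streams.setdefault(ssrc, StreamLoss()).update(seq)

    def alarms(self, max_loss_ratio):
        return sorted(s for s, st in self.streams.items() if st.loss_ratio > max_loss_ratio)


def make_rtp(ssrc, seq, ts=0, payload_type=33):
    """Build a constructed RTP packet (payload type 33 is MPEG-2 TS)."""
    return RTP_HEADER.pack(0x80, payload_type, seq, ts, ssrc) + b"\x47" * 4


def demo():
    """Constructed capture: one stream wraps, reorders, loses seq 4; one is clean."""
    monitor = RtpLossMonitor()
    for seq in (65533, 65534, 65535, 0, 1, 3, 2, 5, 5):
        monitor.feed(make_rtp(0x1111, seq))
    for seq in (10, 11, 12):
        monitor.feed(make_rtp(0x2222, seq))
    return monitor


if __name__ == "__main__":
    for ssrc, st in sorted(demo().streams.items()):
        print(f"{ssrc:#x}: expected={st.expected} lost={st.lost} "
              f"reordered={st.reordered} duplicates={st.duplicates}")
```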
