More than a decade ago, Cisco introduced wireless solutions that addressed challenges associated with address mobility, seamless authentication and comprehensive backend accounting.
In the last few years, the industry has transformed to offer an immense range of Smart Devices. This unprecedented growth in mobile traffic demands a change to scale to the new reality of any-to-any connectivity. This is a technical deep dive presentation on BNG Deployments and Mobile Offload techniques.
Automating for Monitoring and Troubleshooting your Cisco IOS Network - Cisco Canada
Do you wish that you could provide more automatic methods to monitor your network? Have you ever wasted hours to capture evidence of a transient network issue? Do you know which part of your network is likely to fail next? And how to prevent it? Your Cisco IOS® Network provides a wealth of advanced device manageability instrumentation (DMI) and Embedded Automation Systems (EASy) to design and implement your own Network Automations. Learn how Network Automation allows you to automate manual tasks, better operate existing network services and even enable new and innovative networking solutions. This session uncovers embedded Network Automation capabilities you can use to interact with your network elements for the purpose of implementing network testing, verification and service assurance in a more effective, efficient and robust way. Network Automation fundamentals as well as the choice and use of appropriate practices are illustrated through a combination of presentation and best practice examples. The topic is relevant for network planners and administrators, engineers and system integrators for both enterprises and service providers.
Other test equipment providers sell LTE capabilities separately, but following our all-inclusive model, we’ve included LTE testing for every BreakingPoint CTM, existing or new. (All it takes is a firmware update.) The combination of such large-scale testing and our all-in-one pricing model drops the cost per UE to under $0.25. That’s right — less than 25 cents.
Contrast that to the $1,000 price tag mentioned above, and it’s not hard to see the impact it makes. The fact that we can now offer our customers the most cost-effective option of simulating millions of concurrent users with real application traffic (plus security attacks and fuzzing, of course) means that they can now validate their LTE network configurations at scale before going live. This is something they simply could not have done before.
For more information, please visit www.breakingpoint.com/lte
Mobile Transport Evolution with Unified MPLS - Cisco Canada
Mobile Service Providers are seeing unprecedented challenges in relation to their Transport architectures with the 3GPP evolution towards IP based Node Bs, LTE (Long Term Evolution) and LTE-Advanced. This presentation will initially discuss the network migration trends and factors that are changing how mobile networks are evolving. A description is provided of Unified MPLS, the current issues that need to be fixed, and how this architecture addresses them. A more detailed analysis will then examine the options available for transporting GSM/2G, UMTS/3G traffic and IP/Ethernet Node B deployments and some of the factors that need consideration, like scalability, resiliency and security. Finally, there is a detailed description of the LTE/LTE-A evolution and the feature requirements made on the transport network. There will be detailed analysis of different LTE models and also some technical enhancements and proposals considered for the implementation of LTE in a Unified MPLS environment.
Philippe Langlois - LTE Pwnage - P1security - P1Security
Today, we’re entering the realm of LTE super high speed always-on connectivity and with that comes the victory of TCP/IP in front of the old ITU/3GPP protocols. And with this comes many side effects: software gets standardized, everything runs on top of ATCA (Advanced Telecom Computing Architecture) hardware running mostly Linux - give or take 6 or 8 proprietary FPGA-based sister cards, TFTP-booted with decade old VxWorks that routinely show hardcoded DES credentials and funny “behaviour”. Easily 20 GB of fat C++ binaries, some for x86, PPC, MIPS, some with up to 200 Mbytes file sizes for one single EXE! It’s called a vulnerability research and reverse engineering paradise… or hell.
All the protocols now run on top of IP, which ends up having 12 layers thanks to encapsulation and still the weight of legacy in bugs quantity and diversity. We’ll see how the porting of SS7 MAP on top of IP (SIGTRAN, Diameter) has given rise to funny Denial of Service (DoS) attacks against telecom core elements (DSR, STP), with trashy-crashy anti-forensics consequences for DPI and tracking (Hey @grugq!!).
We’ll look into specific vulnerabilities, and talk about the very particular way that Network Equipment Vendors deal with security in the telecom domain.
We will demo a virtualized Huawei HSS from our testbed and show some of the vulnerabilities and attacks directly on the equipment itself. We will finally talk about telco equipment and product security reviews and the fallacy of (some) certification and (many) standardization attempts. We will then see how to conduct a practical and fast telecom product security life cycle with automation and open source tools.
SGSN - Serving GPRS Support Node - Platform - HW, SW and CLI - Mustafa Golam
This presentation contains introductory to intermediate topics on Ericsson MKVI SGSNs, with great detail on HW, SW and platform-specific CLI. It can be relevant for introductory to advanced levels of knowledge in SGSN.
Tutorial about MPLS implementation with Cisco routers. This first of two chapters discusses what MPLS is, network design, P, PE and CE router descriptions, a case study of IP MPLS implementation, and IP and OSPF routing configuration.
Many network operators still struggle with which type of data-plane encoding they should use for segment routing. The world is hyper-connected and we can’t afford to be late to deliver 5G. Using IPv4, IPv6 and MPLS data-plane encoding keeps us moving forward.
Segment routing is a network technology focused on addressing the pain points of existing IP and Multiprotocol Label Switching (MPLS) networks in terms of simplicity, scale, and ease of operation. It’s a foundation for application engineered routing because it prepares the networks for new business models where applications can direct network behavior.
Segment routing seeks the right balance between distributed intelligence and centralized optimization and programming. It was built for the software-defined networking (SDN) era.
Segment routing enables enhanced packet forwarding behavior. It enables a network to transport unicast packets through a specific forwarding path, other than the normal shortest path that a packet usually takes. This capability benefits many use cases, and you can build those specific paths based on application requirements.
Segment routing uses the source routing paradigm. A node, usually a router but it can also be a switch, a trusted server, or a virtual forwarder running on a hypervisor, steers a packet through an ordered list of instructions, called segments. A segment can represent any instruction, topological or service-based. A segment can have a local semantic to a segment-routing node or global within a segment-routing network. Segment routing allows you to enforce a flow through any topological path and service chain while maintaining per-flow state only at the ingress node to the segment-routing network. To be aligned with modern IP networks, segment routing supports equal-cost multipath (ECMP) by design, and the forwarding within a segment-routing network uses all possible paths, when desired.
Convergence of digital information was initiated a couple of decades ago. Practically all networks now utilise Internet Protocol. However, network, application, and content management vary by the nature of service types: IMS, SDP, IPTV, etc. Should another convergence be arranged to unify the management of the entire network for optimal results?
Sao Paulo Multi-network Event 2012 - Verimatrix - Verimatrix
Presentation by Steve Christian, Verimatrix, on Aug 1, 2012. The Multi‑network Solutions in the Real World Forum with focus on Latin America took place in Sao Paulo on August 1st, in parallel with the ABTA show. An expert panel specializing in multi‑network video provided insights and case studies demonstrating how operators are addressing the new opportunities, challenges and solutions for video delivery over combinations of managed and unmanaged networks.
How to implement smart networks to unlock more profit - Ericsson
Traffic Management - How to implement Smart Networks to unlock more profit
Speaker Francois Lemarchand, Director, IP Strategies
Presentation from the Broadband World Forum, Amsterdam, 2012
An SDN Based Approach To Measuring And Optimizing ABR Video Quality Of Experi... - Cisco Service Provider
Reprinted with permission of NCTA, from the 2014 Cable Connection Spring Technical Forum Conference Proceedings. For more information on Cisco video solutions, visit: http://www.cisco.com/c/en/us/products/video/index.html
Faced with the dual threats of rising operating costs and declining revenues, network service providers are increasingly turning to network functions virtualization (NFV) to help them keep up with constantly changing market conditions.
In a virtualized Telco environment, service providers can deploy and deliver new network functions, services and capacity on demand—reducing normal rollout time from months and weeks to just hours.
Leveraging the principles of cloud computing, network service providers can deliver a level of responsiveness never before available, easily scaling capacity up or down to meet the evolving needs of their subscribers.
The result is a highly agile system that allows new revenue-generating services to be quickly developed, exhaustively tested and selectively rolled out to targeted groups in a fraction of the time and at a much lower cost than previously thought possible.
In this session, the speaker will present what the solution from Juniper Networks looks like and how service providers can deploy it to improve their agility in delivering services to their customers.
PPT by Jose Recio presented at IMTC 2025 Forum, during the Triple Play in the living room panel.
This presentation explains how, using currently available JavaScript frameworks for TV widgets or STB apps, you can create a view of a more complex Rich Communication Suite client in a shared platform in the cloud, making a real triple play feasible and delivering a common experience for enhanced messaging and UC on the TV screen as well.
4. Evolution in SP Network Architectures
Diverged “per Service” Networks
Converged “All in One” Networks
• Increased revenue by decreasing cost of managing and maintaining multiple networks
Converged “User Centric” Networks
• Increased overall revenue by increasing revenue per user
• Customized services
• Rapid deployment of new services based on market trends
• Subscriber Self Subscription and Self Care
5. The New User Experience – Cisco ISG
Enabling the Next Wave of Broadband
Add Subscribers
• Register
• Log in
Add Services
• Pay As You Go! (Buy credit)
• Pay What You Use! (Buy)
• Broadband Light (Buy: $19.99)
• Broadband Basic (Buy: $29.99)
• Broadband Premium (Buy: $39.99)
Add Value
• Branded VoD ($4.99/movie)
• Branded TV ($29.99)
• Branded Phone ($15.99 + LD)
6. The elements of customization
Identity
• Subscriber identified using multiple dimensions. Identity gathered:
– From multiple sources and events
– Over session lifecycle
Differentiated Services
• Different Services and Rules applied based on:
– Who subscriber is
– Where he is
– What he requires
Dynamic Service Management
• Services and Rules updated based on:
– How subscriber behaves
– What he requires NOW
[Diagram labels: Intelligent Services Gateway; Subscriber Sessions; Subscriber Services; Session creation/authentication; Dynamic Policy Push and Pull]
7. Building the Identity and Assigning Services
Example subscriber: BHAVANI
ISG Subscriber Session at each stage:
• T0, DHCP Exchange Starts: MAC Addr: 00:DE:34:F1:C0:28; IP Addr: ?; Username: ?; Service: DEFAULT_SRV
• T1, DHCP Exchange Completes(*): MAC Addr: 00:DE:34:F1:C0:28; IP Addr: 10.1.1.211; Username: ?; Service: DEFAULT_SRV
• T2, Subscriber Authentication(*): MAC Addr: 00:DE:34:F1:C0:28; IP Addr: 10.1.1.211; Username: Bhavani; Service: PPU_SRV
• TN, Dynamic Service Update: MAC Addr: 00:DE:34:F1:C0:28; IP Addr: 10.1.1.211; Username: Bhavani; Service: PREMIUM_FR_SRV
Services:
• DEFAULT_SRV: Only permits management traffic through the session
• PPU_SRV: Pay Per Use Service:
– Permits all traffic
– 512K/1Mbps US/DS
– Accounting enabled on session
• PREMIUM_FR_SRV: Flat Rate Premium Data Service:
– Permits all traffic
– 1M/8Mbps US/DS
(*) Order of operations not representative of a real call flow
8. Access Technology Abstraction
Subscriber-centric services regardless of:
• Access Technology
• Access Protocol
Access Technology:
• Legacy DSL/ATM
• Metro Ethernet, Wireless LAN, Cable
Access Protocol:
• IP
• PPP
[Diagram labels: DSL; DSLAM; ATM/Ethernet Switch; Cable; CMTS; 802.11 or 802.16; Ethernet; Access; Distribution; BRAS/BNG; Walled Garden; Open Garden]
9. PPP to IP Migration
Key Requirement: Subscriber Access Detection
• There are 3 subscribers connected through G0/1.10. Subscribers are John, Mike and Ted.
• Goal: Create a per subscriber construct over a shared interface (“subscriber session”)
Key Requirement: Subscriber authentication and authorization
• John and Mike are HSI users, Ted is VoIP user
• Goal: Uniquely establish subscriber identity and determine services and service levels per subscriber
Key Requirement: Subscriber address management
• Subscribers addresses should be: 10.1.1.10 John, 10.1.1.20 Mike, 10.1.1.30 Ted
• Goal: Assign a unique IP address to each subscriber based on provider domain
10. What is ISG?
• Cisco Intelligent Services Gateway (ISG) is a licensed feature set on Cisco IOS that provides Session Management and Policy Management services to a variety of access networks
• Addresses PPPoE to IPoE migration while maintaining all subscriber management functions
• So focal, that the entire device is often referred as an: Intelligent Services Gateway router or simply “The ISG”
[Diagram labels: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server, …); Open Northbound Interfaces; Policy Management and Enforcement; Subscriber Identity Management; ISG]
12. ISG’s place in the network
• Deployed at access or service edge
• Communicates with other devices to control all aspects of subscriber access in network
• Single point of contact
Subscriber Identification, based on:
- who he is,
- where he is,
- how he behaves
- what he requires
Subscriber Authentication:
- PPP CHAP/PAP
- Transparent Auto Logon (TAL)
- Web Logon
- RADIUS
Subscriber Services Determination and Enforcement
Dynamic Service update
Session Lifecycle Management: establishment, configuration and tear down
[Diagram labels: AAA; Policy; Portal; DHCP; Aggregation; Internet/Core]
13. ISG’s Subscriber Policy Layer
AAA Server
• Subscriber Authentication
• Subscriber Authorization: User and Service Profile Repository
• Per access and Per Service Accounting
• Front-end toward billing system
Policy Server
• Dynamic Policy Push (Application Level Trigger)
Web Portal
• Front end toward the subscriber for:
– Self Subscription
– Web Logon
– Service Selection (Application Level Trigger)
DHCP Server
• Hand over of addresses to subscribers
• Class-based address handover for ISG driven address pool selection
Note: AAA Server, Policy Server, Web Portal can co-reside in the sample appliance
[Diagram labels: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal; Video/Audio Servers; Open Garden; Walled Garden]
14. ISG’s Dynamic Policy Activation
• Dynamic Policy Pull (e.g. Automatic Service-Profile Download on Session Establishment)
• Dynamic Policy Push (e.g. “Turbo Button”): Application/Service Layer event
[Diagram labels, shown for both cases: Subscriber Policy Layer (DHCP Server, Web Portal, Policy Server, AAA Server); Network Layer Event; Guest Portal; Open Garden; Walled Garden]
15. ISG’s Northbound Interfaces
• Policy PULL: RADIUS Interface, for subscriber AAA functionalities and service download
• Policy PUSH: RADIUS Extensions (RFC 3576) and XML based (SGI(*)) Open Interfaces, for dynamic, administrator or subscriber driven, session and service management functions
(*) SGI: Services Gateway Interface
[Diagram labels: Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal; Video/Audio Servers; Open Garden; Walled Garden]
16. The Subscriber Session in ISG
• Construct within Cisco IOS that represents a subscriber
– subscriber: billable entity and/or an entity that should be authenticated/authorized
• Common context on which services are activated
• Created at first sign of peer activity (FSOL = First Sign Of Life)
[Diagram labels: Subscriber 1, Subscriber 2, Subscriber 3, each with its own session; Subscriber Policy Layer (AAA Server, Policy Server, Web Portal, DHCP Server); Internet/Core; Guest Portal; Video/Audio Servers; Open Garden; Walled Garden]
17. Dynamic Session Initiation
• ISG sessions are initiated at the First Sign of Life (FSOL)
• FSOL depends on the Session Type
PPP Sessions - FSOL
• PPP Call Request (LCP)
IP Sessions - FSOL (.... there are options .....)
• Unclassified MAC or IP Data Traffic
– IP packet with unknown MAC or IP source address
– Use MAC for L2-connected IP sessions
– Use IP for routed IP sessions
• DHCP Discover
– DHCP Discover message
– ISG must be DHCP Relay or Server
• RADIUS Access/Accnt Start
– RADIUS Access Request OR Accounting Start
– ISG must be a Radius Proxy
– Typically used in PWLAN and WiMAX environments
[Diagram labels: Wireless Client; AP; RADIUS]
18. Session Authentication
Authentication: Allow Access to Network Resources Only to Recognized Users
Authentication models supported:
• Access Protocol Native Authentication:
– PPP: CHAP/PAP
– IP: EAP for wireless client
– DHCP Authentication
• Transparent Auto Logon (TAL):
– Authenticates using subscriber related network identifiers
– e.g. MAC/IP address, DHCP Option 82, PPPoE Tags...
• Web Logon
Authentication Is Not Mandatory on a Session, but Used in Most Situations
19. ISG’s Subscriber Authentication - IP sessions
IP – common scenarios
Web Logon
• User traffic redirected to Web Portal to enter credentials
• User Credentials propagated to ISG
• ISG uses credentials to authenticate user with AAA server
• Applicable to all session types
[Diagram: Data Traffic; redirection; Web Portal; AAA Server; RADIUS Username: WebLogon Username]
TAL: Option82 Auth
• Access Switch inserts Option82 Circuit and Remote ID in DHCP Requests
• ISG performs authentication using a combination of Circuit and RemoteID
• ISG session must be DHCP initiated
[Diagram: DHCP exchange; Access SW inserts Option 82 CircuitID/RemoteID; AAA Server; RADIUS Username: MAC/RemoteID:CircuitID]
EAP Auth
• User starts EAP authentication with Access Point (AP)
• ISG impersonates RADIUS server toward AP, and RADIUS client toward real server
• ISG learns session authentication status by proxying RADIUS messages betw/ real RADIUS client and Server
• ISG session must be RADIUS initiated
[Diagram: Wireless Client; AP; EAP; RADIUS (EAP based auth); AAA Server; RADIUS Username: EAP username]
TAL: IP/MAC
• ISG performs authentication using identifiers from subscriber traffic (source IP/MAC)
• Typically used in topologies w/ L2 connected subscribers to support clients w/ static IP address or in IP-routed topologies
[Diagram: Data Traffic; AAA Server; RADIUS Username: MAC or IP]
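The Option 82 TAL scenario above keys authentication on the Circuit ID and Remote ID that the access switch inserts, so whatever extracts them has to reject malformed input rather than guess. The following is an added example, not code from the presentation or from Cisco's implementation: it parses the RFC 3046 sub-options strictly; the hex `RemoteID:CircuitID` username layout, the function names and the sample bytes are assumptions.

```python
"""Strict DHCP Option 82 (RFC 3046) parsing for a TAL identity (added example)."""

CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 sub-option codes


class Option82Error(ValueError):
    """Malformed or incomplete relay agent information."""


def parse_option82(payload: bytes) -> dict:
    """Split the Option 82 payload into {sub-option code: value bytes}."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise Option82Error("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise Option82Error(f"sub-option {code} overruns the option")
        if code in subopts:
            # Two values for one code would let the logged and the
            # authenticated identity differ, so refuse instead of picking one.
            raise Option82Error(f"duplicate sub-option {code}")
        subopts[code] = value
        i += 2 + length
    return subopts


def tal_username(payload: bytes) -> str:
    """Return 'RemoteID:CircuitID' in hex (assumed layout) or raise."""
    subopts = parse_option82(payload)
    remote, circuit = subopts.get(REMOTE_ID), subopts.get(CIRCUIT_ID)
    if not remote or not circuit:
        raise Option82Error("Circuit ID and Remote ID are both required")
    # Both IDs are opaque bytes; hex keeps ':' unambiguous as the separator.
    return f"{remote.hex()}:{circuit.hex()}"


# Constructed sample: Circuit ID 00 04 00 0a 01 02, Remote ID 00 1b 54 aa bb cc
SAMPLE = bytes.fromhex("0106" "0004000a0102" "0206" "001b54aabbcc")

if __name__ == "__main__":
    print(tal_username(SAMPLE))
    for bad in (SAMPLE[:-1], SAMPLE[:8], SAMPLE + SAMPLE[:8]):
        try:
            tal_username(bad)
        except Option82Error as err:
            print("rejected:", err)
```

The derived identity is only as trustworthy as the access switch that inserts the option, which is why the slide ties this model to DHCP-initiated sessions behind a switch that adds Option 82 itself.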
20. Session Termination
[Diagram: ISG Session; Web Portal; Policy Manager; RADIUS; Wireless Client; AP; EAP; Keepalive failure]
IP and PPP Sessions
• Idle and Absolute Timeouts/Timer Expiry
• Web Logoff
• RADIUS CoA Account-Logoff
PPP Sessions Exclusively
• PPP and PPPoX protocol events: ppp disconnect; ppp keepalives or L2TP hellos failure
IP Sessions Exclusively
• ICMP/ARP keepalive failure
– ICMP Keepalives used for routed sessions
– ARP keepalives used for l2-connected sessions
• DHCP lease expiry OR DHCP Release (DHCP initiated sessions only)
• RADIUS Accounting Stop (RADIUS initiated sessions only)
RADIUS PoD (Packet Of Disconnect) [Diagram: Policy Manager; RADIUS PoD]
21. ISG Services
• Service: A collection of features that are applicable on a subscriber session
Service = {feat.1, feat.2,...,feat.n}
Features:
• Session Administration
– Portbundle (PBHK)
– Keepalives: ICMP and ARP based
– Timeouts: Idle, Absolute
• Traffic Conditioning
– QoS: Policing, MQC
– Security: Per User ACLs
• Traffic Forwarding Control
– Subscriber Address Assignment Control
– Redirection: Initial, Permanent, Periodic
– VRF assignment: Initial, Transfer
– L2TP assignment
  (Associated to Primary Services)
• Traffic Accounting
– PostPaid
– Prepaid: Time/Volume based
– Tariff Switching
– Interim
– Broadcast
Primary Service: Contains one “traffic forwarding” feature and optionally other features; only one primary service can be active on a session
22. ISG Feature Granularity
[Diagram: SubscriberX Data; Subscriber Session; Classification; ACL to TC1, TC2, TC3 (Flow); Session Features; Features grouped in Services]
• ISG Classification resembles Modular QoS CLI (MQC)
• IP ACLs (standard or extended) are used to create differential flows (Traffic Classes)
• Each Traffic Class can have a different set of features applied
• A Traffic Class and its associated features are also referred to as a TC service
• A Default TC can be used to drop traffic that could not be classified
23. Defining Services
AAA Server
• Services defined in Service Profiles
• Standard and Vendor Specific RADIUS attributes used
• On demand download on a need basis
(1) Premium HSI service should be activated on the session; no definition yet available
(2) RADIUS Access-request (Username: Premium_HSI, Password: <service pwd>)
(3) RADIUS Access-accept (Features associated w/ service)
(4) Service Activated on session; Service Stored in local cache while in use by at least 1 session
Policy Manager (supporting the SGI Interface)
• Services defined in XML
• Pre-download of all existing services
• Definition of all existing Services typically pre-downloaded on Box
(1) SGI Request
(2) SGI Response (Premium, Standard, Basic HSI service definitions)
(3) Services permanently stored in local database
ISG
• Services pre-configured using CLI
• Services defined on Service Policies: policy-map type service <name>
• Services permanently stored in local database
24. How Services Are Activated on a Session?
During Subscriber Authentication/Authorization
• Subscriber is successfully authenticated
• RADIUS Response includes Services and Features to activate on Session (from UserProfile)
[Diagram: Subscriber; RADIUS Acc-req / Acc-accept; DHCP Server; Web Portal / Policy Server; AAA Server]
Via an External Policy Manager/Web Portal
• Service Activation request sent by External Policy Managers via a RADIUS CoA or a SGI Request message
[Diagram: Subscriber; RADIUS CoA or SGI Request; DHCP Server; Web Portal / Policy Server; AAA Server]
Via the On-Box Policy Manager
• Policy Plane determines what actions to take on session based on events; actions *include* applying a service
• Control Plane ensures actions are taken, i.e. provisions the data plane
• Data Plane enforces traffic conditioning policies to the session
[Diagram: Administrator; Subscriber Policy Layer; from external PM; events; actions; from data plane; Policy plane; Control plane; Data plane]
26. Broadband Aggregation Architecture
[Diagram: Access; Aggregation; Edge; IP / MPLS Core. Labels: Residential; Business; Corporate; Mobile; Subscriber; WiFi Mesh; Access Node; Aggregation Network; MPLS/IP Network; BNG; ISG (SP-WiFi); MSE+BNG; ESE+BNG; LNS; Content Farm; VOD; TV; SIP; Mobile Core; GGSN; PDN GW; HA]
27. ASR1000 BNG/ISG
Deployment models – LAC/LNS/ISG
• Migration from Legacy Broadband networks – ATM & Ethernet
• Wholesale and Retail options
• Wireline and Wireless (WiFi) aggregation
Subscriber Services
• Subscriber auto provisioning
• Dynamic service creation
• IPv4 & IPv6-based services
Range of scale for small to Large networks
• Sub-4K to 64K sessions scale
• 5G to 40G (160G future)
• 128K queues
• 1RU to 13RU form-factor
HA & ISSU
• Stateful Intra-chassis redundancy
• In Service Software Upgrade
28. Why ASR1000 for BNG/ISG?
Feature richness & services support
• Prepaid services, Per subscriber Firewall, Portal integration for self-provisioning, Policy server solutions, Services accounting within a session, Integrated DPI (by mid-CY11) etc
IPv6 Subscriber Support:
• Dual-stack subscribers (PPPoE now and IPoE by mid-CY11)
• IPv6 native sessions with ISG
• IPv6 subscribers tunneled in L2TP
IPv4 Address Exhaust solutions
• NAT44 - maximum of 2M NAT sessions
• NAT64 - stateless model now and stateful NAT64 by mid-CY11
• 6RD - IPv6 Rapid Deployment tunneling model
SP WiFi Aggregation
• LNS - aggregating the hotspots
• ISG - Managing individual subscriber authentication, services, billing etc
• NAT - Providing translation for private IPv4 address to public
Legacy Broadband Migration options
• PPPoEoA
• PPPoA
• RBE
Wholesale Broadband Deployment
• LNS
• PW based backhaul
• RA-MPLS
High Availability and ISSU
• HA for PPP, L2TP, AAA
• HA for IPoE and TCs
29. ASR1k in SP Wi-Fi - Today
[Diagram: HLR, OCS, PCRF, CGF; DHCP, AAA, Portal; Gy, Gx, Ga; Mobile Home Network Policy; Access Network Policy; AP; WLC; L2 Connected; L2 Switch; AZR; L3; L3 Connected; ASR1K ISG; VLAN; AP/CPE; Tunnel (L2TP); LAC; LNS; Internet; Residential WiFi]
Features & Scale – (IOS XE 3.6S)
• IPoE Sessions: DHCP initiated, unclassified IP or MAC-address initiator, Radius-Proxy initiator
• L4 Redirect
• Traffic Classes
• Postpaid & Prepaid Accounting
• Dynamic Rate Limiting
• LI
• Radius CoA Interface
• Per-User ACLs
• IP Session Keep-alives, timeouts
• VRF Transfer
• Port Bundle Host Key (PBHK)
• Stateful inter-chassis redundancy with HSRP
• Max scale: 32k Sessions with ESP40/RP2
30. SP Wi-Fi Target Architecture
[Diagram: HLR, OCS, PCRF, CGF; DHCP, AAA, Portal; Gy, Gx, Ga; Mobile Home Network Policy; Access Network Policy; AP; WLC; L2 Connected; L2 Switch; AZR; L3; L3 Connected; ASR1K IWAG; LMA/sGRE agg; MAG/sGRE Initiator; AP/CPE; GTP; Gn’; 4G Core PGW/LMA; 3G Core GGSN; Internet; Residential WiFi]
Target Scale: 128k sessions
31. ASR1000 iWAG – Phase 1: IOS XE 3.8S
[Diagram: HLR, OCS, PCRF, CGF; DHCP, AAA, Portal; Gy, Gx, Ga; Mobile Home Network Policy; Access Network Policy; AP; WLC; L2 Connected; ASR1K IWAG; GTP; Gn’; 4G Core PGW/LMA; 3G Core GGSN; Internet]
Features:
• L2 Access & AAA Policy
1. EAP - FSOL: Radius Proxy/DHCP
2. TAL - FSOL: Unclassified MAC
3. Web Logon - FSOL: DHCP
• GGSN/LMA selection via AAA attribute
• Overlapping MNO address support with multiple SSID
Scale:
• 32k authenticated
33. ASR 9000 System Portfolio
One Edge System to meet all of your needs
• 240G Line Cards
• From 512K to 2M MACs learned in Hardware
• From 1.3M to 4M IPv4 prefixes
• From 512k to 2M IPv6 prefixes
• Hyper-Intelligent
• Video buffering for lossless multicast
• In-line video monitoring
• Integrated G.709
• SyncE / IEEE 1588-2008 PTP timing
• Tunneling services optimized
ASR 9001 | ASR 9006 | ASR 9010 | ASR 9922
2 RU | 6 slots (¼ rack) | 10 slots (½ rack) | 22 slots (full rack)
LC / Chassis: 2 IO Slots | 4 LC + 2 RSP | 8 LC + 2 RSP | 20 LC
Max Bandwidth / Slot (three values given): 440G | 440G | 1.2TB
BW / Chassis: 240 Gb | 3.2 Tb | 6.4 Tb | 48 Tb
Double your system capacity by upgrading any ASR 9000 product to an ASR 9000 nV System
37. BNG and CGN NAT44 on ISM
[Diagram: Private IPv4 Subscribers; ingress LC; Inside VRF; AppSVI; ISM; AppSVI; Outside VRF; egress LC; Interface VLAN; Public IPv4]
• CGN supported at full session scale
• Subscriber session traffic sent to ISM through VRF mapping or ABF
• ISM performs translation and forward packet into outside VRF
• Translated subscriber’s traffic forwarded on interface in outside VRF
Compliant with standard NAT behaviors (RFC4787, RFC5382, RFC5508)
38. ASR 9000 nV (Network Virtualization) Technology
Simplify operations & scale
ASR 9000 “nV System”
[Diagram: ASR 9000; Cloud; nV; Network; nV Client; ASR 9000v; ASR 9000v]
• Simplify Operations: Reduce overall TCO; Integrated A to Z Management
• Multi-dimensional Scale: System and services scale
• Increased Service Velocity: Quickly deploy new services
40. Creating an ASR 9000 Virtual System with nV Technology
Enables a self protected, self managed ASR 9000 virtualized system
[Diagram: Third-Party Services/Content; Core; Edge; Aggregation; Access; ASR 9K Series; chassis 0 and 1, each with Active and Standby RSP and LCs; Control plane; Remote Data plane; Virtualized Control & Data Plane; Inter-chassis Connections]
• Remote nodes are viewed as linecards and remote platforms are discovered automatically.
• Remote nodes are provisioned by the host.
• Software images for remote nodes can be upgraded automatically and features are in sync.
• A self-managed access is created allowing scale to be decoupled from a single platform.
• Virtualized control plane achieved via EOBC between RSP’s provides hitless outage upon node failure.
• Virtualized data plane achieved through linecard inter-chassis connections.
• A self-protected virtual chassis is created doubling the system capacity.
47. ISG’s Subscriber Identification
[Diagram: AAA; Policy; Portal; DHCP; Aggregation; Internet/Core]
A construct in Cisco IOS that represents subscriber
ISG subscriber session: created at First Sign Of Life (FSOL)
N:1 relationship between session and interface
FSOL by session type:
• PPP Sessions: PPP call request
• IP Session:
– Received Packet w/ unknown IP or MAC source address: IP or MAC initiated IP session
– DHCP Discover: DHCP initiated IP session
– RADIUS Request: RADIUS initiated IP session