
Netmanias Technical Document: Backhaul Network Design for TPS & VPN Service

www.nmcgroups.com

Backhaul Network Design for TPS & VPN Service

January 9, 2009

NMC Consulting Group (tech@netmanias.com)


www.netmanias.com
www.nmcgroups.com

About NMC Consulting Group

NMC Consulting Group has been an advanced and professional network consulting company since 2002, specializing in IP network areas (e.g., FTTH, Metro Ethernet and IP/MPLS), service areas (e.g., IPTV, IMS and CDN), and wireless network areas (e.g., Mobile WiMAX, LTE and Wi-Fi).
Copyright 2002-2013 NMC Consulting Group. All rights reserved.


Table of Contents

1. Network Requirements
2. Network Architecture: Topology Design
   2.1 Aggregation Network for Towers
   2.2 Aggregation Network for Villas
3. Logical Architecture for Residential Services and Business Services
   3.1 Backhaul Connectivity Design for Residential TPS Services
   3.2 Backhaul Connectivity Design for Business VPN Services
4. Network Availability
5. Scalability
6. QoS Design
   6.1 QoS for Residential TPS Service
   6.2 QoS for Business VPN Service
7. Multicast
8. Security
   8.1 Security: Data Plane
   8.2 Security: Control Plane & Management Plane
9. Easy Touch Provisioning
10. Element & Network Management System



1. Network Requirements

[Figure: requirements overview. Two NOCs (NOC-1 and NOC-2), each with a BRAS/PE attached to the backbone; the site counts shown on the slide are #33 (=17+16), #39, #15, #16, #2 and #1.]

- Number of subscribers: residential and business
- Access technology: FTTH (AON)
- Residential TPS service: Internet (up to 1Gbps for each tenant), IP-TV/VoD (HDTV), VoIP
- Business VPN services: MPLS L3 VPN, MPLS L2 VPN (P2P: VPWS), VPLS
- Scalability
- QoS
- Multicast for IP-TV
- Integration with existing broadband network (MPLS)
- Easy Touch Provisioning


2. Network Architecture

[Figure: end-to-end topology. Tenant RG (1GE) -> AN -> AS at the tower MDF -> DS(L2) in NOC-1 and NOC-2 -> BRAS/PE -> P Router -> existing MPLS core. Link speeds labelled on the slide: 1GE, 8xGE, 10GE, 2x10GE; 20 tenants shown per tower.]

Legend: RG (Residential Gateway), AN (Access Node), AS (Access Switch), DS (Distribution Switch), BRAS

Role of BRAS: BRAS, MPLS PE, SSG

Protocol interworking with the backbone network:
- IGP: OSPF or IS-IS
- IGP TE: OSPF TE or IS-IS TE
- MPLS: LDP, RSVP-TE, MP-iBGP, VPWS, VPLS

Role of AS and DS: L2 Ethernet aggregation
- QinQ (for Residential TPS) termination: BRAS
- QinQ (for Enterprise VPN) termination: BRAS (PE)
- Subscriber MAC frame broadcasting: not into the existing IP/MPLS backbone

Traffic path: all traffic (Internet, VoIP, VoD, Multicast, Enterprise VPN) passes through the BRAS/PE

Network Architecture: Aggregation Network for Towers

[Figure: tower (high-rise building) aggregation. Tenants 1 to 20 with RGs in homes and businesses -> 1GE direct fiber to the AN -> AS, with AN and AS distributed at each apartment MDF (4xGE 1000Base-TX, 8xGE) -> 10GE uplinks to the DS in NOC-1 and NOC-2 -> BRAS/PE -> P Router -> existing MPLS core (2x10GE, 10GE).]

- Direct fiber access to individual subscribers (dedicated 1 Gbps bandwidth per user)
- Co-existence of residential and business subscribers
- DS and BRAS in NOC-1 and NOC-2
- One AS is connected to two NOCs (dual homing) for protection
- AN and AS are distributed at each apartment MDF
- RG in home and business

Legend: RG (Residential Gateway), AN (Access Node), AS (Access Switch), DS (Distribution Switch); link types: 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX)

Aggregation Network for Villas

[Figure: villa aggregation. RG in each home -> 1GE direct fiber to the AN; AN and AS are centralized at NOC-1 (4xGE (T), 8xGE) -> 10GE to the DS in NOC-1 and NOC-2 -> BRAS/PE -> P Router -> existing MPLS core (2x10GE, 10GE).]

- Direct fiber access to individual subscribers (dedicated bandwidth per user)
- AN and AS are centralized at NOC-1
- One AS is connected to two NOCs (dual homing) for protection

Legend: RG (Residential Gateway), AN (Access Node), AS (Access Switch), DS (Distribution Switch); link types: 10GE, 1 GE (1000Base-TX), 1 GE (1000Base-FX)

3. Logical Architecture for Residential Services and Business Services

[Figure: logical connectivity from the CPE through AN, AS and DS to the BRAS/PE and on to PE/BR, PE/SAR, PE2 and PE3 across the IP/MPLS backbone; EAPS protects the AS-DS ring.]

Residential services (DHCP-addressed, one C-VID per service, S-VID = AN):
- Residential Internet access: C-VID=Internet(5); Residential Internet VLAN (C-VID=Internet, S-VID=AN) -> per-service VRF (Internet) -> MPLS L3 Internet VPN (LSP to BR, and LSP to PE: P2P)
- Residential Voice: C-VID=Voice(3); Residential Voice VLAN (C-VID=Voice, S-VID=AN) -> per-service VRF (Voice) -> MPLS L3 Voice VPN (LSP to SAR, and LSP to PE: Data)
- Residential Video: C-VID=Video(4); Residential Video VLAN (C-VID=Video, S-VID=AN) -> per-service VRF (Video) -> MPLS L3 Video VPN (LSP to SAR)

Enterprise services (one S-VID per enterprise):
- Enterprise A: Internet access, static/public subnet; Per-Enterprise VLAN (C-VID=Ent. A, S-VID=Ent. A) -> VRF
- Enterprise B: L3 VPN, private addressing and routing; Per-Enterprise VLAN (C-VID=Ent. B, S-VID=Ent. B) -> VRF -> MPLS L3 VPN (LSP to PE 2, LSP to PE 3)
- Enterprise C: L2 VPN (PtP: EoMPLS), private addressing and routing; Per-Enterprise VLAN (C-VID=Private Use, S-VID=Ent. C) -> VSI -> MPLS L2 VPN (VPWS)
- Enterprise D: L2 VPN (PtMP: VPLS), private addressing and routing; Per-Enterprise VLAN (C-VID=Private Use, S-VID=Ent. D) -> VSI -> MPLS L2 VPN (LSP to PE 2, LSP to PE 3)

SAR: Service Access Router (PE router located at the Head End)

Supported Standards (MPLS PE)

- RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
- RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006
- RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
- RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
- RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006

3.1 Residential TPS Service

[Figure: residential TPS backhaul. RG (802.1Q per-service VLAN: Voice, Video, Data) -> AN (per-AN QinQ encapsulation, DHCP Option 82, private VLAN (N:1 VLAN), AN ID) -> AS/DS (802.1ad bridging on the outer VLAN) -> BRAS/PE (per-service VRF: Voice VPN, Video VPN, Data VPN) -> IP/MPLS backbone (per-service MPLS L3 VPN). Tower A and Tower B each carry several residential subscribers (A to F) that share one N:1 VLAN per service at the NOC. Layer 2 (Ethernet) from RG to BRAS/PE, Layer 3 (IP/MPLS) beyond.]

802.1ad (QinQ): S-VID = per-AN VLAN, C-VID = per-service VLAN

Residential TPS Service

Service separation: in the backhaul, by per-service VLAN (N:1 VLAN); inside the BRAS, by VRF (each VRF has its own interfaces and route information).

User isolation: split-horizon forwarding (private VLAN) on the AN prohibits hair-pinning between subscribers.

L2 scalability issues:
- The broadcast domain is reduced by per-AN QinQ.
- MAC learning at the DS: 224K MAC addresses supported by the DS >> 15K subscribers x 4 services = 60K.
- The configuration of every RG is the same; only the QinQ (S-VID) value of the AN differs.

IP address management: public IP addresses for Internet access, private IP addresses for walled-garden services (VoD, IP-TV, VoIP).

DHCP Option 82 at the AN (per-service VLAN ID, port ID, AN ID): subscriber identification, subscriber location, per-service IP address allocation.
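An added example (not part of the Netmanias document) of the Option 82 handling just described: the AN builds the relay agent information option, and the BRAS decodes it to identify the subscriber's AN, port and service and to select the per-service address pool. The circuit-id layout, pool names and AN name are assumptions made for the example.

```python
# Added example (not from the document): DHCP Option 82 (Relay Agent
# Information, RFC 3046) as inserted by the AN and consumed by the BRAS.
# The circuit-id layout "<AN ID>:<port>:<C-VID>" is an ASSUMED encoding; the
# document only says Option 82 carries per-service VLAN ID, port ID and AN ID.

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2

# Per-service C-VIDs as given in section 3 (Voice=3, Video=4, Internet=5).
SERVICE_BY_CVID = {3: "voice", 4: "video", 5: "internet"}

# Assumed per-service pools: public for Internet, private for walled-garden.
POOL_BY_SERVICE = {
    "internet": "public-pool",
    "voice": "private-voice-pool",
    "video": "private-video-pool",
}


def build_option82(an_id: str, port: int, cvid: int, remote_id: bytes) -> bytes:
    """Build the Option 82 TLV the AN appends to the subscriber's DHCP message."""
    circuit_id = f"{an_id}:{port}:{cvid}".encode()
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(option: bytes) -> dict:
    """Decode Option 82 into its sub-options; raises ValueError on a malformed TLV."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT:
        raise ValueError("not a relay agent information option")
    length = option[1]
    body = option[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated option 82")
    subs = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        pos += 2 + sublen
    return subs


def identify_subscriber(option: bytes) -> dict:
    """Map the AN-inserted circuit-id to AN, port, service and address pool.

    The BRAS can trust these fields only because the AN, not the subscriber,
    inserts them; an Option 82 arriving from a user-facing port must be
    stripped or dropped (section 8.1: check the integrity of DHCP messages).
    """
    subs = parse_option82(option)
    if SUB_CIRCUIT_ID not in subs:
        raise ValueError("circuit-id missing: cannot locate subscriber")
    an_id, port, cvid = subs[SUB_CIRCUIT_ID].decode().split(":")
    service = SERVICE_BY_CVID.get(int(cvid))
    if service is None:
        raise ValueError(f"unknown per-service VLAN {cvid}")
    return {
        "an_id": an_id,
        "port": int(port),
        "cvid": int(cvid),
        "service": service,
        "pool": POOL_BY_SERVICE[service],
        "remote_id": subs.get(SUB_REMOTE_ID, b"").hex(),
    }


if __name__ == "__main__":
    # Constructed sample: AN "AN-T01", port 7, Internet C-VID 5, RG MAC as remote-id.
    opt = build_option82("AN-T01", 7, 5, bytes.fromhex("001122334455"))
    print(identify_subscriber(opt))
```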


3.2 Business VPN Service

[Figure: business VPN backhaul. RG/CE (802.1Q: per-enterprise VLAN, or private use by the enterprise) -> AN (per-enterprise QinQ encapsulation, Enterprise ID) -> AS/DS (802.1ad bridging on the outer VLAN, 1:1 VLAN) -> BRAS/PE (VRF for Ent-A and Ent-B L3 VPN; VSI for Ent-C and Ent-D L2 VPN (VPWS) and Ent-E L2 VPN (VPLS)) -> IP/MPLS backbone (per-enterprise MPLS L2/L3 VPN). Tower A holds enterprises A to D, Tower B enterprises E and F. Layer 2 (Ethernet) from RG/CE to BRAS/PE, Layer 2/3 beyond.]

802.1ad (QinQ): S-VID = per-enterprise VLAN, C-VID = per-enterprise VLAN (extension) or private use by the enterprise

Customer separation by per-enterprise VLAN (1:1 VLAN)

- A provisioning tool is needed for creating the per-enterprise VLANs
- IP address management: private IP addresses for the VPN service
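An added example (not from the document) that covers both the residential (3.1) and the enterprise (3.2) cases: parsing the 802.1ad frame that arrives at the BRAS/PE and resolving S-VID/C-VID to the per-service VRF or the per-enterprise VRF/VSI. The S-VID ranges, the enterprise table and the instance names are assumptions for the example.

```python
# Added example (not from the document): classifying a QinQ frame at the
# BRAS/PE. Residential: S-VID = per-AN VLAN, C-VID = per-service VLAN (Voice=3,
# Video=4, Internet=5), N:1. Enterprise: S-VID = per-enterprise VLAN (1:1),
# C-VID is the enterprise's own (private use). The VLAN plan below is ASSUMED.
import struct

ETH_P_8021AD = 0x88A8   # S-TAG TPID
ETH_P_8021Q = 0x8100    # C-TAG TPID
ETH_P_IP = 0x0800

SERVICE_CVID = {3: "voice", 4: "video", 5: "internet"}
# Assumed S-VID plan: 100-999 are AN IDs (residential), 1000-1999 enterprises.
RESIDENTIAL_SVIDS = range(100, 1000)
# Assumed enterprise table, keyed by S-VID: (enterprise, VPN type, instance).
ENTERPRISES = {
    1001: ("Ent-A", "l3vpn", "vrf-ent-a"),
    1400: ("Ent-C", "vpws", "vsi-ent-c"),
    1500: ("Ent-E", "vpls", "vsi-ent-e"),
}


def build_qinq_frame(dst, src, svid, cvid, payload, pcp=0):
    """Construct an Ethernet frame with S-TAG (0x88a8) and C-TAG (0x8100)."""
    stag = struct.pack("!HH", ETH_P_8021AD, (pcp << 13) | svid)
    ctag = struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | cvid)
    return dst + src + stag + ctag + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame):
    """Return (s_vid, c_vid, pcp, ethertype, payload); a missing tag gives None."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    pos = 12
    svid = cvid = None
    pcp = 0
    tpid = struct.unpack_from("!H", frame, pos)[0]
    if tpid == ETH_P_8021AD:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        svid, pcp = tci & 0x0FFF, tci >> 13
        pos += 4
        tpid = struct.unpack_from("!H", frame, pos)[0]
    if tpid == ETH_P_8021Q:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        cvid = tci & 0x0FFF
        if svid is None:
            pcp = tci >> 13
        pos += 4
        tpid = struct.unpack_from("!H", frame, pos)[0]
    return svid, cvid, pcp, tpid, frame[pos + 2:]


def classify(frame):
    """Decide the forwarding context for a frame arriving on the DS-facing port."""
    svid, cvid, pcp, _, _ = parse_tags(frame)
    if svid is None:
        # Everything from the AS/DS must be double-tagged; an untagged or
        # single-tagged frame indicates a mis-provisioned port and is dropped.
        return {"action": "drop", "reason": "missing S-TAG"}
    if svid in RESIDENTIAL_SVIDS:
        service = SERVICE_CVID.get(cvid)
        if service is None:
            return {"action": "drop", "reason": f"unknown service C-VID {cvid}"}
        return {"action": "forward", "type": "residential", "an_id": svid,
                "service": service, "instance": f"vrf-{service}", "pcp": pcp}
    ent = ENTERPRISES.get(svid)
    if ent is None:
        return {"action": "drop", "reason": f"unprovisioned S-VID {svid}"}
    name, vpn_type, instance = ent
    return {"action": "forward", "type": "enterprise", "enterprise": name,
            "vpn": vpn_type, "instance": instance, "cvid": cvid, "pcp": pcp}


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    # Constructed samples: residential voice from AN 120; enterprise C, C-VID 17.
    print(classify(build_qinq_frame(dst, src, 120, 3, b"\x45" + b"\x00" * 19, pcp=5)))
    print(classify(build_qinq_frame(dst, src, 1400, 17, b"\x45" + b"\x00" * 19)))
```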


MPLS L3 VPN

Point-to-point or point-to-multipoint L3 VPN

[Figure: CE1 at Site-1 and CE2 at Site-2 of VPN-A and VPN-B, each attached over the Metro Ethernet backhaul (per-enterprise VLAN, 1:1 VLAN: 802.1Q at the CE, 802.1ad in the backhaul) to a PE on the IP/MPLS backbone.]

Protocol layers between the PEs:
- VPN routing (BGP, OSPF, IS-IS, RIP, static) between CE and PE
- VPN route and label distribution (MP-iBGP)
- L3 VPN (vc-lsp)
- Tunnel signaling (LDP or RSVP-TE): LSP tunnel
- IGP (IS-IS or OSPF)

RFC 2547bis BGP/MPLS VPN


MPLS L2 VPN: VLL/VPWS/EoMPLS Service

Point-to-point transparent LAN service

[Figure: same site layout as the L3 VPN slide: CE1 and CE2 of VPN-A and VPN-B attached over the Metro Ethernet backhaul (per-enterprise VLAN, 1:1 VLAN: 802.1Q at the CE, 802.1ad in the backhaul) to PEs on the IP/MPLS backbone.]

Protocol layers between the PEs:
- PW signaling (Martini signaling/RFC 4447)
- PW (vc-lsp)
- Tunnel signaling (LDP or RSVP-TE): LSP tunnel
- IGP (IS-IS or OSPF)

RFC 4448 (Martini): Encapsulation Methods for Transport of Ethernet over MPLS Networks, April 2006
RFC 4447 (Martini): Pseudowire Setup and Maintenance Using LDP, April 2006


MPLS L2 VPN: VPLS Service

Point-to-multipoint transparent LAN service

[Figure: same site layout as the previous slides: CE1 and CE2 of VPN-A and VPN-B attached over the Metro Ethernet backhaul (per-enterprise VLAN, 1:1 VLAN: 802.1Q at the CE, 802.1ad in the backhaul) to PEs on the IP/MPLS backbone.]

Protocol layers between the PEs:
- PW signaling (Martini signaling/RFC 4762 or BGP/RFC 4761)
- VPLS (full-meshed PWs)
- Tunnel signaling (LDP or RSVP-TE): LSP tunnel
- IGP (IS-IS or OSPF)

RFC 4762: Virtual Private LAN Service (VPLS) Using LDP Signaling, Jan. 2007
RFC 4761: Virtual Private LAN Service (VPLS) Using BGP for Auto-Discovery and Signaling, Jan. 2007
RFC 4664: Framework for Layer 2 Virtual Private Networks (L2VPNs), Sep. 2006

4. Network Availability (EAPS): < 50msec

A link failure between AS and DS is the major threat, and EAPS (Ethernet Automatic Protection Switching) provides fast convergence from a link failure (under 50ms):
- Ring-based network resiliency protocol between AS and DS/PE, operating at layer 2
- Provides SONET/SDH-like fast convergence from network failures
- Proven sub-50ms failover times for voice-class connections
- Designed for carriers/ISPs; essential for convergence in the enterprise
- IETF RFC 3619

[Figure: EAPS ring between the AS in Tower A and the DS/BRAS-PE in NOC-1 and NOC-2 (IP/MPLS backbone behind them). Health-check messages are sent out periodically around the ring; the secondary port is logically blocked for protected-VLAN data traffic, so normal data traffic uses one side of the ring and, on a link failure, the blocked port opens and data traffic takes the other side.]

RFC 3619: Extreme Networks' Ethernet Automatic Protection Switching (EAPS) Version 1.0
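An added example (not the document's or Extreme Networks' code) that models the EAPS master behaviour described above: periodic health-checks, the secondary port blocked for the protected VLANs, and failover on a LINK-DOWN alert or on fail-timer expiry. The timer values, node names and VLAN numbers are assumptions for the example.

```python
# Added example (not from the document): a minimal model of an RFC 3619 EAPS
# master node. Timer values are ASSUMED illustrative numbers.
HELLO_INTERVAL_MS = 10   # health-check period
FAIL_TIMER_MS = 30       # three missed health-checks -> FAILED, still under 50 ms


class EapsMaster:
    """Master node of one EAPS domain: the primary port forwards, the secondary
    port is blocked for the protected VLANs while the ring is COMPLETE."""

    def __init__(self, protected_vlans):
        self.protected_vlans = set(protected_vlans)
        self.state = "COMPLETE"
        self.secondary_blocked = True
        self.ms_since_hello_seen = 0
        self.fdb_flushes = 0
        self.events = []

    def _fail(self, why):
        if self.state != "FAILED":
            self.state = "FAILED"
            self.secondary_blocked = False   # open the alternate path around the ring
            self.fdb_flushes += 1            # stale MAC entries point the wrong way
            self.events.append(f"FAILED ({why}): secondary port unblocked")

    def _restore(self):
        if self.state != "COMPLETE":
            self.state = "COMPLETE"
            self.secondary_blocked = True    # close the loop again before it forms
            self.fdb_flushes += 1
            self.events.append("COMPLETE: secondary port re-blocked")

    def tick(self, ms):
        """Advance the clock; health-checks only return while the ring is intact."""
        self.ms_since_hello_seen += ms
        if self.ms_since_hello_seen >= FAIL_TIMER_MS:
            self._fail("fail timer expired")

    def hello_returned(self):
        """A health-check PDU sent on the primary port came back on the secondary."""
        self.ms_since_hello_seen = 0
        self._restore()

    def link_down_alert(self, node):
        """A transit node reported a ring link failure: fail over immediately."""
        self._fail(f"LINK-DOWN from {node}")

    def forwards_on_secondary(self, vlan):
        """Protected-VLAN data crosses the secondary port only while it is
        unblocked; VLANs outside the domain are never blocked by EAPS."""
        return vlan not in self.protected_vlans or not self.secondary_blocked


def scenario():
    """Constructed ring: the AS in Tower A with the DS/PE in NOC-1 and NOC-2,
    protecting the per-service VLANs 3, 4 and 5."""
    m = EapsMaster(protected_vlans={3, 4, 5})
    for _ in range(3):                       # healthy ring: every hello returns
        m.tick(HELLO_INTERVAL_MS)
        m.hello_returned()
    r = {"blocked_when_healthy": not m.forwards_on_secondary(5)}
    m.link_down_alert("AS-towerA")           # AS-DS link fails, alert-driven failover
    r["state_after_alert"] = m.state
    r["protected_forwards_after_alert"] = m.forwards_on_secondary(5)
    m.hello_returned()                       # link repaired: a hello completes the ring
    r["state_after_repair"] = m.state
    elapsed = 0                              # silent failure: only the timer sees it
    while m.state == "COMPLETE":
        m.tick(HELLO_INTERVAL_MS)
        elapsed += HELLO_INTERVAL_MS
    r["timer_detect_ms"] = elapsed
    r["fdb_flushes"] = m.fdb_flushes
    return r


if __name__ == "__main__":
    print(scenario())
```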

Resiliency Mechanism for Unicast

[Figure: six panels of the RG - AN - AS - DS - PE - IP/MPLS backbone chain, with EAPS on the AS-DS ring and VRRP between the two DS/PE pairs (one VRRP master, one blocked ring port). Unicast upstream and downstream paths are drawn for each case.]

- Normal: traffic follows the VRRP master through the unblocked ring port.
- DS fail: recovery by EAPS, VRRP and IGP; the standby becomes active.
- Link fail on the AS-DS ring: recovery by EAPS (50ms); the blocked port becomes active.
- Link fail above the ring: recovery by VRRP and IGP.
- PE fail: recovery by VRRP and IGP; the other PE becomes VRRP master.

Resiliency Mechanism for Unicast (VRRP interface tracking)

[Figure: two panels of the RG - AN - AS - DS - PE - IP/MPLS backbone chain with a failed link above the DS.]

- VRRP I/F tracking enabled: link fail is recovered by VRRP and IGP (mastership moves to the DS/PE whose uplink still works).
- VRRP I/F tracking disabled: link fail is recovered by IGP only (the VRRP master does not change).

Resiliency Mechanism for Multicast

[Figure: six panels of the RG - AN - AS - DS - PE - IP/MPLS backbone chain; the PE that is the PIM DR (Designated Router) forwards the multicast, PIM Hello runs between the PEs, and EAPS blocks one ring port.]

- Normal: multicast is delivered by the PIM DR through the unblocked ring port.
- DS fail: recovery by EAPS and IGP; the standby becomes active.
- Link fail on the AS-DS ring: recovery by EAPS (50ms); the blocked port becomes active.
- Link fail above the ring: recovery by IGP.
- PE fail: recovery by IGP; the other PE becomes DR.

Resiliency Mechanism for Multicast (continued)

[Figure: RG - AN - AS - DS - PE - IP/MPLS backbone chain with the DR's uplink failed: recovery by IGP (link fail).]

5. Scalability

- Maximum number of MPLS L3 VPNs = 1K (per PE router)
- Maximum number of point-to-point MPLS L2 VPNs (VPWS) = 8K (per PE router)
- Maximum number of point-to-multipoint MPLS L2 VPNs (VPLS) = 1K (per PE router)

Scalability factors for Enterprise (AS: BD 8806, DS: BD 10808, BRAS/PE: E320):
- Maximum number of MAC addresses: AS 16K, DS 224K, BRAS/PE 96K
- Maximum number of IP routes: BRAS/PE 1M
- Maximum number of 802.1Q (VLAN) circuits per port: 4K, 4K
- Maximum number of 802.1ad (QinQ) circuits per port: 4K (16K per chassis), 16K (96K per chassis)
- Maximum number of logical interfaces: BRAS/PE 96K
- Maximum number of MPLS LSPs (LDP/RSVP-TE): BRAS/PE 10K

Scalability factors of MPLS L3VPN for Enterprise (BRAS/PE: E320):
- Maximum number of VRF instances: 1K
- Maximum number of IP routes per VRF: 500K

Scalability factors of MPLS L2VPN for Enterprise (BRAS/PE: E320):
- Maximum number of VPWS instances: 8K
- Maximum number of VPLS instances: 1K
- Maximum number of MAC addresses per VSI: 64K in total

L2 Scalability

Residential TPS service:
- The broadcast domain is reduced by the per-AN VLAN (QinQ).
- MAC learning at the DS: 224K MAC addresses supported by the DS (Extreme BD10K) >> 15K subscribers x 4 services = 60K.

Enterprise VPN service:
- A per-enterprise VLAN must be provisioned through the Ethernet backhaul network (potential scaling issue).
- 802.1Q provides 4K distinct VLANs and 802.1ad provides 16M distinct VLANs.

6.1 QoS for Residential TPS Service

- 4 service classes
- Internet bandwidth control for both upstream and downstream direction per residential subscriber by RG & BRAS
- Voice, IPTV and VoD traffic are always higher priority than Internet

[Figure: BRAS strict-priority queuing (SPQ). HIGH queue: voice to all users, IPTV (multicast), VoD to all users. LOW queue: Internet to User-A, User-B and User-C, each with per-residential shaping. Per-residential upstream shaping at the RG, per-residential downstream shaping at the BRAS; 802.1p marking on RG~AN, AN~AS, AS~DS and DS~BRAS/PE, MPLS QoS/IP DiffServ on BRAS/PE~P.]

Class marking per segment:

Service   | RG ~ AN | AN ~ AS | AS ~ DS | DS ~ BRAS/PE | BRAS/PE ~ P (MPLS QoS (E-LSP) / IP DiffServ)
Voice     | COS 5   | COS 5   | COS 5   | COS 5        | EXP 5
IPTV      | COS 3   | COS 3   | COS 3   | COS 3        | DSCP AF3
VoD       | COS 2   | COS 2   | COS 2   | COS 2        | EXP 2
Internet  | COS 0   | COS 0   | COS 0   | COS 0        | EXP 0

6.2 QoS for Business VPN Service

- 4 service classes: RT Voice, RT Video, Mission Critical, Best Effort
- Bandwidth control for both upstream and downstream direction per enterprise subscriber by the PE
- The PE supports a hierarchical shaper

[Figure: PE per-enterprise hierarchical shaping (PIR/CIR) per S-VLAN (1001, 1400 and 1500 shown), with the four classes queued inside each enterprise shaper. Per-enterprise downstream and upstream shaping at the PE; 802.1p marking on RG~AN, AN~AS and AS~DS, MPLS QoS on PE~P.]

Class marking per segment:

Service          | RG ~ AN | AN ~ AS | AS ~ DS | PE ~ P (MPLS QoS (E-LSP))
Voice            | COS 5   | COS 5   | COS 5   | EXP 5
VoD              | COS 2   | COS 2   | COS 2   | EXP 2
Mission Critical | COS 1   | COS 1   | COS 1   | EXP 1
Internet         | COS 0   | COS 0   | COS 0   | EXP 0

7. Multicast

[Figure: IPTV multicast delivery. BRAS/PE in NOC-1 (DR) and NOC-2 with IGMP static join towards the IP/MPLS backbone; DS and AS run IGMP snooping; the AN runs IGMP proxy; RGs in Tower A, Tower B and Tower C send IGMP Report (CH1) and receive IPTV CH1.]

All IPTV channels (multicast streams) always reach the core-facing port of the DS, so that channel zapping is fast, through the IGMP static join function of the BRAS/PE.

8.1 Security: Attack and Defensive Features/Actions

Attack | Defensive features/actions | NE
MAC attacks | Limit the number of MAC addresses per port, allow only static MAC addresses | AN, AS
VLAN hopping | Disable auto trunking on user-facing ports, do not use VLAN 1 for anything | AN, AS, DS
Private DHCP server | Filter DHCP messages using wire-speed ACLs, private VLAN | AN, AS, DS
Source MAC address spoofing | Limit the number of MAC addresses per port, allow only static MAC addresses | AN, AS
Abnormal source MAC attacks (all 0s, all Fs, etc.) | Filter abnormal source MAC addresses using wire-speed ACLs | AN, AS, DS
ARP attacks | AN, AS, DS: storm control, rate-limit of the ARP protocol type; BRAS/PE: CPU rate-limit, IP Source Guard | AN, AS, DS, BRAS/PE
Storm attacks | Storm control for broadcast & unknown-unicast packets | AN, AS, DS
System attacks | CPU rate-limit & filtering, prioritize control traffic (telnet, SNMP is high) | AN, AS, DS, BRAS/PE
DHCP attacks | Limit the number of MAC addresses per port, check the integrity of DHCP messages | AN, BRAS/PE
Poison ARP tables | Dynamic ARP inspection using the DHCP snooping binding table | BRAS/PE
DDoS of TCP SYN flooding | AN, AS, DS: rate-limit of TCP SYN; BRAS/PE: IP Source Guard | AN, AS, DS, BRAS/PE
Smurf attacks | Disable directed broadcast | BRAS/PE
IGMP attacks | Enable IGMP join filter, limit the number of IGMP join messages | AN, AS
Multicast stream attacks | Filter multicast addresses (except IGMP messages) on user-facing ports | AN, AS
PIM attacks | Filter PIM neighbors (allow only registered PIM neighbors) | BRAS/PE

8.1 Attack and Defensive Features/Actions (continued)

Attack | Defensive features/actions | NE
Attack with a spoofed source IP address | IP Source Guard, RPF (Reverse Path Filtering) | BRAS/PE
Route information spoofing, misdirecting traffic | MD5 authentication for IP routing/MPLS signaling protocols; GTSM (Generalized TTL Security Mechanism); route filtering: Martian filter, bogon list, RFC 1918/3330 addresses | BRAS/PE
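An added example (not from the document) of the access-edge defences in the tables above applied to one AN port: a per-port MAC limit, DHCP snooping that rejects server messages from user ports, Dynamic ARP Inspection and IP Source Guard checked against the snooping binding table. The event format, port names and limit value are constructed for the example.

```python
# Added example (not from the document): the per-port checks of section 8.1
# modelled on one AN. Event tuples below are a constructed format, not a
# vendor log format.
from collections import defaultdict

MAC_LIMIT_PER_PORT = 2   # assumed policy value for the example


class AccessPortGuard:
    """Per-port MAC limit, DHCP snooping, Dynamic ARP Inspection, IP Source Guard."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplink towards DS/BRAS and the DHCP server
        self.macs_on_port = defaultdict(set)
        self.pending = {}                   # client MAC -> port that sent DISCOVER/REQUEST
        self.bindings = {}                  # (port, MAC) -> IP, learned from DHCP ACK
        self.log = []

    def _deny(self, port, reason):
        self.log.append(f"port {port}: {reason}")
        return False

    def learn_mac(self, port, mac):
        seen = self.macs_on_port[port]
        if mac not in seen and len(seen) >= MAC_LIMIT_PER_PORT:
            return self._deny(port, f"MAC limit exceeded, dropping {mac}")
        seen.add(mac)
        return True

    def dhcp(self, port, kind, mac, ip=None):
        """Client messages are accepted only from user ports, server messages
        only from the trusted uplink; an ACK creates the snooping binding."""
        if kind in ("DISCOVER", "REQUEST"):
            if port in self.trusted:
                return self._deny(port, "client DHCP message from uplink")
            if not self.learn_mac(port, mac):
                return False
            self.pending[mac] = port
            return True
        if kind in ("OFFER", "ACK"):
            if port not in self.trusted:
                return self._deny(port, f"DHCP {kind} from user port (private DHCP server)")
            if kind == "ACK":
                client_port = self.pending.pop(mac, None)
                if client_port is None:
                    return self._deny(port, f"ACK for {mac} without a pending request")
                self.bindings[(client_port, mac)] = ip
            return True
        return self._deny(port, f"unsupported DHCP message {kind}")

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection: sender MAC/IP must match a binding on this port."""
        if port in self.trusted or self.bindings.get((port, sender_mac)) == sender_ip:
            return True
        return self._deny(port, f"ARP {sender_ip}/{sender_mac} without binding (poisoning)")

    def ip(self, port, src_mac, src_ip):
        """IP Source Guard: source IP/MAC must match a binding on this port."""
        if port in self.trusted or self.bindings.get((port, src_mac)) == src_ip:
            return True
        return self._deny(port, f"spoofed source {src_ip}/{src_mac}")


# Constructed sample events: a normal lease on port p1, then a poisoning
# attempt, a private DHCP server, a spoofed source and a MAC flood on port p2.
SAMPLE_EVENTS = [
    ("dhcp", "p1", "DISCOVER", "aa:01"),
    ("dhcp", "uplink", "OFFER", "aa:01", "10.1.1.10"),
    ("dhcp", "p1", "REQUEST", "aa:01"),
    ("dhcp", "uplink", "ACK", "aa:01", "10.1.1.10"),
    ("ip", "p1", "aa:01", "10.1.1.10"),            # allowed: matches the binding
    ("arp", "p2", "bb:02", "10.1.1.10"),            # DAI: no binding on p2 -> dropped
    ("dhcp", "p2", "OFFER", "bb:02", "10.1.1.50"),  # server message on user port -> dropped
    ("ip", "p1", "aa:01", "10.1.1.1"),              # IPSG: wrong source IP -> dropped
    ("dhcp", "p2", "DISCOVER", "bb:02"),
    ("dhcp", "p2", "DISCOVER", "bb:03"),
    ("dhcp", "p2", "DISCOVER", "bb:04"),            # third MAC on p2 -> limit exceeded
]


def run(events, trusted=("uplink",)):
    """Replay events through one guard; returns (verdict per event, guard)."""
    guard = AccessPortGuard(trusted)
    handlers = {"dhcp": guard.dhcp, "arp": guard.arp, "ip": guard.ip}
    verdicts = [handlers[ev[0]](*ev[1:]) for ev in events]
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = run(SAMPLE_EVENTS)
    print(verdicts)
    print("\n".join(guard.log))
```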

8.2 Security: Data Plane

[Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone, with the data-plane protections listed at the node where they apply.]

- User isolation (prohibit direct connection between users) / service isolation
- Protect against MAC spoofing
- Protect against MAC attacks
- Storm control
- Protect against IGMP attacks
- Filter multicast streams from abnormal sources
- Protect against ARP attacks
- Protect against DHCP attacks
- IP Source Guard / DHCP security
- Resource (# of routes/MACs) limitation / rate-limit of protocol updates per VRF
- Filter Martian addresses, RFC 1918 addresses, bogon prefixes
- Filter directed broadcast
- Rate-limit ICMP echo & TCP SYN (to CPU & transit)
- Reject other ICMP packets (e.g. ICMP Redirect), IP with options, malicious fragment packets
- Unicast RPF loose mode
- Filter well-known attack traffic (worms/viruses)
- Control CPU traffic

8.3 Security: Control Plane & Management Plane

[Figure: RG - AN - AS - DS - BRAS/PE - IP/MPLS backbone, with the control- and management-plane protections listed at the BRAS/PE and backbone side.]

- MD5 authentication for IP routing/MPLS signaling
- Generalized TTL Security Mechanism (GTSM)
- SNMPv3
- SSH (Secure Shell)/SCP (Secure Copy Protocol)
- TACACS+
- Control the number of concurrent SSH connections
- Control the rate of SSH connections

9. Easy Touch Provisioning Tool: SSG (Service Selection Gateway) for TPS Users

[Figure: three planes. Back office: OSS/BSS, AAA, LDAP (LDAP: service adds). Service intelligence control plane: Web Portal, Policy Server, DHCP. Transport plane: RG - AN - AS - DS - BRAS/SSG - IP/MPLS backbone. The numbered message flow on the slide:]

1 DHCP DISCOVER
2 DHCP OFFER
3 DHCP REQUEST
4 DHCP ACK
5 Client table is created
6 SI is created
7 COPS: Interface Event
8 COPS: Address Event
9 COPS: Default Policy
10 LDAP Search: MAC ID/PW (to the LDAP server)
11 LDAP Result: NULL return
12 HTTP/HTTPS: ID/PW entered by the subscriber (to the Web Portal)
13 CORBA: ID/PW information
14 RADIUS: Request Authentication (ID/PW) (to AAA)
15 RADIUS: Authentication Result
16 RADIUS: Type of Service for Subscriber
17 CORBA: Authentication Result
18 COPS: Service Policy
19 HTTP/HTTPS: Authentication Result & Show Subscriber Homepage

Easy Touch Provisioning Tool: VLAN Connection Management for Enterprise

The Connection Manager helps reduce overall administration and management costs by providing automated resource management and rapid profile-based provisioning capabilities that speed the deployment and time to market of Metro Ethernet technologies. It provides 802.1Q VLAN and 802.1ad QinQ provisioning methods for the AN, AS and DS.

Connection Manager for Enterprise:
A: QinQ assignment on the user-facing port for the enterprise user
B: VLAN ID assignment on the access-facing port for the enterprise user

[Figure: RG/CE at Site-1 of VPN-A and VPN-B -> AN -> AS -> DS -> BRAS/PE (per-enterprise VLAN in the backhaul) -> IP/MPLS backbone -> PE -> CE at Site-2 of VPN-A and VPN-B (per-enterprise MPLS VPN, L2/L3).]

10. Element & Network Management System

Network management systems make use of a wide range of tools, applications, interfaces and devices to assist the network operators' work in monitoring and maintaining the network. A standard model, called FCAPS, is defined by the ITU-T for all management systems:
- Fault management
- Configuration management
- Accounting management
- Performance management
- Security management

[Figure: NMS with the FCAPS functions (Fault, Configuration, Accounting, Performance, Security) on top; an element & network management layer of RG EMS, AN EMS, AS/DS EMS and BRAS EMS with DHCP and TFTP/FTP servers; northbound interface (SNMP, XML) to the NMS, southbound (SNMP) to the network elements RG/CPE, AN, AS, DS, BRAS, IP/MPLS core and Internet.]

EMS/NMS Features

General management: Topology map, Command history, Error logging
Fault: Fault detection, Alarm generation, Alarm handling, Alarm history
Configuration: Resource initialization, Provisioning, Backup and restore, Remote configuration, Automated software installation
Performance/Statistics reports: Data collection, Data reporting, Data analysis, Data backup
Security: User access right checking, Access logging, Security alarm reporting

[Figure: NMS screen with numbered callouts.]
1 Elements lists
- Elements lists view
- Elements searching
- Diagnostics for elements
2 Topology map
- Network topology map
- Elements status view
- Detail view for selected elements/networks
- Link/Port status view
3 Alarm statistics summary
- Alarm count per fault category
- Alarm color per fault category
- Alarm status / history

EMS/NMS Functionality Summary

Features | Sub features | Descriptions
System General Information | Monitoring condition | Monitoring time, retry count, retry timeout; monitoring condition and threshold control based on system performance
System General Information | Topology map | Map service based on topology
System General Information | Utility | Ping, Trace, Telnet
System General Information | Alarm history | Alarm history by region, element and port
System General Information | Tool-tip | Displays detailed information when the mouse moves over an element or port
System General Information | Element information | CPU, memory, disk, temperature, element boot time, OS version, number of interfaces
System General Information | Interface information | Interface ID, interface operational/admin status
Performance | Performance reports | Top N performance by day, week and month
Performance | System resource | CPU utilization, memory usage, disk usage, response time
Performance | Traffic performance | Interface input/output throughput (BPS, PPS), utilization rate, error rate, discard rate
Configuration | Elements status | Status of the registered elements
Configuration | Elements configuration | Node and port configuration such as VLAN, QoS, ACL, multicast, etc.
Configuration | Port (physical/logical) up/down status | Port status
Configuration | Port (physical/logical) up/down control | Port remote control by the EMS/NMS system
Configuration | Element/Link management | Element or link management (add/modify/delete)

EMS/NMS Functionality Summary (continued)

Features | Sub features | Descriptions
Fault | SNMP trap | SNMP TRAP, syslog, CLI
Fault | Alarm notify | Web event, e-mail, SMS
Fault | Alarm history | Alarm history search
Fault | Alarm severity management | Critical, Major, Minor, Warning, Normal
Fault | Syslog management | Syslog collection, syslog history search
Fault | Alarm analysis report for each element | Analysis of the alarm count, alarm duration and alarm type for each element
Fault | Alarm analysis report for each interface | Analysis of the alarm count, alarm duration and alarm type for each interface
Fault | Alarm threshold | Alarm threshold setting
Statistics Report | Report file format | Statistics report in Microsoft Excel or Word format
Statistics Report | Elements or port inventory report | Inventory including the alarm or log history of elements or ports
Statistics Report | Elements performance report | Performance reports for traffic utilization, resource usage, alarms, response time, etc. (daily, weekly, monthly)
Statistics Report | Traffic statistics | Traffic analysis report per period and application
Security | Account management | Account management, user-ID based access right control
Backup and Restore of Data | Backup and restore | Configuration backup/recovery of all elements; automatic and scheduled backup

End of Document

Netmanias Research and Consulting Scope (1999-2013)

Topics covered: eMBMS/Mobile IPTV, CDN/Mobile CDN, Transparent Caching, BSS/OSS, Cable TPS, Voice/Video Quality, IMS, Policy Control/PCRF, IPTV/TPS, LTE, Mobile WiMAX, Carrier WiFi, LTE Backhaul, Data Center Migration, Carrier Ethernet, FTTH, Data Center, Metro Ethernet, MPLS, IP Routing (grouped on the slide into Services, Mobile Network and Wireline Network).

Visit http://www.netmanias.com to view and download more technical documents.