Sanog5 Ananth Broadband

Broadband Networks Overview
and Best Practices
Ananth Nagarajan
Feb 2005, SANOG V, Dhaka, Bangladesh
Copyright 2003 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
Agenda
Subscriber Management BRAS Basics
Subscriber Management Applications
www.juniper.net
Subscriber Management
BRAS Basics
www.juniper.net
BRAS Overview
BRAS Broadband Remote Access Server
First network element that provides IP services to
subscribers
BRAS means Subscriber Management

Subscriber provisioned in the OSS database

Useronline, in session
Fully dynamic per user
Each individual user is authenticated
IP address assignment
Policies (next-hop, rate-limit, TOS, etc.)
QoS traffic classes/queues
Accounting
www.juniper.net
Typical BRAS Network (DSL)

DSL today
means ATM
PC client with
Popular
AccessDSLModels DSLAM (Digital Subscriber Line Access MUX)
PCI-based
DSL lines aggregation and
Client
(PPPoE, PPPoA)
modem
termination
Runs network
PPPoA
Access
(B-ETH)
L2 Bridge
Uplink (today) is DS3/OC-3/OC-12
L2 Switch
L2 switch
PPPoA
AAL5 to a DSL Connected
PC
DSL
modem
BRAS
1483-R
Modem runs 1483-B
ATM
AAL5 Home Gateway
(LAN
DSL
interfaces)
Runs PPPoE
Connected
to DSL-modem
PPPoE
DSLAM
1483-B
DSL-modem runs 1483-B
AAL5
Home GW
Radius
DSL
L2 Access
IP Edge
IP Core
DHCP
www.juniper.net
BRAS
DSL
today means ATM
L2 termination
L3 forwarding
Popular
Accessand
Models
Radius client for user
Client
(PPPoE, PPPoA)
authentication, accounting, IP
Access
network (B-ETH)
address assignment
DHCP server/proxy/client for IP
address assignment
PC
PPPoA
AAL5
DSL
1483-R
Radius AAL5
Proxy/Server
DSL
L2 Access
IP Edge
BRAS
IP Core
ATM
Authenticates user against DB

Returns parameters applied to
PPPoE
the users
IP interfaceDSLAM
(IP
1483-B
address, AAL5
DNS, VR, policies)
DSLattributes or VSA
in standard
Home GW
Collects accounting data
Router
Radius
DHCP
www.juniper.net
DSL today means ATM

Popular Access Models
Client (PPPoE, PPPoA)
Access network (B-ETH)
PPPoA
AAL5
DSL
PC
Router
Home GW
PPP
1483-R
AAL5
DSL
BRAS
IP Core
ATM
PPPoE
1483-B
AAL5
DSL
L2 Access
IP Edge
Radius
PPP
DSLAM
Radius
DHCP
www.juniper.net
BRAS Service Activation

Internet
1
7
4
2
1. User initiates PPP session

and provides
identification and
password
2. Services Router detects
PPP initiation and
formulates RADIUS
query
3. RADIUS queries directory
to validate user-id and
password. If valid,
RADIUS also queries the
directory for the users
RADIUS profile
3
6
RADIUS
Server
Repository
Service Provider Back-office
4. The RADIUS profile is

returned to the Services
Router to configure the
connection
Registration
Rating &
Billing
Server
5. Services Router configures

the connection
6. The RADIUS server starts
an accounting usage
record
7. The user can now access
services such as the
Internet
www.juniper.net
BRAS Service Deactivation & Accting

12
Internet
DSLAM
9
11
10
RADIUS
Server
Repository
Registration
Rating &
Billing
Server
8. User terminates PPP session

9. Services Router notifies
RADIUS server of PPP
termination
10. RADIUS creates an
accounting stop record
11. Accounting start and stop

records make up a usage
record for feeding into the
rating and billing server
12. Invoices are generated

and sent to the subscriber
www.juniper.net
BRAS Service Activation w/

Service Portal
Internet
Content
Provider A
1
5
DSLAM
Content
Provider B
4
2
7
3
1. User initiates PPP
session and provides
identification and
password
6
Service
Selection
Portal
Server
RADIUS
Server
2. Services Router detects PPP

initiation and formulates RADIUS
query
3. RADIUS queries directory to validate

userid and password. If valid, RADIUS
queries directory for the RADIUS profile
which will contain an Service Portal profile.
Repository

4. The RADIUS profile is returned to
the Services Router to configure the
connection.
5. Services Router Configures the
connection to allow access to
Service Portal only (or Service
Portal+Internet Only)
Registration
Rating &
Billing
Server
6. The RADIUS server starts an accounting

usage record for the xDSL BRAS session
7. The user can only access services
granted (in this example - Service
Portal Only)
www.juniper.net
10
BRAS Dynamic Service

Selection w/ Service Portal
Internet
Content
Provider A
DSLAM
1
SSP
4
Content
Provider B
5
3
1. Subscriber accesses the
Service Selection Portal
URL with a web browser
2. SSP server queries repository Service
Selection
for list of services available to
Portal
subscriber using LDAP. Each
Server
service and its corresponding
COPS commands are cached.
3. SSP server builds a web page with
the relevant service choices and
returns this to the subscriber
6
RADIUS
Server
Repository

4. Subscriber selects a service from the portal
by clicking on the service in the browser. In
this example, Content Provider B
5. SSP server uses COPS to configure the
Services Router to allow connection to the
selected service (Content Provider B) with a
given Qos level
Registration
Rating &
Billing
Server
6. SSP server notifies RADIUS

accounting to generate a start
record for the selected service
7. RADIUS writes accounting
start record into the repository
www.juniper.net
11
BRAS
Building Blocks
Retail, wholesale
Business/consumer
services
Value-added
Services
Per subscriber
queuing, low
latency, traffic
shaping
Integrated edge
router and
subscriber
management
BGP, MPLS, virtual
routers
Personal TV, Video on

Demand, VoIP, gaming
Corporate VPN
PPP, PPPoE, IDAS,

Radius, DHCP, COPS
E.g. routing, multicast,

L2TP, policy-enabled
networking, MPLS
traffic engineering,
fine-grained stats
High subscriber
aggregation and
density, fault tolerant,
wire-speed redundancy
Quality of Service
Network
Awareness
Network
Services
Network Scalability
www.juniper.net
12
Applications
www.juniper.net
13
L2 Access
Service Provider Edge must:
Dial-up
Terminates a variety of access methods

and protocols
DSL
Handle both IP and non-IP traffic

Routes packets in wire-speed over a
common IP Transport
Cable
GSM/GPRS
LMDS
WLAN
802.11
IP Backbone
Ethernet
(VLAN)
Service Provider
Edge Router
Leased Line
IP or L2
www.juniper.net
14
BRAS DSL Access

PPP/PPPoE termination and subscriber management using Radius, DHCP and COPS
IP SA validation and policy management
Offerings such as tiered bandwidth, premium/business/consumer services
Storage
Network
B-RAS
Gaming
Network
PPPoE/DSL
DSLAM
Video
Services
PPP/DSL
DSLAM
RADIUS
Policies
DHCP
www.juniper.net
15
BRAS DSL Access

Dynamic Service Selection
SP designs policy-based service offerings, stores them
in directory
Subscriber selects services from a customized portal
Policy Manager
BRAS shares with Policy Manager the user id/domain

Services are instantaneously activated
Flexible accounting models (e.g. per service, per
usage, volume, time, event)
ISP
B-RAS
PPPoE
Corporate
VPN
DSLAM
Content
Provider
PPP
DSLAM
RADIUS
Policies
DHCP
www.juniper.net
16
BRAS Access Wholesale LAC
Physical link termination (LAC)

Tunnel assignment through Radius or local domain-map
PPP-session forwarded to LNS in L2TP tunnel/session
Hand-off PPP session to retail ISP
L2 Access
IP Edge LNS
PC
PPPoE
IP Core
LAC
PPPoA
L2TP Tunnels
Access
DSLAM
ISP
1
BRAS
LNS
ISP 2
Home GW
Radius
DHCP
www.juniper.net
17
L2TP Tunnel Termination LNS

LNS == BRAS == subscriber management
LNS == ILEC managed service or ISP
Terminate L2TP tunnel/session and PPP session
BRAS as usual, e.g.
Authenticate user
Apply IP services
IP Edge
PC
PPPoA
Access
Provider
LAC
IP Core
LNS
L2TP Tunnels
PPPoE
Access LAC
Provider
BRAS
Home GW
Radius
DHCP
www.juniper.net
18
L2TP Tunnel Switching LTS
Scaling L2TP tunnels
LNS LAC Combination
Switch session across tunnels (could be in different VRs)
Tunnel assignment through Radius or local domain-map

Tunnel Switch
PC
PPPoA
LAC
LTS
L2TPLNS
Tunnels
LNS
PPPoE
LAC
LNS
LAC
ISP X
BRAS
Home GW
Radius
DHCP
www.juniper.net
19
ML-PPP over L2TP

L2TP
Dial
out
ML-PPP over L2TP
Dial-up PPP (modem, ISDN) sessions forwarded to BRAS using L2TP
ISDN -> 2nd B-channel: ML-PPP bundle is terminated at the LNS
L2TP dial-out
Network-initiated L2TP tunnel to NB-RAS
NB-RAS
LAC
L2TP
IP Edge
ML-PPP
over L2TP
L2TP
Dial-out
LNS
IP Core
MPLS-VPN Core
BRAS
Radius
www.juniper.net
20
Outsourced Access
(using Virtual Routers)
Each Virtual Router (VR) contains a separate instance of
the IP stack and IP applications (e.g. route table, routing
protocols, route policies, SNMP)
Each subscriber IP interface is associated with the VR of
the corresponding Retail ISP
Access
IP/PPP
ADM
ISP 1
IP Edge
VR
SONET
ISP 2
ETH
IP/Frame Relay
www.juniper.net
21
Secure Remote Access
Microsoft is pushing for L2TP/IPSec for remote VPN Access; integral part of Windows
BRAS acts as a VPN server, terminating L2TP/IPSec
A simple machine-level certificate (no need for a user certificate, no need for strong
identity proof, no need for revocation procedures)
This solution works for ANY access network, including IP backhaul via another ISP
IP over PPP/L2TP (name/pwd)
LAC
IPSec/IKE (machine certificates)

Local access (PPP,
DHCP, whatever)
L2TP/IPSec Tunnel
PC
Access
BRAS
LNS/
VR
A A
IPSec LNSVPN VPN
VR
Transport
Access
VR
VPNVPN
B B
Home GW
Radius
Radius
www.juniper.net
22
DSL Service Integration (with PPPoE)

Users simply treated like ordinary DSL subscribers
No special features required for W-LAN network operation
PPPoE client software required on users PCs (not a typical assumption,
cf. business users & PDAs are usually DHCP-based)
Laptop PC
PPPoE
Client
PPPoE
Wireless
Access
Point
Laptop PC
PDA
Broadband
Aggregation
Router
R
Va ad
lid ius
ati
on
Service Provider
Network
L2TP
PDA
HotSpot Location
Radius
Server
Wholesale model provided through L2TP

(as with DSL & Metro Ethernet)
Broadband
Aggregation
Router
ISP
or Content Provider
www.juniper.net
23
PPP/L2TP/IPSec down to the BRAS
A BRAS could act as a VPN server, terminating L2TP/IPSec
Client configuration (ok for Windows laptops; less clear for MacOS/Linux):
A simple machine-level certificate (no need for a user certificate, nor a certificate directly issued by
VPN/ISP organization, no need for strong identity proof, no need for revocation procedures)
DNS hostname or IP address of IPSec endpoint. If BRAS terminating IPSec is the local edge, then use
a virtual address identical for all edge BRAS. Hide it behind a DNS name.
Then configure a secured VPN remote access via Microsoft wizards. Reasonably user-friendly.
This solution works for ANY access network, including IP backhaul via another ISP
IP over PPP/L2TP (name/pwd)
Radius
RADIUS
Server(s)
IPSec/IKE (machine certificates)

Local access (PPP,
DHCP, whatever)
Radius
client
Laptop PC
Local
Network
PDA
PDA
Remote
VPN
PPP
Access
Device
Laptop PC
Internet
Access
BRAS
IP Network
www.juniper.net
24
Video Over IP
TV Servers
TV Servers
Services Router
IP Based Subscriber Management
Policy is enforced for each subscriber flow
Rate shaping, rate limiting, filters, queuing
Subscriber applications are treated according to policy
TV Servers
I.E. Napster downloads wont degrade home VPN connection
Extends subscriber based services across existing cable networks
Flexible billing models
Advanced IP Services
User-based bandwidth management
www.juniper.net
25
Video Services
Multicast Video Services
IP TV
NVOD (Near Video on Demand)
PC TV
Unicast Video Services

VOD (Video on Demand)
Network PVR (Personal Video Recorder)
Streaming Media
Surveillance
Video Teleconferencing
All Require Access and end-to-end QoS and Bandwidth Control
www.juniper.net
26
Video Streaming over Ethernet

Integrated subscriber management for Broadband Ethernet
VLANs (802.1q)
many VLANs and subscribers per chassis
Unique services per VLAN
VLAN to MPLS mapping
Extended LAN services across IP WAN
Individualized service profile per user
VPN membership
Access
QoS
IP Edge
Gigabit Ethernet
Services Router
VLAN 5
VLAN 1
VLAN 6
IP/ETH
PPPoE
Ethernet
Switch
(VLAN tagged)
VLAN 7
VLAN 2
RADIUS
IP Core
ASP A
ASP B
ISP B
Policies
DHCP
www.juniper.net
27
Multicast Services
Current Model for Content Broadcasting: Unicast
Consumes large amounts of Bandwidth and burns server resources
Only available model because network could not cope with
Multicast bandwidth requirements
Consumer PC
Layer 3
Service Delivery Point
FTTB / DSL
Layer 2
Access Network
ATM / FR /
PPP, etc.
OC-12 (MPLS)
IP Core
Ethernet
Edge
Router
PPP, F/R or ATM
Business
Customer
Application
Server
www.juniper.net
28
Multicast Services
Rolling out model for Content Broadcasting: Multicast at the IP Edge
Consumes small amounts of bandwidth and doesnt touch server resources
Available because Services Router is capable of wire-rate Multicast routing
Controlled and Billed on a Per Stream Basis through a Policy Engine
Consumer PC
FTTB / DSL
Layer 3
Service Delivery Point
Layer 2
Access Network
PPP, F/R or ATM
IP Core
IGMP
OC-12 (MPLS)
Services
Router
Edge
Router
DVMRP
Ethernet
IGMP
Policy Engine
Business
Customer
PIM
Video Server
www.juniper.net
29
Deployed IP-TV Networks
IP Core Network
DSLAM
STM-1 (IP)
Fast Ethernet
TV
Set Top Box

+ADSL Modem
STM-1
ATM
Typical Subscriber
Services Router
GE
Authentication
Authorization Policies
Accounting (COPS)
DHCP
Network and Service

Management;
Billing
Ethernet
Switch
Video Server
IP HEAD-END
Directory
(LDAP)
www.juniper.net
30
Interactive Gaming
Requirements
Low-latency transmission of control data
Round trip delay <= 200 msec (<=100 preferred) for
Ultima as example
Support for both text and voice chat

simultaneous/unimpeded by control flow
Strong multicast capability
Emerging need for streaming and broadcast video
Must support both PC based and console based gaming
services
Peer to peer and subscriber to content models both
emerging
www.juniper.net
31
Game Server
Feeding packets into
the Core
Server Farm
Game
Services
Gigabit
Ethernet
Switch
VLAN Separation
of Service
Router
Core
Network
1. VLAN Traffic rate

policed to prevent
interference with other
services
2. Packets Marked at
Ingress (Diff-Serv)
based on port number
3. Placed in low-latency
queue
4. Forwarded onto
bandwidth reserved
MPLS or ATM circuit
www.juniper.net
32
Low Latency Queuing

with
shared bandwidth
Core
Network
1. Broadband connection Traffic

rate policed to prevent
interference with other services
2. Packets Marked at Ingress
(Diff-Serv) based on port
number
3. Placed in low-latency queue
Service
Deployment
Broadband
System
Router
4. Forwarded onto bandwidth

reserved MPLS or ATM circuit
1. Users must log-in

through the Service
Deployment System
before choosing Game
Content
2. Policy Route, IP flow
rate, and low latency
queue is enabled on
the Router through
COPS or SNMP.
Access
Network
Broadband
Users
DSLAM
www.juniper.net
33
Controlled Access for any

device
Support for both PPPoE and IP
appliances in the same household
Ability to apply policies to the PC and the
gaming device independently
Can create guaranteed links between
different home appliances and network
servers
Services Sphere
VoD
VoIP
Gaming
Application Storage
Services
ISP 1
PPPoE
1M bW Best Effort QoS
BGP4, OSPF,
IS-IS, MPLS
Multicast
ATM
DSLAM
IP Core
IP/1483 Bridged
ISP 2
ISP N
1.5M bW Gold QoS
Access
www.juniper.net
34
PPPoE based Hotspot

Service
Broadband
Router (BRAS)
LNS
Service
Provider
IP Core
ATM or Ethernet
Layer 2
Access Network
PC with 802.11
W-LAN cards
ISP 1
L2TP
Radius
802.11 Wireless
Access Point
PPPoE Client Software
ISP 2
Radius
No special features required for W-LAN network operation
Radius
- Wireless Ethernet is just another Layer 2 access method
Users simply treated like ordinary DSL or FTTB network subscribers

PPPoE client software required on users PCs
Supports retail and wholesale business models
www.juniper.net
35
DHCP based Hotspot

Service
Edge
Router
ISP 1
Service
Provider
IP Core
ATM or Ethernet
Layer 2
Access Network
PC with 802.11
W-LAN cards
802.11 Wireless
Access Point
NO PPPoE
Client Software
Radius
Web Login
ISP 2
No PPPoE client software required on users PCs

Same as PPP-based service but simpler for users
Requires the use of DHCP Access Server

Provides Web Based Login for Subscribers
www.juniper.net
36
Sponsored HotSpot Model

Edge
Router
ATM or Ethernet
Layer 2
Access Network
PC with 802.11
W-LAN cards
802.11 Wireless
Access Point
Service
Provider
IP Core
Radius
Web Login
Users Web access is redirected to forced web page

Web Page advertises services of the location and
provides a click-through to login to a service provider
Email can also be directed to send a welcome email to
the user.
www.juniper.net
37
Hotspot Service with

IPSec
IPSec used to encrypt

Access Network traffic
ATM or Ethernet
Layer 2
Access Network
PC with 802.11
W-LAN cards
IPSec Client
Software
(Built in to
Win 2000, XP)
802.11 Wireless
Access Point
IPSec or L2TP used to encrypt

Core Network traffic
IDC
Broadband
Router
Service
Provider
IP Core
Radius &
X.509 Certification
ISP 1
ISP 2
IPSec can be combined with the Hotspot service to provide secure,

encrypted traffic across the access network
This overcomes all of the (serious) security issues associated with
W-LAN networks.
www.juniper.net
38
Thank You

Sanog5 Ananth Broadband

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sanog5 Ananth Broadband

Uploaded by

Copyright:

Available Formats

Broadband Networks Overview

and Best Practices

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

BRAS means Subscriber Management

Subscriber provisioned in the OSS database

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Typical BRAS Network (DSL)

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Typical BRAS Network (DSL)

Authenticates user against DB

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Typical BRAS Network (DSL)

DSL today means ATM

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

BRAS Service Activation

1. User initiates PPP session

Service Provider Back-office

4. The RADIUS profile is

Proprietary and Confidential

5. Services Router configures

BRAS Service Deactivation & Accting

Service Provider Back-office

8. User terminates PPP session

11. Accounting start and stop

Proprietary and Confidential

12. Invoices are generated

BRAS Service Activation w/

2. Services Router detects PPP

3. RADIUS queries directory to validate

Service Provider Back-office

Proprietary and Confidential

6. The RADIUS server starts an accounting

BRAS Dynamic Service

Copyright 2003 Juniper Networks, Inc.

Service Provider Back-office

Proprietary and Confidential

6. SSP server notifies RADIUS

Personal TV, Video on

PPP, PPPoE, IDAS,

E.g. routing, multicast,

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

Terminates a variety of access methods

Handle both IP and non-IP traffic

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

BRAS DSL Access

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential

BRAS DSL Access

BRAS shares with Policy Manager the user id/domain

Copyright 2003 Juniper Networks, Inc.

Proprietary and Confidential