Ananth Nagarajan
Feb 2005, SANOG V, Dhaka, Bangladesh
www.juniper.net
Agenda
Subscriber Management: BRAS Basics
Subscriber Management: Applications
Subscriber Management
BRAS Basics
BRAS Overview
BRAS: Broadband Remote Access Server
First network element that provides IP services to subscribers
[Diagram: DSL access models across L2 Access, IP Edge and IP Core. Labels: L2 bridge / L2 switch; PC connected to a DSL modem (PPPoA, 1483-R, AAL5); home gateway with LAN interfaces connected to a DSL modem (runs PPPoE; DSL modem runs 1483-B over AAL5); DSLAM; ATM; BRAS; Radius; DHCP. Uplink (today) is DS3/OC-3/OC-12.]
BRAS
DSL today means ATM
L2 termination
L3 forwarding
Popular client and access models: client (PPPoE, PPPoA), access network (B-ETH)
Radius client for user authentication, accounting, IP address assignment
DHCP server/proxy/client for IP address assignment
[Diagram: PC (PPPoA, AAL5, DSL) and router (1483-R, AAL5, DSL) reach the BRAS at the IP Edge through the ATM L2 Access network; Radius proxy/server, Radius and DHCP at the BRAS; IP Core beyond.]
[Diagram: PPP sessions from PC (PPPoA), router (1483-R) and home gateway (PPPoE, 1483-B), each over AAL5/DSL, through the DSLAM and ATM L2 Access network to the BRAS at the IP Edge; Radius and DHCP at the BRAS; IP Core beyond.]
[Diagram: numbered flow between RADIUS Server, Repository, Registration, and Rating & Billing Server.]
[Diagram: numbered flow between DSLAM, Internet, RADIUS Server, Repository, Registration, and Rating & Billing Server.]
[Diagram: numbered flow between DSLAM, Internet, Content Provider A, Content Provider B, Service Selection Portal Server, RADIUS Server, Repository, Registration, and Rating & Billing Server.]
1. User initiates PPP session and provides identification and password
[Diagram: numbered flow between DSLAM, SSP, Internet, Content Provider A, Content Provider B, Service Selection Portal Server, RADIUS Server, Repository, Registration, and Rating & Billing Server.]
1. Subscriber accesses the Service Selection Portal URL with a web browser
2. SSP server queries repository for list of services available to subscriber using LDAP. Each service and its corresponding COPS commands are cached.
3. SSP server builds a web page with the relevant service choices and returns this to the subscriber
BRAS Building Blocks
Retail, wholesale business/consumer services
Value-added Services
Subscriber Management
Per subscriber queuing, low latency, traffic shaping
Integrated edge router and subscriber management
BGP, MPLS, virtual routers
Corporate VPN
High subscriber aggregation and density, fault tolerant, wire-speed redundancy
Quality of Service
Network Awareness
Network Services
Network Scalability
Subscriber Management
Applications
Service Provider Edge must:
[Diagram: L2 Access technologies (Dial-up, DSL, Cable, GSM/GPRS, LMDS, WLAN 802.11, Ethernet (VLAN), Leased Line) terminate on the Service Provider Edge Router, which connects to the IP Backbone. Label: IP or L2.]
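[Diagram: PPPoE/DSL and PPP/DSL subscribers behind DSLAMs connect to the B-RAS, which reaches the Storage Network, Gaming Network and Video Services; RADIUS, Policies and DHCP at the B-RAS.]
[Diagram: PPPoE and PPP subscribers behind DSLAMs connect to the B-RAS, which reaches the ISP, Corporate VPN and Content Provider; RADIUS, Policies and DHCP at the B-RAS.]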
[Diagram: PC (PPPoA) and Home GW (PPPoE) through the access DSLAM to the BRAS acting as LAC; L2TP tunnels across the IP Core to the LNS of ISP 1 and ISP 2; Radius and DHCP.]
[Diagram: PC (PPPoA) and Home GW (PPPoE) reach Access Provider LACs; L2TP tunnels across the IP Core to the BRAS acting as LNS at the IP Edge; Radius and DHCP.]
[Diagram: PC (PPPoA) and Home GW (PPPoE) reach LACs; L2TP tunnels pass through an LTS to the LNSs, including ISP X; BRAS; Radius and DHCP.]
L2TP dial-out
Network-initiated L2TP tunnel to NB-RAS
[Diagram: BRAS as LNS at the IP Edge initiates L2TP dial-out across the IP Core / MPLS-VPN Core to the NB-RAS acting as LAC; ML-PPP over L2TP; Radius.]
Outsourced Access (using Virtual Routers)
Each Virtual Router (VR) contains a separate instance of the IP stack and IP applications (e.g. route table, routing protocols, route policies, SNMP)
Each subscriber IP interface is associated with the VR of the corresponding Retail ISP
[Diagram: Access (IP/PPP, IP/Frame Relay, ETH, SONET ADM) terminates at the IP Edge, where per-ISP VRs connect to ISP 1 and ISP 2.]
Microsoft is pushing for L2TP/IPSec for remote VPN access; integral part of Windows
A simple machine-level certificate (no need for a user certificate, no need for strong identity proof, no need for revocation procedures)
This solution works for ANY access network, including IP backhaul via another ISP
IP over PPP/L2TP (name/pwd)
[Diagram: PC and Home GW through the Access network (LAC) open an L2TP/IPSec tunnel (IPSec transport) to the BRAS, where LNS/VRs map subscribers to VPN A and VPN B; Radius servers.]
[Diagram: HotSpot Location with laptop PCs and PDAs (PPPoE client) behind a Wireless Access Point and Broadband Aggregation Router; Radius validation against the Radius Server in the Service Provider Network; L2TP to a Broadband Aggregation Router at the ISP or Content Provider.]
Client configuration (ok for Windows laptops; less clear for MacOS/Linux):
A simple machine-level certificate (no need for a user certificate, nor a certificate directly issued by VPN/ISP organization, no need for strong identity proof, no need for revocation procedures)
DNS hostname or IP address of IPSec endpoint. If BRAS terminating IPSec is the local edge, then use a virtual address identical for all edge BRAS. Hide it behind a DNS name.
Then configure a secured VPN remote access via Microsoft wizards. Reasonably user-friendly.
This solution works for ANY access network, including IP backhaul via another ISP
IP over PPP/L2TP (name/pwd)
[Diagram: laptop PCs and PDAs on a Local Network and on Internet Access connect over PPP through a Remote VPN Access Device and the IP Network to the BRAS; RADIUS Server(s).]
Video Over IP
[Diagram: TV Servers connected to the Services Router; Advanced IP Services.]
Video Services
Multicast Video Services
IP TV
NVOD (Near Video on Demand)
PC TV
[Diagram: IP/ETH and PPPoE subscribers on a VLAN-tagged Ethernet Switch (VLAN 1, 2, 5, 6, 7) connect over Gigabit Ethernet to the Services Router at the IP Edge; IP Core beyond, with ASP A, ASP B and ISP B; RADIUS, Policies and DHCP at the Services Router.]
Copyright 2003 Juniper Networks, Inc.
Multicast Services
Current Model for Content Broadcasting: Unicast
Consumes large amounts of bandwidth and burns server resources
Only available model because network could not cope with Multicast bandwidth requirements
[Diagram: Consumer PC (FTTB / DSL) and Business Customer (PPP, F/R or ATM) cross the Layer 2 Access Network (ATM / FR / PPP, etc.) to the Edge Router at the Layer 3 Service Delivery Point; OC-12 (MPLS) IP Core; Ethernet to the Application Server.]
Multicast Services
Rolling out model for Content Broadcasting: Multicast at the IP Edge
Consumes small amounts of bandwidth and doesn't touch server resources
Available because Services Router is capable of wire-rate Multicast routing
Controlled and Billed on a Per Stream Basis through a Policy Engine
[Diagram: Consumer PC (FTTB / DSL) and Business Customer cross the Layer 2 Access Network to the Services Router / Edge Router at the Layer 3 Service Delivery Point; IGMP toward subscribers; DVMRP and PIM toward the OC-12 (MPLS) IP Core; Policy Engine; Ethernet to the Video Server.]
[Diagram: Typical Subscriber (TV, Fast Ethernet) through the DSLAM over STM-1 ATM to the Services Router; STM-1 (IP) to the IP Core Network; GE to an Ethernet Switch and Video Server at the IP HEAD-END; Authentication, Authorization, Accounting; Policies (COPS); DHCP; Directory (LDAP).]
Interactive Gaming
Requirements
Low-latency transmission of control data
Round trip delay <= 200 msec (<=100 preferred) for Ultima as example
[Diagram: Game Server in a Server Farm behind a Gigabit Ethernet Switch (VLAN separation of service) and Game Services Router, feeding packets into the Core Network.]
[Diagram: Service Deployment System; Broadband Router; Access Network; DSLAM; Broadband Users.]
Services Sphere
[Diagram: Access (PPPoE, IP/1483 Bridged, ATM, DSLAM) into the IP Core (BGP4, OSPF, IS-IS, MPLS, Multicast); services: VoD, VoIP, Gaming, Application Storage Services; ISP 1, ISP 2, ISP N; 1M bW Best Effort QoS.]
[Diagram: PC with 802.11 W-LAN cards via an 802.11 Wireless Access Point and ATM or Ethernet Layer 2 Access Network into the Service Provider IP Core; L2TP to the LNS at ISP 1 and ISP 2; Radius at each.]
[Diagram: PC with 802.11 W-LAN cards (NO PPPoE Client Software) via an 802.11 Wireless Access Point and ATM or Ethernet Layer 2 Access Network into the Service Provider IP Core; Radius Web Login; ISP 1 and ISP 2.]
[Diagram: 802.11 Wireless Access Point; Service Provider IP Core; Radius Web Login.]
[Diagram: PC with 802.11 W-LAN cards and IPSec Client Software (built in to Win 2000, XP) via an 802.11 Wireless Access Point, ATM or Ethernet Layer 2 Access Network and Broadband Router into the Service Provider IP Core; Radius & X.509 Certification; ISP 1 and ISP 2.]
Thank You