Metro Ethernet networks are built on a three-level scheme and include access layer equipment (Access Layer), the aggregation layer (Aggregation Layer) and the network core (Backbone Layer). In rare cases an intermediate aggregation level (the distribution layer) is also singled out.
The proposed organization of the access layer is an access network with a ring topology and dedicated connections to the aggregation nodes.
This solution connects the access layer switches to two aggregation nodes at once (dual homing). With this arrangement of access and aggregation nodes, maximum stability and redundancy is achieved: if the link between any two access nodes breaks, full topological connectivity at the access level is preserved, and the same holds if an access node loses power. For additional stability and redundancy, an extra 10GE physical connection between the aggregation switches is provided; it is required for load balancing between the aggregation nodes and for the redundancy protocols. At the network core level, it is proposed to use aggregating 10GE switches to distribute BRAS traffic and to connect to dedicated interfaces of the data center equipment, the IPTV transport and the service infrastructure.
To prevent the formation of Layer 2 loops and to ensure quick recovery after a failure in the access network, it is proposed to use a fast convergence protocol.
Advantages of the solution:
scalability, since additional access nodes can be included in the network (semi-ring) of the access site;
fewer interfaces on the aggregation nodes; the number of required interfaces can be estimated on the basis that one access network requires two ports on the aggregation nodes;
fewer fiber-optic communication lines (FOCL) are required.
Shortcomings of the solution:
a more complex access network architecture;
when several access networks are connected to one aggregation node, the aggregation node must support isolation of Layer 2 (OSI) switching domains.
Service model description
Public services include the following:
broadband: providing high-speed Internet access;
IPTV: providing access to various TV channels based on IP multicast.
This paper considers only service provision models based on the IPoE architecture.
Provision of broadband services
This solution proposes a model based on IPoE (IP over Ethernet): an IP session without any additional encapsulation. One of the main advantages of the IPoE model is that the client profile is bound not to a login and password but to the port of the access switch to which the client connects. DHCP snooping with Option 82 is used to authorize the user. Option 82 is a DHCP extension: the switch inserts Option 82 into the DHCP request, and the option contains two fields. Circuit ID is the VLAN and the port number of the switch on which the DHCP request arrived; Remote ID is some identifier of the switch (its MAC address, its hostname or any arbitrary value). The insertion of Option 82 allows the DHCP server and the billing system to accurately identify the device (subscriber) and provide services to it.
The following types of network devices participate in setting up an IPoE session:
subscriber equipment, which requests an IP address via DHCP;
the access switch, which adds Option 82 to DHCP packets and polices the subscriber port against arbitrary IP address assignment, ARP spoofing and illegitimate DHCP servers;
the aggregation node and the BRAS, which perform the DHCP relay function; in this case the aggregation node also performs routing;
the IPoE BRAS, which performs CLIPS (clientless IP session) control: issuing IP addresses to the subscriber and assigning a profile to the user;
the DHCP server, which issues the IP address to the BRAS;
the RADIUS server, which controls the session parameters and interacts with billing.
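The Option 82 exchange described above, as an added example that is not part of the original document: the access switch builds the Relay Agent Information option (RFC 3046, sub-option 1 = Circuit ID, sub-option 2 = Remote ID), and the DHCP server/billing side parses it to identify the subscriber by switch and port rather than by a login. The Circuit ID byte layout (VLAN and port as two 16-bit values), the switch name and the subscriber table are assumptions constructed for the example.

```python
import struct

OPTION_RELAY_AGENT = 82   # DHCP Relay Agent Information option (RFC 3046)
SUBOPT_CIRCUIT_ID = 1     # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2      # Agent Remote ID sub-option

def build_option82(vlan: int, port: int, remote_id: bytes) -> bytes:
    """Option 82 TLV an access switch inserts into the subscriber's DHCP request.
    The Circuit ID layout (VLAN and port as two 16-bit values) is an assumption."""
    circuit_id = struct.pack("!HH", vlan, port)
    payload = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    payload += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPTION_RELAY_AGENT, len(payload)]) + payload

def parse_tlvs(data: bytes) -> dict:
    """Walk DHCP options (or Option 82 sub-options) as code, length, value triples."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option
            i += 1
            continue
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def parse_option82(value: bytes) -> dict:
    """Decode the sub-options of an Option 82 value into VLAN, port and Remote ID."""
    subs = parse_tlvs(value)
    vlan, port = struct.unpack("!HH", subs[SUBOPT_CIRCUIT_ID])
    return {"vlan": vlan, "port": port, "remote_id": subs[SUBOPT_REMOTE_ID]}

# Constructed subscriber table as a billing system would keep it:
# (switch Remote ID, VLAN, port) -> subscriber account
SUBSCRIBERS = {(b"sw-access-01", 100, 10): "acct-4711"}

def identify_subscriber(options: bytes):
    """Identify the subscriber by the switch port, not by a login and password.
    Returns the account, or None when the request carries no relay agent information."""
    opts = parse_tlvs(options)
    if OPTION_RELAY_AGENT not in opts:
        return None
    info = parse_option82(opts[OPTION_RELAY_AGENT])
    return SUBSCRIBERS.get((info["remote_id"], info["vlan"], info["port"]))
```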
In this solution, the broadband access service is provided using a dedicated IP network for a group of users in a single VLAN; there is one VLAN on the access switch for broadband services.
The service gateway for broadband users is called the BNG (Broadband Network Gateway) or BRAS (Broadband Remote Access Server); the user equipment is connected to it at Layer 2 of the OSI model.
IP Source Guard is used to protect against IP address spoofing. This function creates an access list on the interface to which the DHCP client is connected; the entry allows only traffic whose source IP and MAC addresses match those the DHCP server committed for this client. For example, if a device with MAC address 00:26:12:01:01:01 on port 10 dynamically received the address 192.168.100.100, then only traffic with that source MAC address and source IP address is passed on that port. If an attacker manually changes the address, for example to the gateway address 192.168.100.254, such traffic is dropped.
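The access-port policing described in this section and in the device list above (DHCP snooping on untrusted subscriber ports plus IP Source Guard), as an added simulation that is not part of the original document. The frame model, port numbers and the uplink/server addresses are constructed; the subscriber MAC, port and addresses are the ones from the example above.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dhcp: str = ""        # DHCP message type, "" for ordinary traffic
    yiaddr: str = ""      # address assigned in a DHCP ACK
    chaddr: str = ""      # client hardware address carried in DHCP messages

@dataclass
class AccessSwitch:
    trusted_ports: set = field(default_factory=set)   # uplinks towards the DHCP relay
    client_ports: dict = field(default_factory=dict)  # client MAC -> subscriber port
    bindings: dict = field(default_factory=dict)      # port -> (MAC, IP) committed by the server

    def handle(self, port: int, frame: Frame) -> str:
        """Return 'forward' or 'drop' for a frame received on `port`."""
        if frame.dhcp:
            return self._handle_dhcp(port, frame)
        if port in self.trusted_ports:
            return "forward"
        # IP Source Guard: only the (MAC, IP) pair committed for this port may send
        if self.bindings.get(port) == (frame.src_mac, frame.src_ip):
            return "forward"
        return "drop"

    def _handle_dhcp(self, port: int, frame: Frame) -> str:
        if frame.dhcp in ("OFFER", "ACK"):   # only a DHCP server sends these
            if port not in self.trusted_ports:
                return "drop"     # illegitimate DHCP server on a subscriber port
            if frame.dhcp == "ACK" and frame.chaddr in self.client_ports:
                # lease committed: install the snooping binding on the client's port
                self.bindings[self.client_ports[frame.chaddr]] = (frame.chaddr, frame.yiaddr)
            return "forward"
        self.client_ports[frame.chaddr] = port   # DISCOVER/REQUEST: remember the client's port
        return "forward"

def demo() -> dict:
    """Replay the example: MAC 00:26:12:01:01:01 on port 10 leases 192.168.100.100."""
    sw = AccessSwitch(trusted_ports={24})
    mac = "00:26:12:01:01:01"
    sw.handle(10, Frame(mac, "0.0.0.0", dhcp="DISCOVER", chaddr=mac))
    sw.handle(24, Frame("00:aa:bb:cc:dd:ee", "192.168.100.1", dhcp="ACK",
                        yiaddr="192.168.100.100", chaddr=mac))
    return {
        "legit": sw.handle(10, Frame(mac, "192.168.100.100")),
        "spoofed_gateway": sw.handle(10, Frame(mac, "192.168.100.254")),
        "rogue_dhcp": sw.handle(11, Frame("00:de:ad:be:ef:00", "10.0.0.1", dhcp="OFFER")),
    }
```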
Media content for the IPTV service is delivered in a separate VLAN, so the MVR (Multicast VLAN Registration) function is used on the switch to provide the service: the subscriber VLAN is associated with the multicast VLAN, after which the switch moves the incoming IGMP report service packets needed for the service (IGMP join, IGMP leave) from the subscriber VLAN into the multicast VLAN. In turn, the multicast traffic requested by the subscriber is transmitted into the subscriber's VLAN. Thus there is no need to place intelligent equipment supporting the 802.1Q standard on the subscriber's side.
The list of channels available to a subscriber under his tariff is formed by means of static IGMP profiles. There can be several profiles (one per tariff: tariff = profile); a profile is applied per port and allows subscribing only to the paid channels. The number of channels viewed simultaneously is limited on each subscriber port to prevent overloading the subscriber port and heavy load on the uplink ports. The fast-leave function is also used to reduce the load on the switch when switching between channels.
The switch does not flood unknown multicast traffic. The list of multicast groups and of the users (ports) requesting each group is built by the IGMP snooping v2 function. On the switch the list is stored as a table that the administrator can view, which facilitates monitoring and diagnostics. IGMP snooping not only builds the list of permitted multicast groups to be forwarded to the ports where they are being received, but also performs a security function: it prohibits forwarding IGMP reports between untrusted (subscriber) ports. Trusted ports (mroute ports) are usually the uplink ports; they can be assigned automatically upon receipt of a General Query packet or manually. When assigning mroute ports manually, bear in mind that in a ring topology there are two of them, so IGMP reports go to both, loading the operator's network with unnecessary IGMP service traffic. Automatic assignment of mroute ports reduces the load on the network because the General Query arrives on only one port. But in a ring topology, when the ring is rebuilt, the switch needs time to relearn the mroute port dynamically, which causes an interruption of the IPTV broadcast.
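The subscriber-port IPTV behaviour of the two paragraphs above (MVR re-tagging of reports into the multicast VLAN, per-port IGMP profiles, the concurrent-channel limit, fast-leave, relaying reports only to mroute ports and never flooding unknown multicast), as an added simulation that is not part of the original document. The VLAN numbers, group addresses, port numbers and the default limit of two channels are constructed for the example.

```python
from dataclasses import dataclass, field

SUBSCRIBER_VLAN = 100   # VLAN of the subscriber port (constructed)
MULTICAST_VLAN = 900    # VLAN carrying the IPTV media content (constructed)

@dataclass
class Igmp:
    kind: str           # "join" or "leave"
    group: str          # multicast group address, i.e. one TV channel
    vlan: int = SUBSCRIBER_VLAN

@dataclass
class IptvSwitch:
    mroute_ports: set                           # uplinks where the General Query arrives
    profiles: dict                              # port -> groups allowed by the tariff
    max_groups: int = 2                         # channels viewed at once per subscriber port
    table: dict = field(default_factory=dict)   # IGMP snooping table: group -> member ports

    def receive(self, port: int, msg: Igmp) -> dict:
        """Process an IGMP report from a subscriber port; report what was done and where it goes."""
        if port in self.mroute_ports or msg.vlan != SUBSCRIBER_VLAN:
            return {"action": "ignore", "relay_to": set()}
        if msg.group not in self.profiles.get(port, set()):
            return {"action": "filtered", "relay_to": set()}   # channel not in the tariff
        if msg.kind == "join":
            active = sum(1 for members in self.table.values() if port in members)
            if port not in self.table.get(msg.group, ()) and active >= self.max_groups:
                return {"action": "limit", "relay_to": set()}  # too many channels at once
            self.table.setdefault(msg.group, set()).add(port)
        else:
            # fast-leave: remove the port immediately, without a group-specific query
            members = self.table.get(msg.group, set())
            members.discard(port)
            if not members:
                self.table.pop(msg.group, None)
        # MVR: the report is moved into the multicast VLAN and relayed only to the
        # mroute ports, never to other (untrusted) subscriber ports
        return {"action": msg.kind, "vlan": MULTICAST_VLAN, "relay_to": set(self.mroute_ports)}

    def forward_ports(self, group: str) -> set:
        """Unknown multicast is not flooded: only ports that joined the group receive it."""
        return set(self.table.get(group, ()))
```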
To receive the service on a personal computer, the operator must provide the user with a list of multicast channels and ports. The user needs to install software (VLC player, IPTV player, etc.).
To ensure QoS towards the subscriber, the traffic from the BRAS should arrive at the switch already marked with the appropriate priority. To ensure QoS from the subscriber towards the BRAS, this class of traffic is marked with the appropriate priority on the access port.
Multicast traffic of the BTV service is transmitted through the access networks in a single virtual network for all users using MVR (Multicast VLAN Registration) technology.
Subscriber equipment for public services may include several devices: a computer/laptop and video devices (video STB). If the subscriber uses only one device (for example, a computer), it can be connected directly to the Ethernet port of the access node. If there are several subscriber devices, they are connected to a subscriber switch (bridged CPE) or router (routed CPE), which is in turn connected to the Ethernet port of the access node. A number of CPEs provide a "hybrid" mode, acting as an L3 device for broadband services and as an L2 device for IPTV.
In the proposed solution, the subscriber does not need any special settings to access the basic Internet service. For the IPTV STB, it is preferable that the manufacturer installs at the factory a start-up configuration script that calls the operator's server for the configuration file (a zero-config function).