Triple play services in the networks of regional Internet providers
To increase profitability and remain competitive, regional ISPs need to provide «Triple play» services. This means that their network must support not only traditional Internet access and peer-to-peer services, but also real-time services such as telephony and television. In addition, connecting the local networks of an organization's geographically dispersed offices can be a profitable service. The ready-made solution described below ensures the operation of all these services. It also offers a new model for traditional services: instead of the now common PPPoE tunnel mechanism, it recommends the IPoE (IP over Ethernet) mechanism, also called CLIPS (Clientless IP Subscribers), which is free of many of PPPoE's disadvantages.
The functions of the edge router and the subscriber-aware device (BRAS, also called BNG) are combined in a single Ericsson SmartEdge SE-100. On one side, the device is connected to at least two upstream Internet providers; on the other, to a switch that is part of the network backbone. The BRAS interacts with two DHCP servers: one for real-time services, the other for Internet access. The latter works together with a RADIUS server and the billing system. The network backbone is formed by several high-speed Layer 3 switches connected in a ring. Access switches, which provide the client ports, are connected to one another in long chains; these chains, in the form of half-rings, are attached to the central backbone ring.
Service provision scenario for individuals
The proposed solution can implement both the traditional scenarios of providing access to services, based on tunneled PPP sessions (PPTP, L2TP, PPPoE), and the new IPoE scenario (CLIPS), as well as improved PPPoE+. PPP sessions require software or devices on the user side that support clients of these sessions, and simultaneous Internet access and peering between clients can be problematic. Another disadvantage of such scenarios is the BRAS resources spent on encapsulation in such sessions. Finally, the multicast traffic required for IPTV is delivered inefficiently. The IPoE scenario does not have these disadvantages.
The basic idea of IPoE is to bind the client profile not to a login and password but to the port of the access switch to which the client connects. When the client equipment starts, it sends a request to the network to obtain an IP address; the access switch adds to this request information about itself and the port on which the request was received. The request is then processed by the BRAS, which interacts not only with the DHCP server that issues the IP address, but also with the RADIUS server and, through it, with the billing system, which stores user profiles keyed by switch port. As a result, the user's profile is associated with the IP address issued to it, and from then on the user's traffic, identified by that IP address, is processed and accounted for in accordance with the paid contract. Peer-to-peer traffic that the user sends from the same IP address does not reach the BRAS and does not load it. IP phones and IPTV set-top boxes receive addresses from a separate DHCP server that serves real-time services; their traffic also bypasses the BRAS and does not load it. The following diagram shows how an IPoE session is established.
Enterprise client connection scenario
Corporate customers should preferably be connected in separate port-based VLANs. This gives the most flexibility in setting specific conditions for providing and accounting access, ensures confidentiality of information and quality of service, and allows address subnets to be allocated per customer.
Both L3 VPN and L2 VPN services can be implemented.
Key technologies used in the solution
To implement the proposed solution, the equipment must support a number of technologies, listed and briefly described below.
Redundancy in ring physical topologies, low switching time
In urban networks it is not economically feasible to lay a dedicated cable to each access switch, and even less so to lay two. On the other hand, connecting a large number of switches in series into long chains makes the network very unreliable: a cable break, a faulty switch, or simply a switch losing power can take down a significant part of the network and interrupt services for a long time. A good compromise is to connect the switches in series and attach both ends of the resulting chain to the backbone. In such a topology, a single fault or break does not cause the failure of a large part of the network. However, the varieties of the spanning tree protocol (STP, RSTP, MSTP) traditionally used in Ethernet networks with redundant links either do not work at all in such topologies or work poorly. A good replacement for STP in ring topologies is the Ethernet Automatic Protection Switching (EAPS) family of protocols (RFC 3619), in particular the Ethernet Ring Redundancy Protocol (ERRP). Unlike STP, this protocol has no limit on the number of switches in the chain forming the ring; moreover, the recovery time after a failure or break is relatively small (less than 200 milliseconds) and does not depend on the length of the chain. This recovery time is acceptable for the uninterrupted operation of real-time services such as IPTV and VoIP. Besides a plain ring, the protocol works with topologies consisting of a central ring and half-rings attached to it. The only drawback of ERRP compared to traditional STP is the need to configure the switches manually according to the physical topology.
DHCP relay, DHCP information option 82, DHCP snooping, IP source guard
For the IPoE authorization and accounting mechanism to work, it is critical to track the user by binding to the switch port. The same binding is needed to implement PPPoE+. It is achieved by using DHCP relay, DHCP information option 82, DHCP snooping and IP source guard together. DHCP relay lets the switch intercept the user's DHCP requests and forward them to a DHCP server on a remote network. DHCP information option 82 is the ability to insert into such intercepted and forwarded requests information about the switch and the port to which the user is connected. This information lets the DHCP server assign each user the specific IP address reserved for them; that address can then be used to account for the transmitted traffic and to limit its speed in accordance with the contract. DHCP snooping lets the switch inspect the DHCP server's responses to clients and record which IP address was issued to which client. This record is then used by IP source guard, which blocks a user whose packets carry a source IP address different from the one the DHCP server issued. This defeats attempts to bind to someone else's contract.
Dynamic ARP Inspection (DAI) protects the network from ARP spoofing, in which a user, inside a correctly addressed Ethernet frame and IP packet (their IP and MAC addresses are fixed), sends a «poisoned» ARP packet whose body contains other addresses. DAI checks that the addresses inside ARP requests match the addresses in the carrying packets. If the user substitutes addresses that do not match their real ones, the packet is dropped.
Super VLAN allows a group of user VLANs to be terminated on a single IP interface and implements the «VLAN per user» ideology at the access level and «VLAN per service» at the operator network level. Users can send traffic to the switch acting as the gateway of their IP subnet, but cannot send traffic directly to each other. ARP Proxy lets users exchange traffic while Super VLAN is enabled; importantly, this traffic is not sent directly but through the gateway, so it can be analyzed there and different policies applied to it. In other words, peering between users can be controlled.
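The port binding described above (the IPoE profile bound to the access switch port, and the DHCP snooping, IP source guard and DAI checks built on it) is illustrated by the following added Python example; it is not code from the original solution or from QTECH's firmware. The ASCII option 82 encoding, the switch name "acc-01", the port name "ge1/12" and the MAC and IP values are constructed assumptions, since real switches use vendor-specific binary formats.

```python
from dataclasses import dataclass

# Option 82 (Relay Agent Information, RFC 3046) sub-option codes.
CIRCUIT_ID, REMOTE_ID = 1, 2


def parse_option82(value: bytes) -> dict:
    """Parse the sub-option TLVs of an option 82 value into {code: bytes}."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated option 82 sub-option")
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


@dataclass(frozen=True)
class Binding:
    port: str   # "<remote-id>/<circuit-id>": access switch plus client port
    mac: str
    ip: str


class SnoopingTable:
    """Port/MAC/IP bindings that DHCP snooping learns from DHCP server ACKs."""

    def __init__(self):
        self._by_port = {}

    def learn(self, option82: bytes, client_mac: str, leased_ip: str) -> Binding:
        subs = parse_option82(option82)
        port = subs[REMOTE_ID].decode() + "/" + subs[CIRCUIT_ID].decode()
        binding = Binding(port, client_mac, leased_ip)
        self._by_port[port] = binding
        return binding

    def ip_source_guard(self, port: str, src_mac: str, src_ip: str) -> bool:
        """Forward an IP packet only if its source matches the lease on that port."""
        b = self._by_port.get(port)
        return b is not None and (b.mac, b.ip) == (src_mac, src_ip)

    def dai(self, port: str, eth_src: str, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP inspection: the ARP body's sender MAC/IP must agree with
        the Ethernet source address and with the binding learned for the port."""
        return eth_src == sender_mac and self.ip_source_guard(port, sender_mac, sender_ip)


def sample_option82() -> bytes:
    """Constructed option 82 as a hypothetical access switch "acc-01" would insert
    it for client port "ge1/12"; real switches use vendor-specific binary formats."""
    circuit, remote = b"ge1/12", b"acc-01"
    return bytes([CIRCUIT_ID, len(circuit)]) + circuit + bytes([REMOTE_ID, len(remote)]) + remote


if __name__ == "__main__":
    table = SnoopingTable()
    b = table.learn(sample_option82(), "00:11:22:33:44:55", "10.10.1.23")   # from the DHCP ACK
    print(table.ip_source_guard(b.port, b.mac, "10.10.1.23"))           # True: own lease
    print(table.ip_source_guard(b.port, b.mac, "10.10.1.24"))           # False: not the issued address
    print(table.dai(b.port, b.mac, "de:ad:be:ef:00:01", "10.10.1.23"))  # False: poisoned ARP body
```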
Protection of network resources from DoS attacks and virus activity
To prevent the overloading of network resources and interruption of services due to virus activity or DoS attacks, mechanisms that suppress all types of storms (broadcast, multicast and unicast) are very useful. It is desirable to be able both to simply limit the bandwidth of these types of traffic and to automatically disable the port temporarily when such traffic exceeds a set threshold of bandwidth occupation. To reduce the impact of some attacks, it is also useful to limit the number of source MAC addresses arriving through a single switch port.
Quality of service
Support for quality of service (QoS) mechanisms in the equipment is critical for real-time services. Such mechanisms include flexible classification of traffic received from users and from external sources, marking it according to that classification, and prioritizing it according to the marking. To be able to select the most appropriate prioritization mechanism for a particular case, the switches in use must have at least four outbound queues and support different scheduling policies for those queues.
Technologies to support IPTV
To implement a television service (IPTV), the network equipment must support a large set of multicast-related technologies. Aggregation switches must support the multicast routing protocols PIM-DM and PIM-SM and the IGMP group membership protocol; with IGMP version 3 support, the IPTV service has better consumer properties and places less load on the network. Access switches must support IGMP snooping. Support for MVR (multicast VLAN registration) is also very useful: it allows only one copy of a stream to be sent to users in different VLANs. This frees network resources and lets IPTV coexist with the «VLAN per user» and «VLAN per service» ideology.
QinQ and Selective QinQ Technologies
QinQ was originally invented to connect a complex VLAN structure in one office of a client company to the same VLANs in another office of that company through the provider's network. To implement this scenario, the provider switch port adds an 802.1Q tag to all traffic received from the corporate network, on top of the 802.1Q tag already present that describes the internal corporate VLANs. This variant is now called port-based QinQ. A more complex option, Selective QinQ, adds the extra 802.1Q tag not by port but by groups of existing user VLANs and their tag numbers; this implements the «VLAN per user» ideology. The extra 802.1Q tag can also be added depending on the protocol of the transmitted traffic, which implements the «VLAN per service» ideology: for example, all IP telephony traffic from all users can be placed in a separate VLAN.
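The difference between port-based and Selective QinQ, as an added Python model that is not code from the original page or from the QTECH switches: it assumes IEEE 802.1ad S-tags (0x88A8) for the outer tag, and simplifies the «VLAN per service» rule to classification by the inner EtherType (PPPoE session frames as the service example), since telephony traffic would need deeper classification; the VLAN numbers and frame contents are constructed.

```python
import struct

TPID_CTAG = 0x8100   # inner (customer) 802.1Q tag
TPID_STAG = 0x88A8   # outer (service) tag, IEEE 802.1ad
ETH_IP, ETH_PPPOE_SESSION = 0x0800, 0x8864


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int, payload: bytes) -> bytes:
    """Customer frame carrying one 802.1Q C-tag (priority 0, DEI 0)."""
    return dst + src + struct.pack("!HHH", TPID_CTAG, vid & 0x0FFF, ethertype) + payload


def push_tag(frame: bytes, tpid: int, vid: int) -> bytes:
    """Insert a new outermost tag right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]


def read_tags(frame: bytes):
    """Return ([(tpid, vid), ...] outermost first, ethertype of the carried protocol)."""
    tags, off = [], 12
    while True:
        tpid, = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_CTAG, TPID_STAG):
            return tags, tpid
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))
        off += 4


def port_based_qinq(frame: bytes, port_svid: int) -> bytes:
    """Port-based QinQ: every frame from the port gets the same outer S-tag."""
    return push_tag(frame, TPID_STAG, port_svid)


def selective_qinq(frame: bytes, user_ranges: dict, service_types: dict) -> bytes:
    """Selective QinQ: pick the S-tag from the carried protocol (VLAN per
    service, checked first) or from the inner C-VID range (VLAN per user).
    A frame matching no rule is rejected rather than tagged into a wrong VLAN."""
    tags, ethertype = read_tags(frame)
    if len(tags) != 1 or tags[0][0] != TPID_CTAG:
        raise ValueError("expected a single-tagged customer frame")
    if ethertype in service_types:
        return push_tag(frame, TPID_STAG, service_types[ethertype])
    cvid = tags[0][1]
    for (lo, hi), svid in user_ranges.items():
        if lo <= cvid <= hi:
            return push_tag(frame, TPID_STAG, svid)
    raise ValueError(f"no Selective QinQ rule for C-VID {cvid}")


# Constructed sample policy: C-VIDs 100-199 belong to user group A, 200-299 to
# group B (one S-VLAN each); PPPoE session frames go to a service S-VLAN.
USER_RANGES = {(100, 199): 2001, (200, 299): 2002}
SERVICE_TYPES = {ETH_PPPOE_SESSION: 3000}

if __name__ == "__main__":
    mac_user, mac_gw = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    ip_frame = build_tagged_frame(mac_gw, mac_user, 150, ETH_IP, b"\x45" + b"\x00" * 19)
    print(read_tags(port_based_qinq(ip_frame, 500)))                        # S-VID 500 outermost
    print(read_tags(selective_qinq(ip_frame, USER_RANGES, SERVICE_TYPES)))   # S-VID 2001 (group A)
```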
Dual Homing («Double bind»)
At least two upstream Internet service providers are required to give customers a reliable Internet connection. This requires interacting with them via the BGP protocol and operating an autonomous system of one's own, so BGP support is required on the border routers. Reliability can be further improved by using not one combined edge router and BRAS but several devices that back each other up.
Default gateway redundancy, VRRP protocol
Most client software and hardware can work with only a single default gateway address. This is a reliability problem if the physical device holding that address fails. The VRRP protocol (Virtual Router Redundancy Protocol) was created to solve this problem: it allows two or more physical devices to serve requests to a given IP address. At any given time, requests are served by one of them; if that device fails, the others detect it and one of the remaining devices continues serving requests. Besides the default gateway, VRRP can be useful for making other services redundant.
The diagnostic tools built into the switches are very useful for reducing operating costs and speeding up troubleshooting. These include reporting errors and malfunctions via the SNMP and syslog protocols, measuring traffic parameters and resource load via RMON, and analyzing the network topology via the LLDP protocol. Remote diagnostics of individual ports and the cables attached to them using 802.3ah Ethernet OAM can be particularly useful.
Equipment used and its advantages
The described solution proposes QSW-8200 switches for the aggregation ring and QSW-2800 switches for direct connection of users. As the BRAS and edge router, Ericsson Redback products can be used, for example the entry-level model Redback SE-100. This modern equipment has all the properties needed to build the solution. The properties and advantages of all this equipment are described below.
QTECH Multiservice switches
QTECH switches for the access and aggregation layers, through the use of the latest standardized protocols and technologies, provide high network security with guaranteed service for all categories of users and different types of services, including real-time services, VPN and others. QTECH Ethernet switches are built on a modern hardware platform in full compliance with operators' requirements for component reliability, low power consumption, extended temperature range and form factor.
The QSW-2800 and QSW-2850 switches are designed specifically for multiservice networks. They support hundreds of different services at a time and the service models PPPoE Plus (for smooth migration from DSL to Metro Ethernet technologies) and DHCP authorization (IPoE) bound to the access port. They provide convergence of less than 20 milliseconds, as needed for telephony and television services; classification and management of the traffic of different services according to the provider's rules (Selective QinQ, Selective VLAN); technologies protecting the confidentiality of information (IP Source Guard, DAI, Proxy ARP); storm suppression that does not block useful traffic; and advanced network monitoring tools, including L2 SLA (OAM CFM). The QSW-2800 also provides easy connection of corporate clients with VPN services.
Main functional features of QTECH multiservice switches:
Support for port-based and VLAN-based Q-in-Q
Support for ACL-based Selective Q-in-Q
Support for the ERRP protocol (RFC 3619, EAPS) ensuring convergence within 200 milliseconds, with the query solicit function
Ability to filter BPDUs on ingress and egress
Multicast support
Support for IGMPv3, fast leave and IGMP snooping
IGMP querier support
Ability to explicitly specify the port to which the querier is connected
Static subscription to multicast groups
Ability to create allow and deny group lists
Ability to limit bandwidth on FE ports in 1 kbit/s increments
At least 4 QoS queues per port
Support for various queue management policies (SPQ, WRR)
Ability to classify traffic by various characteristics (port, VLAN ID, access lists, 802.1p bits, etc.)
Ability to force traffic marking and re-marking
Network security tools of QTECH multiservice switches:
Ability to configure access lists for management access (protected access)
Support for at least 1000 access lists (ACL) based on IP addresses, TCP/UDP ports and protocol type
Ethernet port security by limiting the number of MAC addresses and binding MAC to IP addresses
Protection against four types of storms: broadcast, multicast, unicast, unknown unicast
IP Source Guard
ARP proxy support
Dynamic ARP inspection
DHCP snooping support
DHCP relay support
DHCP option 82 support
PPPoE Plus support (adds the switch name and port number to the PPPoE request)
IGMP flood protection
CPU protection against network attacks
QTECH multiservice switch management and monitoring tools:
Support for the RADIUS and TACACS+ authorization protocols
Support for full-featured remote management (Telnet, SSH)
Full-featured, intuitive command-line mode for configuration and monitoring
Support for different access levels (privileges)
Support for at least five simultaneous Telnet sessions, with the ability to manually reset a Telnet session
Syslog support with the ability to send messages to multiple servers
Time synchronization support (NTP)
Support for OAM CFM diagnostics (IEEE 802.1ah)
QTECH QSW-8300 routing switches for the aggregation layer also support features important for this layer:
Super VLAN: terminates a group of user VLANs on a single IP interface and implements the «VLAN per user» ideology at the access level and «VLAN per service» at the operator network level
ARP Proxy: prevents mutual visibility of users at the MAC address level. All traffic exchanged between users passes through the aggregation switch, and users see only the MAC address of the aggregation switch as the destination address; the real MAC addresses are hidden from them
Routing protocols OSPF and BGP, for routing the operator's address space (OSPF) and customer address space (BGP)
Multicast routing protocol PIM, for multicast routing
Ericsson Redback SE-100 Functionality
Performance: not less than 7 Mpps with multiple filter rules and services enabled
Traffic control: support for quality of service (QoS), filtering (ACL) and other traffic control rules
Forwarding: hardware-based, on data-path ASICs
Architecture: modular, with separate control and forwarding planes, based on two CPUs (600 MHz each) and two reprogrammable multi-core ASICs (32 cores each)
Ports: two GE combo ports for traffic and one port for management and service traffic pre-installed; up to 6 GE with extension; operation at «wire speed»
Number of supported routes in the IP routing table: 1.5 million routes as standard
Number of MAC addresses supported: 160 thousand
Simultaneously terminated client sessions: 24 thousand
MPLS support and a table of 160 thousand MAC addresses make it possible to offer L2 VPN services.
Up to 1000 BGP peers and 1.5 million routes cover the tasks of a border router, without loss of performance even when the device is simultaneously used as a BRAS and an MPLS PE. It supports 24 thousand simultaneous BRAS sessions, the DHCP authorization service model (IPoE) and termination of user sessions from MPLS. The modular software architecture and the multiprocessor, multi-core hardware platform allow complex tasks to be performed at «wire speed». A single two-unit device solves the tasks of ASBR, BRAS and VPN concentrator in a city network. External Internet bandwidth: 3 GB/s.