ASR 9000 as a high-performance BNG: functionality and use cases

  • Published on
    24-Jun-2015


Transcript

  • 1. ASR 9000 BNG (title slide; the Russian subtitle was not recovered in the transcript)

2. ASR 9000 BNG building blocks (figure; only the block labels survived). Access side: GE / 10GE / 40GE / 100GE ports and L2 Ethernet (EVC / EFP); PPP sessions (PTA / LAC) and IPoE sessions (IP / DHCP); H-QoS; Multicast (P2P, P2MP, MP2MP, MoFRR, LSM, VidMon); L2VPN (L2PE) and L3VPN (L3PE: IP, IP-VPN, any-to-any); Routing and MPLS; CGv6; Video Caching; Redirection; Security; Lawful Intercept; OAM; System Security and Management; AAA, Policy and SLA; OSS / NMS. All on IOS XR.

3. BNG in the EVC (Ethernet Virtual Circuit) / EFP (Ethernet Flow Point) model (figure). EFPs are VLAN-based (802.1q / 802.1ad, QinQ) and can be attached to: L3 subinterfaces (routing); multipoint EVCs (bridging, VPLS, EoMPLS PW); P2P EVCs (EoMPLS PW, VLAN translation 1:1, 2:2, 1:2); and BNG interfaces, where a VLAN carries IP / PPPoE subscribers either 1:1 (one VLAN per subscriber) or N:1 (many subscribers per VLAN, an "ambiguous" VLAN).

4. PTA and LAC forwarding models (figure). PTA (PPP Termination and Aggregation): the BNG is Layer-2 connected to the subscriber over .1Q, QinQ or .1ad on Ethernet, terminates the PPP / IP session and forwards at L3 into native IP (Internet), VRF Lite or MPLS VPNs. LAC (L2TP Access Concentrator): the BNG does not terminate PPP but bridges it into an L2TP tunnel (PPP over L2TP over IP/UDP) toward retailer X's VRF, which can itself be native IP, VRF Lite or an MPLS VPN.

5. Access architectures (figure): Home → VDSL MSAN or FTTX GPON → Aggregation (MPLS) → ASR 9000 BNG/BRAS, with a Video Services Router for IPTV, Triple-Play and video caching (CDS); the BNG can also sit directly behind the MSAN.

6. Service models per access interface / physical port (figure): PPPoE and IPoE terminated into native IP (Internet), VRF Lite or MPLS VPNs; IP wholesale (IPoE or PPP into retailer X's VRF); L2TP wholesale (PPP tunnelled to retailer X via L2TP).

7. (no text recovered)

8. N:1 VLAN example (figure): three subscribers John (10.1.1.10), Mike (10.1.1.20) and Ted (10.1.1.30) share the subinterface G0/1.10 on the BNG, each with its own session; the figure traces traffic between John, Mike and Ted (Ted with VoIP) through G0/1.10. The Russian annotations were not recovered.
9. Subscriber Policy Layer, pull vs. push (figure): the BNG sits between the subscriber and the DHCP server, Web portal, AAA server and Policy server; a Guest portal, an Open Garden and a Walled Garden are the destinations reachable before full authorization.

10. Subscriber Policy Layer (figure): AAA server, Policy server, Web portal and DHCP server on the control side; Internet / Core, Guest portal, video and audio servers, Open Garden and Walled Garden on the forwarding side. Two models: PULL, where the BNG requests policy over RADIUS at session start, and PUSH, where the Policy server changes an active session with RADIUS Change of Authorization (CoA, RFC 3576).

11. First Sign of Life (FSOL), the packet that creates a session: for PPP the PPPoE call request (PADx; the slide marks the PADR), for IP the DHCP Discover. The session-start event is raised for the subscriber MAC; a PPPoE session is identified by MAC + PPP session ID. The BNG acts as DHCP proxy (a DHCP relay that also keeps the DHCP bindings: 1. DHCP bindings, 2. DHCP session-start event). An "unclassified MAC" session can also be created from plain data traffic without DHCP. Sessions are torn down by CoA, from the CLI or by idle-timeout.

12. VLAN models: S-VLAN / C-VLAN, 1:1 (one VLAN per subscriber) or N:1, for PPPoE and IPoE; the session is created on the First Sign of Life (PPPoE PADI, DHCP Discover). Two access-subinterface examples from the slide:

(1) N:1, any inner tag under outer VLAN 100:
   interface Bundle-Ether100.10
    encapsulation dot1q 100 second-dot1q any

(2) 802.1ad outer tag 100 with an inner 802.1q range:
   interface Bundle-Ether100.10
    encapsulation dot1ad 100 dot1q 300-475

Check: on IOS XR a subscriber subinterface whose inner tag is `any` or a range has to be declared with the `ambiguous` keyword (`encapsulation ambiguous dot1q 100 second-dot1q any`); the transcript may have dropped it.

13. Authentication methods: PPP: CHAP / PAP. Transparent Auto Logon (TAL): the username is built from identifiers the BNG already sees (MAC / IP address, DHCP Option 82, DHCP Option 60, C-VLAN / S-VLAN, PPPoE tags ...). Web Logon through a portal.

14. Transparent Auto Logon configuration from the slide:

(1) define the username format; the listed fields fill the %s placeholders in order:
   aaa attribute format USERNAME_FORMAT format-string "%s:%s:%s@bng.cisco.com" remote-id circuit-id vendor-class-id

(2) authorize with that format and a static password (the slide notes a limit of 20 for the username):
   authorize aaa list default format USERNAME_FORMAT password ...

Identifiers available for the format: DHCP Option 82 (remote-id, circuit-id), DHCP Option 60 (vendor-class-id), PPPoE tags (from a PPPoE Intermediate Agent), Phy-slot, Phy-subslot, Phy-port, Outer-vlan-id, Inner-vlan-id.

15. Double-dip AAA: two RADIUS round trips per session. The first Access-Request / Access-Accept returns the subscriber's VRF (retailer X) in a RADIUS VSA; the second Access-Request, made in that VRF's context, returns the user profile with the per-subscriber attributes.

16. Web Logon with HTTP redirect (sequence on the slide): the client opens a TCP connection to any web site (HTTP TCP SYN); the BNG answers the handshake itself (SYN-ACK, ACK) and, when the HTTP GET arrives, returns HTTP 302 (Redirect) with the portal URL, so the browser lands on the Web Logon portal instead of the requested site.
17. Session termination. From the network: RADIUS PoD (Packet of Disconnect), RADIUS CoA Account-Logoff, Web Logoff through the portal / Policy Manager. PPP / PPPoX sessions also end on PPP disconnect, PPP keepalive failure or L2TP hello failure; IP sessions on DHCP Release or DHCP lease expiry.

18. IPoE session lifetime (figure): an IPoE session starts with the DHCP Discover and ends on CoA Account-Logoff, PoD, CLI or DHCP lease expiry. Because the BNG is the DHCP proxy, it can hand the client a shorter lease than the server granted: in the figure the server's lease time is 40 minutes while the DHCP Offer / ACK sent to the client carries 10 minutes, so the client renews more often and a client that silently disappears is detected, and its session removed, within the short lease; the figure shows DHCP renew exchanges on both legs of the proxy.

19. Per-session features: an associated unnumbered interface; MTU (PPP: negotiated in LCP / NCP); keepalives (PPP keepalives); timeouts: idle (from traffic) and absolute (PPP); QoS: MQC H-QoS and pQoS, IGMP / QoS correlation (PPP), traffic conditioning, access-loop overhead accounting (PPP); security: per-user ACLs, uRPF, IP address assignment (PPP address pool, DHCP class), HTTP redirection; traffic forwarding: ACL Based Forwarding (ABF), VRF mapping, L2TP mapping (PPP only), multicast replication in the session (PPP only); accounting: postpaid traffic accounting, interim, broadcast.

20. Dynamic templates (figure): (1) the subscriber requests a service, e.g. Premium HSI; (2) the BNG sends a RADIUS Access-Request with username Premium_HSI and a password; (3) the AAA server answers with an Access-Accept carrying vendor-specific RADIUS attributes; (4) the BNG applies the matching dynamic template, dynamic-template type { ppp | ipsubscriber | service }, to the session.

21. Control policy: a control policy-map (policy-map type control subscriber) holds classes (class type control) and events; for each event the class lists actions plus an execution strategy: do-all, do-until-failure, do-until-success. Events: Session-start (PPPoE, IPoE); Session-activate (PPPoE, after LCP); Authentication / Authorization failure; Authentication / Authorization no-response (RADIUS not answering); Service-stop; Account-Logon (CoA Account-Logon, activate); Account-Logoff (CoA Account-Logoff, deactivate); Timed-policy-expiry. Actions: Authenticate / Authorize (PPP CHAP, TAL), activate / deactivate dynamic templates, Set-timer / Stop-timer, Disconnect.

22. QoS (section divider)
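The two DHCP-proxy behaviours above, the Transparent Auto Logon username built from Option 82 / Option 60 (slide 14) and the shortened client lease that keeps the IPoE session alive only while the client renews (slide 18), as an added example in Python. This is not code from the slides or from IOS XR; the packet bytes, MAC, IPs, circuit-id "olt1/1/3:100", remote-id "CPE-0011" and vendor class "SBC-MODEM" are constructed for the example.

```python
# Added example, not from the slides: a model of the BNG's DHCP-proxy role.
# It derives the Transparent Auto Logon username from DHCP Option 82 / Option 60
# the way the slide's format-string does, and rewrites the server's lease into
# the shorter lease the proxy shows the client. All packet contents are constructed.
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # start of the DHCP option field (RFC 2131)


def parse_options(field: bytes) -> dict:
    """TLV option field after the magic cookie -> {code: value}.
    Code 0 is padding, 255 ends the list (RFC 2132)."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("not a DHCP option field")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(opts: dict) -> bytes:
    """Inverse of parse_options, used here to construct the sample packets."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    return bytes(out) + b"\xff"


def parse_relay_agent_info(value: bytes) -> dict:
    """Option 82 carries sub-option TLVs: 1 = circuit-id, 2 = remote-id (RFC 3046)."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def tal_username(opts: dict, domain: str = "bng.cisco.com") -> str:
    """Same result as the slide's
      aaa attribute format USERNAME_FORMAT format-string "%s:%s:%s@bng.cisco.com"
          remote-id circuit-id vendor-class-id
    the three identifiers fill the %s placeholders in that order."""
    subs = parse_relay_agent_info(opts.get(82, b""))
    remote_id = subs.get(2, b"").decode("ascii", "replace")
    circuit_id = subs.get(1, b"").decode("ascii", "replace")
    vendor_class = opts.get(60, b"").decode("ascii", "replace")
    return f"{remote_id}:{circuit_id}:{vendor_class}@{domain}"


def seconds(opts: dict, code: int) -> int:
    """Value of a 4-byte time option (51 lease, 58 T1, 59 T2) in seconds."""
    return struct.unpack("!I", opts[code])[0]


CLIENT_LEASE = 600   # 10 minutes, the lease the figure shows to the client


def proxy_rewrite_ack(server_opts: dict, client_lease: int = CLIENT_LEASE) -> dict:
    """Toward the client the proxy replaces option 51 with min(server lease, client
    lease) and derives T1/T2 (options 58/59) from it (RFC 2131 defaults 0.5 and 0.875).
    The proxy's own binding keeps the server's lease (40 minutes in the figure)."""
    lease = min(seconds(server_opts, 51), client_lease)
    client_opts = dict(server_opts)
    client_opts[51] = struct.pack("!I", lease)
    client_opts[58] = struct.pack("!I", lease // 2)
    client_opts[59] = struct.pack("!I", lease * 7 // 8)
    return client_opts


class ProxyBinding:
    """One proxy binding: the IPoE session stays up only while the client keeps
    renewing within the client lease, whatever the server lease is."""

    def __init__(self, mac: str, ip: str, server_lease: int, client_lease: int, now: float):
        self.mac, self.ip = mac, ip
        self.server_expiry = now + server_lease
        self.client_lease = client_lease
        self.last_renew = now

    def renew(self, now: float) -> None:
        self.last_renew = now

    def session_alive(self, now: float) -> bool:
        return now - self.last_renew < self.client_lease and now < self.server_expiry


# Constructed DHCP Discover option field: the access node inserted Option 82,
# the CPE itself set Option 60.
DISCOVER = build_options({
    53: b"\x01",                                        # DHCPDISCOVER
    60: b"SBC-MODEM",                                   # vendor class identifier
    82: b"\x01\x0colt1/1/3:100" + b"\x02\x08CPE-0011",  # circuit-id, remote-id
})
# Constructed DHCP ACK option field as the server sends it: 40 minute lease.
SERVER_ACK = build_options({53: b"\x05", 51: struct.pack("!I", 2400)})

if __name__ == "__main__":
    print(tal_username(parse_options(DISCOVER)))
    ack = proxy_rewrite_ack(parse_options(SERVER_ACK))
    print(seconds(ack, 51), seconds(ack, 58), seconds(ack, 59))
```

The username comes out as `CPE-0011:olt1/1/3:100:SBC-MODEM@bng.cisco.com`, and the client receives a 600 s lease (T1 300 s, T2 525 s) while the proxy's binding still runs on the server's 2400 s. A client that stops renewing is considered gone after 600 s, which is the point of the shorter client lease in the figure.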
23. H-QoS (figure): a 4-level hierarchy with a per-subscriber QoS policy of up to 8 queues and strict priority. Subscriber 1: PQ1 VoIP, a bandwidth queue for Internet Premium with WRED, a bandwidth queue for Internet Best Effort; 2R3C (two-rate, three-colour) policers. Subscriber 2: PQ1 VoIP, PQ2 Video, a bandwidth queue for Internet Best Effort; priority propagation up the hierarchy.

24. 4-level QoS, N:1 VLAN: L1 = Port, L2 = VLAN (single or dual tag), L3 = PPP / IP session, L4 = Class. Per subscriber: 3 strict-priority queues + 5 WFQs, shaper, bandwidth at levels 1, 2, 3, BRR (bandwidth remaining ratio); per VLAN: shaper, bandwidth, BRR, multicast. The per-subscriber policy comes from RADIUS or from the CLI through a dynamic template:
   dynamic-template type ipsubscriber IPoE-with-QoS
    service-policy [ input | output ] ...

25. 4-level QoS, 1:1 VLAN: L1 = Port, L2 = S-VLAN, L3 = PPP / IP session, L4 = Class. The same building blocks: per subscriber 3 strict-priority queues + 5 WFQs, shaper, bandwidth at levels 1, 2, 3, BRR; per VLAN shaper, bandwidth, BRR, multicast; applied from RADIUS or CLI via dynamic-template type ipsubscriber IPoE-with-QoS with service-policy [ input | output ].

26. Parameterized QoS (pQoS): the base is an MQC policy; the Policy Manager modifies it for one subscriber with a RADIUS CoA request carrying Cisco AVPairs such as command=account-update and ip:qos-policy-out=add-class(sub, (class), (actions)); the same AVPairs can arrive in the RADIUS Access-Accept. The classes and actions refer to MQC class-maps configured on the BNG.

27. Dynamic MQC policy merge (IOS XR 4.3.1): each service is its own policy-map on the BNG and AAA activates them per subscriber:
   policy-map VOICE: class VOICE, priority 1, police 8k
   policy-map VIDEO: class VIDEO, priority 2, police 256k
   policy-map HSI:   class HSI (class-default), shape 1M
The RADIUS Access-Accept carries AvPair subscriber:sa=VOICE; a later RADIUS CoA request adds subscriber:sa=VIDEO (and HSI), and the BNG merges the activated policy-maps into one policy, MERGED, on the session: class VOICE priority 1 police 8k, class VIDEO priority 2 police 256k, class HSI shape 1M.

28. Service accounting (IOS XR 4.3.1): each service policy-map (VOICE, VIDEO, HSI) carries `accounting service`, so besides session accounting the BNG sends per-service RADIUS accounting (service=VOICE, service=VIDEO, service=HSI) with bytes in/out and packets in/out for each class.

29. (section divider; no text recovered)
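The RADIUS messages behind the PUSH model (slide 10), the PoD / CoA Account-Logoff termination (slide 17) and the CoA-driven service activation of slides 26-27, as an added example in Python: building and verifying RFC 5176 (formerly RFC 3576) Disconnect-Request and CoA-Request packets with the Cisco AVPairs the slides show. This is not code from the slides or from Cisco; the shared secret, packet identifiers and Acct-Session-Id are constructed.

```python
# Added example, not from the slides: RADIUS CoA-Request / Disconnect-Request
# (RFC 5176) as a policy server sends them and as a BNG must verify them.
# Shared secret, identifiers and Acct-Session-Id are constructed; the
# cisco-avpair strings are the ones the slides show.
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43
ATTR_ACCT_SESSION_ID, ATTR_VSA, ATTR_MESSAGE_AUTH = 44, 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def attr(code: int, value: bytes) -> bytes:
    return bytes([code, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping cisco-avpair (vendor 9, vendor-type 1)."""
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def build_request(code: int, identifier: int, secret: bytes, attrs: list) -> bytes:
    """Message-Authenticator = HMAC-MD5(secret, packet) computed with its own value and
    the Request Authenticator zeroed; then Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + attributes + secret) (RFC 5176 section 2.3)."""
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTH, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body)) + bytes(16)
    body = body[:-16] + hmac.new(secret, header + body, hashlib.md5).digest()
    return header[:4] + hashlib.md5(header + body + secret).digest() + body


def parse_attrs(packet: bytes) -> list:
    """[(code, value)] from the attribute area; ValueError on a malformed length."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        out.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return out


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the BNG must check before acting on a CoA/Disconnect: the length, the
    Request Authenticator and the Message-Authenticator (constant-time compares)."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    expected_ra = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected_ra, packet[4:20]):
        return False
    # locate the Message-Authenticator and zero both authenticators for the HMAC
    i, ma_off = 20, None
    for code, value in attrs:
        if code == ATTR_MESSAGE_AUTH and len(value) == 16:
            ma_off = i + 2
        i += 2 + len(value)
    if ma_off is None:
        return False
    zeroed = packet[:4] + bytes(16) + packet[20:ma_off] + bytes(16) + packet[ma_off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(),
                               packet[ma_off:ma_off + 16])


def avpairs(packet: bytes) -> list:
    """cisco-avpair strings in the packet, i.e. the command the policy server sent."""
    pairs = []
    for code, value in parse_attrs(packet):
        if code == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j < len(value):
                if value[j] == CISCO_AVPAIR:
                    pairs.append(value[j + 2:j + value[j + 1]].decode())
                j += value[j + 1]
    return pairs


SECRET = b"coa-secret-example"   # constructed shared secret
SESSION = b"0000001F"            # constructed Acct-Session-Id selecting the session

# PoD: a plain Disconnect-Request (slide 17).
POD = build_request(DISCONNECT_REQUEST, 6, SECRET, [attr(ATTR_ACCT_SESSION_ID, SESSION)])
# CoA Account-Logoff (slide 17).
LOGOFF = build_request(COA_REQUEST, 7, SECRET, [
    attr(ATTR_ACCT_SESSION_ID, SESSION),
    cisco_avpair("subscriber:command=account-logoff"),
])
# CoA account-update activating the VIDEO service policy-map (slides 26-27).
ACTIVATE_VIDEO = build_request(COA_REQUEST, 8, SECRET, [
    attr(ATTR_ACCT_SESSION_ID, SESSION),
    cisco_avpair("subscriber:command=account-update"),
    cisco_avpair("subscriber:sa=VIDEO"),
])

if __name__ == "__main__":
    for name, pkt in (("PoD", POD), ("logoff", LOGOFF), ("activate", ACTIVATE_VIDEO)):
        print(name, pkt[0], len(pkt), verify_request(pkt, SECRET), avpairs(pkt))
```

The order matters: the HMAC is taken with the Request Authenticator field zeroed, because the Request Authenticator is itself computed over the finished attribute list including the Message-Authenticator. A BNG that skips either check, or compares with `==`, lets anyone who can reach the CoA port (UDP 3799) on the BNG tear down or re-police sessions by Acct-Session-Id.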
30. Unicast Reverse Path Forwarding (uRPF) on subscriber sessions: the IP source address of every packet must belong to the session it arrives on (the destination is routed normally). Session identity is MAC + PPP session ID + IP for PPPoE sessions and MAC + IP for IP sessions. Enabled in the dynamic template, L3 only; an ACL can be combined with the check:
   dynamic-template type { ppp | ipsubscriber | service } ...
    ipv4 verify unicast source reachable-via rx

31. ARP security / ARP poisoning protection (figure, as far as it can be read): the BNG is the IPoE gateway 21.0.0.1/24 (MAC=C). Goodgirl / IP-client_a (MAC=A) holds 21.0.0.2 and Badboy / IP-client_b (MAC=B) holds 21.0.0.3, both valid IPs assigned via DHCP. Badboy sends a gratuitous ARP "IP 21.0.0.2 -> MAC=B" to poison the gateway's ARP cache. Because the BNG is the DHCP proxy and keeps the DHCP binding table, it checks every ARP request / reply against the bindings and drops the one whose IP was not assigned to that MAC via DHCP.

32. BNG DDoS protection: IOS XR control-plane protection: CoPP / LPTS policing of control traffic (DHCP, ARP, PPPoE control packets).

33. CoPP for the DHCP control plane (figure): LPTS polices the punted traffic; a protocol policer is shared by all subscribers behind an interface, so a few top talkers ("Bad Actors") can exhaust it: Badboy's DHCP flood starves Goodgirl's legitimate DHCP.

34. CoPP with Bad Actor isolation (figure): packets from an L2 or L3 interface take the punt path through classification, punts and the protocol policer to the control plane. When the protocol policer is exhausted (red box), an analyzer looks at the dropped packets, identifies the Bad Actor by its MAC source address, raises a SYSLOG message and installs a TCAM entry that drops that MAC on the NPU for a penalty period (the slide gives 15, unit not recovered), so the policer serves the other subscribers again.

35. CGN and IPv6 (section divider)

36. BNG with CGN on the ISM (figure): subscriber traffic from the Inside VRF (private IPv4) goes through the ISM (Integrated Service Module) via ServiceApp interfaces (AppSVI, VLAN) to the Outside VRF (public IPv4). Carrier Grade NAT per RFC 4787, RFC 5382 and RFC 5508. ISM capacity on the slide: 20M translations, 1M translations/s, ~15 Gbps.

37. IPv6 and dual stack (IOS XR 4.3.0): v4/v6 dual-stack sessions with QoS, ACL, uRPF, VRF and accounting for both address families; the BNG with CGN on the ISM does NAT44 for the v4 leg while v6 goes natively to the v6 Internet; DS-Lite with the ISM as AFTR; DHCPv6 proxy and DHCPv6 RADIUS proxy; DHCPv6 NA and PD toward the home.
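The three access-side checks described above, per-session uRPF (slide 30), ARP validation against the DHCP-proxy bindings (slide 31) and punt policing with Bad Actor isolation (slides 33-34), as one added example in Python sharing a single binding table. This is a model written for this page, not the slides' or IOS XR's implementation: the 21.0.0.0/24 hosts come from the ARP figure, the MACs A / B / C, the policer rate and burst are constructed, and the penalty time assumes the slide's "15" means seconds.

```python
# Added example, not from the slides: one binding table serving per-session uRPF,
# ARP validation against DHCP-proxy bindings, and a shared punt policer with
# Bad Actor isolation. Hosts from the ARP figure; MACs, rates and the 15 s
# penalty (unit assumed) are constructed. Time is in ms and the token bucket
# counts millitokens so the arithmetic stays exact.
from collections import Counter


class SubscriberTable:
    """IP -> (MAC, PPP session id): from the DHCP proxy for IPoE (session id None),
    from IPCP for PPPoE."""

    def __init__(self):
        self.by_ip = {}

    def bind(self, ip, mac, ppp_session_id=None):
        self.by_ip[ip] = (mac, ppp_session_id)

    def urpf_ok(self, src_ip, ingress_mac, ppp_session_id=None) -> bool:
        """ipv4 verify unicast source reachable-via rx on a subscriber session: the
        source address must belong to the very session the packet came in on
        (PPPoE: MAC + session id + IP, IPoE: MAC + IP)."""
        return self.by_ip.get(src_ip) == (ingress_mac, ppp_session_id)

    def arp_ok(self, sender_mac, sender_ip) -> bool:
        """Accept an ARP request, reply or gratuitous ARP only when the sender IP was
        assigned to that MAC via DHCP, so a spoofed 'IP -> other MAC' is dropped."""
        binding = self.by_ip.get(sender_ip)
        return binding is not None and binding[0] == sender_mac


class PuntPolicer:
    """A protocol policer (say DHCP) shared by all subscribers of an interface, as a
    token bucket, plus Bad Actor logic: when the policer drops, the MAC that offered
    at least `share` of the packets in the current second is dropped before the
    policer for `penalty_s` seconds (the slide's SYSLOG + TCAM drop entry)."""

    def __init__(self, rate_pps, burst, share=0.5, penalty_s=15):
        self.rate, self.cap = rate_pps, burst * 1000        # millitokens per ms, bucket size
        self.tokens, self.last = self.cap, 0
        self.share, self.penalty = share, penalty_s * 1000
        self.window_start, self.offered = 0, Counter()
        self.blocked, self.syslog = {}, []

    def punt(self, mac, now_ms, isolate=True) -> str:
        if self.blocked.get(mac, -1) > now_ms:
            return "drop-bad-actor"                          # TCAM entry hits before the policer
        if now_ms - self.window_start >= 1000:
            self.window_start, self.offered = now_ms, Counter()
        self.offered[mac] += 1
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) *
                          self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return "punt"
        if isolate:                                          # policer exhausted: who did it?
            top, count = self.offered.most_common(1)[0]
            if count >= self.share * sum(self.offered.values()) and \
                    self.blocked.get(top, -1) <= now_ms:
                self.blocked[top] = now_ms + self.penalty
                self.syslog.append(f"BAD_ACTOR {top}: protocol policer exhausted, "
                                   f"dropping for {self.penalty // 1000}s")
                if top == mac:
                    return "drop-bad-actor"
        return "drop-policer"


def arp_figure():
    """Slide 31: gateway 21.0.0.1/24; Goodgirl (MAC A) holds 21.0.0.2 and Badboy (MAC B)
    21.0.0.3, both from DHCP; Badboy sends gratuitous ARP '21.0.0.2 -> MAC B'."""
    t = SubscriberTable()
    t.bind("21.0.0.2", "A")
    t.bind("21.0.0.3", "B")
    t.bind("10.0.0.5", "C", ppp_session_id=1)    # a PPPoE session for the uRPF case
    return {
        "goodgirl_arp": t.arp_ok("A", "21.0.0.2"),
        "badboy_grat_arp": t.arp_ok("B", "21.0.0.2"),
        "urpf_own_ip": t.urpf_ok("21.0.0.2", "A"),
        "urpf_spoofed_neighbour": t.urpf_ok("21.0.0.3", "A"),
        "urpf_wrong_ppp_session": t.urpf_ok("10.0.0.5", "C", ppp_session_id=2),
    }


def flood_figure(isolate):
    """Slides 33-34: Badboy (B) offers DHCP at 100 pps for 3 s against a 10 pps policer
    while Goodgirl (A) sends one DHCP packet per second. Returns {(mac, verdict): count}."""
    p = PuntPolicer(rate_pps=10, burst=10)
    events = [(i * 10, "B") for i in range(300)] + [(505 + s * 1000, "A") for s in range(3)]
    verdicts = Counter()
    for now_ms, mac in sorted(events):
        verdicts[(mac, p.punt(mac, now_ms, isolate))] += 1
    return verdicts

if __name__ == "__main__":
    print(arp_figure())
    print(dict(flood_figure(isolate=False)))
    print(dict(flood_figure(isolate=True)))
```

Without isolation Badboy keeps the shared policer empty and all three of Goodgirl's DHCP packets are policed away; with isolation Badboy gets 11 punts before the bucket runs dry, is flagged at the first drop, and Goodgirl's packets are punted normally for the rest of the run.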
38. Dual-stack AAA (IOS XR 4.3.0): one session, one AAA exchange (Access-Request / Access-Accept), two address families (AF1, AF2). Accounting Start is sent when the first AF gets its framed address; a triggered Accounting Interim is sent when the second AF gets its framed address; periodic Accounting Interims carry the framed addresses and the packet / byte counters of both AFs.

39. IPv6 address assignment (IOS XR 4.3.0): link-local; DHCPv6 NA (stateful, PPPoE and IPoE); DHCPv6 PD (stateful, PPPoE and IPoE); SLAAC (stateless, PPPoE); SLAAC + stateless DHCPv6 (PPPoE and IPoE). Addresses and prefixes come from the DHCPv6 proxy, from the DHCPv6 RADIUS proxy (AAA) or from SLAAC.

40. (section divider; no text recovered)

41. BNG high availability: RSP redundancy with SSO / ISSU; Link Aggregation (LAG); stateless vs. stateful redundancy.

42. BNG over LAG (L2 Bundle-Ethernet): AAA, DHCP, VPN and IP / MPLS all work over the bundle, including QoS; example:
   interface bundle-ether 1
    bundle load-balancing hash dst-ip

43. ASR 9000 nV BNG (figure): the MSAN (VDSL / FTTX GPON, 1GE from the home, nxGE uplinks) is dual-homed with an active/active LAG to two ASR 9000s that form one nV cluster and act as a single BNG with stateful failover toward the Aggregation (MPLS) / Core; no Spanning Tree is needed.

44. (section divider; no text recovered)

45. BNG hardware: chassis ASR 9001, ASR 9006, ASR 9010 and ASR 9922 (from 4.3.1); RSP: A9K-RSP440-SE. Access-facing (BNG) line cards are Typhoon Service Edge (-SE) cards: A9K-24X10GE-SE, A9K-36X10GE-SE (4.3.1), A9K-MOD80/160-SE with MPAs A9K-MPA-2x10GE, A9K-MPA-4x10GE, A9K-MPA-20x1GE. Core-facing (uplink) cards and nV links are separate.

46. Scale: 128,000 subscribers per system (32,000 on ASR 9001); 64,000 per line card; 100-300 (session setup rate; unit not recovered); 192,000 per ASR 9006 / 9010 from 4.3.1.

47. ! (closing slide)
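The accounting sequence of slide 38, one session with two address families, as an added example in Python: a small state machine that emits the Start, triggered Interim, periodic Interim and Stop records. This is a model written for this page, not Cisco code. Attribute names follow RFC 2866 / RFC 3162 (Framed-IP-Address, Framed-IPv6-Prefix, Delegated-IPv6-Prefix); the per-address-family counter keys (ipv4-bytes-in and so on) are labels chosen for the model, not the VSAs IOS XR actually sends; session id, user name and addresses are constructed.

```python
# Added example, not from the slides: dual-stack session accounting as a state
# machine producing RADIUS-style records (dicts). Per-AF counter keys are model
# labels, not IOS XR VSAs; session id, user name and addresses are constructed.
from collections import Counter

FRAMED_ATTR = {"ipv4": "Framed-IP-Address",
               "ipv6": "Framed-IPv6-Prefix",        # DHCPv6 NA / SLAAC address
               "ipv6-pd": "Delegated-IPv6-Prefix"}  # DHCPv6 PD


class DualStackAccounting:
    def __init__(self, session_id, username, interim_interval=600):
        self.session_id, self.username, self.interval = session_id, username, interim_interval
        self.addresses = {}                                  # RADIUS attribute -> value
        self.counters = {"ipv4": Counter(), "ipv6": Counter()}
        self.records, self.start_time, self.last_interim = [], None, None

    def _emit(self, status, now, extra=None):
        rec = {"Acct-Status-Type": status, "Acct-Session-Id": self.session_id,
               "User-Name": self.username, "Event-Timestamp": now, **self.addresses}
        for af, c in self.counters.items():                  # both AFs in every record
            for key in ("bytes-in", "bytes-out", "packets-in", "packets-out"):
                rec[f"{af}-{key}"] = c[key]
        rec.update(extra or {})
        self.records.append(rec)
        return rec

    def assign(self, kind, value, now):
        """First framed address (AF1) -> Accounting Start;
        a later one (AF2) -> triggered Accounting Interim."""
        self.addresses[FRAMED_ATTR[kind]] = value
        if self.start_time is None:
            self.start_time = self.last_interim = now
            return self._emit("Start", now)
        return self._emit("Interim-Update", now, {"trigger": "address-assigned"})

    def count(self, af, bytes_in, bytes_out, packets_in, packets_out):
        """Forwarded traffic is counted per address family."""
        self.counters[af].update({"bytes-in": bytes_in, "bytes-out": bytes_out,
                                  "packets-in": packets_in, "packets-out": packets_out})

    def periodic(self, now):
        """Periodic Interim with both AFs' addresses and counters, or None if not due."""
        if self.start_time is None or now - self.last_interim < self.interval:
            return None
        self.last_interim = now
        return self._emit("Interim-Update", now, {"trigger": "periodic"})

    def stop(self, cause, now):
        return self._emit("Stop", now, {"Acct-Terminate-Cause": cause,
                                        "Acct-Session-Time": now - self.start_time})


def example_session():
    """IPoE dual-stack subscriber: IPv4 via DHCP first, then a delegated IPv6 prefix."""
    s = DualStackAccounting("0000001F", "cpe-0011@bng.cisco.com")
    s.assign("ipv4", "10.1.1.10", now=0)
    s.assign("ipv6-pd", "2001:db8:100::/56", now=4)
    s.count("ipv4", 1200, 3400, 10, 12)
    s.count("ipv6", 800, 9000, 6, 30)
    s.periodic(now=300)                 # not due yet, returns None
    s.periodic(now=600)
    s.stop("User-Request", now=700)     # e.g. after a CoA Account-Logoff
    return s.records

if __name__ == "__main__":
    for rec in example_session():
        print(rec["Acct-Status-Type"], rec.get("trigger", ""), rec)
```

The sequence a RADIUS server sees is Start (IPv4 only), Interim-Update triggered by the IPv6 prefix, periodic Interim-Update with both counter sets, then Stop with Acct-Session-Time; a collector that expects one Start per address family will misread a dual-stack session.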