Slide 2: Carrier Ethernet Aggregation System
[Diagram: end-to-end architecture. Residential (STB), business and corporate subscribers connect through DSL access nodes and Ethernet access nodes (the access edge) into the Carrier Ethernet aggregation network (MPLS/IP aggregation nodes, distribution nodes, residential BNG, business MSE) and on to the IP/MPLS core with DPI and SBC. Supporting systems: identity and address management, portal, subscriber database, monitoring, policy definition, billing, service exchange. Content network: VoD, TV, SIP.]
Slide 3: Video and Multicast
[Diagram: Broadcast TV using Multicast CAC: STB channel request / IPTV channel change, available-bandwidth checks in the network and at the policy server, request denied/accepted (steps 1-4). Video on Demand using RSVP-CAC: VoD request towards the VoD servers, available-bandwidth checks in the network and at the policy server, request denied/accepted (steps 1-4).]
Unmatched, end-to-end connection admission control manages network over-subscription to avoid video packet loss.
Slide 4: Measuring IPTV Quality of Experience
Proactive Measurement Required
Collecting Statistics for Video/IPTV Packet Loss Rate (PLR): periodically collect MIB counters/data for each channel/stream. Difficult and time-consuming to detect low levels of packet loss with any statistical significance; not proactive!
Track RTP Sequence Numbers per IPTV Channel / Stream: accurate loss statistics, as it can detect low levels of loss on each IPTV stream near instantaneously. Can also be used to measure jitter. Complements STB quality data (RTCP reports, MPEG PQR, etc.)
Loss Recovery/Concealment Options: RTP Retransmissions, FEC
RTP Stream Monitoring, RTP Stream Alarms
More analysis on demand: the network can non-intrusively copy streams situationally/on demand. Send the stream copy to appliances, local or back in a VOC, for more detailed analysis (MDI, MOS, etc.)
Supported on Cisco 7600 NAM Release 3.5
Slide 5: Cisco VQE — Video Error Repair
Reduces SP OpEx and Customer Churn: avoids costly help desk calls. Enhances Customer Video Experience Quality: delivers better video.
[Diagram: STB, DSLAM and VQE server; an I-frame/P-frame/B-frame sequence with one packet missing.]
1. STB detects packet loss
2. STB sends standards-based message to VQE
3. VQE re-transmits missing packet
4. STB re-sequences video stream
Error repair done in less than 100 ms. Uses standard RTP/RTCP protocol.
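The per-stream RTP sequence-number tracking that slide 4 recommends and that step 1 of the VQE slide relies on (detect loss near instantaneously, derive jitter from the same packets), as an added example that is not Cisco NAM or VQE code. It assumes MPEG-2 TS over RTP with the 90 kHz RTP clock and the 12-byte fixed RTP header; the packets, SSRC and arrival times are constructed.

```python
import struct
from dataclasses import dataclass, field

def parse_rtp_header(pkt: bytes):
    """Return (ssrc, seq, timestamp) from the 12-byte fixed RTP header (RFC 3550)."""
    if len(pkt) < 12 or (pkt[0] >> 6) != 2:
        raise ValueError("not an RTP version 2 packet")
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return ssrc, seq, ts

@dataclass
class StreamStats:
    expected_seq: int = None                   # next sequence number we expect
    received: int = 0
    lost: list = field(default_factory=list)   # sequence numbers never seen
    jitter: float = 0.0                        # RFC 3550 interarrival jitter, in clock ticks
    last_transit: int = None

    def update(self, seq: int, rtp_ts: int, arrival_ts: int) -> None:
        self.received += 1
        if self.expected_seq is not None:
            gap = (seq - self.expected_seq) & 0xFFFF          # 16-bit wraparound
            if 0 < gap < 0x8000:                               # forward gap: packets missing
                self.lost.extend((self.expected_seq + i) & 0xFFFF for i in range(gap))
            # gap >= 0x8000 is a late or duplicate packet and is not counted as loss here
        self.expected_seq = (seq + 1) & 0xFFFF
        transit = arrival_ts - rtp_ts                          # both in RTP clock ticks
        if self.last_transit is not None:
            d = abs(transit - self.last_transit)
            self.jitter += (d - self.jitter) / 16.0            # J = J + (|D| - J) / 16
        self.last_transit = transit

def make_rtp(seq: int, ts: int, ssrc: int = 0x1234) -> bytes:
    # Constructed packet: RTP v2, payload type 33 (MPEG-2 TS), one 188-byte TS cell
    return struct.pack("!BBHII", 0x80, 33, seq & 0xFFFF, ts, ssrc) + b"\x47" + b"\x00" * 187

def monitor(packets):
    """packets: iterable of (raw_rtp, arrival_ts in clock ticks); returns stats per SSRC."""
    stats = {}
    for pkt, arrival in packets:
        ssrc, seq, ts = parse_rtp_header(pkt)
        stats.setdefault(ssrc, StreamStats()).update(seq, ts, arrival)
    return stats

# Constructed capture on a 90 kHz clock: one packet per millisecond, seq 65534 and 2 dropped
# across the 16-bit wrap, arrival delay alternating 100/109 ticks so jitter is non-zero.
SEQS = [65532, 65533, 65535, 0, 1, 3, 4]
SAMPLE = [(make_rtp(s, 1000 + i * 90), 1000 + i * 90 + 100 + 9 * (i % 2))
          for i, s in enumerate(SEQS)]
```

The `lost` list is exactly the per-stream detail a MIB counter cannot give: which packets are missing, available as soon as the next packet arrives.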
Slide 6: Extensive Cisco Family of IP-STBs: Delivering the subscriber experience
IPN 330HD, High Definition Set-top-box: single SD or HD plus PIP decode
IPN430MC, Digital Video Recorder: single SD or HD plus PIP decode; fanless DVR (80 GB typical); whole house server
IPN603MCG, Multi-stream DVR Gateway: one set-top for the entire home (3 decoders-in-one); HD to primary TV; two SD/RF outputs to other TVs; fanless DVR (80 GB typical)
Models with DVB & SCART I/F are also available for Europe
Slide 7: Service Providers require us to have a deep understanding of the overall value space…
[Diagram: consumers, applications & services, devices, networks & systems, service providers, content providers]
Slide 9: Cisco ME Series Switches Product Positioning
[Diagram: from Demarc/CPE (residential STB, business, corporate, WiMAX CPE) through Access (ME3400-24FS, ME3400-24TS, ME3400G-2CS, ME3400G-12) and Aggregation/Edge (7600) to the Core (CRS-1); Internet, broadcast video content and PSTN attach beyond the core.]
Slide 10: Multicast features
IGMP Snooping helps enable intelligent management of multicast traffic by examining IGMP messages.
IGMP Fast Leave provides a fast channel-changing capability for IPTV services.
IGMP filtering provides control of groups each user can access.
IGMP Throttling controls the maximum number of multicast groups each user can access.
IGMP Proxy allows users anywhere on a downstream network to join an upstream sourced multicast group.
Slide 13: Added features to SRW products (Service Provider Switches)
#  Feature
1  Storm Control includes unknown Unicast
2  Firefox Web Browser
3  DHCP Relay Option 82 at Layer 2
4  DHCP Snooping
5  IP Source Guard
6  Dynamic ARP inspection
7  DHCP Guard (included in Snooping) – termed DHCP trusted interface
8  Multiple MAC Authentications (MAC based 802.1X)
9  802.1X - Per User (each new user needs to be authenticated)
10 MVR
11 Q-in-Q (Port based)
12 STP Root Guard
13 CLI
Slide 14: Added Features description (1)
Storm Control: Protects your organization's LAN from broadcast storms, which can cause network slowdowns if they become severe.
Firefox Web Browser: Cross-platform browser, providing support for various versions of Microsoft Windows, Mac OS X, and Linux. Note that current testing is only performed on Windows platforms.
DHCP Relay Option 82: Allows a DHCP Relay Agent to insert circuit-specific information into a request that is being forwarded to a DHCP server.
DHCP Snooping: A security feature that filters untrusted DHCP messages. Protects clients on the network from associating with an unauthorized DHCP server and eliminates rogue devices acting as a DHCP server.
Slide 15: Added Features description (2)
IP Source Guard: Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. Prevents IP address spoofing.
Dynamic ARP inspection: Prevents man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) packets.
DHCP Guard (DHCP trusted interface): Protects clients on the network from associating with an unauthorized DHCP server.
(Multiple) MAC Authentications: A means of authenticating without the user login required by the web-based and 802.1X methods.
Slide 16: Added Features description (3)
802.1X - User: A per-user (per session) access control protocol. Each user connected to a switch port goes through the 802.1X authentication process before being allowed to send data.
MVR: Multicast VLAN Registration. Reduces duplication of multicast traffic across multiple VLANs in Layer 2 ring networks by centralizing the distribution of multicast traffic in a single video VLAN.
Q-in-Q: Tunneling an 802.1Q packet inside another 802.1Q packet to distinguish different customers' VLANs. SPs might use Q-in-Q if they are providing Metro Ethernet service to multiple customers for high-speed metropolitan-area network (MAN) connectivity.
Slide 17: Added Features description (4)
STP Root Guard: Allows a device to participate in STP (Spanning Tree Protocol) as long as the device does not try to become the root.
CLI: Command Line Interface. A means of communication between a program and its user, based on textual input and output. Commands are input with the help of a keyboard or similar device and are interpreted and executed by the program. The user sees the command line on the monitor and a prompt that is waiting to accept instructions from the user.
Slide 18: Metro Access Security Mechanisms: Subscriber Security
One of the biggest concerns in using a shared Ethernet Access device for multiple customers is how to prevent one customer from affecting another customer.
Security Concern → Use:
DHCP Rogue Server → DHCP Snooping
IP Address Spoofing → DHCP Snooping + IP Source Guard
ARP Spoofing (Man-in-the-Middle) → DHCP Snooping + Dynamic ARP Inspection
Layer 2 Isolation across switches → Private VLAN Edge (PVE)
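An added example, not from the slides or from any switch software, of why the table pairs the three features: a DHCP snooping binding table is populated only from server replies seen on trusted ports, and IP Source Guard and Dynamic ARP Inspection then validate untrusted-port traffic against it. Port names, MAC addresses and IP addresses are constructed.

```python
class AccessSwitch:
    """Models the DHCP snooping binding table and the per-port checks that IP Source Guard
    (IP header) and Dynamic ARP Inspection (ARP body) apply on untrusted subscriber ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the legitimate DHCP server
        self.pending = {}                   # (vlan, mac) -> port of a client awaiting a lease
        self.bindings = {}                  # (vlan, mac) -> (ip, port) learned from a DHCP ACK

    def dhcp_message(self, port, vlan, kind, client_mac, ip=None) -> bool:
        """Return True if the message is forwarded, False if DHCP snooping drops it."""
        if kind in ("OFFER", "ACK"):
            if port not in self.trusted:    # server message arriving on a subscriber port: rogue
                return False
            if kind == "ACK" and (vlan, client_mac) in self.pending:
                self.bindings[(vlan, client_mac)] = (ip, self.pending.pop((vlan, client_mac)))
            return True
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port
            return True
        return False

    def _bound(self, port, vlan, mac, ip) -> bool:
        if port in self.trusted:            # the checks apply to untrusted ports only
            return True
        return self.bindings.get((vlan, mac)) == (ip, port)

    def ip_packet(self, port, vlan, src_mac, src_ip) -> bool:
        """IP Source Guard: source IP and MAC must match the lease snooped on this port."""
        return self._bound(port, vlan, src_mac, src_ip)

    def arp_packet(self, port, vlan, sender_mac, sender_ip) -> bool:
        """Dynamic ARP Inspection: ARP sender IP and MAC must match a snooped binding."""
        return self._bound(port, vlan, sender_mac, sender_ip)

def scenario():
    """Constructed traffic: subscriber A leases 10.0.0.11 on Fa0/1; a host B on Fa0/2 misbehaves."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    a, b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.dhcp_message("Fa0/1", 10, "REQUEST", a)
    sw.dhcp_message("Gi0/24", 10, "ACK", a, ip="10.0.0.11")
    return {
        "rogue_offer_dropped": not sw.dhcp_message("Fa0/2", 10, "OFFER", a, ip="10.0.0.99"),
        "a_ip_forwarded": sw.ip_packet("Fa0/1", 10, a, "10.0.0.11"),
        "b_spoofing_a_dropped": not sw.ip_packet("Fa0/2", 10, b, "10.0.0.11"),
        "b_gateway_arp_dropped": not sw.arp_packet("Fa0/2", 10, b, "10.0.0.1"),
        "a_arp_forwarded": sw.arp_packet("Fa0/1", 10, a, "10.0.0.11"),
    }
```

Without the snooping table neither guard has anything to compare against, which is why the slide lists DHCP Snooping as a prerequisite for both.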
Slide 19: Subscriber Security
What It Does: Private VLANs partition a regular VLAN domain into subdomains, consisting of a pair of VLANs: a primary VLAN and a secondary VLAN.
Two types of Secondary VLANs: Isolated VLANs—ports within an isolated VLAN cannot communicate with each other at the Layer 2 level – supported with SPS switches. Community VLANs—ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level – only supported with Cisco Catalyst switches.
Benefit: In addition to addressing service provider VLAN ID scalability and IP address management issues, the Private VLAN feature offers Layer 2 separation across switches.
[Diagram: Private VLAN domain with a primary VLAN split into subdomains, one secondary community VLAN and one secondary isolated VLAN.]
Slide 20: Switch Security
What It Does: Rate limiters can limit traffic per VLAN, port or user to mitigate the impact of packet-blasting worms and limit the amount of traffic a user can send onto the network. Can rate limit using either traffic policing or shaping functions.
Benefit: Prevents a malicious user from flooding the network with traffic, affecting other users and the management of the network itself.
[Diagram: Rate Limiting. A 100 Mbps port with a 20 Mbps allowance, the remaining 80 Mbps being "overage"; management traffic is given highest priority.]
Slide 21: Switch Security
What It Does: SSH is a protocol that can provide secure connections to a remote device for management. Data is sent through an encrypted tunnel (DES or 3DES) to secure transmission and integrity of data. Authenticates users and ensures secure file transfer and copying. To use this feature, you must install the cryptographic (encrypted) software image on your switch.
Benefit: Both sides of the tunnel are authenticated so that man-in-the-middle attacks are prevented and critical management information is not compromised. Provides improved security compared to Telnet sessions by providing strong encryption once a device is authenticated. Protects passwords and configuration information.
[Diagram: Privacy (using SSH for encryption). A network admin's Telnet login to an edge switch ("telnet foo.bar.org", username dan, password) is readable by an eavesdropper; with Secure Shell (SSH) the same session appears to the eavesdropper as ciphertext (username "@#r);", password "%a)t#>").]
Slide 22: Network Security: Access Control Lists (ACLs)
What It Does:
ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs
An ACL is a sequential collection of permit and deny conditions (ACEs) that apply to packets
IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
Ethernet (MAC) ACLs are used to filter non-IP traffic
Port, VLAN and Router ACLs are supported
Benefit:
Restrict network use by certain users or devices
Administrators can selectively apply extended ACLs based on the time of day and week for added flexibility and/or automation
Slide 24: Deployment / Application Lifecycle
Phases of a Service Control deployment:
1. Usage Analysis
• Objectives: Monitor traffic distribution & usage patterns
• Network topology: Receive only
2. Global Traffic Optimization
• Objectives: Improve network experience & reduce operational expense
• Network topology: Active mode
3. Subscriber Service Creation
• Objectives: Service creation, subscriber differentiation billing and value-added services
• Integrated into back office (AAA, billing, Policy-Server)
[Diagram: back-office components DHCP, Portal, AAA, Policy and Subscriber Profile attached to the three phases.]
Slide 25: Process of Service Control
Intelligent inspection and control of IP packets:
… Classify to end-user application; determine application semantics
… Map to subscriber identity, policy and state
… Select action based on network condition: time of day, congestion, other concurrent activities
… Take action: Block, Redirect, Set QoS, Mark
[Diagram: Subscriber, Application and Network Condition as the inputs to the action selection.]
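The four steps above as one decision pipeline, added here as an illustration and not SCA-BB code: the signature table, subscriber map, peak window, tier names and the "concurrent activity" counter are assumptions standing in for the SCE classifier, the subscriber manager and the policy server.

```python
from dataclasses import dataclass
from datetime import time

# Constructed stand-ins for the classifier, the subscriber manager (identity from
# DHCP/AAA) and the policy server; real deployments load these from the back office.
APP_SIGNATURES = {(6, 80): "web", (6, 443): "web", (17, 5060): "voip", (6, 6881): "p2p"}
SUBSCRIBERS = {"10.1.1.5": ("sub-0001", "gold"), "10.1.1.9": ("sub-0002", "basic")}
PEAK_START, PEAK_END = time(18, 0), time(23, 0)

@dataclass
class Flow:
    src_ip: str
    proto: int      # 6 = TCP, 17 = UDP
    dst_port: int

@dataclass
class NetworkCondition:
    now: time
    congested: bool

@dataclass
class Decision:
    subscriber: str
    app: str
    action: str     # Block, Redirect, Set QoS, Mark, or Forward (no action)

class ServiceControl:
    def __init__(self):
        self.active = {}    # subscriber -> number of p2p flows seen so far (subscriber state)

    def classify(self, flow: Flow) -> str:
        return APP_SIGNATURES.get((flow.proto, flow.dst_port), "unknown")

    def decide(self, flow: Flow, cond: NetworkCondition) -> Decision:
        app = self.classify(flow)                                   # step 1: application
        sub, tier = SUBSCRIBERS.get(flow.src_ip, (None, None))       # step 2: subscriber
        if sub is None:
            return Decision("unknown", app, "Redirect")              # unmapped host -> portal
        peak = PEAK_START <= cond.now <= PEAK_END                    # step 3: condition
        if app == "p2p":
            concurrent = self.active.get(sub, 0)
            self.active[sub] = concurrent + 1
            if tier == "basic" and peak and cond.congested:
                return Decision(sub, app, "Block")      # step 4: protect the congested link
            if concurrent >= 3:
                return Decision(sub, app, "Set QoS")    # many concurrent transfers: bulk class
            return Decision(sub, app, "Mark")           # tag for lower priority upstream
        if app == "voip":
            return Decision(sub, app, "Set QoS")        # voice gets the priority class
        return Decision(sub, app, "Forward")
```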
Slide 26: Solution Overview
[Diagram: the Service Control Engine sits between Subscribers and the Network; around it the Subscriber Manager, AAA/DHCP/RADIUS, Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager and Policy Server.]
Modular solution: Includes SCE devices, management tools and integration APIs
Slide 27: Service Control Platforms
                         SCE2020                        SCE1010
Interfaces               4-GBE (fiber SX/LX)            2-GBE (fiber SX/LX)
Mgmt. Interface          2 x 10/100/1000 FE             2 x 10/100/1000 FE
Network configuration    Receive-only, Inline, Cascade  Receive-only, Inline
Processor Memory         1.5GB                          768MB
Max. Flows               2M (1M bi-directional)         2M (1M bi-directional)
Max Subscriber-Contexts  80,000                         40,000
Slide 28: Network Insertion Point
Typical insertion point—Broadband Edge/Aggregation
Directly after subscriber-aggregator (B-RAS/CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
IP/Tunneling environment
Network redundancy
Split-flow
Slide 29: SCA-BB Topology Configurations
Inline — single SCE platform inline (default)
Monopath – using both links on an SCE2020
Receive-only — single SCE platform receive-only (optical splitters or Port-Span)
Inline-cascade — two cascaded SCE platforms inline
Receive-only-cascade — two cascaded SCE platforms receive-only
Multi-Gig Cluster (MGSCP)
MPLS-VPN Configurations
Value Added Services Configurations
SCE API Interconnects (SM – PRPC, ISG/PS – SCMP)
Slide 30: Inline and Receive-Only Configurations
Receive-only configuration: GIG-E using optical splitters/Port-Span; FE using Port-Span. Traffic monitoring only.
Inline configuration: engine installed in the data path. Monitor and control traffic.
[Diagram: optical splitters on the links between the Subscribers side and the Network side.]
Slide 31: Transparent Topologies
Two monopath: single SCE2000 on 2 links. Bypass config: fail closed.
Asymmetric 1+1: Active/Active; SCE on each link. SCE2000 cascade resolves asymmetric routing. Bypass config: fail open.
[Diagram: SCE2000 between the Subscribers side (S1, S2) and the Network side (N1, N2) on two active links; in the asymmetric 1+1 case a Master and a Slave SCE2000 are cascaded, one per link.]
Slide 32: Active/Standby Schemes
1+0 (SCE1000, SCE2000): Active/Standby; SCE on the active link. On failure the network uses the alternate path. No service redundancy. Bypass config: fail open.
1+1 (SCE1000, SCE2000): Active/Standby; SCE on each link. On failure the network uses the alternate path. The standby SCE resumes service. Bypass config: fail open.
[Diagram: one active link and standby links through the SCEs.]
Slide 33: SCE2000 Cascade for High Availability
Resolves split flow between two links
SCE2000 cascade feature ensures flow consistency
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy/state information
Roles change on failure of primary path
[Diagram: Master and Slave SCE2000, one on each active link.]
Slide 34: Multi-Gig Cluster Solution
Split flows between more than two GBE links
The SCEs are hairpinned off redundant 6500/7600 switches; matching EtherChannels on the 6500/7600 ensure that the traffic of a single subscriber flows to the same SCE
Can use PBR as well
Support for N+1 configuration through EC failover
[Diagram: BRASs/CMTSs connect to redundant 7600/6500 switches, which hairpin traffic through a set of SCE 2000s on the way to the core routers.]
Slide 35: New 10Gig DPI: SCE8000
Chassis hosting the SPA modules and DPI modules. 4-slot chassis:
Slots #1 & #2: DPI Modules/Blades
Slot #3: 10G SPA jacket card
Slot #4: Internal Optical Bypass
[Diagram: Internal Optical Bypass (optional); two DPI modules (2nd is optional); SPA jacket card with 4 x 10Gig SPAs.]
Slide 36: Cisco + Scientific Atlanta: Delivering Glass-to-Glass Integrated IPTV Solutions
[Diagram: integrated end-to-end platform (order-to-bill, system integration) spanning Home Network & Devices, the Carrier IP Network, Video Control, Video Headend and BSS/OSS, under the labels IP DNA, Video DNA and Home Net DNA; tagline "Preserve Video Experience".]