Posted 18-Jul-2015

Cisco Systems – Presentation

Yasen Spasov

[email protected]

Carrier Ethernet Aggregation System

(Diagram: Core Network (IP/MPLS) with DPI and SBC; Aggregation Network (MPLS/IP) built from Distribution Nodes and Aggregation Nodes; Access Edge / Carrier Ethernet Aggregation with DSL Access Nodes and Ethernet Access Nodes serving Residential (STB) and Business/Corporate customers; Residential BNG and Business MSE at the edge.)

Service layer: Identity and Address Management, Portal, Subscriber Database, Monitoring, Policy Definition, Billing, Service Exchange; Content Network with VoD, TV and SIP.

Video and Multicast

Broadcast TV (Multicast CAC): Broadcast Source, Policy Server and Available Bandwidth Check. Sequence: (1) IPTV channel change / Channel Request, (2) Available Bandwidth Check, (3)-(4) Request Denied/Accepted.

Video on Demand (RSVP-CAC): VoD Servers, Policy Server and Available Bandwidth Check. Sequence: (1) VoD Request, (2) Available Bandwidth Check, (3)-(4) Request Denied/Accepted.

Unmatched, end-to-end connection admission control manages network over-subscription to avoid video packet loss.

Measuring IPTV Quality of Experience: Proactive Measurement Required

Collecting statistics for Video/IPTV Packet Loss Rate (PLR):
- Periodically collect MIB counters/data for each channel/stream
- Difficult and time-consuming to detect low levels of packet loss with any statistical significance; not proactive!

Track RTP sequence numbers per IPTV channel/stream:
- Accurate loss statistics, as it can detect low levels of loss on each IPTV stream near instantaneously
- Can also be used to measure jitter
- Complements STB quality data (RTCP reports, MPEG PQR, etc.)
- Loss recovery/concealment options: RTP retransmissions, FEC
- RTP stream monitoring, RTP stream alarms

More analysis on demand:
- The network can non-intrusively copy streams situationally / on demand
- Send the stream copy to appliances, local or back in a VOC, for more detailed analysis (MDI, MOS, etc.)
- Supported on Cisco 7600 NAM Release 3.5

Cisco VQE: Video Error Repair

Reduces SP OpEx and customer churn (avoids costly help desk calls); enhances customer video experience quality (delivers better video).

Repair sequence (diagram: STB, DSLAM and VQE; an I-frame / P / B frame sequence with one packet missing):
1. STB detects packet loss
2. STB sends a standards-based message to the VQE
3. VQE re-transmits the missing packet
4. STB re-sequences the video stream

Error repair is done in less than 100 ms. Uses the standard RTP/RTCP protocol.
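The per-stream RTP sequence tracking described on the two slides above (loss detection, jitter, and the list of missing packets a retransmission request carries), as an added example that is not code from the presentation or from Cisco; the packets, clock rate and stream are constructed for illustration:

```python
import struct

def rtp_header(seq, ts, ssrc=0x1234ABCD, pt=33):
    """Constructed 12-byte RTP header (RFC 3550): V=2, PT 33 = MPEG-2 TS."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)

class RtpStreamMonitor:
    """Added example: tracks one IPTV stream's missing sequence numbers
    (what an RTCP retransmission request would list) and RFC 3550 jitter."""
    def __init__(self, ticks_per_ms=90):       # 90 kHz RTP clock for video
        self.ticks_per_ms = ticks_per_ms
        self.expected = None                   # next sequence number expected
        self.received = 0
        self.missing = []                      # sequence numbers never seen
        self.jitter = 0.0                      # interarrival jitter, in RTP ticks
        self._last_transit = None

    def packet(self, data, arrival_ms):
        _, _, seq, ts, _ = struct.unpack("!BBHII", data[:12])
        self.received += 1
        if self.expected is None:
            self.expected = seq
        gap = (seq - self.expected) & 0xFFFF   # 16-bit wrap-safe distance
        if gap < 0x8000:                       # in order, or a forward jump (loss)
            self.missing.extend((self.expected + i) & 0xFFFF for i in range(gap))
            self.expected = (seq + 1) & 0xFFFF
        elif seq in self.missing:              # late arrival of a packet thought lost
            self.missing.remove(seq)
        # RFC 3550 jitter estimate: smoothed change in transit time
        transit = arrival_ms * self.ticks_per_ms - ts
        if self._last_transit is not None:
            self.jitter += (abs(transit - self._last_transit) - self.jitter) / 16.0
        self._last_transit = transit

    def loss_rate(self):
        total = self.received + len(self.missing)
        return len(self.missing) / total if total else 0.0

def demo():
    """Constructed stream: seq 65533..6 (crosses the wrap), one packet every
    3 ms, with seq 2 and 3 dropped and seq 5 arriving 1 ms late."""
    mon = RtpStreamMonitor()
    for i in range(10):
        seq = (65533 + i) & 0xFFFF
        if seq in (2, 3):
            continue
        mon.packet(rtp_header(seq, i * 270), i * 3 + (1 if seq == 5 else 0))
    return mon
```

A real monitor would also key streams by SSRC and destination group and raise an alarm when the loss rate or jitter crosses a threshold.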

Extensive Cisco Family of IP-STBs: Delivering the subscriber experience

- IPN 330HD, High Definition Set-top-box: single SD or HD plus PIP decode
- IPN430MC, Digital Video Recorder: single SD or HD plus PIP decode; fanless DVR (80 GB typical); whole house server
- IPN603MCG, Multi-stream DVR Gateway: one set-top for the entire home (3 decoders-in-one); HD to the primary TV; two SD/RF outputs to other TVs; fanless DVR (80 GB typical)

Models with DVB & SCART I/F are also available for Europe.

Deliver Video

Service Providers require us to have a deep understanding of the overall value space: consumers, applications & services, devices, networks & systems, service providers, content providers.

Metro Ethernet Switches (WWW.LINKSYS.COM)

Cisco ME Series Switches Product Positioning

(Diagram: Access (Residential STB, Business/Corporate, WiMAX, CPE) to Aggregation Edge to Core (7600, CRS-1), with Internet, Broadcast Video Content and PSTN attached. Products positioned from Demarc/CPE towards Aggregation: ME3400-24FS, ME3400-24TS, ME3400G-2CS, ME3400G-12.)

Multicast features

- IGMP Snooping helps enable intelligent management of multicast traffic by examining IGMP messages.
- IGMP Fast Leave provides a fast channel-changing capability for IPTV services.
- IGMP Filtering provides control of the groups each user can access.
- IGMP Throttling controls the maximum number of multicast groups each user can access.
- IGMP Proxy allows users anywhere on a downstream network to join an upstream-sourced multicast group.
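How snooping, filtering, throttling and fast leave interact on one access port, as an added example (not code from the presentation or from any Cisco switch); the IGMPv2 messages and the port names are constructed, and the checksum is left at zero because only the control logic is shown:

```python
import ipaddress
import struct

MEMBERSHIP_REPORT, LEAVE_GROUP = 0x16, 0x17   # IGMPv2 message types

def igmp(msg_type, group):
    """Constructed IGMPv2 message: type, max-resp, checksum (left 0), group."""
    return struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.ip_address(group).packed)

class IgmpSnoopingSwitch:
    """Added example: snooping table with per-port IGMP filtering (allowed
    group range), IGMP throttling (max groups per port) and fast leave."""
    def __init__(self, allowed, max_groups):
        self.allowed = ipaddress.ip_network(allowed)   # filter profile
        self.max_groups = max_groups                   # throttling limit
        self.groups = {}                               # group -> set of ports
        self.log = []

    def port_groups(self, port):
        return {g for g, ports in self.groups.items() if port in ports}

    def receive(self, port, data):
        msg_type, _, _, raw = struct.unpack("!BBH4s", data)
        group = ipaddress.ip_address(raw)
        if msg_type == LEAVE_GROUP:
            # Fast leave: prune the port now instead of waiting for a query timeout
            if group in self.groups:
                self.groups[group].discard(port)
                if not self.groups[group]:
                    del self.groups[group]
            return "pruned"
        if msg_type != MEMBERSHIP_REPORT:
            return "ignored"
        if group not in self.allowed:                  # IGMP filtering
            self.log.append(f"{port}: join {group} denied by filter")
            return "filtered"
        joined = self.port_groups(port)
        if group not in joined and len(joined) >= self.max_groups:   # throttling
            self.log.append(f"{port}: join {group} exceeds max-groups {self.max_groups}")
            return "throttled"
        self.groups.setdefault(group, set()).add(port)
        return "joined"

    def forward_ports(self, group):
        """Ports that receive traffic for a group; empty means no snooped receiver."""
        return sorted(self.groups.get(ipaddress.ip_address(group), ()))
```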

Linksys SP Switches (WWW.LINKSYS.COM)

ID Design: SPS208G, SPS224G4, SPS2024

Added features to SRW products (Service Provider Switches)

Feature #:
1. Storm Control includes unknown Unicast
2. Firefox Web Browser
3. DHCP Relay Option 82 at Layer 2
4. DHCP Snooping
5. IP Source Guard
6. Dynamic ARP Inspection
7. DHCP Guard (included in Snooping) – termed DHCP trusted interface
8. Multiple MAC Authentications (MAC-based 802.1X)
9. 802.1X - Per User (each new user needs to be authenticated)
10. MVR
11. Q-in-Q (port based)
12. STP Root Guard
13. CLI

Added Features description (1)

Storm Control: Protects your organization's LAN from broadcast storms, which can cause network slowdowns if they become severe.

Firefox Web Browser: Cross-platform browser, providing support for various versions of Microsoft Windows, Mac OS X, and Linux. Note that current testing is only performed on Windows platforms.

DHCP Relay Option 82: Allows a DHCP relay agent to insert circuit-specific information into a request that is being forwarded to a DHCP server.

DHCP Snooping: A security feature that filters untrusted DHCP messages. Protects clients on the network from pairing up with an unauthorized DHCP server and eliminates rogue devices acting as DHCP servers.

Added Features description (2)

IP Source Guard: Provides per-port IP traffic filtering of the assigned source IP addresses at wire speed. It dynamically maintains per-port VLAN ACLs based on IP-to-MAC-to-switch-port bindings. Prevents IP address spoofing.

Dynamic ARP Inspection: Prevents man-in-the-middle attacks by not relaying invalid or gratuitous Address Resolution Protocol (ARP) messages.

DHCP Guard (DHCP trusted interface): Protects clients on the network from pairing up with an unauthorized DHCP server.

(Multiple) MAC Authentications: A means of authenticating without the user login required by the web-based and 802.1X methods.

Added Features description (3)

802.1X - User: A per-user (per-session) access control protocol. Each user connected to a switch port goes through the 802.1X authentication process before being allowed to send data.

MVR: Multicast VLAN Registration. Reduces duplication of multicast traffic across multiple VLANs in Layer 2 ring networks by centralizing the distribution of multicast traffic in a single video VLAN.

Q-in-Q: Tunneling an 802.1Q packet inside another 802.1Q packet to distinguish different customers' VLANs. SPs might use Q-in-Q if they are providing Metro Ethernet service to multiple customers for high-speed metropolitan-area network (MAN) connectivity.

Added Features description (4)

STP Root Guard: Allows a device to participate in STP (Spanning Tree Protocol) as long as the device does not try to become the root.

CLI: Command Line Interface. A means of communication between a program and its user, based on textual input and output. Commands are entered with a keyboard or similar device and are interpreted and executed by the program. The user sees the command line on the monitor and a prompt that is waiting to accept instructions from the user.

Metro Access Security Mechanisms: Subscriber Security

One of the biggest concerns in using a shared Ethernet access device for multiple customers is how to prevent one customer from affecting another customer.

Security Concern: Use
- DHCP Rogue Server: DHCP Snooping
- IP Address Spoofing: DHCP Snooping + IP Source Guard
- ARP Spoofing (Man-in-the-Middle): DHCP Snooping + Dynamic ARP Inspection
- Layer 2 Isolation across switches: Private VLAN Edge (PVE)
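The way the three mechanisms in the table share one binding table, as an added example covering the feature descriptions above as well (not code from the presentation or from any switch): DHCP snooping learns port-to-MAC-to-IP bindings from the trusted uplink's ACKs, and IP Source Guard and Dynamic ARP Inspection then drop subscriber traffic that does not match them. Frames, port names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    """Constructed, simplified frame. For ARP, src_mac/src_ip are the
    sender hardware/protocol addresses carried in the ARP body."""
    port: str
    src_mac: str
    src_ip: str
    kind: str            # dhcp_request | dhcp_offer | dhcp_ack | ip | arp
    chaddr: str = ""     # DHCP client hardware address
    yiaddr: str = ""     # DHCP address assigned by the server

class AccessSwitch:
    """Added example: one DHCP snooping binding table feeding both IP Source
    Guard and Dynamic ARP Inspection on untrusted subscriber ports."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the legitimate DHCP server
        self.pending = {}                   # client MAC -> port, from snooped requests
        self.bindings = {}                  # port -> (mac, ip), from snooped ACKs

    def forward(self, f):
        trusted = f.port in self.trusted
        if f.kind == "dhcp_request":
            if not trusted:
                self.pending[f.src_mac] = f.port
            return "forward"
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            if not trusted:                 # DHCP Snooping: server messages only from trusted ports
                return "drop: DHCP server message on untrusted port"
            if f.kind == "dhcp_ack" and f.chaddr in self.pending:
                self.bindings[self.pending.pop(f.chaddr)] = (f.chaddr, f.yiaddr)
            return "forward"
        if trusted:
            return "forward"
        binding = self.bindings.get(f.port)  # None until DHCP completes on that port
        if f.kind == "ip" and binding != (f.src_mac, f.src_ip):
            return "drop: IP source guard"   # spoofed or unassigned source address
        if f.kind == "arp" and binding != (f.src_mac, f.src_ip):
            return "drop: ARP inspection"    # ARP sender does not match the binding
        return "forward"
```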

Subscriber Security: Private VLAN

What It Does: Private VLANs partition a regular VLAN domain into subdomains, each consisting of a pair of VLANs: a primary VLAN and a secondary VLAN.

Two types of secondary VLANs:
- Isolated VLANs: ports within an isolated VLAN cannot communicate with each other at the Layer 2 level (supported with SPS switches)
- Community VLANs: ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at the Layer 2 level (only supported with Cisco Catalyst switches)

Benefit: In addition to addressing service provider VLAN ID scalability and IP address management issues, the Private VLAN feature offers Layer 2 separation across switches.

(Diagram: a Private VLAN domain with a primary VLAN and two subdomains, a secondary community VLAN and a secondary isolated VLAN.)

Switch Security: Rate Limiting

What It Does:
- Rate limiters can limit traffic per VLAN, port or user to mitigate the impact of packet-blasting worms and limit the amount of traffic a user can send onto the network
- Can rate limit using either traffic policing or shaping functions

Benefit: Prevents a malicious user from flooding the network with traffic, affecting other users and the management of the network itself.

(Diagram: a 100 Mbps port with a 20 Mbps allowance; the 80 Mbps "overage" is rate limited, and management traffic is given the highest priority.)
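The difference between the two rate-limiting functions on the slide, policing and shaping, as an added example (not code from the presentation or from any switch): one token bucket, with the slide's numbers of a 100 Mbps port and a 20 Mbps allowance; the burst size and the back-to-back traffic are constructed.

```python
class TokenBucket:
    """Added example: token bucket in bits, time in microseconds, so the
    slide's figures (100 Mbps port, 20 Mbps allowance) stay exact integers."""
    def __init__(self, rate_bits_per_us, burst_bits):
        self.rate = rate_bits_per_us
        self.capacity = burst_bits
        self.tokens = burst_bits
        self.t = 0

    def refill(self, now_us):
        self.tokens = min(self.capacity, self.tokens + (now_us - self.t) * self.rate)
        self.t = now_us

def line_rate_traffic(count=1000, link_bits_per_us=100, frame_bits=12000):
    """Constructed worm-like burst: back-to-back 1500-byte frames at 100 Mbps."""
    return [(i * frame_bits // link_bits_per_us, frame_bits) for i in range(count)]

def police(packets, rate_bits_per_us, burst_bits):
    """Policer: non-conforming frames are dropped. Returns (sent_bits, dropped_bits)."""
    tb = TokenBucket(rate_bits_per_us, burst_bits)
    sent = dropped = 0
    for now, size in packets:
        tb.refill(now)
        if tb.tokens >= size:
            tb.tokens -= size
            sent += size
        else:
            dropped += size
    return sent, dropped

def shape(packets, rate_bits_per_us, burst_bits):
    """Shaper: non-conforming frames wait in a FIFO queue. Returns departure times (us)."""
    tb = TokenBucket(rate_bits_per_us, burst_bits)
    departures = []
    for now, size in packets:
        start = max(now, departures[-1] if departures else 0)
        tb.refill(start)
        if tb.tokens < size:                             # wait until enough credit accrues
            start += -(-(size - tb.tokens) // tb.rate)   # ceiling division, stays integer
            tb.refill(start)
        tb.tokens -= size
        departures.append(start)
    return departures

def overage_share(packets, rate_bits_per_us, burst_bits):
    """Fraction of the offered load a policer drops as overage."""
    sent, dropped = police(packets, rate_bits_per_us, burst_bits)
    return dropped / (sent + dropped)
```

With the 20 Mbps allowance the policer drops about 79% of a sustained 100 Mbps burst, while the shaper delivers everything but stretches 0.12 s of offered traffic to almost 0.6 s, which is why shaping alone does not protect the switch from a sustained flood.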

Switch Security: Secure Shell (SSH)

What It Does: SSH is a protocol that can provide secure connections to a remote device for management.
- Data is sent through an encrypted tunnel (DES or 3DES) to secure transmission and integrity of data
- Authenticates users and ensures secure file transfer and copying
- To use this feature, you must install the cryptographic (encrypted) software image on your switch

Benefit: Both sides of the tunnel are authenticated so that man-in-the-middle attacks are prevented and critical management information is not compromised.
- Provides improved security as compared to Telnet sessions by providing strong encryption when a device is authenticated
- Protects passwords and configuration information

(Diagram, "Privacy (Using SSH for Encryption)": the network admin's Telnet session, "telnet foo.bar.org / username: dan / password:", is readable in transit by the hacker, while the SSH session to the edge switch appears to the hacker only as ciphertext, "username: @#r); / password: %a)t#>".)

Network Security: Access Control Lists (ACLs)

What It Does:
- ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs
- An ACL is a sequential collection of permit and deny conditions (ACEs) that apply to packets
- IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP)
- Ethernet (MAC) ACLs are used to filter non-IP traffic
- Port, VLAN and Router ACLs are supported

Benefit:
- Restrict network use by certain users or devices
- Administrators can selectively apply extended ACLs based on the time of day and week for added flexibility and/or automation

Service Control Engine

Deployment / Application Lifecycle

Phases of a Service Control deployment:

1. Usage Analysis
   • Objectives: Monitor traffic distribution & usage patterns
   • Network topology: Receive only
2. Global Traffic Optimization
   • Objectives: Improve network experience & reduce operational expense
   • Network topology: Active mode
3. Subscriber Service Creation
   • Objectives: Service creation, subscriber differentiation, billing and value-added services
   • Integrated into the back office (AAA, billing, Policy-Server): DHCP, Portal, AAA, Policy, Subscriber Profile

Process of Service Control

(Diagram: Subscriber Application and Network Condition feed the decision; actions are Block, Redirect, Set QoS, Mark.)

Intelligent inspection and control of IP packets:
- Classify to end-user application; determine application semantics
- Map to subscriber identity, policy and state
- Select action based on network condition (time of day, congestion, other concurrent activities)
- Take action

Solution Overview

NetworkNetworkService ControlService ControlEngineEngine

SubscribersSubscribers

SubscriberManager

AAADHCPRadius

Billing

ReportingTool

EngageConsole

ServicePortal

CollectionManager Policy

Server

Modular solution: Includes SCE devices, management tools and integration APIs

Service Control Platforms

SCE2020:
- Interfaces: 4-GBE (fiber SX/LX)
- Mgmt. Interface: 2 x 10/100/1000 FE
- Network configuration: Receive-only, Inline, Cascade
- Processor Memory: 1.5GB
- Max. Flows: 2M (1M bi-directional)
- Max Subscriber-Contexts: 80,000

SCE1010:
- Interfaces: 2-GBE (fiber SX/LX)
- Mgmt. Interface: 2 x 10/100/1000 FE
- Network configuration: Receive-only, Inline
- Processor Memory: 768MB
- Max. Flows: 2M (1M bi-directional)
- Max Subscriber-Contexts: 40,000

Network Insertion Point

Typical insertion point: Broadband Edge/Aggregation
- Directly after the subscriber aggregator (B-RAS/CMTS, Retail-LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations

Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- IP/Tunneling environment
- Network redundancy
- Split-flow

SCE topology options:
- Inline: single SCE platform inline (default)
- Monopath: using both links on an SCE2020
- Receive-only: single SCE platform receive-only, via optical splitters or port SPAN
- Inline-cascade: two cascaded SCE platforms inline
- Receive-only-cascade: two cascaded SCE platforms receive-only
- Multi-Gig Cluster (MGSCP)
- MPLS-VPN configurations
- Value Added Services configurations
- SCE API interconnects (SM – PRPC, ISG/PS – SCMP)
- SCA-BB topology configurations

Inline and Receive-Only Configurations

Receive-only configuration (traffic monitoring only):
- GIG-E: using optical splitters / port SPAN
- FE: port SPAN

Inline configuration (monitor and control traffic):
- Engine installed in the data path

(Diagram: Subscribers, optical splitter, SCE, optical splitter, Network.)

Transparent Topologies

Two monopath:
- Single SCE2000 on 2 links
- Bypass config: Fail closed

Asymmetric 1+1:
- Active/Active; SCE on each link
- SCE2000 cascade resolves asymmetric routing
- Bypass config: Fail open

(Diagram: SCE2000 ports S1/N1 and S2/N2 between Subscribers and Network on two active links; in the asymmetric 1+1 case two SCE2000s, Master and Slave, one on each active link.)

Active/Standby Schemes

1+0 (SCE1000, SCE2000): Active/Standby; SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: Fail open

1+1 (SCE1000, SCE2000): Active/Standby; SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass config: Fail open

(Diagram: one active link and one standby link.)

SCE2000 Cascade for High Availability

- Resolves split flow between two links
- SCE2000 cascade feature ensures flow consistency
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy/state information
- Roles change on failure of the primary path

(Diagram: Master and Slave SCE2000s, one on each active link.)

Multi-Gig Cluster Solution

- Splits flows between more than two GBE links
- SCEs are hair-pinned to redundant 6500/7600s; matching EtherChannels on the 6500/7600 ensure that the traffic of a single subscriber flows to the same SCE
- Can use PBR as well
- Support for N+1 configuration through EtherChannel failover

(Diagram: BRASs/CMTSs, a 7600/6500 pair, SCE 2000s, Core Routers.)

New 10Gig DPI: SCE8000

Chassis hosting the SPA modules and DPI modules. 4-slot chassis:
- Slots #1 & #2: DPI modules/blades (two DPI modules; the 2nd is optional)
- Slot #3: 10G SPA jacket card with 4 x 10Gig SPAs
- Slot #4: Internal optical bypass (optional)

Cisco + Scientific Atlanta: Delivering Glass-to-Glass Integrated IPTV Solutions

(Diagram: Integrated End-to-End Platform, Order-to-Bill: IP DNA, Video DNA, Home Net DNA; Home Network & Devices; BSS/OSS; Video HE; Carrier IP Network; Video Control. Preserve Video Experience. SYSTEM INTEGRATION.)