Nokia Siemens Networks
Resilient IP network architectures
Enabling multiplay services with ResIP-certified solutions
White Paper

Contents
Executive summary
Introduction
Living up to expectations for multiplay services
Subscriber management and provisioning
Setting the QoS standard for multiplay
Securing multiplay services
Implementing scalable network topologies
Designing the core
Conclusion

Executive summary

Modern-day broadband networks deliver multiplay video, voice, music, gaming, and other services. Some are already interactive; many are converging further. But all are pushing networks’ availability and real-time capabilities to their limits. This has service providers struggling to strike a balance among their biggest business concerns: capacity, scalability, customer satisfaction, and cost.

The Nokia Siemens Networks ResIP Center addresses these bottom-line realities by combining best-of-breed products, both homegrown and sourced from partners, to engineer solutions that ensure interoperability, scale to fit, and mitigate deployment risk. They enable providers to bring multiplay services to market that much faster and treat customers to a more gratifying experience. And with the support of professional network audit, design, planning, and implementation services, providers can tailor ResIP-certified solutions to suit their networks and multiplay offerings.

This paper looks closer at the ResIP design guidelines that enable multiplay delivery, and at how certified solutions benefit service providers.

Introduction

In today’s broadband market, service providers differentiate their brands by offering compelling packages aimed at growing market share, revenue, and margins.
These multiplay services encompass:
• Voice over IP (VoIP) with full public network interconnectivity
• IPTV and premium entertainment services (Pay TV)
• Data for Internet access, quality assurance, and virtual private network (VPN) services
• Interactive gaming
• Video conferencing

With Digital Subscriber Line (DSL) setups migrating to aggregation based on Multiprotocol Label Switching (MPLS) and Virtual Private LAN Services (VPLS) to support higher bit rates and richer services, architectural issues are becoming a prime concern: Where should critical subscriber management features, policy enforcement points, and IP routing intelligence reside? Experts in the ResIP Center have developed, validated, optimized, and certified IP solutions to help service providers make the right decisions. Tests at the ResIP Center have confirmed that:
• Given the right quality of service (QoS) architecture, high-priority video and premium data traffic flows smoothly despite congestion. And with the benefit of hierarchical scheduling, bandwidth may be prioritized among one subscriber’s applications and distributed among different types of subscribers.
• An easy-to-use system for managing subscribers and operating, maintaining, and scaling the network drives down operational expenditure (OPEX).
• Service providers enjoy carrier-grade Ethernet’s built-in benefits with higher bandwidth at lower cost, and the flexibility achieved by decoupling the dedicated Customer Virtual Local Area Network (C-VLAN) and QoS (IEEE 802.1p). Each C-VLAN isolates that subscriber’s traffic to improve security, ease of operation, and troubleshooting.
• Using a Broadband Services Router (BSR) as a single service delivery point across multiple access technologies streamlines and simplifies operations.
• The Bidirectional Forwarding Detection (BFD) protocol, combined with VPLS and MPLS, enables multiplay services to detect link failures and recover quickly.
• Access and backbone recovery technologies satisfy video services’ stringent demands. Video services’ bandwidth needs can be met with MPLS autobandwidth and traffic engineering capabilities.

The ResIP Center puts these findings into practice with solutions designed to ramp up multiplay services and provide an assured user experience. Featuring products that have proven their merits in many and very different architectures, these solutions:
• Minimize deployment risk and facilitate growth: Verified and integrated to scale to up to 50 million users, these solutions resolve heterogeneous networks’ interoperability issues.
• Ensure quality QoS: Certified multiplay solutions’ de facto QoS standard turns the quality issue into a competitive advantage, helping to boost customer satisfaction and reduce churn.
• Cut costs and accommodate change: Engineered for OPEX and CAPEX (capital expenditure) savings, this future-proof network design delivers utmost value.

Another major concern is the question of centralized vs. distributed and single-edge vs. multi-edge architecture. Some like the single edge because one network element sees all traffic, making services and policies easier to manage. Others prefer multi-edge architecture because it is more distributed and flexible, enabling different services to be inserted from different points in the network. The ResIP Center has a carrier-grade solution based on a proven concept, underpinned by engineering rules and test results, for each of these approaches.

Living up to expectations for multiplay services

Rolling out new services entails technology risks. The ResIP Center’s design guidelines aim to minimize these risks by:

Simplifying service and network provisioning: Adding new customers, bandwidth and services, changing preferences, moving to new network addresses – all this involves amending subscriber policies and reconfiguring networks.
The trick is to minimize manual interaction and the number of elements affected by such changes – especially in large broadband networks serving millions of subscribers. New services must be interfaced with back-end subscriber, service, and billing systems. With one delivery point in the network, services can be rolled out without reengineering the access domain. Designed for multi-technology, multi-domain, and multi-vendor networks, NetAct Transport is a single system that manages all Nokia Siemens Networks transport and packet products, as well as key partner products.

Ensuring quality: QoS is critical to video and voice services. IPTV and the like must rival or surpass cable and satellite quality. Users do not take kindly to voice services plagued by jitter, delay, and loss. Video services are even more sensitive: Lost packets cause annoying on-screen glitches, and delays during video conference calls throw the synchronization off. Nokia Siemens Networks has verified a QoS mechanism that identifies different traffic types and manages each type across multiple links according to its requirements.

Preventing attacks to maintain trust: Subscribers trust conventional voice services because TDM assured the integrity of calls. Service providers must maintain this confidence while migrating to multiplay services over broadband access networks. A ResIP-certified network leverages access control, stateful firewalls, subscriber traffic isolation, and other security features to safeguard network assets and the user experience.

Scaling for growth and change: Video requires far more bandwidth than VoIP and Web access: A standard-definition TV stream consumes 2 to 4 Mbps, and the same program in HD format 8 to 19 Mbps, depending on encoding and compression. A well-engineered network keeps pace with growing bandwidth demand by design. Moreover, it provides an efficient platform for launching new services and updating subscriptions on the fly.
Having deployed many of the world’s largest broadband networks, Nokia Siemens Networks has the experience and design skills necessary to scale networks cost-efficiently for voice, video, and data services.

Ensuring always-on availability for premium services: Users expect broadband networks to deliver premium services on par with those of conventional voice and video systems. Networks must be resilient enough to continue delivering quality service even when failures occur. This mandates sub-second fault recovery. Nokia Siemens Networks incorporates multiple features and safeguards that cushion subscribers against faults and service interruptions.

Subscriber management and provisioning

The network edge is critical for multiplay services. Edge infrastructures that constrain services curb revenues and margins. The remedy for these constrictions is to combine feature-rich subscriber management capabilities with effortless provisioning.

Network provisioning

The design principle for ResIP multiplay access and edge domains is deceptively simple: Commission the network once – and for all – so that adding new subscribers and launching new services requires the fewest elements to be reconfigured. The DSLAM (DSL Access Multiplexer) can be provisioned in bulk to switch the incoming DSL line or VC (virtual circuit) and its traffic to a C-VLAN. The DSLAM, or the aggregation switch, can also add an outer tag (S-VLAN) to make the aggregation network more scalable. The carrier-grade Ethernet aggregation network uses VPLS instances, allocated per DSLAM. Configured upon deployment, they need not be changed later. The BNG (Border Network Gateway) automatically detects new customer VLANs and user sessions. This is all it takes to connect new customers once the DSLAM and DSL modem are in place.
Subscriber auto-detection

The BNG router senses C-VLANs, S-VLANs (Service VLANs), and Point-to-Point Protocol over Ethernet (PPPoE) and Dynamic Host Configuration Protocol (DHCP) / Internet Protocol over Ethernet (IPoE) sessions automatically. The system generates new interfaces dynamically, with interface layers constructed according to the incoming packet’s encapsulation. Static interfaces allocate system resources even when dormant. Auto-detection-driven dynamic interfaces use resources on demand, based on the incoming packet’s content. They are also deleted dynamically, without human intervention, to free up resources.

Service provisioning

Auto-detection plus auto-configuration equals zero-touch provisioning. Verified for Ethernet aggregation networks, these carrier-grade zero-touch and bulk provisioning capabilities make the ResIP-certified multiplay concept special. They auto-detect the encapsulation protocol (DHCP/IPoE) on an Ethernet VLAN, and then authenticate the session via RADIUS. Option 82 and the DSL line identifier or the physical device’s MAC address can be forwarded to the RADIUS server for DHCP authentication. This means the same PPP (Point-to-Point Protocol) subscriber management capability can cover DHCP subscriber access. These automated mechanisms:
• Create the C-VLAN and an IP interface for the session
• Sense new sessions (PPP or DHCP/IPoE)
• Assign the service profile via the BNG or RADIUS

All functions are triggered regardless of protocol type, thereby streamlining operations and cutting costs. Also, these routers are built for flexibility. Their many subscriber management features support the access methods, authentication, and policy management options that best suit service providers’ operating and market needs.

Layer 2 Control for even better provisioning

The DSL Forum’s recommendations identify queuing and scheduling mechanisms to avoid congestion in the access network while handling multiple flows with distinct QoS requirements.
To this end, the BNG needs to ‘know’ the access network’s topology, the various links in use, and their respective rates. Some of these data, such as the DSL sync rate, are dynamic, which a provisioning or inventory management system is unable to provide. Other data, such as a DSLAM uplink’s capacity, fluctuate less frequently, but the BNG still has to get an accurate picture of the uplink’s capacity. The Access Network Control Protocol (ANCP) inserts an interface between the DSLAM and BNG to communicate the DSL rate, support operations, administration and maintenance, and extend subscriber-aware multicast forwarding data to the DSLAM.

Setting the QoS standard for multiplay

Today’s networks must support all services, from best-effort to premium, with the appropriate QoS because:
• Subscribers expect providers to live up to their bandwidth commitments and want their fair share of available bandwidth.
• Providers wish to offer different service levels to tap new revenue streams, for example, by prioritizing business subscribers over residential users, and mission-critical applications over best-effort data.

Nokia Siemens Networks engineers core and edge networks to support a mix of services, up to 50 percent of which constitute high-priority, real-time traffic. This ensures that sufficient network resources remain available after any single point of failure.

Access

High-bandwidth applications can easily clog the access network. It takes superior traffic management to guarantee true QoS and cost-effective provisioning. The access network must run at peak rates while ensuring bursty applications do not adversely affect the quality of delay-sensitive premium services. All nodes in Nokia Siemens Networks’ access and aggregation architectures support traffic prioritized by multi-field classification, policing and shaping, and bandwidth as specified by the user-defined service level agreement (SLA).
Traffic may be classified and mapped to prioritized groups according to the ingress port, the VLAN tag, Ethernet priority, the IP Type of Service (TOS) and Differentiated Services Code Point (DSCP) field, and the target IP address. The bit indicating drop precedence is also marked in the frame, and the frame is color-coded accordingly. Customer-configurable parameters – the Committed Information Rate (CIR), Excess Information Rate (EIR), Committed Burst Rate (CBR), and Excess Burst Rate (EBR) – serve to police and shape traffic and ensure each flow gets the right bandwidth, priority, and SLA.

IP edge

Functions at the edge support IP services by authenticating users and distributing video and broadcast TV. There are two basic IP edge designs:
• In a single edge, the same IP edge router delivers all services within the same user session. Services are scheduled hierarchically, with the appropriate QoS being assigned to each. A single edge is usually paired with a C-VLAN in the access network. Delivering all services from one point in the network has its benefits: Service-based accounting and policy enforcement are much easier to implement.
• In a multiple edge, different edge routers deliver different services; for example, one device provides Internet access and the other IPTV. A multiple edge is paired with S-VLANs in the access network. This requires less complex and costly edge devices, and makes topologies more flexible. Bandwidth-hungry applications may be ported to the access network to offload traffic from the core.

Nokia Siemens Networks put both designs through a battery of tests and developed rigorous engineering rules and design guidelines for each.

IP core

Core routers offer a rich feature set that supports differentiated service classes for IP and MPLS traffic. Applying a set of primitives to different protocols, they use traffic policing, drop priorities, queuing, and scheduling mechanisms to achieve the appropriate QoS.
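The policing and color-coding described in the Access subsection above (CIR, EIR and the two burst parameters driving a green/yellow/red marking with a drop-precedence bit) can be made concrete with a two-rate, three-color marker. The following is an added example written for this page, not code from the white paper or from any router vendor; it follows the RFC 4115 token-bucket scheme, and the class name, the DSCP mapping and the packet trace are the editor's own constructions.

```python
"""Two-rate, three-colour marker (trTCM) in the style of RFC 4115.

Added example by the editor, not code from the white paper or from any vendor.
It turns the CIR/EIR/CBR/EBR policer parameters the paper lists into the
green/yellow/red colouring and the drop-precedence marking it describes.
All class and function names, and the packet trace at the bottom, are the
editor's own constructions.
"""
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "green", "yellow", "red"

# Assumed DSCP mapping: colour -> Assured Forwarding class 1 drop precedence
# (AF11 for green, AF12 for yellow); red frames are dropped (None).
DROP_PRECEDENCE_DSCP = {GREEN: 10, YELLOW: 12, RED: None}


@dataclass
class TrTCM:
    """Colour-blind two-rate, three-colour marker with two token buckets."""
    cir: float  # committed information rate, bytes/second
    eir: float  # excess information rate, bytes/second
    cbs: int    # committed burst size, bytes (the paper's CBR)
    ebs: int    # excess burst size, bytes (the paper's EBR)
    tc: float = field(init=False)                 # tokens in the committed bucket
    te: float = field(init=False)                 # tokens in the excess bucket
    last: float = field(init=False, default=0.0)  # time of the last refill

    def __post_init__(self) -> None:
        # Both buckets start full, as in RFC 4115.
        self.tc = float(self.cbs)
        self.te = float(self.ebs)

    def _refill(self, now: float) -> None:
        # Credit each bucket with the tokens earned since the last packet,
        # capped at its burst size.
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tc = min(float(self.cbs), self.tc + self.cir * elapsed)
        self.te = min(float(self.ebs), self.te + self.eir * elapsed)

    def mark(self, now: float, size: int) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if size <= self.tc:          # fits the committed rate/burst
            self.tc -= size
            return GREEN
        if size <= self.te:          # fits the excess rate/burst
            self.te -= size
            return YELLOW
        return RED                   # exceeds both: out of profile


def police(policer: TrTCM, packets):
    """Run a (time, size) trace through the policer; return the colours."""
    return [policer.mark(t, size) for t, size in packets]


def dscp_for(colour: str):
    """DSCP value carrying the drop precedence for a colour; None = drop."""
    return DROP_PRECEDENCE_DSCP[colour]


# Constructed trace: CIR = EIR = 1000 B/s, CBS = EBS = 1500 B.
# Three 1000-byte packets arrive at once, two more a second later, then four
# 500-byte packets at t = 2 s.
SAMPLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.0, 1000),
                (1.0, 1000), (1.0, 1000),
                (2.0, 500), (2.0, 500), (2.0, 500), (2.0, 500)]


def sample_colours():
    """Colours for SAMPLE_TRACE: the third packet of the opening burst is red,
    the second packet of each later group spills into the excess bucket."""
    return police(TrTCM(cir=1000, eir=1000, cbs=1500, ebs=1500), SAMPLE_TRACE)


if __name__ == "__main__":
    for (t, size), colour in zip(SAMPLE_TRACE, sample_colours()):
        print(f"t={t:.1f}s {size:5d} B -> {colour:6s} DSCP={dscp_for(colour)}")
```

The bucket sizes are what make the SLA enforceable under bursty video: a burst that fits the committed bucket is green regardless of instantaneous rate, a burst that only fits the excess bucket is marked yellow so a congested downstream queue can discard it first, and anything beyond both is dropped at the policer rather than competing with delay-sensitive traffic.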
The traffic type rather than the subscriber determines priorities in the IP core. Multiplay requires this differentiation so that each traffic type is mapped to the scheduling and QoS mechanisms required to meet the various services’ QoS needs.

Insights from the ResIP Center

The ResIP Center tested these principles, parameters, and policies and found that:
• Prioritization mechanisms work well in the access network (IEEE 802.1p bits or DSCP), the IP edge (hierarchical scheduling), the IP core (DSCP), and in combination with link aggregation (IEEE 802.3ad).
• Different traffic types in the same queue can be prioritized using Weighted Random Early Detection (WRED).
• Heavy traffic loads do not adversely affect prioritization mechanisms.
• Video applications are very sensitive to packet loss.
• Voice quality remains consistent even in the event of significant packet loss (10%), especially when the effects are masked using packet loss concealment. The performance remains the same with codecs other than G.711.

Securing multiplay services

Network security technologies protect computing and information assets, preventing attacks from inside and outside the IP network on any connected element. Some attacks target specific applications (e-mail) or computing platforms (server farms); others target infrastructure (routers). Carrier-grade routers and effective means such as packet filtering, traffic policing, and encryption to control every session mitigate these vulnerabilities.

Implementing ubiquitous packet filtering and traffic policing

The router must support highly scalable filtering capabilities, unicast reverse path forwarding, and high-performance rate limiting for industry-leading denial of service (DoS) attack protection. Service providers should activate these functions and use them with filter policies to guard management communications against SYN flood DoS attacks. This protects every node and service throughout the network without compromising performance.
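The unicast reverse path forwarding feature named above is the source-address check that decides whether a packet's claimed origin is plausible given the routing table. The following is an added example written for this page, not code from the white paper or from any router vendor: it models the loose mode (accept if any route back to the source exists) and the stricter edge mode (the route must also point out of the ingress interface) with a longest-prefix match. The routing table, interface names, packets and the decision to ignore the default route are the editor's own assumptions.

```python
"""Strict and loose unicast reverse-path forwarding (uRPF) checks.

Added example by the editor; not code from the white paper or from any router
vendor. Loose mode accepts a packet if the routing table has any route back to
its source; strict mode (the paper's "more rigorous mode for edge deployment")
additionally requires that route to point out of the interface the packet
arrived on. Routing table, interface names and packets are constructed.
"""
import ipaddress

# Assumption of this example: a default route is not treated as a valid
# reverse path, so loose mode still rejects sources the table knows nothing
# about instead of accepting everything.


def best_route(table, src):
    """Longest-prefix match of `src` against [(prefix, interface), ...].

    Returns (network, interface) or None when nothing but a default matches.
    """
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > 0:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best


def urpf_check(table, src, ingress, mode="strict"):
    """Return (accepted, reason) for a packet from `src` arriving on `ingress`."""
    route = best_route(table, src)
    if route is None:
        return False, "no route to source"
    net, iface = route
    if mode == "loose":
        return True, f"route {net} exists"
    if iface == ingress:
        return True, f"route {net} via {iface}"
    return False, f"route {net} via {iface}, not {ingress}"


def evaluate(table, packets, mode):
    """Apply the check to (src, ingress) packets; return the accept flags."""
    return [urpf_check(table, src, ingress, mode)[0] for src, ingress in packets]


# Constructed table for a BNG with two customer-facing ports and one uplink.
ROUTES = [("10.1.0.0/16", "ge-0/0/1"),
          ("10.2.0.0/16", "ge-0/0/2"),
          ("0.0.0.0/0", "ge-0/0/0")]

# Constructed packets: (source address, ingress interface)
PACKETS = [("10.1.5.5", "ge-0/0/1"),   # customer on its own port
           ("10.1.5.5", "ge-0/0/2"),   # same source claimed on another port
           ("192.0.2.1", "ge-0/0/1"),  # source only reachable via default
           ("10.2.7.7", "ge-0/0/0")]   # customer source arriving from uplink


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, ingress in PACKETS:
            ok, why = urpf_check(ROUTES, src, ingress, mode)
            verdict = "accept" if ok else "drop"
            print(f"{mode:6s} {src:11s} on {ingress}: {verdict:6s} ({why})")
```

The second and fourth packets show why the paper reserves strict mode for the edge: a customer port should only ever see its own pool as source, so strict mode drops both, whereas on the uplink the same source may legitimately arrive from many directions and loose mode is the workable setting. Running the check in the forwarding path, as the paper notes the ResIP Center verified, is what lets it be enabled on every port without a performance penalty.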
Filters that restrict local packets traversing from a physical port to the routing engine protect the router’s control plane. Further ubiquitous security features such as port mirroring, encrypted management session traffic, secure tunneling capabilities, secure remote logins, configurable privilege levels, and user accounts secure the infrastructure.

Protecting against DoS attacks

Many DoS attacks target a host with a distributed flood of traffic. The countermeasure is to confine such attacks by policing traffic in the core routers. To do this, Internet Control Message Protocol (ICMP) traffic is policed at a level that allows the router to accept ICMP traffic yet diminishes smurf attacks.

Routers also feature unicast reverse-path forwarding (uRPF) to pinpoint the source of attacks, reject packets from unexpected sources, and accept traffic only from sources in networks listed in the routing table. Set to an even more rigorous mode for edge deployment, routers accept only traffic from known sources.

Preventing spoofing

Validating all incoming packets’ source address improves network security. Validation tools for all active clients prevent malicious attackers from forging source addresses. This is done by inserting a Layer 2 plane between the DSLAM and BNG, and routing all client (PPPoE/DHCP) traffic through the BNG to preclude direct peer-to-peer traffic. PPPoE duplicate-protection mechanisms prevent a client from setting up more than one session using the same MAC address. The ResIP Center has verified that the uRPF features work without affecting routers’ forwarding performance. ResIP-certified multiplay solutions provide high security by enforcing common security policies throughout the network and isolating subscriber traffic streams.

Implementing scalable network topologies

It takes a cost-effective, scalable network topology to deliver high-quality multiplay services to millions of multimedia subscribers and turn a profit. Designed for economy and scalability, ResIP-certified multiplay solutions comprise access, core, and edge router topologies built on the experience gained in countless deployments.

Designing the access network

Ethernet is the most popular LAN technology. It can serve several purposes – as a pure Layer 2 transport mechanism, a means for offering VPN services, or a broadband technology for delivering multiple services to residential customers. An all-Ethernet access and aggregation infrastructure is the best way to keep CAPEX and OPEX in check while satisfying fast-growing demand for multiplay services. Given scalability and resilience, Ethernet can make major inroads into the service provider’s domain. Both can be achieved with VPLS, an MPLS-based Ethernet service technology. Enabling clear segmentation at the logical level, it sidesteps the scalability issues of a flat Ethernet network. VPLS also benefits from MPLS features such as enhanced resiliency and traffic engineering.

Connecting the BNG to the IP backbone

The edge sites hosting the BNG are dual-homed to the core network, so that no single failure can cut the BNG off from the core.

Creating the IP backbone

Purpose-built hardware and modular software have boosted routers’ availability. They enable service providers to upgrade select software without rebooting the entire code base, to hot-swap line cards, and to smoothly restart protocols. Any two access areas need to be connected by at least two distinct paths so that no single failure can separate them. Two parallel planes, interconnected locally within the edge and at core router sites, serve to achieve this redundancy.
Nonetheless, each site should house two routers to cut maintenance costs and protect against catastrophic events such as building power failures and natural disasters.

Single-edge access design with customer VLANs and VPLS

Ethernet excels at providing higher bandwidth at lower cost. Simple Layer 2 forwarding in the access network reduces CAPEX. Mass pre-provisioning – that is, setting up VLANs port by port up front – makes OPEX more predictable. The same goes for circumventing the complexities of service-based provisioning. Second-mile aggregation requires great scalability. The ResIP Center has verified the benefits of the VLAN scheme for first-mile access:
• Layer 2 address tables are much smaller with VPLS. Rather than using one large table for the entire access and aggregation network, they store only the Layer 2 addresses of one access node’s chain.
• VPLS is based on MPLS and benefits from its advantages: MPLS’ fast reroute feature accelerates failover, while traffic engineering features enable dedicated bandwidth assignment and management.

CPE simplicity

C-VLANs make it easy to migrate access networks and multiplay services from ATM to Ethernet without affecting the subscriber’s DSL modem. Mapping the C-VLAN and the customer-provisioned VC’s connectivity from the DSLAM down to the home gateway or customer premises equipment (CPE) is simple. Many service providers have used a single VC model for Internet broadband access.

Designing the core

The recipe for an IP/MPLS core calls for several ingredients. One is an Interior Gateway Protocol (IGP), for which both the Intermediate System to Intermediate System (IS-IS) and the Open Shortest Path First (OSPF) protocols may be used. IS-IS’s area design is simpler, and IPv4 and IPv6 routes are easier to integrate. Both can use the Bidirectional Forwarding Detection (BFD) protocol to detect failures within tens of milliseconds, even at the Layer 3 level.
Handling routes

The key to building a scalable network is to keep the IGP small. The Border Gateway Protocol (BGP) carries so many prefixes around the ISP backbone that some engineers see iBGP (internal BGP) as their networks’ interior routing protocol.
• The IGP typically carries backbone point-to-point links and router loopback interface addresses.
• iBGP carries customer-assigned address blocks, access network address pools, any other prefixes that need not be carried in the IGP, and some or all of the Internet route table.
• eBGP (external BGP) carries prefixes between ISPs and implements routing policy between ISPs.

This is a very different model from those used in the Internet’s infancy, where the IGP carried all prefixes in the ISP’s backbone, and BGP merely exchanged prefixes between autonomous systems. In contrast to IGPs, iBGP offers great scalability courtesy of route reflectors and confederations. This makes it an excellent tool for carrying prefixes across the ISP’s backbone. The single-layer IGP’s biggest benefit is that every router is fully ‘aware’ of the topology, which is a prerequisite for features such as MPLS fast reroute.

Industrial-strength BGP implementation

The learning curve for implementing the BGP4 protocol is steep. A carrier-grade BGP4 implementation requires support for scores of features and extensions. ResIP-certified multiplay solutions rely heavily on a robust BGP implementation because iBGP and eBGP transport all IP reachability information.

Taking a router out of service

Both the OSPF and IS-IS protocols enable operators to simplify maintenance by declaring an overload condition. In the case of IS-IS, setting the overload bit compels the router to signal this status to neighboring routers so that transit traffic is rerouted to other links without losing packets.

Using MPLS in the core

When IGP/BGP routes transport all traffic, it always flows via the shortest path between the source and destination.
This path is ‘hardwired’ into the design. So, the operator of an IGP network that uses IS-IS or OSPF must identify the worst-case traffic matrix for voice and video, and then configure the network to map to it. Traffic engineering is crucial given the multiplay bandwidth demands. And MPLS-TE is the right choice because it uses network resources more efficiently, especially when traffic patterns change markedly. Routers must support the MPLS feature set, including constraint-based routing, fast reroute, and traffic engineering.

MPLS protection mechanisms

Failures are inevitable, so links and nodes need the kind of protection afforded by optical transmission layers. It may be provided at very low cost using one or a combination of these MPLS mechanisms:

MPLS load balancing: Each LSP can be equipped with its own metric. When several LSPs targeting the same destination share the same metric, the MPLS network balances traffic to that destination across these LSPs. Each microflow follows the same physical path. Its two biggest advantages over other mechanisms are that:
• It addresses primary LSPs only, so all available MPLS features may be used for all LSPs. Some, like autobandwidth, are as yet unavailable for secondary LSPs.
• It protects against LSP egress router failure, which none of the other mechanisms can do.

MPLS fast reroute: Very fast switch-over to a standby detour path minimizes packet loss when a circuit or node fails, and keeps packets flowing until the original LSP is rerouted or traffic is switched to a secondary LSP, usually within 50 to 100 msec.

MPLS primary/secondary LSPs: The routing engine reroutes a primary LSP to secondary LSPs when a node or link fails. Failover time depends on the number of failed LSPs, the distance an LSP must cover, and whether standby LSPs are presignaled.

MPLS prioritization

IGP/BGP traffic generally has priority over LSP traffic.
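The MPLS load balancing mechanism described above rests on two properties: every packet of a microflow is pinned to one of the equal-metric LSPs, and when one LSP's egress router fails its flows move to the surviving LSPs while the others stay put. The following is an added example written for this page, not code from the white paper or from any vendor, and real routers use their own hardware hash; it assumes rendezvous (highest-random-weight) hashing over a SHA-256 digest so that the path choice is deterministic and the reassignment after a failure is minimal. LSP names and the flow sample are constructed.

```python
"""Per-flow load balancing across equal-metric LSPs to one destination.

Added example by the editor; not code from the white paper or from any vendor.
It shows the two properties the paper states for MPLS load balancing: every
packet of a microflow follows the same physical path, and when one LSP's
egress router fails only the flows pinned to that LSP move. Assumed technique:
rendezvous hashing over a stable SHA-256 digest. LSP names and flows are
constructed.
"""
import hashlib
from collections import Counter


def flow_key(pkt):
    """The 5-tuple that identifies a microflow."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def weight(key, lsp):
    """Stable pseudo-random weight of (flow, LSP). hashlib avoids Python's
    per-process hash randomisation, so results repeat across runs."""
    data = repr(key).encode() + b"|" + lsp.encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def select_lsp(key, lsps):
    """Rendezvous hashing: the LSP with the highest weight for this flow."""
    if not lsps:
        raise ValueError("no LSP available to the destination")
    return max(lsps, key=lambda lsp: weight(key, lsp))


def forward(packets, lsps):
    """Map each packet to an LSP; returns {flow_key: set of LSPs used}."""
    paths = {}
    for pkt in packets:
        key = flow_key(pkt)
        paths.setdefault(key, set()).add(select_lsp(key, lsps))
    return paths


def load(packets, lsps):
    """Packets per LSP, to see how the flows spread over the equal paths."""
    return Counter(select_lsp(flow_key(p), lsps) for p in packets)


def moved_flows(packets, lsps, failed):
    """Flows whose path changes when `failed` (one egress router's LSP) goes away."""
    before = forward(packets, lsps)
    after = forward(packets, [lsp for lsp in lsps if lsp != failed])
    return {key for key in before if before[key] != after[key]}


def all_flows_pinned(packets, lsps):
    """True when no flow is split across LSPs (each follows one path)."""
    return all(len(used) == 1 for used in forward(packets, lsps).values())


def only_failed_flows_moved(packets, lsps, failed):
    """True when exactly the flows that used `failed` were reassigned."""
    before = forward(packets, lsps)
    on_failed = {key for key, used in before.items() if used == {failed}}
    return moved_flows(packets, lsps, failed) == on_failed


# Constructed traffic: 24 RTP-like UDP flows of 5 packets each to one destination.
LSPS = ["LSP-A", "LSP-B", "LSP-C"]
PACKETS = [{"src": f"10.1.{i}.2", "dst": "198.51.100.10", "proto": 17,
            "sport": 40000 + i, "dport": 5004}
           for i in range(24) for _ in range(5)]


if __name__ == "__main__":
    print("load per LSP:", dict(load(PACKETS, LSPS)))
    print("flows moved after LSP-B egress failure:",
          len(moved_flows(PACKETS, LSPS, "LSP-B")))
```

Pinning by flow rather than per packet is what keeps video and voice free of reordering across the parallel paths, and the minimal reassignment on failure is why this mechanism copes with an egress router outage that the fast-reroute and secondary-LSP mechanisms, which both assume the same egress, cannot.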
All traffic must be mapped correctly into queues so that the router’s scheduler can prioritize it. Each packet’s EXP bits must be set accordingly for traffic transported via LSPs.

MPLS traffic engineering

MPLS outshines any pure IGP/BGP setup’s traffic engineering capability. Whereas a pure IGP/BGP setup takes the shortest path between the source and destination regardless of traffic distribution, MPLS-TE defines forwarding paths so that no link is overloaded by a given traffic matrix. A defined amount of bandwidth is reserved on each link. An LSP may use a link only if it provides enough unreserved bandwidth. The autobandwidth feature helps the network dynamically adapt LSPs and their reservations to traffic matrices. In the event of a bottleneck, the routers automatically reroute some of the affected LSPs over less congested links. DiffServ-aware MPLS-TE provides even greater flexibility by making reservations according to traffic class rather than merely by physical link.

Insights from the ResIP Center

The ResIP Center tested MPLS prioritization, auto-bandwidth, and failover capabilities for their multiplay suitability and found that:
• Physical failures such as line cuts or router outages are detected immediately. Both IGP reroutes and BGP updates are completed quickly, achieving sub-second failover times.
• BFD detects a Layer 3 failure within 300 milliseconds.
• Routers with redundant routing engines restart and switch over smoothly, with just a few milliseconds of outage time.
• Given fast failure detection, neither iBGP nor eBGP significantly increases failover time.
• Using the overload bit to remove a router from the network causes no packet loss.

Conclusion

Next-generation multiplay services raise the bar for network performance. Conventional architecture falls short of providing the necessary bandwidth and availability, not to mention reducing packet loss and cost.
This is why Nokia Siemens Networks teamed up with the leading IP vendors Cisco and Juniper to develop a multiplay concept that:
• Limits deployment risks
• Enhances QoS
• Provides a scalable platform for growth and change

Powered by the best products and solutions drawn from homegrown and partners’ portfolios, this multiplay concept has been certified in the Nokia Siemens Networks ResIP Center. Based on IP/MPLS with traffic engineering mechanisms, it offers optimized bandwidth management and far greater reliability throughout the core’s virtual network resources. Featuring a well-designed multi-vendor and multi-technology management entity, it drives down OPEX and spares CAPEX up front. Its QoS architecture identifies various traffic types and manages each according to its requirements across multiple links and network elements. Beyond that, it protects voice and video services against network-based attacks and repels DoS attacks. With professional network audit, design, planning, and implementation support to draw on, service providers can tailor each ResIP-certified multiplay solution to suit their needs and business models.

Nokia Siemens Networks
P.O. Box 1
FI-02022 NOKIA SIEMENS NETWORKS
Finland
Visiting address: Karaportti 3, ESPOO, Finland
Switchboard +358 71 400 4000 (Finland)
Switchboard +49 89 5159 01 (Germany)
Order No. C401-00693-WP-201102-1-EN
www.nokiasiemensnetworks.com

Copyright © 2011 Nokia Siemens Networks. All rights reserved. Nokia is a registered trademark of Nokia Corporation, Siemens is a registered trademark of Siemens AG. The wave logo is a trademark of Nokia Siemens Networks Oy. Other company and product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only. This publication is issued to provide information only and is not to form part of any order or contract. The products and services described herein are subject to availability and change without notice. Every effort is made to ensure that our communications materials have as little impact on the environment as possible.