Interconnection plan between the VTC IPTV Headend (HE) system and the VNPT DakLak (DLK) MANE network

Interconnection diagram
Figure 1 shows the interconnection between the VTC Headend and the VNPT DLK MANE network through a VTN PE router. The VTC router connects to the VTN PE router, and the VTN PE router connects to the MANE PE, using either:
- 2 optical GE ports bundled with 802.3ad Link Aggregation, or
- 1 optical 10GE port.
Figure 1: Interconnection diagram between the VTC Headend and the DLK MANE (diagram elements: VTC router, VTN PE, MANE PE)
The connectivity that delivers the IPTV service in the MANE network has two main parts:
- the connection to the Headend system;
- the connections to the DSLAMs, from which the service is delivered to ADSL2+ subscribers.

Connection between the IPTV Headend and the PE-MANE
The connection of the VTC router to the PE-MANE is shown in Figure 2.
Figure 2: Connection between the VTC Headend and the VTN PE (diagram elements: VTC, VTN PE and MANE PE, each with a multicast sub-interface and a unicast sub-interface)
In this model the PE-VTN acts as a bridge domain made up of the two interfaces facing VTC and the PE-MANE; it supports IGMP and QoS but takes no part in multicast or unicast routing.
The physical connection from the VTC router to the PE-MANE carries the following roles:
- Multicast path: runs PIM-SM plus static routes so that the multicast streams (LiveTV channels and the control streams) are routed into the global routing table of the PE-MANE.
- Unicast path: builds an L2VPN from the VTC router to the IP DSLAMs and the customers' STBs.
- Acts as the gateway for the customers' STBs.
Connection between the MANE and ADSL2+ subscribers using the IPTV service
The whole path from the uPE router to the customer's STB is a Layer 2 connection. The uPE router's tasks are:
- run the PIM-SM multicast routing protocol;
- build the L2VPN from the DSLAM up to the VTC router.
Figure 3: Connection from the MANE uPE to an ADSL2+ subscriber using the IPTV service
Because the connection from the uPE all the way down to the STBs is bridged, VNPT DLK must take measures against DSLAMs within one bridge domain being able to reach each other. One of the following two measures can be chosen:
1. Use a separate VLAN for each DSLAM.
2. Configure Layer 2 filtering on the access and aggregation switches (for example Private VLAN or a Layer 2 ACL).
(Figure 3 diagram elements: uPE running multicast routing (PIM-SM) and L2VPN; switches with IGMP snooping, QoS/CoS and traffic shaping; modems with PVC0 routed/NAT and PVC1 bridged; STBs.)
Interconnection details
The IP address plan is produced by VTC.
Figure 3: Connection of VTC, PE VTN and PE MANE (diagram elements: VTC, VTN PE and MANE PE, each with a multicast sub-interface and a unicast sub-interface)
Multicast connection

| Connection   | VTC Router    | PE-VTN                              | PE-MANE       |
|--------------|---------------|-------------------------------------|---------------|
| Link address | 10.144.0.1/30 | Bridge interface / Bridge interface | 10.144.0.2/30 |
| Routing      | Static route  |                                     | Static route  |
Detailed configuration:

4.1. VTC Digicom:
1. Link addressing. On the interface facing VTN, create two sub-interfaces:
   - multicast sub-interface: IP address 10.144.0.1/30 (multicast VLAN, VLAN 99);
   - VoD sub-interface: VoD VLAN (VLAN 2450).
2. Unicast routing: configure static routes toward the routers in the MANE network.
3. Multicast routing: configure the VTC router to run PIM-SM with the following parameters:
   - Static RP address: 10.254.21.1
   - PIM interfaces: the interface facing VTN and the port connected to the streaming server.
4.2. PE-VTN:
- Create a bridge domain made up of the two interfaces facing VTC and the PE-MANE.
- Allow IGMP to operate on these two interfaces.
- Provide QoS for the traffic from VTC down to the MANE.
4.3. PE-MANE:
1. Link addressing. On the interface facing VTN, create two sub-interfaces:
   - multicast sub-interface: IP address 10.144.0.2/30 (multicast VLAN, VLAN 99);
   - VoD sub-interface: VoD VLAN (VLAN 2450).
2. Unicast routing: configure static routes to the VTC headend subnets:
   - 10.254.21.1/32
   - 10.255.144.0/24, 10.255.145.0/24, 10.255.146.0/24
   - import the static routes into IS-IS so that the routers in the MANE network learn these subnets.
3. Multicast routing: on every PE in the MANE, configure PIM-SM with the following parameters:
   - Static RP address: 10.254.21.1
   - PIM interface: the multicast sub-interface facing the PE-VTN.
4. VoD configuration: build an L2VPN from the unicast sub-interface to the DSLAMs connected to the uPE.
Connection from the uPE to ADSL2+ subscribers using the IPTV service
Figure 4: Connection from the uPE to ADSL2+ subscribers
1. Multicast routing: on every uPE in the MANE, configure PIM-SM with the following parameters:
   - Static RP address: 10.254.21.1
   - PIM interface: the interface facing the PE.
2. VoD configuration:
Build an L2VPN from the IP DSLAM interface to the PE-VTN.
3. Configure the modem with two PVCs:
   a. PVC 0: Routed/NAT mode, carrying the Internet service.
   b. PVC 1: Bridged mode, carrying the IPTV service.
4. Configure DSLAM 1 and DSLAM 2:
   - declare the control channels: addresses 225.21.2.1 to 225.21.2.5;
   - declare the multicast channels: addresses 225.21.3.1 to 225.21.3.5.
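The parameters in sections 4.1 to 4.3 and the uPE steps above only work together if the /30 link is consistent at both ends, every PIM-SM speaker points at the same static RP, and PE-MANE actually has a route to that RP. The following preflight check is an added example, not configuration or code from the plan; the device roles and values are taken from the text, and the routers' configuration is modelled as plain Python data rather than read from devices.

```python
"""Preflight checks for the multicast interconnection parameters (added example):
the /30 link addresses, one static RP on every PIM-SM router, and static routes on
PE-MANE that cover the RP and the headend subnets."""
import ipaddress

# Multicast link between VTC Digicom and PE-MANE (PE-VTN bridges it at Layer 2).
LINK = {"VTC": "10.144.0.1/30", "PE-MANE": "10.144.0.2/30"}

# Static RP configured on each PIM-SM speaker named in the plan.
STATIC_RP = {"VTC": "10.254.21.1", "PE-MANE": "10.254.21.1", "uPE": "10.254.21.1"}

# Static routes PE-MANE points toward VTC and imports into IS-IS.
PE_MANE_STATIC_ROUTES = [
    "10.254.21.1/32", "10.255.144.0/24", "10.255.145.0/24", "10.255.146.0/24",
]


def check_link(link=LINK):
    """Both ends must be usable host addresses of the same /30."""
    ifaces = [ipaddress.ip_interface(a) for a in link.values()]
    nets = {i.network for i in ifaces}
    if len(nets) != 1:
        return ["link ends are in different subnets"]
    net = nets.pop()
    problems = []
    for name, iface in zip(link, ifaces):
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address")
    return problems


def check_rp(rps=STATIC_RP):
    """PIM-SM only converges if every router agrees on the RP for the group range."""
    if len(set(rps.values())) == 1:
        return []
    return [f"RP mismatch: {rps}"]


def route_for(dest, routes=PE_MANE_STATIC_ROUTES):
    """Longest-prefix match of dest against the static routes, or None if unrouted."""
    addr = ipaddress.ip_address(dest)
    matches = [ipaddress.ip_network(r) for r in routes if addr in ipaddress.ip_network(r)]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def check_rp_reachable(rp, routes=PE_MANE_STATIC_ROUTES):
    """Without a route to the RP, PE-MANE cannot send (*,G) joins toward the headend."""
    return [] if route_for(rp, routes) else [f"no static route covers RP {rp}"]


def preflight():
    """Empty list means the plan's parameters are mutually consistent."""
    return check_link() + check_rp() + check_rp_reachable(STATIC_RP["PE-MANE"])


if __name__ == "__main__":
    print(preflight() or "preflight OK")
```

With the values from the plan the check passes; changing one router's RP, or dropping the 10.254.21.1/32 route, produces a finding before anything is typed into a device.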
Expected results
1. A PC (simulating an STB) receives an IP address assigned by the Headend system:
   a. Connect the PC to a LAN port of the modem.
   b. Configure the PC to obtain its IP address dynamically. After a short while the PC is assigned an address 10.144.32.x/24, and the DHCP server logs the lease.
2. A PC (simulating an STB) receives the multicast stream sent from the Headend system:
   a. Perform test 1 (above).
   b. On the PC, start Wireshark to follow the multicast stream.
   c. Use VLC to receive the multicast stream 225.21.3.1, port 1234.
   d. The PC displays the live channel that corresponds to this multicast address.
   e. Configure VLC to receive the stream 225.21.3.2, port 1234.
   f. The PC displays the live channel that corresponds to this multicast address.
   g. Use Wireshark to display the traffic of the two channels and check the channel-change time.
   h. Check the DSCP value on the UDP packets.
   i. Check the channel quality visually.
Quality of service
The MANE network delivering the IPTV service must meet the following QoS requirements:
- end-to-end delay < 50 ms;
- jitter < 9 ms (with a 15 KByte buffer);
- packet loss: 0.05% for HD channels and 0.4% for SD channels and VoD;
- packet loss during channel change: 0% (for both HD and SD).
Accordingly, the service distribution network (PE-VTN and VNPT DLK) must classify and prioritise the traffic from the IPTV Headend in the following order, from highest to lowest:
1. Network Control (highest priority)
2. Live TV
3. VoD
4. Other traffic (lowest priority)
The VTC router marks each of these traffic types in the DSCP field as in Table 1:
Table 1: DSCP values marked for each traffic type

| Priority | Traffic type    | DSCP name                                       | DSCP value |
|----------|-----------------|-------------------------------------------------|------------|
| 1        | Network Control | Network control                                 | 110000     |
| 2        | Live TV         | EF (Expedited Forwarding)                       | 101110     |
| 3        | VoD             | AF41 (Assured Forwarding, low drop probability) | 100010     |
| 4        | Other traffic   | BE (Best Effort)                                | 000000     |
The PE-VTN router and the VNPT DLK MANE network must read the DSCP field and forward the IPTV traffic through the distribution network in exactly this order of priority.
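Steps g and h of the expected results (channel-change time and DSCP on the UDP packets) and Table 1 can be checked mechanically once the capture is exported. The block below is an added example, not code from the plan: it decodes the DSCP from the IP TOS byte, classifies it against Table 1 (the 110000 codepoint is the CS6 class selector), flags Live TV packets that are not marked EF, and measures the gap between the last packet of the old channel and the first of the new one. The packet records are constructed to stand in for what Wireshark shows during test 2.

```python
"""Check DSCP marking against Table 1 and measure the channel-switch gap in a capture
(added example; packet records are constructed, not taken from a real test)."""

# Table 1: priority, traffic type, PHB name, 6-bit codepoint. 110000 is the CS6 codepoint.
DSCP_CLASSES = [
    (1, "Network Control", "CS6", 0b110000),
    (2, "Live TV", "EF", 0b101110),
    (3, "VoD", "AF41", 0b100010),
    (4, "Other", "BE", 0b000000),
]
LIVETV_PREFIX = "225.21.3."   # LiveTV groups declared on the DSLAMs in this plan

# Constructed capture: (timestamp in ms, destination address, IP TOS byte).
# Channel 225.21.3.1 until t=80 ms, 225.21.3.2 from t=330 ms; one packet of the new
# channel arrives unmarked (TOS 0x00) so the marking check has something to report.
SAMPLE_CAPTURE = [
    (0, "225.21.3.1", 0xB8), (40, "225.21.3.1", 0xB8), (80, "225.21.3.1", 0xB8),
    (330, "225.21.3.2", 0xB8), (370, "225.21.3.2", 0x00), (410, "225.21.3.2", 0xB8),
    (415, "10.144.32.10", 0x88),   # a VoD unicast packet marked AF41
    (420, "10.144.0.2", 0xC0),     # a control-plane packet marked CS6
]


def dscp_from_tos(tos):
    """The DSCP is the upper six bits of the IPv4 TOS / DS byte."""
    return (tos >> 2) & 0x3F


def classify(dscp):
    """Map a codepoint to (priority, traffic type, PHB). Codepoints outside Table 1
    get best-effort treatment, which is also what the MANE should do with them."""
    for prio, kind, phb, code in DSCP_CLASSES:
        if code == dscp:
            return prio, kind, phb
    return 4, "Other", "BE"


def dscp_report(packets):
    """Count packets per PHB and list Live TV packets not marked EF (test step h)."""
    counts = {}
    mismarked = []
    for ts, dst, tos in packets:
        dscp = dscp_from_tos(tos)
        _prio, _kind, phb = classify(dscp)
        counts[phb] = counts.get(phb, 0) + 1
        if dst.startswith(LIVETV_PREFIX) and phb != "EF":
            mismarked.append((ts, dst, f"{dscp:06b}"))
    return counts, mismarked


def channel_switch_ms(packets, old_group, new_group):
    """Gap between the last packet of the old channel and the first packet of the new
    one (test step g). This is what the data packets alone show; a precise zap time
    also needs the IGMP leave/report timestamps from the same capture."""
    old = [ts for ts, dst, _ in packets if dst == old_group]
    new = [ts for ts, dst, _ in packets if dst == new_group]
    if not old or not new:
        return None
    return min(new) - max(old)


if __name__ == "__main__":
    print(dscp_report(SAMPLE_CAPTURE))
    print(channel_switch_ms(SAMPLE_CAPTURE, "225.21.3.1", "225.21.3.2"), "ms")
```

Wireshark's "File > Export Packet Dissections" (or tshark with the fields frame.time_relative, ip.dst and ip.dsfield) yields exactly the three columns the functions consume, so the same code runs over a real capture from the test bench.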
IP address plan
STBs of ADSL2+/FTTx subscribers connected to the same VNPT DLK uPE router are assigned addresses from one subnet (selected from the Option 82 field of the DHCP Request sent up to the Headend). The address ranges assigned to STBs are planned as in Table 2.
Table 2: IP address plan for STBs

| Device | Subnet          | Gateway address | STB addresses                 |
|--------|-----------------|-----------------|-------------------------------|
| PE1    | 10.144.32.0/19  | 10.144.32.1     | 10.144.32.2 - 10.144.63.254   |
| PE2    | 10.144.64.0/19  | 10.144.64.1     | 10.144.64.2 - 10.144.95.254   |
| PE3    | 10.144.96.0/19  | 10.144.96.1     | 10.144.96.2 - 10.144.127.254  |
| PE4    | 10.144.128.0/19 | 10.144.128.1    | 10.144.128.2 - 10.144.159.254 |
| PE5    | 10.144.160.0/19 | 10.144.160.1    | 10.144.160.2 - 10.144.191.254 |
| PE6    | 10.144.192.0/19 | 10.144.192.1    | 10.144.192.2 - 10.144.223.254 |
| PE7    | 10.144.224.0/19 | 10.144.224.1    | 10.144.224.2 - 10.144.255.254 |
In addition, every DSLAM delivering the IPTV service must declare the addresses of the multicast channels sent from the VTC Headend system.
Table 3: Multicast address ranges of the VTC Headend

| Multicast stream    | Addresses                 |
|---------------------|---------------------------|
| STB control streams | 225.21.2.1 - 225.21.2.5   |
| LiveTV channels     | 225.21.3.1 - 225.21.3.100 |
|                     | 239.1.1.1 - 239.1.1.254   |
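Table 2 and Table 3 are the data an operator checks a test result or a DSLAM channel declaration against. The following is an added example, not code from the plan: it verifies that the STB plan is internally consistent (gateway is the first host, the STB range fills the rest of the /19, no subnet overlaps), tells which uPE a leased STB address belongs to, and classifies a multicast group against Table 3. How Option 82 is mapped to a PE is assumed to happen upstream in the Headend's DHCP server and is not modelled here.

```python
"""Consistency checks for the STB address plan (Table 2) and the multicast groups
(Table 3). Added example, not part of the VTC/VNPT plan document."""
import ipaddress

# Table 2: uPE -> (subnet, gateway, first STB address, last STB address)
STB_PLAN = {
    "PE1": ("10.144.32.0/19", "10.144.32.1", "10.144.32.2", "10.144.63.254"),
    "PE2": ("10.144.64.0/19", "10.144.64.1", "10.144.64.2", "10.144.95.254"),
    "PE3": ("10.144.96.0/19", "10.144.96.1", "10.144.96.2", "10.144.127.254"),
    "PE4": ("10.144.128.0/19", "10.144.128.1", "10.144.128.2", "10.144.159.254"),
    "PE5": ("10.144.160.0/19", "10.144.160.1", "10.144.160.2", "10.144.191.254"),
    "PE6": ("10.144.192.0/19", "10.144.192.1", "10.144.192.2", "10.144.223.254"),
    "PE7": ("10.144.224.0/19", "10.144.224.1", "10.144.224.2", "10.144.255.254"),
}

# Table 3: multicast ranges sourced by the VTC headend, inclusive (first, last) pairs.
MULTICAST_RANGES = {
    "stb-control": [("225.21.2.1", "225.21.2.5")],
    "livetv": [("225.21.3.1", "225.21.3.100"), ("239.1.1.1", "239.1.1.254")],
}


def validate_plan(plan=STB_PLAN):
    """Return a list of problems; an empty list means the plan is self-consistent."""
    problems = []
    seen = []
    for pe, (subnet, gw, first, last) in plan.items():
        net = ipaddress.ip_network(subnet)
        base = int(net.network_address)
        if int(ipaddress.ip_address(gw)) != base + 1:
            problems.append(f"{pe}: gateway {gw} is not the first host of {subnet}")
        if int(ipaddress.ip_address(first)) != base + 2:
            problems.append(f"{pe}: STB range does not start right after the gateway")
        if int(ipaddress.ip_address(last)) != int(net.broadcast_address) - 1:
            problems.append(f"{pe}: STB range does not end at the last usable host")
        for other_pe, other in seen:
            if net.overlaps(other):
                problems.append(f"{pe} overlaps {other_pe}")
        seen.append((pe, net))
    return problems


def pe_for_stb(ip, plan=STB_PLAN):
    """Which uPE a leased STB address belongs to, or None if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for pe, (subnet, _gw, _first, _last) in plan.items():
        if addr in ipaddress.ip_network(subnet):
            return pe
    return None


def multicast_kind(group):
    """Classify a destination group against Table 3. None means the group is not one
    the headend sources, so a DSLAM should not have it declared."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        return None
    for kind, ranges in MULTICAST_RANGES.items():
        for first, last in ranges:
            if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
                return kind
    return None


if __name__ == "__main__":
    print(validate_plan() or "plan OK")
    print(pe_for_stb("10.144.32.57"), multicast_kind("225.21.3.50"))
```

The 10.144.32.x address expected in test 1 of the expected results resolves to PE1, and the DSLAM channel declarations in step 4 (225.21.2.1 to 225.21.2.5, 225.21.3.1 to 225.21.3.5) all fall inside the Table 3 ranges.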
5. Security in the IPTV service delivery network
Components of the IPTV service delivery network
The IPTV service delivery network is the part of the distribution network that connects directly to customers. In Figure 5, the distribution network is the part from the PE router to the customer's modem.
Figure 5: IPTV service delivery network model (diagram elements: VTC router, PE, MANE, PE, access switch, DSLAM, modem; the Layer 3 segment on the headend side and the Layer 2 segment on the customer side)
Securing the distribution network is therefore critically important.
Attack risks
Because the distribution network provides Layer 2 connectivity (from the customer's modem to the PE router), measures against Layer 2 attacks are required. Attacks of this kind include:
- Overflowing the switch's MAC (forwarding) table: frames are sent from a very large number of different source MACs, more than the switch can learn. When the switch cannot use its table, it has to flood frames on every port. Traffic on the switch is therefore affected, with frames delivered to every host in the network segment. Besides increasing network load, the attacker can also receive frames destined for other hosts.
- Installing rogue DHCP servers: impersonating the legitimate DHCP server on the LAN in order to hand out dynamic configuration to STBs. That configuration affects the STB's ability to reach the service (for example a wrong gateway address, no information about the boot stream, and so on). By giving its own address as the default gateway, the attacker can also obtain the traffic sent to and from the STB.
- Sending forged ARP information (ARP spoofing): sending ARP messages (ARP Reply or gratuitous ARP) that carry the attacker's MAC address together with another host's IP address. All traffic for that IP address is then actually delivered to the attacker's machine.
- Altering the DHCP snooping database: creating a host with a spoofed MAC address identical to another host's. When the host with the spoofed MAC requests DHCP, the DHCP snooping table changes accordingly, and ARP messages from the legitimate host are then blocked.
- Sending excessive DHCP requests (DHCP starvation): the attacking machine sends DHCP requests from spoofed MAC addresses so that the DHCP server cannot serve legitimate clients. The server's whole address pool is exhausted, leaving no addresses for other hosts.
- Denial of service: a PC on the subscriber's LAN sends large volumes of traffic toward the Head-end or to other subscribers in the network, hanging STBs or paralysing the Layer 3 switch.
Attack prevention mechanisms
The distribution network belongs to VNPT DLK, so the prevention mechanisms that VNPT DLK applies on its network devices are:
- Layer 2 ACLs: only devices using the MAC address ranges of Amino, WNC and other STB vendors (as their STBs are deployed on the network) may connect to the system. The DSLAM automatically drops frames whose source MAC address is outside these ranges. Where tighter control is needed, the DSLAM can be configured to accept only frames whose source MAC address is that of the customer's own STB(s).
- Limiting the number of MAC addresses learned per port: capping the number of MAC addresses in the forwarding table for one (or several) physical ports.
- DHCP snooping: monitoring the DHCP exchanges on the system and building a database that binds each DHCP client's MAC address to the IP address assigned by the DHCP server.
- Dynamic ARP Inspection (DAI): using the DHCP snooping binding database to block invalid ARP messages (messages whose MAC/IP pair is not in the database).
- Private VLAN: ensures that customer ports on one or more switches configured with Private VLAN cannot communicate directly with each other.
- Private VLAN Edge: ensures that customer ports on a single switch cannot communicate directly with each other.
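The four port-level mechanisms above (Layer 2 ACL on the source MAC, per-port MAC limit, DHCP snooping, DAI) interact: snooping only trusts server messages from the uplink, DAI consults the binding table that snooping built, and the MAC limit and MAC ACL run first so that neither table can be polluted. The following model is an added example, not VNPT DLK or VTC configuration or code: it processes a constructed sequence of frames through the protections in that order and returns the forward/drop decision and reason for each. The vendor OUIs are placeholders standing in for the Amino and WNC ranges named above.

```python
"""Model of the Layer 2 protections in the plan, in the order a subscriber-facing port
applies them (added example; all frames and OUIs are constructed)."""
from collections import defaultdict

# Placeholder OUIs standing in for the STB vendor ranges (Amino, WNC) named in the plan.
ALLOWED_OUIS = {"00:11:22", "00:aa:bb"}
UPLINK_PORT = "uplink"                     # the only port trusted for DHCP server messages
SERVER_MSGS = {"dhcp_offer", "dhcp_ack"}   # DHCP messages only a server may send


class AccessSwitch:
    def __init__(self, mac_limit=2):
        self.mac_limit = mac_limit
        self.macs_on_port = defaultdict(set)   # port -> source MACs learned (port security)
        self.pending = {}                      # (vlan, client mac) -> port awaiting a lease
        self.bindings = {}                     # (vlan, mac) -> (ip, port), DHCP snooping table

    def _learn(self, port, mac):
        """Per-port MAC limit: a new MAC beyond the cap is refused, known MACs pass."""
        seen = self.macs_on_port[port]
        if mac not in seen and len(seen) >= self.mac_limit:
            return False
        seen.add(mac)
        return True

    def process(self, frame):
        port, vlan, mac, kind = frame["port"], frame["vlan"], frame["src_mac"], frame["kind"]
        if port == UPLINK_PORT:
            # Trusted side: record the lease the real DHCP server handed out, but only
            # for a client whose request was seen on a subscriber port.
            if kind == "dhcp_ack":
                client = (vlan, frame["client_mac"])
                if client in self.pending:
                    self.bindings[client] = (frame["client_ip"], self.pending.pop(client))
            return "forward"
        # Untrusted subscriber port: Layer 2 ACL, then MAC limit, then DHCP snooping, then DAI.
        if mac[:8].lower() not in ALLOWED_OUIS:
            return "drop:mac-acl"
        if not self._learn(port, mac):
            return "drop:mac-limit"
        if kind in SERVER_MSGS:
            return "drop:dhcp-snooping"       # a DHCP server answering from a subscriber port
        if kind == "dhcp_request":
            self.pending[(vlan, mac)] = port
        elif kind == "arp":
            # DAI: the sender MAC/IP pair must match the snooping binding for this port.
            if self.bindings.get((vlan, frame["sender_mac"])) != (frame["sender_ip"], port):
                return "drop:dai"
        return "forward"


def run_demo():
    """Constructed frame sequence; returns one decision per frame."""
    sw = AccessSwitch(mac_limit=2)
    stb_a = "00:11:22:00:00:01"
    frames = [
        # STB A requests a lease on p1; the real server answers on the uplink.
        {"port": "p1", "vlan": 99, "src_mac": stb_a, "kind": "dhcp_request"},
        {"port": UPLINK_PORT, "vlan": 99, "src_mac": "00:aa:bb:ff:ff:01", "kind": "dhcp_ack",
         "client_mac": stb_a, "client_ip": "10.144.32.10"},
        # STB A answers ARP for its own lease: matches the binding.
        {"port": "p1", "vlan": 99, "src_mac": stb_a, "kind": "arp",
         "sender_mac": stb_a, "sender_ip": "10.144.32.10"},
        # A host on p2 claims STB A's address: no binding for that MAC/IP/port.
        {"port": "p2", "vlan": 99, "src_mac": "00:11:22:00:00:02", "kind": "arp",
         "sender_mac": "00:11:22:00:00:02", "sender_ip": "10.144.32.10"},
        # A DHCP server message arriving on a subscriber port.
        {"port": "p2", "vlan": 99, "src_mac": "00:11:22:00:00:02", "kind": "dhcp_offer"},
        # A source MAC outside the STB vendor ranges.
        {"port": "p2", "vlan": 99, "src_mac": "00:de:ad:00:00:01", "kind": "data"},
        # Third distinct MAC on p3 exceeds the per-port limit.
        {"port": "p3", "vlan": 99, "src_mac": "00:11:22:00:00:03", "kind": "dhcp_request"},
        {"port": "p3", "vlan": 99, "src_mac": "00:11:22:00:00:04", "kind": "dhcp_request"},
        {"port": "p3", "vlan": 99, "src_mac": "00:11:22:00:00:05", "kind": "dhcp_request"},
    ]
    return [sw.process(f) for f in frames]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The drop reasons line up with rows 1 to 5 of Table 4: the MAC limit and MAC ACL cover table overflow and DHCP starvation, snooping covers rogue servers, and DAI covers ARP spoofing. Port isolation and Private VLAN (rows 2 and 6) are a forwarding-domain property rather than a per-frame check and are not modelled here.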
The attack types and the prevention mechanisms that VNPT DLK applies on each kind of network device are listed in Table 4:
Table 4: Layer 2 attack types and prevention mechanisms

| No. | Attack type                              | DSLAM and MSAN                                   | FTTH switch                                                  | Access switch | PE router |
|-----|------------------------------------------|--------------------------------------------------|--------------------------------------------------------------|---------------|-----------|
| 1   | Overflowing the switch MAC table         | Layer 2 ACL (allow STB MAC, deny all)            | Layer 2 ACL (allow STB MAC, deny all)                        | None          | None      |
| 2   | Rogue DHCP servers                       | Port isolation                                   | DHCP snooping                                                | None          | None      |
| 3   | Forged ARP information (ARP spoofing)    | DHCP snooping & Dynamic ARP Inspection           | DHCP snooping & Dynamic ARP Inspection                       | None          | None      |
| 4   | Altering the DHCP snooping database      | Layer 2 ACL (allow STB MAC, deny all)            | Layer 2 ACL (allow STB MAC, deny all)                        | None          | None      |
| 5   | Excessive DHCP requests (DHCP starvation)| Layer 2 ACL                                      | MAC address limit on subscriber ports & Layer 2 ACL          | None          | None      |
| 6   | Subscriber-to-subscriber attacks         | Port isolation                                   | Private VLAN                                                 | None          | None      |
| 7   | Denial of service                        | The DSLAM's own mechanism, e.g. Huawei Anti-DoS  | Upstream rate limiting                                       | None          | None      |