ASN GW Workshop
ASN Gateway Session

Agenda

Motorola WiMAX ASN Gateway
Components: Redback, Foundry, Motorola
Motorola's ASN-GW is comprised of three functional elements:
• CAPC (roughly equivalent to the ASN-DP function)
• Ethernet Switch, and
• Router/FA function (ASN-EP functionality with FA functionality introduced in WMX2.0).

Motorola's ASN Gateway acts as a central point in the ASN network, providing connectivity to:
• The WiMAX Access Points
• One or more CSNs, over a WiMAX NWG defined interface (R3)
Hardware for Wateen ASN-GW

Redback: SmartEdge 1200
The Router/FA performs functions generally consistent with the ASN-Gateway Enforcement Point, as defined by the WiMAX Forum Network Working Group.
In particular the Router/FA provides the following important functions:
• BRAS operation for stationary WiMAX subscribers
• IP traffic routing
• Subscriber authentication
• Policy management
• QoS capacities at the subscriber level
• etc.
• The SmartEdge 1200 chassis has 14 slots with 2 slots dedicated to the controller cards and 12 slots available for a flexible combination of traffic cards.
• 256,000 simultaneous sessions (based on XCRP4)
Smart Edge Router
• Contexts
• Ports/Bindings
• Dynamic Clips
Contexts (1)
Figure: two separate routers (Router A and Router B), each with its own ports and cables/circuits, serving Subscriber A (Voice & Data) and Subscriber B (Data) towards the Internet and IMS.
Contexts (2)
Figure: the same topology collapsed into one Smart Edge Router: ports and cables/circuits bound to interfaces in Context A and Context B, serving Subscriber A (Voice & Data), Subscriber B (Data), the Internet and IMS.
A context is a true router inside the Smart Edge.
Contexts (3)
Figure: as above; bindings connect the ports to the interfaces in Context A and Context B.
A context contains its own routing info, addresses, VPNs etc.
Configuration modes in Smart Edge CLI

Smart Edge                                          Cisco
Connected: Operator Monitoring                      Connected: User Exec Mode
Enable: Administrator Monitoring                    Enable: Privilege Exec Mode
Config: Global config                               Config t: Global Config mode
  (Context, Qos, Port, Interface, Router, Protocol)   (Interface, Router, Protocol, ...)

• Pretty similar to Cisco with the exception of Context mode
Interface
Figure: Smart Edge Router with ports/circuits bound to interfaces in Context A and Context B, serving Subscriber A (Voice & Data), Subscriber B (Data), the Internet and IMS.
Interface: a logical IP entity residing in the context (not the same as port or circuit).
Port
Figure: as above; the ports/circuits sit below the bindings, outside the contexts.
Port or Circuit: a physical entity handling encapsulation and bits on the wire.
Concept of Binding
Figure: as above; each binding joins a port/circuit to an interface in Context A or Context B.
Binding: a virtual 'patch-cable' connecting the port to the interface in the context.
Type of Binding
• Static (hard-wired to the higher-layer protocols)
  – Ignore negotiation room (management and backbone)
• Dynamic (based on session information)
  – On interfaces to subscribers
  – DHCP CLIPS based on the MAC address
Static Bind
Figure: port eth 1/1 on the Smart Edge Router bound to an interface in context users.
Static binding: statically associating a circuit/port to an interface in a context.

context users
!
 interface test
  ip address 1.1.1.1/24
!
port eth 2/7
 bind interface test users
!
Multi-bind Concept
Figure: ports eth 1/1 and eth 1/2 on the Smart Edge Router bound to the same interface in Context A.
Multi-bind: binding multiple circuits (subscribers) on the same interface.

context users
!
 interface test multi-bind
  ip address 1.1.1.1/24
!
port eth 2/7
 bind interface test users
!
port eth 2/8
 bind interface test users
!
SER Configuration for CLIPS
Figure: Smart Edge Router with context local and context Clips. Port 2/3 (ToBS interface) faces the WiMAX BS and CPE; port 2/6 faces the NetOp PM AAA; port 2/4 faces the DHCP server and applications server. Addresses shown: 192.168.1.1/24 and 192.168.1.10/24 on the BS side, 192.168.0.1/30 and 192.168.0.2/30 on the AAA link, 192.168.3.1/24 towards the applications server, 192.168.0.15/24 for the DHCP server, and the CLIPS interface 10.10.100.1/24 with 192.168.1.1/24 as secondary address. Subscriber pool: 10.10.100.1 to 10.10.100.10, mask 255.255.255.0, GW 10.10.100.1.
Basic SER Configuration for CLIPS (DHCP traffic flow)
Figure: same topology as above (ToBS and CLIPS interfaces, context local and context clips, ports 2/3, 2/4 and 2/6, DHCP server, NetOp PM AAA, WiMAX BS, CPE, applications server) with the DHCP exchange overlaid, spread over four slides:
1. DHCP DISCOVER (MAC)
2. DHCP DISC to waiting room
2. RADIUS auth for MAC
3. RADIUS Accept (Context, QoS)
4. DHCP DISC to CLIPS context
5. DHCP DISC to DHCP server, GIA: 10.10.100.1
6. DHCP Offer
7. DHCP Offer using secondary IP
8. DHCP Offer
9. DHCP Request
9. DHCP ACK
Binding and Dynamic CLIPs
- CLIPS uses the MAC address as username for AAA auth.
- Dynamic CLIPS uses external AAA to learn the subscriber context information and dynamically bind the subscriber to the CLIPS interface.
- A subscriber being bound to a CLIPS interface means that all traffic coming from that subscriber MAC address is handled by that interface.
Figure (sequence between the CLIPS port/circuit, the CLIPS negotiation room / waiting room, the RADIUS subscriber records, the DHCP records, the interface in Context A and RADIUS accounting):
1. DHCP DISC, MAC 00:0E:22:0B:26:71
2. Request for MAC auth
3. Reply: bind to Context A
4. Binding
5. Request IP addr
6. Return offer
7. Return DHCP Offer
8. Accounting for MAC at context A
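As an added example (not Redback's or the workshop's own code), the following Python models the dynamic CLIPS flow from the last two slides: a DISCOVER parks the MAC in the waiting room, RADIUS is queried with the MAC as username, the reply binds the MAC to its context, the DISCOVER is relayed with GIADDR 10.10.100.1 and the offer comes back from the secondary address. The subscriber records, the pool and the DhcpServer class are constructed stand-ins; the addresses are the ones on the slides.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed RADIUS subscriber records. As on the slides, CLIPS sends the
# subscriber MAC as the RADIUS username and learns the target context and
# QoS policy from the reply; the MAC is the only "credential" at this step,
# so these AAA records are what decides who gets bound.
RADIUS_SUBSCRIBERS = {
    "00:0e:22:0b:26:71": {"context": "Res_CLIPS", "qos": "bronze_qos_policing_policy"},
    "00:0e:22:0b:26:72": {"context": "Res_CLIPS", "qos": "bronze_qos_metering_policy"},
}

# CLIPS interface addresses from the slides: the primary address is the
# GIADDR sent to the DHCP server, the secondary one hands the offer back on
# the AP management subnet (192.168.1.0/24).
CLIPS_INTERFACES = {
    "Res_CLIPS": {"primary": "10.10.100.1", "secondary": "192.168.1.1",
                  "relay_server": "192.168.0.15"},
}


class DhcpServer:
    """Constructed DHCP server: one pool per GIADDR subnet (10.10.100.2-.10;
    .1 is the CLIPS gateway and is left out of the pool)."""

    def __init__(self):
        self.pools = {"10.10.100.0/24": [f"10.10.100.{i}" for i in range(2, 11)]}
        self.leases = {}

    def discover(self, giaddr, chaddr):
        """Select the pool by GIADDR (relay agent address) and offer an address."""
        for net, free in self.pools.items():
            if ipaddress.ip_address(giaddr) not in ipaddress.ip_network(net):
                continue
            if chaddr in self.leases:          # repeated DISCOVER: same lease
                return self.leases[chaddr]
            if not free:
                return None                    # pool exhausted: no offer
            self.leases[chaddr] = free.pop(0)
            return self.leases[chaddr]
        return None                            # no pool for this GIADDR


@dataclass
class SmartEdgeClips:
    dhcp: DhcpServer
    waiting_room: set = field(default_factory=set)   # unauthenticated MACs
    bindings: dict = field(default_factory=dict)     # MAC -> context/qos
    accounting: dict = field(default_factory=dict)   # MAC -> accounting start

    def radius_mac_auth(self, mac):
        """Steps 2/3 on the slides: Access-Request with the MAC as username."""
        return RADIUS_SUBSCRIBERS.get(mac.lower())

    def dhcp_discover(self, mac):
        """Handle a DHCP DISCOVER arriving on the CLIPS port/circuit."""
        mac = mac.lower()
        if mac not in self.bindings:
            self.waiting_room.add(mac)                    # step 2: waiting room
            reply = self.radius_mac_auth(mac)
            if reply is None:
                # Unknown MAC: no binding and no relay; it stays parked.
                return {"bound": False, "context": None, "offer": None}
            self.bindings[mac] = reply                    # step 4: dynamic bind
            self.waiting_room.discard(mac)
        ctx = self.bindings[mac]["context"]
        iface = CLIPS_INTERFACES[ctx]
        # Step 5: relay to the DHCP server with GIADDR = CLIPS primary address.
        offered = self.dhcp.discover(iface["primary"], mac)
        if offered is None:
            return {"bound": True, "context": ctx, "offer": None}
        # Steps 6-8: offer returned via the secondary address; accounting start.
        self.accounting[mac] = {"context": ctx, "ip": offered,
                                "qos": self.bindings[mac]["qos"]}
        return {"bound": True, "context": ctx, "offer": offered,
                "offer_src": iface["secondary"], "giaddr": iface["primary"]}


if __name__ == "__main__":
    se = SmartEdgeClips(DhcpServer())
    print(se.dhcp_discover("00:0E:22:0B:26:71"))   # bound, offer 10.10.100.2
    print(se.dhcp_discover("de:ad:be:ef:00:01"))   # not bound, waiting room
```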
Basic SER Configuration for CLIPS (DHCP traffic flow)
Local context configuration:

context local
!
 interface AP_MGT multibind
  ip address 192.168.1.1/24
  dhcp proxy 65535
!
 aaa authentication subscriber global
 aaa accounting subscriber radius
 aaa reauthorization bulk global
 radius accounting server 192.168.0.2 key secretkey
!
 radius server 192.168.0.2 key secretkey

- Access the local context.
- Add an interface leading to the RAN side. Add an IP address for the interface; this IP address should be the default gateway of the DAP.
- Add an interface leading to the NetOp PM RADIUS server. Add an IP address for the interface.
- Enable AAA authentication. Enable AAA accounting in RADIUS. Enable reauthorization.
- Configure the RADIUS accounting server.
- Configure the RADIUS authentication server.
Basic SER Configuration for CLIPS (DHCP traffic flow)
Clips context configuration:

context Res_CLIPS
!
 interface ToApplications
  ip address 192.168.3.1/24
!
 interface CLIPS multibind
  ip address 10.10.100.1/24
  ip address 192.168.1.1/24 secondary
  dhcp proxy 65535
 aaa authentication subscriber global
!
!
 dhcp relay server 192.168.0.15
!

- Access the clips context.
- Add an interface leading to the DHCP and applications servers side. Add an IP address for the interface.
- Add an interface to which dynamic CLIPS subscribers are bound, that provides IP addresses for subscribers. Enable the interface to act as a proxy between subscribers and the DHCP relay agent; set the number of IP addresses allowed on the interface to the maximum (65,535).
- Enable AAA authentication.
- Identify the location of the external DHCP relay server to which the SE relays requests.
Basic SER Configuration for CLIPS (DHCP traffic flow)
Global configuration:

aaa global authentication subscriber radius context local
aaa global accounting subscriber radius context local
aaa global accounting reauthorization subscriber radius context local
aaa global accounting event dhcp
aaa global accounting event reauthorization
!
service multiple-contexts
!

- Configure AAA globally to use the RADIUS servers configured in the local context. Also configure AAA globally to use the RADIUS servers configured in the local context for reauthorization accounting.
- Enable notifying the NetOp PM system of the IP addresses that have been assigned to a subscriber session via CLIPS using DHCP.
- Enable notifying the NetOp PM system of reauthorization events.
- Configure the node to allow the creation of multiple contexts.
Basic SER Configuration for CLIPS (DHCP traffic flow)
Global configuration:

qos policy bronze_qos_metering_policy metering
 rate 128 burst 100000
!
qos policy bronze_qos_policing_policy policing
 rate 128 burst 100000
!
snmp server
snmp view npm_view sysDescr included
snmp view npm_view sysName included
snmp view npm_view vacmMIBObjects included
snmp view npm_view ifType included
snmp view npm_view ifName included
snmp view npm_view ifHighSpeed included
snmp view npm_view rbnSubsClearSessionId included
snmp view npm_view rbnSubsBounceSessionId included
snmp view npm_view rbnSubsReauthRadiusID included
snmp view npm_view rbnSubsReauthSessionId included
snmp view npm_view rbnSubsClearReason included
snmp view npm_view rbnSubsActiveCircuitDescr included
snmp view npm_view rbnSubsActiveResend included
snmp view npm_view rbnSubsActiveAddr included
snmp view npm_view rbnSubsOctetsSent included
snmp view npm_view rbnSubsOctetsReceived included
snmp community npm_community all-contexts view npm_view read-write

- Define a metering policy that restricts the bandwidth of traffic being sent to the subscriber circuit to a specific tier.
- Define a policing policy that restricts the bandwidth of traffic being received from the subscriber circuit to a specific tier.
- Required. Allow the Smart Edge to accept SNMP bounce, reauth, and clear messages from the NetOp PM system.
- Create a community string to permit access to Management Information Base (MIB) objects. Use the all-contexts keyword to trigger the automatic generation of community names for all managed contexts. Allow the community read-write access to the MIB objects.
Basic SER Configuration for CLIPS (DHCP traffic flow)
Global configuration:

port ethernet 2/3
 no shutdown
 bind interface AP_MGT local
 service clips dhcp ignore-relay context local
!
port ethernet 2/4
 no shutdown
 bind interface To_CSN_VLAN local
 service clips dhcp ignore-relay context local
!

- Configure an Ethernet port leading to the RAN network. Also configure the port to be operational, and bind it to the ToBS interface in the local context, with interface binding.
- Configure an Ethernet port leading to the NetOP PM server. Also configure the port to be operational, and bind it to the server interface in the local context, with interface binding.
- Configure an Ethernet port leading to the DHCP/APP servers. Also configure the port to be operational, and bind it to the ToApplications interface in the clips context, with interface binding.
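Added example, not part of the workshop material: a small Python audit that parses a SmartEdge-style configuration like the one on these slides and checks each port binding against the interfaces actually defined in the named context, flags placeholder RADIUS shared secrets, and reports a read-write SNMP community so its reach can be reviewed. The excerpt and the statement forms the parser recognises are constructed for this example and cover only what these slides show.

```python
import re
from collections import defaultdict

# Constructed excerpt in the style of the SmartEdge configuration on the
# slides (same contexts, interfaces, port bindings and addresses as shown).
SAMPLE_CONFIG = """\
context local
 interface AP_MGT multibind
  ip address 192.168.1.1/24
  dhcp proxy 65535
 radius accounting server 192.168.0.2 key secretkey
 radius server 192.168.0.2 key secretkey
!
context Res_CLIPS
 interface ToApplications
  ip address 192.168.3.1/24
 interface CLIPS multibind
  ip address 10.10.100.1/24
  ip address 192.168.1.1/24 secondary
!
snmp community npm_community all-contexts view npm_view read-write
!
port ethernet 2/3
 no shutdown
 bind interface AP_MGT local
!
port ethernet 2/4
 no shutdown
 bind interface To_CSN_VLAN local
!
"""

WEAK_SECRETS = {"secretkey", "secret", "radius", "password", "testing123"}


def parse_config(text):
    """Collect contexts with their interfaces, port bindings, RADIUS servers
    and SNMP communities from a SmartEdge-style configuration."""
    contexts = defaultdict(set)          # context name -> interfaces defined
    binds, radius, snmp = [], [], []
    ctx = port = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("context "):
            ctx, port = line.split()[1], None
        elif line.startswith("port "):
            port, ctx = " ".join(line.split()[1:]), None
        elif line.startswith("interface ") and ctx:
            contexts[ctx].add(line.split()[1])
        elif (m := re.match(r"bind interface (\S+) (\S+)$", line)) and port:
            binds.append((port, m.group(1), m.group(2)))
        elif (m := re.match(r"radius (?:accounting )?server (\S+) key (\S+)", line)) and ctx:
            radius.append((ctx, m.group(1), m.group(2)))
        elif m := re.match(r"snmp community (\S+)(.*)", line):
            snmp.append((m.group(1), m.group(2)))
    return {"contexts": dict(contexts), "binds": binds, "radius": radius, "snmp": snmp}


def audit(cfg):
    """Return findings: dangling bindings, weak RADIUS secrets, broad SNMP write access."""
    findings = []
    for port, iface, ctx in cfg["binds"]:
        if iface not in cfg["contexts"].get(ctx, set()):
            findings.append(f"port {port}: bound to interface {iface} in context {ctx}, "
                            f"which is not defined; subscribers on this port get no service")
    for ctx, server, key in cfg["radius"]:
        if key.lower() in WEAK_SECRETS or len(key) < 16:
            findings.append(f"context {ctx}: RADIUS server {server} uses a short or "
                            f"placeholder shared secret; MAC-as-username auth rests on it")
    for name, rest in cfg["snmp"]:
        if "read-write" in rest:
            scope = "all contexts" if "all-contexts" in rest else "one context"
            findings.append(f"snmp community {name}: read-write on {scope}; needed for "
                            f"NetOp PM bounce/reauth/clear, so limit it to the NetOp PM network")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```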
TROUBLESHOOTING
• Show commands
  – show config
  – show port counters
  – show chassis
  – show port
  – show bind
  – show radius server
  – show radius stats
• Debug commands
  – no debug all
  – debug aaa all
  – debug dhcp-relay all
  – debug clips all
• terminal monitor
• logging console
QoS set up in the SE-100
• Subscriber will be associated with a specific QoS
  – The QoS settings are configured in the SE
  – The AAA server will associate a user, based on MAC, with specific settings.
• QoS Policing Policy can classify, mark, rate-limit or perform all actions on incoming packets
• QoS Metering Policy can perform the same operations on outgoing packets in the egress circuit.

qos policy Silver_QOS_metering metering
 rate 512 burst 64000
qos policy Silver_QOS_policing policing
 rate 512 burst 64000
NetOP Policy Manager

NetOP Policy Manager: Service and Subscriber Management
Figure: NetOp Policy Manager at the centre, with the Broadband Subscriber, Service Portal, SmartEdge Service Gateway, BSS/OSS and RADIUS or Billing Server around it; arrows for Policy Refresh, Accounting, Service Selection and Internet access.
NetOp PM acts as primary AAA for the network and it is a key element in the QoS enforcement.
This equipment is responsible for:
- Controlling and enforcing policies for:
  - Metering policies (time-based, duration, volume-based, class-based)
  - Securing policies (forward policies, policy ACL)
  All these policies are controlled by the NetOp PM and enforced by the Redback router through the CLIPS features.
- Maintaining a persistent store of each subscriber's services and the policies to be applied for the services.
- Proxying RADIUS authorization packets to other RADIUS servers or billing systems.
- Storing accounting data.
- Providing centralized authentication.
Netop PM AAA
• AAA server from Redback
• Software running over Solaris 10 OS
  – For any doubt about installing Solaris software: http://www.sun.com/software/solaris/howtoguides/installationhowto.jsp
• Partition map recommendations by Redback as follows:

Partition       Description                                                   Size (GB)
/               Solaris OS and Oracle software                                14
/u02            Oracle data files                                             3
/export/home    Home directories and Oracle archive and backup directories    10
Swap Space      Solaris virtual memory                                        1 x RAM memory
Netop PM Deployment
It comprises the following parts:
• Installing and configuring the Oracle database - Oracle 10g
• Installing and configuring the NetOP PM software components
  - Radius Server (Radiator 3-16)
  - NetOP PM API
  - NetOP PM Lightweight Web Portal
• Customizing the NetOP PM for the Motorola WIMAX product requirements (adding Motorola VSAs to the NETOP)
Netop PM Installation (1)
• Install Oracle database:
  – cd /cdrom/netop_common_X
  – ./netop_install.sh database
• Configure Netop PM database:
  – cd /usr/local/npm
  – ./config_db.sh -small (LAB)
  • Could be medium or large (production environments)
• Install Netop PM database:
  – cd /usr/local/npm/db/admin
  – ./create_npm_db.sh

Netop PM Installation (2)
• Install the Netop PM components:
  – cd /mnt/NetOp_commonX
  – ./netop_install.sh npm
• Enable the Netop PM communications:
  – cd /usr/local/npm
  – ./config_npm.sh
• Install the licenses:
  – ./config_licenses.sh [-file license-file]

Netop PM Components Configuration
• Configure Radius
  – cd /usr/local/npm
  – ./config_radius.sh
• Start Radius
  – cd /usr/local/npm/radius
  – ./start_radius.sh
• Configure Netop PM API
  – cd /usr/local/npm
  – ./deploy_api.sh –nosecure
• Start Netop PM API
  – cd /usr/local/npm/api
  – ./start_api.sh

Netop PM Components Configuration (2)
• Configure Netop PM Lightweight Web Portal
  – cd /usr/local/npm
  – ./deploy_portal.sh
• Start Netop PM Lightweight Web Portal
  – cd /usr/local/npm/portal
  – ./start_portal.sh
• Configure the Netop PM Service Manager
  – cd /usr/local/npm/service_manager
  – ./start_service_manager.sh
• Start the Netop PM Service Manager
  – cd /usr/local/npm/service_manager
  – ./start_service_manager.sh
Netop PM Customization for Motorola WIMAX
• Add third party (Motorola) Device Type (NAS Type)
• Add and Register Third Party Devices (NAS Entity)
• Add Supporting Radius Attributes to the dictionary_redback.cfg and to the Database
• Create Service Attribute Variation for WIMAX
• Configure EAP-TTLS Authentication
NetOP PM Creating Service Offerings
Service offerings are the services offered to the subscriber.
An access service offering configuration is divided into three parts:
• Time/Volume Variation configuration
• Bandwidth Variation configuration
• Dynamic IP Address Variation configuration
The Time/Volume Variation is just parameters to configure. For the Bandwidth Variation configuration you will need to create and configure a Bandwidth Variation service attribute. For the Dynamic IP Address Variation configuration you will need to create and configure a Dynamic IP Address Variation service attribute.
NetOP PM Creating Service Offerings
There are three ways of creating service offerings:
1. Directly in the database using SQLDeveloper (not recommended)
2. Using the SOAP API (for customized portals and automated tasks)
3. Using the NetOp GUI Client (recommended for day-to-day operations)
The NetOp Client Uses the NPM API
Versions for Solaris and Windows
NetOP PM Client
(Screenshots of the NetOp PM Client.)

NetOp Provisioning
(Screenshot slides 1 to 15: Bandwidth Variation, Dynamic IP address variation, Access Offering.)
FoundryFoundry SwitchSwitch
TM
XMR As Aggregation Switch
The Foundry switch performs as a Layer 2 Ethernet switch in the ASN-GW. It aggregates the data traffic from the access points and provides connectivity to the CAP-C and the Router/FA.
• The XMR4000/XMR8000 supports a large number of MAC addresses which is critical for the Motorola solution.
XMR Sample configuration (1)

Current configuration:
!
ver V3.7.0bT163
module 1 ni-xmr-20-port-1g-copper
module 2 ni-mlx-20-port-1g-100fx
!
mirror ethernet 1/20
!
no spanning-tree
!
vlan 10 name ISP1
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
!
vlan 20 name ISP2
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
!
vlan 201 name Access
 untagged ethe 1/1 to 1/2 ethe 1/17 to 1/20
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
 router-interface ve 201
!
vlan 1 name DEFAULT-VLAN
no route-only
clock summer-time
clock timezone gmt GMT+02
enable telnet password .....
enable super-user-password .....
logging console
telnet server
web-management http
web-management https
web-management enable vlan 201
ip route 0.0.0.0/0 172.16.196.1

XMR Sample configuration (2)

!
snmp-server community ..... rw
snmp-server contact Mohammad Rabas
snmp-server location Motorola
hostname Mada-XMR8000
!
interface management 1
 enable
!
interface ethernet 1/1
 port-name CAPC_Primary_SC
 enable
 speed-duplex 100-full
!
interface ethernet 1/2
 port-name CAPC_Secondary_SC
 enable
 speed-duplex 100-full
.....
.....
interface ethernet 1/9
 port-name HQ_DAP
 enable
 speed-duplex 100-full
 mon ethernet 1/20 both
!
interface ve 201
 qos-tos
 ip address 172.16.196.2/22
!
End
Wholesale Vs Retail Model

WiMAX Forum: NAP and NSP
Figure: Wholesale model: a single NAP (one ASN) shared by multiple NSPs (NSP1/CSN1, NSP2/CSN2). Retail model: a single NSP provides access through a single NAP (one ASN, one CSN).
NAP: Network Access Provider
NSP: Network Services Provider
Wholesale Model
• Customer is assigned a unique NAI (e.g. username@providersdomain) and password.
• Netop PM adds the NAI information to the AAA server to activate the device.
• User configures the device with NAI and password.
• Device executes network entry by finding, registering with, and presenting credentials to the nearest AP.
• Wholesaler AP validates the device with the ISP AAA server through the EAP proxy in NetopPM
  – Auto-provisioning of end users' device MACs into the system
• Wholesaler B-RAS validates the MAC with the Netop PM server for the CLIPS creation process
Wholesale model set up (1)
• We will proxy EAP based on the realm attached in the username.
• 3 important tables:
  – PROXY_CONFIG
  – RADIUS_PROXY_SERVER
  – NAS_INFO
• Outer Authentication Proxy
  – External tunnel will be anonymous
• Inner Authentication Proxy
  – Internal tunnel that will be proxied based on the PROXY_CONFIG table

Wholesale model set up (2.1)
• Define the realm in PROXY_CONFIG that will be forwarded
  – EAP outer will not be forwarded (Proxy login NO)
  – Realm will be forwarded (Proxy login YES)

Wholesale model set up (2.2)
• Define in PROXY_CONFIG the service offering associated with the inner authentication realm

Wholesale model set up (3)
• Define which AAA server is responsible for that realm in RADIUS_PROXY_SERVER

Wholesale model set up (4)
• Also follow the procedure for populating the Radius Server as NAS in the NAS_INFO table
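Added example (not NetOp PM code): a Python model of the proxy decision the three tables above drive, with the outer TTLS identity answered locally and the inner identity routed by realm. PROXY_CONFIG, RADIUS_PROXY_SERVER and NAS_INFO are constructed dictionaries; the realm names, the addresses and the nap.example realm carrying the anonymous outer identity are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the three NetOp PM tables named on the slides.
# PROXY_CONFIG: realm -> whether the login is proxied and which service
# offering the inner realm maps to. The NAP's own realm (assumed name)
# carries the anonymous outer identity and is never forwarded (Proxy login NO).
PROXY_CONFIG = {
    "nap.example":  {"proxy_login": False, "service_offering": None},
    "isp1.example": {"proxy_login": True,  "service_offering": "Silver_Access"},
    "isp2.example": {"proxy_login": True,  "service_offering": "Bronze_Access"},
}
# RADIUS_PROXY_SERVER: realm -> home AAA server (address, port) for that ISP.
RADIUS_PROXY_SERVER = {
    "isp1.example": ("198.51.100.10", 1812),
    # isp2.example deliberately missing to exercise the failure path
}
# NAS_INFO: registered NAS addresses allowed to send requests to NetOp PM.
NAS_INFO = {"192.168.0.1": "SmartEdge-local", "192.168.0.5": "CAPC-1"}


@dataclass
class Decision:
    action: str                          # "local", "proxy" or "reject"
    realm: str = ""
    server: Optional[tuple] = None       # set only for "proxy"
    service_offering: Optional[str] = None
    reason: str = ""


def split_nai(username):
    """Split an NAI 'user@realm'; the realm is matched case-insensitively."""
    if "@" not in username:
        return username, ""
    user, _, realm = username.rpartition("@")
    return user, realm.lower()


def route_access_request(nas_ip, username, phase):
    """Decide what NetOp PM does with one Access-Request.
    phase is 'outer' (EAP-TTLS tunnel setup) or 'inner' (tunnelled MS-CHAPv2)."""
    if nas_ip not in NAS_INFO:
        return Decision("reject", reason="NAS not registered in NAS_INFO")
    _, realm = split_nai(username)
    cfg = PROXY_CONFIG.get(realm)
    if cfg is None:
        return Decision("reject", realm, reason="realm not in PROXY_CONFIG")
    if phase == "outer":
        # The TTLS tunnel terminates on NetOp PM (the EAP server), so the
        # anonymous outer identity is handled locally and never forwarded.
        return Decision("local", realm, reason="outer identity is never forwarded")
    if not cfg["proxy_login"]:
        return Decision("local", realm, service_offering=cfg["service_offering"])
    server = RADIUS_PROXY_SERVER.get(realm)
    if server is None:
        return Decision("reject", realm, reason="no RADIUS_PROXY_SERVER for realm")
    # Inner identity leaves NetOp PM as plain RADIUS towards the ISP; that leg
    # relies on the shared secret configured for the proxy server entry.
    return Decision("proxy", realm, server, cfg["service_offering"])
```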
VLAN-A Feature Overview

MSS VLAN Assignment

VLAN Configuration Table
Index   Name       Domain          VLAN ID
1       Default    *               926
2       Motorola   wimax.mot.com   201

• Example VLAN configuration table
  – The table above shows two entries
  – The domain wimax.mot.com has a VLAN ID of 201
  – The default "catch all" VLAN ID is 926
• By having only the default "catch all" VLAN ID set equal to the AP VLAN ID, the VLAN A feature can be disabled.
• MSS VLAN ID
  – Assigned during Network Entry
  – MSS VLAN ID is a Motorola VSA in the AAA configuration for the user. Ex: Motorola-Wimax-VLAN-Id=0x0000
  – Can be configured in the AAA (EAP-TLS / EAP-TTLS) or via AP configuration at the PEMS (see "AP->Node Configurations->VLAN Configuration -> IEEE 802.1Q VLAN ID" for the list of VLAN IDs and NSPs).
MSS DHCP and ARP
• MSS VLAN ID same as AP VLAN ID
  – AP performs DHCP relay for the subscriber.
• MSS VLAN ID not equal to AP VLAN ID
  – AP performs DHCP broadcast on the VLAN assigned to the subscriber.
  – ARPs are performed on the VLAN assigned to the subscriber.
• Can support overlapping IP addresses on different VLANs
• All bearer traffic is tagged by the AP with the subscriber VLAN on the uplink
• Core network is expected to tag all packets destined to the subscriber with the appropriate VLAN ID on the downlink.
VPN Support in WiMAX Solution

WiMAX Protocol Stack
Figure: 802.16e Physical Layer; MAC Layer consisting of the Security Sublayer, the MAC Common Part Sublayer and the convergence sublayers: IPv4 Convergence Sublayer, IPv6 Convergence Sublayer, Ethernet Convergence Sublayer.
The IPv4 CS is the only CS supported in WMX 1.0, 2.0, 2.5, 3.0; the IPv6 and Ethernet CS are candidates for future releases.
So how do packets get relayed?
Figure (headers at each hop, Host → CPE (NAPT) → AP → SER):
Host → CPE: Ethernet src PC MAC, dst CPE MAC; IP src Host IP, dst Server IP
CPE → AP (802.16e air interface): 802.16e CID; IP src CPE IP, dst Server IP
AP → SER: Ethernet src CPE MAC, dst G/W MAC; IP src CPE IP, dst Server IP
So what does that mean?
• The lack of ECS means that:
  • The Ethernet header of packets received by the WiMAX CPE will be stripped off by the IPv4 CS before segmenting them into WiMAX blocks over the air
  • So, Ethernet information such as the VLAN tag and 802.1p user priority will be lost
  • Only the IPv4 payload will be transported over the 802.16e air interface
• L2 VPNs (MPLS based) rely heavily on Ethernet header information and hence CANNOT be supported in a typical WiMAX deployment
And Customers are interested in Layer 2 and Layer 3 VPNs
• So what to do?
• A solution is available to the rescue:
  – L2TPv3 [Layer 2 Tunneling Protocol Version 3]
• WiMAX CPE (B2, JUPITER, etc.) and Redback Smart Edge support L2TPv3
• Tunnels are set up between the CPE and SER and Ethernet frames can be transported TRANSPARENTLY over the L2TPv3 tunnel: LAC-to-LNS model
• We can also do L2TPv3 between CPEs directly (SER will be merely routing L2TPv3 IP packets): LAC-to-LAC model
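Added example, not from the workshop: Python that builds an 802.1Q-tagged frame and shows what survives each transport. The IPv4 CS hands only the IP packet to the air interface, so VLAN ID and 802.1p priority are gone, while an L2TPv3-over-IP data message carries the whole frame so the SER (LNS) can recover the tag. MAC addresses, the L2TPv3 session ID and cookie are constructed; the IPv4 header is minimal and carries no checksum.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_L2TP = 115

# Constructed addresses; VLAN 201 is the Access VLAN used on the slides.
CPE_MAC = bytes.fromhex("000e220b2671")
GW_MAC = bytes.fromhex("020000000001")


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero, nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def build_frame(dst_mac, src_mac, ip_packet, vlan_id=None, pcp=0):
    """Ethernet II frame, optionally with an 802.1Q tag (VLAN ID + 802.1p priority)."""
    hdr = dst_mac + src_mac
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return hdr + struct.pack("!H", ETH_P_IP) + ip_packet


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    off = 14
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, off = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[off:]}


def ipv4_cs_sdu(frame):
    """IPv4 convergence sublayer: only the IP packet goes to the 802.16e MAC.
    MAC addresses, VLAN ID and 802.1p priority never reach the air interface."""
    p = parse_frame(frame)
    if p["ethertype"] != ETH_P_IP:
        raise ValueError("IPv4 CS carries IPv4 packets only")
    return p["payload"]


# Constructed L2TPv3 session parameters (negotiated per tunnel in reality).
L2TPV3_SESSION_ID = 0x00001001
L2TPV3_COOKIE = bytes.fromhex("a1b2c3d4e5f60718")   # 64-bit cookie


def l2tpv3_encapsulate(frame, session_id=L2TPV3_SESSION_ID, cookie=L2TPV3_COOKIE):
    """L2TPv3-over-IP data message (RFC 3931, no L2-specific sublayer):
    session ID, cookie, then the whole Ethernet frame, tag included."""
    return struct.pack("!I", session_id) + cookie + frame


def l2tpv3_decapsulate(data, session_id=L2TPV3_SESSION_ID, cookie=L2TPV3_COOKIE):
    """LNS side: a wrong session ID or cookie means a forged or misrouted packet; drop it."""
    if len(data) < 12:
        return None
    (sid,) = struct.unpack("!I", data[:4])
    if sid != session_id or data[4:12] != cookie:
        return None
    return data[12:]


def vlan_seen_by_core(frame, transport):
    """VLAN ID the SER/core can recover: None under plain IPv4 CS, the tag under L2TPv3."""
    if transport == "ipv4-cs":
        ipv4_cs_sdu(frame)        # the IP packet survives, the Ethernet header does not
        return None
    # CPE (LAC) wraps the frame in an L2TPv3/IP packet; that packet is plain IPv4,
    # so the IPv4 CS forwards it untouched and the SER (LNS) unwraps it.
    body = l2tpv3_encapsulate(frame)
    tunnel = ipv4_header("10.10.100.5", "10.10.100.1", IPPROTO_L2TP, len(body))
    over_air = ipv4_cs_sdu(build_frame(GW_MAC, CPE_MAC, tunnel + body))
    inner = l2tpv3_decapsulate(over_air[20:])      # strip the outer IPv4 header
    return parse_frame(inner)["vlan"] if inner else None
```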
OK, let's see how it actually works – L2
Figure: CPE with its gateway; gateway towards the tunnel termination; tunnel termination on the SER with a physical loopback into a VPLS bridge profile; subscriber traffic delivered to the VPLS L2 domain.

OK, let's see how it actually works – L3
Figure: as for L2 (gateway for CPE, gateway towards the tunnel termination, tunnel termination, physical loopback, VPLS bridge profile), with the subscriber traffic delivered to the CE (behind the CPE) gateway.
Caveats
• Operational overhead for setting up and maintaining L2TPv3 tunnels
• Capacity issues: How many L2TPv3 tunnels can be supported on both the WiMAX CPE and Redback SER
BACKUP SLIDE

EAP Authentication
Figure (roles per node, as laid out on the slide): MSS: EAP Client; AP: EAP Proxy; CAPC: EAP Authenticator (pass-through) and RADIUS Client; AAA: EAP Server and RADIUS Server. The EAP Method runs end-to-end between MSS and AAA; transports: PKMv2 between MSS and AP, EAP between AP and CAPC, RADIUS between CAPC and AAA.
Authentication Flow (EAP)
Participants: MSS, AP, CAPC, AAA (NetOp PM).
1. MSS → AP: PKMv2 EAP-START. AP → CAPC: M_SEC_INIT_AUTH.
2. CAPC → AP: M_SEC_EAP-REQ (EAP Identity Request). AP → MSS: PKMv2 EAP-TRANSFER, EAP-Message (EAP Identity Request). (Slide label at the CAPC: Maximum EAP sessions.)
3. MSS → AP: PKMv2 EAP-Message (EAP Identity Response, identity username@domain). AP → CAPC: M_SEC_EAP_RSP. CAPC → AAA: RADIUS Access Request (RFC 2865, RFC 2869); the CAPC replicates the EAP Response containing the identity of the MSS in the EAP-Message attribute (pass-through EAP-Message).
4. AAA → CAPC: RADIUS Access Challenge (EAP-Message: EAP TTLS START). CAPC → AP: M_SEC_EAP_REQ (EAP TTLS START). AP → MSS: PKMv2 (EAP TTLS START).
5. EAP-TTLS tunnel establishment (TLS handshake), tunnel extended by the AP.
6. EAP message exchange inside the tunnel: EAP-TTLS with MS-CHAP-v2 or another method, tunnel extended by the AP.
7. AAA → CAPC: RADIUS Access Accept (EAP-Message/EAP Success, VSAs). CAPC → AP: M_SEC_EAP_COMPLETE (EAP SUCCESS). AP → MSS: PKMv2 (EAP SUCCESS).
NetOP manages Radius Interaction with Service Provider

Authentication Flow (EAP) with RADIUS Proxy
Participants: CPE, DAP (Access Network), CAP-C, NetOp PM, ISP RADIUS (Service Provider).
1. DAP → CPE: EAP-Request (Identity). CPE → DAP: EAP-Response (Identity), passed through to the CAP-C.
2. CAP-C → NetOp PM: RADIUS Access-Request, user@isp_realm.
3. NetOp PM → CAP-C: RADIUS Challenge, EAP-REQ TTLS Start, passed through to the CPE.
4. EAP-TTLS handshake, each leg relayed as EAP pass-through by the DAP and as RADIUS Access-Request/Challenge between CAP-C and NetOp PM: Client Hello; TTLS Server Hello; Client Key Exchange; Change Cipher Spec; EAP tunnel establishment (EAP-TTLS secure data tunnel).
5. Inside the tunnel: username and MS-CHAP challenge (RADIUS Access-Request from CAP-C to NetOp PM).
6. NetOp PM → ISP RADIUS: RADIUS Proxy AUTH Request. ISP RADIUS → NetOp PM: RADIUS Proxy AUTH Response.
7. NetOp PM → CAP-C: RADIUS AUTH ACK, MS-CHAP success. EAP success passed through to the CPE.
Two use cases:
1. Wholesale
2. If the customer's existing AAA does not support EAP
Network Entry Message Flows: Authentication
Participants: SM, DAP, CAPC, NetOP PM.
1. SM → DAP → CAPC: PKM-REQ (initial EAP).
2. CAPC → SM: PKM-Response (EAP ID Req.).
3. SM → CAPC: PKM-REQ; CAPC → NetOP PM: Access Req. (username).
4. EAP-TTLS secure tunnel.
5. NetOP PM → CAPC: Access Challenge; CAPC → SM: PKM-Response.
6. MS-CHAPv2 secure password authentication.
7. SM → CAPC: PKM-REQ; CAPC → NetOP PM: Access Req.
8. NetOP PM: lookup profile ID.
9. NetOP PM → CAPC: Access Accept; CAPC → SM: PKM-Response.
NetOP PM will store the MAC address and send MotoWMX VSAs.
Network Entry Message Flows: IP Address Assignment
Participants: CPE, DAP, SE 400 (context local and context users), NetOP PM, DHCP server. Addresses on the slide: IP1 (CPE side), IP2 (DAP), IP3 and IP4 (SE 400), IP5 (DHCP server).
1. CPE → DAP: DHCP Request (broadcast), source IP1, destination IP2, CHAddr: CPE MAC.
2. DAP → SE 400 context local: DHCP Request (unicast), source IP2, destination IP4.
3. SE 400 → NetOP PM: RADIUS Access Req; NetOP PM looks up the context definition using the CPE MAC.
4. NetOP PM → SE 400: RADIUS Access Accept, VSA = context & QoS; the SE switches to the target context.
5. SE 400 context users → DHCP server: DHCP Request (unicast), source IP3, destination IP5, GIA: IP2; the DHCP server looks up the IP address based on GIA=IP4.
6. DHCP server → SE 400 → DAP → CPE: DHCP Ack, carrying the offered IP address.