ASN GW Workshop

ASN Gateway Session


Agenda


Motorola WiMAX ASN Gateway

[Figure: ASN-GW components: Redback, Foundry, Motorola]

Motorola's ASN-GW comprises three functional elements:
• CAPC (roughly equivalent to the ASN-DP function)
• Ethernet Switch
• Router/FA function (ASN-EP functionality, with FA functionality introduced in WMX2.0)

Motorola's ASN Gateway acts as a central point in the ASN network, providing connectivity to:
• The WiMAX Access Points
• One or more CSNs, over a WiMAX NWG defined interface (R3)


Hardware for Wateen ASN-GW


Redback: SmartEdge 1200

The Router/FA performs functions generally consistent with the ASN-Gateway Enforcement Point, as defined by the WiMAX forum Network Working Group.

In particular the Router/FA provides the following important functions:

• BRAS operation for stationary WiMAX subscribers
• IP traffic routing
• Subscriber authentication
• Policy management
• QoS capacities at the subscriber level
• …etc

• The SmartEdge 1200 chassis has 14 slots, with 2 slots dedicated to the controller cards and 12 slots available for a flexible combination of traffic cards.
• 256,000 simultaneous sessions (based on XCRP4)

Smart Edge Router

• Contexts
• Ports/Bindings
• Dynamic Clips

Contexts (1)

[Figure: Subscriber A (Voice & Data) and Subscriber B (Data) connected over cables/circuits to ports on Router A and Router B, which lead to the IMS and the Internet]

Contexts (2)

[Figure: Subscriber A (Voice & Data) and Subscriber B (Data) connected over cables/circuits to ports on a single Smart Edge Router, with interfaces in Context A and Context B leading to the IMS and the Internet]

A context is a true router inside the Smart Edge.

Contexts (3)

[Figure: Subscriber A (Voice & Data) and Subscriber B (Data) connected over cables/circuits to ports on a single Smart Edge Router; each port is bound to an interface in Context A or Context B]

A context contains its own routing info, addresses, VPNs etc.

Configuration modes in Smart Edge CLI

• Pretty similar to Cisco with the exception of Context mode

Smart Edge                              Cisco
Connected – Operator Monitoring         Connected – User Exec Mode
Enable – Administrator Monitoring       Enable – Privilege Exec Mode
Config – Global config                  Config t – Global Config mode
Context, Qos, Port, Interface,          Interface, Router, Protocol….
Router, Protocol

Interface

[Figure: Smart Edge Router with ports/circuits bound to interfaces in Context A and Context B, serving Subscriber A (Voice & Data) and Subscriber B (Data) towards the IMS and the Internet]

Interface: a logical IP entity residing in the context (not the same as a port or circuit).

Port

[Figure: Smart Edge Router with the ports/circuits highlighted, each bound to an interface in Context A or Context B]

Port or Circuit: a physical entity handling encapsulation and bits on the wire.

Concept of Binding

[Figure: Smart Edge Router with the binding between a port/circuit and an interface in Context A or Context B highlighted]

Binding: a virtual 'patch-cable' connecting the port to the interface in the context.

Type of Binding

• Static (hard-wired to the higher-layer protocols)
– Ignores the negotiation room (management and backbone)
• Dynamic (based on session information)
– On interfaces to subscribers
– DHCP CLIPS based on the MAC address

Static Bind

[Figure: Smart Edge Router, port eth 1/1 bound to an interface in context users]

Static binding: statically associating a circuit/port to an interface in a context.

context users
!
interface test
 ip address 1.1.1.1/24
!
port eth 2/7
 bind interface test users
!

Multi-bind Concept

[Figure: Smart Edge Router, ports eth 1/1 and eth 1/2 bound to one interface in Context A]

Multi-bind: binding multiple circuits (subscribers) on the same interface.

context users
!
interface test multi-bind
 ip address 1.1.1.1/24
!
port eth 2/7
 bind interface test users
!
port eth 2/8
 bind interface test users
!

SER Configuration for CLIPS

[Figure: CLIPS topology on the Smart Edge Router: context local with the ToBS interface towards the WiMAX BS and CPE and an interface towards the NetOp PM AAA; context Clips with the CLIPS interface (10.10.100.1/24, 192.168.1.1/24 secondary) and an interface towards the DHCP server and applications server; ports 2/3, 2/4 and 2/6; addresses shown: 192.168.1.1/24, 192.168.1.10/24, 192.168.0.1/30, 192.168.0.2/30, 192.168.3.1/24, 192.168.0.15/24; subscriber pool 10.10.100.1 to 10.10.100.10, mask 255.255.255.0, GW 10.10.100.1]

Basic SER Configuration for CLIPS (DHCP traffic flow)

[Figure, repeated over four slides: the CLIPS topology (WiMAX BS and CPE, ToBS interface, Smart Edge Router with context local and context clips on ports 2/3, 2/4 and 2/6, NetOp PM AAA, DHCP server, applications server; addresses 192.168.1.1/24, 192.168.1.10/24, 192.168.0.1/30, 192.168.0.2/30, 192.168.3.1/24, 192.168.3.2/24, 192.168.2.1/24, 192.168.0.15/24, CLIPS interface 10.10.100.1/24 with 192.168.1.1/24 secondary, subscriber pool 10.10.100.1 to 10.10.100.10, mask 255.255.255.0, GW 10.10.100.1) with the DHCP message flow overlaid]

Steps as labelled on the figure:
1. DHCP DISCOVER (MAC)
2. DHCP DISC to waiting room
2. RADIUS auth for MAC
3. RADIUS Accept (Context, QoS)
4. DHCP DISC to CLIPS context
5. DHCP DISC to DHCP server, GIA: 10.10.100.1
6. DHCP Offer
7. DHCP Offer using secondary IP
8. DHCP Offer
9. DHCP Request
9. DHCP ACK

Binding and Dynamic CLIPs

• CLIPS uses the MAC address as the username for AAA authentication
• Dynamic CLIPS uses an external AAA to learn the subscriber context information and dynamically bind the subscriber to the CLIPS interface
• A subscriber bound to a CLIPS interface means that all traffic coming from that subscriber MAC address is handled by that interface

[Figure: CLIPS port/circuit, CLIPS negotiation room, waiting room, Context A with its interface, RADIUS subscriber records, DHCP records and RADIUS accounting]

1. DHCP DISC, MAC 00:0E:22:0B:26:71
2. Request for MAC auth
3. Reply: bind to Context A
4. Binding
5. Request IP addr
6. Return offer
7. Return DHCP Offer
8. Accounting for MAC at context A
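The dynamic CLIPS flow above, as an added example (not Redback or Motorola code): a small Python model of the Smart Edge side, with the RADIUS subscriber records, CLIPS interface addresses, DHCP relay server and address pool as constructed sample values taken from the slide configuration. A DISCOVER from a MAC that RADIUS does not know stays in the waiting room and is dropped, which is the first thing to check when a CPE never gets an address.

```python
"""Added model of the dynamic CLIPS subscriber flow (not Redback/Motorola code).

RADIUS records, the DHCP pool and the server addresses are constructed
sample data following the slide configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# RADIUS subscriber records: the subscriber MAC is the RADIUS username,
# and the Access-Accept carries the target context and the QoS tier.
RADIUS_SUBSCRIBERS: Dict[str, Dict[str, str]] = {
    "00:0e:22:0b:26:71": {"context": "Res_CLIPS", "qos": "bronze"},
}

# CLIPS interface per context: the primary address is used as the DHCP
# GIADDR, the secondary address is the one the offer is sent back from.
CLIPS_INTERFACES = {
    "Res_CLIPS": {"primary": "10.10.100.1", "secondary": "192.168.1.1",
                  "dhcp_relay_server": "192.168.0.15"},
}

# DHCP server pool selected by GIADDR (10.10.100.1 itself is the gateway).
DHCP_POOLS = {"10.10.100.1": [f"10.10.100.{i}" for i in range(2, 11)]}


@dataclass
class Subscriber:
    mac: str
    state: str = "waiting_room"      # waiting_room -> bound
    context: Optional[str] = None
    qos: Optional[str] = None


def radius_authenticate(mac: str) -> Optional[Dict[str, str]]:
    """Steps 2-3: MAC-as-username lookup; None models an Access-Reject."""
    return RADIUS_SUBSCRIBERS.get(mac)


def dhcp_server_offer(giaddr: str, leases: Dict[str, str], mac: str) -> Optional[str]:
    """DHCP server side: choose a free lease from the pool matching GIADDR."""
    if mac in leases:
        return leases[mac]
    for ip in DHCP_POOLS.get(giaddr, []):
        if ip not in leases.values():
            leases[mac] = ip
            return ip
    return None


class SmartEdge:
    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}
        self.accounting: List[Dict[str, str]] = []

    def dhcp_discover(self, mac: str) -> Dict[str, Optional[str]]:
        """Step 1: a DISCOVER from the CLIPS port/circuit. An unknown MAC stays
        in the waiting room and its DISCOVER is dropped, so nothing is relayed."""
        mac = mac.lower()
        sub = self.subscribers.setdefault(mac, Subscriber(mac))
        if sub.state != "bound":
            record = radius_authenticate(mac)
            if record is None:
                return {"action": "drop", "reason": "MAC not authorised"}
            sub.context, sub.qos, sub.state = record["context"], record["qos"], "bound"
            # step 8: accounting for the MAC at the bound context
            self.accounting.append({"mac": mac, "context": sub.context, "event": "dhcp"})
        ifc = CLIPS_INTERFACES[sub.context]
        # step 5: relay the DISCOVER with GIADDR = CLIPS primary address
        return {"action": "relay", "server": ifc["dhcp_relay_server"],
                "giaddr": ifc["primary"], "context": sub.context, "qos": sub.qos}

    def dhcp_offer(self, mac: str, offered_ip: str) -> Optional[Dict[str, str]]:
        """Steps 6-8: the offer is only returned for a bound subscriber,
        and it is sent from the CLIPS secondary address."""
        sub = self.subscribers.get(mac.lower())
        if sub is None or sub.state != "bound":
            return None
        ifc = CLIPS_INTERFACES[sub.context]
        return {"yiaddr": offered_ip, "from": ifc["secondary"], "context": sub.context}


if __name__ == "__main__":
    se, leases = SmartEdge(), {}
    disc = se.dhcp_discover("00:0E:22:0B:26:71")
    ip = dhcp_server_offer(disc["giaddr"], leases, "00:0e:22:0b:26:71")
    print(disc, se.dhcp_offer("00:0e:22:0b:26:71", ip))
```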

Basic SER Configuration for CLIPS (DHCP traffic flow): local context configuration

context local
!
interface AP_MGT multibind
 ip address 192.168.1.1/24
 dhcp proxy 65535
!
aaa authentication subscriber global
aaa accounting subscriber radius
aaa reauthorization bulk global
radius accounting server 192.168.0.2 key secretkey
!
radius server 192.168.0.2 key secretkey

- Access the local context
- Add an interface leading to the RAN side
- Add an IP address for the interface; this IP address should be the default gateway of the DAP.
- Add an interface leading to the NetOp PM RADIUS server.
- Add an IP address for the interface.
- Enable AAA authentication.
- Enable AAA accounting in RADIUS.
- Enable reauthorization.
- Configure the RADIUS accounting server
- Configure the RADIUS authentication server

Basic SER Configuration for CLIPS (DHCP traffic flow): clips context configuration

context Res_CLIPS
!
interface ToApplications
 ip address 192.168.3.1/24
!
interface CLIPS multibind
 ip address 10.10.100.1/24
 ip address 192.168.1.1/24 secondary
 dhcp proxy 65535
aaa authentication subscriber global
!
!
dhcp relay server 192.168.0.15
!

- Access the clips context
- Add an interface leading to the DHCP and applications servers side
- Add an IP address for the interface.
- Add an interface to which dynamic CLIPS subscribers are bound, that provides IP addresses for subscribers.
- Enable the interface to act as a proxy between subscribers and the DHCP relay agent; set the number of IP addresses allowed on the interface to the maximum (65,535).
- Enable AAA authentication.
- Identify the location of the external DHCP relay server to which the SE relays requests.

Basic SER Configuration for CLIPS (DHCP traffic flow): global configuration

aaa global authentication subscriber radius context local
aaa global accounting subscriber radius context local
aaa global accounting reauthorization subscriber radius context local
aaa global accounting event dhcp
aaa global accounting event reauthorization
!
service multiple-contexts
!

- Configure AAA globally to use the RADIUS servers configured in the local context.
- Also configure AAA globally to use the RADIUS servers configured in the local context for reauthorization accounting.
- Enable notifying the NetOp PM system of the IP addresses that have been assigned to a subscriber session via CLIPS using DHCP.
- Enable notifying the NetOp PM system of reauthorization events.
- Configure the node to allow the creation of multiple contexts.

Basic SER Configuration for CLIPS (DHCP traffic flow): global configuration (QoS and SNMP)

qos policy bronze_qos_metering_policy metering
 rate 128 burst 100000
!
qos policy bronze_qos_policing_policy policing
 rate 128 burst 100000
!
snmp server
snmp view npm_view sysDescr included
snmp view npm_view sysName included
snmp view npm_view vacmMIBObjects included
snmp view npm_view ifType included
snmp view npm_view ifName included
snmp view npm_view ifHighSpeed included
snmp view npm_view rbnSubsClearSessionId included
snmp view npm_view rbnSubsBounceSessionId included
snmp view npm_view rbnSubsReauthRadiusID included
snmp view npm_view rbnSubsReauthSessionId included
snmp view npm_view rbnSubsClearReason included
snmp view npm_view rbnSubsActiveCircuitDescr included
snmp view npm_view rbnSubsActiveResend included
snmp view npm_view rbnSubsActiveAddr included
snmp view npm_view rbnSubsOctetsSent included
snmp view npm_view rbnSubsOctetsReceived included
snmp community npm_community all-contexts view npm_view read-write

- Define a metering policy that restricts the bandwidth of traffic being sent to the subscriber circuit to a specific tier.
- Define a policing policy that restricts the bandwidth of traffic being received from the subscriber circuit to a specific tier.
- Required. Allow the Smart Edge to accept SNMP bounce, reauth and clear messages from the NetOp PM system.
- Create a community string to permit access to Management Information Base (MIB) objects. Use the all-contexts keyword to trigger the automatic generation of community names for all managed contexts. Allow the community read-write access to the MIB objects.

Basic SER Configuration for CLIPS (DHCP traffic flow): port configuration

port ethernet 2/3
 no shutdown
 bind interface AP_MGT local
 service clips dhcp ignore-relay context local
!
port ethernet 2/4
 no shutdown
 bind interface To_CSN_VLAN local
 service clips dhcp ignore-relay context local
!

- Configure an Ethernet port leading to the RAN network; also configure the port to be operational, and bind it to the ToBS interface in the local context, with interface binding.
- Configure an Ethernet port leading to the NetOP PM server; also configure the port to be operational, and bind it to the server interface in the local context, with interface binding.
- Configure an Ethernet port leading to the DHCP/APP servers; also configure the port to be operational, and bind it to the ToApplications interface in the clips context, with interface binding.

TROUBLESHOOTING

• Show commands
– Show config
– Show port counters
– Show chassis
– Show port
– Show bind
– Show radius server
– Show radius stats
• Debug commands
– No debug all
– Debug aaa all
– Debug dhcp-relay all
– Debug clips all
• Terminal monitor
• Logging console

QoS set up in the SE-100

• A subscriber will be associated with a specific QoS
– The QoS settings are configured in the SE
– The AAA server will associate a user, based on MAC, with specific settings.
• A QoS policing policy can classify, mark, rate-limit or perform all actions on incoming packets
• A QoS metering policy can perform the same operations on outgoing packets in the egress circuit.

qos policy Silver_QOS_metering metering
 rate 512 burst 64000

qos policy Silver_QOS_policing policing
 rate 512 burst 64000

NetOP Policy Manager

NetOP Policy Manager: Service and Subscriber Management

[Figure: NetOp Policy Manager between the broadband subscriber (service portal, service selection), the SmartEdge Service Gateway, the BSS/OSS, the RADIUS or billing server (accounting, policy refresh) and the Internet]

NetOp PM acts as the primary AAA for the network and is a key element in QoS enforcement.

This equipment is responsible for:

• Controlling and enforcing policies for:
– Metering policies (time-based, duration, volume-based, class-based)
– Security policies (forward policies, policy ACL)
All these policies are controlled by the NetOp PM and enforced by the Redback router through the CLIPS features
• Maintaining a persistent store of each subscriber's services and the policies to be applied for the services.
• Proxying RADIUS authorization packets to other RADIUS servers or billing systems
• Storing accounting data
• Providing centralized authentication

Netop PM AAA

• AAA server from Redback
• Software running over the Solaris 10 OS
– For any doubt about installing Solaris software: http://www.sun.com/software/solaris/howtoguides/installationhowto.jsp
• Partition map recommendations by Redback as follows:

Partition      Description                                                  Size (GB)
/              Solaris OS and Oracle software                               14
/u02           Oracle data files                                            3
/export/home   Home directories and Oracle archive and backup directories   10
Swap space     Solaris virtual memory                                       1 x RAM

Netop PM Deployment

It comprises the following parts:

• Installing and configuring the Oracle database – Oracle 10g
• Installing and configuring the NetOP PM software components
– RADIUS server (Radiator 3-16)
– NetOP PM API
– NetOP PM Lightweight Web Portal
• Customizing the NetOP PM for the Motorola WiMAX product requirements (adding the Motorola VSAs to the NetOP)

Netop PM Installation (1)

• Install the Oracle database:
– cd /cdrom/netop_common_X
– ./netop_install.sh database
• Configure the Netop PM database:
– cd /usr/local/npm
– ./config_db.sh -small (LAB)
• Could be medium or large (production environments)
• Install the Netop PM database:
– cd /usr/local/npm/db/admin
– ./create_npm_db.sh

Netop PM Installation (2)

• Install the Netop PM components:
– cd /mnt/NetOp_commonX
– ./netop_install.sh npm
• Enable the Netop PM communications:
– cd /usr/local/npm
– ./config_npm.sh
• Install the licenses:
– ./config_licenses.sh [-file license-file]

Netop PM Components Configuration

• Configure RADIUS
– cd /usr/local/npm
– ./config_radius.sh
• Start RADIUS
– cd /usr/local/npm/radius
– ./start_radius.sh
• Configure the Netop PM API
– cd /usr/local/npm
– ./deploy_api.sh –nosecure
• Start the Netop PM API
– cd /usr/local/npm/api
– ./start_api.sh

Netop PM Components Configuration (2)

• Configure the Netop PM Lightweight Web Portal
– cd /usr/local/npm
– ./deploy_portal.sh
• Start the Netop PM Lightweight Web Portal
– cd /usr/local/npm/portal
– ./start_portal.sh
• Configure the Netop PM Service Manager
– cd /usr/local/npm/service_manager
– ./start_service_manager.sh
• Start the Netop PM Service Manager
– cd /usr/local/npm/service_manager
– ./start_service_manager.sh

Netop PM Customization for Motorola WiMAX

• Add a third-party (Motorola) device type (NAS Type)
• Add and register third-party devices (NAS Entity)
• Add the supporting RADIUS attributes to dictionary_redback.cfg and to the database
• Create the service attribute variation for WiMAX
• Configure EAP-TTLS authentication

NetOP PM Creating Service Offerings

Service offerings are the services offered to the subscriber.

An access service offering configuration is divided into three parts:
• Time/Volume Variation configuration
• Bandwidth Variation configuration
• Dynamic IP Address Variation configuration

The Time/Volume Variation consists only of parameters to configure. For the Bandwidth Variation configuration you will need to create and configure a Bandwidth Variation service attribute. For the Dynamic IP Address Variation configuration you will need to create and configure a Dynamic IP Address Variation service attribute.

NetOP PM Creating Service Offerings

There are three ways of creating service offerings:

1. Directly in the database using SQLDeveloper (not recommended)
2. Using the SOAP API (for customized portals and automated tasks)
3. Using the NetOp GUI Client (recommended for day-to-day operations)

The NetOp Client uses the NPM API

Versions for Solaris and Windows

[Screenshot slides: NetOP PM Client; NetOP Provisioning (1): Bandwidth Variation; NetOp Provisioning (3) to (15), including (4): Dynamic IP address variation and (8): Access Offering]

Foundry Switch

XMR as Aggregation Switch

The Foundry switch performs as a Layer 2 Ethernet switch in the ASN-GW. It aggregates the data traffic from the access points and provides connectivity to the CAP-C and the Router/FA.

• The XMR4000/XMR8000 supports a large number of MAC addresses, which is critical for the Motorola solution.

XMR Sample configuration (1)

Current configuration:
!
ver V3.7.0bT163
module 1 ni-xmr-20-port-1g-copper
module 2 ni-mlx-20-port-1g-100fx
!
mirror ethernet 1/20
!
no spanning-tree
!
vlan 10 name ISP1
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
!
vlan 20 name ISP2
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
!
vlan 201 name Access
 untagged ethe 1/1 to 1/2 ethe 1/17 to 1/20
 tagged ethe 1/3 to 1/12 ethe 2/1 to 2/2 ethe 2/19 to 2/20
 router-interface ve 201
!
vlan 1 name DEFAULT-VLAN
no route-only
clock summer-time
clock timezone gmt GMT+02
enable telnet password .....
enable super-user-password .....
logging console
telnet server
web-management http
web-management https
web-management enable vlan 201
ip route 0.0.0.0/0 172.16.196.1

XMR Sample configuration (2)

!
snmp-server community ..... rw
snmp-server contact Mohammad Rab
snmp-server location Motorola
hostname Mada-XMR8000
!
interface management 1
 enable
!
interface ethernet 1/1
 port-name CAPC_Primary_SC
 enable
 speed-duplex 100-full
!
interface ethernet 1/2
 port-name CAPC_Secondary_SC
 enable
 speed-duplex 100-full
…..
…...
interface ethernet 1/9
 port-name HQ_DAP
 enable
 speed-duplex 100-full
 mon ethernet 1/20 both
!
interface ve 201
 qos-tos
 ip address 172.16.196.2/22
!
End

Wholesale vs Retail Model

WiMAX Forum: NAP and NSP

[Figure: wholesale model: one NAP (ASN) connected to NSP1 (CSN1) and NSP2 (CSN2); retail model: a single NAP (ASN) connected to a single NSP (CSN)]

Wholesale Model: a single NAP shared by multiple NSPs

Retail Model: a single NSP provides access through a single NAP

NAP: Network Access Provider

NSP: Network Services Provider

Wholesale Model

• The customer is assigned a unique NAI (e.g. username@providersdomain) and password.
• Netop PM adds the NAI information to the AAA server to activate the device.
• The user configures the device with the NAI and password.
• The device executes network entry by finding, registering with and presenting credentials to the nearest AP.
• The wholesaler AP validates the device with the ISP AAA server through the EAP proxy in Netop PM
– Auto-provisioning of the end-user devices' MAC into the system
• The wholesaler B-RAS validates the MAC with the Netop PM server for the CLIPS creation process

Wholesale model set up (1)

• We will proxy EAP based on the realm attached to the username.
• 3 important tables:
– PROXY_CONFIG
– RADIUS_PROXY_SERVER
– NAS_INFO
• Outer Authentication Proxy
– The external tunnel will be anonymous
• Inner Authentication Proxy
– The internal tunnel will be proxied based on the PROXY_CONFIG table

Wholesale model set up (2.1)

• Define the realm in PROXY_CONFIG that will be forwarded
– The EAP outer identity will not be forwarded (Proxy login NO)
– The realm will be forwarded (Proxy login YES)

Wholesale model set up (2.2)

• Define in PROXY_CONFIG the service offering associated with the inner authentication realm

Wholesale model set up (3)

• Define which AAA server is responsible for that realm in RADIUS_PROXY_SERVER

Wholesale model set up (4)

• Also follow the procedure for populating the RADIUS server as a NAS in the NAS_INFO table
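The PROXY_CONFIG, RADIUS_PROXY_SERVER and NAS_INFO lookups described in steps (1) to (4), as an added example (not NetOp PM code): a Python routing decision for one Access-Request, with the three tables, the realms, the NAS address and the secrets as constructed placeholders. An unregistered NAS is dropped, an unknown realm is rejected, and only a realm marked Proxy login YES that also has a proxy server row is forwarded.

```python
"""Added model of NetOp PM realm-based RADIUS proxying (not Redback code).

PROXY_CONFIG, RADIUS_PROXY_SERVER and NAS_INFO are constructed stand-ins for
the NetOp PM tables named on the slides; hosts, realms and secrets are
placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROXY_CONFIG: Dict[str, Dict[str, object]] = {
    # Outer EAP-TTLS identity realm: Proxy login NO, terminated at NetOp PM.
    "wimax.example": {"proxy_login": False, "service_offering": None},
    # Inner identity realm: Proxy login YES, forwarded to the NSP's AAA.
    "isp1.example": {"proxy_login": True, "service_offering": "isp1_access"},
}
RADIUS_PROXY_SERVER: Dict[str, Dict[str, object]] = {
    "isp1.example": {"host": "192.0.2.10", "port": 1812, "secret": "placeholder"},
}
NAS_INFO: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"type": "Motorola-DAP", "secret": "placeholder"},
}


@dataclass(frozen=True)
class Decision:
    action: str                       # local | proxy | reject | drop
    realm: Optional[str] = None
    server: Optional[str] = None      # host:port of the NSP RADIUS server
    service_offering: Optional[str] = None
    reason: str = ""


def split_nai(identity: str) -> Tuple[str, Optional[str]]:
    """RFC 4282 NAI: the realm follows the last '@'; a bare username has none."""
    if "@" not in identity:
        return identity, None
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def route_access_request(nas_ip: str, identity: str) -> Decision:
    """Decide what NetOp PM does with an Access-Request carrying `identity`."""
    if nas_ip not in NAS_INFO:
        # RADIUS servers silently discard requests from unregistered clients
        return Decision("drop", reason="NAS not registered in NAS_INFO")
    _user, realm = split_nai(identity)
    if realm is None:
        # e.g. a CLIPS request where the MAC address is the username
        return Decision("local", reason="no realm, authenticated by NetOp PM")
    row = PROXY_CONFIG.get(realm)
    if row is None:
        return Decision("reject", realm=realm, reason="realm not in PROXY_CONFIG")
    if not row["proxy_login"]:
        return Decision("local", realm=realm,
                        service_offering=row["service_offering"],
                        reason="Proxy login NO")
    srv = RADIUS_PROXY_SERVER.get(realm)
    if srv is None:
        return Decision("reject", realm=realm,
                        reason="Proxy login YES but no RADIUS_PROXY_SERVER row")
    return Decision("proxy", realm=realm, server=f"{srv['host']}:{srv['port']}",
                    service_offering=row["service_offering"], reason="Proxy login YES")


if __name__ == "__main__":
    for ident in ("anonymous@wimax.example", "alice@isp1.example", "bob@unknown.example"):
        print(ident, route_access_request("10.0.0.5", ident))
```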

VLAN-A Feature Overview

MSS VLAN Assignment

• Example VLAN Configuration Table

Index   Name       Domain          VLAN ID
1       Default    *               926
2       Motorola   wimax.mot.com   201

– The table above shows two entries
– The domain wimax.mot.com has a VLAN ID of 201
– The default “catch all” VLAN ID is 926
• By having only the default “catch all” VLAN ID set equal to the AP VLAN ID, the VLAN-A feature can be disabled.
• The MSS VLAN ID is assigned during Network Entry
• The MSS VLAN ID is a Motorola VSA in the AAA configuration for the user, e.g. Motorola-Wimax-VLAN-Id=0x0000
• It can be configured in the AAA (EAP-TLS / EAP-TTLS) or via AP configuration at the PEMS (see “AP->Node Configurations->VLAN Configuration -> IEEE 802.1Q VLAN ID” for the list of VLAN IDs and NSPs).

MSS DHCP and ARP

• MSS VLAN ID is the same as the AP VLAN ID
– The AP performs DHCP relay for the subscriber.
• MSS VLAN ID is not equal to the AP VLAN ID
– The AP performs the DHCP broadcast on the VLAN assigned to the subscriber.
– ARPs are performed on the VLAN assigned to the subscriber.
• Can support overlapping IP addresses on different VLANs
• All bearer traffic is tagged by the AP with the subscriber VLAN on the uplink
• The core network is expected to tag all packets destined to the subscriber with the appropriate VLAN ID on the downlink.
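The VLAN assignment table and the DHCP/ARP rules above, as an added example (not Motorola code): a Python model of the MSS VLAN lookup with catch-all, the VLAN-A disable condition, the relay-versus-broadcast decision and a (VLAN, IP) session key that keeps overlapping addresses apart. The table is a constructed copy of the slide's, the AP VLAN ID is a sample value, and giving the AAA VSA precedence over the table is an assumption.

```python
"""Added model of the VLAN-A assignment rules on the slides (not Motorola code).

VLAN_TABLE is a constructed copy of the slide's VLAN Configuration Table;
AP_VLA_ID and the NAIs are sample values.
"""
from typing import Dict, List, Optional, Tuple

VLAN_TABLE: List[Dict[str, object]] = [
    {"index": 1, "name": "Default",  "domain": "*",             "vlan_id": 926},
    {"index": 2, "name": "Motorola", "domain": "wimax.mot.com", "vlan_id": 201},
]
AP_VLAN_ID = 926   # sample: equal to the catch-all entry


def nai_domain(nai: str) -> str:
    """Realm part of username@realm, lower-cased; empty when there is none."""
    return nai.rpartition("@")[2].lower() if "@" in nai else ""


def assign_mss_vlan(nai: str, aaa_vlan_vsa: Optional[int] = None,
                    table: List[Dict[str, object]] = VLAN_TABLE) -> int:
    """Assumption: a Motorola-Wimax-VLAN-Id VSA pushed by AAA wins. Otherwise
    the NAI domain is matched against the table, the '*' row being the
    catch-all; a table without a catch-all is a configuration error."""
    if aaa_vlan_vsa is not None:
        return aaa_vlan_vsa
    domain = nai_domain(nai)
    catch_all: Optional[int] = None
    for row in table:
        if row["domain"] == "*":
            catch_all = int(row["vlan_id"])
        elif row["domain"] == domain:
            return int(row["vlan_id"])
    if catch_all is None:
        raise ValueError("VLAN table has no catch-all '*' entry")
    return catch_all


def vlan_a_enabled(table: List[Dict[str, object]], ap_vlan_id: int) -> bool:
    """VLAN-A is disabled when the only entry is the catch-all and it equals
    the AP VLAN ID; any other table leaves the feature active."""
    only_catch_all = len(table) == 1 and table[0]["domain"] == "*"
    return not (only_catch_all and int(table[0]["vlan_id"]) == ap_vlan_id)


def plan_subscriber_traffic(nai: str, ap_vlan_id: int = AP_VLAN_ID,
                            aaa_vlan_vsa: Optional[int] = None) -> Dict[str, object]:
    """How the AP handles DHCP and ARP for one subscriber, and which VLAN tag
    its bearer traffic carries on the uplink."""
    vlan = assign_mss_vlan(nai, aaa_vlan_vsa)
    if vlan == ap_vlan_id:
        # slide: AP performs DHCP relay; it does not state ARP handling here
        return {"vlan": vlan, "dhcp": "relay", "arp": None, "uplink_tag": vlan}
    return {"vlan": vlan, "dhcp": "broadcast_on_subscriber_vlan",
            "arp": "subscriber_vlan", "uplink_tag": vlan}


def register_subscriber(registry: Dict[Tuple[int, str], str], nai: str, ip: str) -> bool:
    """Sessions keyed by (VLAN, IP): the same IP may exist on different VLANs,
    but a duplicate on the same VLAN is rejected."""
    key = (assign_mss_vlan(nai), ip)
    if key in registry:
        return False
    registry[key] = nai
    return True


if __name__ == "__main__":
    for nai in ("user@wimax.mot.com", "user@other.example"):
        print(nai, plan_subscriber_traffic(nai))
```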

VPN Support in WiMAX Solution

WiMAX Protocol Stack

[Figure: 802.16e Physical Layer; MAC Layer consisting of the Security Sublayer, the MAC Common Part Sublayer and the convergence sublayers: IPv4 Convergence Sublayer (the only CS supported in WMX 1.0, 2.0, 2.5, 3.0), IPv6 Convergence Sublayer and Ethernet Convergence Sublayer (candidates for future releases)]

So how do packets get relayed?

[Figure: headers at each hop from the Host to the CPE (NAPT), the AP and the SER. Host to CPE: Ethernet with source PC MAC and destination CPE MAC, carrying IP with source Host IP and destination Server IP. CPE to AP over the air: 802.16e CID carrying IP with source CPE IP and destination Server IP. AP to SER: Ethernet with source CPE MAC and destination G/W MAC, carrying IP with source CPE IP and destination Server IP]

So what does that mean?

• The lack of an ECS means that:
• The Ethernet header of packets received by the WiMAX CPE will be stripped off by the IPv4 CS before segmenting them into WiMAX blocks over the air
• So Ethernet information such as the VLAN tag and 802.1p user priority will be lost
• Only the IPv4 payload will be transported over the 802.16e air interface
• L2 VPNs (MPLS based) rely heavily on Ethernet header information and hence CANNOT be supported in a typical WiMAX deployment

And customers are interested in Layer 2 and Layer 3 VPNs

• So what to do?
• A solution is available to the rescue:
– L2TPv3 [Layer 2 Tunneling Protocol Version 3]
• WiMAX CPE (B2, JUPITER …etc) and the Redback Smart Edge support L2TPv3
• Tunnels are set up between the CPE and SER and Ethernet frames can be transported TRANSPARENTLY over the L2TPv3 tunnel – LAC –to– LNS model
• We can also do L2TPv3 between CPEs directly (the SER will merely be routing L2TPv3 IP packets) – LAC –to– LAC model
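The two cases above, the IPv4 CS discarding the Ethernet header and an L2TPv3 tunnel carrying the whole frame, as an added example (not Motorola or Redback code): it builds a constructed 802.1Q-tagged frame, shows which fields the IPv4 CS loses, and wraps the frame in an L2TPv3-over-IP data message (RFC 3931 session ID plus cookie) whose receiver drops unknown sessions or a wrong cookie. The MACs, IP addresses, VLAN, session ID and cookie are sample values, and the outer IP header (protocol 115) is not built.

```python
"""Added example (not Motorola or Redback code): what the IPv4 convergence
sublayer keeps of an Ethernet frame versus what an L2TPv3 tunnel carries.

MACs, IP addresses, VLAN, session ID and cookie are constructed sample
values; the outer IP header of the L2TPv3-over-IP packet is not built.
"""
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal IPv4 header without options; the checksum is left zero."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def build_ethernet_frame(dst_mac: str, src_mac: str, payload: bytes,
                         ethertype: int = ETHERTYPE_IPV4,
                         vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally 802.1Q tagged (TPID, then TCI = PCP | VID)."""
    header = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def parse_ethernet(frame: bytes) -> Dict[str, object]:
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "vlan_id": vlan_id, "pcp": pcp, "payload": frame[offset:]}


def ipv4_cs_sdu(frame: bytes) -> Tuple[bytes, Dict[str, object]]:
    """What the IPv4 CS hands to the 802.16e MAC: only the IP packet.
    Returns (ip_packet, lost), where lost lists the Ethernet fields that do
    not survive the air interface. A non-IPv4 frame cannot be carried at all."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("IPv4 CS carries IPv4 only; frame dropped")
    lost = {k: eth[k] for k in ("src", "dst", "vlan_id", "pcp")}
    return eth["payload"], lost


def l2tpv3_encap(frame: bytes, session_id: int, cookie: bytes) -> bytes:
    """L2TPv3-over-IP data message (RFC 3931): 32-bit Session ID, optional
    0/4/8-byte cookie, then the whole L2 frame, VLAN tag included."""
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for control messages")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + frame


def l2tpv3_decap(message: bytes, sessions: Dict[int, bytes]) -> Optional[bytes]:
    """Receiver side: an unknown session or a wrong cookie drops the frame."""
    if len(message) < 4:
        return None
    (session_id,) = struct.unpack("!I", message[:4])
    cookie = sessions.get(session_id)
    if cookie is None:
        return None
    received = message[4:4 + len(cookie)]
    if not hmac.compare_digest(received, cookie):
        return None
    return message[4 + len(cookie):]


if __name__ == "__main__":
    ip = build_ipv4_packet("10.10.100.2", "192.168.3.2", b"payload")
    frame = build_ethernet_frame("00:11:22:33:44:55", "00:0e:22:0b:26:71", ip,
                                 vlan_id=201, pcp=5)
    print("IPv4 CS loses:", ipv4_cs_sdu(frame)[1])
    cookie = bytes.fromhex("0123456789abcdef")
    inner = l2tpv3_decap(l2tpv3_encap(frame, 0x1234, cookie), {0x1234: cookie})
    print("L2TPv3 keeps VLAN:", parse_ethernet(inner)["vlan_id"])
```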

OK, let's see how it actually works – L2

[Figure: gateway for the CPE, gateway towards the tunnel termination, tunnel termination on the SER with a physical loopback and a VPLS bridge profile; subscriber traffic is carried to the VPLS L2 domain]

OK, let's see how it actually works – L3

[Figure: as for L2 (gateway for the CPE, gateway towards the tunnel termination, tunnel termination, physical loopback, VPLS bridge profile, subscriber traffic), with the CE (behind the CPE) gateway added]

Caveats

• Operational overhead for setting up and maintaining L2TPv3 tunnels
• Capacity issues: how many L2TPv3 tunnels can be supported on both the WiMAX CPE and the Redback SER

BACKUP SLIDES

EAP Authentication

[Figure: EAP roles per node: MSS = EAP Client; AP = EAP Proxy; CAPC = EAP Authenticator (pass-through) and RADIUS Client; AAA = EAP Server running the EAP Method and RADIUS Server. Protocols: PKMv2 between MSS and AP, EAP between AP and CAPC, RADIUS between CAPC and AAA]

Authentication Flow (EAP)

[Figure: message sequence between MSS, AP, CAPC and AAA (NetOp PM); a "Maximum EAP sessions" label sits at the CAPC]

1. MSS -> AP: PKMv2 EAP-START; AP -> CAPC: M_SEC_INIT_AUTH
2. CAPC -> AP: M_SEC_EAP-REQ (EAP Identity Request); AP -> MSS: PKMv2 EAP-TRANSFER
3. MSS -> AP: PKMv2 EAP-Message (EAP Identity Response); AP -> CAPC: M_SEC_EAP_RSP (Identity username@domain)
4. CAPC -> AAA: RADIUS Access Request (RFC 2865, RFC 2869); the CAPC replicates the EAP Response containing the identity of the MSS in the EAP-Message attribute (pass-through EAP-Message)
5. AAA -> CAPC: RADIUS Access Challenge (M_SEC_EAP_REQ (EAP TTLS START)); CAPC -> AP: M_SEC_EAP_REQ (EAP TTLS START); AP -> MSS: PKMv2 (EAP TTLS START)
6. EAP-TTLS tunnel establishment (TLS handshake); tunnel extended by the AP
7. EAP message exchange: EAP-TTLS MS-CHAP-v2 or another method; tunnel extended by the AP
8. AAA -> CAPC: RADIUS Access Accept (EAP Message/EAP Success, VSAs); CAPC -> AP: M_SEC_EAP_COMPLETE (EAP SUCCESS); AP -> MSS: PKMv2 (EAP SUCCESS)

NetOP manages RADIUS interaction with the Service Provider

[Figure: access network (CPE, DAP, CAP-C, NetOp PM) and service provider (ISP RADIUS); the EAP-TTLS secure data tunnel runs between the CPE and NetOp PM, with the DAP and CAP-C passing EAP through]

Message sequence as labelled on the figure:
1. DAP -> CPE: EAP-Request (Identity); CPE -> DAP: EAP-Response (Identity); DAP -> CAP-C: EAP-RESP passthrough
2. CAP-C -> NetOp PM: Radius-AUTH Request (user@isp_realm); NetOp PM -> CAP-C: Radius Challenge, EAP-REQ TTLS Start; EAP REQ passed through to the CPE
3. CPE: EAP TTLS Client Hello -> Radius-AUTH Request -> Radius Challenge, EAP-REQ TTLS Server Hello -> EAP Request passed through
4. CPE: EAP TTLS Client Key Exchange -> Radius-AUTH Request -> Radius Challenge, EAP-REQ Change Cipher Spec -> EAP Request passed through; EAP tunnel established
5. Inside the tunnel: username and MS-CHAP -> Radius AUTH Request -> NetOp PM: Radius Proxy – AUTH Request (username, MS-CHAP challenge) to the ISP RADIUS
6. ISP RADIUS -> NetOp PM: Radius Proxy – AUTH Response (MS-CHAP success) -> Radius AUTH ACK -> EAP success (MS-CHAP success) passed through to the CPE

Authentication Flow (EAP) with RADIUS Proxy

Two use cases:

1. Wholesale

2. If the customer's existing AAA does not support EAP

Network Entry Message Flows: Authentication

[Figure: message sequence between SM, DAP, CAPC and NetOP PM]

1. SM -> DAP: PKM-REQ (Initial EAP); DAP -> SM: PKM-Response (EAP ID Req.)
2. SM -> DAP: PKM-REQ; CAPC -> NetOP PM: Access Req. (username)
3. EAP-TTLS secure tunnel: NetOP PM -> CAPC: Access Challenge; DAP -> SM: PKM-Response
4. MS-CHAPv2 secure password authentication: SM -> DAP: PKM-REQ; CAPC -> NetOP PM: Access Req.; NetOP PM looks up the profile ID
5. NetOP PM -> CAPC: Access Accept; DAP -> SM: PKM-Response

NetOP PM will store the MAC address and send the MotoWMX VSAs

Network Entry Message Flows: IP Address Assignment

[Figure: message sequence between CPE, DAP, SE 400 context local, SE 400 context Users, NetOP PM and DHCP Server; addresses on the figure are labelled IP1 to IP5]

1. CPE -> DAP: DHCP Request (broadcast)
2. DAP -> SE 400 context local: DHCP Request (unicast)
3. SE 400 context local -> NetOP PM: RADIUS Access Req; NetOP PM looks up the context definition using the CPE MAC
4. NetOP PM -> SE 400: RADIUS Access Accept (VSA = context & QoS); the SE switches to the target context
5. SE 400 context Users -> DHCP Server: DHCP Request (unicast); the DHCP server looks up the IP address based on the GIA (figure label: GIA=IP4)
6. DHCP Server -> SE 400 -> DAP -> CPE: DHCP Ack carrying the offered IP address

Address labels on the figure: Source IP1, Destination IP2; Source IP2, Destination IP4, CHAddr: CPE MAC; Source IP3, Destination IP5, GIA: IP2.