4. Evolution in SP Network Architectures
• Diverged “per Service” Networks
• Converged “All in One” Networks
  – Increased revenue by decreasing the cost of managing and maintaining multiple networks
• Converged “User Centric” Networks
  – Increased overall revenue by increasing revenue per user
  – Customized services
  – Rapid deployment of new services based on market trends
  – Subscriber self subscription and self care
5. The New User Experience – Cisco ISG
Enabling the Next Wave of Broadband
• Add Subscribers: Register, Log in
• Add Services:
  – Pay As You Go! (buy credit)
  – Pay What You Use! (buy)
  – Broadband Light (buy: $19.99)
  – Broadband Basic (buy: $29.99)
  – Broadband Premium (buy: $39.99)
• Add Value:
  – Branded VoD ($4.99/movie)
  – Branded TV ($29.99)
  – Branded Phone ($15.99 + LD)
6. The elements of customization
• Identity: the subscriber is identified using multiple dimensions. Identity is gathered:
  – From multiple sources and events
  – Over the session lifecycle
• Differentiated Services: different services and rules are applied based on:
  – Who the subscriber is
  – Where he is
  – What he requires
• Dynamic Service Management: services and rules are updated based on:
  – How the subscriber behaves
  – What he requires NOW
(Diagram: the Intelligent Services Gateway holds Subscriber Sessions and Subscriber Services; session creation/authentication feeds the identity, and dynamic policy push and pull update the services)
7. Building the Identity and Assigning Services – Example
One ISG subscriber session over time; the identity fills in as events arrive and the service changes with it:
• T0 – DHCP exchange starts: MAC Addr 00:DE:34:F1:C0:28, IP Addr ?, Username ?, Service DEFAULT_SRV
• T1 – DHCP exchange completes(*): MAC Addr 00:DE:34:F1:C0:28, IP Addr 10.1.1.211, Username ?, Service DEFAULT_SRV
• T2 – Subscriber authentication(*): MAC Addr 00:DE:34:F1:C0:28, IP Addr 10.1.1.211, Username Bhavani, Service PPU_SRV
• TN – Dynamic service update: MAC Addr 00:DE:34:F1:C0:28, IP Addr 10.1.1.211, Username Bhavani, Service PREMIUM_FR_SRV
Services used in the example:
• DEFAULT_SRV: only permits management traffic through the session
• PPU_SRV (Pay Per Use service): permits all traffic; 512K/1Mbps US/DS; accounting enabled on the session
• PREMIUM_FR_SRV (Flat Rate Premium Data service): permits all traffic; 1M/8Mbps US/DS
(*) Order of operations not representative of a real call flow
8. Access Technology Abstraction
Subscriber-centric services regardless of access technology and access protocol:
• Access Technology: legacy DSL/ATM, Metro Ethernet, Wireless LAN (802.11 or 802.16), Cable
• Access Protocol: IP, PPP
(Diagram: DSL subscribers via DSLAM and ATM/Ethernet switch, cable subscribers via CMTS, and Ethernet access/distribution all terminate on the BRAS/BNG, which fronts the Walled Garden and the Open Garden)
9. PPP to IP Migration
Topology: subscribers John, Mike and Ted share the interface G0/1.10.
Key Requirements and Goals:
• Subscriber access detection
  – Requirement: there are 3 subscribers connected through G0/1.10; the subscribers are John, Mike and Ted
  – Goal: create a per-subscriber construct over a shared interface (“subscriber session”)
• Subscriber authentication and authorization
  – Requirement: John and Mike are HSI users, Ted is a VoIP user
  – Goal: uniquely establish subscriber identity and determine services and service levels per subscriber
• Subscriber address management
  – Requirement: subscriber addresses should be 10.1.1.10 (John), 10.1.1.20 (Mike), 10.1.1.30 (Ted)
  – Goal: assign a unique IP address to each subscriber based on the provider domain
10. What is ISG?
• Cisco Intelligent Services Gateway (ISG) is a licensed feature set on Cisco IOS that provides Session Management and Policy Management services to a variety of access networks
• Addresses PPPoE to IPoE migration while maintaining all subscriber management functions
• So focal that the entire device is often referred to as an Intelligent Services Gateway router or simply “The ISG”
(Diagram: a Subscriber Policy Layer of AAA Server, Policy Server, Web Portal, DHCP Server and others talks to the ISG over Open Northbound Interfaces; the ISG provides Policy Management, Subscriber Management, Identity Management and Enforcement)
12. ISG’s place in the network
• Deployed at the access or service edge, between Aggregation and Internet/Core, with AAA, Policy, Portal and DHCP servers northbound
• Communicates with other devices to control all aspects of subscriber access in the network
• Single point of contact for:
  – Subscriber Identification based on: who he is, where he is, how he behaves, what he requires
  – Subscriber Authentication: PPP CHAP/PAP, Transparent Auto Logon (TAL), Web Logon, RADIUS
  – Subscriber Services Determination and Enforcement; Dynamic Service update
  – Session Lifecycle Management: establishment, configuration and tear down
13. ISG’s Subscriber Policy Layer
• AAA Server
  – Subscriber Authentication
  – Subscriber Authorization: User and Service Profile Repository
  – Per-access and per-service accounting
  – Front-end toward the billing system
• Policy Server
  – Dynamic Policy Push (application-level trigger)
• Web Portal: front end toward the subscriber for:
  – Self subscription
  – Web logon
  – Service selection (application-level trigger)
• DHCP Server
  – Hand-over of addresses to subscribers
  – Class-based address hand-over for ISG-driven address pool selection
Note: AAA Server, Policy Server and Web Portal can co-reside in the same appliance
(Diagram: the Subscriber Policy Layer sits above the ISG, which fronts the Internet/Core, the Open Garden with Guest Portal, Video and Audio servers, and the Walled Garden)
14. ISG’s Dynamic Policy Activation
• Dynamic Policy Pull: triggered by a network-layer event (e.g. automatic service-profile download on session establishment); the ISG pulls policy from the Subscriber Policy Layer (DHCP Server, Web Portal, Policy Server, AAA Server)
• Dynamic Policy Push: triggered by an application/service-layer event (e.g. “Turbo Button”); the Subscriber Policy Layer pushes policy to the ISG
(Diagram: both models drawn against the same topology of Guest Portal, Open Garden and Walled Garden)
15. ISG’s Northbound Interfaces
• RADIUS interface, for subscriber AAA functionalities and service download (Policy PULL)
• RADIUS Extensions (RFC 3576, since superseded by RFC 5176) and XML-based (SGI(*)) open interfaces, for dynamic, administrator- or subscriber-driven session and service management functions (Policy PUSH)
(*) SGI: Services Gateway Interface
(Diagram: Subscriber Policy Layer of AAA Server, Policy Server, Web Portal and DHCP Server above the ISG, which fronts the Internet/Core, Guest Portal, Video/Audio servers, Open Garden and Walled Garden)
16. The Subscriber Session in ISG
• Construct within Cisco IOS that represents a subscriber
  – subscriber: a billable entity and/or an entity that should be authenticated/authorized
• Common context on which services are activated
• Created at the first sign of peer activity (FSOL = First Sign Of Life)
(Diagram: Subscriber 1, 2 and 3 each map to their own ISG session; the ISG fronts the Internet/Core, Guest Portal, Video/Audio servers, Open Garden and Walled Garden, with the Subscriber Policy Layer above)
17. Dynamic Session Initiation
• ISG sessions are initiated at the First Sign of Life (FSOL)
• FSOL depends on the Session Type
PPP Sessions – FSOL:
• PPP call request (LCP)
IP Sessions – FSOL (there are options):
• Unclassified MAC or IP: an IP packet (data traffic) with an unknown MAC or IP source address
  – Use MAC for L2-connected IP sessions
  – Use IP for routed IP sessions
• DHCP: DHCP Discover message
  – ISG must be the DHCP Relay or Server
• RADIUS: RADIUS Access-Request or Accounting Start
  – ISG must be a RADIUS Proxy
  – Typically used in PWLAN and WiMAX environments (wireless client → AP → ISG)
18. Session Authentication
Authentication: allow access to network resources only to recognized users.
Authentication models supported:
• Access Protocol Native Authentication:
  – PPP: CHAP/PAP
  – IP: EAP for wireless clients
  – DHCP Authentication
• Transparent Auto Logon (TAL):
  – Authenticates using subscriber-related network identifiers
  – e.g. MAC/IP address, DHCP Option 82, PPPoE Tags...
  – TAL trusts identifiers supplied by the access network, so it is only as strong as that network’s protection against spoofing of those identifiers
• Web Logon
Authentication is not mandatory on a session, but is used in most situations
19. ISG’s Subscriber Authentication – IP sessions, common scenarios
• IP + Web Logon (data traffic redirected to the Web Portal; ISG ↔ AAA Server over RADIUS; RADIUS Username: the web logon username)
  – User traffic is redirected to the Web Portal to enter credentials
  – User credentials are propagated to the ISG
  – ISG uses the credentials to authenticate the user with the AAA server
  – Applicable to all session types
• TAL: Option 82 Auth (DHCP exchange; ISG ↔ AAA Server over RADIUS; RADIUS Username: MAC/RemoteID:CircuitID)
  – Access switch inserts Option 82 Circuit ID and Remote ID in DHCP requests
  – ISG performs authentication using a combination of Circuit ID and Remote ID
  – ISG session must be DHCP initiated
• EAP Auth (wireless client ↔ AP, EAP-based auth; AP ↔ ISG ↔ AAA Server over RADIUS; RADIUS Username: the EAP username)
  – User starts EAP authentication with the Access Point (AP)
  – ISG impersonates the RADIUS server toward the AP, and the RADIUS client toward the real server
  – ISG learns the session authentication status by proxying RADIUS messages between the real RADIUS client and server
  – ISG session must be RADIUS initiated
• TAL: IP/MAC (data traffic; ISG ↔ AAA Server over RADIUS; RADIUS Username: MAC or IP)
  – ISG performs authentication using identifiers from subscriber traffic (source IP/MAC)
  – Typically used in topologies with L2-connected subscribers to support clients with static IP addresses, or in IP-routed topologies
20. Session Termination
IP and PPP sessions:
• Idle and absolute timeouts / timer expiry
• Web Logoff (Web Portal → RADIUS CoA Account-Logoff)
• RADIUS PoD (Packet Of Disconnect) from the Policy Manager
PPP sessions exclusively:
• Keepalive failure
• PPP and PPPoX protocol events (ppp disconnect; ppp keepalive or L2TP hello failure)
IP sessions exclusively:
• ICMP/ARP keepalive failure
  – ICMP keepalives are used for routed sessions
  – ARP keepalives are used for L2-connected sessions
• DHCP lease expiry or DHCP Release (DHCP-initiated sessions only)
• RADIUS Accounting Stop (RADIUS-initiated sessions only, e.g. from the AP for EAP wireless clients)
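The initiation, authentication and termination mechanisms of slides 17 to 20 (FSOL initiators on a shared interface, TAL at session start, web logon, RADIUS CoA/PoD, timers) map onto a Cisco IOS ISG control policy. The configuration below is an added example written for this page, not configuration taken from the deck. The interface and addressing (G0/1.10, 10.1.1.0/24, from slide 9), the server addresses, keys, AAA list names and timer value are assumptions, and the service policy maps DEFAULT_SRV and PPU_SRV (the names from slide 7) are assumed to be defined elsewhere on the box.

```cisco
! Added example: ISG session initiation, authentication and termination
! on Cisco IOS. Addresses, keys, list names and timers are assumptions.
aaa new-model
! TAL is an "authorize" action, web logon is an "authenticate" action
aaa authentication login WEB-AUTH group radius
aaa authorization network TAL-AUTH group radius
aaa accounting network default start-stop group radius
radius-server host 10.10.10.20 auth-port 1812 acct-port 1813 key RADIUS-SECRET
!
! RFC 3576 listener: lets the Policy Manager / Web Portal push CoA
! (account-logoff, service changes) and PoD to sessions on this ISG.
! Only the listed clients, with the matching key, are accepted.
aaa server radius dynamic-author
 client 10.10.10.30 server-key COA-SECRET
 port 1700
!
! Control class matching sessions that never authenticated before the timer fired
class-map type control match-all UNAUTH-EXPIRED
 match timer UNAUTH-TIMER
 match authen-status unauthenticated
!
policy-map type control ISG-CONTROL
 ! FSOL: try Transparent Auto Logon on the source MAC first. The RADIUS
 ! User-Name is the MAC address; the password is the fixed value given here.
 ! Whatever the outcome, the session starts in the restricted default service.
 class type control always event session-start
  10 authorize aaa list TAL-AUTH password cisco identifier mac-address
  20 service-policy type service name DEFAULT_SRV
  30 set-timer UNAUTH-TIMER 5
 ! Web logon: the portal's account-logon (RADIUS CoA) carries the
 ! credentials; on success the restricted default service is swapped out.
 class type control always event account-logon
  10 authenticate aaa list WEB-AUTH
  20 service-policy type service unapply name DEFAULT_SRV
  30 service-policy type service name PPU_SRV
 ! Termination: still-unauthenticated sessions are dropped when the timer
 ! (minutes) expires. Idle/absolute timeouts and keepalives are service features.
 class type control UNAUTH-EXPIRED event timed-policy expiry
  10 service disconnect
!
! Shared subscriber-facing interface (slide 9): several subscribers on one
! VLAN sub-interface, each getting its own session at first sign of life.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 service-policy type control ISG-CONTROL
 ip subscriber l2-connected
  initiator dhcp
  initiator unclassified mac-address
```

The two initiators cover both IP-session FSOL types from slide 17 that apply to L2-connected subscribers: a DHCP Discover creates the session (the ISG must be the relay or server for this), and a frame from an unknown MAC creates one for clients with static addresses, which is the TAL IP/MAC case of slide 19. Accept CoA only from the addresses listed under dynamic-author, since anything that can reach that port with the key can log sessions off or change their services.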
21. ISG Services
• Service: a collection of features that are applicable on a subscriber session. Service = {feat.1, feat.2, ..., feat.n}
Features by category:
• Session Administration
  – Portbundle (PBHK)
  – Keepalives: ICMP and ARP based
  – Timeouts: Idle, Absolute
• Traffic Conditioning
  – QoS: Policing, MQC
  – Security: Per-User ACLs
• Traffic Forwarding Control (associated to Primary Services)
  – Subscriber Address Assignment Control
  – Redirection: Initial, Permanent, Periodic
  – VRF assignment: Initial, Transfer
  – L2TP assignment
• Traffic Accounting
  – PostPaid
  – Prepaid: Time/Volume based
  – Tariff Switching
  – Interim
  – Broadcast
Primary Service: contains one “traffic forwarding” feature and optionally other features; only one primary service can be active on a session
22. ISG Feature Granularity
• ISG Classification resembles the Modular QoS CLI (MQC)
• IP ACLs (standard or extended) are used to create differential flows (Traffic Classes) out of the subscriber’s data: in the diagram, one ACL each selects TC1, TC2 and TC3, each with its own flow features, next to the session-level features; features are grouped in services
• Each Traffic Class can have a different set of features applied
• A Traffic Class and its associated features are also referred to as a TC service
• A Default TC can be used to drop traffic that could not be classified
23. Defining Services
Services can be defined in three places:
• AAA Server: services defined in Service Profiles, using standard and vendor-specific RADIUS attributes; on-demand download on a need basis
  1. Premium HSI service should be activated on the session; no definition is yet available
  2. RADIUS Access-Request, Username: Premium_HSI, Password: <service pwd>
  3. RADIUS Access-Accept: the features associated with the service
  4. Service activated on the session; stored in the local cache while in use by at least 1 session
• Policy Manager (supporting the SGI interface): services defined in XML; pre-download of all existing services
  1. SGI Request: the definition of all existing services is typically pre-downloaded on the box
  2. SGI Response: Premium, Standard, Basic HSI service definitions
  3. Services permanently stored in the local database
• ISG: services pre-configured using the CLI, defined as Service Policies (policy-map type service <name>); services permanently stored in the local database
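The three services of the slide-7 example (DEFAULT_SRV, PPU_SRV, PREMIUM_FR_SRV), the feature categories of slide 21 and the ACL-based traffic classes of slide 22, written as on-box service definitions (the third source above). This is an added example for this page, not the deck’s own configuration; the ACL contents, portal and DNS addresses, burst sizes, timeout values and the use of a RADIUS server group called “radius” are assumptions. The first line makes the local database the first place services are looked up and RADIUS the fallback, which is the on-demand download described in the first flow above.

```cisco
! Added example: on-box ISG service definitions for the slide-7 services.
! ACL contents, addresses, burst sizes and timeouts are assumptions.
!
! Services absent from the local database are requested from RADIUS
! (Access-Request with User-Name = service name) and cached while in use.
aaa authorization subscriber-service default local group radius
!
! Traffic-class ACLs (slide 22): classification is by IP ACL, MQC style.
ip access-list extended ACL-MGMT
 remark management traffic only: DHCP, DNS and the web portal
 permit udp any any eq bootps
 permit udp any host 10.10.10.40 eq domain
 permit tcp any host 10.10.10.30 eq www
ip access-list extended ACL-HTTP
 remark any other web traffic, to be redirected to the portal for logon
 permit tcp any any eq www
!
class-map type traffic match-any TC-MGMT
 match access-group input name ACL-MGMT
class-map type traffic match-any TC-HTTP
 match access-group input name ACL-HTTP
!
! Target of the L4 redirect (Traffic Forwarding Control: Redirection)
redirect server-group PORTAL
 server ip 10.10.10.30 port 8080
!
! DEFAULT_SRV: only management traffic passes, web traffic is redirected
! to the portal, and everything unclassified is dropped by the default TC.
policy-map type service DEFAULT_SRV
 class type traffic TC-MGMT
 class type traffic TC-HTTP
  redirect to group PORTAL
 class type traffic default in-out
  drop
!
! PPU_SRV: pay per use. All traffic permitted, 512K/1M upstream/downstream,
! accounting on the session, ARP keepalive for L2-connected subscribers.
policy-map type service PPU_SRV
 police input 512000 8000 16000
 police output 1000000 16000 32000
 timeout idle 600
 timeout absolute 86400
 keepalive idle 60 attempts 3 interval 10 protocol ARP
 class type traffic default in-out
  accounting aaa list default
!
! PREMIUM_FR_SRV: flat-rate premium data. All traffic, 1M/8M US/DS.
policy-map type service PREMIUM_FR_SRV
 police input 1000000 16000 32000
 police output 8000000 64000 128000
 timeout idle 600
 keepalive idle 60 attempts 3 interval 10 protocol ARP
```

A traffic class listed in a service without actions simply forwards matching traffic, which is how TC-MGMT lets DHCP, DNS and the portal through while the default class drops the rest; that drop is the “only permits management traffic” behaviour of DEFAULT_SRV on slide 7. The policing values are the 512K/1Mbps and 1M/8Mbps figures from the same slide, and the keepalive and timeouts are the termination triggers of slide 20 expressed as session-administration features.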
24. How Services Are Activated on a Session
• During Subscriber Authentication/Authorization
  – The subscriber is successfully authenticated by a RADIUS Access-Request/Access-Accept exchange with the AAA Server
  – The RADIUS response includes the services and features to activate on the session (from the User Profile)
• Via an External Policy Manager / Web Portal
  – A service activation request is sent by the external policy manager via a RADIUS CoA or an SGI Request message
• Via the On-Box Policy Manager
  – Events come from the administrator, from an external PM, or from the data plane
  – The Policy Plane determines what actions to take on the session based on events; actions include applying a service
  – The Control Plane ensures the actions are taken, i.e. provisions the data plane
  – The Data Plane enforces the traffic conditioning policies on the session
26. Broadband Aggregation Architecture
(Diagram: Residential, Business and Corporate subscribers enter through Access Nodes and the Aggregation Network into the Edge (BNG, ESE+BNG, MSE+BNG, LAC/LNS, and the ISG for SP-WiFi) and then the IP/MPLS Core; the Content Farm (VOD, TV, SIP) and the Mobile Core (GGSN, PDN GW, HA) hang off the core; WiFi Mesh access is also shown)
27. ASR1000 BNG/ISG
• Deployment models
  – LAC/LNS/ISG
  – Migration from legacy broadband networks – ATM & Ethernet
  – Wholesale and retail options
  – Wireline and wireless (WiFi) aggregation
  – Range of scale for small to large networks
• Subscriber Services
  – Subscriber auto provisioning
  – Dynamic service creation
  – IPv4 & IPv6-based services
• Scale
  – Sub-4K to 64K sessions
  – 5G to 40G (160G future)
  – 128K queues
  – 1RU to 13RU form-factor
• HA & ISSU
  – Stateful intra-chassis redundancy
  – In Service Software Upgrade
28. Why ASR1000 for BNG/ISG?
• Feature richness & services support: prepaid services, per-subscriber firewall, portal integration for self-provisioning, policy server solutions, services accounting within a session, integrated DPI (by mid-CY11), etc.
• IPv6 Subscriber Support:
  – Dual-stack subscribers (PPPoE now and IPoE by mid-CY11)
  – IPv6 native sessions with ISG
  – IPv6 subscribers tunneled in L2TP
• IPv4 Address Exhaust solutions:
  – NAT44 – maximum of 2M NAT sessions
  – NAT64 – stateless model now and stateful NAT64 by mid-CY11
  – 6RD – IPv6 Rapid Deployment tunneling model
• SP WiFi Aggregation:
  – LNS – aggregating the hotspots
  – ISG – managing individual subscriber authentication, services, billing, etc.
  – NAT – providing translation of private IPv4 addresses to public
• Legacy Broadband Migration options: PPPoEoA, PPPoA, RBE, LNS
• Wholesale Broadband Deployment: PW-based backhaul, RA-MPLS
• High Availability and ISSU: HA for PPP, L2TP, AAA; HA for IPoE and TCs
29. ASR1k in SP Wi-Fi – Today
(Diagram: residential WiFi APs, AP/CPE, WLC, L2 switch and AZR in the access network reach the ASR1K ISG either L2-connected, L3-connected, or over an AP/CPE L2TP tunnel via LAC/LNS; the ASR1K talks to DHCP, AAA and Portal servers and to the mobile home network policy elements HLR, OCS, PCRF and CGF over Gy, Gx and Ga, and forwards to the Internet)
Features & Scale (IOS XE 3.6S):
• IPoE sessions: DHCP-initiated, unclassified IP or MAC-address initiator, RADIUS-proxy initiator
• RADIUS CoA interface
• Per-user ACLs
• Session keep-alives, timeouts
• VRF transfer
• Port Bundle Host Key (PBHK)
• L4 redirect
• Traffic classes
• Postpaid & prepaid accounting
• Dynamic rate limiting
• LI
• Stateful inter-chassis redundancy with HSRP
• Max scale: 32k sessions with ESP40/RP2
30. SP Wi-Fi Target Architecture
(Diagram: the same access network (APs, WLC, L2 switch, AZR, AP/CPE; L2- and L3-connected) terminates on the ASR1K as IWAG, which acts as MAG/sGRE initiator toward the 4G core (PGW/LMA via LMA/sGRE aggregation) and over GTP/Gn’ toward the 3G core (GGSN); DHCP, AAA, Portal and the mobile home network policy elements HLR, OCS, PCRF and CGF are reached over Gy, Gx and Ga)
Target scale: 128k sessions
31. ASR1000 iWAG – Phase 1: IOS XE 3.8S
(Diagram: L2-connected APs and WLC reach the ASR1K IWAG, which connects to the 4G core (PGW/LMA), to the 3G core (GGSN over GTP/Gn’), to the Internet, and to DHCP, AAA, Portal and the mobile home network policy elements HLR, OCS, PCRF and CGF over Gy, Gx and Ga)
Features:
• L2 Access & AAA Policy
  1. EAP – FSOL: RADIUS Proxy/DHCP
  2. TAL – FSOL: Unclassified MAC
  3. Web Logon – FSOL: DHCP
• GGSN/LMA selection via AAA attribute
• Overlapping MNO address support with multiple SSIDs
Scale:
• 32k authenticated sessions
33. ASR 9000 System Portfolio
One Edge System to meet all of your needs
• 240G Line Cards
• From 512K to 2M MACs learned in hardware
• From 1.3M to 4M IPv4 prefixes
• From 512k to 2M IPv6 prefixes
• Hyper-Intelligent
• Video buffering for lossless multicast
• In-line video monitoring
• Integrated G.709
• SyncE / IEEE 1588-2008 PTP timing
• Tunneling services optimized

                        ASR 9001      ASR 9006            ASR 9010            ASR 9922
  Form factor           2 RU          6 slots (¼ rack)    10 slots (½ rack)   22 slots (full rack)
  LC / Chassis          2 IO slots    4 LC + 2 RSP        8 LC + 2 RSP        20 LC
  Max Bandwidth / Slot  –             440 Gb              440 Gb              1.2 Tb
  BW / Chassis          240 Gb        3.2 Tb              6.4 Tb              48 Tb

Double your system capacity by upgrading any ASR 9000 product to an ASR 9000 nV System
37. BNG and CGN NAT44 on ISM
Packet path: ingress LC → ISM → egress LC
• Inside VRF (private IPv4): subscriber session traffic is sent to the ISM through VRF mapping or ABF (AppSVI)
• ISM performs the translation and forwards the packet into the outside VRF (AppSVI)
• Outside VRF (public IPv4): the translated subscriber traffic is forwarded on the interface (VLAN) in the outside VRF
• CGN supported at full session scale
• Compliant with standard NAT behaviors: RFC4787 (UDP), RFC5382 (TCP), RFC5508 (ICMP)
38. ASR 9000 nV (Network Virtualization) Technology
Simplify operations & scale
• Simplify Operations: reduce overall TCO; integrated A-to-Z management
• Multi-dimensional Scale: system and services scale
• Increased Service Velocity: quickly deploy new services
(Diagram: an ASR 9000 “nV System” in the cloud/network, with ASR 9000v nV clients at the edge)
40. Creating an ASR 9000 Virtual System with nV Technology
Enables a self-protected, self-managed ASR 9000 virtualized system
(Diagram: two ASR 9K Series chassis (0 and 1), each with active/standby RSPs and line cards, joined by inter-chassis connections into one virtualized control and data plane; remote nodes at the aggregation and access layers appear as remote data planes; third-party services/content and the core sit above)
• Remote nodes are viewed as linecards and remote platforms are discovered automatically
• Remote nodes are provisioned by the host
• Software images for remote nodes can be upgraded automatically and features are kept in sync
• A self-managed access is created, allowing scale to be decoupled from a single platform
• The virtualized control plane, achieved via EOBC between the RSPs, provides hitless failover upon node failure
• The virtualized data plane is achieved through linecard inter-chassis connections
• A self-protected virtual chassis is created, doubling the system capacity
46. We value your feedback.
Please be sure to complete the Evaluation Form for this session.
Access today’s presentations at cisco.com/ca/plus
Follow @CiscoCanada and join the #CiscoPlusCA conversation
47. ISG’s Subscriber Identification
• ISG subscriber session: a construct in Cisco IOS that represents a subscriber; created at First Sign Of Life (FSOL)
• N:1 relationship between sessions and an interface
FSOL by session type:
• PPP Sessions: PPP call request
• IP Sessions:
  – Received packet with unknown IP or MAC source address → IP- or MAC-initiated IP session
  – DHCP Discover → DHCP-initiated IP session
  – RADIUS Request → RADIUS-initiated IP session
(Diagram: the ISG between Aggregation and Internet/Core, with AAA, Policy, Portal and DHCP servers northbound)