Broadband Remote Access Server - MMIX

Transcription

BROADBAND REMOTE ACCESS SERVER
Saw Yan Paing, CCIE #57007

Broadband Remote Access Server (BRAS)

BRAS are an essential part of broadband topologies to control subscriber access. BRAS is the access point for subscribers, through which they connect to the broadband network. When a connection is established between BNG and Customer Premise Equipment (CPE), the subscriber can access the broadband services provided by the Network Service Provider (NSP) or Internet Service Provider (ISP).

BRAS establishes and manages subscriber sessions. When a session is active, BNG aggregates traffic from various subscriber sessions from an access network and routes it to the network of the service provider.

BRAS is deployed by the service provider and is present at the first aggregation point in the network, such as the edge router.

BRAS effectively manages subscriber access and subscriber management functions such as:
- Authentication, Authorization and Accounting of subscriber sessions
- Address assignment
- Security
- Policy management
- Quality of Service (QoS)

BRAS or BNG?

BRAS (Broadband Remote Access Server) was the term used previously; it is now BNG (Broadband Network Gateway). There is no functional difference.

Tasks of BRAS/BNG
- Connecting with the Customer Premise Equipment (CPE) that needs to be served broadband services.
- Establishing subscriber sessions using IPoE or PPPoE protocols.
- Aggregating the circuits from one or more link access devices (provides aggregate capabilities for IP, PPP, ATM, etc.).
- Interacting with the AAA server that authenticates subscribers and keeps an account of subscriber sessions.
- Interacting with the DHCP server to provide IP addresses to clients.
- Enforcing quality of service (QoS) policies.
- Providing Layer 3 connectivity and routing IP traffic through the ISP backbone network to the Internet.

BNG Architecture

The goal of the BNG architecture is to enable the BNG router to interact with peripheral devices (like CPE) and servers (like AAA and DHCP), in order to provide broadband connectivity to subscribers and manage subscriber sessions.

[Diagram: BNG architecture. Subscriber devices (PC, STB, VOIP) behind the CPE connect through OLT/DSLAM and AGG to the BNG, which connects to CORE and INTERNET and to a server farm holding AAA, BSS and DHCP.]

BNG Architecture

[Diagram: BNG as an edge router. A Layer 2 connection runs from the CPE through OLT/DSLAM and AGG to the BNG, where the subscriber session terminates; the BNG connects to CORE/INTERNET and to the server farm (AAA, BSS, DHCP).]

BNG Architecture

[Diagram: BNG is not the edge router. A Layer 2 connection runs from the CPE through OLT/DSLAM to a PE router, and an L2VPN carries it across AGG/CORE to the BNG, where the subscriber session terminates; the BNG connects to INTERNET and to the server farm (AAA, BSS, DHCP).]

Establishing Subscriber Sessions

Each subscriber (or more specifically, an application running on the CPE) connects to the network by a logical session. Based on the protocol used, subscriber sessions are classified into two types:
- PPPoE subscriber session: the PPP over Ethernet (PPPoE) subscriber session is established using the Point-to-Point Protocol (PPP) that runs between the CPE and BNG.
- IPoE subscriber session: the IP over Ethernet (IPoE) subscriber session is established using the IP protocol that runs between the CPE and BNG; IP addressing is done using the DHCP protocol.

PPPoE

PPPoE was designed for managing how data is transmitted over Ethernet networks, and it allows a single server connection to be divided between multiple clients using Ethernet. As a result, multiple clients in a shared network can connect to the same server from the Internet Service Provider and get access to the internet at the same time, in parallel. To simplify, PPPoE is a modern version of the old dial-up connections, which were popular in the 80s and the 90s.

- P2P protocol over Ethernet, encapsulating PPP frames in Ethernet frames (Src MAC, Dst MAC).
- In the old days used mainly with ADSL services (most commonly PPPoE over ATM).
- Offers standard PPP features such as authentication, encryption, and compression.
- PPPoE has two distinct stages as defined in RFC 2516:
  - Discovery stage
  - PPP session stage

PPPoE Call Flow: Discovery Stage
- The discovery stage allows the PPPoE client (end-user PC / router / modem) to discover all PPPoE servers and then select one to use.
- The host must identify the MAC address of the peer and establish a PPPoE session.
- Ethertype: 0x8863

Message exchange between CPE and BNG (through the OLT/DSLAM):
1. PPPoE Active Discovery Initiation (PADI)
2. PPPoE Active Discovery Offer (PADO)
3. PPPoE Active Discovery Request (PADR)
4. PPPoE Active Discovery Session Confirm (PADS)

PPPoE Call Flow: Session Stage
- PPP normal operation (LCP, NCP (IPCP))
- Data plane: each PPPoE Session ID is attached to a virtual access interface on the BRAS/BNG
- Ethertype: 0x8864
- After the PPPoE session has been established, all messages use Ethertype 0x8864 and carry the session ID inside the PPPoE header (this applies to the PPP session stage and the data plane)

Message exchange between CPE and BNG (through the OLT/DSLAM):
Phase 2 (LCP and authentication):
- LCP Configuration Request (sent in both directions)
- LCP Configuration Ack (sent in both directions)
- CHAP/PAP Challenge
- CHAP/PAP Response
- CHAP/PAP Success
Phase 3 (IPCP):
- IPCP Configuration Request (sent in both directions)
- IPCP Configuration Ack
- IPCP Configuration NAK (containing the provided IP address)

PPPoE Call Flow: Termination and MTU
- PADT (PPPoE Active Discovery Terminate): this message can be sent by the PPPoE client or the PPPoE server to terminate the session.
- Data plane: MTU 1492

Notes:
- maximum payload size for Ethernet is 1500 octets
- PPPoE header is 6 octets
- PPP protocol ID is 2 octets
So the PPP maximum transmission unit (MTU) must not be greater than (1500 - 8) = 1492 bytes.
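The discovery and session stages above, with their Ethertypes, codes and the 1492-byte MTU limit, are easy to check in a packet capture. The following Python decoder is an added example written for this page, not part of the original slides: it builds a constructed PADI/PADO/PADR/PADS/LCP/PADT exchange (made-up MAC addresses and session id), parses each frame, and rejects frames that break the stage rules (session data on the discovery Ethertype, a non-zero SESSION_ID in PADI/PADO/PADR, a PADI not sent to broadcast) or whose PPP payload exceeds the MTU. The code values (0x09, 0x07, 0x19, 0x65, 0xA7) and PPP protocol IDs come from RFC 2516 and the PPP assigned numbers; the frame layout is the Ethernet II header plus the 6-byte PPPoE header.

```python
import struct

# Ethertypes from RFC 2516: discovery stage and session stage
ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
BROADCAST = b"\xff" * 6
# 1500 (Ethernet payload) - 6 (PPPoE header) - 2 (PPP protocol ID) = 1492
PPP_MAX_MTU = 1492

# PPPoE CODE field values (RFC 2516); 0x00 marks session-stage data
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
# PPP protocol IDs seen during the session stage
PPP_PROTOCOLS = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP", 0x0021: "IPv4"}


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def build_pppoe_frame(dst, src, ethertype, code, session_id, payload=b""):
    """Ethernet II header + 6-byte PPPoE header (VER=1, TYPE=1) + payload."""
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ethertype) + pppoe + payload


def parse_pppoe_frame(frame):
    """Decode one frame and check the invariants each stage requires.
    Raises ValueError for anything that is not a well-formed PPPoE frame."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION):
        raise ValueError(f"not PPPoE: ethertype {ethertype:#06x}")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("PPPoE VER/TYPE must be 1/1")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE LENGTH exceeds frame payload")
    if code not in PPPOE_CODES:
        raise ValueError(f"unknown PPPoE code {code:#04x}")
    info = {"src": mac_str(src), "dst": mac_str(dst), "code": PPPOE_CODES[code], "session_id": session_id}

    if ethertype == ETH_PPPOE_DISCOVERY:
        info["stage"] = "discovery"
        if code == 0x00:
            raise ValueError("session data must use ethertype 0x8864")
        # PADI/PADO/PADR carry SESSION_ID 0; PADI is broadcast by the client
        if code in (0x09, 0x07, 0x19) and session_id != 0:
            raise ValueError(f"{PPPOE_CODES[code]} must carry SESSION_ID 0")
        if code == 0x09 and dst != BROADCAST:
            raise ValueError("PADI must be sent to the broadcast address")
        # PADS assigns the session id that a later PADT names when tearing down
        if code == 0xA7 and session_id == 0:
            raise ValueError("PADT must name the session it terminates")
    else:
        info["stage"] = "session"
        if code != 0x00 or session_id == 0:
            raise ValueError("session frames need code 0 and a non-zero SESSION_ID")
        if length < 2:
            raise ValueError("missing PPP protocol ID")
        proto = struct.unpack("!H", payload[:2])[0]
        info["ppp_protocol"] = PPP_PROTOCOLS.get(proto, f"{proto:#06x}")
        # PPP payload = PPPoE payload minus the 2-byte protocol ID
        info["ppp_len"] = length - 2
        info["mtu_ok"] = info["ppp_len"] <= PPP_MAX_MTU
    return info


def trace_codes(frames):
    """Sequence of PPPoE codes in a capture, e.g. to confirm a client saw
    PADI/PADO/PADR/PADS before any session traffic."""
    return [parse_pppoe_frame(f)["code"] for f in frames]


# Constructed sample exchange (MAC addresses and session id are made up)
CPE = bytes.fromhex("020000000001")
BNG = bytes.fromhex("020000000002")
SESSION = 0x0042
SAMPLE_FRAMES = [
    build_pppoe_frame(BROADCAST, CPE, ETH_PPPOE_DISCOVERY, 0x09, 0),  # PADI
    build_pppoe_frame(CPE, BNG, ETH_PPPOE_DISCOVERY, 0x07, 0),        # PADO
    build_pppoe_frame(BNG, CPE, ETH_PPPOE_DISCOVERY, 0x19, 0),        # PADR
    build_pppoe_frame(CPE, BNG, ETH_PPPOE_DISCOVERY, 0x65, SESSION),  # PADS
    # LCP Configure-Request: protocol 0xC021, then a minimal LCP header
    build_pppoe_frame(BNG, CPE, ETH_PPPOE_SESSION, 0x00, SESSION, b"\xc0\x21" + b"\x01\x01\x00\x04"),
    build_pppoe_frame(BNG, CPE, ETH_PPPOE_DISCOVERY, 0xA7, SESSION),  # PADT
]
# A session frame whose PPP payload (1493 bytes) exceeds the 1492-byte MTU
OVERSIZED = build_pppoe_frame(BNG, CPE, ETH_PPPOE_SESSION, 0x00, SESSION, b"\x00\x21" + b"\x00" * 1493)

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_pppoe_frame(f))
    print(trace_codes(SAMPLE_FRAMES))
    print("oversized frame mtu_ok =", parse_pppoe_frame(OVERSIZED)["mtu_ok"])
```

Running the script prints the decoded frames, the code sequence PADI, PADO, PADR, PADS, SESSION, PADT, and `mtu_ok = False` for the oversized frame. The same checks applied to a live capture on the access side show whether a CPE is following the stage rules or whether something is sending session-stage traffic with a session id the BNG never assigned.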

IPoE

IPoE is essentially DHCP-triggered subscriber interfaces. Users are "authenticated" through the use of DHCPv4/v6 Option 82 inserting their Circuit-ID into their initial DHCP Discover; this identifies the physical location of the user based on the tail that they are connected to (this would be done at an aggregation switch between the xPON network and whatever backhaul gets them to their ISP of choice).

The ISP will then service the DHCP request (if the Circuit-ID can be mapped to a valid user via RADIUS), provide an IP (and hopefully prefix delegation if they're offering IPv6) and then create a logical interface representing that subscriber that they apply their filtering/rate-shaping to and start grabbing stats from.

Session lifecycle is based on DHCP lease tracking and split lease.

Authentication methods:
- DHCP Option 82
- DHCP Option 60
- VLAN encapsulation

IPoE Call Flow

The OLT/DSLAM inserts DHCP Option 82 into the subscriber's DHCP messages.

Message exchange between CPE and BNG (through the OLT/DSLAM):
1. DHCP Discover with Option 82
2. DHCP Offer
3. DHCP Request
4. DHCP Ack

IPoE does not establish a session between the endpoints, and therefore does not have a unique, permanent subscriber identifier. Therefore, the IP address must be used to identify the subscriber, and steps must be taken to ensure that the IP address assigned to a subscriber does not change, or that the network adapts as the IP address changes.
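The IPoE slides rely on the Option 82 Circuit-ID (and Option 60 vendor class) that the access node inserts into the DHCP Discover, since IPoE has no session identifier of its own. As an added example (not code from the slides), the following Python parser walks the DHCP options field of a constructed Discover, pulls out the message type, Option 60 and the Option 82 sub-options (Agent Circuit ID = 1, Agent Remote ID = 2, per RFC 3046), and returns the identity a BNG would use to look the subscriber up in RADIUS. The circuit-id string, vendor class and remote-id MAC are made-up sample values.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options field
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_VENDOR_CLASS = 60
OPT_RELAY_AGENT = 82               # Relay Agent Information, inserted by the access node
OPT_END = 255
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
# Option 82 sub-options (RFC 3046)
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def encode_tlv(code, data):
    if len(data) > 255:
        raise ValueError("option too long")
    return bytes([code, len(data)]) + data


def build_options(msg_type, vendor_class=None, circuit_id=None, remote_id=None):
    """Options field as the CPE (53, 60) and the access node (82) produce it together."""
    out = DHCP_MAGIC + encode_tlv(OPT_MESSAGE_TYPE, bytes([msg_type]))
    if vendor_class:
        out += encode_tlv(OPT_VENDOR_CLASS, vendor_class)
    subs = b""
    if circuit_id:
        subs += encode_tlv(SUB_CIRCUIT_ID, circuit_id)
    if remote_id:
        subs += encode_tlv(SUB_REMOTE_ID, remote_id)
    if subs:
        out += encode_tlv(OPT_RELAY_AGENT, subs)
    return out + bytes([OPT_END])


def parse_tlvs(data, stop_at_end=True):
    """Code/Length/Value walk shared by the options field and the Option 82 sub-options.
    Sub-options have no End marker, so the caller disables it for them."""
    out, off = {}, 0
    while off < len(data):
        code = data[off]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            off += 1
            continue
        if off + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[off + 1]
        value = data[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of buffer")
        out[code] = value
        off += 2 + length
    return out


def subscriber_identity(options):
    """What the BNG hands to RADIUS for an IPoE subscriber: the DHCP message type,
    the CPE's vendor class, and the circuit/remote id supplied by the access node."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts = parse_tlvs(options[4:])
    if OPT_MESSAGE_TYPE not in opts or len(opts[OPT_MESSAGE_TYPE]) != 1:
        raise ValueError("DHCP message type option missing or malformed")
    identity = {"message_type": MESSAGE_TYPES.get(opts[OPT_MESSAGE_TYPE][0], "OTHER"),
                "vendor_class": None, "circuit_id": None, "remote_id": None}
    if OPT_VENDOR_CLASS in opts:
        identity["vendor_class"] = opts[OPT_VENDOR_CLASS].decode("ascii", "replace")
    if OPT_RELAY_AGENT in opts:
        subs = parse_tlvs(opts[OPT_RELAY_AGENT], stop_at_end=False)
        if SUB_CIRCUIT_ID in subs:
            identity["circuit_id"] = subs[SUB_CIRCUIT_ID].decode("ascii", "replace")
        if SUB_REMOTE_ID in subs:
            identity["remote_id"] = subs[SUB_REMOTE_ID].hex()
    return identity


# Constructed samples: a Discover with Option 82 as the OLT would forward it,
# and the same Discover as it left the CPE, before Option 82 was inserted
SAMPLE_DISCOVER = build_options(1, vendor_class=b"example-cpe",
                                circuit_id=b"olt1 pon 0/1/3:vlan100",
                                remote_id=bytes.fromhex("020000000001"))
SAMPLE_WITHOUT_82 = build_options(1, vendor_class=b"example-cpe")

if __name__ == "__main__":
    print(subscriber_identity(SAMPLE_DISCOVER))
    print(subscriber_identity(SAMPLE_WITHOUT_82))
```

The second sample shows why the slides call IPoE "authentication" a matter of physical location: without the access node's Option 82 the BNG sees only what the CPE itself sent (message type and vendor class), and `circuit_id` stays `None`, so there is nothing to map to a subscriber record in RADIUS.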

PPPoE vs IPoE

Interacting with the RADIUS Server

BNG relies on an external Remote Authentication Dial-In User Service (RADIUS) server to provide subscriber Authentication, Authorization, and Accounting (AAA) functions. During the AAA process, BNG uses RADIUS to:
- authenticate a subscriber before establishing a subscriber session
- authorize the subscriber to access specific network services or resources
- track usage of broadband services for accounting or billing

The RADIUS server contains a complete database of all subscribers of a service provider, and provides subscriber data updates to the BNG in the form of attributes within RADIUS messages. BNG, on the other hand, provides session usage (accounting) information to the RADIUS server.

BNG supports connections with more than one RADIUS server to have failover redundancy in the AAA process. For example, if RADIUS server A is active, then BNG directs all messages to RADIUS server A. If the communication with RADIUS server A is lost, BNG redirects all messages to RADIUS server B.

During interactions between the BNG and RADIUS servers, BNG performs load balancing in a round-robin manner. During the load balancing process, BNG sends AAA processing requests to RADIUS server A only if it has the bandwidth to do the processing. Otherwise, the request is sent to RADIUS server B.

Interacting with the RADIUS Server: PPPoE Session

Sequence between CPE, OLT/DSLAM, BNG and AAA:
1. PPPoE exchange (PADI, PADO, PADR, PADS) between CPE and BNG
2. PPP LCP message exchange between CPE and BNG
3. Access-Request message from BNG to AAA
4. Access-Accept message from AAA to BNG (IPv4 parameter negotiation)
5. PPP IPCP message exchange between CPE and BNG
6. Accounting Start message from BNG to AAA
7. IPCP open state
IPv4 data traffic can flow through the session.

Interacting with the RADIUS Server: IPoE Session

Sequence between CPE, OLT/DSLAM, BNG and AAA:
1. DHCP Discover with Option 82 from CPE (via OLT/DSLAM) to BNG
2. Access-Request message from BNG to AAA
3. Access-Accept message from AAA to BNG
4. DHCP Offer from BNG to CPE
5. DHCP Request from CPE to BNG
6. DHCP Ack from BNG to CPE
7. Accounting Start message from BNG to AAA
IPv4 data traffic can flow through the session.

RADIUS MESSAGE TYPES
- Access-Request: authentication request from NAS to server
- Access-Challenge: request from server to NAS, asking for additional info from the user
- Access-Accept: response from server to NAS accepting the user session
- Access-Reject: response from server to NAS rejecting the user session
- Accounting-Request: the NAS sends accounting information to the server
- Accounting-Response: the server ACKs the accounting packet to the NAS

RADIUS ATTRIBUTES

Common attributes (AVP):
- User-Name
- User-Password
- NAS-IP-Address
- NAS-Port
- Service-Type
- NAS-Identifier
- Framed-Protocol
- Vendor-Specific
- Calling-Station-Id
- Called-Station-Id


RADIUS ATTRIBUTES: IETF Attributes Versus VSAs

RADIUS Internet Engineering Task Force (IETF) attributes are the original set of 255 standard attributes that are used to communicate AAA information between a client and a server. Because IETF attributes are standard, the attribute data is predefined and well known; thus all clients and servers who exchange AAA information via IETF attributes must agree on attribute data such as the exact meaning of the attributes and the general bounds of the values for each attribute.

RADIUS vendor-specific attributes (VSAs) are derived from one IETF attribute, Vendor-Specific (attribute 26). Attribute 26 allows a vendor to create an additional 255 attributes however they wish. That is, a vendor can create an attribute that does not match the data of any IETF attribute and encapsulate it behind attribute 26; thus, the newly created attribute is accepted if the user accepts attribute 26.

Value  Description                        Reference
1      User-Name                          [RFC2865]
2      User-Password                      [RFC2865]
3      CHAP-Password                      [RFC2865]
4      NAS-IP-Address                     [RFC2865]
5      NAS-Port                           [RFC2865]
6      Service-Type                       [RFC2865]
7      Framed-Protocol                    [RFC2865]
8      Framed-IP-Address                  [RFC2865]
9      Framed-IP-Netmask                  [RFC2865]
10     Framed-Routing                     [RFC2865]
11     Filter-Id                          [RFC2865]
12     (not legible in transcription)     [RFC2865]
13     Framed-Compression                 [RFC2865]
14     Login-IP-Host                      [RFC2865]
15     Login-Service                      [RFC2865]
16     Login-TCP-Port                     [RFC2865]
17     Unassigned
18     Reply-Message                      [RFC2865]
19     Callback-Number                    [RFC2865]
20     Callback-Id                        [RFC2865]
21     Unassigned
22     (not legible in transcription)     [RFC2865]
23     Framed-IPX-Network                 [RFC2865]
24     State                              [RFC2865]
25     (not legible in transcription)     [RFC2865]
26     Vendor-Specific                    [RFC2865]
27     Session-Timeout                    [RFC2865]
28     Idle-Timeout                       [RFC2865]
29     (not legible in transcription)     [RFC2865]

Vendor Specific Attribute VSA (26)

Vendor-specific information is exchanged between the network access server and the RADIUS server by using the Vendor-Specific attribute (attribute 26). Attribute 26 encapsulates vendor-specific attributes, thereby allowing vendors to support their own extended attributes otherwise not suitable for general use.

Attribute 26 contains these three elements:
- Type
- Length
- String (also known as data)

The String element in turn carries:
- Vendor-ID
- Vendor-Type
- Vendor-Length
- Vendor-Data
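To tie the RADIUS message types, the IETF attribute numbers and the attribute 26 layout above together, here is an added Python example (written for this page, not taken from the slides or any vendor's code) that encodes a constructed Access-Request as a BNG would send it for a PPPoE subscriber, encodes the Access-Accept with a Cisco (Vendor-ID 9) cisco-avpair VSA, decodes both, and verifies the Response Authenticator of the reply against the shared secret as RFC 2865 section 3 defines it (MD5 over Code, ID, Length, the request authenticator, the attributes and the secret). The shared secret, addresses, NAS name and the avpair value are made-up sample values; the packet codes for CoA and Disconnect come from RFC 5176.

```python
import hashlib
import hmac
import struct

# Packet codes: RFC 2865/2866 plus the CoA/Disconnect codes of RFC 5176
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
                40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# IETF attribute numbers used below (RFC 2865)
ATTR = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type",
        7: "Framed-Protocol", 8: "Framed-IP-Address", 26: "Vendor-Specific",
        30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier"}
VENDOR_CISCO = 9
CISCO_VSA = {1: "cisco-avpair"}
INTEGER_ATTRS = {5, 6, 7}
ADDRESS_ATTRS = {4, 8}


def attr(t, value):
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, data):
    """Attribute 26 String = Vendor-ID(4) + Vendor-Type(1) + Vendor-Length(1) + Vendor-Data."""
    return attr(26, struct.pack("!IBB", vendor_id, vendor_type, 2 + len(data)) + data)


def ipv4(s):
    return bytes(int(x) for x in s.split("."))


def build_request(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, length, request_auth, body, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def build_response(code, ident, request_auth, attrs, secret):
    body = b"".join(attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def decode_attrs(body):
    """Walk the attribute list; VSAs are unpacked into (vendor name, data) pairs."""
    out, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[off], body[off + 1]
        if length < 2 or off + length > len(body):
            raise ValueError(f"bad length {length} for attribute {t}")
        value = body[off + 2:off + length]
        if t == 26:
            if len(value) < 6:
                raise ValueError("Vendor-Specific too short")
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad Vendor-Length")
            vdata = value[6:4 + vlen]
            if vendor_id == VENDOR_CISCO:
                name = CISCO_VSA.get(vtype, f"cisco-type-{vtype}")
            else:
                name = f"vendor-{vendor_id}-type-{vtype}"
            out.append((name, vdata.decode("ascii", "replace")))
        elif t in ADDRESS_ATTRS:
            out.append((ATTR[t], ".".join(str(b) for b in value)))
        elif t in INTEGER_ATTRS:
            out.append((ATTR[t], struct.unpack("!I", value)[0]))
        else:
            out.append((ATTR.get(t, f"attr-{t}"), value.decode("ascii", "replace")))
        off += length
    return out


def parse_packet(pkt, request_auth=None, secret=None):
    """Decode a packet; when the matching request authenticator and shared secret are
    given, also verify the Response Authenticator so a forged or altered reply is rejected."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length field")
    body = pkt[20:length]
    result = {"code": RADIUS_CODES.get(code, code), "id": ident, "attrs": decode_attrs(body)}
    if request_auth is not None and secret is not None:
        expected = response_authenticator(code, ident, length, request_auth, body, secret)
        result["authentic"] = hmac.compare_digest(expected, pkt[4:20])
    return result


# Constructed sample exchange (secret, addresses, NAS name and avpair value are made up)
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))  # a real NAS fills this with 16 random bytes
ACCESS_REQUEST = build_request(1, 7, REQ_AUTH, [
    attr(1, b"user@example.net"), attr(4, ipv4("192.0.2.1")), attr(5, struct.pack("!I", 1)),
    attr(6, struct.pack("!I", 2)), attr(7, struct.pack("!I", 1)),   # Service-Type Framed, Framed-Protocol PPP
    attr(31, b"02:00:00:00:00:01"), attr(32, b"bng-1")])
ACCESS_ACCEPT = build_response(2, 7, REQ_AUTH, [
    attr(8, ipv4("198.51.100.10")),
    vsa(VENDOR_CISCO, 1, b"ip:addr-pool=example-pool")], SECRET)


def check_accept():
    return parse_packet(ACCESS_ACCEPT, REQ_AUTH, SECRET)


def check_tampered():
    # Flip one byte of Framed-IP-Address in transit: attributes still decode, authenticator fails
    tampered = bytearray(ACCESS_ACCEPT)
    tampered[25] ^= 1
    return parse_packet(bytes(tampered), REQ_AUTH, SECRET)


if __name__ == "__main__":
    print(parse_packet(ACCESS_REQUEST))
    print(check_accept())
    print(check_tampered())
```

The tampered case is the reason the BNG must keep the request authenticator of every outstanding request: the reply's attributes (here a Framed-IP-Address and a cisco-avpair) decode perfectly well either way, and only the Response Authenticator check distinguishes the server's Access-Accept from one that was altered on the path from the AAA server.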

VSA (26), Cisco: Vendor-ID 9, "cisco-avpair"


RADIUS CoA (Change of Authorization)

RADIUS Change of Authorization (RFC 3576 and RFC 5176) allows a RADIUS server to send unsolicited messages to the Network Access Server (aka Network Access Device / Authenticator, e.g. BNG) to change the connected client's authorized state.

This could mean anything from disconnecting the client to sending different attribute value pairs to the Authenticator to change the device's VLAN/ACL and more.

[Diagram: CoA message sent from AAA to the BNG; the CPE is connected to the BNG through the OLT/DSLAM.]


BNG Configuration Process
1. Configuring the RADIUS server
2. Activating the control policy
3. Establishing subscriber sessions
4. Deploying QoS
5. Configuring subscriber features
6. Verifying session establishment

Lab Session TBC
