2000259-en
8/3/2019 2000259-en
WHITE PAPER
Copyright 2009, Juniper Networks, Inc.
Do You Need a Broadband Remote Access Server?
Functionality and Trade-Offs of Using Smart DSLAMs and MSANs
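Table of Figures
Figure 1: Centralized and distributed intelligence broadband models
Figure 2: Centralized BSR supporting multiple access methods
Figure 3: Simple broadband connection using PPPoX (for Internet access) and IPoE (for IPTV)
Figure 4: MSAN per-service queuing based on 802.1p bits marked by BSR
Figure 5: Per-subscriber QoS
Figure 6: Hierarchical per-subscriber QoS
Figure 7: MCAC at BSR, based on subscriber link utilization
Figure 8: Asymmetric security in broadband network
Figure 9: Overview of Juniper Networks supporting wireline broadband networks
Table of Contents
Executive Summary
Introduction
Centralized Control
PPPoX Termination
DHCP Support
Quality of Service
Dynamic Bandwidth Management
Security
Juniper Support
Conclusion
About Juniper Networks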
Executive Summary
There are many misconceptions about the role of the DSL Forum's Broadband Network Gateway (BNG), better
known as a Broadband Remote Access Server (BRAS) or Broadband Services Router (BSR). The BSR has evolved
significantly from its original role of terminating PPPoX sessions. Proponents talk about enhanced subscriber
management capabilities, while detractors claim that all needed functions can be done by a smart Digital Subscriber
Line Access Multiplexer (DSLAM) or MSAN (Multiservice Access Node). These alternatives are shown in Figure 1.
Figure 1: Centralized and distributed intelligence broadband models
There are several functions that must be performed to successfully support broadband traffic. This paper describes
the key functions that may need to be implemented by the smart edge device, either the MSAN or the BSR.
It is not intended as a decision guide on whether to use PPPoX or IP over Ethernet (IPoE), nor to provide a tutorial on
what enhancements are required to allow DHCP to be used on a broadband network.
In addition, the intent is not to advocate that a BSR be used in the network, but rather to provide an understanding
of the functions that it typically provides. This allows you to determine whether these functions are required in your
network, and whether these functions are best provided by a centralized BSR or by distributed MSANs. Juniper
Networks supports both network implementations.
What Is an MSAN?
MSAN is a generic term for a device that aggregates xDSL, passive optical network (PON), Ethernet, plain old
telephone service (POTS) and T1 traffic from subscribers. Some operators terminate these functions in single service
MSANs, including DSLAMs, OLTs and data link controls (DLCs), while others are terminating multiple services using
a single MSAN chassis.
[Figure 1 diagram labels: MSAN, Switch, Apps; panels: Distributed (Smart MSAN) and Centralized (Broadband Services Router, BSR)]
Introduction
The BSR has evolved over time to provide a myriad of capabilities targeted at improving the service provider's ability
to control what each subscriber is doing based upon the service they have signed up for, as well as simplifying
overall network operations. Table 1 summarizes the key functions of the BSR.
FEATURE | FEATURE DESCRIPTION | BENEFIT
--- | --- | ---
Centralized control | Single point of operational control | Avoids needing to touch each MSAN to make a network change
 | Access agnostic architecture | Uses a common operational model to support all access devices, allowing you to select the lowest cost MSAN which meets your needs
 | MSAN independence | Allows operator to select lowest-cost MSAN which aggregates subscriber traffic
PPPoX termination | Establish connection-oriented sessions with keep-alives | Simplifies subscriber management
DHCP support | DHCP Relay converts broadcast to unicast | Reduces network traffic
 | DHCP Proxy tracks DHCP lease life and renews leases | Improves security by hiding address of real DHCP server; simplifies network operations by ensuring that subscriber keeps same IP address
 | RADIUS Proxy communicates with RADIUS server | Allows single subscriber database for PPPoX and DHCP subscribers; allows use of RADIUS accounting
 | DHCP Local Server | Eliminates need for separate DHCP servers
Quality of service (QoS) | Per-service marking and queuing | Provides basic application-level QoS without considering what different subscribers are doing
 | Per-subscriber | Queues and schedules traffic separately for each subscriber
 | Hierarchical queuing | Looks at various potential network bottlenecks to queue and schedule traffic independently for each subscriber
 | Multicast call admission control | Ensures video quality by allowing new multicast (IPTV) sessions only if bandwidth is available
 | Dynamic bandwidth management | Ensures subscriber satisfaction by verifying network resource availability and dynamically marking packets
Security | IP Address Tracking | Limits number of addresses which can be assigned to a subscriber, and drops traffic from other IP addresses
 | Firewall | Protects network from attack by checking traffic from subscribers
Centralized Control
Perhaps the most important motivator for deploying a BSR has nothing to do with technology, but rather with
minimizing the total cost. Using a BSR provides three key benefits:
Single point for change control: If a network change needs to occur, it is simpler to make the change at a single
BSR than at dozens, hundreds or even thousands of devices. This is a critical reason why virtually every large
broadband operator has BSRs in the network. For example, it is simpler to update a single, centrally located
security appliance than it is to push security updates to each MSAN. In addition, having a centrally located
backup security appliance allows this upgrade to occur without taking subscribers out of service.
Common access-agnostic operational model: Each MSAN has its own configuration tools, language and
capabilities, driving up costs as technicians need to learn different products. This also limits the ability to
move to newer products from different vendors, including migrating to a higher speed solution such as PON.
Implementing different features on different MSANs is also operationally expensive, as technicians must figure
out how customers are connected before resolving problems.
Figure 2: Centralized BSR supporting multiple access methods
MSAN independence: Finally, adding intelligence into the MSAN drives up the cost of every MSAN in the network.
Paying a little bit more for each MSAN often ends up costing more in the long run than deploying a BSR.
Allowing the MSAN to do what it does best, aggregating subscriber traffic, often leads to the lowest overall
cost solution. This total cost of ownership (TCO) business case is most compelling for larger operators
supporting thousands of MSANs. Smaller operators may be willing to focus on minimizing the cost benefits of
deploying BSRs and deploy smarter, more expensive MSANs instead.
[Figure 2 diagram labels: Dial Up, DSL, Cable, LMDS 802.11, Satellite (DVB), Ethernet VLAN and Leased Line (IP or L2), each with a Switch, connected to the BSR and the IP BACKBONE]
PPPoX Termination
Originally used for dial-in networks, Point-to-Point Protocol (PPP) was adopted by the DSL Forum because of its
additional important functionality. As DHCP has been enhanced to provide many of these functions, it is becoming
more common to build networks without PPP. One driving force behind this transition is the adoption of IPTV service
across broadband networks, which does not work well with PPP. Since the BSR was initially designed to terminate
PPP, the argument goes, it is no longer necessary to have one in the network.
Many new deployments, notably smaller operators, elect to implement a pure DHCP solution, so PPP termination
is rarely the motivator to deploy a new BSR. However, PPP is still widely deployed, with many established broadband
providers continuing to use PPP for new subscribers because of its benefits. Regardless of whether PPPoX is used
for Internet traffic, IPTV traffic is transmitted across a separate (non-PPPoX) connection as illustrated in Figure 3.
Figure 3: Simple broadband connection using PPPoX (for Internet access) and IPoE (for IPTV)
DHCP Support
When using DHCP, the network ideally provides several addressing capabilities:
DHCP Relay: This capability minimizes network overhead and improves security by converting DHCP
broadcasts to unicast.
DHCP Proxy: This further improves security by hiding the address of the real DHCP server, and reduces
network complexity by ensuring that each subscriber uses a single IP address.
RADIUS Proxy: This allows the DHCP Relay Agent to receive information about the subscriber's permissions
from a RADIUS server, and to track subscriber usage via RADIUS accounting.
DHCP Local Server: The DHCP Relay Agent can also serve as the DHCP server, assigning IP addresses to
subscribers upon request. This eliminates the need to have a separate server farm supporting this function.
All of these functions are supported by BSRs. It is becoming increasingly common for MSANs to implement DHCP
Relay, although DHCP Proxy and RADIUS Proxy are less frequently implemented. Only BSRs implement the Local
Server function.
[Figure 3 diagram labels: VLAN for Internet Access (PPP session carried within VLAN, Internet Traffic); VLAN for IPTV (IPTV content); devices: BSR, MSAN, DSL]
Quality of Service
Another important requirement of the broadband network is its ability to effectively manage traffic in the access
network. One approach, per-service QoS, prioritizes traffic based strictly on the priority bit settings within the packet.
In the extreme case, a few subscribers running all high-priority applications could prevent low-priority traffic from
reaching other subscribers. More realistically, the high-priority subscribers will receive more than their fair share of
the bandwidth, at the expense of other subscribers. The second approach, per-subscriber QoS, manages traffic based
on both priority bit settings and destination. This ensures that each subscriber gets a fair share of the bandwidth.
With this in mind, there are several capabilities that can be provided by the broadband network:
Per-service marking and queuing: Subscriber-bound traffic must be marked to conform to service provider
standards. For example, VoIP traffic may be marked differently than Web traffic. Individual packets may be
prioritized based on Layer 3 IP DiffServ markings or based on Layer 2 Ethernet 802.1p markings. Application
servers and gateways typically mark IP DiffServ bits, and IP routers can use these bits to prioritize traffic.
However, Layer 2 equipment such as lower-cost MSANs can only look at the Ethernet markings. Therefore, the
choices are to purchase MSANs that have the processing and memory to examine DiffServ bits, or else have
something in the network (typically a BSR) that sets the 802.1p bits based on the DiffServ settings. This is depicted in
Figure 4.
Figure 4: MSAN per-service queuing based on 802.1p bits marked by BSR
Per-subscriber QoS: Ensuring that each subscriber gets his/her fair share of bandwidth requires per-subscriber QoS
where there is a separate set of priority queues for every subscriber. This also allows the
network to deliver different types of traffic to different subscribers at the same time. Figure 5 provides a simple
example of per-subscriber queuing.
Due to the large number of queues and associated memory, per-subscriber queuing is typically provided only by
custom application-specific integrated circuits (ASICs) in BSRs.
Figure 5: Per-subscriber QoS
[Figure 4 diagram labels: BSR marking VoIP frames with 802.1p values 7 through 0; MSAN scheduler with queues for 802.1p = 7, 6; 5, 4; 3, 2; and 1, 0]
[Figure 5 diagram labels: unsorted packets for Subscriber #1 and Subscriber #2 enter the BSR; sorted packets leave per subscriber in priority order; queues for Sub. 1, Sub. 2 through Sub. N, each with IPTV, VoD, VoIP, VPN, Gaming, Web and Control]
Hierarchical queuing: A related capability is hierarchical queuing, which looks at different potential bottlenecks
before determining how to schedule traffic. For example, the MSAN or BSR can look at bandwidth utilization on
a shared PON link to ensure that this link is not oversubscribed, and to ensure that each subscriber gets their
fair share of the shared fiber connection.
In addition, the BSR can verify that bandwidth to the MSAN is available. Internet-based video, video on demand (VoD)
and HDTV are driving up bandwidth requirements to the MSAN, making this link a potential bottleneck. By controlling
traffic being sent to the MSAN, the BSR further ensures that each subscriber gets a fair share of bandwidth.
This function, depicted in Figure 6, is provided by custom ASICs in a BSR.
Figure 6: Hierarchical per-subscriber QoS
QoS continues to be an important differentiator for BSRs. Commercial chipsets used in MSANs cannot support
separate queues for each subscriber, and only the BSR can dynamically control bandwidth to each MSAN.
Dynamic Bandwidth Management
Closely related to QoS is dynamic bandwidth management: ensuring that the bandwidth is available to support a
new application, making network changes to support requests, and preventing new services that can affect existing
sessions. This last capability is call admission control and is similar to what is done in traditional voice networks.
Multicast Call Admission Control (MCAC): This capability prevents the network (MSAN or BSR) from honoring
channel change requests that would oversubscribe bandwidth to the subscriber. For example, a subscriber
may have enough bandwidth to support one SDTV and one HDTV connection. If one TV is already viewing HDTV
content, then the other TVs must be prevented from attempting to view a different HD channel.
Most often, operators avoid this situation by only limiting the number and type (SD/HD) of set-top box receivers
each subscriber can have. This is becoming a serious concern for both subscribers and operators, who often
would like to support more TVs that use the same bandwidth or choose which TV on which to view the HD
content. For these situations, MCAC is the preferred solution.
An additional complication arises as video traffic moves to a unicast model. In this case, it is more likely that the
connection to the MSAN, rather than the link to the subscriber, can be the bandwidth bottleneck. Therefore, it is
necessary to look at available bandwidth to both the MSAN and the subscriber to determine whether the request
can be honored.
[Figure 6 diagram labels: Home 1 Queues, Home 2 Queues, Business 1 Queues; Service Queues (per subscriber) for VoIP, Internet Access, VPN Service and Broadcast TV; IP Queue; IP/VLAN Node (per household); VLAN Per MSAN Scheduler (if required); Multicast Traffic (unique VLAN); GigE from BSR to DSLAM or Switch; DSLAM 1, DSLAM x, DSLAM y]
Figure 7 shows a sample calculation to decide whether a channel change request can be honored. In this
example, this function is performed by the BSR, based solely upon bandwidth to the subscriber. An analogous
calculation can check bandwidth available to the MSAN as well. Some MSANs also support multicast CAC,
although only BSRs can consider bandwidth to the MSAN when determining whether to honor the request.
Figure 7: MCAC at BSR, based on subscriber link utilization
Unicast bandwidth management: Incoming requests to establish new sessions can be checked against
criteria such as available bandwidth to determine whether the connection can be permitted. For instance, a
session border controller that cannot accept any more calls must inform the MSAN or BSR that the call cannot
be completed.
Unlike multicast IPTV, these applications each have their own control protocols. Therefore, the application
server must ask the network whether resources are available, after determining the required resources. For
example, when a subscriber requests to view VoD content, the VoD system first determines that the requested
content is 3.75 Mbps (SDTV), and then asks whether this much bandwidth is available from server to subscriber.
To accomplish this, there must be a single device that holds a complete picture of the network, including
existing bandwidth commitments. This device, architecturally called a Policy Decision Point (PDP), makes
the decision about whether new requests can be honored. In addition to informing the application, it may also
need to tell certain network elements, called Policy Enforcement Points (PEP), how to treat this traffic. For
example, once it is determined that a VoIP session can be supported, this traffic can be marked as high priority
if (and only if) the subscriber has signed up for VoIP service. Otherwise, a different policy is applied to mark it
as best efforts traffic.
Dynamic bandwidth management is recognized as an important mechanism for protecting the network and
improving revenues by controlling network access. Current MSANs do not work with PDPs (that is, do not function as
a PEP), while many BSRs do support this. An important requirement is that the PDP use standard Web services such
as Simple Object Access Protocol (SOAP) to communicate with application servers, making it as easy as possible to
support a wide range of applications.
[Figure 7 diagram labels: Subscriber on a 10 Mbps DSLAM Port; MSAN, Switch and BSR joined by 1 Gbps links; Channel 2 and Channel 318]
Group Bandwidth (bandwidth per channel)
Group | Bandwidth
--- | ---
224.1.1.2 | 2 (SD)
224.1.12.101 | 6 (HD)
224.1.12.102 | 6 (HD)
Bandwidth (per subscriber)
IGMP request | Sub | Total | Commit | Request | Total | Result
--- | --- | --- | --- | --- | --- | ---
join 224.1.1.2 | 10.10.1.3 | 10 | 0 | 2 | 2 | Approved: Total bandwidth is < 10 Mbps
join 224.1.12.101 | 10.10.1.3 | 10 | 2 | 6 | 8 | Approved: Total bandwidth is < 10 Mbps
join 224.1.12.102 | 10.10.1.3 | 10 | 8 | 6 | 14 | Denied: Total bandwidth exceeds 10 Mbps (Denial Message)
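The admission decision described for Figure 7 and for unicast requests, as an added example in Python (not code from the paper or from any Juniper product). It checks the subscriber link and the link to the MSAN for both multicast joins and unicast sessions. The class and method names, the multicast replication rule and the rule that a request which exactly fills a link is admitted are assumptions; the channel bandwidths and the 10 Mbps subscriber come from Figure 7.

```python
from dataclasses import dataclass, field

# Channel bandwidth in Mbps, from the Figure 7 sample data.
GROUP_MBPS = {"224.1.1.2": 2, "224.1.12.101": 6, "224.1.12.102": 6}


@dataclass
class Link:
    """A link with fixed capacity and a running total of commitments (Mbps)."""
    capacity: float
    committed: float = 0.0

    def fits(self, mbps):
        # Assumption: a request that exactly fills the link is still admitted.
        return self.committed + mbps <= self.capacity


@dataclass
class AdmissionController:
    """Hypothetical decision point holding commitments for one MSAN."""
    msan_uplink: Link
    subscribers: dict = field(default_factory=dict)  # subscriber IP -> Link
    joined: dict = field(default_factory=dict)       # subscriber IP -> groups
    receivers: dict = field(default_factory=dict)    # group -> subscriber count

    def add_subscriber(self, ip, mbps):
        self.subscribers[ip] = Link(mbps)
        self.joined[ip] = set()

    def igmp_join(self, ip, group):
        """Admit a channel change only if every affected link has room."""
        need, sub = GROUP_MBPS[group], self.subscribers[ip]
        if group in self.joined[ip]:
            return True, "already joined"
        if not sub.fits(need):
            return False, "denied: subscriber link"
        # Assumption: the MSAN replicates multicast, so a group that is already
        # flowing to the MSAN adds no load on the BSR-to-MSAN link.
        first = self.receivers.get(group, 0) == 0
        if first and not self.msan_uplink.fits(need):
            return False, "denied: MSAN link"
        sub.committed += need
        if first:
            self.msan_uplink.committed += need
        self.receivers[group] = self.receivers.get(group, 0) + 1
        self.joined[ip].add(group)
        return True, "approved"

    def igmp_leave(self, ip, group):
        """Release the commitments made by a previous join."""
        if group not in self.joined[ip]:
            return
        self.joined[ip].remove(group)
        self.subscribers[ip].committed -= GROUP_MBPS[group]
        self.receivers[group] -= 1
        if self.receivers[group] == 0:
            self.msan_uplink.committed -= GROUP_MBPS[group]

    def unicast_request(self, ip, mbps):
        """Admit a unicast session (e.g. VoD); it always loads both links."""
        sub = self.subscribers[ip]
        if not sub.fits(mbps):
            return False, "denied: subscriber link"
        if not self.msan_uplink.fits(mbps):
            return False, "denied: MSAN link"
        sub.committed += mbps
        self.msan_uplink.committed += mbps
        return True, "approved"


def figure7_walkthrough():
    """Replay the three joins from Figure 7 for subscriber 10.10.1.3."""
    cac = AdmissionController(msan_uplink=Link(1000))
    cac.add_subscriber("10.10.1.3", 10)
    return [cac.igmp_join("10.10.1.3", g)[1] for g in GROUP_MBPS]
```

With a small MSAN link, a third 3.75 Mbps VoD request is refused on the MSAN link even though the subscriber's own line still has room, which is the unicast bottleneck the text describes.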
Security
Protecting the application servers from attack is another fundamental network requirement.
IP Address Tracking: The network should ensure that only authorized subscribers can access the network
by dropping traffic from IP addresses that have not been assigned to this subscriber. This information can be
learned from DHCP flows. As a related capability, the network should limit the number of IP addresses that can
be assigned to a subscriber.
Firewall: Incoming traffic from subscribers can be redirected to a security appliance to protect against network
attacks. If an attack is noted, the policy enforcement node can be instructed to drop incoming packets from
a given subscriber. Generally, all traffic from all subscribers is validated, while traffic to subscribers (which
originates at trusted servers within the network) bypasses the security check. This prevents the security
appliance from being overwhelmed by IP video traffic.
Figure 8 depicts a network supporting asymmetric security. On the left, traffic from the subscriber is checked and
allowed to pass to the application server, which responds by forwarding application traffic. On the right, an attack is
detected, so the security device notifies the network to drop all traffic from this subscriber. In addition, information
about the attack will be displayed on an operator console. The application server does not see the attack.
Providing this function requires deploying a security appliance alongside the redirection engine, as well as support
for this asymmetric model. It is not cost effective to do the former, and most MSANs do not support the latter. The
most common solution is to have the MSAN itself provide some level of checking to protect against common attacks
such as Distributed Denial of Service (DDoS). The MSAN vendor provides periodic updates that the operator must
apply to each MSAN.
Figure 8: Asymmetric security in broadband network
[Figure 8 diagram labels, two panels: MSAN; BSR (Policy Enforcement Point); ISG Series (Security Appliance); SRC Policy Engine; CORE]
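The IP address tracking and asymmetric checking described in this section, as an added example in Python (not code from the paper or from any Juniper product). It models an enforcement point that learns bindings from DHCP ACKs, limits addresses per subscriber, drops upstream packets with unassigned sources, and applies a drop policy when the security appliance reports an attack. All names, the two-address limit, the 600-second lease and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

MAX_ADDRESSES = 2  # assumed per-subscriber limit; the paper gives no number


@dataclass
class EnforcementPoint:
    """Hypothetical enforcement point; subscribers are keyed by access port."""
    leases: dict = field(default_factory=dict)  # port -> {ip: expiry time}
    blocked: set = field(default_factory=set)   # ports under a drop policy

    def _live(self, port, now):
        """Return the port's bindings after discarding expired leases."""
        table = self.leases.setdefault(port, {})
        for ip in [ip for ip, expiry in table.items() if expiry <= now]:
            del table[ip]
        return table

    def dhcp_ack(self, port, ip, now, lease_seconds):
        """Learn a binding from a DHCP ACK; refuse it past the address limit."""
        table = self._live(port, now)
        if ip not in table and len(table) >= MAX_ADDRESSES:
            return False
        table[ip] = now + lease_seconds  # a renewal only extends the expiry
        return True

    def attack_reported(self, port):
        """Instruction from the security appliance: drop this subscriber."""
        self.blocked.add(port)

    def from_subscriber(self, port, src_ip, now):
        """Upstream traffic is untrusted: check policy, then source binding."""
        if port in self.blocked:
            return "drop: subscriber blocked"
        if src_ip not in self._live(port, now):
            return "drop: source not assigned to this subscriber"
        return "redirect: security appliance"

    def to_subscriber(self, port, dst_ip):
        """Downstream traffic comes from trusted servers and skips the check."""
        return "forward"


def replay(events):
    """Run (time, kind, port, ip) events and collect one verdict per event."""
    pep, out = EnforcementPoint(), []
    for now, kind, port, ip in events:
        if kind == "ack":
            out.append(pep.dhcp_ack(port, ip, now, lease_seconds=600))
        elif kind == "up":
            out.append(pep.from_subscriber(port, ip, now))
        elif kind == "down":
            out.append(pep.to_subscriber(port, ip))
        elif kind == "attack":
            pep.attack_reported(port)
            out.append("policy: drop")
    return out


# Constructed sample: port names and documentation-range addresses are made up.
SAMPLE = [
    (0, "ack", "p1", "192.0.2.10"),
    (0, "ack", "p2", "192.0.2.20"),
    (5, "up", "p1", "192.0.2.10"),     # own address
    (6, "up", "p1", "192.0.2.20"),     # address bound to another subscriber
    (7, "up", "p2", "198.51.100.9"),   # address never assigned
    (8, "ack", "p1", "192.0.2.11"),    # second address, within the limit
    (9, "ack", "p1", "192.0.2.12"),    # third address, over the limit
    (10, "attack", "p2", None),        # security appliance flags p2
    (11, "up", "p2", "192.0.2.20"),    # valid source, but subscriber blocked
    (12, "down", "p2", "192.0.2.20"),  # trusted downstream traffic
    (700, "up", "p1", "192.0.2.10"),   # lease ran out at t=600
]
```

Bindings are held per access port, so an address that is valid for one subscriber is still dropped when another subscriber uses it as a source, and an expired lease stops authorizing traffic.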
Juniper Support
As shown in Figure 9, Juniper supports a wide range of connectivity for access networks. MSANs and aggregation
switches can connect upstream to any of three Juniper Networks routers:
Ethernet aggregation switches (Juniper Networks MX Series Ethernet Services Routers)
IP routers with high Ethernet density (Juniper Networks M Series Multiservice Edge Routers)
Broadband Services Routers (Juniper Networks E Series Broadband Services Routers)
Figure 9: Overview of Juniper Networks supporting wireline broadband networks
For networks that require a BSR, Juniper Networks E Series portfolio of IP edge routing platforms is a critical element
in the control, delivery and accounting of services at the network edge. The E Series routers support DHCP and PPPoX
operational models including PPPoX termination and DHCP Proxy Relay. In addition, they shape traffic to individual
subscribers, to MSANs, and to aggregation switches. Policy enforcement is provided in conjunction with the Juniper
Networks SRC Series Session and Resource Control Modules, which provides the policy decision point function.
For networks using smart MSANs, the Juniper Networks M Series Multiservice Edge Routing portfolio and MX Series
Ethernet Services Routers (ESRs) combine best-in-class capabilities with unmatched reliability, stability, security
and service richness. These products allow providers to consolidate multiple networks into a single infrastructure
while simultaneously generating new revenues with leading-edge services. M Series Multiservice Edge Routers
support both Ethernet-based and ATM-based MSANs, while the MX Series Ethernet Services Routers establish
a new industry standard for Carrier Ethernet capacity, density and performance. The Juniper Networks MX960
Ethernet Services Router is the industry's largest-capacity Carrier Ethernet platform, with up to 960 gigabits per
second of switching and routing capacity, while the Juniper Networks MX480 and Juniper Networks MX240 Ethernet
Services Routers provide smaller capacity routers for those locations and subscriber densities where fewer ports
are required. In addition, the MX Series can serve as a smart Ethernet switch that aggregates MSAN traffic while
supporting required broadband functions such as Internet Group Management Protocol (IGMP) snooping.
[Figure 9 diagram labels: MSAN, MX Series, M Series, E Series, T Series, BSR, Head-End, Apps]
Conclusion
Each of the functions described in this paper may be provided by MSANs that use commercially available
chipsets, by MSANs that use custom ASICs or by BSRs. It's not surprising that MSANs with custom ASICs cost more
than those using commercially available chipsets but provide more functionality. Similarly, BSRs generally provide
more functionality than MSANs. Table 2 summarizes which type of platform supports each function.
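FEATURE DESCRIPTION | COMMERCIAL MSANS | ADVANCED MSANS | JUNIPER NETWORKS E SERIES BSR
--- | --- | --- | ---
Centralized Control | | |
Single point of control, access agnostic, MSAN independence | | | ✓
DHCP Support | | |
DHCP Relay | ✓ | ✓ | ✓
DHCP Proxy, DHCP RADIUS Proxy | | ✓ | ✓
DHCP Local Server | | | ✓
PPPoX | | |
PPPoX termination | | ✓ | ✓
QoS | | |
QoS per service | ✓ | ✓ | ✓
QoS per subscriber, hierarchical QoS | | | ✓
Dynamic Bandwidth Management | | |
MCAC | | ✓ | ✓
Unicast bandwidth management, policy enforcement point | | | ✓
Security | | |
IP address tracking | ✓ | ✓ | ✓
Centralized firewall | | | ✓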
BSRs have evolved from their initial role for terminating PPPoX traffic. Most importantly, they increase Average
Revenue per User (ARPU) potential by controlling network access and using bandwidth more efficiently, while
reducing operational costs. However, the initial cost of implementing a BSR may outweigh the benefits, notably for
smaller service providers with relatively few MSANs.
2000259-001-EN Feb 2009 Printed on recycled paper.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and
applications over a single network. This fuels high-performance businesses. Additional information can be found at
www.juniper.net.