Design and Implementation Guide | Peter Thornycroft | Aruba Networks Enterprise The T-Mobile HotSpot@Home UMA Service on a University or Enterprise WLAN Revision 2.0



Aruba Networks T-Mobile HotSpot@Home UMA Service on a University or Enterprise WLAN 1

1 Enterprise FMC and the T-Mobile HotSpot@Home service

In recent years the features of dual-mode devices (cellular voice and data clients with additional Wi-Fi radios) have grown increasingly sophisticated. The burgeoning capabilities of these devices have attracted the attention of IT staff at enterprises and universities with campus environments because of potential synergies with already installed wireless LANs. More specifically, the potential exists for a user to carry a single device that leverages Wi-Fi coverage where cellular reception is poor, thereby lowering telecom expenses and improving the user browsing experience because of Wi-Fi’s higher data rates.

Analysts such as ABI Research see a bright future for dual-mode Wi-Fi/cellular technology (see right). As volumes increase and the cost of adding Wi-Fi to a cellphone falls, increasing numbers of handset manufacturers are supporting Wi-Fi on a wide range of devices.

The T-Mobile HotSpot@Home service supports a range of dual-mode client devices that implement the Unlicensed Mobile Access (UMA) protocol, an ITU/3GPP standard. UMA is a form of fixed-mobile convergence (FMC) in which the phone has a single number for both cellular and Wi-Fi networks, and automatically hands over to Wi-Fi when it detects good reception from a suitable access point, returning to cellular when the device loses a usable Wi-Fi signal. UMA is one of many forms of FMC, and due to lack of integration with the PBX, is most suitable for organizations that do not rely on PBX-based 4- or 5-digit numbering plans. A companion paper, Fixed-Mobile Convergence with UMA for Enterprises, discusses different FMC architectures and their suitability for different organizations.

No other national cellular operator in the U.S. offers a comparable service, putting T-Mobile in a unique position to benefit students, schools and enterprises alike.

In this guide we discuss features required by a network engineer in order to develop reliable support for the HotSpot@Home service using an Aruba wireless LAN. Key technical considerations discussed include:

Authentication requirements;
Advertising a suitable SSID;
Implementing firewall rules;
End-to-end quality of service;
Bandwidth requirements and call admissions control;
Emergency call handling.

Before diving into the technical details, let’s examine why enterprises, and universities in particular, would find this service of interest.


1.1 Students, faculty and staff save on their personal cellular bills

Students were traditionally significant customers of universities’ telecoms groups because everyone needed fixed lines to their dorm rooms and long-distance plans. Today students favor cellphones over fixed lines, and Skype or other free VoIP services over traditional long distance services. This change represents a loss of significant revenue for universities’ telecoms groups.

A service such as HotSpot@Home offers a cost-reduction path from which students, faculty, and staff who pay their own cellular bills will benefit. Users that purchase a suitable phone and subscribe to the HotSpot@Home service for $10/month can make free local and national calls over Wi-Fi (including home access points and T-Mobile hotspots). Since these calls do not accrue towards monthly air-time minutes, this plan can yield considerable savings for garrulous users.

While the increase in voice traffic over a university’s WLAN does not directly benefit the school, it may be possible for the university to negotiate incentives with the carrier.

1.2 University employees and faculty trim the university’s budget

The section above targeted students, but all members of the university community who work on-campus but pay their own cellular bills would benefit in the same way. As noted, the benefits to the user are direct, while the university’s are indirect.

Conversely, any user whose cellular bill is paid or reimbursed by the university represents an immediate opportunity for cost savings by the telecom department. By converting that user from a standard cellphone contract to HotSpot@Home, the university can ensure that calls made and received on-campus, at a T-Mobile hotspot or at home near a HotSpot@Home-configured Wi-Fi access point are free, and do not count in the monthly usage contract.

A selection of HotSpot@Home handsets

Handset            Radio         WLAN security      QoS / power save
Samsung Katalyst   802.11b/g     WPA2-personal      WMM QoS, WMM power save
Samsung t409       802.11b/g     WPA2-personal      WMM QoS, WMM power save
BlackBerry 8820    802.11a/b/g   WPA2-enterprise    WMM QoS, WMM power save
BlackBerry Curve   802.11b/g     WPA2-enterprise    WMM QoS, WMM power save


International roaming represents a most promising opportunity for savings. If a faculty member travels internationally to another university served by a HotSpot@Home-enabled WLAN, all calls made and received when on Wi-Fi will be free, instead of incurring international roaming charges. The calls will be delivered over Wi-Fi and VoIP via the Internet to the T-Mobile UMA gateway.

1.3 Improved coverage

Beyond cost savings, an additional benefit of the HotSpot@Home service is that a university can add voice coverage in areas where cellular signals are weak, a common issue on large campuses. Previously this problem was addressed by installing additional cellular base stations, a very expensive proposition. With HotSpot@Home, coverage holes can be filled by the university’s telecom/datacom group as part of the normal WLAN build-out.

Note that it is possible to use HotSpot@Home with a standard T-Mobile SIM card installed in a HotSpot@Home handset, without subscribing to the extra $10/month HotSpot@Home ‘talk forever’ service. In this case minutes used are deducted from the subscriber’s plan in the usual way, but there is no supplementary monthly charge. This may be attractive where the desired benefit of the Wi-Fi service is improved coverage rather than cost savings.

1.4 Improved, low-cost data services

For those users who access university data services, HotSpot@Home phones can be configured to connect directly over Wi-Fi to the university LAN. This means that data services can be delivered over the WLAN instead of the cellular network, yielding higher speeds, lower latency and an opportunity to save on data plan expenses.

1.5 HotSpot@Home is for some users, but not all

The UMA FMC technology used by HotSpot@Home demonstrates characteristics that are ideal for some, but not all, users. These include:

Single (cellular) number and public dial plan. HotSpot@Home has a very straightforward architecture in which all calls are controlled by the T-Mobile core network, regardless of whether they pass over Wi-Fi or the cellular network. This means HotSpot@Home phones only use public (10-digit) numbers, and do not integrate with PBXs using 4- or 5-digit numbering plans. For instance, other FMC clients may allow the user to dial ‘6543’ to reach another employee’s desk phone directly, whereas on HotSpot@Home the caller would have to dial ‘408-345-6543’ for this destination. However, this is no different from normal cellphone usage, and for these users one benefit of HotSpot@Home is that no retraining or change in user behavior is required;

No PBX integration or PBX/UC services. HotSpot@Home can be considered an overlay communications network, an extension of the cellular network that does not touch the PBX. This means PBX features are not available on HotSpot@Home phones, whereas most PBX-attached FMC architectures support enterprise-based Unified Communications services. The features available on HotSpot@Home phones, whether on Wi-Fi or cellular connections, are the familiar features available on cellphones. HotSpot@Home emphasizes simplicity over sophistication, and in so doing avoids the extra complexity associated with PBX integration;


Telco dependency and control. This is an age-old tradeoff similar to the Centrex vs. PBX debate. Some universities may prefer to maintain control over their own communications infrastructure, as they find they can control costs, switch or mix telcos and introduce features more flexibly when they own and manage the PBX. A sizable minority, however, will find that the simplicity and lack of on-premise equipment allows them to save considerable capital and operating expenses while still offering good service to their users. Many organizations will adopt a mixed FMC environment where some users are served by HotSpot@Home, while others are a better match for alternative FMC architectures.

In summary, HotSpot@Home service is good for users who already use cellphones on the job because it is simple, reduces costs, and requires no learning or changes in user behavior. Organizations in which all calls are delivered via the PBX, especially those using advanced features such as Unified Communications, will not be good candidates for HotSpot@Home service, although certain users may benefit even in this environment. In those cases HotSpot@Home can be adopted on user-by-user basis, as there is no extra hardware to purchase or install.

2 Technical considerations when deploying HotSpot@Home in the enterprise

The following sections consider how to protect the enterprise network, and what functionality is required to deliver a satisfying user experience. The diagram below shows that HotSpot@Home handsets operate as standard cellular devices while outside Wi-Fi coverage. When a suitable WLAN is detected the handset automatically authenticates, tunnels all its signaling and media traffic over IP, and reaches the cellular core network over the Internet.

[Figure: HotSpot@Home network architecture and roaming. Wi-Fi access points and the mobility controller sit on the LAN behind the corporate firewall; from there traffic crosses the Internet to the T-Mobile Security Gateway & UNC and on to the cellular core (HLR, AuC, MSC etc). The diagram shows cellular service, cellular-to-Wi-Fi handover, Wi-Fi service with AP-to-AP handover, and Wi-Fi-to-cellular handover.]


3 Authentication requirements

HotSpot@Home handsets use UMA-specified protocols including IKE, IPSec and EAP-SIM to authenticate with the T-Mobile core network and obtain T-Mobile’s ‘dial-tone’. However, the campus WLAN manager may require devices to first authenticate with the enterprise network before proceeding to T-Mobile. All HotSpot@Home handsets are capable of this two-stage authentication; however, some only support WPA2 with pre-shared keys (PSK), while others (such as the BlackBerry 8820) can perform full WPA2-enterprise (WPA2/802.1x) authentication for WLAN access. The relevant architectures are discussed in more detail in the companion paper Fixed-Mobile Convergence with UMA for Enterprises.

3.1 ‘Inside the firewall’ access

If users require access to data services on the corporate LAN, or if the network manager wishes to restrict access to only authorized devices using the most stringent authentication, the best course of action is to configure handsets for WPA2/802.1x. In this scenario, HotSpot@Home handsets will be subject to the same security regime as other Wi-Fi devices such as notebook PCs. Authentication is based on a RADIUS server, with pre-configured credentials.

The primary benefits of this form of authentication are:

Most stringent security and access control: only specifically authorized users will be able to connect to the enterprise WLAN;

Uniform implementation: an existing SSID may be suitable, as the HotSpot@Home devices will use the same standard protocols as other devices such as notebook PCs, e.g., PEAP-MSCHAPv2 or other EAP types.

Handsets gain access directly to the corporate LAN and can use corporate data services without ‘hairpinning’ traffic back via the Internet or the T-Mobile UMA gateway. This avoids the need for VPN client usage when on Wi-Fi, and improves performance with higher data rates and lower latency. ‘Inside the firewall’ access may be understood as two-stage authentication: first to the enterprise network, and then to T-Mobile.

The drawback of this approach is that every user, and possibly every device depending on the authentication used, must be configured individually. For PEAP-MSCHAPv2 this requires that the network certificate be loaded on the phone, and userid and password configured, just as for a WLAN-connected notebook PC.

[Figure: Inside the firewall access for a HotSpot@Home handset. The handset joins the corporate SSID on a Wi-Fi access point, is authenticated by RADIUS, and reaches the LAN and then the T-Mobile gateway through the corporate firewall & NAT and the Internet: full authentication, followed by full LAN access.]

3.2 ‘Guest’ access

An alternate ‘guest’ access scenario connects users to the WLAN with relatively few obstacles, but their traffic will pass directly to the Internet, and hence to the T-Mobile UMA gateway. Within this class of access, there are a number of alternatives:

Open guest access: an SSID is provided (see next section) with no authentication requirement. This is easy to implement, but will allow any member of the public to connect to the Wi-Fi access point. Some organizations may require more stringent restrictions on access to or via their WLAN than an open SSID provides;

Open guest access backed by firewall restrictions: an open SSID as discussed above can be backed up by a firewall to ensure that the only traffic allowed via that SSID is bona fide HotSpot@Home traffic. This can be accomplished either using the integrated firewall provided in Aruba’s multi-service mobility controller, or by configuring other enterprise firewalls. See below for the required firewall rules;

Protected guest access with a Captive Portal: A Captive Portal is an intercepting Web page on which the user must enter a credential (or at the least acknowledge the conditions for access). The more sophisticated UMA handsets can be pre-configured to accomplish Captive Portal access, while simpler phones at present need some user intervention during every access attempt, which might prove impractical. Aruba’s multi-service mobility controllers offer the Captive Portal functionality, or external servers may be used.

4 Advertising a suitable SSID

HotSpot@Home phones will only connect to configured SSIDs, so the options are generally to advertise one of the pre-configured SSIDs which all HotSpot@Home phones seek, or to configure the phone with a new SSID, either locally or by pushing a configuration profile from the BlackBerry Enterprise Server.

4.1 Pre-configured SSIDs

All T-Mobile HotSpot@Home devices are pre-configured with two SSIDs, using profiles that cannot be deleted or edited by the user:

HotSpot profile. This seeks an SSID ‘tmobile’, and is aimed at T-Mobile public hotspots;

@Home profile. This seeks an SSID ‘@Home_****’, where **** can be any ASCII string.

[Figure: Outside the firewall (‘guest’) access for a HotSpot@Home handset. The access point advertises a ‘guest’ SSID alongside the corporate SSID; guest traffic passes through the mobility controller to the firewall & NAT and the Internet to reach the T-Mobile gateway, with no authentication and no access to the LAN.]

Either of these SSIDs can be implemented, though the second is probably more appropriate as it will attract only HotSpot@Home clients and not hotspot data service users. For instance, Pembroke College might set up an SSID named ‘@Home_Pembroke’. If this approach is followed, all HotSpot@Home devices will attempt to connect to this SSID without any re-configuration being necessary.

4.2 User-configured SSIDs

If the WLAN manager does not wish to advertise one of the pre-configured SSIDs, any other may be chosen. Indeed, an existing SSID for secure or guest access is suitable so long as the authentication capabilities are appropriate. All new T-Mobile BlackBerries are capable of full WPA2-enterprise security, but not all phones sold with the service are so advanced: some only support pre-shared keys.

If this scheme is chosen, HotSpot@Home users will be informed which SSID they should use, and given instructions to configure their clients. Alternately, a profile may be constructed at the enterprise’s or university’s BlackBerry Enterprise Server, and pushed to internal (not visiting) HotSpot@Home devices.


5 Implementing firewall rules

Since the HotSpot@Home service is driven from the T-Mobile core network, handsets must be able to access a T-Mobile UMA gateway in order to draw ‘dial-tone’. This means the handset must be able to authenticate, and ultimately set up an IPSec tunnel via the enterprise LAN and the Internet.

After the handset has successfully associated with the enterprise Wi-Fi network, it follows a well-defined sequence of protocols to establish this IPSec tunnel. Aruba’s integrated stateful firewall may be configured to tightly restrict any traffic originating from devices on the ‘HotSpot@Home’ SSID, ensuring it is indeed HotSpot@Home traffic. Alternately, the corporate firewall(s) at Internet portals may be configured with similar rules.

The sequence of protocols used is explained below. Note that some of the information, such as the list of IP addresses, while provided in good faith, is not guaranteed by T-Mobile and may change in the future. It is accurate to the best of our knowledge as of this writing. Note that the handset saves information to its SIM card periodically, and as a consequence may not exhibit repeatable behavior as it moves to different locations. The protocol information includes the following:

Authentication and association to the WLAN, then DHCP;

Discovery of the Provisioning Security Gateway (psgw). In some cases, such as an initial connection from a new location, the handset may need to use DNS to find the Provisioning Security Gateway and the Provisioning UNC. If this is required, DNS lookups to psgw.t-mobilesgws.com will be observed;

If the handset has already made a successful UMA connection, it will usually go straight to the previously-used IP address as stored on the SIM card. It then uses IKEv2 with UDP port 500 for an initial ISAKMP exchange, followed by UDP 4500 (the Provisioning Security Gateway’s IP address is 208.54.3.1 in the example below). At the end of this phase, the handset is redirected to a particular Serving Security Gateway (several Serving Security Gateways exist), identified by an FQDN;

The handset then uses DNS to find the address of the Serving Security Gateway, with an FQDN such as n37.w122.t-mobilesgws.com. This is resolved to the IP address of the Security Gateway used for the service. Thus far, these IP addresses have been logged: 208.54.3.1, 208.54.4.1, 208.54.6.1, 208.54.7.1, 208.54.8.1, 208.54.83.1, 208.54.84.1, 208.54.85.1, 208.54.86.1, 208.54.87.1, 208.54.88.1, 208.54.90.1;

[Figure: Discovery and registration sequence for a HotSpot@Home handset. Path: Wi-Fi access point, Wi-Fi mobility controller, LAN, firewall & NAT, Internet, then DNS, the Provisioning Security Gateway and Provisioning UNC, and finally the Serving Security Gateway and Serving UNC.
1. DNS lookup for Provisioning Security Gateway & UNC.
2. IKEv2 exchange & IPSec tunnel with Provisioning Security Gateway; FQDN of Serving Security Gateway returned.
3. DNS lookup for Serving Security Gateway.
4. Connect to Serving Security Gateway. Establish IPSec tunnel.]

IKEv2 authentication completes with the Serving Security Gateway using UDP port 500;

Subsequent traffic is within the IPSec tunnel to the Security Gateway using UDP port 4500. The handset connects through the tunnel to the Serving UNC, but this traffic is encrypted and not visible to the observer.

The following is a packet capture of an 8820 starting up and connecting to the Security Gateway. Note that following a certain stage, information is encrypted and not visible to an on-premise network analyzer.

[Figure: packet capture of a BlackBerry 8820 starting up and connecting to the Security Gateway.]


6 End-to-end quality of service (QoS)

Voice services require good quality of service: low delay and jitter, and low rates of packet errors and drops. Quality of service is a network requirement, end-to-end: overall quality suffers if any link of the call introduces impairment. The end-to-end chain for the HotSpot@Home service starts at the handset and covers the following bi-directional links:

Over the air, handset to Wi-Fi access point;
Over the LAN, access point to Internet connection across the enterprise network;
Internet path to the T-Mobile UMA gateway;
Within the T-Mobile core network;
From the T-Mobile network to the destination.

We will discuss each in turn.

6.1 Over the air QoS

The over the air link from the handset to the Wi-Fi access point is likely to be the most challenging in the overall voice connection. Wi-Fi quality is dependent on factors such as signal strength and interference, both of which can be controlled by good Wi-Fi network design practices. Aruba’s enterprise WLANs are typically deployed with access points spaced relatively closely (50-70 foot spacing) to provide continuous coverage with good signal-to-noise characteristics and automatic coverage in the event of an access point failure. The network access points also perform double duty as RF monitors to detect and mitigate interference. This allows handsets to move around the network without losing the Wi-Fi signal. Aruba’s design tools and guidelines assist in implementing good network designs.

Once the RF environment has been addressed, it is important that voice traffic transmitted over-the-air is given priority. If one client has voice traffic to transmit, and another data traffic, the former must be able to transmit when required to avoid degrading voice quality due to jitter or dropped frames.

QoS over Wi-Fi is achieved by implementing the Wi-Fi Alliance Wi-Fi Multimedia (WMM) certification. WMM uses four priority levels that map to the 8 levels defined in the 802.1d standard. Priority is set per-packet rather than per-flow, and so is similar to DiffServ rather than IntServ. The correct priority for upstream (towards the access point) traffic is WMM ‘voice,’ the highest level. Handsets must queue all voice frames as ‘voice,’ and usually signalling frames are similarly tagged. Downstream traffic (transmitted by the access point over the air) must also be queued and transmitted at ‘voice’ priority from the access point. Downstream prioritization is the responsibility of the WLAN, rather than the handset, and is implemented in all state-of-the-art enterprise WLANs.

6.2 Wired LAN QoS

Good QoS for wired LANs is required of all VoIP systems, and if the enterprise is already using an IP PBX or other VoIP system, HotSpot@Home traffic will be well-served. As above, packets are given priority according to the tags on their headers. At L2 this will be 802.1p, while at L3 an IP TOS (DSCP) tag is necessary. Performance should be good provided that the wired LAN gives priority to traffic tagged (according to 802.1d) at level 6 (voice) or 7 (network control). All modern LAN switches and routers are capable of QoS and should be configured appropriately.


6.3 Internet QoS

Once HotSpot@Home traffic leaves the enterprise or university LAN, it must traverse the Internet to the T-Mobile HotSpot@Home gateway. The public Internet is not generally priority-aware; however, given sufficient bandwidth on the access link, VoIP over the Internet can be successfully accomplished, and is now well-accepted and in everyday use. Once a link has been tested and proven, performance is likely to remain good. This is especially true of organizations with high-speed Internet access links, as congestion most often occurs on lower bandwidth connections.

6.4 QoS in the T-Mobile core network and beyond

The T-Mobile core network is, of course, properly engineered for VoIP traffic. Once the connection leaves this network, it can take many paths in the same way that a call from a cellphone traverses many networks to reach its destination.

6.5 Upstream WLAN requirements

In the upstream direction, all HotSpot@Home handsets transmit frames with WMM ‘voice’ priority, even though the frames are encapsulated in an IPSec tunnel. This ensures preferential access to the air for best QoS.

Once frames reach the Aruba WLAN access point, the 802.11 headers are stripped away but the priority tag is maintained (using a mapping defined in WMM) and checked against a ‘user priority’ field in the 802.11 header that defines the original 802.1d priority level. A matching priority tag is then attached to the outer header of the L2 or L3 tunnel carrying the frame to the Aruba multi-service mobility controller. The mapping is configured in Aruba software, but unless overridden by a firewall rule, the access point will map according to the following rule: WMM level 3 (‘voice’) = DSCP code 46 = 802.1d (802.1p) priority 6. Provided the LAN recognizes and correctly handles these tags, VoIP priority will be maintained between the Aruba access point and controller. A similar mapping is used when the frame has been decrypted in the controller and directed to the enterprise core LAN.

[Figure: Upstream QoS chain for Aruba networks carrying HotSpot@Home traffic. Path: handset, Wi-Fi access point, Wi-Fi mobility controller, LAN, corporate firewall & NAT, Internet, T-Mobile.
1. Handset transmits voice frames at WMM priority 3 (voice).
2. AP transfers voice priority to the outer envelope of the GRE/IPSec tunnel to the controller (a firewall rule can overwrite the original tag).
3. LAN must be QoS-aware for L2/L3 QoS tags.
4. Mobility controller maintains priority as it unpacks the voice packet.
5. QoS awareness should be supported as far as possible, especially on low-bandwidth access links.]

6.6 Downstream WLAN requirements

In the downstream direction, it is likely that packets will lose their QoS tags as they traverse the Internet. Therefore it is important that packets are re-tagged as soon as possible after entry to the enterprise network. This can be accomplished by a firewall using a rule that recognizes IPSec protocol from one of the source addresses identified above. Even if such a firewall is not available, the Aruba multi-service mobility controller can be configured to recognize HotSpot@Home traffic and assign it ‘voice’ priority as above.
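As an added example (not code from the Aruba guide), the following Python encodes the SSID-restriction rules of section 5 and the downstream re-marking of section 6.6 as a small policy evaluator that a network manager could run against captured flows before committing rules to a controller or firewall. The gateway addresses and DNS names come from the guide; the Flow and Verdict types, the DSCP 46 re-marking of return traffic, and the sample flows (handset 10.20.0.7, resolver 10.20.0.53) are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Security Gateway addresses the guide reports having logged (section 5).
# T-Mobile does not guarantee them, so keep them in one alias that can be
# updated in a single place.
TMOBILE_SGW = frozenset(ip_address(a) for a in (
    "208.54.3.1", "208.54.4.1", "208.54.6.1", "208.54.7.1", "208.54.8.1",
    "208.54.83.1", "208.54.84.1", "208.54.85.1", "208.54.86.1",
    "208.54.87.1", "208.54.88.1", "208.54.90.1",
))
UMA_DNS_SUFFIX = "t-mobilesgws.com"   # psgw.* and n37.w122.* resolve here
IKE_PORT, NAT_T_PORT = 500, 4500      # IKEv2/ISAKMP, then IPSec inside UDP 4500
DSCP_EF = 46                          # 'voice' marking used in section 6.5


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple plus the DNS question name when it is a query.
    A constructed model for this example, not a format from the guide."""
    src: str
    dst: str
    proto: str                      # "udp" or "tcp"
    dport: int
    sport: Optional[int] = None
    dns_qname: Optional[str] = None


@dataclass(frozen=True)
class Verdict:
    permit: bool
    reason: str
    dscp: Optional[int] = None      # DSCP to (re)apply to a permitted packet


def _is_uma_dns(flow: Flow) -> bool:
    """True only for DNS queries for names under t-mobilesgws.com."""
    if flow.proto != "udp" or flow.dport != 53 or flow.dns_qname is None:
        return False
    name = flow.dns_qname.rstrip(".").lower()
    return name == UMA_DNS_SUFFIX or name.endswith("." + UMA_DNS_SUFFIX)


def _is_sgw(addr: str) -> bool:
    """Membership test that treats an unparseable address as 'not a gateway'."""
    try:
        return ip_address(addr) in TMOBILE_SGW
    except ValueError:
        return False


def upstream_verdict(flow: Flow) -> Verdict:
    """Handset -> Internet on the HotSpot@Home SSID: DHCP, UMA DNS and
    IKE/IPSec to a known Security Gateway are the only permitted traffic."""
    if flow.proto == "udp" and flow.dport == 67:
        return Verdict(True, "dhcp")
    if flow.proto == "udp" and flow.dport == 53:
        if _is_uma_dns(flow):
            return Verdict(True, "dns for *.t-mobilesgws.com")
        return Verdict(False, "dns for a non-UMA name")
    if _is_sgw(flow.dst) and flow.proto == "udp" and flow.dport in (IKE_PORT, NAT_T_PORT):
        # Handsets already mark these frames 'voice'; keep the same mark on
        # the wired side (section 6.5).
        return Verdict(True, f"ike/ipsec to security gateway udp/{flow.dport}", DSCP_EF)
    return Verdict(False, "not HotSpot@Home traffic")


def downstream_verdict(flow: Flow) -> Verdict:
    """Internet -> handset: only gateway return traffic, re-marked as voice
    because Internet transit is assumed to have stripped the tag (section 6.6).
    DHCP and DNS replies are matched by session state and are not modelled."""
    if _is_sgw(flow.src) and flow.proto == "udp" and flow.sport in (IKE_PORT, NAT_T_PORT):
        return Verdict(True, f"return ike/ipsec from security gateway udp/{flow.sport}", DSCP_EF)
    return Verdict(False, "not return traffic from a T-Mobile security gateway")


def audit(flows):
    """Evaluate (direction, Flow) pairs and return the denied ones."""
    denied = []
    for direction, flow in flows:
        verdict = upstream_verdict(flow) if direction == "up" else downstream_verdict(flow)
        if not verdict.permit:
            denied.append((direction, flow, verdict.reason))
    return denied


# Constructed sample: the registration sequence of section 5 (handset 10.20.0.7,
# enterprise resolver 10.20.0.53) plus two flows that should never appear here.
SAMPLE = [
    ("up", Flow("10.20.0.7", "10.20.0.1", "udp", 67)),
    ("up", Flow("10.20.0.7", "10.20.0.53", "udp", 53, dns_qname="psgw.t-mobilesgws.com")),
    ("up", Flow("10.20.0.7", "208.54.3.1", "udp", 500)),
    ("up", Flow("10.20.0.7", "208.54.3.1", "udp", 4500)),
    ("up", Flow("10.20.0.7", "10.20.0.53", "udp", 53, dns_qname="n37.w122.t-mobilesgws.com")),
    ("up", Flow("10.20.0.7", "208.54.7.1", "udp", 500)),
    ("up", Flow("10.20.0.7", "208.54.7.1", "udp", 4500)),
    ("down", Flow("208.54.7.1", "10.20.0.7", "udp", 4500, sport=4500)),
    ("up", Flow("10.20.0.7", "10.20.0.53", "udp", 53, dns_qname="www.example.com")),
    ("up", Flow("10.20.0.7", "203.0.113.5", "tcp", 443)),
]

if __name__ == "__main__":
    for direction, flow, reason in audit(SAMPLE):
        print(f"DENY {direction} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Because the gateway list is not guaranteed by T-Mobile, a denied IKE/IPSec flow to an unlisted 208.54.x.1 address is the signal to re-check the list rather than to widen the rule to the whole Internet.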

7 Bandwidth requirements and call admission control

Although HotSpot@Home traffic is VoIP with the additional overhead of an IPsec tunnel, the bandwidth overhead is relatively low because the codec used is GSM AMR (selected rates from 4.75 to 12.2 kbps) rather than the more common G.711 PCM (64 kbps). Over the air, HotSpot@Home voice frames are 222 B long. They will be somewhat shorter on Ethernet due to the smaller header.

Voice frames are sent every 20 milliseconds (50 frames/sec) yielding a rate of 88.8 kbps in each direction of the call. Thus, a single HotSpot@Home call takes close to 180 kbps over the air. On Ethernet, 140 kbps per call is more typical, due to the shorter headers.

The GSM-AMR codec uses silence suppression, so if the caller is not speaking it sends only keepalive frames that consume just 52-54 bytes every 40 or 50 milliseconds. But for the purposes of LAN dimensioning, the engineer should assume constant speech, the ‘worst case’ setting.

When HotSpot@Home traffic shares LAN links with enterprise traffic, QoS tagging ensures it receives preferential treatment when competing with data frames for limited link bandwidth. Assuming the networking devices are correctly configured, voice traffic will maintain priority. That is, data frames will be delayed and dropped before voice frames if the combined voice and data traffic load exceeds the link capacity.

[Figure: Downstream QoS chain for Aruba networks carrying HotSpot@Home traffic. Path: T-Mobile > Internet > corporate firewall & NAT > Wi-Fi mobility controller > LAN > Wi-Fi access point > handset (Wi-Fi)]

1. It must be assumed that packets received from the Internet are not priority-tagged.
2. Firewall rules in the mobility controller identify UMA traffic and tag packets with 'voice' priority on the outside of the GRE/IPsec tunnel to the AP.
3. LAN must be QoS-aware for L2 and L3 QoS tags.
4. AP transfers the voice priority to WMM 'voice' priority, then queues and transmits with that priority.
5. Handset receives the frame.



7.1 Call admission control

As discussed above, voice in the presence of data will always gain priority in a QoS-enabled network, both over the air and over the wire. However, network engineers should consider the maximum expected voice loading, both per-AP and per-link on the wired LAN, to ensure that voice traffic in total will not overload any given link.

The calculations above indicate that each over-the-air HotSpot@Home voice connection will consume 180 kbps. This is less than for most Wi-Fi handsets using the G.711 codec, which has a raw rate of 64 kbps, and after overhead requires about 240 kbps per connection. There are many considerations when estimating maximum call limits, but for this traffic each access point (assuming it is working at 802.11a or 802.11g rates) can support 20 to 25 calls. Therefore the network designer should ensure that there is little likelihood of exceeding 20 simultaneous active calls (as opposed to handsets in the region of the AP) because there is currently no accurate call admissions control (CAC) mechanism for UMA traffic.

Note that the estimate of 20+ calls per access point is an extremely high figure for a wireless LAN deployment scenario: it is challenging to gather 60-80 people in a single access point’s area, in order to generate 20+ active calls. Adding access points to load-balance in areas with very high voice traffic is the best way to mitigate access point loading, so crowded halls are usually served by several access points. Aruba’s load-balancing algorithm moves handsets and other clients to adjacent access points with available capacity as traffic rises.

It may also be helpful to set a bandwidth contract for each access point for IPsec traffic in Aruba software. This mechanism allows the network engineer to guarantee a minimum or maximum bandwidth for the total traffic in a certain category, in this case traffic using the IPsec protocol. As long as the traffic is within its limit, it is given as much bandwidth as it needs; if it exceeds its contract it is buffered and throttled to that rate. Thus bandwidth contracts can be used either to place a per-access point ceiling on HotSpot@Home traffic, or to place a ceiling on all other traffic, so guaranteeing a minimum bandwidth for HotSpot@Home.
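The per-call rates in section 7 and the per-AP ceiling and bandwidth contract sizing in section 7.1 can be checked with a short dimensioning script. The following is an added worked example in Python, not code from the guide: the 222-byte air frame, the 20 ms frame interval, the 52-54 byte silence frames and the 20-call ceiling are the guide's figures; the 175-byte Ethernet frame is an assumption chosen because it reproduces the guide's ~140 kbps per Ethernet call; and the link capacity and voice share passed to max_calls_on_link are constructed design inputs.

```python
"""Bandwidth and call-ceiling arithmetic for HotSpot@Home (UMA) voice.

Added worked example, not code from the guide. Frame sizes, intervals and
the 20-call ceiling are the guide's figures; ETH_FRAME_BYTES is an
assumption that reproduces its ~140 kbps per Ethernet call.
"""
from math import floor

FRAME_INTERVAL_MS = 20      # one AMR voice frame every 20 ms = 50 frames/s
AIR_FRAME_BYTES = 222       # UMA voice frame over the air (guide)
ETH_FRAME_BYTES = 175       # assumption: smaller Ethernet header, ~140 kbps/call
SILENCE_FRAME_BYTES = 54    # frame sent during silence suppression (guide: 52-54 B)
SILENCE_INTERVAL_MS = 40    # guide: every 40 or 50 ms
CALLS_PER_AP_CEILING = 20   # guide: no CAC for UMA, so design for <= 20 active calls/AP


def one_way_kbps(frame_bytes, interval_ms):
    """Rate of a stream of equal-sized frames sent every interval_ms."""
    frames_per_sec = 1000 / interval_ms
    return frame_bytes * 8 * frames_per_sec / 1000


def per_call_kbps(frame_bytes, interval_ms=FRAME_INTERVAL_MS):
    """Both directions of one call, worst case (constant speech), as the
    guide recommends for LAN dimensioning."""
    return 2 * one_way_kbps(frame_bytes, interval_ms)


def silence_kbps():
    """What one direction costs while the caller is silent."""
    return one_way_kbps(SILENCE_FRAME_BYTES, SILENCE_INTERVAL_MS)


def max_calls_on_link(link_kbps, frame_bytes=ETH_FRAME_BYTES, voice_share=0.5):
    """Calls a wired link can carry if voice may use at most voice_share of
    its capacity; voice_share is a constructed design margin."""
    return floor(link_kbps * voice_share / per_call_kbps(frame_bytes))


def ap_call_budget(expected_calls):
    """Compare an AP's expected simultaneous calls with the guide's ceiling
    and size a per-AP bandwidth contract for IPsec traffic at that load."""
    return {
        "within_ceiling": expected_calls <= CALLS_PER_AP_CEILING,
        "contract_kbps": round(expected_calls * per_call_kbps(AIR_FRAME_BYTES)),
    }


if __name__ == "__main__":
    print(f"air: {per_call_kbps(AIR_FRAME_BYTES):.1f} kbps per call")
    print(f"eth: {per_call_kbps(ETH_FRAME_BYTES):.1f} kbps per call")
    print(f"10 Mbps link, 50% voice share: {max_calls_on_link(10_000)} calls")
    print(ap_call_budget(20))
```

The worst-case (constant speech) figure is what the guide recommends for LAN dimensioning; silence_kbps shows how much lower the rate drops with silence suppression, which is why the worst case and not an average should drive link sizing.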

7.2 Delay and jitter considerations

The delay and jitter of the UMA chain over Wi-Fi and the Internet are generally comparable to those of the cellular network. The Wi-Fi link itself introduces negligible delay in VoIP terms, where one-way, end-to-end delay should be kept within 200-250 msec for best quality.

Delay is the cumulative total of all links in the call listed above. The most significant contributions will be in the order of 20 msec for packetization and 50 msec for the dejitter buffer, for a minimum end-to-end latency in the order of 70 msec, to which the delays through all switches and routers in the path, and the propagation delay of links, primarily the Internet link, should be added. It should be safe to assume a worst case of around 100-150 msec between the handset and the T-Mobile core network.

Jitter is accounted for in the jitter buffer, effectively becoming extra latency on the connection. In practice, figures of <10 msec are typical for the Wi-Fi segment, and provided there is good QoS on the LAN, it should add negligible jitter. Thus a 100 msec jitter buffer is more than adequate for quite extreme conditions, giving the 50 msec figure quoted above for a normal 50% buffer fill.


All calls will, of course, include a second leg to the destination. If this destination has long delay, for instance an international call or a call to a cellphone, the overall connection may exhibit noticeable delay, but no greater than for a cellphone-to-cellphone connection.

For data traffic, no jitter buffer is necessary so delays will be considerably smaller, and significantly better than for cellular data connections. For a quick indication, ping the IP addresses listed below for T-Mobile gateways from a WLAN client, handset or PC. Since these are geographically distributed, try them all. From Aruba, ping (round-trip) delays range from 20 – 90 msec, depending on the gateway. The registration process is designed to connect the phone to the geographically closest gateway, which will normally deliver the lowest delay figures.

In an 'inside the firewall' network, authenticated HotSpot@Home handsets will be able to reach servers on the LAN without 'hairpinning' through the T-Mobile gateway. In this case, performance should be similar to that of Wi-Fi connected PCs, as the protocols and data paths are identical.

8 Emergency call handling

Although it is not clear whether FCC mandates apply to Wi-Fi-connected handsets, operators are working to implement E911 functionality equivalent to the cellular network. The two most important aspects of emergency calling are to direct the call to the correct (usually nearest) Public Safety Answering Point (PSAP), and to provide that PSAP, if it is E911-enabled, with the location of the caller. Since UMA technology allows calls to be made from any Internet-connected access point, the network uses a number of factors to determine the caller's identity and location, and to populate the information required. If the handset is within cellular coverage, a GSM emergency call may be made in the usual way. In cases in which the handset is on Wi-Fi but out of reach of the cellular network, a variety of input data is used, including:

- The last known GSM cell site detected by the handset;
- The registered address of the purchaser of UMA service, provided at point-of-sale;
- The MAC address of the associated AP (particularly useful for T-Mobile hotspots);
- The IP address assigned to the handset.

These input data, and the algorithms used to derive a corresponding location, are not yet standardized, but together they provide a framework for correct emergency call handling that is more advanced and effective than for PBX-connected Wi-Fi handsets. Customers will want to consult their T-Mobile representative for a comprehensive and up-to-date explanation of state-of-the-art E911 services over HotSpot@Home.

9 Enabling voice service on an existing Aruba wireless LAN

Most enterprises installing Wi-Fi networks today do so with the expectation that they will be able to support voice services, either immediately or in the future. Aruba's product line has incorporated voice over Wi-Fi features for the entire history of the company, and our experience is that when customers come to add voice to an existing Wi-Fi network, even one that was installed some years previously, there is seldom a need to re-engineer the network. The main considerations are:

- Consider upgrading to the latest software when deploying voice on a previously data-only network, to take advantage of current features.
- Purchase the Voice Services Module, a software license enabling a number of useful voice-related features.
- Review the network's coverage, as voice users may require a Wi-Fi signal in previously unserved locations such as stairwells, lobbies and outdoor areas. However, in already-covered areas it is seldom necessary to reduce AP spacing, as most Aruba networks are already designed for high-capacity, pervasive coverage.
- Consider whether to add a new SSID to the network. While voice and data traffic can coexist on a single SSID, battery-saving features can be more aggressively implemented on an SSID targeted at handheld, battery-powered clients.
- Review the 2.4 GHz and 5 GHz channel plans. The 5 GHz band is preferred for voice because there are fewer interfering devices such as microwave ovens, cordless phones and Bluetooth transmitters. However, as most handsets are only capable of 2.4 GHz operation, it may be necessary to use that band for voice, in which case grooming some or all data-only devices to the 5 GHz band may be the best policy for optimum bandwidth use.

Complete recommendations for voice services over Aruba wireless LANs are available in the ‘Voice design and implementation guide’.

10 Sample configuration for use in Aruba WLAN networks

Sample rules used to restrict access and set QoS for an Aruba Multi-Service Mobility Controller are shown below. The netdestination list permits traffic only to the identified T-Mobile networks. The access-list sets all ESP, IKE and NAT-T traffic to those destinations to high priority for both the uplink and the downlink, regardless of how it is tagged when it reaches the controller or access point. The 'disable-scanning' action prevents the access point from going off-channel to monitor other RF channels while HotSpot@Home traffic is present, as would be configured for other types of voice traffic. In Aruba's architecture the user role grants this access independently of authentication and is not linked to a specific SSID or VLAN: for instance, an open guest SSID could carry this rule in its logon role, allowing HotSpot@Home traffic to bypass the captive portal. Because that rule is reachable before authentication, it is in effect an unauthenticated egress permit, so the destination list should stay limited to the T-Mobile gateway addresses, and the current address list should be confirmed with T-Mobile, as the entries below date from the time of writing.

    netdestination tmobile-uma-svc
      ! The original lists each entry as 'host <gateway> 255.255.255.0'. In
      ! ArubaOS 'host' takes a single address and no mask; to permit each
      ! whole /24 instead, use e.g. 'network 208.54.3.0 255.255.255.0'.
      host 208.54.3.1
      host 208.54.4.1
      host 208.54.6.1
      host 208.54.7.1
      host 208.54.8.1
      host 208.54.83.1
      host 208.54.84.1
      host 208.54.85.1
      host 208.54.86.1
      host 208.54.87.1
      host 208.54.88.1
      host 208.54.90.1
    !
    ip access-list session tmobile-uma
      user alias tmobile-uma-svc svc-esp permit disable-scanning queue high
      user alias tmobile-uma-svc svc-ike permit disable-scanning queue high
      user alias tmobile-uma-svc svc-natt permit disable-scanning queue high
    !
    user-role logon
      session-acl tmobile-uma position 1
    !
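To see exactly what the rules above admit, and to substitute for the missing call admission control of section 7.1 by watching per-AP load, the following added Python example (not the guide's code and not ArubaOS) applies the same match logic to flow records. It assumes a flow record with source, destination, IP protocol, destination port, packets per second and serving AP; it treats each listed gateway address with the netdestination list's 255.255.255.0 mask as a /24; and it assumes that a tunnel carrying at least 20 packets/s is an active call (speech is 50 frames/s and silence-suppressed speech 20-25 frames/s per section 7, while an idle registered handset sends far fewer). The flow records are constructed.

```python
"""Apply the section 10 match logic to flow records and watch per-AP call load.

Added example, not the guide's code and not ArubaOS. Flow-record format,
the 20 pps in-call threshold and the sample records are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# netdestination tmobile-uma-svc, taking each listed gateway with the guide's
# 255.255.255.0 mask as a /24.
TMOBILE_UMA_NETS = [ip_network(f"208.54.{third}.0/24")
                    for third in (3, 4, 6, 7, 8, 83, 84, 85, 86, 87, 88, 90)]

ESP_PROTO, UDP_PROTO = 50, 17     # svc-esp; svc-ike and svc-natt ride on UDP
IKE_PORT, NATT_PORT = 500, 4500
CALLS_PER_AP_CEILING = 20         # guide: no CAC for UMA, keep <= 20 calls per AP
IN_CALL_MIN_PPS = 20              # assumption: speech 50 pps, silence 20-25 pps;
                                  # an idle registered handset sends far fewer


def is_uma_service(proto, dst_port):
    """ESP, IKE (UDP/500) or NAT-T (UDP/4500): the three ACL service aliases."""
    if proto == ESP_PROTO:
        return True
    return proto == UDP_PROTO and dst_port in (IKE_PORT, NATT_PORT)


def classify(flow):
    """'voice' when the flow matches the tmobile-uma ACL (UMA service to a
    listed destination), which the rule queues high; otherwise 'default',
    left to the rest of the role (e.g. the captive portal in the logon role)."""
    dst = ip_address(flow["dst"])
    if is_uma_service(flow["proto"], flow.get("dst_port")) and \
            any(dst in net for net in TMOBILE_UMA_NETS):
        return "voice"
    return "default"


def active_calls_per_ap(flows, min_pps=IN_CALL_MIN_PPS):
    """Distinct handsets per AP whose ESP/NAT-T tunnel is carrying media.
    IKE is setup/rekey, not media, so it never counts as a call."""
    calls = defaultdict(set)
    for f in flows:
        if classify(f) != "voice":
            continue
        if f["proto"] == UDP_PROTO and f["dst_port"] == IKE_PORT:
            continue
        if f["pps"] >= min_pps:
            calls[f["ap"]].add(f["src"])
    return {ap: len(handsets) for ap, handsets in calls.items()}


def aps_over_ceiling(flows, ceiling=CALLS_PER_AP_CEILING):
    """APs whose active-call count exceeds the design ceiling."""
    return sorted(ap for ap, n in active_calls_per_ap(flows).items() if n > ceiling)


# Constructed flow records: src handset, dst, IP proto, dst port, packets/s, AP.
SAMPLE_FLOWS = [
    {"src": "10.1.1.11", "dst": "208.54.3.1",  "proto": 17, "dst_port": 500,  "pps": 1,  "ap": "ap-lobby"},
    {"src": "10.1.1.11", "dst": "208.54.3.1",  "proto": 17, "dst_port": 4500, "pps": 50, "ap": "ap-lobby"},
    {"src": "10.1.1.12", "dst": "208.54.83.1", "proto": 50, "dst_port": None, "pps": 23, "ap": "ap-lobby"},
    {"src": "10.1.1.15", "dst": "208.54.84.1", "proto": 17, "dst_port": 4500, "pps": 0,  "ap": "ap-lobby"},  # registered, idle
    {"src": "10.1.1.13", "dst": "208.54.99.1", "proto": 17, "dst_port": 4500, "pps": 50, "ap": "ap-lobby"},  # not a listed network
    {"src": "10.1.1.14", "dst": "208.54.4.1",  "proto": 6,  "dst_port": 443,  "pps": 50, "ap": "ap-lobby"},  # TCP, not UMA
] + [
    {"src": f"10.1.2.{i}", "dst": "208.54.6.1", "proto": 50, "dst_port": None, "pps": 50, "ap": "ap-hall"}
    for i in range(1, 23)
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS[:6]:
        print(f["src"], "->", f["dst"], classify(f))
    print(active_calls_per_ap(SAMPLE_FLOWS), "over ceiling:", aps_over_ceiling(SAMPLE_FLOWS))
```

The NAT-T flow to 208.54.99.1 is classified 'default' because that address is outside the listed networks, which is the property that matters for a rule sitting in the logon role: it admits IPsec only to the named gateways, not to arbitrary Internet hosts. The idle registered handset at 10.1.1.15 is not counted as a call, which is the distinction section 7.1 draws between active calls and handsets merely present in an AP's area.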


All packets destined for the HotSpot@Home handset will have appropriate ‘voice’ priority tags, and should be given good QoS in the same way as the uplink. The Aruba controller will use these tags outside the tunnel header for all such traffic transmitted to an access point, and the access point, in turn, will use WMM ‘voice’ priority to queue and transmit frames over the air to the handset.

Conclusion

UMA is a very successful technology, and more than one million handsets were activated worldwide in 2007 by just a handful of GSM carriers including T-Mobile's HotSpot@Home service in the U.S. Considerably more UMA handsets are in use than any other form of FMC.

The initial target market for UMA was residential customers leveraging their home access points and public hotspots for Wi-Fi coverage. However, a significant number of enterprise and university telecoms users can benefit from this service by obtaining better coverage, data performance, reduced expenses, and/or favorable tariffs.

There are many paths to enterprise FMC, and HotSpot@Home is one approach among many. In its favor it is simple to adopt, requires no new user behavior, and offers a very clean single-number solution. A substantial percentage of organizations and users would benefit from deploying HotSpot@Home over an Aruba wireless LAN, and this guide was intended to inform network administrators about the advantages of such a deployment. These benefits can accrue whether one is implementing a single-access point based residential service or enabling an enterprise WLAN.


1344 Crossman Ave. Sunnyvale, CA 94089-1113 | Tel. +1.408.227.4500 | Fax. +1.408.227.4550 | [email protected]

http://www.arubanetworks.com

© 2009 Aruba Networks, Inc. AirWave®, Aruba Networks®, Aruba Mobility Management System®, Bluescanner, For Wireless That Works®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company® are trademarks of Aruba Networks, Inc. All rights reserved. All other trademarks are the property of their respective owners.