
2013

TEData Access Layer
Chapters
1. Components
2. PPP
3. Broadhop Operations
4. DNS & Connections
5. References

TEData
Chapter [1]
Components:
i. ADSL Modems
ii. DSLAMs
iii. Switches
iv. Routers
v. ACE 6509 Balancer
vi. SMEs, Radius and other servers [LDAP, etc]

ADSL Modems: also called routers; located at the end user, of types such as [Netgear, 3Com, SpeedTouch, etc]. The modem is connected to the user's PC by an Ethernet cable and to the ISP [Internet Service Provider] over the PSTN.

DSLAM [Digital Subscriber Line Access Multiplexer]: it is used to terminate the end users; its components are:

1. Chassis
2. Uplink card
3. Aggregation cards

DSLAM Models:

I. IP: its uplink is an Ethernet cable
II. ATM: its uplink is STM1, E3 or E1s [connected via IMA].

DSLAM Types:

I. Huawei
a. 5100
b. 5103
c. 5600
d. 5603
e. 5605
II. Alcatel
a. ASAM
b. ISAM
i. FD
ii. XD

III. Paradyne [or Zhone]
a. ATM
b. IP

Switches: used to connect IP DSLAMs to routers and to apply the DSLAM VLAN, among other features.
SW types:

I. Cisco
II. Juniper
III. Brocade

Routers [called ISG]: their function is to terminate PPP and to do customer routing. The router is a client of the ACE [IP: 163.121.189.129] and sends its requests to the ACE on the two ports 1812 & 1813 for authentication and accounting respectively.

Routers types:

I. Cisco
a. 7206 [theoretically supports 64000 sessions, but in practice about 3000 sessions]
b. ASR1004 [can handle up to 32000 sessions]
c. 10K [can handle up to 32000 sessions]

II. Juniper: not used in the TEData network [but it can support PPP].

ACE 6509 Balancer: its function is to balance customer authentication requests between the SMEs and to probe them [the probe is like ping but at layer 7 of the OSI model; it uses ports 1812 & 1813 to check the service].

SMEs, Radius and other servers [LDAP, etc]: the Radius is a RADIUS [Remote Authentication Dial In User Service] server, and all these devices are used to check the customer's username, password, profile, accounting, etc.

Chapter [2 & 3]
“PPP”
Why PPP?
- In networking, the Point-to-Point Protocol (PPP) is a data link protocol commonly used in establishing a direct connection between two networking nodes. It can provide connection authentication, transmission encryption and compression.
- PPP is used over many types of physical networks including serial cable, phone line, trunk line, cellular telephone, specialized radio links, and fiber optic links such as SONET. PPP is also used over Internet access connections (now marketed as "broadband"). Internet service providers (ISPs) have used PPP for customer dial-up access to the Internet, since IP packets cannot be transmitted over a modem line on their own, without some data link protocol. Two derivatives of PPP, Point-to-Point Protocol over Ethernet (PPPoE) and Point-to-Point Protocol over ATM (PPPoA), are used most commonly by Internet Service Providers (ISPs) to establish a Digital Subscriber Line (DSL) Internet service connection with customers.
- Permits multiple network layer protocols to operate on the same communication link. For every network layer protocol used

PPP Layers:
- LCP [Link Control Protocol]: initiates and terminates connections gracefully; authentication occurs in this stage.
- NCP [Network Control Protocol]: encapsulates and negotiates options for the multiple network layer protocols; in this stage the customer obtains an IP.

PPP types:
- PPPoA: The Point-to-Point Protocol over ATM is a network protocol for encapsulating PPP frames in AAL5.

Figure 1

Figure 2

- PPPoE: The Point-to-Point Protocol over Ethernet is a network protocol for encapsulating PPP frames inside Ethernet frames.

PPP Stages:
- There are two stages:
  o PPP Session: when the MAC address of the peer is known and the session has been established.
  o PPP Discovery [Figure.1]
There are four steps in the discovery stage, followed by a termination packet:
- Step 1 [Client to server: Initiation (PADI)] the host broadcasts an initiation packet [destination MAC: ff:ff:ff:ff:ff:ff].
- Step 2 [Server to client: Offer (PADO)] one or more routers send offer packets.
- Step 3 [Client to server: Request (PADR)] the host sends a unicast session request packet.
- Step 4 [Server to client: Session-confirmation (PADS)] the selected router sends a confirmation packet.
- Step 5 [Either end to the other end: Termination (PADT)] this packet terminates the connection. It may be sent either from the DSL modem or from the router.

*** When these four steps are completed, both peers know the PPPoE SESSION_ID and the peer's Ethernet address.
When the host receives the confirmation packet it can proceed to the PPP session stage in the following steps:

Step 1 LCP negotiation between the two end-points of the connection [Client & Router].
Step 2 Authentication phase [where the router actually authenticates the users; the default for most ISPs].
But in TEData the users are authenticated from the SMEs [How? ********]
Step 3 This is the final stage: the host is assigned an IP address.
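The discovery exchange described in steps 1 to 4, as an added example that is not part of the original document: both the CPE side and the router side are modelled, with the Host-Uniq and AC-Cookie tags (RFC 2516) used so that each side accepts only a reply to its own packet. The MAC addresses, AC-Name, cookie and Host-Uniq are constructed values.

```python
import struct

ETH_PPPOE_DISC = 0x8863            # EtherType of the PPPoE discovery stage (RFC 2516)
BCAST = b"\xff" * 6
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7   # codes; PADT (step 5) has no tags
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104

def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + 6-byte PPPoE header (ver=1, type=1) + TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload
    return dst + src + struct.pack("!H", ETH_PPPOE_DISC) + pppoe

def parse_frame(frame):
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body, tags, off = frame[20:20 + length], {}, 0
    while off + 4 <= len(body):
        t, l = struct.unpack("!HH", body[off:off + 4])
        tags[t] = body[off + 4:off + 4 + l]
        off += 4 + l
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}

def discovery_exchange(cpe_mac, router_mac, ac_cookie, session_id):
    """Steps 1-4 of the discovery stage, both sides; returns the parsed PADS."""
    host_uniq = b"\x00\x00\x00\x2a"              # constructed client token
    # Step 1: the CPE broadcasts PADI
    padi = parse_frame(build_frame(BCAST, cpe_mac, PADI, 0,
                                   [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
    # Step 2: the router answers PADO, echoing Host-Uniq and adding its own AC-Cookie
    pado = parse_frame(build_frame(padi["src"], router_mac, PADO, 0,
                                   [(TAG_SERVICE_NAME, b""), (TAG_AC_NAME, b"ISG-1"),
                                    (TAG_HOST_UNIQ, padi["tags"][TAG_HOST_UNIQ]), (TAG_AC_COOKIE, ac_cookie)]))
    # Step 3: the CPE accepts only an offer that echoes its Host-Uniq, then unicasts PADR with the cookie
    if pado["tags"].get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO does not answer our PADI")
    padr = parse_frame(build_frame(pado["src"], cpe_mac, PADR, 0,
                                   [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq),
                                    (TAG_AC_COOKIE, pado["tags"][TAG_AC_COOKIE])]))
    # Step 4: the router allocates a SESSION_ID only for a PADR that returns the cookie it issued
    if padr["tags"].get(TAG_AC_COOKIE) != ac_cookie:
        raise ValueError("PADR carries an unknown AC-Cookie")
    return parse_frame(build_frame(padr["src"], router_mac, PADS, session_id,
                                   [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]))
```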

[Figure: authentication path. User PC - Modem - IP DSLAM - SW - Router [PPP terminator] - ACE 6509 - SME 1 to SME 4, LDAP and other servers in the Data Center. Radius 1, 2 and 3 are used to check the password after taking a copy of the username from the ACE; Radius 4 at RAMSIS Zone works as backup. User: "I need to authenticate to get IP for browsing".]

******* How does a TEData user authenticate?

When PPP is established as explained above, the user passes through the authentication stage to get an IP for browsing. The following steps explain the authentication process:

1. The user turns on his CPE and PPPoE negotiation starts [PADI].
2. The router sends an offer packet [PADO] when it receives the PADI packet from the user on the sub-interface below.
3. The CPE sends a request [PADR].
4. The router confirms [PADS] and can then proceed with the authentication process through the keyword [group global]:

interface GigabitEthernet0/1.50
 description 15MAY-D02H-C-EG GLBL VLAN
 encapsulation dot1Q 50 second-dot1q any >> outer VLAN 50 for the DSLAM, inner VLAN [any] for each customer
 ip mtu 1492
 pppoe enable group global
 pppoe max-sessions 20000 >> maximum number of PPPoE sessions this sub-interface can handle

On the ISG we defined a bba-group called global, which references Virtual-Template 500.

Virtual-Template 500 defines where the user is authenticated, authorized and accounted:

bba-group pppoe global
 virtual-template 500
 vendor-tag circuit-id service >> must exist so the DSLAM circuit-id is sent as NAS_PORT_ID
 sessions per-vc limit 1

Current configuration: 373 bytes
!
interface Virtual-Template500
 description "GLOBAL"
 ip vrf forwarding RMS.BB >> the session sits in VRF RMS.BB
 ip unnumbered Loopback0 >> the router uses its Loopback0 IP when exchanging data with the ACE
 ip mtu 1492
 ip tcp adjust-mss 1432
 no logging event link-status
 peer default ip address pool TEMP >> a user who fails authentication gets an IP from the TEMP pool configured on the router
 ppp lcp delay 5 random 20
 ppp authentication pap BH >> authenticate via list BH; the authentication type is PAP
 ppp authorization BH >> authorize via list BH
 ppp accounting SM >> account via list SM
 no clns route-cache
 service-policy type control tedata-parent-1 >> explained below
end

aaa group server radius TEDATA
 server 172.16.0.42 auth-port 1812 acct-port 1813
 server 172.16.0.34 auth-port 1812 acct-port 1813
 server 163.121.183.202 auth-port 1812 acct-port 1813
!
aaa group server radius SME-SERVER
 server-private 163.121.189.129 auth-port 1812 acct-port 1813
 server-private 163.121.183.202 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa group server radius SM-SERVER
 server-private 213.158.166.86 auth-port 1812 acct-port 1813 key 7 100F1A10091E11040245
 ip radius source-interface Loopback0
!
aaa authentication suppress null-username
aaa authentication login network group tacacs+ local
aaa authentication login SME_AUTHEN_LIST group BH-SERVER
aaa authentication ppp ADSL group TEDATA
aaa authentication ppp PPPTP local-case
aaa authentication ppp BH group SME-SERVER
aaa authorization network ADSL group TEDATA
aaa authorization network BH group BH-SERVER
aaa accounting network SM
 action-type start-stop
 group SM-SERVER

****** When the first customer on an ISG completes his PPP process, the ISG opens sessions with the SMEs via the portbundle number and its loopback, which creates a service called PBHK [the first service for the customer] plus the open garden, which allows the user to access DNS and the TEData site; when authentication succeeds he obtains his service [like: 512_MONTHLY].

Note 1: on each ISG we can configure the portbundle length, which gives 4000 ports >> this means the ISG can handle 4000 sessions or users. We can change it to 3 or 2, but it must be the same on the Broadhop to avoid any problem.

Note 2: the ISG downloads the user's service from the SMEs only when it does not already have that service, i.e. for the first user; the second user obtains it from the ISG directly.

Summary:
- The CPE sends the username and password to the ISG to authenticate.
- The ISG forwards them to the ACE.
- The ACE sends the username to the SMEs to fetch the user profile and all his data, and forwards a copy of the username to the Radius to check the password.
Now, we have three conditions:
1. Username and password right
   The SMEs get the user's service from his customer profile and forward it to the ISG.
2. Username right but password wrong
   The Radius replies with [wrong password], so the SMEs forward a suspended service for this user to the ISG.
3. Username not found on both the SMEs and the Radius
   o The user obtains the default service.
   In this case, we should synchronize the DB of both the SMEs and the Radius so they are the same.
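The three conditions above are decided by the RADIUS exchange between the ISG and the ACE/SMEs on UDP port 1812. The following added example (not from this document or from TEData) shows, per RFC 2865, how a PAP Access-Request hides the password with the shared secret and how the client must check the Identifier and Response Authenticator before trusting an Access-Accept or Access-Reject; the secret, usernames, passwords and NAS-Port-Id value are constructed, and the server side only accepts or rejects (the SME profile lookup and the default/suspended services are not modelled).

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT_ID = 1, 2, 87  # attribute types (RFC 2865 / RFC 2869)

def attrs(pairs):
    # Type-Length-Value; Length counts the two header bytes as well
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    p = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def access_request(ident, username, password, nas_port_id, secret, req_auth=None):
    """What the ISG sends to UDP/1812 for a PAP login; the Request Authenticator is 16 random bytes."""
    req_auth = req_auth or os.urandom(16)
    body = attrs([(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth)),
                  (NAS_PORT_ID, nas_port_id)])
    return packet(ACCESS_REQUEST, ident, req_auth, body)

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    body, a, off = pkt[20:length], {}, 0
    while off + 2 <= len(body) and body[off + 1] >= 2:  # a bogus attribute length must not loop forever
        a[body[off]] = body[off + 2:off + body[off + 1]]
        off += body[off + 1]
    return code, ident, pkt[4:20], a

def respond(pkt, secret, users):
    """Server side: compare the hidden password with the hidden form of the stored one, then sign the reply."""
    code, ident, req_auth, a = parse(pkt)
    expected = hide_password(users.get(a.get(USER_NAME), b""), secret, req_auth)
    reply = ACCESS_ACCEPT if a.get(USER_PASSWORD) == expected else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", reply, ident, 20) + req_auth + secret).digest()
    return packet(reply, ident, resp_auth, b"")

def verify_response(resp, req, secret):
    """Client side: trust a reply only if its Identifier and Response Authenticator check out."""
    code, ident, resp_auth, _ = parse(resp)
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return code if resp_auth == expected and ident == req[1] else None
```

The password hiding is reversible by anyone holding the shared secret, which is why the secret and the path between ISG and ACE need protecting as much as the RADIUS servers themselves.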

The difference between ISG and BRAS

i. ISG [Intelligent Services Gateway]: has the ability to manage and modify the service in real time; in other words it works at the service level [i.e. it can change a user's service in real time, such as a quota].
ii. BRAS [Broadband Remote Access Server]: works at the session level.

ip portbundle
 match access-list 188 >> see the router configuration [contains the ACE IP and the Broadhop IPs]
 source Loopback0
!
class-map type traffic match-any OPENGARDEN_SERVICE
 match access-group input name OPENGARDEN_ACL_IN >> named access-list OPENGARDEN_ACL_IN, which contains the TEData site, DNS and other sites
 match access-group output name OPENGARDEN_ACL_OUT
!
policy-map type service PBHK_SERVICE
 ip portbundle
!
policy-map type service OPENGARDEN_SERVICE
 class type traffic OPENGARDEN_SERVICE >> calls "class-map type traffic match-any OPENGARDEN_SERVICE"
 !
 class type traffic default in-out >> the default class receives any traffic that matches none of the match criteria in the configured class maps
  drop
!
policy-map type control tedata-parent-1
 class type control always event session-start >> a control class for which actions may be configured; enters control policy-map class configuration mode
  1 collect identifier unauthenticated-username >> collects the subscriber identifier from the access protocol; applied to all users first so they take PBHK and open garden, as shown below:
  2 service-policy type service name PBHK_SERVICE >> calls "policy-map type service PBHK_SERVICE"
  3 service-policy type service name OPENGARDEN_SERVICE >> calls "policy-map type service OPENGARDEN_SERVICE"
 !
 class type control always event account-logon
  1 authenticate aaa list SME_AUTHEN_LIST
 !
 class type control always event account-logoff
  1 service disconnect delay 5
 !
 class type control always event service-stop
  1 service-policy type service unapply identifier service-name
 !
 class type control always event service-start
  2 service-policy type service unapply name QUOTAREDIRECT_SERVICE
  3 service-policy type service identifier service-name

Finally, we need to keep in mind that in order to make any policy the following steps should be taken, as in the example below:

Redirection for PPP Sessions: Example

The following example shows how to configure Layer 4 redirection for PPP sessions:

class-map type traffic match-any CLASS-L4R
!
policy-map type service svc-rdt
 class type traffic CLASS-L4R
  redirect to group PORTAL
!
policy-map type control THE_RULE
 class type control always event session-start
  1 authenticate
  2 service-policy type service name svc-rdt
!
redirect server-group PORTAL
 server ip 10.2.36.253 port 80

Chapter [4]
DNS
The following command should be applied to let the user obtain the ISP [TEData] DNS servers:

async-bootp dns-server 163.121.128.134 163.121.128.135

Connections Types:

Figure 3: IP DSLAM connected by Ethernet to a SW, which is connected by Ethernet to the Router.

Figure 4 Cascaded: IP DSLAM [2] connected to IP DSLAM [1], which is connected by Ethernet to the Router.

Figure 5 Cascaded from one SW: IP DSLAM [2] and an IP DSLAM each connected by Ethernet to one SW, which is connected by Ethernet to the Router.

Figure 6 Aggregation 5600: ATM DSLAM connected to an IP DSLAM, which is connected by Ethernet to the Router.

Figure 7 Cascaded [ATM]: ATM DSLAM [2] connected to an ATM DSLAM, which is connected over ATM to the Router.

References:
http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
http://en.wikipedia.org/wiki/DSL_splitter
http://en.wikipedia.org/wiki/Public_switched_telephone_network
http://en.wikipedia.org/wiki/Point-to-point_protocol
http://books.google.com.eg/books?id=3MzYgtt6BScC&pg=SL20-PA18&lpg=SL20-PA18&dq=where+the+authentication+takes+place+at+PADI+or+PADO&source=bl&ots=ax6ItPX93X&sig=0bOGeU_9V_Km6Ca5MsshFAXRfbY&hl=ar&sa=X&ei=hXNpUbLoNInA7AaMpYDoAw&ved=0CCwQ6AEwAA#v=onepage&q=where%20the%20authentication%20takes%20place%20at%20PADI%20or%20PADO&f=false
http://www.cisco.com/en/US/docs/ios/ios_xe/isg/configuration/guide/isg_cntrl_policies_xe.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/command/reference/isg_m1.html [ISG]
http://docwiki.cisco.com/wiki/Intelligent_Services_Gateway_(ISG)_--_Residential_Access_Using_DHCP_Sessions_Configuration_Example [ISG]
http://www.cisco.com/en/US/docs/ios/ios_xe/isg/configuration/guide/isg_rabapol_xe.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_l4_redirect.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_subscriber_svcs.pdf [ISG]
