5 - Access Layer (Hardware)
TEData Access Layer
Chapters
1. Components
2. PPP
3. Broadhop Operations
4. DNS & Connections
5. References
Chapter [1]
Components:
i. ADSL Modems
ii. DSLAMs
iii. Switches
iv. Routers
v. ACE 6509 Balancer
vi. SMEs, Radius and other servers [LDAP, etc.]
ADSL Modems: also called the CPE router; it sits at the end user's premises and common types are [Netgear, 3Com, SpeedTouch,
etc.]. It connects to the user's PC by Ethernet cable and to the ISP [Internet service provider] over the PSTN copper line.
DSLAM [Digital Subscriber Line Access Multiplexer]: terminates the end users' DSL lines; its
components are:
1. Chassis
2. Uplink card
3. Aggregation cards
DSLAM Types:
I. Huawei
a. 5100
b. 5103
c. 5600
d. 5603
e. 5605
II. Alcatel
a. ASAM
b. ISAM
i. FD
ii. XD
III. Paradyne [or Zhone]
a. ATM
b. IP
Switches: connect the IP DSLAMs to the routers, carry the per-DSLAM VLANs and provide other features.
SW types:
I. Cisco
II. Juniper
III. Brocade
Routers [called ISG]: terminate the customers' PPP sessions and route their traffic. The router is a RADIUS client of the ACE [IP:
163.121.189.129]: it sends its authentication requests to the ACE on UDP port 1812 and its accounting requests on UDP port 1813,
using a shared secret that is configured on both sides.
Routers types:
I. Cisco
a. 7206 [supports 64000 sessions in theory, but about 3000 sessions in practice]
b. ASR1004 [can handle up to 32000 sessions]
c. 10K [can handle up to 32000 sessions]
II. Juniper: not used in the TEData network [but it does support PPP].
ACE 6509 Balancer: balances the customers' authentication requests across the SMEs.
Probe: the ACE's health check for each SME; it is like ping but at layer 7 of the OSI model, and it uses ports 1812 & 1813 to
check that the RADIUS service on the SME is actually answering before customer requests are sent to it.
SMEs, Radius and other servers [LDAP, etc.]: the RADIUS [Remote Authentication Dial In User Service] servers and the
directories behind them; together these devices check the customer's username, password, profile, accounting, etc.
Chapter [2 & 3]
“PPP”
Why PPP?
In networking, the Point-to-Point Protocol (PPP) is a data link protocol commonly used in establishing a
direct connection between two networking nodes. It can provide connection authentication,
transmission encryption and compression.
PPP is used over many types of physical networks including serial cable, phone line, trunk line, cellular
telephone, specialized radio links, and fiber optic links such as SONET. PPP is also used over Internet
access connections (now marketed as "broadband"). Internet service providers (ISPs) have used PPP for
customer dial-up access to the Internet, since IP packets cannot be transmitted over a modem line on their
own, without some data link protocol. Two derivatives of PPP, Point-to-Point Protocol over
Ethernet (PPPoE) and Point-to-Point Protocol over ATM (PPPoA), are used most commonly by Internet
Service Providers (ISPs) to establish a Digital Subscriber Line (DSL) Internet service connection with
customers.
PPP permits multiple network layer protocols to operate on the same communication link; for every network
layer protocol used, a separate Network Control Protocol is provided (see NCP below).
PPP Layers:
LCP [Link Control Protocol]: establishes, configures and terminates the link gracefully. It also negotiates which
authentication protocol (PAP or CHAP) the peers will use; the authentication phase runs as soon as LCP is up, before any
network layer protocol is configured.
NCP [Network Control Protocol]: one NCP per network layer protocol, used to encapsulate and negotiate options for it. For IP
this is IPCP, and this is the stage in which the customer obtains his IP address.
PPP types:
PPPoA: the Point-to-Point Protocol over ATM is a network protocol for encapsulating PPP frames in ATM AAL5 [Figure 1].
[Figure 1]
[Figure 2]
PPPoE: the Point-to-Point Protocol over Ethernet is a network protocol for encapsulating PPP frames
inside Ethernet frames [Figure 2].
PPP Stages:
- there are two stages, in this order:
o PPP Discovery [Figure 1]: the host finds an access concentrator (the router) and the two agree on a session ID.
o PPP Session: entered once the MAC address of the peer is known and the session has been established; the PPP frames
themselves (LCP, authentication, NCP) are exchanged in this stage.
There are four steps in the discovery stage, as follows:
Step 1 [Client to server: Initiation (PADI)] the host broadcasts an initiation packet [destination MAC:
ff:ff:ff:ff:ff:ff].
Step 2 [Server to client: Offer (PADO)] one or more routers send offer packets.
Step 3 [Client to server: Request (PADR)] the host sends a unicast session request packet to the router whose offer it chose.
Step 4 [Server to client: Session-confirmation (PADS)] the selected router sends a confirmation
packet carrying the session ID.
A fifth packet type is not part of discovery: [Either end to the other end: Termination (PADT)] this packet terminates the
session. It may be sent either from the DSL modem or from the router.
Note that nothing in the discovery stage is authenticated: any station on the same broadcast domain that hears the PADI can
answer it, so subscriber isolation on the DSLAM and the per-DSLAM VLANs are what keep one subscriber from answering another's PADI.
*** When these four steps are completed, both peers know the PPPoE SESSION_ID and the peer's Ethernet address.
When the host receives the confirmation packet it proceeds to the PPP session stage in the following steps:
Step 1 LCP negotiation between the two end-points [Client & Router].
Step 2 Authentication phase: in the default setup of most ISPs the router itself authenticates the users. In TEData the
router (ISG) does not hold the users: it forwards the username and password over RADIUS to the ACE, which passes them on to the
SMEs and the Radius servers [see the authentication process below].
Step 3 Final stage: IPCP assigns the host its IP address.
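The discovery exchange above (PADI, PADO, PADR, PADS and PADT), as an added example that is not part of the original document: a small Python model of the CPE and the access concentrator (the router) exchanging RFC 2516 frames on one broadcast domain. The AccessConcentrator and client_discovery names, the AC-Cookie construction (an HMAC over the client MAC, one of the stateless designs RFC 2516 allows), the AC-Name allow-list and the MAC addresses used in the comments are this example's own choices, not TEData's configuration.

```python
import hashlib
import hmac
import os
import struct

# Constants from RFC 2516 (PPPoE discovery stage).
ETH_P_PPPOE_DISC = 0x8863
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104
BROADCAST = b"\xff" * 6


def build_frame(dst, src, code, session_id, tags):
    """Ethernet header + PPPoE discovery header + TLV tag list."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    hdr = struct.pack("!BBHH", 0x11, code, session_id, len(payload))  # ver=1, type=1
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + payload


def parse_frame(frame):
    """Parse a discovery frame; raise on anything malformed instead of guessing."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")
    tags, off = {}, 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if tag == TAG_EOL:
            break
        if off + tlen > len(body):
            raise ValueError("truncated tag")
        tags[tag] = body[off:off + tlen]
        off += tlen
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}


class AccessConcentrator:
    """The router side (hypothetical model). It keeps no state for a PADI: the AC-Cookie it hands out
    is an HMAC of the client MAC, and a PADR is honoured only with a cookie issued for the MAC it comes from."""

    def __init__(self, mac, name, cookie_secret):
        self.mac, self.name, self.secret = mac, name, cookie_secret
        self.sessions, self.next_sid = {}, 1

    def cookie(self, client_mac):
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:16]

    def handle(self, frame):
        p = parse_frame(frame)
        echo = [(TAG_SERVICE_NAME, p["tags"].get(TAG_SERVICE_NAME, b""))]
        if TAG_HOST_UNIQ in p["tags"]:
            echo.append((TAG_HOST_UNIQ, p["tags"][TAG_HOST_UNIQ]))  # must be echoed back unchanged
        if p["code"] == PADI and p["dst"] == BROADCAST:
            tags = echo + [(TAG_AC_NAME, self.name), (TAG_AC_COOKIE, self.cookie(p["src"]))]
            return build_frame(p["src"], self.mac, PADO, 0, tags)
        if p["code"] == PADR and p["dst"] == self.mac:
            if not hmac.compare_digest(p["tags"].get(TAG_AC_COOKIE, b""), self.cookie(p["src"])):
                return None  # forged or replayed PADR: drop it without allocating a session
            sid, self.next_sid = self.next_sid, self.next_sid + 1
            self.sessions[sid] = p["src"]
            return build_frame(p["src"], self.mac, PADS, sid, echo)
        if p["code"] == PADT and self.sessions.get(p["session_id"]) == p["src"]:
            del self.sessions[p["session_id"]]  # only the session's own peer may tear it down
        return None


def client_discovery(client_mac, concentrators, allowed_ac_names, service=b""):
    """The CPE side: PADI -> PADO -> PADR -> PADS. `concentrators` stands in for every station on the
    broadcast domain that hears the PADI. Returns (ac_mac, session_id)."""
    host_uniq = os.urandom(8)
    padi = build_frame(BROADCAST, client_mac, PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    for ac in concentrators:
        reply = ac.handle(padi)
        if reply is None:
            continue
        offer = parse_frame(reply)
        # Host-Uniq only pairs replies with our own PADI; it is not authentication.
        if offer["code"] != PADO or offer["tags"].get(TAG_HOST_UNIQ) != host_uniq:
            continue
        if offer["tags"].get(TAG_AC_NAME) not in allowed_ac_names:
            continue  # policy filter only: a rogue AC can call itself anything it likes
        padr = build_frame(offer["src"], client_mac, PADR, 0,
                           [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq),
                            (TAG_AC_COOKIE, offer["tags"][TAG_AC_COOKIE])])
        confirm = ac.handle(padr)
        if confirm is None:
            continue
        pads = parse_frame(confirm)
        if pads["code"] == PADS and pads["session_id"] != 0:
            return pads["src"], pads["session_id"]
    raise RuntimeError("no acceptable PADO/PADS received")
```

What the model shows that the step list does not: the concentrator holds no state until a PADR arrives with a cookie it issued for that source MAC, so a flood of PADIs costs it nothing, and the client's AC-Name check is a policy filter only, since any station that hears the PADI can answer with any name. Isolating subscribers on the DSLAM is what actually prevents a rogue concentrator from being chosen.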
[Figure: authentication path. User PC -> Modem -> IP DSLAM -> SW -> Router (PPP terminator) -> ACE 6509 -> SME 1, SME 2, SME 3, SME 4, LDAP and other servers in the Data Center. The user needs to authenticate in order to get an IP for browsing. Radius 1, Radius 2 and Radius 3 are used to check the password, taking a copy of the username from the ACE; Radius 4, at the RAMSIS zone, works as backup.]
When PPP is established as explained above, the user passes through the authentication stage to get an IP for browsing. The
following steps explain the authentication process:
On the ISG we defined a PPPoE bba-group called global which points to Virtual-Template 500.
Virtual-Template 500 is the interface template on which the user is authenticated, authorized and accounted.
bba-group pppoe global
 virtual-template 500
 vendor-tag circuit-id service   >> must be present so that the circuit-id received from the DSLAM is used as NAS_PORT_ID
 sessions per-vc limit 1         >> one PPPoE session per ATM VC, i.e. per subscriber line
When a customer completes his PPP process on the ISG, the ISG opens the sessions towards the SMEs from its loopback address and a
port-bundle number; this creates the service called PBHK [Port-Bundle Host Key, the first service every customer gets], through
which the SMEs identify the subscriber by source address plus port bundle. Together with it the open-garden service is applied,
which only allows the user to reach DNS and the TEData site. When authentication succeeds he obtains his own service [like: 512_MONTHLY].
Note 1: the port-bundle length configured on each ISG is given in bits. The default of 4 bits gives 16 ports per bundle and
therefore about 4000 bundles, which means the ISG can handle about 4000 sessions or users per loopback address. We can change it to
3 or 2 bits (8 or 4 ports per bundle, doubling or quadrupling the number of users), but the same value must be configured on the
Broadhop side, otherwise the subscriber-to-bundle mapping breaks.
Note 2: the ISG downloads a service definition from the SMEs only when it does not already have it, i.e. for the first user of
that service; the following users who are given the same service obtain it from the ISG directly.
Summary:
The CPE sends the username and password to the ISG to authenticate.
The ISG forwards them to the ACE.
The ACE sends the username to the SMEs to fetch the user's profile and all his data, and forwards a copy of the username to the
Radius to check the password.
Now we have three conditions:
1. Username and password right:
the SMEs take the service from the customer's profile and forward it to the ISG.
2. Username right but password wrong:
the Radius replies [wrong password], so the SMEs forward a suspended service for this user to the ISG.
3. Username not found on both the SMEs and the Radius:
in this case we should synchronize the DB of the SMEs and the Radius so that both are the same.
o The user obtains the default service.
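The ISG-to-ACE exchange on ports 1812/1813 (chapter 1, Routers and ACE) and the three outcomes in the summary above, as an added example that is not part of the original document: a Python model of the RADIUS Access-Request / Access-Accept / Access-Reject exchange per RFC 2865, with one object standing in for the ACE, SMEs and Radius servers together. The AuthBackend and IsgClient names, the constructed sample users and shared secret, the use of a Cisco-AVPair `subscriber:service-name=` reply attribute to carry the service name, and the SUSPENDED service name for the wrong-password case are assumptions of this example, not TEData's actual attribute set.

```python
import hashlib
import hmac
import os
import socket
import struct

# RFC 2865 codes and attribute types; Cisco-AVPair is Vendor-Specific (26), vendor 9, type 1.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, NAS_PORT_ID = 1, 2, 4, 26, 87
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)."""
    plain = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        block = bytes(a ^ b for a, b in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text):
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(text) + 2) + text)


def parse_attrs(data):
    out, off = [], 0
    while off + 2 <= len(data):
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[off + 2:off + alen]))
        off += alen
    return out


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_auth(code, ident, attrs, request_auth, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): binds the reply to this request and to the secret."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


class AuthBackend:
    """Stands in for ACE + SMEs + Radius (hypothetical). Profiles (username -> service) and
    passwords are kept in separate stores, mirroring the page's split; data is supplied by the caller."""

    def __init__(self, secret, profiles, passwords):
        self.secret, self.profiles, self.passwords = secret, profiles, passwords

    def handle(self, req):
        code, ident, length = struct.unpack("!BBH", req[:4])
        if code != ACCESS_REQUEST or length != len(req):
            return None
        request_auth, attrs = req[4:20], dict(parse_attrs(req[20:length]))
        user = attrs.get(USER_NAME)
        if user not in self.profiles or user not in self.passwords:
            reply_code, reply_attrs = ACCESS_REJECT, b""       # condition 3: unknown user
        else:
            given = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth)
            if hmac.compare_digest(given, self.passwords[user]):
                service = self.profiles[user]                  # condition 1: service from the profile
            else:
                service = b"SUSPENDED"                         # condition 2: placeholder name (assumption)
            reply_code = ACCESS_ACCEPT
            reply_attrs = cisco_avpair(b"subscriber:service-name=" + service)
        return packet(reply_code, ident, response_auth(reply_code, ident, reply_attrs, request_auth, self.secret), reply_attrs)


class IsgClient:
    """The NAS side (hypothetical): builds the Access-Request and refuses any reply that fails the authenticator check."""

    def __init__(self, secret, nas_ip, backend):
        self.secret, self.nas_ip, self.backend, self.ident = secret, nas_ip, backend, 0

    def authenticate(self, username, password, circuit_id):
        ident, self.ident = self.ident, (self.ident + 1) % 256
        request_auth = os.urandom(16)
        attrs = (attr(USER_NAME, username)
                 + attr(USER_PASSWORD, hide_password(password, self.secret, request_auth))
                 + attr(NAS_IP_ADDRESS, socket.inet_aton(self.nas_ip))
                 + attr(NAS_PORT_ID, circuit_id))              # DSLAM circuit-id (cf. vendor-tag circuit-id)
        resp = self.backend.handle(packet(ACCESS_REQUEST, ident, request_auth, attrs))
        code, rid, length = struct.unpack("!BBH", resp[:4])
        rattrs = resp[20:length]
        if rid != ident or not hmac.compare_digest(resp[4:20], response_auth(code, rid, rattrs, request_auth, self.secret)):
            raise ValueError("reply failed the Response Authenticator check: not from the ACE, or tampered")
        service = None
        for atype, value in parse_attrs(rattrs):
            if atype == VENDOR_SPECIFIC and value[:5] == struct.pack("!IB", CISCO_VENDOR_ID, CISCO_AVPAIR):
                text = value[6:4 + value[5]]
                if text.startswith(b"subscriber:service-name="):
                    service = text.split(b"=", 1)[1]
        return ("accept" if code == ACCESS_ACCEPT else "reject", service)
```

The NAS refuses any reply whose Response Authenticator does not verify, so a packet injected by something other than the ACE, or one belonging to a different request, never activates a service. Note that the User-Password hiding is an MD5 keystream with no integrity protection of its own, which is why the shared secret and the path between ISG and ACE both have to be treated as sensitive; with CHAP the password itself would not travel in the request at all.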
i. ISG [Intelligent Services Gateway]: has the ability to manage and modify the service in real time; in other
words it works at the service level [i.e. it can change the user's service in real time, as for a Quota].
ii. BRAS [Broadband Remote Access Server]: works at the session level only.
ip portbundle
 match access-list 188            >> check the router configuration [ACL 188 contains the ACE IP and the Broadhop IPs]
 source Loopback0
!
class type traffic default in-out  >> the default class is the class to which traffic is directed if it does not match any of the match criteria in the configured class maps [this class sits inside a policy-map type service, e.g. the open-garden service]
 drop
!
 2 service-policy type service name PBHK_SERVICE         >> applies the “policy-map type service PBHK_SERVICE”
 3 service-policy type service name OPENGARDEN_SERVICE   >> applies the “policy-map type service OPENGARDEN_SERVICE” [the control class these two numbered actions belong to is not shown here]
!
class type control always event account-logon
 1 authenticate aaa list SME_AUTHEN_LIST                 >> the AAA method list that points at the ACE
!
class type control always event account-logoff
 1 service disconnect delay 5
!
class type control always event service-stop
 1 service-policy type service unapply identifier service-name
!
class type control always event service-start
 2 service-policy type service unapply name QUOTAREDIRECT_SERVICE
 3 service-policy type service identifier service-name
Finally, keep in mind that in order to create any policy the following steps should be taken:
Chapter [4]
DNS
The following command should be applied to let the user obtain the ISP [TEData] DNS:
Connection Types:
[Figure 3] IP DSLAM --Ethernet-- SW --Ethernet-- Router
[Figure 4, cascaded] IP DSLAM [2] --IP-- IP DSLAM [1] --Ethernet-- Router
[Cascaded through a switch] IP DSLAM [2] --IP-- IP DSLAM --Ethernet-- SW --Ethernet-- Router
[ATM behind IP] ATM DSLAM --ATM-- IP DSLAM --Ethernet-- Router
[ATM cascaded] ATM DSLAM [2] --ATM-- ATM DSLAM --ATM-- Router
References:
http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet
http://en.wikipedia.org/wiki/DSL_splitter
http://en.wikipedia.org/wiki/Public_switched_telephone_network
http://en.wikipedia.org/wiki/Point-to-point_protocol
http://books.google.com.eg/books?id=3MzYgtt6BScC&pg=SL20-PA18&lpg=SL20-PA18&dq=where+the+authentication+takes+place+at+PADI+or+PADO&source=bl&ots=ax6ItPX93X&sig=0bOGeU_9V_Km6Ca5MsshFAXRfbY&hl=ar&sa=X&ei=hXNpUbLoNInA7AaMpYDoAw&ved=0CCwQ6AEwAA#v=onepage&q=where%20the%20authentication%20takes%20place%20at%20PADI%20or%20PADO&f=false
http://www.cisco.com/en/US/docs/ios/ios_xe/isg/configuration/guide/isg_cntrl_policies_xe.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/command/reference/isg_m1.html [ISG]
http://docwiki.cisco.com/wiki/Intelligent_Services_Gateway_(ISG)_--_Residential_Access_Using_DHCP_Sessions_Configuration_Example [ISG]
http://www.cisco.com/en/US/docs/ios/ios_xe/isg/configuration/guide/isg_rabapol_xe.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_l4_redirect.html [ISG]
http://www.cisco.com/en/US/docs/ios/isg/configuration/guide/isg_subscriber_svcs.pdf [ISG]