IP Connectivity in Core Networks
The product described in this document is still under development by Nokia Networks. However,
in the interest of offering early possibility to our customers to evaluate the documentation, this
documentation is provided in draft form. Therefore the customer understands that the
information in this document is subject to change without notice and describes only the prototype
product defined in the introduction of this documentation in its current state of development.
Nokia Networks welcomes customer comments as part of the process of continuous
development and improvement of its products and the documentation.
This document is not a final customer document and Nokia Networks does not take
responsibility for any errors or omissions in this document. No part of it may be reproduced or
transmitted in any form or means without the prior written permission of Nokia Networks. The
document has been prepared to be used by professional and properly trained personnel, and the
customer assumes full responsibility when using it.
The information or statements given in this document concerning the suitability, capacity, or
performance of the mentioned hardware or software products cannot be considered binding but
shall be defined in the agreement made between Nokia Networks and the customer.
Nokia Networks WILL NOT BE RESPONSIBLE IN ANY EVENT FOR ERRORS IN THIS
DOCUMENT OR FOR ANY DAMAGES, INCIDENTAL OR CONSEQUENTIAL (INCLUDING
MONETARY LOSSES), that might arise from the use of this document or the information in it.
UNDER NO CIRCUMSTANCES SHALL NOKIA BE RESPONSIBLE FOR ANY LOSS OF USE,
DATA, OR INCOME, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
PROPERTY DAMAGE, PERSONAL INJURY OR ANY SPECIAL, INDIRECT, INCIDENTAL,
PUNITIVE OR CONSEQUENTIAL DAMAGES HOWSOEVER CAUSED.
THE CONTENTS OF THIS DOCUMENT ARE PROVIDED "AS IS". EXCEPT AS REQUIRED
BY APPLICABLE MANDATORY LAW, NO WARRANTIES OF ANY KIND, EITHER EXPRESS
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT,
ARE MADE IN RELATION TO THE ACCURACY, RELIABILITY OR CONTENTS OF THIS
DOCUMENT. NOKIA RESERVES THE RIGHT TO REVISE THIS DOCUMENT OR
WITHDRAW IT AT ANY TIME WITHOUT PRIOR NOTICE.
This document and the product it describes are protected by copyright according to the
applicable laws.
NOKIA and Nokia Connecting People are registered trademarks of Nokia Corporation. Other
product names mentioned in this document may be trademarks of their respective companies,
and they are mentioned for identification purposes only.
Copyright © Nokia Corporation 2006. All rights reserved. Reproduction, transfer, distribution or
storage of part or all of the contents in this document in any form without the prior written
permission of Nokia is prohibited.
Contents
4 IP connectivity
4.1 IP connectivity in a mobile network
4.2 Site connectivity solutions
4.3 Site interconnection (backbone)
4.4 Inter-operator connections
4.5 Fixed network access
Changes in this release (Change / See)

Change: Many 3G operators are planning the deployment of HSPA or some other high-speed radio technology. The most suitable backbone transport solution depends on the operator's network environment and network evolution strategy. The operator's starting point is one important element to be considered. Consolidating TDM and ATM traffic on an IP/MPLS network is a future-proof solution as IP-based versions of the key mobile network interfaces become available within the next years.
See: Reference network for the packet backbone solution

Change: For enhanced resilience and scalability, it is recommended to build a separate Gp access network with redundant access to the GRX network (or networks).
See: Connectivity to external networks in Core network site functionality and design

Change: In the Gi network, the principles of the site solution remain the same with the Nokia Flexi-ISN 2.0.
See: GPRS and 3G packet core site solution

Change: It is recommended to use IPv6 in large scale IMS deployments. Using IPv4 connectivity will be problematic in the long run because inter-operator connectivity, NAT traversal and the growing number of IMS users bring challenges to IP addressing. IMS services' need for user-to-user IP connectivity causes new security concerns, such as the risk of denial of service and overbilling attacks as well as the spreading of worms and viruses. Introducing SIP-aware firewalls or session border controllers will help control from which sources traffic is sent to the mobile terminals.
See: IP Multimedia Subsystem site solution

Change: Support for multihoming signalling connections is one of the basic requirements for the backbone.
See: Resilience in Planning site interconnection (backbone)
The number of existing or planned core sites and the number of existing
backbone or transmission solutions is of key importance when planning the
backbone solution for a mobile network. For multisite cases, the cooperation
between Nokia and Cisco enables tailored IP and ATM backbone solutions. The
backbone solutions support the intra-site packet connectivity of GPRS, 3G packet
core, and MSC Server traffic. In all cases, the backbone architecture must support
the evolution of the mobile standards. 3GPP R99 adds the ATM-based Iu
interfaces to the TDM-based GSM architecture. 3GPP Rel-4 specifications allow
the separation of switching and call control in the CS core network using the MSC
Server System. 3GPP Rel-5 removes the imperative to use ATM transport at the Iu
interface. 3GPP Rel-5 also introduces the IP Multimedia Subsystem (IMS) and
Session Initiation Protocol (SIP) connectivity for IMS.
[Figure: transport network layers. Backbone transport: IP/MPLS and ATM networks over SDH/DWDM, with connections to GRX, ISP and PSTN. Regional transport: TDM/ATM over SDH. Access transport: IP and TDM.]
When moving from Circuit Switched (CS) to Packet Switched (PS) technology,
mobile operators need to implement IP connectivity between the mobile network
elements. In the transition process, there are three technical challenges. First of
all, the Quality of Service (QoS) scheme of the network has to support both real-
time and non-real-time traffic. Secondly, network resilience should be at least as
good as in the TDM-based systems. Finally, network security has to be ensured.
These challenges have to be met in a cost-effective way using architectural
solutions that can be expanded along with the increasing number of mobile
subscribers and use of mobile services.
In addition, network operators also need to develop operational procedures for the
IP networking equipment to make sure that the IP network is operated according
to telecom quality requirements.
Site connectivity
Firewalls
Firewalls (FWs) ensure that communication between the core network and the
Internet/inter-PLMN backbone conforms to a declared security policy. Security is
achieved by using stateful inspection. This technology allows the firewall to
associate a network session with an application once the session has started. In
other words, the firewall recognises individual packets as belonging to a
particular application's session. The association is especially useful for
applications in which the end user contacts a server through a specific port and
the server then allocates a random port for the back connection. Applications
like this present difficulties for simple packet filters.
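The difference between the two approaches can be seen in a small model. The following is an added illustration, not code from the Nokia document or a Nokia product: it tracks a control session, reads the port that the application announces for its back connection (the FTP PORT command format is the real one, RFC 959) and admits only that connection, whereas a stateless filter has no rule that could match it. Hosts, addresses and the declared policy are constructed for the example.

```python
"""Stateful inspection versus a simple packet filter (added illustration).

Constructed example, not code from the Nokia document: a small model of the
behaviour described above. Hosts, addresses and the policy are made up; the
FTP 'PORT h1,h2,h3,h4,p1,p2' command used to announce the back connection
is the real format (RFC 959), with port = p1 * 256 + p2.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."          # hypothetical core-site address range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False               # True for a connection-opening packet
    payload: str = ""


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def policy_allows_new(pkt: Packet) -> bool:
    """Declared policy: inside hosts may open sessions to external port 21."""
    return is_inside(pkt.src_ip) and not is_inside(pkt.dst_ip) and pkt.dst_port == 21


class SimplePacketFilter:
    """Stateless filter: each packet is judged on its own header fields."""

    def check(self, pkt: Packet) -> bool:
        if is_inside(pkt.src_ip):
            return policy_allows_new(pkt)
        # Inbound: replies from port 21 are recognisable, but a back connection
        # to a random high port matches no static rule and is refused.
        return pkt.src_port == 21 and not pkt.syn


class StatefulFirewall:
    """Associates packets with sessions and with application-announced ports."""

    def __init__(self) -> None:
        self.sessions = set()    # (client_ip, client_port, server_ip, server_port)
        self.expected = set()    # (server_ip, client_ip, client_port) back connections

    def check(self, pkt: Packet) -> bool:
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.sessions or rev in self.sessions:
            self._inspect(pkt)
            return True
        if pkt.syn and policy_allows_new(pkt):
            self.sessions.add(fwd)
            return True
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.syn and key in self.expected:
            self.expected.discard(key)   # one-shot: a new attempt needs a new announcement
            self.sessions.add(fwd)
            return True
        return False

    def _inspect(self, pkt: Packet) -> None:
        """Application-level inspection of the control channel (FTP PORT)."""
        if pkt.dst_port != 21 or not pkt.payload.startswith("PORT "):
            return
        fields = pkt.payload[5:].strip().split(",")
        if len(fields) != 6 or not all(f.isdigit() for f in fields):
            return
        ip = ".".join(fields[:4])
        port = int(fields[4]) * 256 + int(fields[5])
        if ip == pkt.src_ip:             # only open a port for the announcing host itself
            self.expected.add((pkt.dst_ip, ip, port))


# Constructed packet trace: control session, server reply, port announcement,
# the announced back connection, and two connections that nothing announced.
TRACE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 21, syn=True),
    Packet("192.0.2.10", 21, "10.0.0.5", 40000),
    Packet("10.0.0.5", 40000, "192.0.2.10", 21, payload="PORT 10,0,0,5,195,80\r\n"),
    Packet("192.0.2.10", 20, "10.0.0.5", 50000, syn=True),
    Packet("192.0.2.10", 20, "10.0.0.5", 50001, syn=True),
    Packet("198.51.100.7", 20, "10.0.0.5", 50000, syn=True),
]


def run_scenario(firewall) -> list:
    """Return the allow/deny decision for each packet of TRACE, in order."""
    return [firewall.check(p) for p in TRACE]


if __name__ == "__main__":
    print("simple filter:", run_scenario(SimplePacketFilter()))
    print("stateful     :", run_scenario(StatefulFirewall()))
```

The stateless filter could only admit the fourth packet by opening the whole high port range inbound, which is the weakness the paragraph refers to; the stateful firewall admits exactly the announced connection and nothing else, and only for the host that announced it.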
In the CS core network, DNS is part of the MSC Server System. The Session
Initiation Protocol (SIP) requires the DNS to resolve IP addresses of the other
signalling end point. In the Nokia MSS and Gateway Control Server (GCS), SIP
can be used as an alternative call control protocol in IP-based networks, and in the
MSS, SIP is used as a tunnelling method for ISDN User Part (ISUP) messages.
The DNS can be used also for setting up H.248 connections in the Multimedia
Gateway (MGW) start-up or when new H.248 connections are created.
In the MSS system, DNS services are needed for converting FQDNs into physical
IP addresses. Reverse conversion from the IP address to the FQDN is needed if
the FQDN of the signalling unit's IP address has to be found out. These FQDNs
are used in SIP and in SIP for telephony (SIP-T). DNS servers are located in the
IP backbone together with the MSSs and the MGWs. On the IP level, the
backbone is independent of other external networks.
The IMS is based on IP networks and requires DNS support to map FQDNs into
physical IP addresses. The IMS also utilises DNS/ENUM functionality in
addition to basic DNS. ENUM is used to map E.164 numbers to SIP contacts.
For more information, see DNS in MSC Server System in M-releases' product
documentation library. The DNS server can be based on the Nokia DNS product.
For more information, see Nokia Domain Name Server product description.
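To make the ENUM step concrete, here is an added example (not code from the Nokia document or the Nokia DNS product) that builds the ENUM domain name for an E.164 number and resolves it through a constructed set of NAPTR records to SIP contacts. The domain construction and the NAPTR regexp substitution follow RFC 6116; the number, the zone contents and the SIP URIs are constructed for the illustration.

```python
"""E.164 number to ENUM domain mapping and NAPTR resolution (RFC 6116).

Added example, not code from the Nokia document or the Nokia DNS product.
The number, the SIP contacts and the NAPTR records in ZONE are constructed;
the domain construction and the NAPTR regexp substitution are the standard
ENUM rules.
"""
import re

ENUM_SUFFIX = "e164.arpa"


def e164_to_enum(number: str, suffix: str = ENUM_SUFFIX) -> str:
    """'+358401234567' -> '7.6.5.4.3.2.1.0.4.8.5.3.e164.arpa'."""
    if not number.startswith("+") or not number[1:].isdigit():
        raise ValueError(f"not an E.164 number: {number!r}")
    return ".".join(reversed(number[1:])) + "." + suffix


def apply_naptr_regexp(regexp: str, number: str) -> str:
    """Apply a NAPTR regexp field '<delim>pattern<delim>replacement<delim>flags'."""
    delim = regexp[0]
    pattern, replacement, flags = regexp[1:].split(delim)
    re_flags = re.IGNORECASE if "i" in flags else 0
    # NAPTR back-references (\1 ... \9) use the same syntax as re.sub.
    return re.sub(pattern, replacement, number, count=1, flags=re_flags)


# Constructed zone: ENUM domain -> NAPTR records (order, preference, flags, service, regexp).
ZONE = {
    "7.6.5.4.3.2.1.0.4.8.5.3.e164.arpa": [
        (20, 10, "u", "E2U+sip", r"!^\+358(.*)$!sip:\1@ims.example.net!"),
        (10, 10, "u", "E2U+sip", "!^.*$!sip:alice@ims.example.net!"),
        (30, 10, "u", "E2U+mailto", "!^.*$!mailto:alice@example.net!"),
    ],
}


def resolve_sip_contacts(number: str, zone: dict = ZONE) -> list:
    """Return SIP URIs for the number, best first; [] if no ENUM record exists."""
    records = zone.get(e164_to_enum(number), [])
    contacts = []
    # NAPTR records are processed by ascending order, then ascending preference.
    for order, pref, flags, service, regexp in sorted(records, key=lambda r: (r[0], r[1])):
        if service != "E2U+sip" or "u" not in flags:
            continue          # only terminal ('u') records that yield a SIP URI
        contacts.append(apply_naptr_regexp(regexp, number))
    return contacts


if __name__ == "__main__":
    print(e164_to_enum("+358401234567"))
    print(resolve_sip_contacts("+358401234567"))
```

A number without a record in the zone resolves to an empty list rather than an error, which is the case the IMS must handle by routing the call through the PSTN interconnect instead.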
In all cases the transport network architecture has to support the evolution of the
mobile standards. The 3GPP R99 specification adds the ATM-based Iu interfaces
to the TDM-based GSM architecture. In the later 3GPP releases, the use of ATM
transport is no longer obligatory. 3GPP Rel-4 allows the separation of switching
and call control in the circuit switched (CS) domain using the MSC Server
System. 3GPP Rel-5 introduces IP transport of the Iu interfaces, the IP
Multimedia Subsystem (IMS) and Session Initiation Protocol (SIP) connectivity
for IMS.
The transport network has to support the mobile network so that network
performance is not compromised. In many cases the initial rollout of the 3G
network has been based on equipment compliant with the 3GPP R99
specifications; the network is then extended using 3GPP Rel-4 and Rel-5
compliant equipment. A smooth transition between the phases is necessary to
guarantee uncomplicated network evolution.
The transport network needs to provide the required connectivity, capacity and
resilience both in the backbone and the access network. Additionally it has to
contribute positively to:
[Table: site types in the regional network (medium capacity backbone, fiber-based)]
Small transport sites (50...500): sometimes used as a BSC site, typically with TDM (SDH) connectivity only (SDH ADMs in practice); may be used as an RNC site, more typically for traffic concentration only (in the ATM or TDM plane); equipment: routers, Ethernet over fiber.
In addition to 2G and 3G mobile traffic, the packet backbone can be used to carry
traffic from high-speed radio networks and other wireline sources. Especially I-
HSPA, WiMAX, WLAN and copper-based digital subscriber line (DSL) systems
are potential sources of traffic. These traffic sources are very important in
network design, as they can create traffic volumes that are considerably higher
than the mobile traffic itself.
It should be noted that the figure above does not include server sites or sites
related to multi-access, which may affect the core network structure. The location
of the RNCs and BSCs is also important. Depending on the available transport
network and sites, the equipment may be centralised on core sites or distributed to
specific controller sites. In the figure, the latter option is assumed.
Greenfield operators often use leased facilities, meaning that their network
is dependent on the existing networks and tariff structures of other operators.
Often greenfield operators want to deploy routers/switches on each site, that is,
use their own equipment for the connectivity and for multiplexing of traffic
flows. Transport capacity can be leased on different layers, depending on which
functionality the operator plans to implement with its own equipment. The
alternatives are leasing dark fibers, TDM capacity, ATM connections, MPLS or
IP VPN. Depending on the chosen model, the sites may or may not have
equipment for the lower layers (such as SDH or WDM equipment).
Established mobile operators develop the transport network using the existing
sites and fibers as a starting point, as the physical layer infrastructure often
creates the highest cost and is the slowest to change. Generally the same
SDH network is used to fulfil the new transport needs. Where leased facilities are
used, the new transport requirements are met using the existing links, if possible.
If the operator already has an ATM or IP backbone network, it is obviously the
preferred choice for all new traffic.
Multi-service operators provide mobile and other types of services (such as fixed
line telephony and data services, including Internet access). Established multi-
service operators usually have their own high-capacity general-purpose transport
backbone network, which is typically built with SDH equipment on top of dark
fibers, with some DWDM equipment for the highest capacity routes. The
transport cost (per Mbit/s) for an established multi-service operator is typically
lower than for other types of operators. Often the mobile arm of the company is
obliged to use the in-house leased line or packet transport offering.
An existing network creates a very strong economic and operational push towards
using that network. This is often possible in case of existing ATM and IP
networks. Changing the structure or technology of an existing network is time-
consuming and very expensive. Naturally, the existing transport network needs to
be checked for capacity, feature and interface compatibility.
Existing competence
Operators have different visions on the future of technologies and the speed at
which they will develop. Therefore, different strategies for network evolution are
employed. The selected backbone transport solution needs to support the
operator's intended network evolution path.
There is a desire to minimise the number of protocol layers used in the network.
Today the practical questions are related to the extent to which IP/MPLS can be
used as an alternative to TDM and ATM in the networks when considering
services, resilience and cost.
Generally IP/MPLS over SDH or Ethernet has become the most attractive option
for building new backbones.
There are different ways of grouping the basic network level functionalities,
partly because of the network implementation and evolution strategies mentioned
above.
The functionalities that typically require a general implementation policy (on the
individual network layers) include:
. What is the desired speed of protection and the amount of capacity that
may be consumed for it? In which network layer(s) and with which
mechanisms is it implemented? It is advisable to have fast protection
in one layer only and to provide some additional (slower) support
functionality in the other layers.
. Network synchronisation principles and implementation methods.
This is typically a layer 1 issue, for which careful planning is needed
(especially when using leased lines or connections).
. Quality of Service (QoS).
QoS is a fundamental issue in packet-based networks.
In the mobile community with improved radio technologies, the increased use of
Internet and intranet services as well as messaging, the amount of non-voice
traffic is growing faster than the traditional voice traffic.
The busy hours for the different services vary. It is likely that people will use
messaging services, entertainment and data access increasingly outside working
hours whereas the behaviour of voice traffic is not likely to change.
Voice traffic will still be carried primarily over the CS domain for years. Real-time data
(such as streaming video) is carried over both CS and PS networks. Normal
packet data, picture messaging, and browsing will increase the usage of packet
networks.
The traffic forecasts indicate that the PS traffic will dominate the networks in the
long run. However, it is important to note that in the initial 3G deployment, the
traffic carried through the CS domain will substantially exceed the amount of PS
traffic. Considering that all CS traffic is real-time, proper dimensioning of the
traffic is of key importance.
In most cases, the initial mobile network deployments are characterised by:
For the core network build-out, the mobile network functionality can be
consolidated into a small number of sites. The key reasons are:
. The core network products of today have significantly higher capacity than
the comparable 2G systems.
. In many cases, the split control and user planes allow the optimisation of
both planes separately.
. A packet-based transport backbone with high capacity reduces the need to
distribute the network elements geographically. The cost of transport
capacity in the fiber networks has gone down rapidly in recent years.
Considering the above, it is obvious that the new mobile networks require less
core network sites than the traditional networks.
When the transport solution is planned, the fast increase in the number of
subscribers and the amount of traffic per subscriber should be considered. As the
number of transport links in the access and regional networks is high, frequent
capacity upgrades result in significant operational efforts and cost.
Operators with existing GSM or other 2G cellular networks will have to resolve
the integration of the existing access transport and the new capacity required for
carrying 3G traffic. In many cases the deployment of a multi-service network to
the base station sites may be too complex and difficult to justify from cost
Additionally a large number of hub sites is needed in the access network. The hub
sites are at the edge of the operators' fiber network and they typically connect
several radio link clusters of the access network (and also leased lines). At these
sites, traffic is concentrated with an ATM cross-connect. As the typical link speed
of the individual radio link stars/rings/chains at the hub is n x E1&E3, the
transport between the hub sites and the controller (RNC) site should preferably be
planned on STM-1 level, although the use of E3 may be justified for some years
for the 3G traffic alone. At first, the links between the hub sites and controller
sites will not be very loaded, but the amount of traffic will increase rapidly.
The logical structure of the initial 3G core network is outlined in the figure below.
IP (FE/GE/POS)
Core Site ATM
TDM
Integrated MSS MGW
HLR
3G
RNC
SGSN
Controller Site
BG Initial deployment
- up to n x 1000 BTS RNC RNC
- 15 RNC sites
FW - 2 core network sites
SDH/
ISN DWDM
Servers
SDH /
RNC RNC ADM
RNC
Hub Site RNC
RNC
RNC Inter-
SDH / RNC RNC connects
ADM RNC RNC
Core site
nx2M
STM-1 RNC
RNC STM-4
STM-16 STM-16
Core site
RNC RNC RNC
RNC
RNC
RNC RNC
STM-4, STM-1,
E3
In the initial configuration, the individual RNCs handle Iu-CS/Iu-PS traffic in the
order of magnitude of one STM-1. The connections between the controller site
and core site are planned on STM-1 level. The connections between the controller
site and core site should be protected, as the geographical area served by an RNC
is initially very large. The loss of the connection between the controller site and
core site leads to a severe service outage.
Even in the initial configuration, the core sites handle several Gbit/s of user data.
Most of this traffic is not carried to another core site. Instead, it is carried back
either to the radio network, the PSTN or the 2G network, or to an external data
network. In the initial 3G network with two core sites, it can be assumed that less
than 20% of the traffic is carried between the core sites. This suggests that
STM-1 to STM-4 level capacity is initially sufficient when planning the
transport between the core sites. The physical network may still be built for higher capacity
from the start (STM-16 is typically the minimum capacity used in a long distance
network).
Considering the above, it is safe to assume that 3G deployment does not require
heavy DWDM and STM-64 investments unless there is enough other than 3G
traffic to justify the investment.
The figure above also shows a rough configuration outline of a core site. Most of
the network elements deployed (SGSN, GGSN, MSC Server, HLR, Multimedia
Gateways, Application Servers and so on) are connected to each other using high-
capacity multi-layer LAN switches. In most cases, the switches are duplicated for
enhanced resilience. The LAN switch provides the most cost-effective switching
capacity for the intra-site communications.
The network should be configured so that most of the traffic entering a core site
from the radio network will not traverse through the backbone to the other core
sites. The traffic flows can be controlled, for example, by making the most
frequently used access points available on all core sites and by carefully selecting
the area served by each site (covering a whole city and the surrounding area, for
example). The location of the interconnects also affects the volume of the
backbone traffic.
The figure below shows an exemplary map view of the logical network
architecture. It should be noted that even though it is useful to plan the backbone
network on STM-1/4 levels, the SDH network actually deployed is mainly based
on STM-16 (at least in the long distance network, as noted above).
[Figure: map view of the logical network architecture. Link levels n*STM-16 and STM-16 between core sites, STM-1 towards the controller sites; 3GPP Rel-4/Rel-5 radio access network; connections to PSTN networks, regional ISPs and corporate networks; international traffic and national interconnects.]
Figure 5. Traffic flows between controller (RNC) site and core site
3G network evolution
After the initial 3G build-out, the network will grow and evolve:
. 4 - 6 core sites
. 20 - 30 controller sites.
In the near future, the number of sites will presumably grow very moderately as
the 3G network elements are of high capacity.
The presence of 2G or PSTN traffic in the network is not considered in the above
transport discussions. If the operator has a GSM network and a UMTS network
with UTRAN, it is likely that RNCs are deployed at the existing BSC and core
sites. The transport of UMTS and GSM traffic at these sites can be consolidated
on the SDH layer or the ATM layer. As a third alternative some operators already
use IP/MPLS for the transport of all traffic. The protocol options are shown in the
figure below. With the MSC Server (MSS) System, also GSM traffic can be
carried over the backbone using IP or ATM (AAL2).
Consolidating the traffic on the SDH network does not require investments in
ATM adapters for the installed 2G network. The potential drawback is that
duplication of functionality in both ATM and SDH may result in higher operating
cost unless the design of the layers is coordinated.
. Significantly increased bandwidth demand as broadband systems produce
n x 10 Mbit/s traffic, which requires more backbone capacity.
. Potential need for local interconnects to service providers (ISP) at regional
level. ATM or router equipment may be needed at the transport hub sites or
controller sites.
. Increased potential for statistical multiplexing gains in the distribution/
access network due to the large volume of non-real time traffic in the
broadband domain. These advantages may be offset by more unpredictable
traffic patterns, as the bandwidth to individual broadband subscribers is
much higher than for mobiles.
Network engineering
The backbone has to provide sufficient capacity to carry 3G traffic efficiently. For
temporary traffic peaks, outages and for prioritising real-time traffic, a robust QoS
scheme needs to be implemented. The backbone QoS scheme has to interwork
with the UMTS traffic classes to achieve the set QoS targets. In the Nokia
solution, interworking is implemented by using the Differentiated Services
(DiffServ) codepoints and mapping them into the backbone QoS scheme at the
edge routers of a site. For ATM, the real-time and non-real-time traffic can be
mapped to different Virtual Channels (VCs).
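The DiffServ interworking described above can be illustrated with an added example (not Nokia's implementation). It marks IPv4 headers according to an assumed UMTS-class-to-DSCP table, reads the DSCP back out of a header at the site edge, selects a backbone queue from it, and shows the one check a site edge router must make: marks arriving on an untrusted interface (Gi/Internet) are reset so that an outside sender cannot place itself in the real-time queue. The class-to-DSCP table and the queue names are assumptions; the DSCP field layout and the EF/AF/BE code point values are the standard ones (RFC 2474, RFC 2597, RFC 3246).

```python
"""UMTS traffic class to DSCP marking, DSCP extraction and edge re-marking.

Added example, not Nokia's implementation. The class-to-DSCP table and the
queue names are assumptions for the illustration (the document does not give
them); the DSCP field layout (upper six bits of the IPv4 TOS byte) and the
EF, AF and BE code point values are the standard ones (RFC 2474/2597/3246).
"""
import socket
import struct

# Assumed mapping of 3GPP traffic classes to DiffServ code points.
UMTS_CLASS_TO_DSCP = {
    "conversational": 46,   # EF  (e.g. voice between MGWs)
    "streaming": 34,        # AF41
    "interactive": 18,      # AF21
    "background": 0,        # BE
}
# Assumed backbone queues selected by DSCP at the site edge router.
DSCP_TO_QUEUE = {46: "priority", 34: "video", 18: "data", 0: "best-effort"}


def build_ipv4_header(dscp: int, src: str, dst: str, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; not needed here)."""
    tos = (dscp & 0x3F) << 2          # DSCP in bits 7..2, ECN bits 1..0 zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def mark_for_class(umts_class: str, src: str, dst: str) -> bytes:
    """Header for a packet of the given UMTS traffic class."""
    return build_ipv4_header(UMTS_CLASS_TO_DSCP[umts_class], src, dst)


def dscp_of(header: bytes) -> int:
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def backbone_queue(header: bytes) -> str:
    """Unknown code points fall into best-effort, never into a priority queue."""
    return DSCP_TO_QUEUE.get(dscp_of(header), "best-effort")


def edge_ingress(header: bytes, trusted: bool) -> bytes:
    """Site edge treatment: keep marks from trusted (intra-PLMN) interfaces,
    reset marks from untrusted ones (e.g. Gi/Internet) so that an outside
    sender cannot claim the real-time queue. ECN bits are preserved."""
    if trusted:
        return header
    ecn = header[1] & 0x03
    return header[:1] + bytes([ecn]) + header[2:]


if __name__ == "__main__":
    h = mark_for_class("conversational", "10.0.0.1", "10.0.1.1")
    print(dscp_of(h), backbone_queue(h), dscp_of(edge_ingress(h, trusted=False)))
```

For ATM backbones the same classification would select the real-time or non-real-time VC instead of a queue; the marking and trust-boundary logic is unchanged.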
When GSM or WCDMA traffic is carried over the packet network, an adequate
clock signal has to be available for the base stations. The clock can be either
distributed using the transmission network or, if this is not possible, generated
using a very accurate local clock (based on a GPS receiver, for example) for the
individual base station or a chain of base stations.
As the individual backbone links serve a large amount of user connections and
the control of network elements, a robust protection scheme is vital to meet the
service availability targets. Today, SDH is typically the most straightforward
method to implement protection. When switches are connected to each other
without an underlying SDH, it is possible to implement the protection also by
using the fast restoration features of the router/switch products.
4 IP connectivity
In the Nokia core network elements, the most commonly used packet interface
types are Fast Ethernet (FE) and Gigabit Ethernet (GE). Ethernet is the most cost-
effective and easiest to use link layer technology for IP networking.
[Figure: backbone transport options. Nokia HLR, MSC Server, GGSN and SGSN connected over an IP/MPLS backbone (via ADMs, TDM with PPP); Nokia 3G RNC and SGSN connected over an ATM backbone (TDM, plain or ATM).]
The Nokia IP connectivity solution is based on site connectivity. There are very
few direct interfaces between the Nokia mobile network elements and the
backbone network. The Nokia products do not rely on any specific backbone
implementation.
As Nokia prefers to build the mobile core networks using IP, the chosen backbone
technology is IP/MPLS. MPLS is used for traffic engineering, Virtual Private
Network (VPN) and IPv6 migration. Some operators (especially those with small
networks) may prefer to use plain IP routing instead. This is fully supported by
the Nokia backbone solution. The existing ATM networks can also be used for
site interconnection.
The 3GPP Rel-4 with the MSC Server System makes it possible to implement
Circuit Switched (CS) services using the IP network. This brings along real-time
traffic, strict reliability requirements and a significant increase in IP traffic
volumes. The Nokia IP connectivity solution for the 3GPP Rel-4 and Rel-5
networks is outlined in the figure below.
[Figure: Nokia IP/MPLS connectivity (QoS, security, resilience, IPv4 and IPv6) between Nokia CPS, HLR, MGW, BSC and RNC, the controller site, the PSTN, ISP networks and corporate networks.]
In the early 3G network deployment the Iu traffic from the RNC is ATM-based.
RNC connections to the 3G core sites can be arranged using the SDH network.
The Nokia MGW can be used for concentrating the traffic from several ATM-
based interfaces.
Currently the GSM/WCDMA access networks are built using the TDM and ATM
technologies. Low-capacity IP connectivity may be needed for network
management purposes. For more information on access network design, see the
Nokia WCDMA RAN System Information Set.
. packet core, Border Gateway and Intelligent Content Delivery (ICD)
. CS core
. Push to Talk over Cellular (PoC)
. IP Multimedia Subsystem (IMS)
. multimedia messaging (MMS) and browsing
. controller sites.
In addition, as part of the core network site design, Nokia provides application
guides for, for example, the implementation of IPSec VPN or the tunnelling of
frame relay-based Gb traffic over IP.
While the routed IP/MPLS networks can handle link and device failures with
routing protocols, the resulting delay is too long for some applications. The
introduction of IP telephony will demand extremely fast protection times. The
recommended solution in the initial 3G deployment is to use SDH protection
schemes. If MPLS switches are connected to each other directly (using DWDM,
for example), MPLS fast reroute can be used as well.
service access node with direct support of native 2-wire telephony connections
from customers, allow a common access network infrastructure for multiple
services. At the same time, advances in DSL access network technology enable
increased end user coverage for broadband services and wider bandwidth
availability. The benefits for a fixed network operator are:
. the opportunity to provide new value added services
. increased average revenue per user
. a reduction in operational costs.
The new services will complement the existing PSTN services while providing a
growing customer base with flexibility and choice. Mobility will become an
accepted step in the evolution path. The fixed network, with its superior quality
and bandwidth capability, has a vital part to play in this scenario.
The Nokia end-to-end system solutions provide fixed network operators with the
ability to evolve their networks and deploy a wide range of revenue enhancing
services and applications.
The Nokia D500 is a multi-service access platform that supports a wide range of
services from the central office to remote environments; from fast Internet access
to the various services such as legacy voice (POTS), Video on Demand (VoD),
digital broadcast and interactive TV.
For more information on Nokia D500, see the product documentation provided in
Nokia Online Services (NOLS).
Many server-based service subsystems are physically located at the core network
site. For more information, see WAP gateway and MMS site solution and
Controller site solution.
The core network site and its LAN/WAN connectivity in an IP/MPLS backbone
environment is outlined in the figure below. The figure includes the key products
used in the Nokia IP connectivity solution, which are described in Products used
in the core network site solution.
[Figure: core site with MSS, DNS, CPS, IMR and MGW]
. Iu-CS between the RNC and the MGW
. Iu-PS between the RNC and the SGSN
. Iur between neighbouring RNCs
Both Iu-CS and Iu-PS traffic from an RNC can be carried in one STM-1 to the
MGW, where Iu-CS is terminated and Iu-PS is carried over a second STM-1
interface to the SGSN. Also Iur traffic can be carried on the same STM-1 with Iu-
CS and Iu-PS and switched to another STM-1 towards the second RNC.
Connections via the MGW can be set up using AAL2-signalling (AAL2 nodal
function).
In 3GPP Rel-4 networks, ATM traffic coming to the core site can be greatly
reduced or even completely eliminated by distributing the MGWs to the
controller (RNC) sites and handling Iu-CS locally. The MGW Nb traffic can be
carried over the IP/MPLS backbone. Also Iu-PS traffic can be carried over the IP/
MPLS network. IP-based Iu-PS is part of the 3GPP Rel-4 specifications.
Note
Nokia SGSN supports Iu-PS over IP. While the user plane traffic can be
converted from ATM to IP by terminating the AAL5 protocol at the ATM
interface of any router, a signalling converter is needed for the control plane.
For more information on site connectivity of the CS core network elements, see
Site Connectivity Guidelines available in CS Core system documentation library.
Design principles
All of these traffic types can be separated. Separating the traffic leads to increased
security and manageability of the network.
The easiest way to separate traffic at the core site is to use virtual LANs
(VLANs). Some of the Nokia elements provide VLAN support so that many
logical interfaces can be carried over a single physical interface. This is
particularly useful for those networks that change over time (such as corporate
access points at the GGSN). For network elements that do not support VLANs,
dedicated cables are used; the traffic coming from these interfaces can be
VLAN-tagged in the LAN switch.
The use of VLANs at the core site is outlined in the figure below.
[Figure: logical networks carried as separate VLANs over the site switch: Gn/intra-PLMN network, Gi network, O&M network, BDCU network*, STU network**, Charging network; elements shown: DNS, ISN, CG, BG, FW on the Gn and Gi sides.]
Figure 10. Use of VLAN at the core site (basic PS and CS core)
In the figure above, the Operation and Maintenance (O&M) network is carried
using the same site switch and physical links as all the other traffic. This is the
easiest way to build the network. However, some operators may prefer using
separate switches and routers for the network management traffic for security
reasons.
MPLS Virtual Private Networks (VPNs) can be used for carrying the different
types of traffic separated across the IP/MPLS backbone. Different VLANs are
connected to different MPLS VPN in the Provider Edge (PE) device. The
mapping of VLAN to MPLS VPN on the core site is outlined in the figure below.
[Figure: mapping of VLANs to MPLS VPN at the core site: MSC and GGSN elements on
separate VLANs behind two multilayer site switches, with an example PE
sub-interface configuration:
interface Ethernet1/1.2
 ip vrf forwarding GnNetwork]
The mapping of VLANs to MPLS VPN keeps the different logical networks
separated also in the Wide Area Network (WAN). This solution may not be
secure enough for some types of traffic requiring additional secure VPNs. This
can be done using VPN gateways at each of the core sites. The VPN gateways
and the use of IPSec are described in more detail in Backbone network security.
In the ATM backbone, ATM Virtual Channels (VCs) can be used instead of
MPLS VPNs. In routed networks, layer 3 VPNs can also be used.
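As an added example (not Nokia's or Cisco's own code), the following Python script renders the per-network PE sub-interface configuration of the kind the figure above sketches and refuses a plan in which two logical networks share a VLAN or a VRF, which would defeat the traffic separation. VLAN IDs, the VRF names other than GnNetwork, route distinguishers and addresses are constructed.

```python
"""Generate and check the VLAN-to-MPLS-VPN mapping for a core site.

Added example, not Nokia or Cisco code. Builds one IOS-style dot1Q
sub-interface per logical network (like 'interface Ethernet1/1.2' with
'ip vrf forwarding GnNetwork' in the page's figure) and rejects plans
where two networks share a VLAN or a VRF. All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogicalNetwork:
    name: str        # e.g. "Gn", "Gi", "OAM", "Charging"
    vlan: int        # 802.1Q tag used on the site switch trunk
    vrf: str         # MPLS L3 VPN (VRF) on the PE device
    rd: str          # route distinguisher (constructed values)
    pe_address: str  # PE sub-interface address and mask (constructed)


def check_separation(networks: list[LogicalNetwork]) -> list[str]:
    """Return a list of violations; empty means every logical network
    has its own VLAN and its own VRF."""
    problems: list[str] = []
    seen_vlan: dict[int, str] = {}
    seen_vrf: dict[str, str] = {}
    for net in networks:
        if net.vlan in seen_vlan:
            problems.append(
                f"{net.name} shares VLAN {net.vlan} with {seen_vlan[net.vlan]}")
        if net.vrf in seen_vrf:
            problems.append(
                f"{net.name} shares VRF {net.vrf} with {seen_vrf[net.vrf]}")
        seen_vlan.setdefault(net.vlan, net.name)
        seen_vrf.setdefault(net.vrf, net.name)
    return problems


def pe_config(networks: list[LogicalNetwork], trunk: str = "Ethernet1/1") -> str:
    """Render VRF definitions and dot1Q sub-interfaces, one per logical
    network, so that each VLAN lands in exactly one MPLS VPN."""
    problems = check_separation(networks)
    if problems:
        raise ValueError("traffic separation violated: " + "; ".join(problems))
    lines: list[str] = []
    for net in networks:
        lines += [f"ip vrf {net.vrf}", f" rd {net.rd}", "!"]
    for net in networks:
        lines += [
            f"interface {trunk}.{net.vlan}",
            f" description {net.name} network",
            f" encapsulation dot1Q {net.vlan}",
            f" ip vrf forwarding {net.vrf}",
            f" ip address {net.pe_address}",
            "!",
        ]
    return "\n".join(lines)


# Constructed core-site plan: one VLAN and one VRF per logical network.
CORE_SITE = [
    LogicalNetwork("Gn", 2, "GnNetwork", "65000:2", "10.0.2.1 255.255.255.0"),
    LogicalNetwork("Gi", 3, "GiNetwork", "65000:3", "10.0.3.1 255.255.255.0"),
    LogicalNetwork("OAM", 4, "OamNetwork", "65000:4", "10.0.4.1 255.255.255.0"),
    LogicalNetwork("Charging", 5, "ChargingNetwork", "65000:5",
                   "10.0.5.1 255.255.255.0"),
]

# Constructed bad plan: O&M folded into the Gn VPN, which the check rejects.
BAD_PLAN = CORE_SITE[:2] + [
    LogicalNetwork("OAM", 4, "GnNetwork", "65000:2", "10.0.4.1 255.255.255.0"),
]

if __name__ == "__main__":
    print(pe_config(CORE_SITE))
    print(check_separation(BAD_PLAN))
```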
Core sites are the natural place for connecting roaming partners and service
providers (ISPs). IP connectivity to external networks brings along important
security and resilience considerations.
[Figure: external network connectivity at the core site: the Gn network and Gi
network are protected by messaging/SIP-aware firewalls, an SBC and a SEG, an
Internet firewall, and BG routers or a router with access control lists,
towards the GRX network and the ISP/Internet]
Peering with ISPs and connections to the national Internet exchange and
corporate customers are implemented using the same principles as the GRX
connectivity. Distributed access network provides additional flexibility and
resilience when interfacing with the external networks.
Scalability
Probably the scarcest resource is the number of LAN interfaces. In practical
7609/6509 configurations, the number of Fast Ethernet (FE) interfaces is 240 to
336. Smaller LAN switches can be used as access concentrators to increase the
number of interfaces and to simplify the cabling at the core site.
Resilience
As almost all traffic in the 3G network is carried over the multilayer LAN
switches several times, the site solution and the WAN connectivity have to be
extremely resilient. Redundant node and link configurations eliminate single
points of failure. The resilience in the Nokia 3G backbone is outlined in the figure
below.
[Figure: resilience in the Nokia 3G backbone. Several DNS servers are placed in
different subnets. Host-based products (HLR, MSS, 2G SGSN, CPS, IMR, Traffica,
MGW, NEMU, DNS, CG): duplicated LAN (FE/GE) interfaces in key elements; key
elements connected to two site switches; HSRP or GLBP in the site switch.
Firewall/VPN GW resilience (GGSN/ISN, 3G SGSN, BG, Gi FW on the Gn network):
clustering; VRRP]
In the Nokia 3G networks, both the GGSN/ISN and the 3G SGSN are
implemented on router platforms. In the recommended site configuration the
SGSN/GGSN applications use loopback interfaces. IP connectivity for each GSN
is available using two interfaces (different VLAN and subnet). The Open Shortest
Path First (OSPF) protocol is used for rerouting in failure cases. The resilience
concept of the router-based elements is shown in the figure below.
[Figure: resilience of the router-based elements (GGSN, 3G SGSN) on the Gn
network: dual VLANs (Gn VLAN A and Gn VLAN B over 802.1Q) are used for
resilience; separate VLANs allow load sharing; the loopback interface is used
as the GTP tunnel endpoint, which allows the routing protocol to reroute in case
of (interface) failure; the two multilayer site switches connect to the GSRs of
the PLMN backbone and to the DNS]
In the Nokia GPRS networks, the SGSN has IP host capabilities (DX 200). The
resilience of the GPRS Gn interfaces is implemented using duplicated Fast
Ethernet (FE) interfaces in the SGSN packet processing units (PAPU). Only one
of the interfaces is active at any time. During the switchover the IP address is
moved from the failed interface to the new active interface. The new active MAC
address is advertised using a gratuitous Address Resolution Protocol (ARP)
message (Unsolicited Neighbour Advertisement with IPv6).
The site switch acts as the default gateway in the recommended configuration.
An HSRP pair is configured between the two site switches for resilience. The
configuration is outlined in the figure below.
[Figure: 2G SGSN Gn connectivity: Gn VLAN 1 and Gn VLAN 2 over 802.1Q trunks to
two multilayer site switches running HSRP, which connect to the GSRs of the PLMN
backbone and to the DNS; one SGSN interface is active, the other stand-by]
Two DNS servers are shown in the figures above. When implementing the
domain name service, alternative servers should be located in different subnets
and physical locations.
Gi network
In early Gi network deployments, site switches are used only for LAN switching.
Static routing from the GGSN/ISN to the Gi firewall is used. In that case, the
resilient Gi firewall configuration consists of two Nokia firewall routers running
Virtual Router Redundancy Protocol (VRRP) pairs for each access point.
In large networks where an access point name and Gi firewalls are available at
several locations, it is advisable to use dynamic routing. In that case, the resilient
firewall configuration consists of two Nokia firewall routers running in parallel.
[Figure: resilient Gi network: GGSNs and MSCs connected to two multilayer site
switches, Gi VLANs over 802.1Q, OSPF towards the ISP/Internet]
With the Nokia ISN, the principles of the site solution remain the same. The site
connectivity for Flexi-ISN 2.0 is illustrated below.
When the Nokia packet core is enhanced with Intelligent Content Delivery (ICD)
for enhanced traffic handling and charging, a Traffic Analyser (TA) and Content
Analyser (CA) are added to the data path. The resilience of the enhanced Gi
network is outlined in the figure below.
[Figure: resilience of the enhanced Gi network: 2G and 3G SGSNs and DNS on
Gn1/2, BG/firewall towards the DMZ/GRX, GGSN/FlexiISN with TA in the data
path, Ga/Ro/ICD towards CG, OSC, NPS and prepaid SCP, DCN towards
NetAct/IPN Manager and business support systems, Gi firewall towards
corporate networks/Internet]
The enhanced Gi network has to offer connectivity to server sites unless all the
service systems (such as WAP gateway and multimedia messaging service centre)
are collocated with the mobile packet core. The server sites typically need
Internet connectivity. It is possible to set up Demilitarised Zones (DMZ) that are
parallel to the Gi network to provide the connectivity.
Logically there are several separate networks. Separate Virtual Local Area
Networks (VLANs) are established for the user traffic, Operation and
Maintenance (O&M) traffic, statistics, charging, SMS and traffic analysis.
Separate VLANs are also used for the core network control traffic and radio
network control traffic.
Note
In Nokia MSC Server System Release 2.0 the integrated IPSec functionality in
MSS network element is restricted to management plane traffic, charging and
OCLM reports. In MGW network element the IPSec is provided in an external
IPSec security gateway.
Integrated IPSec for control plane traffic (NNI signalling such as BICC, H.248,
MAP) will be implemented in a later MSS System release.
Nokia has productised a standard site connectivity solution for sites hosting the
MSC Server and MGW. Additionally, a cost-optimised MGW site connectivity
solution and an even more cost-efficient site connectivity solution for SIGTRAN
and IP-based control plane traffic are available. The latter also applies to an
MSC environment in addition to the MSC Server System.
The physical LAN connectivity of the MSS and MGW is shown in the figure
below. Both are connected to the two site switches. For resilience, Hot Standby
Router Protocol (HSRP) pairs are established for each VLAN. The ESA and ESB
units in the figure are LAN switches.
[Figure: physical LAN connectivity of the MSS and MGW: external IP network
connections, 3G SGSN and RNCs over ATM STM-1, signalling and user plane
connections through the ESA and ESB LAN switches to the switch matrix and IP
NIUs, NEMU, and duplicated power]
The MSC Server Site solution is implemented with a duplicated modular site
switch. It is used:
For network environments where user plane traffic is carried over ATM or TDM a
cost-efficient low capacity IP connectivity solution is available. The solution
applies to MSC Server deployments as well as to MSC environments where
SIGTRAN is used.
The SIGTRAN and control plane site connectivity solution consists of two
stackable Cisco Catalyst 3750 switches. For wide area connectivity, a pair of
Cisco 7206 routers is used.
In networks where the MGWs are distributed to remote sites not housing any
other core network infrastructure, the standard MSS/MGW site connectivity
solution may be considered as too expensive.
[Figure: remote MGW site connectivity: NEMU and O&M connections through the ESA
LAN switches, signalling and duplicated power, towards the IP/MPLS backbone over
SDH]
. A central MSS/MGW with the standard site connectivity solution
. An ATM backbone
. MGW chaining
The purpose of Inverse Multiplexing for ATM (IMA) is to combine the capacity
of many lower bit rate transmission lines into a group that is seen as a single
virtual link by the ATM layer of a network element.
The IMA provides modular bandwidth for user access to ATM networks and for
connections between ATM network elements at rates between traditional order
multiplex levels, for example between E1 or E3 levels. The IMA involves inverse
multiplexing and de-multiplexing of ATM cells in a cyclical fashion among links
grouped to form a higher bandwidth logical link referred to as an IMA group. The
rate of the IMA group is approximately the sum of the link rates.
SCTP multihoming
The IP connectivity of the MSC Server has some special requirements that affect
the core site design. As the user traffic is almost exclusively voice, the real-time
requirements are very strict. The signalling traffic uses the Stream Control
Transmission Protocol (SCTP) with multihoming capabilities.
To provide faster link failure recovery, SCTP switches to the alternative IP
interface with a sub-second fail-over time. This has to be considered in the IP
connectivity design. The alternative signalling connections should use different
paths across the site to allow the SCTP multi-homing to operate properly. The
preferred operation is outlined in the figure below.
[Figure: SCTP multihoming: two SCTP endpoints, each with two IP interfaces
(A.2/B.2 and C.2/D.2), connected across the IP network over alternative paths]
The principles for the IMS site solution are the same as for packet core and circuit
switched core.
It is recommended to use IPv6 in large scale IMS deployments. This requires the
implementation of IPv6 access points in selected GGSNs and IPv6 connectivity
from the GGSNs to the service elements. The connectivity solution presented
below is based on IPv6. However, the network operators of today tend to launch
the IMS using IPv4 connectivity. This will be problematic in the long run because
inter-operator connectivity, NAT traversal and the growing number of IMS users
bring challenges to IP addressing. To resolve these issues, application-specific
session border controllers can be introduced to the network.
[Figure: IMS site connectivity: Nokia IMR and Nokia CPS (IPD units, GE optic)
and Nokia MSS (IPFGE units, FE/GE optic/copper) connected to two ESA24 LAN
switches with duplicated power]
On the IMS site, the IPv6 Gi networks can be treated like all the other VLANs.
The IPv6 traffic can be routed in the site switch (Cisco 7609) if it is equipped
with Supervisor 720.
For wide area connectivity, the MPLS Provider Edge (PE) functionality for IPv6
(6PE) can be used. With 6PE, the IPv6 traffic is carried over an IPv4-based
MPLS network essentially as a Virtual Private Network (VPN). IPv6 routing
information is carried in the multiprotocol extensions of the Border Gateway
Protocol (BGP4). With 6PE, IPv6 can be carried over an existing MPLS
backbone without upgrades in the backbone routers.
The Domain Name Server (DNS) services for the IPv6 access point are available
from the same DNS server as for the IPv4 access points. For the CPS, ENUM
service is needed. ENUM allows the use of the DNS for storage and mapping of
E.164 numbers to alias addresses.
[Figure: Push to Talk site: external network connections, Push to Talk call
processors 1...n (CPU and SWSE units), duplicated supervisors and duplicated DC
power]
The PoC site solution is implemented with a cabinet switch (modular site switch).
It is used:
. to interconnect the four chassis LANs of each Push to Talk call processor to one cluster LAN (L2)
. to connect Push to Talk call processors and Push to Talk register (located on the same site) to each other (L3)
. to connect Push to Talk call processors and Push to Talk register to the operator's IP network.
For more information on the Nokia MGW, see the section Multimedia Gateway in
CS Core System Overview available in the CS core system documentation
library.
The border gateway provides the packet core roaming interface towards the
GPRS roaming exchange (GRX) networks and other mobile operators. The exact
architecture of the BG is not defined in the 3GPP specifications; instead, the
operators agree on the architecture in the roaming agreements. In the Nokia
solution, the border gateway is combined with firewall functionality.
Nokia firewall routers running Check Point FireWall-1 are used as Gp firewalls.
GPRS Tunneling Protocol (GTP) -aware firewall software is also available for the
BG solution to supplement the standard firewall functionality.
The GTP-aware FireWall-1 GX software inspects the GTP traffic for GTP anti-
spoofing. It performs intra-tunnel Access Point Name (APN) domain
enforcement as well as MS-to-MS policy enforcement. It also blocks GTP in
GTP. In addition, the software has many GTP logging options.
Nokia firewall routers running the Check Point FireWall-1 are used at the Gi
interface to protect the mobile network from threats from the public Internet.
For more information on Nokia firewall routers and the FireWall-1 GX, see the
section Backbone Network Security.
The Nokia Security Gateway provides a secure connection between the network
security domains. It consists of a Nokia IP series router platform running the
Check Point Technologies' VPN-1 and Firewall-1 software. For more information
on Nokia firewall routers, see the section Backbone Network Security.
A Domain Name Server (DNS) is a network service that enables the clients to
name resources or objects and share this information with other objects in the
network. DNS functionality is provided by The Berkeley Internet Name Domain
(BIND) implementation. BIND provides a reference implementation of the DNS
protocols. The current BIND version is 9.2.0.
The Nokia DNS platform is based on a standard HP server running HP-UX 11i.
At controller sites with MGWs and large amounts of real-time IP traffic, the
Cisco 7609 multilayer LAN switches/edge routers can be used to provide in-site
connectivity and the WAN interface for core routers. Core site devices, such as
the SGSN, 3G SGSN, GGSN, DNS and gateways, are connected using Fast
Ethernet (FE) or Gigabit Ethernet (GE).
The Cisco 7600 devices use the same hardware as the Catalyst 6500 multilayer
LAN switches.
The Cisco 7609 offers aggregate switching capacity up to 720 Gbit/s and multi-
layer switching up to 400 Mpps IPv4 and 200 Mpps IPv6. It supports a wide
range of interface types and densities, including support for up to 384 10/100
Ethernet and 130 Gigabit Ethernet ports.
In the recommended architecture the 7609 performs the MPLS Provider Edge
(PE) functions.
The servers used for the end user services delivered over the mobile packet core
can be co-sited with the core network equipment. Here it is assumed that the
servers are on a separate site.
The Multimedia Messaging Service (MMS) site solution provides security, load
balancing and LAN/IP connectivity for the servers. The solution is shown in the
figure below.
[Figure: MMS site solution: Terminal Management Server behind an active/standby
firewall pair on the 192.168.1.0 /24 subnets]
The nodes are synchronised by using dedicated ports and IP subnets, which are
not routed. When only two firewalls are used, the synchronisation can be
implemented using cross-connection cables.
Static routing is used for the site solution. The default route is to the routed Gi
network.
Currently one set of load balancers is used for all front-end servers. In the future it
will be possible to separate or distribute the load balancing services so that
dedicated load balancing units are used for MMSC Relays. The Universal
Inspection Engine of the BIG-IP load balancer can be used to look as deep into
the message/packet as needed. Synchronisation between the load balancers
is implemented using a dedicated serial cable and LAN connectivity.
A dedicated WAP gateway is used as part of the MMS solution for connectivity
and security.
The Storage Area Network (SAN) displayed in the figure is not described here. It
should be noted that the SAN will need to handle a considerable amount of data
when the MMS usage grows.
All the application platforms can be logically viewed as separate IP entities for
design purposes (load balancing and relevant security issues).
The products used in the MMS site solution have been selected to allow for
scalability both in functionality and capacity. Additionally, maximum synergy
with the Nokia backbone solution for mobile networks has been considered.
The Firewall frontier consists of two Nokia IP routers. These use Check Point
FW-1 NG Firewall software. The Nokia Firewall/VPN appliance offers an
unbeatable combination: market-leading Check Point firewall/VPN technology
on a purpose-built, hardened Nokia platform with a security specific IPSO
operating system. The firewall functionality is explained in more detail in CS
Core System Overview.
The load balancing solution consists of two BIG-IP 6400 application switches.
The BIG-IP application switch is a flexible and fast IP-centric Internet Traffic
Management (ITM) device capable of securing Internet traffic. The products
provide all-in-one ITM, combining load-balancing, content switching, traffic
management, Secure Socket Layer (SSL) acceleration and management, as well
as Ethernet switching.
In a 3GPP R99 3G network, the MGW is not present at the controller site and the
connectivity between the RNC and the core site MGW is typically implemented
by using STM-1/ATM links. The connectivity of 3GPP Rel-4 controller sites (or
sites hosting BSCs that are upgraded to IP connectivity) requires careful planning.
Here the focus is on these more challenging cases.
The figure below outlines the typical location of the controller sites in the
physical network and the additional protocols that have to be carried from or
across the controller sites. It should be noted that the BSC sites are on lower level
in the network topology than the RNC sites. Often Iub traffic is concentrated at
the BSC sites. Concentration can be done with the Nokia S-AXC ATM cross-
connect, for example.
Many of the protocols listed are initially not IP-based. They are, however, IP-
enabled in the 3GPP Rel-4 and later specifications. Gb and Iu-PS are the first of
this kind.
[Figure: location of the controller sites in the physical network, between the
high capacity core transport and the site backbone]
IP connectivity is initially needed at the BSC sites for the following applications:
For the Lb, BSC-BSC and Gb over IP interfaces, the Nokia BSC is connected to
the site routers as outlined in the figure below.
The switching units of the Nokia BSC3i are integrated LAN switching units.
Rapid Spanning Tree Protocol (RSTP) is used to break the loop in the LAN.
Multigroup Hot Standby Router Protocol (HSRP) can be configured on the site
routers for resilience and load sharing.
As the volume of IP traffic from the BSC sites is initially rather low, the most
cost-effective alternative for the wide area transport is the utilisation of the 2 Mbit/
s TDM connectivity that is already in use. When the traffic volumes grow or
when traffic is groomed from several BSC sites, 34 Mbit/s or STM-1 connections
may become attractive.
[Figure: Nokia BSC3i connectivity to the site routers: BCSU 0...6, MCMU 0/1, OMU
and PCU units behind the integrated SWU LAN switching units with 2x100 Mbps
links, 1 Gbps optical uplinks (s11.5) or 100 Mbps uplinks to the L2/L3 switch,
VRRP/HSRP towards the IP/MPLS backbone, 100 Mbps Gb over IP traffic, EMC
interface connector panel]
The configuration of the Gb over IP and the tunnelling of frame relay -based Gb
over IP is shown in the figure below. The same site routers can be used for early
Gb over IP and the other IP traffic.
[Figure: Gb over IP configuration: the Nokia BSC2i at the BSC site is connected
over a Fast Ethernet link and E1/T1 links through SDH nodes to the 2G-SGSN at
the core site; if NG SDH is available, the L2/L3 switch can be directly connected
to the SDH node router using FE]
The BSC site solution is implemented using a site router (or a small site switch
with the BSC2i). The solution is used for:
. Grooming of FE for BSC2i
. IP connectivity for:
- Lb (SIGTRAN)
- BSC-BSC (SIGTRAN)
- Gb over IP
. Tunneling of frame relay -based Gb over IP
. The equipment on the BSC site:
- Switch: Cisco Catalyst 3750
- Router: Cisco 7200 series
. The equipment on the core site:
- Cisco 7609
- FlexWAN in 7609 or separate Cisco 7200 for 2Mbit/s connections
RNC site
In the 3GPP R99 3G network, controller sites only host one or more RNCs and
the MGWs are located at core sites.
The easiest way to connect RNCs to the core network is to use direct STM-1
ATM links between the RNC and the MGW. No additional switching or routing
equipment is needed.
In the 3GPP Rel-4 and Rel-5 architecture both RNC and MGW interfaces towards
the core site can be implemented using IP (Iu-CS, Iu-PS, Iur, Nb).
The reasons for placing the MGW at the controller site are:
. Cost savings in the interconnection tariffs when the peering is implemented on a regional level.
. Savings in transmission costs as the local 2G and 3G traffic does not have to be carried to the core site.
. Better perceived service quality because of the lower propagation delay of the voice traffic. This improvement is significant only in large networks.
When there is a significant amount of local traffic at the controller site, the site
connectivity and the edge router functionality can be implemented in the same
way as the core site connectivity using one or two site switches. The connectivity
of such a site is outlined in the figure below.
The wide area connectivity from a large controller site requires n x STM-1 or
even higher connection speeds. These connections can utilise the existing SDH
networks, dedicated fibers or Dense Wavelength Division Multiplexing
(DWDM).
[Figure: IP controller site connectivity: 2G BTSs and the Nokia BSC3i with TCSM
(Abis and Ater over TDM, BSC-BSC, Lb, Gb and Iu-PS towards the core site with
2G SGSN, 3G SGSN, SMLC and MSS); 3G BTSs and the Nokia RNC (Iub and Iur over
ATM, Iu-CS and Nb via the Nokia MGW, Mc towards the MSS); SDH node; PSTN via
SS7/TDM. Notes: Nb is IP or ATM (or TDM), operator choice; Iu-PS is initially
ATM but can be moved to IP; Mc is IP-based; the controller site switch/router
is Cisco 7609]
Cisco 7609 router can be used at the controller sites that have MGWs and large
amounts of real-time IP traffic.
For the BSC sites, the recommended site switch is Cisco Catalyst 3550. The site
router used for wide area connectivity is Cisco 7200. It provides the latest IP/
MPLS functionality and native support for 2 Mbit/s and channelised 2 Mbit/s
interfaces. In case NG SDH is available and Ethernet can be used for connecting
the site switch to the SDH node, the site router is normally not needed.
For more information, see Products used in the core network site solution or
Cisco web pages (www.cisco.com).
Backbone transport
[Figure: backbone transport options: ATM backbone, LAN routing, IP, TDM]
In network environments where the number of sites stays small, the most
straightforward way to build a backbone is to connect the site routers directly to
each other using Packet Over SDH (POS) or Gigabit Ethernet (GE) links.
Resilience is achieved with a ring or a mesh structure. In larger networks a routed
or switched backbone is needed.
An existing ATM network can be used for site interconnection. The network
should support real-time traffic and preferably Quality of Service (QoS)
differentiation.
For more information, see the network planning overview in CS core system
documentation library.
Backbone services
. Support for real-time voice traffic
. Support for multihomed signalling connections
. Resilience
. Security and Virtual Private Network (VPN) capabilities
. Scalability
There are also additional features that contribute significantly to the cost-
effectiveness of the backbone transport, such as QoS differentiation, traffic
engineering capabilities and the ease of operation.
The amount of real-time traffic in the MSC Server (MSS) System suggests the
use of hardware-based packet processing throughout the network.
[Table: per-packet header overhead and payload sizes for six voice codec and
packetisation cases]
Headers (bytes)
NbUP                                  4    4    4    4    4    4
RTP                                  12   12   12   12   12   12
UDP                                   8    8    8    8    8    8
IP v4                                20   20   20   20   20   20
Ethernet II                          38   38   38   38   38   38
Total headers (bytes)                82   82   82   82   82   82
Voice packetisation interval (ms)    20   20   20   20   20    5
Payload size (bytes)                 12   12   31   31  160   40
VAD payload size (bytes)              5    5    5    5    5    5
Total VAD packet size (bytes)        87   87   87   87   87   87
Signalling connections are essential for the operation of the telecom network. A
cut in signalling connections affects charging and eventually leads to dropped
calls and lost revenue. H.248 control connections are equally critical, as a MGW
cannot operate without control from the MSC Server.
[Figure: SCTP multihoming: two SCTP endpoints, each with two IP interfaces
(A.2/B.2 and C.2/D.2), connected across the IP network over alternative paths]
Resilience
The target is to have sub-second fail-over times across the network. At the sites
resilience is achieved by using duplicated multilayer LAN switches that also act
as edge routers.
In the wide area network SDH resilience schemes can be used for protection
against link failures. Alternatively, MPLS and ATM provide fail-over
mechanisms of their own.
The edge router connected to the MPLS or ATM backbone is the most critical
component for the resilience of the IP connectivity. A failure of the edge router
has to be communicated across the network so that packets are not sent to the
malfunctioning node. Because this causes delay, the resilience of the edge router
itself should be assured.
There are many different logical networks within the operator backbone, such as
Gn, Gi services, Gi corporate, charging and O&M. For enhanced security and
because of potential address overlaps, it should be possible to carry the different
networks in VPNs across the backbone. The default solution is to use MPLS L3
VPNs, but also Layer 2 Tunneling Protocol (L2TP), Generic Routing
Encapsulation (GRE) or Internet Protocol Security (IPSec) can be used for many
of the special applications. These layer 3 tunneling mechanisms may be sufficient
for small networks, but they cannot be easily expanded to large networks.
Network dimensioning
[Figure: per-packet overhead of a voice packet: RTP 12 bytes, UDP 8 bytes, IP 20
bytes, plus the link layer: AAL5/ATM 26 bytes, PPP 4 bytes or Ethernet 26 bytes,
over SDH/PDH]
The small size and large number of the voice packets leads to a traffic profile that
is different from traditional IP networks. The packet processing capacity of the
networking equipment has to be dimensioned for the small packet size.
. 20 ms packetisation interval (AMR and GSM): 40 bytes payload
. 5 ms packetisation interval (G.711): 40 bytes payload
. RTP, IP and UDP overheads: 40 bytes
. Total message size: 80 bytes
. AMR codec: 6000 x 50 pps = 300 kpps => 192 Mbit/s
. G.711 codec: 6000 x 200 pps = 1.2 Mpps => 768 Mbit/s
The example does not contain link layer overheads. They have to be calculated
separately for PPP, ATM, Ethernet or any other protocol used.
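As an added example that is not part of the Nokia document, the following Python code reproduces the dimensioning figures above (6000 calls of AMR and of G.711 without link layer overhead) and the 82/87-byte totals of the header table, and extends them with the link-layer overheads the page lists so the separate calculation the text asks for can be done. The codec definitions and overhead names are constructed from the page's numbers.

```python
"""Voice packet dimensioning for an MSS/MGW IP backbone.

Added example (not Nokia's code). Header sizes and link-layer overheads are
the page's figures; codec objects and overhead names are constructed.
"""
from dataclasses import dataclass

# Per-packet header sizes in bytes, as given in the page's header table.
RTP_BYTES = 12
UDP_BYTES = 8
IPV4_BYTES = 20
NBUP_BYTES = 4

# Link-layer overheads in bytes. 'none' reproduces the page's worked example,
# which omits the link layer; 'ppp', 'ethernet' and 'aal5_atm' come from the
# dimensioning figure; 'ethernet_table' is the 38-byte Ethernet II figure used
# in the page's header table.
LINK_OVERHEAD = {
    "none": 0,
    "ppp": 4,
    "ethernet": 26,
    "aal5_atm": 26,
    "ethernet_table": 38,
}


@dataclass(frozen=True)
class Codec:
    name: str
    packetisation_ms: int  # packetisation interval in milliseconds
    payload_bytes: int     # voice payload carried per packet

    @property
    def pps(self) -> int:
        """Packets per second per call: one packet per packetisation interval."""
        return 1000 // self.packetisation_ms


# The page's two worked cases, both with a 40-byte payload.
AMR_20MS = Codec("AMR", 20, 40)
G711_5MS = Codec("G.711", 5, 40)


def packet_bytes(codec: Codec, link: str = "none", nbup: bool = False) -> int:
    """Bytes on the wire for one voice packet (optionally with the NbUP
    header of the Nb interface and a given link-layer overhead)."""
    size = codec.payload_bytes + RTP_BYTES + UDP_BYTES + IPV4_BYTES
    if nbup:
        size += NBUP_BYTES
    return size + LINK_OVERHEAD[link]


def dimension(calls: int, codec: Codec, link: str = "none") -> tuple[int, float]:
    """Return (packets per second, Mbit/s) for `calls` simultaneous calls.

    The packet rate, not only the bit rate, is what the packet processing
    capacity of the backbone equipment has to be dimensioned for.
    """
    pps = calls * codec.pps
    mbit_s = pps * packet_bytes(codec, link) * 8 / 1_000_000
    return pps, mbit_s


if __name__ == "__main__":
    for codec in (AMR_20MS, G711_5MS):
        for link in LINK_OVERHEAD:
            pps, mbit = dimension(6000, codec, link)
            print(f"{codec.name:6} link={link:15} {pps:>9} pps {mbit:8.1f} Mbit/s")
```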
Scalability
The backbone solution should be scalable with the network. For example, a
switchover from ATM to IP/MPLS may become very complex when there are
millions of active users in the network.
The same applies to backbone products themselves. Modular products that can
handle real-time traffic should be deployed already now. The backbone should
already be operational when the MSC Servers or 3GPP Rel-6 IMS systems are
taken into use.
Figure 32. MPLS provider and provider edge functionality in the network
An alternative to SDH protection is MPLS Fast Reroute, which provides fast
(50 ms) traffic restoration in the core, protecting time-sensitive applications.
MPLS Fast Reroute makes it possible to build IP/MPLS backbones with high
availability without an underlying SDH network. The differences between MPLS
Fast Reroute and SDH protection are outlined in the figure below.
Today, SDH is used for fast restoration (Multiplex Section Protection, MSP;
Multiplex Section Shared Protection Ring, MS-SPRing). Its drawbacks include:
. the need for extra Add-Drop Multiplexers (ADMs) in the packet networks
. inefficient capacity utilisation.
. easy multiservice support
. default clock distribution mechanism.
Separation of customer traffic at the IP layer using MPLS Virtual Private Network
(VPN) provides the same level of security as a layer 2 network, without resorting
to a costly overlay model. MPLS is the optimal platform for VPN
implementations allowing simple point-to-multipoint provisioning. ATM
overhead is about 10-20%, while MPLS overhead is only about 1-2%.
MPLS 6PE is the recommended way for carrying IPv6 traffic over an existing
MPLS network. With 6PE the IPv6 traffic is carried over an IPv4-based MPLS
network essentially like a VPN. IPv6 routing information is carried in the multi-
protocol extensions of Border Gateway Protocol version 4 (BGP4). 6PE allows
the IPv6 to be carried over an existing MPLS backbone without upgrading the
backbone routers to IPv6.
MPLS-enabled IP VPNs are used both for the operator's internal purposes (e.g.
network management) and as a sellable service. MPLS-enabled IP VPN networks
are easier to integrate with IP-based customer networks when compared to
traditional ATM or frame relay -based VPNs. Subscribers can seamlessly
interconnect with a provider service without changing their intranet applications,
because these networks have application awareness, privacy, QoS, and any-to-
any networking built in.
At the controller sites, the type of the ATM equipment required depends on the
access network structure. If the access network is built using direct leased lines
from the base stations to the controllers, a large number of low-speed interfaces
have to be groomed at the controller site. If grooming is done in the access
network, a small number of high-speed interfaces is used.
On the transport hub sites and the BTS sites, the ATM cross-connect functionality
can be deployed. In practice, the ATM network is often built in parallel with the
existing 2G transport solution utilising the same SDH network.
[Figure: ATM backbone (QoS, security, resilience, IPv4 and IPv6) interconnecting
the core site (Nokia MSS, CPS, HLR, IMR, MGW, GGSN, ISN, 3G SGSN, 2G SGSN),
the server site (MMSC and DB servers over FE/GE and ATM STM-1), the controller
sites (Nokia BSC, RNC and MGW over SDH), the PSTN, ISP networks and corporate
networks]
The evolution to a 3GPP Rel-4/Rel-5 network does not change the scope or
structure of the ATM backbone. MGWs can be added to the controller and core
sites and connected to the backbone the same way as RNCs. Both the MGW and
RNC are built on the Nokia IPA2800 platform.
In recent years, SDH has been developed to suit the datacom environment better.
Virtual concatenation allows the mapping of the data interfaces to the SDH
payload in fragments. In addition to the more efficient mapping schemes, the
Next Generation SDH equipment supports Ethernet and ATM interfaces. They
also implement the Link Capacity Adjustment Scheme (LCAS, ITU-T G.7042),
which allows the change of virtually concatenated capacity in the increments of
its fragments.
Meeting the requirements of all services with uniform best effort service and
heavy overprovisioning may be possible in small networks. However, rapid
traffic increase or certain exceptional situations (such as loss of transmission or
routing capacity because of a failure) may cause the best effort network to fail, as
even the mission-critical applications experience extensive loss and delay. In
QoS-enabled networks, prioritised packets survive while the less important traffic
is dropped.
[Figure: end-to-end QoS budget across three operators: each operator's RAN,
MPLS, ATM or IP QoS budget contributes delay, jitter and loss, with SLAs between
the operators at the gateways; the sum of the budgets is the end-to-end QoS]
In the figure there are three operators involved in the connection (a UMTS
operator in Europe and another in Asia with a global carrier between them). Each
of the operators may have networks utilising different technology and a
technology-dependent QoS scheme.
UMTS operators themselves have two QoS schemes in use, as the mechanisms
specified by the 3GPP only apply from the user equipment to the GGSN. The
Nokia 3G implementation supports QoS interworking with all major packet-
based backbone technologies.
Traffic class to DiffServ mapping (one row of the mapping table):
Urgent operation and maintenance traffic: Assured Forwarding class 4, low drop precedence (AF41)
For more information on Quality of Service in the circuit switched core network,
see QoS in CS core network in the CS core system documentation library.
[Figure: network domains and their security requirements]
Intra-PLMN networks (operator-internal): charging network, signalling network, intra-PLMN backbone, O&M network
GRX networks:
- GPRS/3G roaming
- IP-based interconnects
- Global reach
- Reasonable security
Legal Interception:
- GSM 02.33 & 03.33, TS 33.107...
- Regulative requirement
- Authorities to get access to selected NEs
- Security requirements high
Corporate VPN:
- Mobile terminals access corporate network
- End-to-end operator-to-corporate
- Security requirements variable
The basic security mechanisms for the IP connectivity include traffic separation,
encryption and layered firewall defences. Transport network security can be
arranged on the physical layer with simple traffic separation. Also link layer
(MPLS, ATM, VLAN) or IP layer Virtual Private Network (VPN) technologies
are used. On the core sites Ethernet Virtual Local Area Networks (VLANs) are
used to separate Gn, Gi and other traffic streams. For more information on traffic
separation using VLAN and MPLS VPN, see the guidelines for planning site
connectivity provided in CS core system documentation.
The backbone Domain Name System (DNS) servers do not accept database updates
from anywhere other than the NMS (NetAct/NameSurfer). The updates are sent from
the NMS using the Dynamic DNS (DDNS) update protocol.
The backbone is isolated from the outside networks with firewalls. The
particularly sensitive parts of the network, like network management and billing
systems, are further isolated from the backbone. Inside the NMS network, IPSec,
SSL/TLS or SSH are used for maximum security.
It is also possible to apply IPSec AH to all packets in the backbone. A sender
outside the backbone cannot produce a valid AH integrity check value without the
security association key, so forged GTP packets injected from outside are
dropped at the receiving GSN before the GTP stack processes them. Note what this
does and does not cover: AH authenticates the sender and protects integrity but
provides no confidentiality, it cannot pass through NAT because the IP addresses
are covered by the integrity check, and it gives no protection against a peer
that legitimately holds a valid security association. AH is cheaper to compute
than ESP with encryption, since it only calculates an integrity check, and thus
has less impact on the performance of the network.
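The following is an added example, not code from Nokia's documentation or products, showing the mechanism the paragraph relies on: an AH integrity check value computed over the packet with the mutable IP header fields zeroed, so that a TTL change in transit does not break verification, while a GTP-U datagram injected without the SA key (or sent without any AH at all) is rejected. The SA key, SPI, addresses and the GTP-U datagram are constructed for the example, and the ICV uses HMAC-SHA-256 truncated to 96 bits as a stand-in for whatever AH transform the SA actually negotiates.

```python
"""Added example, not Nokia code: IPSec AH in transport mode over a backbone
GTP-U datagram. Shows why an outsider without the SA key cannot inject GTP."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Assumed SA parameters and addresses, constructed for this example.
SA_KEY = b"backbone-ah-sa-key-0001"
SA_SPI = 0x1001
IPPROTO_UDP, IPPROTO_AH = 17, 51
ICV_LEN = 12   # 96-bit ICV; HMAC-SHA-256 truncated here as a stand-in for the negotiated transform
GTPU_PORT = 2152

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing here routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def gtpu_datagram(teid, inner=b"constructed inner user packet"):
    """Constructed UDP/GTP-U datagram: UDP to 2152, GTPv1 G-PDU header, TEID, payload."""
    gtp = struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner
    return struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp

def immutable_view(ip_hdr):
    """Zero the header fields AH treats as mutable: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_icv(ip_hdr, ah_fixed, payload, key):
    """ICV over the immutable IP fields, the AH header with a zeroed ICV field, and the payload."""
    data = immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(src, dst, payload, key=SA_KEY, spi=SA_SPI, seq=1):
    """Transport mode: IP | AH | original UDP/GTP-U datagram."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    # next header, AH length in 32-bit words minus 2, reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", IPPROTO_UDP, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload, key) + payload

def ah_verify(packet, key=SA_KEY, ttl_on_arrival=61):
    """Receiving GSN: drop anything that is not AH or whose ICV does not verify.
    The TTL is overwritten to simulate the hops crossed inside the backbone."""
    ip_hdr, rest = bytearray(packet[:20]), packet[20:]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    ip_hdr[8] = ttl_on_arrival
    ah_fixed, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(bytes(ip_hdr), ah_fixed, payload, key), icv)

def demo(sgsn="10.1.0.5", ggsn="10.2.0.9"):
    """Verdicts for: a keyed packet, a forged ICV, a tampered payload, and bare GTP without AH."""
    datagram = gtpu_datagram(teid=0x1234)
    good = ah_protect(sgsn, ggsn, datagram)
    forged = good[:32] + b"\x00" * ICV_LEN + good[32 + ICV_LEN:]   # attacker guesses the ICV
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])                # payload modified in flight
    bare = ipv4_header(sgsn, ggsn, IPPROTO_UDP, 20 + len(datagram)) + datagram
    return ah_verify(good), ah_verify(forged), ah_verify(tampered), ah_verify(bare)

if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The TTL rewrite in ah_verify is the point of immutable_view: routers legitimately change TTL and checksum, so those fields are excluded from the ICV, while the addresses stay covered (which is also why AH does not survive NAT).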
Security Gateway
The Nokia Security Gateway (SEG) is a network element that protects the border
of a network security domain, that is, a network or part of a network managed by
a single administrative authority, and provides a secure connection between such
domains.
The borders between security domains are protected by security gateways. In the
3GPP security model, all secure communication between security domains takes
place through SEGs. The Nokia SEG is fully compliant with the 3GPP Network
Domain Security specification (3GPP TS 33.210).
The intranet connection on Gi is more complex than the Border Gateway (BG)
connection because there are many existing networks to which the Gi interface
must adapt. Often network address translation (NAT) is required. In many cases
only mobile-originated connections are allowed. Application layer gateways are
also increasingly required to secure the operator service infrastructure.
10.2 Firewalls
Firewalls provide the most effective means for controlling the flow of IP traffic
between two networks or servers. The principle of firewall operation is that all
traffic across an interface is examined in the firewall. It is allowed to pass only if
the explicitly defined security policy for that interface permits. The firewall can
apply different security rules for inbound and outbound traffic.
Firewalls are generally used at the boundaries of a network. They can also be
used to implement network islands and security domains within a wider network.
This is the case in the server site solution, for example. The network islands do
not have to be in one place as they can be interconnected securely using VPN
tunnels encrypted with IPSec.
The Nokia Firewall includes a spoofing filter against forged IP source
addresses. This is a useful feature since many attacks use IP spoofing to hide
the true identity of the attacker; a spoofing filter stops such packets before
they reach their target. Implementation is simple when the underlying network
topology is known. For example, a packet arriving on the external interface of a
security island cannot legitimately carry a source address from inside the
island, and a packet leaving the island cannot legitimately carry a source
address from outside it.
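An added example (not Nokia's firewall code) of the two ideas above: the explicit per-interface policy that denies everything not listed, preceded by the topology-based spoofing filter. The spoofing check is written as a general per-interface reverse-path check, of which the security-island rule in the text is one instance. The interfaces, prefixes, rules and sample packets are constructed for the example.

```python
"""Added example, not Nokia code: per-interface firewall policy with default deny,
preceded by a topology-based anti-spoofing check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology, constructed for the example: which source prefixes may
# legitimately appear on which interface. "outside" claims everything else.
EXPECTED_SOURCES = {
    "inside":  [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/24")],  # the security island
    "partner": [ip_network("172.16.0.0/12")],                            # VPN peer site
    "outside": None,
}
# Sources never valid on a routed interface (unspecified, loopback, link-local, multicast, reserved).
BOGONS = [ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                                  "224.0.0.0/4", "240.0.0.0/4")]
# Explicit policy per interface (src net, dst net, dst port or None = any); unmatched = drop.
POLICY = {
    "outside": [(ip_network("0.0.0.0/0"), ip_network("10.20.1.0/24"), 443)],      # HTTPS to DMZ
    "inside":  [(ip_network("10.20.0.0/16"), ip_network("0.0.0.0/0"), None)],     # any outbound
    "partner": [(ip_network("172.16.0.0/12"), ip_network("10.21.0.0/24"), 2123)], # GTP-C only
}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int

def spoof_verdict(pkt):
    """Reverse-path check: the source must belong to the interface it arrived on."""
    a = ip_address(pkt.src)
    if any(a in n for n in BOGONS):
        return False, "bogon source"
    owner = next((ifc for ifc, nets in EXPECTED_SOURCES.items()
                  if nets and any(a in n for n in nets)), "outside")
    if owner != pkt.iface:
        return False, f"source belongs to {owner} but arrived on {pkt.iface}"
    return True, "ok"

def policy_verdict(pkt):
    """Explicit allow rules for the interface; anything not listed is denied."""
    for s, d, port in POLICY.get(pkt.iface, []):
        if ip_address(pkt.src) in s and ip_address(pkt.dst) in d and port in (None, pkt.dport):
            return True, "permitted by policy"
    return False, "no matching rule (default deny)"

def verdict(pkt):
    ok, why = spoof_verdict(pkt)
    if not ok:
        return False, "spoof filter: " + why   # dropped before the policy is consulted
    return policy_verdict(pkt)

SAMPLE = [  # constructed packets
    Packet("outside", "192.0.2.10", "10.20.1.5", 443),    # legitimate inbound HTTPS
    Packet("outside", "192.0.2.10", "10.20.1.5", 22),     # inbound SSH: no rule
    Packet("outside", "10.20.1.7", "10.20.1.5", 443),     # island address arriving from outside
    Packet("inside", "10.20.1.5", "192.0.2.10", 80),      # legitimate outbound
    Packet("inside", "198.51.100.3", "192.0.2.10", 80),   # inside host spoofing a foreign source
    Packet("partner", "172.16.5.5", "10.21.0.9", 2123),   # roaming GTP-C from the peer site
    Packet("outside", "172.16.5.5", "10.21.0.9", 2123),   # peer-site address via the Internet
    Packet("outside", "127.0.0.1", "10.20.1.5", 443),     # bogon
]

def run(packets=SAMPLE):
    return [verdict(p) for p in packets]

if __name__ == "__main__":
    for p, (ok, why) in zip(SAMPLE, run()):
        print(f"{p.iface:8} {p.src:>14} -> {p.dst}:{p.dport}  {'PASS' if ok else 'DROP'}  {why}")
```

Running the spoof check before the policy matters: a rule such as "permit inside prefix to anywhere" would otherwise admit an outside packet that forges an inside source.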
GTP firewalls
[Figure: GTP firewall placement. Check Point FW-1/VPN-1 on the Gi interface between the GGSN/ISN and the Internet; FW-1 on the Gp interface between the Border Gateway (BG) of the GPRS network and the GPRS Roaming Exchange (GRX); SGSN and GGSN/ISN on the backbone behind them.]
IPv6 firewalls
For the IP Multimedia Subsystem (IMS), IPv6 firewall capabilities are required.
IPv6 firewall protection is needed for the following applications:
Currently Check Point FireWall-1 AI supports a dual IPv4/IPv6 stack with
policy-based access control for both IPv6 and IPv4. IPv6 extension headers and
IPv6-in-IPv4 tunnels are also supported, and a number of service definitions
(such as HTTP, SMTP, Telnet) are available for IPv6 rules.
- Transport mode inserts the IPSec header between the original IP header and
the upper layer protocol; the original IP header, and with it the end-point
addresses, stays visible on the wire.
- Tunnel mode encapsulates the entire original IP datagram, header included,
behind an Authentication Header (AH) or Encapsulating Security Payload (ESP)
header and a new outer IP header.
ESP is the encryption part of IPSec (it can also carry an integrity check of its
own). In transport mode ESP encrypts only the payload, leaving the IP header
unmodified. In tunnel mode the whole original packet is encrypted and
encapsulated in another IP packet, so the inner addresses are hidden from the
transit network.
PKI
The Nokia VPN Gateway (GW) is based on the Nokia IP series hardware platform
running the IPSO operating system. As encryption is a resource-intensive
function, it is recommended that a separate hardware accelerator card is used to
increase capacity; the IPSO platform supports such cards. The actual VPN
functionality is provided by Check Point's VPN-1/FireWall-1 software. VPN
software is available for all IP series platforms.
In the Nokia solution, IPSec can be used between the network elements if needed.
In many cases the most straightforward way to provide IPSec to the installed
systems is an inter-site IPSec VPN implemented with dedicated VPN gateways.
[Figure: inter-site IPSec VPN. MSC, MGW and SGSN at two 3G sites, a VPN gateway at each site and the PLMN backbone between them; the numbered stages 1 to 4 in the figure correspond to the steps below.]
1. The MSC sends signalling traffic (intra-site and inter-site on the same
interface).
2. Routing is based on OSR access list trigger policy (source/destination
address, the port number used). The packet is routed to the VPN gateway
(GW).
3. Security association is selected on the basis of the destination address
(IPSec tunnel mode used). The packet is encrypted and routed to the VPN
GW across the wide area network. Note that the traffic between the MSC
and VPN GW and VPN GW towards WAN are in different VLANs.
4. The packet is decrypted and routed to the destination address.
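The four steps above, together with the transport and tunnel mode description earlier in this section, as an added example that is not part of the original document. It routes a signalling packet through a constructed access-list trigger policy, selects the SA by destination, encapsulates it in ESP tunnel mode and decapsulates it at the peer gateway; transport mode is included for contrast to show that it leaves the end-point addresses visible. The ACL, SA database, addresses and the cipher (an HMAC-SHA-256 counter-mode keystream standing in for the negotiated ESP transform) are assumptions of the example, not Nokia's or Check Point's implementation, and the OSR trigger is modelled only as a source/destination/protocol match.

```python
"""Added example, not Nokia or Check Point code: the inter-site VPN steps with
ESP in tunnel mode, plus transport mode for contrast."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address, ip_address, ip_network

IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_SCTP = 4, 50, 132
ICV_LEN = 12

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (checksum left zero; nothing here routes it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

# Step 2: constructed access-list trigger policy. Inter-site signalling (SCTP) is
# redirected to the VPN GW; everything else follows normal routing.
TRIGGER_ACL = [(ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16"), IPPROTO_SCTP)]
VPN_GW = "10.1.255.1"

def next_hop(src, dst, proto):
    for s, d, p in TRIGGER_ACL:
        if ip_address(src) in s and ip_address(dst) in d and proto == p:
            return VPN_GW
    return "default-router"

# Step 3: SA selected by destination (constructed SA database of the local VPN GW).
LOCAL_GW_WAN = "203.0.113.2"
SAD = {ip_network("10.2.0.0/16"): dict(spi=0x2001, key=b"site-a-to-site-b", peer="198.51.100.2")}

def select_sa(dst):
    return next(sa for net, sa in SAD.items() if ip_address(dst) in net)

def keystream(key, spi, seq, n):
    """Toy keystream: HMAC-SHA-256 in counter mode, standing in for the real ESP cipher."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
              for ctr in range(0, n, 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(key, spi, seq, plaintext, next_hdr):
    """ESP header | encrypted {plaintext, padding, pad length, next header} | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4            # align the trailer to 4 bytes (RFC 4303)
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    esp_hdr = struct.pack("!II", spi, seq)
    ct = bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))
    icv = hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + ct + icv

def esp_decapsulate(key, esp):
    """Verify the ICV first, then decrypt and strip the trailer; returns (plaintext, next_hdr)."""
    spi, seq = struct.unpack("!II", esp[:8])
    ct, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, esp[:8] + ct, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV mismatch")
    body = bytes(a ^ b for a, b in zip(ct, keystream(key, spi, seq, len(ct))))
    pad_len, next_hdr = body[-2], body[-1]
    return body[:len(body) - pad_len - 2], next_hdr

def tunnel_mode(inner_packet, sa, seq=1):
    """Outer IP (GW to GW) | ESP | {whole inner packet}: inner addresses are hidden."""
    esp = esp_encapsulate(sa["key"], sa["spi"], seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(LOCAL_GW_WAN, sa["peer"], IPPROTO_ESP, 20 + len(esp)) + esp

def transport_mode(packet, sa, seq=1):
    """Original IP (protocol rewritten to ESP) | ESP | {original payload}: addresses stay visible."""
    hdr, payload = packet[:20], packet[20:]
    esp = esp_encapsulate(sa["key"], sa["spi"], seq, payload, hdr[9])
    hdr = hdr[:2] + struct.pack("!H", 20 + len(esp)) + hdr[4:9] + bytes([IPPROTO_ESP]) + hdr[10:]
    return hdr + esp

def send_signalling(src="10.1.0.10", dst="10.2.0.20", payload=b"constructed SCTP chunk"):
    """Steps 1-4 end to end; returns what each stage observes."""
    inner = ipv4_header(src, dst, IPPROTO_SCTP, 20 + len(payload)) + payload  # 1: MSC sends
    hop = next_hop(src, dst, IPPROTO_SCTP)                                     # 2: ACL trigger
    sa = select_sa(dst)                                                        # 3: SA by destination
    wire = tunnel_mode(inner, sa)
    body, nh = esp_decapsulate(sa["key"], wire[20:])                           # 4: peer GW decrypts
    return {
        "next_hop": hop,
        "outer_addresses": (str(IPv4Address(wire[12:16])), str(IPv4Address(wire[16:20]))),
        "inner_dst_visible": IPv4Address(dst).packed in wire[20:],
        "transport_dst_visible": IPv4Address(dst).packed in transport_mode(inner, sa)[:20],
        "restored": nh == IPPROTO_IPIP and body == inner,
    }

if __name__ == "__main__":
    print(send_signalling())
```

The outer addresses on the WAN are those of the two VPN gateways, which is what lets the encrypted-traffic VLAN be kept separate from the MSC-facing VLAN as the step list notes; the inner site addresses only reappear after step 4.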
The resilience of the inter-site VPN can be enhanced using clustered VPN nodes.
If clustering is not available, two synchronised VPN gateways running VRRP on
the interfaces to the site switches can be set up on each site. (VRRP is also needed
on the VLAN that carries the encrypted traffic.)
One of the key services of the GPRS and 3G packet switched networks is to
connect mobile users to corporate networks. Corporate connectivity can be
implemented by an end-to-end VPN service or an access service where only the
section between the mobile operator core site and the corporate network is a
secure VPN. These two options are shown in the figure below.
[Figure: corporate connectivity options. End-to-end VPN: VPN client in the terminal, through the GGSN/ISN, to the corporate VPN GW and services. Access VPN: GGSN/ISN to the operator's VPN GW, then an IPSec VPN to the corporate VPN GW and services.]
For the end-to-end VPN a client software is needed in the end-user device. In
addition, a VPN gateway is installed at the corporate site. This does not require
significant involvement of the mobile operator. In theory the mobile network is
only a bit-pipe between the VPN client and the corporate network. It may be used
in parallel with other bit-pipes (such as DSL). In practice the corporate network
has to be tuned for enabling a meaningful service set.
A wide variety of end user devices (such as laptops with different operating
systems, smart phones, PDAs) creates a challenge for the IPSec end-to-end VPN
implementation. Therefore, the solution described here suits those large
companies best that have uniform terminal infrastructure and strong in-house IT
competence.
It should be noted that currently IPSec is used for the end-to-end VPN. The
emerging Transport Layer Security (TLS) VPN solutions make end-to-end VPNs
available to terminals with a standard web browser.
When an end-to-end VPN is not available but secure connectivity from the
mobile terminals to the corporate intranet is needed, VPN gateways are used at
the mobile operator and the corporate site. In a typical use case the operator
provisions corporate access points at the GGSN. For security reasons and also to
enable overlapping IP addresses in the different VPNs, the corporate traffic is
tunnelled from the GGSN to the VPN gateway (using VLAN or L2TP). The
actual IPSec VPN is established between the VPN Gateway and the corporate
network. This service model does not require special clients in the end user
equipment. The service closely resembles dial-up connectivity.
The key elements in the Nokia IP connectivity and security solution are Cisco
7609 multilayer LAN switches, which also act as edge routers on the core sites,
and Cisco 12000 series routers for the IP/MPLS backbone. Nokia IP series
firewall routers running Check Point software are used for securing the network.
For enhanced resilience Nokia recommends using two Cisco 7609s per site.
A major additional benefit of the site connectivity focus is that the Nokia
mobile network elements do not mandate any specific backbone technology for
site interconnection. While IP/MPLS is the recommended site interconnection
technology, ATM networks and direct links between the site routers are equally
supported. This allows a cost-effective migration to packet-based networks for
any type of mobile operator.
Related Topics
IP connectivity
IP/MPLS backbone
ATM backbone
Transmission layer