Building Scalable Network using 802.1q & PPPoE

g.ghir

I am looking to create a WiMax network. The WiMax components (base station and CPE devices) that I have to work with are 802.1q and PPPoE capable respectively. One WiMax base station will be able to support 6 CPEs in our case, so my understanding is that the base station will perform 802.1q and trunk the individual point-to-point connections down a Long Reach Ethernet service that we will purchase from a local provider. On the aggregation side I was thinking of initially using a 2600 to terminate the 802.1q trunks (eventually moving up to a 7304 or something else more suitable) and interface this with a RADIUS/TACACS+ server. The backend of the aggregation device would then be linked to an ISP who will offer us a /23 subnet (which we can assign dynamically or statically to our customers) as well as internet access.

Phew… there… I hope this makes sense. I am pretty confident that this will work, but I thought I would ask the experts.

10 Replies

damirs

It should work just fine. I have the same setup, but with Cisco Aironet 1200 series access points and 350 and 1300 series bridges. Separate VLAN for every site, and aggregation is done on a 7401 since there are over 1000 PPPoE sessions at the same time. If your network gets larger you can just add another VLAN without service interruption, and you can also add cable or metro Ethernet type access (as it is with me). I suggest that you try the Cisco SSG (Service Selection Gateway) feature on the 7300 series, which can add some features to your network like self care, personal firewall, in-service bandwidth change and so on. My programmers and I made our own software to replace Cisco Subscriber Edge Manager and now can offer services that other ISPs dream of. Customers are pleased.

If you have any other questions, shoot away.

Best luck.

Thanks Damir,

So good to have some positive feedback. I really appreciate your help and will do some more research on the 7401 (although I think it may be EOS). It sounds like your network is very scalable (over 1000 PPPoE users); hopefully mine will be too! Because of the nature of this particular WiMax network every CPE device will be static, but at a later date I believe roaming will become more prevalent. I was thinking of going to BBSM at a later date (for roaming users); what is your view on this? I noticed that you are using SSG; how is that working out for you? How did you address the issue of IP addressing? Did you give out public IPs? In my case, because CPEs are going to be treated as non-roaming, we may give out static public IPs. Do you use IP unnumbered? I am trying to get my head round how I can give out addresses (static for now, DHCP later).

How do you also handle redundancy? I was thinking HSRP, but am unsure how that will work with 2 routers.

Finally, is there any recommended reading? I am reading articles on PPPoE and it seems pretty straightforward; are there any nasty surprises?

Once again, many thanks Damir; you have given me a good vote of confidence!

Regarding the 7401, it is EOS, but the 7301 can replace it, and with 1 GB RAM it can support up to 16000 PPPoE sessions. Redundancy is also easy with HSRP (I have tried it).

My network is built so that there is no difference between static and roaming users, since the access method is the same. The only difference is hotspot sites that are not using PPPoE but the SSG TCP redirect feature, which directs them to a logon page, and after they log on (username/password or PIN or something else) they have internet access. BBSM is a good piece of software, but it is hard to adapt to specific needs since it is built for hotel and airport usage. For me SSG has solved all the problems that other technologies have; it has more features than BBSM. The problem is the supporting software, Subscriber Edge Service Manager, which can be costly to implement. We have developed our own version with the required elements and it is working fine. The RADIUS server is Cisco ACS, as it supports the SSG RADIUS parameters.

With addressing, only PPPoE sessions should have public IP addresses and everything else private. You can work with a 2:1 ratio (users:IP addresses) without any problems.

Configuration of PPPoE is very easy, and the SSG feature set IOS has a little shortcut for that. It is called bba-group and it simplifies the vpdn-group setup; everything else is the same. You need a virtual template and a local IP pool for addresses.

I hope I have answered your questions. If you need more help just ask.

Regards.

Thanks Damir,

You have been very helpful. Your comments on BBSM make a lot of sense. I think we will go for a 7300 series router; my thinking was that for every base station we would order a 10 or 100 Meg Ethernet service. This would backhaul to our co-lo; it would take the sum of all the VLANs over an 802.1q trunk which would go straight into a physical port on our router. I would then build up more and more sites using this method. This method (which I think should work fine) may be costly on Ethernet ports; what is your opinion? Is there a more cost-effective way?

I will find out the cost of SESM today; unfortunately we do not have the luxury of a lot of cash at this time, but if we need it then we need it!

As for the IP addressing, because this is more like DSL or cable in terms of service delivery, we may have to offer publicly usable IP addresses to our customers. I know of one ISP who offers a /29 to its users over a DSL service. It uses the IP unnumbered command and you have 5 usable IP addresses (1 used by the router). I was looking for something similar, but I am unsure how to do this. I am thinking that even if the links are unnumbered they still route; it seems that this ISP has got away from providing IP addresses for their point-to-point links. Guess I will have to do more reading on IP unnumbered.

I am going to build a test lab using 2900 switches to simulate the WiMax base stations, a 2600 (I will have a look for SSG on 2600 IOS, but I am not holding my breath) for the aggregation device and 1700s for the CPEs, just to prove the concept.

Once again thanks for all your input; it is nice to know that there are people willing to help out there.

Regards

George Ghir

When you think about it, Ethernet is the cheapest port. Imagine that you needed serial or E1/T1 links! If the service provider can aggregate VLANs on a single GigE trunk, that would be the simplest solution. My company is offering metro Ethernet, and if a customer needs it we aggregate on a GigE trunk. But if they give you an Ethernet port for every site, that can be a problem. Then you will need a switch for aggregation, something like a 3550-48 with two GigE uplinks, or an even cheaper 2950G-48, also with two GigE uplinks.

SESM can be very costly. I have a solution for you, but contact me privately on damir@logosoft.ba.

Unfortunately an Ethernet port cannot be IP unnumbered. That is why private addressing is better for this usage, to preserve address space. You will have to find other solutions. Post a network diagram of your idea and we will work with it to give you something workable.

Make up the lab. If you can play with it you will learn more and see more solutions.

The problems I experienced when testing such solutions based on SSG/SESM scenarios are:

1) How can you manage IP phone authentication? Till now you don't have HTTP capabilities in simple IP phones that allow authentication and authorization for services.

2) What about the accounting of IP phone services?

This problem is real when you deal with broadband access (such as DSL or WiMAX), because operators could require this kind of service... Of course, when you deal with WiFi it is unlikely to have these problems...

What kind of IP phones are you using? In a Wi-Fi environment you just add another SSID with LEAP, PEAP, EAP-TLS or EAP-FAST, depending on the IP phone type.

When dealing with SSG/SESM you can add another service that will account for IP phones. In any case you will have a SIP proxy/registrar and/or H.323 gateway/gatekeeper that will do authentication/accounting for VoIP calls. SSG/SESM can only let that traffic through without accounting, since you will do accounting for calls and not for the amount of traffic generated.

If you have experience with SSG/SESM, adding another service that will be auto-active and not visible to the customer is very easy. For that service, put as destination the SIP or H.323 server and a gateway that will be configured as an IP-to-IP gateway. You will have fixed IP addresses to exclude from SSG/SESM accounting, and traffic will pass through without problems. As a failsafe, add an access list in the other services to exclude the IP addresses of the SIP/H.323 server and the IP-to-IP gateway and, if that is the purpose, the SIP/H.323 protocol, so customers must use your servers to generate calls.

I do not know what the final design might be, but there is always a solution.

Regards,

Hi,

Actually I just found a solution in that situation, but I'm not sure it's the most elegant one and it needs some further deployment:

I used a RADIUS plugin inside the SIP proxy/registrar and I used SIP Digest authentication between the SIP clients (phones) and the proxy/registrar. The SIP server doesn't have the database of all the accounts, and so it needs to send a RADIUS Access-Request to a RADIUS server...

So I configured the SSG with a service (like PhoneService) and I made it act as a RADIUS proxy between the SIP server/RADIUS client and an external RADIUS server (where all the SIP users are listed).

So the exchange is the following:

SIP UA  --- SIP Register ------------------>  SIP Server
        <-- Challenge ----------------------
        --- User credentials (Digest) ----->
                                                   |
                                                   |  RADIUS Access Request with
                                                   |  (user credentials - Digest) + Cisco VSAs
                                                   v
RADIUS  <-- RADIUS Access Request ---------  SSG (RADIUS Proxy)
Server  --- RADIUS Access Accept ---------->       |
                                                   |  service authorized
                                                   v
SIP UA  <-- SIP OK ------------------------  SIP Server

The SIP Server can be on a default network for the SSG.

The authorized service can allow the IP addresses of the SIP client to go to some specific.

When a SIP INVITE is performed, the RADIUS accounting request can be performed by the SIP proxy as well.

I hope to have been clear....

Regards

Antonio

Sorry...

this format should be OK...

SIP UA
  |
  |  SIP Register with user credentials
  v
SIP Server (RADIUS client)
  |
  |  RADIUS Access Request w/ (user credentials - Digest) + Cisco VSAs
  v
SSG (RADIUS Proxy)
  |
  |  RADIUS Access Req + user cred.
  v
RADIUS Server
  |
  |  RADIUS Access Accept
  v
SSG (RADIUS Proxy)  <-- service auth (applied on the SSG)
  |
  |  RADIUS Access Accept
  v
SIP Server (RADIUS client)
  |
  |  SIP OK
  v
SIP UA
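The exchange Antonio describes above, written out as an added example that is not part of the original post: the SIP UA answers a Digest challenge (RFC 2617 as used by SIP), the registrar holds no passwords and forwards the digest parameters in a RADIUS Access-Request using the Digest-* attributes of RFC 5090, the SSG relays it as a RADIUS proxy and marks the service as authorized when the Access-Accept comes back. The realm "wimax.example", the user "phone-1001", its password, the service name "PhoneService" and the `service:` Cisco-AVPair encoding are made-up values, and the RADIUS packets are modelled as Python dicts rather than encoded on the wire.

```python
"""SIP Digest authentication checked by a RADIUS server via a proxy.
Added example, not code from the thread; realm, user, password,
service name and the Cisco-AVPair encoding below are assumptions."""
import hashlib
import hmac
import secrets


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest with qop=auth (what SIP phones send)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class SipUA:
    def __init__(self, user, password, realm):
        # A1 = user:realm:password; only its MD5 is ever used.
        self.user, self.ha1 = user, md5hex(f"{user}:{realm}:{password}")

    def answer(self, challenge, uri="sip:registrar.example"):
        cnonce, nc = secrets.token_hex(8), "00000001"
        return {"username": self.user, "realm": challenge["realm"],
                "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
                "nc": nc, "cnonce": cnonce, "method": "REGISTER",
                "response": digest_response(self.ha1, "REGISTER", uri,
                                            challenge["nonce"], nc, cnonce)}


class SipRegistrar:
    """Issues nonces and asks RADIUS; it never sees a password."""

    def __init__(self, realm, radius, service):
        self.realm, self.radius, self.service = realm, radius, service
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce}

    def register(self, auth):
        # A nonce is honoured once, so a captured Authorization cannot be replayed.
        if auth["nonce"] not in self.live_nonces:
            return "403 Forbidden"
        self.live_nonces.discard(auth["nonce"])
        request = {"User-Name": auth["username"],
                   "Digest-Response": auth["response"],
                   "Digest-Realm": auth["realm"], "Digest-Nonce": auth["nonce"],
                   "Digest-Method": auth["method"], "Digest-URI": auth["uri"],
                   "Digest-Qop": auth["qop"], "Digest-Nonce-Count": auth["nc"],
                   "Digest-CNonce": auth["cnonce"],
                   "Digest-Username": auth["username"],
                   # Made-up VSA encoding: tells the SSG which service to enable.
                   "Cisco-AVPair": f"service:{self.service}"}
        ok = self.radius.access(request) == "Access-Accept"
        return "200 OK" if ok else "403 Forbidden"


class SsgRadiusProxy:
    """Forwards to the real server; records the authorized service on Accept."""

    def __init__(self, upstream):
        self.upstream, self.authorized = upstream, set()

    def access(self, request):
        reply = self.upstream.access(request)
        if reply == "Access-Accept":
            service = request["Cisco-AVPair"].split(":", 1)[1]
            self.authorized.add((request["User-Name"], service))
        return reply


class RadiusServer:
    def __init__(self, realm, users):
        # Store HA1 per user, never the clear-text password.
        self.realm = realm
        self.ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}

    def access(self, r):
        ha1 = self.ha1.get(r["Digest-Username"])
        if ha1 is None or r["Digest-Realm"] != self.realm:
            return "Access-Reject"
        expected = digest_response(ha1, r["Digest-Method"], r["Digest-URI"],
                                   r["Digest-Nonce"], r["Digest-Nonce-Count"],
                                   r["Digest-CNonce"], r["Digest-Qop"])
        ok = hmac.compare_digest(expected, r["Digest-Response"])
        return "Access-Accept" if ok else "Access-Reject"


def build_network(realm="wimax.example", users=None, service="PhoneService"):
    users = users or {"phone-1001": "correct-horse"}      # constructed user
    ssg = SsgRadiusProxy(RadiusServer(realm, users))
    return SipRegistrar(realm, ssg, service), ssg


if __name__ == "__main__":
    registrar, ssg = build_network()
    ua = SipUA("phone-1001", "correct-horse", "wimax.example")
    print(registrar.register(ua.answer(registrar.challenge())), ssg.authorized)
```

The two checks worth keeping in a real deployment are the ones shown: the registrar consumes each nonce once (so a sniffed REGISTER is useless to a replayer on the same VLAN), and the RADIUS server compares the digest in constant time against an HA1 it stores instead of a clear-text password.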

It is a solution.

I am trying something different.

The first solution uses IP phones that support PPPoE and SIP, so the IP phone registers to a PPPoE server, which is a different device from the SSG router (the distinction is made with the PPPoE service parameter), so bandwidth control can be done. In that case VoIP traffic is not passing through the SSG router and the problem is solved.

The second solution uses subnet-to-802.1q VLAN mapping, which cable and wireless devices support, so IP phones have a static IP address and their traffic is routed to an isolated VLAN.

Of course, users cannot access management functions on IP phones.

I believe that there are more solutions to the problem and other people will find a different solution. The thing is what works for you and what is easy for your support staff to maintain.
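The "PPPoE service parameter" Damir uses to steer phones to a separate PPPoE server is the Service-Name tag of the PPPoE discovery stage (RFC 2516), the same stage the bba-group/virtual-template setup discussed earlier in the thread terminates. The following is an added example, not code from the thread or from Cisco: it models both sides of PADI/PADO/PADR/PADS, has the access concentrator answer only for its own service name, and uses a stateless HMAC AC-Cookie so that a PADI flood allocates nothing on the AC. The AC name "agg-7301", the service name "wimax-data" and the cookie secret are made-up values.

```python
"""PPPoE discovery stage (RFC 2516) with a stateless HMAC AC-Cookie.
Added example, not code from the thread; the AC name "agg-7301", the
service name "wimax-data" and the secret are made-up values."""
import hashlib
import hmac
import os
import struct

PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65          # discovery codes
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104
VER_TYPE = 0x11                                          # VER=1, TYPE=1


def build_pppoe(code, session_id, tags):
    """Serialise a PPPoE discovery payload: 6-byte header + TLV tags."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_pppoe(payload):
    """Return (code, session_id, {tag: value}); reject malformed input."""
    if len(payload) < 6:
        raise ValueError("short PPPoE payload")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE or len(payload) < 6 + length:
        raise ValueError("bad PPPoE header")
    tags, off, end = {}, 6, 6 + length
    while off + 4 <= end:
        tag, tlen = struct.unpack("!HH", payload[off:off + 4])
        if tag == TAG_END:
            break
        if off + 4 + tlen > end:
            raise ValueError("tag overruns payload")
        tags[tag] = payload[off + 4:off + 4 + tlen]
        off += 4 + tlen
    return code, session_id, tags


class AccessConcentrator:
    """AC side. The AC-Cookie is an HMAC over the client MAC, so the AC keeps
    no state between PADI and PADR and a PADI flood allocates nothing."""

    def __init__(self, name, service, secret):
        self.name, self.service, self.secret = name, service, secret
        self.next_session = 1

    def _cookie(self, client_mac):
        return hmac.new(self.secret, client_mac, hashlib.sha256).digest()[:16]

    def on_padi(self, client_mac, padi):
        code, sid, tags = parse_pppoe(padi)
        if code != PADI or sid != 0:
            raise ValueError("not a PADI")
        # Answer only for our own Service-Name (or the empty "any" name).
        if tags.get(TAG_SERVICE_NAME, b"") not in (b"", self.service):
            return None
        reply = [(TAG_SERVICE_NAME, self.service), (TAG_AC_NAME, self.name),
                 (TAG_AC_COOKIE, self._cookie(client_mac))]
        if TAG_HOST_UNIQ in tags:                        # echo unchanged
            reply.append((TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ]))
        return build_pppoe(PADO, 0, reply)

    def on_padr(self, client_mac, padr):
        code, sid, tags = parse_pppoe(padr)
        if code != PADR or sid != 0:
            raise ValueError("not a PADR")
        expected = self._cookie(client_mac)
        if not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), expected):
            return None                      # forged, or copied from another MAC
        if tags.get(TAG_SERVICE_NAME) != self.service:
            return None
        sid, self.next_session = self.next_session, self.next_session + 1
        reply = [(TAG_SERVICE_NAME, self.service)]
        if TAG_HOST_UNIQ in tags:
            reply.append((TAG_HOST_UNIQ, tags[TAG_HOST_UNIQ]))
        return build_pppoe(PADS, sid, reply)


class Client:
    """Host side: PADI -> (PADO) -> PADR, echoing AC-Cookie and Host-Uniq."""

    def __init__(self, mac, service):
        self.mac, self.service, self.host_uniq = mac, service, os.urandom(8)

    def padi(self):
        return build_pppoe(PADI, 0, [(TAG_SERVICE_NAME, self.service),
                                     (TAG_HOST_UNIQ, self.host_uniq)])

    def padr(self, pado):
        code, _, tags = parse_pppoe(pado)
        if code != PADO or tags.get(TAG_HOST_UNIQ) != self.host_uniq:
            raise ValueError("PADO is not a reply to our PADI")
        return build_pppoe(PADR, 0, [(TAG_SERVICE_NAME, self.service),
                                     (TAG_AC_COOKIE, tags[TAG_AC_COOKIE]),
                                     (TAG_HOST_UNIQ, self.host_uniq)])


def discover(ac, client):
    """Run PADI/PADO/PADR/PADS; return the PADS session id, or 0 if refused."""
    pado = ac.on_padi(client.mac, client.padi())
    if pado is None:
        return 0
    pads = ac.on_padr(client.mac, client.padr(pado))
    if pads is None:
        return 0
    code, sid, _ = parse_pppoe(pads)
    return sid if code == PADS else 0


if __name__ == "__main__":
    ac = AccessConcentrator(b"agg-7301", b"wimax-data", b"made-up-secret")
    print(discover(ac, Client(b"\x00\x11\x22\x33\x44\x55", b"wimax-data")))  # 1
```

Two points carry over to a real deployment: a phone that sends Service-Name "voice" gets no PADO from the data AC, which is exactly how the two PPPoE servers are kept apart on one VLAN, and because the cookie is bound to the client MAC with a keyed hash, the AC commits a session id only after a PADR that proves the sender saw its PADO.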