
MPLS – VPN Assessment Part 3 – Design Proposal

1. Describe the function and operation of a Virtual Private LAN Service (VPLS).
References - Juniper Junos MPLS and VPNs student guide - Chapter 17
VPLS is a type of virtual private network technology that connects two or more local area
networks (LANs) across a service provider's IP/MPLS network as a single bridged domain. VPLS
uses IP/MPLS transport in the provider core to present a plain Ethernet interface to the customer.
Because the service is Ethernet, VPLS can carry non-IP traffic without any conversion or
additional encapsulation by the customer.
A VPLS is built on a full mesh of pseudowires between the participating PE routers, so it can
provide point-to-point, multipoint and any-to-any connectivity. In effect, VPLS creates a
virtualized Ethernet switch at the service provider's edge, linking multiple remote sites as if they
were attached to the same physical switch.
Because VPLS emulates a LAN, full mesh connectivity between the PEs is required, together with
split horizon (a frame received from one pseudowire is never forwarded back into the mesh, since
the ingress PE has already sent a copy to every other PE). There are two methods for signalling
the full mesh of pseudowires: using Border Gateway Protocol (BGP, RFC 4761) and using Label
Distribution Protocol (LDP, RFC 4762).
Operation of VPLS:
 PE routers: Provider edge devices that connect one or more CEs to the service provider
network. A PE maps and forwards frames between the customer-facing interfaces and the
pseudowires (LSPs) of the provider network.
 CE device: Customer edge device that is directly connected to the service provider
network.
 P routers: Forward VPN traffic transparently over established LSPs and do not maintain
any VPN-specific forwarding information.
How PE Devices Learn MAC Addresses
The MAC learning mechanism of VPLS is identical to that of an Ethernet switch. Forwarding is
carried out by learning source MAC addresses and keeping tables that map each MAC address to
a port; these tables are called Forwarding Databases (FDBs). In the FDB a MAC address is
associated either with a customer-facing port (a Service Access Point, SAP) or with a pseudowire
to another PE (a Service Distribution Point, SDP, in the terminology used here). Traffic is then
switched according to the FDB. Within the service router each VPLS instance acts as a small
switch: if it knows the destination MAC address it sends the frame to that port only; if it does
not, it floods the frame on all other ports of the instance, exactly as an Ethernet switch does.
In other words, if the FDB has an entry for the destination, the frame goes straight to that
destination; if there is no entry, the frame is flooded.
Consider a device in Branch A transmitting a frame to a device in Branch C.
The MAC tables (FDBs) are empty at the start, so PE-A floods the frame across all of its SAPs
and SDPs (the LSPs to PE-B and PE-C), just as an Ethernet switch floods an unknown unicast.
Each PE that receives the frame learns the source MAC address of the Branch A device together
with the port on which it arrived, and stores that entry in its FDB. Because of split horizon,
PE-B and PE-C forward the flooded frame only to their customer-facing ports, never back into
the mesh. Now consider the reply: the device in Branch C sends a frame to the device in
Branch A. PE-C already has an FDB entry for the destination MAC address, pointing at the
pseudowire to PE-A, so instead of flooding the frame it transmits it directly to its intended
destination. Only the genuine destination, PE-A, receives the frame this time; PE-B does not.
In this way MAC learning converges and every PE learns the location of every active
destination; once a destination is learned, frames to it are no longer flooded but sent directly.
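The Branch A to Branch C exchange above, replayed as an added Python example (not code from the Juniper guide or from this proposal). It models one VPLS instance per PE with an FDB, flooding of unknown destinations and split horizon between pseudowires; the PE, SAP and SDP names and the MAC addresses are invented for illustration.

```python
"""Added example: a toy VPLS forwarding plane showing FDB learning, flooding
of unknown destinations and split horizon between pseudowires (SDPs).
PE/port names and MAC addresses are constructed for illustration."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VplsPe:
    """One PE's VPLS instance. SAPs are customer-facing ports; SDPs are the
    pseudowires (LSPs) to every other PE in the full mesh."""

    def __init__(self, name, saps, sdps):
        self.name = name
        self.saps = set(saps)
        self.sdps = set(sdps)
        self.fdb = {}  # MAC address -> port it was learned on

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port, then return the sorted list of ports the
        frame is sent out of (an empty list means the frame is dropped)."""
        self.fdb[src_mac] = in_port
        out = self.fdb.get(dst_mac)
        if dst_mac != BROADCAST and out is not None:
            # Known unicast: one port only; drop if it would go back the way it came.
            return [] if out == in_port else [out]
        # Unknown or broadcast destination: flood. Split horizon: a frame that
        # arrived over a pseudowire is flooded to local SAPs only, never back
        # into the mesh, because the ingress PE already copied it to every PE.
        targets = set(self.saps)
        if in_port in self.saps:
            targets |= self.sdps
        targets.discard(in_port)
        return sorted(targets)


def run_branch_scenario():
    """Replays the Branch A -> Branch C exchange and the reply, returning
    which ports each PE forwarded on at every step."""
    pe_a = VplsPe("PE-A", saps=["sap-a"], sdps=["sdp-b", "sdp-c"])
    pe_b = VplsPe("PE-B", saps=["sap-b"], sdps=["sdp-a", "sdp-c"])
    pe_c = VplsPe("PE-C", saps=["sap-c"], sdps=["sdp-a", "sdp-b"])
    host_a, host_c = "00:00:00:00:00:0a", "00:00:00:00:00:0c"
    trace = {}
    # First frame, FDBs empty: PE-A floods to both pseudowires.
    trace["pe_a_first"] = pe_a.forward(host_a, host_c, "sap-a")
    # PE-B and PE-C receive it over the pseudowire from PE-A and learn host A
    # behind sdp-a; split horizon keeps it off their other pseudowires.
    trace["pe_b_first"] = pe_b.forward(host_a, host_c, "sdp-a")
    trace["pe_c_first"] = pe_c.forward(host_a, host_c, "sdp-a")
    # Reply: PE-C already knows host A behind sdp-a, so no flooding.
    trace["pe_c_reply"] = pe_c.forward(host_c, host_a, "sap-c")
    trace["pe_a_reply"] = pe_a.forward(host_c, host_a, "sdp-c")
    # PE-B never saw the reply, so it has not learned host C.
    trace["pe_b_learned_host_c"] = host_c in pe_b.fdb
    return trace


if __name__ == "__main__":
    for step, ports in run_branch_scenario().items():
        print(f"{step}: {ports}")
```

The `forward` method returns the egress port list rather than printing it, so the same function can be driven by a test; the split-horizon branch is what makes the full mesh mandatory, since a PE never re-floods between pseudowires on behalf of another PE.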

Question 5. You are required to write a design proposal to Pacific Internet Solutions. Your
proposal must provide the following:
 an assessment of the client's business problems, opportunities and objectives
 an assessment of the client's current needs and possible future needs
 a detailed list of business requirements that must be met by the new network design,
including the need to contain bandwidth requirements while maintaining a high level of
customer experience by providing high quality video and fast channel changes
 an explanation of why the current network configuration does not meet the business
requirements
 a prediction of future network demands and the impact of this on the proposed network
design, including estimated network traffic and planned growth
 a description of the network design that you propose, presented in a clear and logical
fashion, with advice to the client on the reasons for your design choices and information on
design limitations, performance expectations and possible unanticipated outcomes

Proposal
NETWORK SECURITY DESIGN

Mike Walberg

Executive VP- Operations

Spyon Technologies

Queensland, Australia

4226 Robina

Dear Mr. Walberg,

Thank you for taking the time to review my proposal. I am a networking engineer specialized in
corporate design of Juniper-standard security networks, with more than 10 years of experience, and I am
confident that I can meet your needs and deliver an exceptional product on time.
Sincerely,

Gaganpreet Singh

Network Engineer

Cyber security division

gaganpreetsingh@spyontechnogies.com

----------------------------------------------------------------------------------------------------------------------------

Description:
As a network engineer in the cyber security division of Spyon Technologies, I would like to
present this proposal to redesign the network security infrastructure for Pacific Internet Solutions.

Table of contents:
Executive summary
Network security design proposal
The Solution
-----------------------------------------------------------------------------------------------------------------
Executive Summary
The objective

Pacific Internet Solutions is a multinational Internet Service Provider (ISP) that offers a range of
internet services to customers; the company also offers Layer 3 VPNs and Virtual Private LAN
Services (VPLS) to corporate customers. The company has recently secured a contract with a
major provider of pay (cable) television to deliver IPTV to its customers.

The company has not previously provided multicast services; the current network only supports
unicast. To support multicast, the design adds multicast forwarding to the MPLS core and
Layer 2 (VPLS) aggregation at the edge.

The aim of Pacific Internet Solutions is to incorporate efficient delivery of IPTV services into its
delivery capabilities.

Pacific Internet Solutions expects that after IPTV is available to subscribers its number of
subscribers will increase from the present 20,000 to 100,000 over the next 5 years.
General Requirements:
 A network that supports multicast services.
 Minimize costs by containing bandwidth requirements while still supporting the subscriber
increase and maintaining a high level of customer experience.
 Virtual private LAN services (VPLS).
 High quality video and fast channel changes.
Detailed list of business requirements:
 Incorporate efficient delivery of IPTV into the company's delivery capabilities.
 Multicast services.
 Support the increase of subscribers from 20,000 to 100,000 in 5 years.
 Virtual private LAN services (VPLS).
 Layer 2 VPNs.
 MPLS core infrastructure.
 Minimize costs.
 Contain bandwidth requirements.
 Maintain a high level of customer experience.
 Provide high quality video and fast channel changes.

Network design Proposal:


 Why the current network configuration does not meet the business requirements:
The present network configuration does not meet the business requirements because it only
supports unicast services. A unicast service sends each IP packet from one source to one
destination, so delivering the same channel to N subscribers costs N copies of the stream. A
multicast transmission sends one copy of each IP packet to a group of destinations
simultaneously, and the network replicates it only where the paths to receivers diverge. Because
the same stream must be viewed at many locations at the same time, the best option for the
business is an efficient IPTV delivery method based on IP multicast group addresses.
 Prediction of future network demands and the impact of this on the proposed
network design.
A key requirement in IPTV networks is the ability to deliver high-quality video streams to
subscribers while minimizing costs and containing bandwidth. IP multicast is used to allow the
network to copy and forward copies of the same source stream to a large number of viewers. The
set-top box (STB) sends IGMP join messages that terminate at an Access Node (AN) or
Broadband Services Router (BSR). In turn, the AN or BSR responds by forwarding the requested
multicast group (television channel) to the subscriber who made the request. Frequently, the
access network is overbuilt to ensure that every channel can be delivered to every access node.

Instead of overbuilding the network, IP multicast can preserve bandwidth by sending multicast
groups across the network only where they are required. This is most critical in DSL networks,
which can only accommodate a limited number of channels because of the bandwidth constraints
of the subscriber line. In addition, the rise in unicast video, such as video on demand (VOD),
replay TV or streaming video downloaded from the Internet, can result in the link to the AN
becoming a congestion point, where the bandwidth consumed by multicast IPTV must be
restricted. Taking advantage of multicast in this way requires that the network be able to prevent
the interface between the AN and the BSR from becoming congested, which could happen if the
amount of bandwidth consumed by multicast IPTV is not bounded.

When multicast is replicated towards the access node, the simplest method for traffic planning is
to send a copy of all multicast groups from the BSR to the AN, ensuring there is no congestion at
the network edge. For example, if there is 500 Mbps of offered multicast traffic, the entire
500 Mbps is sent to the AN. This works for small multicast group counts or if there is a surplus
of bandwidth to the AN. As the network evolves, however, sending all groups to the AN becomes
inefficient and can even reduce the bandwidth left for revenue-generating unicast applications.

This inefficiency is highlighted in the following graphs. Figure 2 shows the offered load of
multicast received by the BSR from the core network. The average multicast load is 343 Mbps.
This is a steady average across all days of the week and depends solely on the number of
multicast groups (that is, TV channels) and their corresponding bandwidths. This value only
changes with the number of groups offered and with the encoding rate, which falls with more
efficient encoding schemes or rises as HDTV is adopted. It is independent of user viewing.

Actual user multicast consumption was measured at the BSR MVLAN for a user base of 2,000
households, as shown in Figure 3. The average bandwidth is only 141 Mbps, about 40 percent of
the offered load. The peak is measured at 170 Mbps, still only about 50 percent of the offered
multicast load. This highlights the bandwidth savings that can be achieved by not planning for all
multicast groups to be pushed to the AN at all times.
------------------------------------------------------------------------------------------------------------------
The solution
 Description of the network design:

We have assessed your business request and would like to present the design and implementation
of an IPTV network infrastructure using MPLS for the delivery of high quality multimedia
content that will meet your business requirements.

IPTV refers to Internet Protocol Television, where an IP network is used to deliver TV programs
and videos that are either live or on demand. IPTV is a system in which digital television service
is delivered to the subscriber over Internet Protocol technology via a broadband connection. The
packet network protocols are the same standards used on the internet, and the best way to offer
multicast VPN services while leveraging the strength and scalability of the existing BGP/MPLS
VPN technology is Multiprotocol BGP Multicast VPN (BGP MVPN, RFC 6513 and RFC 6514).

BGP MVPN extends BGP/MPLS IP VPNs (RFC 4364), a method by which a service provider may
use an IP backbone to provide IP Virtual Private Networks (VPNs) for its customers. This method
uses a peer model, in which the customer's edge routers (CE routers) send their routes to the
service provider's edge routers (PE routers); CE routers at different sites do not peer with each
other. Data packets are tunnelled through the backbone, so that the core provider routers
(P routers) do not need to know the VPN routes. The primary goal of this method is to support
the outsourcing of IP backbone services for enterprise networks. It does so in a manner which is
simple for the enterprise, while remaining scalable and flexible for the service provider, and while
allowing the service provider to add value.

The core network infrastructure will be built on MPLS. The requirement to support multiple
services, including voice and video, on converged IP and Multiprotocol Label Switching
(IP/MPLS) networks has driven developments in quality of service (QoS), resiliency,
availability and scalability. As a result, IP/MPLS networks can now deliver the service quality
demanded by the highest-quality video services.

The multicast will be set up in an existing VPLS to optimize multicast transport and assure
quality of service while reducing wasted bandwidth. Multicast in VPLS serves IPTV whenever
more than one subscriber requests the same channel at the same time. For multicast routing,
PIM-SSM is recommended. SSM is the IP multicast model in which the network builds a separate
distribution tree for each multicast source, and receivers subscribe to a specific (source, group)
pair with IGMPv3 and receive content directly from that source. We advise SSM because it offers
benefits to IPTV over ASM: the senders' identities are known before the application sessions
start, there is no rendezvous point to deploy, and the network only forwards traffic from the
registered source, so a rogue host cannot inject traffic into a channel's group. This provides
simplification, security and scalability. We also identified that you currently use Layer 3 VPN;
we suggest implementing Layer 2 aggregation with IGMP snooping at the access, because the
channels are then directly available at the aggregation switch, there is no need to signal each
"join" and "leave" all the way up to the source, resources for handling multicast are shared, and
channel-change (zapping) time decreases.
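As an added example serving both the bandwidth discussion above (the BSR to AN link must not be congested by multicast) and the SSM with IGMP snooping recommendation, the following Python models join-driven forwarding at an access node: a channel is replicated onto the link only while at least one set-top box has joined its (S,G), it is pruned on the last leave, and a new join is refused when it would push multicast past a configured cap so that unicast keeps its share. This is illustration code, not part of the proposal or of any vendor's software; the channel line-up, bit rates, the 1 Gbps link and the 180 Mbps cap are constructed figures.

```python
"""Added example: join-driven multicast with a bounded budget on one
BSR -> AN link. Line-up, rates, link size and cap are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    source: str   # SSM source address the STB joins (IGMPv3 (S,G))
    group: str    # multicast group address
    kbps: int     # encoding rate


def build_lineup():
    """Constructed line-up: 100 SD channels at 3 Mbps, 20 HD at 8 Mbps."""
    lineup = {}
    for n in range(1, 101):
        lineup[f"sd-{n}"] = Channel("10.0.0.1", f"232.1.1.{n}", 3000)
    for n in range(1, 21):
        lineup[f"hd-{n}"] = Channel("10.0.0.2", f"232.1.2.{n}", 8000)
    return lineup


class AccessLink:
    """One BSR -> AN interface. A channel is replicated onto the link only
    while it has at least one joined subscriber, and total multicast is
    capped so unicast (VoD, replay, internet) keeps guaranteed headroom."""

    def __init__(self, lineup, capacity_kbps, multicast_cap_kbps):
        self.lineup = lineup
        self.capacity = capacity_kbps
        self.cap = multicast_cap_kbps
        self.members = {}  # channel name -> set of subscribers joined

    def multicast_load(self):
        return sum(self.lineup[ch].kbps for ch in self.members)

    def unicast_headroom(self):
        return self.capacity - self.multicast_load()

    def join(self, subscriber, channel):
        """Admission control for an IGMP join; returns the decision."""
        if channel not in self.lineup:
            return "unknown-channel"
        if channel in self.members:
            self.members[channel].add(subscriber)  # already on the link: free
            return "joined"
        if self.multicast_load() + self.lineup[channel].kbps > self.cap:
            return "rejected-cap"
        self.members[channel] = {subscriber}
        return "joined"

    def leave(self, subscriber, channel):
        viewers = self.members.get(channel)
        if viewers is None:
            return
        viewers.discard(subscriber)
        if not viewers:
            del self.members[channel]  # last viewer gone: prune the group


def simulate():
    """Push-all planning versus join-driven forwarding on a 1 Gbps link
    with a 180 Mbps multicast cap, using constructed viewing patterns."""
    lineup = build_lineup()
    link = AccessLink(lineup, capacity_kbps=1_000_000, multicast_cap_kbps=180_000)
    r = {"offered_kbps": sum(c.kbps for c in lineup.values())}  # push-all load
    for sub in range(40):                     # 40 STBs spread over 10 SD channels
        link.join(f"stb-{sub}", f"sd-{sub % 10 + 1}")
    for sub in range(40, 50):                 # 10 STBs on hd-1 .. hd-10
        link.join(f"stb-{sub}", f"hd-{sub - 39}")
    r["load_after_initial"] = link.multicast_load()
    # Prime-time burst: 10 more STBs each want a new HD channel (hd-11 .. hd-20).
    results = [link.join(f"stb-{sub}", f"hd-{sub - 39}") for sub in range(50, 60)]
    r["rejected"] = results.count("rejected-cap")
    r["load_after_burst"] = link.multicast_load()
    link.leave("stb-40", "hd-1")              # only viewer of hd-1: pruned
    r["load_after_leave"] = link.multicast_load()
    r["retry"] = link.join("stb-58", "hd-19")  # freed budget admits the retry
    r["final_load"] = link.multicast_load()
    r["groups_forwarded"] = len(link.members)
    r["unicast_headroom"] = link.unicast_headroom()
    return r


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The push-all figure (`offered_kbps`, every channel sent regardless of viewing) exceeds the cap on its own, while the join-driven load stays under it; the two rejected joins show the trade-off the text describes, since bounding multicast means some channel requests are refused at peak rather than unicast applications being starved.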

We suggest setting up caches. This decreases network bandwidth usage by removing repeated
downloads of the same content by different clients, and so reduces costs by mitigating the
growing need for more bandwidth; it applies to the unicast video on demand and replay traffic,
since live channels are already replicated by multicast. For the customer, caching reduces the
time needed to fetch the requested content and can improve audio/video quality by reducing the
chance that packets are dropped or delayed.

The MPLS platform is designed and built using advanced Label Switch Routers (LSRs). These
LSRs are responsible for establishing connection-oriented paths to specific destinations on the
IPTV network. These virtual paths are called Label Switched Paths (LSPs) and are configured
with enough resources to ensure the smooth transit of IPTV traffic through the MPLS network.
The use of LSPs simplifies and speeds up the forwarding of packets through the network because
the full IP header lookup and traffic classification occur only at the ingress LSR; every other hop
forwards on the label alone.

In an MPLS core, bandwidth is usually not left to chance: you allocate the appropriate amount of
bandwidth on each LSP between sites based on the channel line-up, the encoding rates and the
number of subscribers served. This bandwidth is in addition to whatever the network already
carries for other applications, such as voice and data traffic between the sites. To provide
prioritisation and scheduling for the different types of traffic, QoS must be enabled on the
allocated bandwidth. When it comes to bandwidth, the basic guideline is to over-provision and
under-subscribe.

Why go for IPTV?

 The widespread adoption and usability of broadband.
 Internet access has become very easy and user-friendly.
 The dynamic competition between traditional telephone service providers and cable
service providers to provide a combined service of data, voice, video and
communication.
Advantages of IPTV:

 Capability to be easily integrated with other IP-based services such as VoIP or high-
speed internet.
 It uses the existing IP network, so no separate cable plant is needed.
 Content remains in the network and only the content that the consumer selects gets
delivered to the customer.
 One of the most interesting features of IPTV is the Electronic Program Guide (EPG) and
the Personal Video Recorder (PVR), which are fully interactive and tailored to the
consumer's personal needs.
 All these features make IPTV more cost-effective, robust and scalable.
 Virtual private LAN services.

Limitations of IPTV:

One of the limitations of IPTV is that it is sensitive to packet loss and delay when the underlying
transport is unreliable. IPTV has strict minimum speed requirements in order to deliver the
required number of frames per second for moving pictures. This means that limited connection
speed and bandwidth for a large IPTV customer base can reduce the service quality delivered.

Streaming IPTV across wireless links within the home has proved troublesome; not due to
bandwidth limitations as many assume, but due to issues with multipath and reflections of the RF
signal carrying the IP data packets. An IPTV stream is sensitive to packets arriving at the right
time and in the right order. Improvements in wireless technology are now starting to provide
equipment to solve the problem.

Due to the limitations of wireless, most IPTV service providers today use wired home
networking technologies instead of wireless technologies like IEEE 802.11. Service providers
such as AT&T (which makes extensive use of wireline home networking as part of its AT&T U-
verse IPTV service) have expressed support for the work done in this direction by ITU-T, which
has adopted Recommendation G.hn (also known as G.9960), which is a next-generation home
networking standard that specifies a common PHY/MAC that can operate over any home wiring
(power lines, phone lines or coaxial cables).

On the other hand, MBGP (the multiprotocol extensions to BGP, RFC 4760) adds address
families to BGP so that multicast reachability information can be exchanged between BGP
autonomous systems. MBGP would not be used for the content distribution network unless the
content distribution network consisted of multiple autonomous systems. Since the content
distribution network connects regional head ends and the content management system located in
the national head end, it is conceivable that the content distribution network is composed of
multiple autonomous systems. Vulnerabilities in MBGP are mainly those of the underlying BGP
protocol and its TCP session.
Malformed MBGP packets could be crafted by an attacker and sent to MBGP routers in the
national head end or content distribution network. If a router uses the message or attribute
lengths carried in such a packet without checking them against the bytes actually received, the
result can be a buffer overflow or a hang/crash of the MBGP router. The usual mitigations are to
accept BGP sessions only from explicitly configured peers, to authenticate those sessions
(TCP MD5 per RFC 2385 or TCP-AO per RFC 5925), to apply the TTL security check of
RFC 5082 on directly connected sessions, and to keep router software current.
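The length-checking discipline described above, as an added Python example (not part of the proposal or of any router's code): a defensive parser for a BGP UPDATE carrying an MP_REACH_NLRI attribute, following the header rules of RFC 4271 and the attribute layout of RFC 4760, which rejects a message with a forged length before any field is read out of bounds. The sample UPDATE (IPv4 multicast SAFI, next hop 10.0.0.1, prefix 232.1.1.0/24) is constructed inline, and the forged lengths are the ones an attacker would manipulate.

```python
"""Added example: defensive parsing of a BGP/MBGP UPDATE (RFC 4271/4760).
Every length field is checked against the bytes on hand before use, so a
malformed message raises BgpParseError instead of an out-of-bounds read.
The sample messages are constructed for illustration."""
import struct

MARKER = b"\xff" * 16
MIN_LEN, MAX_LEN = 19, 4096          # RFC 4271 section 4.1
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
MP_REACH_NLRI = 14                   # RFC 4760 multiprotocol attribute
EXTENDED_LENGTH = 0x10               # attribute flag: 2-byte length field


class BgpParseError(ValueError):
    """Raised instead of trusting a bad length; a real speaker would send a
    NOTIFICATION and close the session."""


def parse_header(msg):
    if len(msg) < MIN_LEN:
        raise BgpParseError("header: fewer than 19 bytes")
    if msg[:16] != MARKER:
        raise BgpParseError("header: bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if not MIN_LEN <= length <= MAX_LEN:
        raise BgpParseError(f"header: length {length} outside 19..4096")
    if length > len(msg):
        raise BgpParseError("header: declared length exceeds received bytes")
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise BgpParseError(f"header: unknown type {mtype}")
    return mtype, msg[19:length]


def parse_attributes(buf):
    """Walk the path-attribute TLVs, validating each length before use."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise BgpParseError("attribute: truncated TLV header")
        flags, code = buf[i], buf[i + 1]
        if flags & EXTENDED_LENGTH:
            if i + 4 > len(buf):
                raise BgpParseError("attribute: truncated extended length")
            alen, hdr = struct.unpack("!H", buf[i + 2:i + 4])[0], 4
        else:
            alen, hdr = buf[i + 2], 3
        if i + hdr + alen > len(buf):
            raise BgpParseError(f"attribute {code}: length {alen} overruns message")
        attrs.append((code, buf[i + hdr:i + hdr + alen]))
        i += hdr + alen
    return attrs


def parse_update(body):
    if len(body) < 4:
        raise BgpParseError("update: shorter than 4 bytes")
    wlen = struct.unpack("!H", body[:2])[0]
    if 2 + wlen + 2 > len(body):
        raise BgpParseError("update: withdrawn-routes length overruns message")
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    if 4 + wlen + alen > len(body):
        raise BgpParseError("update: path-attribute length overruns message")
    attrs = parse_attributes(body[4 + wlen:4 + wlen + alen])
    return attrs, body[4 + wlen + alen:]


def decode_mp_reach(payload):
    """AFI, SAFI, next hop and NLRI bytes of an MP_REACH_NLRI attribute."""
    if len(payload) < 5:
        raise BgpParseError("mp_reach: truncated")
    afi, safi, nhlen = struct.unpack("!HBB", payload[:4])
    if 4 + nhlen + 1 > len(payload):          # +1 for the reserved octet
        raise BgpParseError("mp_reach: next-hop length overruns attribute")
    return afi, safi, payload[4:4 + nhlen], payload[5 + nhlen:]


def validate(msg):
    """Return 'ok' or the reason the message was rejected."""
    try:
        mtype, body = parse_header(msg)
        if mtype == UPDATE:
            for code, payload in parse_update(body)[0]:
                if code == MP_REACH_NLRI:
                    decode_mp_reach(payload)
        return "ok"
    except BgpParseError as e:
        return str(e)


def build_update(attr_len=None, header_len=None):
    """Constructed UPDATE with one MP_REACH_NLRI (AFI 1 IPv4, SAFI 2
    multicast): next hop 10.0.0.1, prefix 232.1.1.0/24. The overrides forge
    the attribute length or the header length as an attacker would."""
    payload = struct.pack("!HBB", 1, 2, 4) + bytes([10, 0, 0, 1]) + b"\x00"
    payload += bytes([24, 232, 1, 1])
    alen = len(payload) if attr_len is None else attr_len
    attr = bytes([0x80, MP_REACH_NLRI, alen]) + payload   # flags: optional
    body = struct.pack("!HH", 0, len(attr)) + attr
    total = MIN_LEN + len(body) if header_len is None else header_len
    return MARKER + struct.pack("!HB", total, UPDATE) + body
```

`validate(build_update())` returns "ok", while the forged variants (`attr_len=200`, `header_len=5000`, or a message truncated below its declared length) are each rejected with a reason that names the offending field, which is also what an operator would want logged when a peer starts sending such packets.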

Consideration of Design

The following is the proposed network design that was presented in the high-level design (HLD):

 The architecture will be implemented to alleviate the strain on peering bandwidth, which
will necessitate the use of a transparent proxy and a reverse proxy. To improve latency, data
centres and cache domains should be placed according to geographic and topology
considerations. Building the data centres in this manner also gives strategic insight into which
channels, content or sites are accessed most often per location, which can feed future peering,
channel prioritisation and routing decisions.
 To meet bandwidth needs, the backbone of the network infrastructure is built from
aggregated ten gigabit links. The first year's design includes 15 TenGig links, which can
accommodate a total of 20,000 subscribers. The backbone links are intended to be the largest
in capacity, as they will carry the majority of the network's traffic.
 Access bandwidth allocation can be up to 1x TenGig port, depending on the MSAN or
distribution device. The number of MSANs will vary depending on where the termination
occurs, such as different racks, rooms or colocation sites.
 Last-mile links are more flexible, since there are many third-party link providers to choose
from, which cuts cost compared with laying PIS's own FTTH. If the subscriber count grows to
the point where it becomes economical, laying PIS's own FTTH would give better scalability.
The last-mile links present the biggest challenge, as subscriber locations are not
pre-determined and subscriptions will be added and cancelled over time.
The Broadband Forum has defined requirements for establishing an optimized network and
management platform for IPTV which addresses specific issues in three network realms:
Broadband Access, Broadband Control and Broadband Home. We will make sure to follow those
standards to ensure a high level of customer experience. These efforts address the following key
areas:

· Broadband Access – Defines specifications for broadband "agnostic" access network
architectures that deliver inherent quality, scalability, resiliency and inter-working capabilities
that enable services to be delivered via multiple business models.

· Broadband Control – Creates an intelligent, programmable control layer that unifies all next
generation network assets and empowers service providers to deliver personalized services that
enhance the subscriber experience.

· Broadband Home – Unifies the home networking environment by establishing a common set
of CPE capabilities as well as automating device activation and configuration in order to simplify
the service delivery process. Collectively the Broadband Suite domains provide an end-to-end
transport architecture that gives service providers a solid foundation on which to deliver next-
generation services such as IPTV, while reducing operations costs through automated network
operations.

I trust that the proposed design meets all the business requirements, providing you with reliable
technology as IPTV which will reduce costs and reduce bandwidth.

Kind Regards,

GaganIT
