Metropolitan networks - Redundancy and security
www.huawei.com
Tomáš Zloch, tomas.zloch@huawei.com
Where are wireless networks heading?
- LTE arrives in 2013
- The 10 GHz band is full
- 2.4/5 GHz no longer has enough capacity, and...
- So what next? Back underground...
Page 2
Active or passive? GPON vs P2P Ethernet
GPON in 2012:
- 10GPON card
- New control cards (higher throughput)
- Higher PON port density (16 ports on one card)
Page 3
Protection on three layers for maximum availability
Network layer:
- LAG (LACP): 200 ms protection
- MSTP ring: 1 s; RRPP ring: 50 ms
- VRRP dual homing: 100 ms
Access layer (PON protection types):
- Normal: no protection
- Type B: 50 ms
- Type B+: dual OLT
- Type C: end-to-end (E2E) backup; active path and backup path through the splitter, 50 ms
Physical layer: fully redundant OLT
- Two power supply cards
- Two control cards (SCUN)
- Two uplink cards
[Diagram: network layer with LAG, RRPP, MSTP and VRRP between OLTs; access layer with active and backup paths from the OLTs to the splitter; legend: active path, backup path]
Page 4
Metropolitan networks on P2P
Page 5
Core layer: BGP router
NE40E-X3 (6 million routes, 40G/100G per slot)
- Dual MPUs
- 5U, 3 service slots
- Power supply 1+1 backup
- Fan 1+1 backup
(in one cabinet)
Page 6
Core layer: BFD
- BFD hello datagram, 10 ms sending interval
- BFD for VRRP
- BFD for IS-IS/OSPF
- BFD for BGP
- BFD for TE Fast Reroute
- BFD for PIM
- BFD for LSP
Rich BFD feature set: one detection mechanism reused across many failover scenarios.
Page 7
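The slide lists BFD as the common liveness detector under VRRP, IGPs, BGP, FRR and LSPs, but it does not show how the 10 ms interval turns into an actual failure detection time. The following is an added example, not code from the slides or from Huawei: it applies the asynchronous-mode timer rules of RFC 5880 (section 6.8.4) to two constructed peers, replays a constructed timeline of received BFD packets, and shows the "BFD for VRRP" coupling as a priority reduction when the session goes Down. The peer names, interval values, priorities and the timeline are all assumptions made for the example.

```python
"""BFD asynchronous-mode timers and failure detection, as on the "BFD" slide.

Added example (not Huawei code): the negotiation rules follow RFC 5880 section
6.8.4; the peers, the 10 ms interval and the arrival timeline are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BfdPeer:
    name: str
    desired_min_tx_ms: int   # bfd.DesiredMinTxInterval: rate this system wants to send at
    required_min_rx_ms: int  # bfd.RequiredMinRxInterval: slowest rate it will accept from the peer
    detect_mult: int         # bfd.DetectMult: consecutive missed packets before declaring Down


def tx_interval_ms(sender: BfdPeer, receiver: BfdPeer) -> int:
    """Interval at which `sender` really transmits toward `receiver`: the larger of
    what the sender wants and what the receiver says it can handle."""
    return max(sender.desired_min_tx_ms, receiver.required_min_rx_ms)


def detection_time_ms(local: BfdPeer, remote: BfdPeer) -> int:
    """Silence after which `local` declares the session Down: the remote's Detect Mult
    multiplied by the interval the remote actually sends at."""
    return remote.detect_mult * tx_interval_ms(remote, local)


def failure_time_ms(local: BfdPeer, remote: BfdPeer,
                    rx_times_ms: List[int], observed_until_ms: int) -> Optional[int]:
    """Replay packet arrival times (ms, ascending) at `local`. The detection timer
    is re-armed on every packet; return the instant it first expires, or None if it
    has not expired by `observed_until_ms`."""
    if not rx_times_ms:
        return None
    detect = detection_time_ms(local, remote)
    deadline = rx_times_ms[0] + detect
    for t in rx_times_ms[1:]:
        if t > deadline:        # gap longer than the detection time: session Down
            return deadline
        deadline = t + detect
    return deadline if deadline <= observed_until_ms else None


def vrrp_priority_after(local: BfdPeer, remote: BfdPeer, rx_times_ms: List[int],
                        observed_until_ms: int, base_priority: int = 120,
                        reduce_by: int = 30) -> int:
    """'BFD for VRRP' on the slide: the VRRP instance tracks the BFD session and
    lowers its priority when the session goes Down, so the backup wins the election.
    The priority values are constructed."""
    down = failure_time_ms(local, remote, rx_times_ms, observed_until_ms) is not None
    return base_priority - reduce_by if down else base_priority


if __name__ == "__main__":
    a = BfdPeer("A", desired_min_tx_ms=10, required_min_rx_ms=10, detect_mult=3)
    b = BfdPeer("B", desired_min_tx_ms=10, required_min_rx_ms=10, detect_mult=3)
    print("detection time at A:", detection_time_ms(a, b), "ms")
    # constructed timeline: packets every 10 ms, then the link dies after t=40
    timeline = [0, 10, 20, 30, 40]
    print("A declares Down at:", failure_time_ms(a, b, timeline, 200), "ms")
    print("VRRP priority at A after tracking:", vrrp_priority_after(a, b, timeline, 200))
```

With both peers at 10 ms and a multiplier of 3 the session is declared Down 30 ms after the last valid packet, which is what makes the 50 ms and 100 ms switchover figures on the earlier slide reachable. The asymmetric case in the test below (one peer only willing to receive every 50 ms) shows why the two directions can have very different detection times: each side's timer is driven by the other side's effective transmit rate, so a slow receiver on one router silently stretches the detection time on the other.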
Core layer: firewall (VRRP)
Zones: Trust (PC), DMZ (PC, server), Untrust.
EudemonA is the VRRP master and holds the session entry; EudemonB is the backup. Traffic flows through the master. A packet of the same session that reaches the backup finds no session entry there and will be discarded.
[Diagram legend: physical connection, packet flow]
Page 8
Core layer: firewall (HRP)
FirewallA (master) creates the session entry for the flow between PC1 (Trust) and PC2 (DMZ); HRP synchronises that entry to FirewallB (backup), so the backup can forward packets of the session when traffic is switched over to it.
[Diagram: packet path steps (1)-(8) through FirewallA and FirewallB; legend: actual connection, packet traffic]
Page 9
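The two firewall slides make one point: VRRP alone moves the gateway address, but a stateful firewall also needs the session table on the box that now sees the traffic, otherwise the return packets hit the "will be discarded" path. The following is an added example, not code from the slides or from Huawei: it models two zone-based stateful firewalls, runs the same Trust-to-Untrust session through a failover once with VRRP only and once with session synchronisation, and shows the difference in what happens to the server's reply. The zone layout, addresses and policy are constructed, and "HRP" is reduced here to "copy every new session entry to the peer"; the real protocol also carries VRRP state and other tables.

```python
"""Stateful firewall pair: VRRP-only failover versus HRP session synchronisation.

Added example, not Huawei code. The addressing plan, zone policy and flows are
constructed, and HRP is modelled only as "replicate every new session entry to
the peer firewall".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed zone layout: the most specific prefix wins, 0.0.0.0/0 is Untrust.
ZONES = {
    ip_network("10.1.0.0/16"): "trust",
    ip_network("172.16.0.0/24"): "dmz",
    ip_network("0.0.0.0/0"): "untrust",
}

# Zone pairs allowed to open a new session; anything else needs an existing entry.
POLICY = {("trust", "untrust"), ("trust", "dmz"), ("untrust", "dmz")}

SessionKey = Tuple[str, str, int, str, int]


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    best = max((net for net in ZONES if addr in net), key=lambda net: net.prefixlen)
    return ZONES[best]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def key(self) -> SessionKey:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> SessionKey:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Firewall:
    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions: Set[SessionKey] = set()
        self.hrp_peer: Optional["Firewall"] = None

    def enable_hrp(self, peer: "Firewall") -> None:
        """Pair the two boxes: every session either one creates is copied to the other."""
        self.hrp_peer, peer.hrp_peer = peer, self

    def handle(self, pkt: Packet) -> str:
        # Fast path: the packet belongs to a session this box already knows (either direction).
        if pkt.key() in self.sessions or pkt.reverse_key() in self.sessions:
            return "forward"
        # Slow path: only a policy-permitted zone pair may create a new session.
        if (zone_of(pkt.src), zone_of(pkt.dst)) in POLICY:
            self.sessions.add(pkt.key())
            if self.hrp_peer is not None:
                self.hrp_peer.sessions.add(pkt.key())  # HRP: the backup learns the entry
            return "forward"
        return "drop"  # no session, no policy match: the slide's "will be discarded"


def failover_scenario(with_hrp: bool) -> Tuple[str, str]:
    """A Trust client opens a session through the master; VRRP then fails over and
    the server's reply arrives at the former backup. Returns (first, after_failover)."""
    master, backup = Firewall("EudemonA"), Firewall("EudemonB")
    if with_hrp:
        master.enable_hrp(backup)
    syn = Packet("10.1.1.10", "203.0.113.5", 40000, 443)     # Trust -> Untrust
    reply = Packet("203.0.113.5", "10.1.1.10", 443, 40000)   # Untrust -> Trust, same flow
    first = master.handle(syn)
    after_failover = backup.handle(reply)
    return first, after_failover


if __name__ == "__main__":
    print("VRRP only:", failover_scenario(with_hrp=False))
    print("VRRP + HRP:", failover_scenario(with_hrp=True))
```

The synchronisation channel itself becomes security-relevant once it exists: a session entry planted on the backup is a hole in its policy, so the link carrying the session updates belongs on a dedicated interface, not on a production VLAN.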
Core layer: firewall
Page 10
AntiDDoS (nice to have)
ATIC: Abnormal Traffic Inspection & Control
[Diagram: threats and attacks arriving at the network egress, IP/MPLS core and access layer; ATIC solution placed at the egress]
Overview:
- The solution consists of the detecting center, the cleaning center, and the ATIC management center.
- It deploys flexibly at the network egress and at user APs such as the MAN egress, IDC/Zone AP, and provincial network egress.
- It delivers traffic attack defense, application-layer attack defense, and user behavior analysis.
Objective:
- Ensure the IP telecom network SLA.
- Monitor and release abnormal traffic.
- Provide value-added security services.
Page 11
AntiDDoS (nice to have)
Core anti-DDoS operation
[Diagram: core router with optical splitting/mirroring toward the detecting SPU and traffic diversion/injection toward the cleaning SPU; detecting log and cleaning log sent to the ATIC management center, which returns the cleaning policy; customers (DSL, IDC, enterprise, zone) behind an intermixed device; differentiated defense and customer information query; legend: optically split/mirrored traffic, diverted traffic, injected traffic]
- Provides unidirectional anti-DDoS operation services for downstream devices.
- The detecting SPU inspects the entire traffic in mirroring mode and reports anomalies to the ATIC management center as soon as it identifies them.
- The ATIC management center then delivers a traffic-diversion instruction to the cleaning SPU, which advertises a traffic-diversion route to pull in and clean the given traffic.
- This is applicable to small IDC secure broadband operation.
Page 12
AntiDDoS (nice to have)
Solution: attack defense deployed at the MAN egress (core router, detecting center, cleaning center, ATIC management center) to achieve the following goals:
1. Defend against traffic flood attacks to avoid link congestion.
2. Protect the key services of the zones to dispel application-layer attacks.
In this scenario, the detecting device + cleaning device + ATIC management center networking is recommended.
Page 13
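The three anti-DDoS slides describe a loop: the detecting center watches mirrored traffic, the management center decides, the cleaning center advertises a diversion route, scrubs, and re-injects. The following is an added example, not code from the slides or from Huawei: it replays that loop on a constructed set of flow records, with detection as a per-destination SYN count over a window, diversion as a more-specific /32 route toward the cleaning center that wins longest-prefix match in a minimal core routing table, and cleaning as a per-source SYN policy. The thresholds, prefixes, next-hop names and the sample flows are all constructed for the example.

```python
"""Detect, divert, clean, re-inject: the ATIC workflow replayed on constructed flow records.

Added example, not Huawei code. Thresholds, prefixes, next-hop names and the
sampled flows are constructed. Diversion is modelled as the cleaning center
advertising a /32 for the victim, which wins longest-prefix match in the core.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

SYN_PER_DST_THRESHOLD = 1_000   # detecting center: SYNs per destination per 1 s window
PER_SOURCE_SYN_LIMIT = 50       # cleaning policy: a single source above this is dropped


@dataclass(frozen=True)
class Flow:
    """One record from the mirrored traffic seen by the detecting SPU."""
    src: str
    dst: str
    syn_pkts: int
    pkts: int


def detect(flows: List[Flow], threshold: int = SYN_PER_DST_THRESHOLD) -> Set[str]:
    """Detecting center: aggregate SYNs per destination and flag the ones over threshold."""
    syn_per_dst: Counter = Counter()
    for f in flows:
        syn_per_dst[f.dst] += f.syn_pkts
    return {dst for dst, n in syn_per_dst.items() if n > threshold}


class RoutingTable:
    """Minimal core routing table with longest-prefix match."""

    def __init__(self) -> None:
        self.routes: Dict = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ip_network(prefix)] = next_hop

    def lookup(self, ip: str) -> str:
        addr = ip_address(ip)
        matches = [net for net in self.routes if addr in net]
        return self.routes[max(matches, key=lambda net: net.prefixlen)]


def divert(table: RoutingTable, victim: str) -> None:
    """Management center tells the cleaning SPU to advertise victim/32, so the core
    steers only that host's traffic into the cleaning center."""
    table.add(f"{victim}/32", "cleaning-center")


def clean(flows: List[Flow], victim: str,
          per_source_limit: int = PER_SOURCE_SYN_LIMIT) -> Tuple[List[Flow], List[Flow]]:
    """Cleaning center: drop sources that exceed the per-source SYN policy; everything
    else is re-injected toward the original next hop. Returns (forwarded, dropped)."""
    syn_per_src: Counter = Counter()
    for f in flows:
        if f.dst == victim:
            syn_per_src[f.src] += f.syn_pkts
    forwarded, dropped = [], []
    for f in flows:
        if f.dst != victim:
            continue
        (dropped if syn_per_src[f.src] > per_source_limit else forwarded).append(f)
    return forwarded, dropped


def run_window(flows: List[Flow], table: RoutingTable) -> Dict[str, Tuple[str, int, int]]:
    """One window end to end: victim -> (next hop after diversion, pkts re-injected, pkts dropped)."""
    result = {}
    for victim in detect(flows):
        divert(table, victim)
        fwd, drp = clean(flows, victim)
        result[victim] = (table.lookup(victim), sum(f.pkts for f in fwd), sum(f.pkts for f in drp))
    return result


# Constructed sample: ten bots flooding 203.0.113.10 with SYNs, one legitimate
# client of that host, and unrelated traffic to 203.0.113.20.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", "203.0.113.10", syn_pkts=200, pkts=200) for i in range(1, 11)]
    + [Flow("192.0.2.7", "203.0.113.10", syn_pkts=3, pkts=120),
       Flow("192.0.2.8", "203.0.113.20", syn_pkts=5, pkts=300)]
)


def build_core_table() -> RoutingTable:
    table = RoutingTable()
    table.add("203.0.113.0/24", "zone-router")   # normal path into the protected zone
    return table


if __name__ == "__main__":
    table = build_core_table()
    print("before diversion:", table.lookup("203.0.113.10"))
    print(run_window(SAMPLE_FLOWS, table))
    print("victim ->", table.lookup("203.0.113.10"), "; untouched host ->", table.lookup("203.0.113.20"))
```

Two things the model makes visible: only the victim's /32 moves, so the other host in the same /24 keeps its normal path, and the re-injected traffic must not be routed by the same table that now holds the /32, or it loops straight back into the cleaner; in practice the injection leg is a tunnel or policy route that bypasses that lookup.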
L2 redundancy
Protocols for redundancy at L2:
- MSTP
- LACP
- RRPP: protection of ring networks
- SEP (Smart Ethernet Protection): faster than STP, 50 ms, independent of the number of nodes
Page 14
Smart Ethernet Protection (SEP)
[Diagram: segments 1, 2 and 3 of 5700 switches attached to STP public nodes A and B; the primary edge port blocks VLAN 1-100 and the secondary edge port blocks VLAN 101-200; endless topology cascade expansion; supports mixed STP networks and load balancing]
- Cost-effective: SEP does not need special hardware support.
- Faster convergence: SEP converges within 100 ms.
- Flexible network: SEP supports multi-level cascading and mixed STP subnets, has good scalability, and is suitable for large-scale deployment.
- High reliability: SEP supports bidirectional detection and load balancing (one edge port blocks VLAN 1-100, the other VLAN 101-200, so both links carry traffic).
Page 15
End port
- End-port isolation
- Protection against BPDU frames
- Loop protection on the user side
- Limit on the number of MAC addresses
- Limit on the number of multicast groups received
- Rate limit on data sent into the network
- Blocking of multicast transmission into the network
- Protection against rogue DHCP servers
- Plus built-in 6 kV surge protection on every port
Page 16
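The end-port slide is a checklist; what it does not show is the order in which those checks bite on real frames, and which one stops which attack. The following is an added example, not code from the slides or from Huawei: it models a user-facing access port as a small policy engine and pushes a constructed sequence of frames through it (a client that suddenly starts answering as a DHCP server, a third MAC behind the port, user-sourced multicast, a BPDU from a switch someone plugged in), plus a port-isolation check at switch level. The frame model, the limits, the port names and the frame sequence are constructed; loop detection and the surge protection are not modelled.

```python
"""Access-port hardening from the "End port" slide, applied to constructed frames.

Added example, not Huawei code. The frame model, limits and frame sequence are
constructed; each check is a simplified model of the listed feature.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

DHCP_SERVER_MESSAGES = {"offer", "ack", "nak"}   # only a server sends these


@dataclass(frozen=True)
class Frame:
    src_mac: str
    kind: str                       # "data", "bpdu", "dhcp", "igmp_join", "multicast"
    dhcp_op: Optional[str] = None   # for kind == "dhcp": "discover", "offer", "request", "ack", "nak"
    group: Optional[str] = None     # for kind == "igmp_join": the multicast group


@dataclass
class AccessPort:
    name: str
    max_macs: int = 2                        # MAC address limit
    max_groups: int = 4                      # multicast group limit
    pps_limit: int = 100                     # ingress rate limit per 1 s tick (constructed)
    dhcp_trusted: bool = False               # user ports are untrusted: no DHCP server replies
    bpdu_protection: bool = True             # edge port: a BPDU means a switch was attached
    multicast_source_allowed: bool = False   # "blocking of multicast transmission into the network"
    learned: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    pps_this_tick: int = 0
    err_disabled: bool = False

    def tick(self) -> None:
        """Start of a new 1 s interval for the rate limiter."""
        self.pps_this_tick = 0

    def ingress(self, f: Frame) -> str:
        if self.err_disabled:
            return "drop:err-disabled"
        if f.kind == "bpdu" and self.bpdu_protection:
            self.err_disabled = True          # shut the port rather than let a user switch join STP
            return "drop:bpdu-protection"
        if f.src_mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                return "drop:mac-limit"       # caps MAC flooding and rogue hubs behind the port
            self.learned.add(f.src_mac)
        self.pps_this_tick += 1
        if self.pps_this_tick > self.pps_limit:
            return "drop:rate-limit"
        if f.kind == "dhcp" and f.dhcp_op in DHCP_SERVER_MESSAGES and not self.dhcp_trusted:
            return "drop:dhcp-snooping"       # rogue DHCP server on a user port
        if f.kind == "igmp_join":
            if f.group not in self.groups and len(self.groups) >= self.max_groups:
                return "drop:igmp-group-limit"
            self.groups.add(f.group)
        if f.kind == "multicast" and not self.multicast_source_allowed:
            return "drop:multicast-source"
        return "forward"


def isolated_forwarding_allowed(src_port: str, dst_port: str, isolation_group: Set[str]) -> bool:
    """Port isolation: two users in the same isolation group may not talk to each
    other directly; the uplink (outside the group) is still reachable."""
    return not (src_port in isolation_group and dst_port in isolation_group)


def scenario() -> List[str]:
    """Constructed frame sequence on one untrusted user port."""
    port = AccessPort("GE0/0/1")
    frames = [
        Frame("00:aa:bb:cc:dd:01", "dhcp", dhcp_op="discover"),  # client asks for a lease
        Frame("00:aa:bb:cc:dd:01", "dhcp", dhcp_op="offer"),     # same host answers as a server
        Frame("00:aa:bb:cc:dd:02", "data"),                      # second MAC, still allowed
        Frame("00:aa:bb:cc:dd:03", "data"),                      # third MAC, over the limit
        Frame("00:aa:bb:cc:dd:02", "multicast"),                 # user-sourced multicast
        Frame("00:aa:bb:cc:dd:02", "bpdu"),                      # a switch appeared behind the port
        Frame("00:aa:bb:cc:dd:01", "data"),                      # port is already err-disabled
    ]
    return [port.ingress(f) for f in frames]


if __name__ == "__main__":
    for frame_result in scenario():
        print(frame_result)
```

The ordering matters: BPDU protection and the MAC limit sit before the rate limiter so that an err-disabled port stops consuming the limiter's budget, and DHCP filtering keys on the message type rather than on the source address, which is exactly what a rogue server on a legitimate client's MAC would not get past.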
Thank you www.huawei.com Copyright 2008 Huawei Technologies Co., Ltd. All Rights Reserved. The information contained in this document is for reference purpose only, and is subject to change or withdrawal according to specific customer requirements and conditions.