Designing reliability in Telenor's IP network: redundancy and backup mechanisms
Teleforum 2015 - Ove Tøien
Telenor IP Network (BRUT 2.0) services:
Residential / Business Internet services
Business L3-VPN services
L2 VPN services
Packet Voice
Wholesale E-Line service
Vula service
Packet Voice Gateway Core
Mobile base station backhaul
PS Core
CS Core
Broadcasting
BRUT 2.0: A NON STOP NETWORK
BRUT 2.0 is designed to be a Non Stop Network by implementing a whole range of measures to reduce service downtime caused by nodal HW/SW faults, infrastructure faults or security attacks.
Highlights:
Infrastructure redundancy
Nodal redundancy
Thorough hardware testing and inspection
Thorough SW testing
Network scaling testing (signaling and performance)
Non Stop Routing functionality
In Service Software Upgrade
Security defense mechanisms
IP NETWORKS DEPEND ON LAYER 1: L1 and the IP network are designed together.
Core DWDM network: 2 independent networks; 40 x 100 Gbit/s channels; connectivity between the larger cities; connected to the Nordic DWDM network.
(Map of core DWDM sites: Bodø, Bergen, Ålesund, Stavanger, Trondheim, Skien, Kristiansand, Oslo, Tønsberg, Tromsø, Fauske.)
Core nodes are collocated with Core DWDM; edge nodes are collocated with Metro DWDM.
(Map of metro DWDM sites across Norway omitted.)
Metro Core DWDM network: ring structure between a core node pair; 40 x 100 Gbit/s channels; connectivity between core and ...; gives 2 independent routes to the core network; 24 subnets / rings.
Brut 2.0 logical topology: a ladder design
Redundant design: blue and red side, following the DWDM redundant infrastructure.
Between Edge Routers connected to core sites: a ladder design! Between these routers the network will always look the same; only the number of steps will vary: 1-9.
There is always link, node and site redundancy.
Delay and jitter are controllable.
Access Routers: ring topology. No MPLS FR (fast reroute); rerouting relies on protocol convergence.
(Figure: Access - Edge - Core - Edge - Access ladder, max 9 steps.)
Structure Brut 2.0 (Norway): 24 Core, 150 Unified, 34 Mobile, 26 Voice, 2 Borders, 10 RR (Route Reflectors)
(Figure labels: Border / Internet; Core; CE; Cisco DialUp (IP); Leased line; Unified BNG; Edge (PE routers); Mobile; Voice; TRIP; NGV Core; CS core; Voice; WiMAX BS; Access (PE routers); Fixed xDSL; L2 Access; Customer connections; CSS; Mobile.)
Routing and MPLS Transport - Design Principles
All customer routes must be announced by BGP.
IP unicast traffic: all customer traffic must be MPLS switched.
Customer routes must not be installed on core routers.
All MPLS switched traffic must be protected by a fast reroute mechanism (LFA / RSVP-TE FRR) to minimize the impact of network failures.
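The ladder topology and the LFA fast reroute requirement above can be checked together; the Python below is an added example (not Telenor's code) that builds a blue/red ladder with rungs, runs SPF from every node and tests the RFC 5286 loop-free and node-protecting inequalities for every source/destination pair. Link costs are assumptions, and the result shows that symmetric blue/red rail costs leave many pairs with no LFA at all (the alternate neighbour's path ties through the source), while asymmetric rail costs raise coverage.

```python
import heapq
from itertools import product
def ladder(steps, blue=1, red=1, rung=1):
    """Ladder: blue rail B0..B{n-1}, red rail R0..R{n-1}, one rung Bi-Ri per step."""
    g = {}
    def link(a, b, cost):  # assumed symmetric link costs (constructed values)
        g.setdefault(a, {})[b] = cost
        g.setdefault(b, {})[a] = cost
    for i in range(steps):
        link(f"B{i}", f"R{i}", rung)
        if i + 1 < steps:
            link(f"B{i}", f"B{i + 1}", blue)
            link(f"R{i}", f"R{i + 1}", red)
    return g

def spf(g, src):  # Dijkstra: shortest-path cost from src to every node
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in g[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (dist[v], v))
    return dist

def lfa_report(g):
    """(S, D) -> (primary next hop, link-protecting LFAs, node-protecting LFAs)."""
    dist = {n: spf(g, n) for n in g}
    report = {}
    for s, d in product(g, g):
        if s == d:
            continue
        # primary next hop: first neighbour lying on a shortest path from S to D
        p = next(n for n, c in g[s].items() if c + dist[n][d] == dist[s][d])
        link_lfa, node_lfa = [], []
        for n in g[s]:
            # RFC 5286 inequality 1: neighbour N must not route back through S
            if n != p and dist[n][d] < dist[n][s] + dist[s][d]:
                link_lfa.append(n)
                # RFC 5286 inequality 3: N must also avoid the primary next hop P
                if dist[n][d] < dist[n][p] + dist[p][d]:
                    node_lfa.append(n)
        report[(s, d)] = (p, link_lfa, node_lfa)
    return report

def coverage(g):  # fraction of (S, D) pairs with at least one loop-free alternate
    rep = lfa_report(g)
    return sum(1 for _, links, _ in rep.values() if links) / len(rep)
```

Comparing coverage(ladder(4)) with coverage(ladder(4, blue=2, red=1)) shows the difference; pairs whose LFA list is empty are the ones a fast reroute design has to cover by other means (the slide names RSVP-TE FRR as the other mechanism).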
BGP Topologies
Why several BGP topologies? To reduce the mutual negative influence of BGP poisoned routes between services.
There are 4 separate peering topologies, completely independent of each other:
1 for Internet Services routes
1 for Non-Internet Services routes
1 for Mobile Services routes
1 for Voice Services routes
Only routes related to services covered by a specific topology are announced in that topology.
BRUT 2.0 Security design
Brut 2.0 has several layers of infrastructure security: route filtering, packet filtering, protocol security, node protection and network protection.
Route filtering: controlling routes internally and the routes announced from and to our Autonomous System.
Separation of planes: control, management and forwarding.
Protect the infrastructure by controlling the source and destination of packets.
Protect routing and switching protocols from interception and unauthorized connections.
DoS/DDoS protection: scrubber.
Multicast security. No hairpin routing.
Protect nodes from unauthorized access with centralized AAA, firewall rules and control/management/forwarding plane separation.
Layer 2 segmentation. Flow monitoring.
Hide infrastructure addresses, rate limit control traffic, discard segmented (fragmented) control traffic.
These guidelines are the basis of the Brut 2.0 security design.
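To make the guidelines concrete, the Python below is an added example (not Telenor's configuration) of a control-plane policy that applies several of them to packets addressed to a router itself: fragmented control traffic is discarded, infrastructure addresses are unreachable from outside, BGP is accepted only from configured peers, SSH only from the management network, and each accepted class is rate limited with a token bucket. Address ranges, peers and rates are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed example values: address ranges, BGP peers and policing rates.
INFRA = ip_network("10.255.0.0/16")  # loopbacks and core link nets, hidden from outside
MGMT = ip_network("10.200.0.0/24")   # management-plane network
BGP_PEERS = {ip_address("10.255.1.2"), ip_address("198.51.100.1")}
RATES = {"routing": (1000, 200), "management": (100, 20), "icmp": (50, 10)}  # pps, burst

@dataclass
class Pkt:  # a packet addressed to the router's own control plane
    src: str
    dst: str
    proto: str
    dport: int = 0
    fragment: bool = False

class Policer:  # token bucket for one control-plane class (rate limiting control traffic)
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

policers = {cls: Policer(*rb) for cls, rb in RATES.items()}

def classify(p):
    """Return the control-plane class for p, or a 'drop-...' reason."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.fragment:                                    # discard fragmented control traffic
        return "drop-fragment"
    if dst in INFRA and src not in INFRA and src not in MGMT:
        return "drop-hidden-infra"                    # infrastructure addresses stay hidden
    if p.proto == "tcp" and p.dport == 179:           # routing plane: configured peers only
        return "routing" if src in BGP_PEERS else "drop-unknown-peer"
    if p.proto == "tcp" and p.dport == 22:            # management plane: management net only
        return "management" if src in MGMT else "drop-mgmt-plane"
    if p.proto == "icmp":
        return "icmp"
    return "drop-default"

def copp(p, now):  # control-plane policing: ('accept', class) or ('drop', reason)
    cls = classify(p)
    if cls.startswith("drop-"):
        return ("drop", cls)
    return ("accept", cls) if policers[cls].allow(now) else ("drop", "rate-" + cls)
```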
Security Shell Design (figure)
Three shells (Shell 1, Shell 2, Shell 3) span the IP Core, IP Edge, Access / Border routers, DSLAM, CE and the customer network, with the Internet and VPN sides shown and the packet direction indicated.
Measures placed in the diagram: Box security (control plane), Routing security, Switching security, DoS attack protection, Layer 2 security, Layer 3 security, Hairpin routing, Multicast security, Service security.
Thanks! ove.toien@telenor.com