Secure Optical LAN: TechNet Augusta 2015

ACCESS FOR TODAY. CONNECTED FOR TOMORROW.Passive Optical LAN &
All Secure Passive Optical LAN:
The Basics
Mike Novak
Senior Systems Engineer
Mike.Novak@Tellabs.com
703.869.6724

ACCESS FOR TODAY. CONNECTED FOR TOMORROW.
Agenda
Passive Optical LAN 101: The Basics
Fundamentals of Optical LAN
 High Level Overview
 Components of an Optical LAN
Why is Optical LAN so Popular
 Business Proposition
 Green Aspects
Sample Optical LAN Layouts
Network Support and Bandwidth
Passive Optical LAN 102: Advanced Concepts
Optical LAN Protocol Support
Optical LAN Standards Update (TIA, BICSI, DoD)
Optical LAN Campus Design Considerations
Remote Powering Concepts
Optical LAN Redundancy Options
Future of Optical LAN: XGPON1 and XGPON2
“All-Secure PONTM” – Optical LAN for SIPR and other
Classified/High Security Applications
2

Passive Optical LAN 101:
The Basics

Fundamentals of Optical LAN
Completely Single Mode fiber solution
 Multimode fiber will not support the 20 – 30Km reach
 Multimode cannot support multiple wavelengths allowing for both upstream/downstream traffic
on a single filament
 Single mode supports over 101 TB. of throughput, making it a ‘future proof‘ transport medium
 GPON connections are all simplex SC-APC connectors
(That’s Angled Physical Contact, not Angled Polished Connector)
 Communications closets (IDF/TR) become passive spaces for the fiber
splitter, or simply a fiber pass thru.
 A single strand of fiber (with a 2:32 splitter) can provided up to 128 GbE end user ports
 Benefits of fiber plant vs. copper:
– Not susceptible to EMI, unmatched security
– Lower material and installation cost
– Non corrosive, great for shipboard applications
– Smaller cable footprint than a copper infrastructure
Turn this:
Into this:
 Splitters are completely passive, and able to be placed in nearly any
accessible space (floor, ceiling box, closet, manholes)
4

POLAN Layer-1 cabling and splitters on average cost 50% less than traditional fiber
based solutions
Legacy LAN to POLAN Comparison
WAN/
Internet
Layer-3 Dist.
Single or Multi
Mode Fiber Riser
Fiber Access
Layer witches
Horizontal Copper
WAN/
Internet
GPON OLT
SM Fiber Riser
1:8 Splitter
(Closet Based Design)
Wall Outlet ONT
(32 per Splitter)
Legacy LAN (4-9s Available or 52.56mins/year) Passive Optical LAN (6-9s Available or 31.5secs/year)
2:32 Splitter or FDT
(Zone Based Design)
Redundant SM
Fiber Riser
1RU 24 GbE ONT
5

Optical
Splitter
(2:32)
Optical Network
Terminals (ONT)
Optical Line
Terminal (OLT)
1490nm
1310nm
The Optical Line Terminal (OLT)
• Acts as the central aggregation element
• Located in the Core Data Center
• Replaces multiple L2 switches
• Can aggregate over 8,000 GbE Ports
• Some offer Layer-3 Capabilities
20km
1, 10 or
40G
Network
Uplinks
Passive Optical LAN
Optical Infrastructure for Enterprise Customers
2:32
6

Passive Optical LAN
Passive Optical Network (PON)
• Completely passive infrastructure
• Single fiber carries multiple wavelengths
• 2.48 Gbps downstream
• 1.24 Gbps upstream
• Serve Remote Buildings 20-30Km
Optical
Splitter
(2:32)
Optical Network
Terminals (ONT)
1490nm
1310nm
20km
1, 10 or
40G
Network
Uplinks
2:32
Optical Line
Terminal (OLT)
7

Passive Optical LAN
Passive Optical Splitter Feeding FDH
• Completely passive components
• Rack Mounted or Cassette Based
• Splits single fiber up to 32 ways
• Typically located where workgroup switches are deployed
• Can be dual homed to redundant OLT chassis for failover
Optical Network
Terminals (ONT)
1490nm
1310nm
20km
1, 10 or
40G
Network
Uplinks
2:32
Optical Line
Terminal (OLT)
8
Optical
Splitter
(2:32)

Passive Optical LAN
Optical Network Terminals (ONT)
• Terminates the fiber at the end user
• Provides Data, VoIP, IP Video services
• Some models also provide native POTS
• Desktop, In Wall, Cubicle and Rack Mount Unit models
Optical
Splitter
(2:32)
Optical Network
Terminals (ONT)
1490nm
1310nm
20km
1, 10 or
40G
Network
Uplinks
2:32
Optical Line
Terminal (OLT)
9

Why Optical LAN is so Popular
10

72 Equipment Racks
Legacy Ethernet
Up to 8,064end users
Passive Optical LAN
can offer 90% greater
density compared to
Active Ethernet
 Lower electronics cost: up to 50%
 Lower energy consumption: up to 80%
 Lower space consumption: up to 90%
(floor, rack, pathway, closet space)
Legacy Copper vs. Passive Optical LAN
Passive Optical LAN
8,192 end users
Tellabs Optical LAN
1 Rack
11

 Lower energy consumption: up to 80%
 Lower space consumption: up to 90% (floor, rack, pathway, closet space)
Fiber on J-HooksCopper on Ladder Racks
12

 Lower power consumption: up to 80%
• Passive Splitter Device
• Ceiling, Floor or Closet
• Zero power required
• Zero HVAC required
BEFORE: Legacy IDF/TR After: Zone Based Passive Splitter
13

 Lower power consumption: up to 80%
 Lower cable cost: up to 60% (fiber vs. copper)
 Lower cabling installation cost: up to 60%
250 ports copper/Ethernet
2000 ports fiber/optical 128 ports fiber
128 ports copper
14

World’s
largest
copper mine
Chile
Chuquicamata
depth: 850 m
area: 4 km x 3
km
Planned depth
1,3 km
Mining:
Copper destroys 100 to 200x more environment than
glass1)
–1 kg of copper consumes 500 kg of environment
 2 kg of copper per 200 ft cable
– 1 kg of glass consumes 3 kg of environment
 0.02 kg of glass per 200 ft cable
Institute f. Climate, Environment and Energy, GmbH, Wuppertal
http://www.wupperinst.org/en/publications/wuppertal_spezial/index.html
1) Schmidt-Bleek „ Der ökologische Rucksack“ – 1984, q.v.
Courtesy of Corning Cable Solutions
Green Aspects of Fiber Optic Cables
15

Optical LAN: a Value Network for Real Estate
Lower Energy
Consumption
• Unmatched HD video quality
• High capacity data downloading
• All smart-building systems on 1 IP network
• Easy, “hitless” modular upgrades for higher BW
Gain Productive
Floor Space
Recapture up to 90% of IT closet and MDF
square footage required for old-style copper &
Ethernet switch networks
Reduce Building
Materials
• Fiber vs copper – cost & space reduction
• Reduced structural reinforcement requirements
due to dramatically lower weight of cabling
• Fewer & smaller penetrations
• Reduce up to 80% of the energy required to
power an equivalent copper network
• Eliminate up to 70% of the A/C required to
cool IT closets
Place IP Super-
highway in Building
Lower Lifecycle
Costs
• Fewer and lower skilled technicians needed
• Remotely managed via remote GUI
• Dispatch to the premise rarely needed
• Replace premise cabling in 30+ years…
TELLABS CONFIDENTIAL PROPRIETARY 16

2,000 User CapEx Comparison
• OLAN Basis of Design
– 2 Gbe PoE Ports per User
– Reduced Layer-3 Core w/ Virtual Chassis Lag
and 40G of uplink
– Mixture of desktop, closet and face-plate ONTs
– Zone based fiber distribution
• Legacy Copper LAN Basis of Design:
– 2 Gbe PoE Ports per User
– Dual Layer-3 core with meshed uplinks to
each access layer switch
– 48-port access layer switches
– Dual Cat6 CMP to each desk
TELLABS CONFIDENTIAL PROPRIETARY 17

2,000 User OpEx Comparison
• Reduced HVAC Consumption and Sizing
• Reduced Annual Support
• Reduced 7-10 Year Re-Cabling
• $.125/KwH Rate
• Compares Equal PoE Load
18

Sample Optical LAN Layouts
and Loss Calculations
19

Zone Based Cabling
Multi Strand SMF from the horizontal-backbone fiber patch panel to each zone
20

Closet Based Optical Splitter
Dedicated run from each ONT back to the IDF closet where the splitter is housed
21

Fiber Hub and Fiber Terminal Deployment
MPO-MPO (Pre-terminated trunk) from the FDH to the Fiber Terminal
22

Optical LAN Link Budgets
The maximum PON distance is limited primarily by optical attenuation. Contributors are fiber
loss attenuation and PON splitter attenuation.
Optical LAN loss budges must be between 8dB and 28dB; meaning smaller split ratios
may require an inline attenuator to insert more loss.
PON
Splitter
Fiber loss per km
is 0.35 dB (1260 - 1360 nm)
Every time the signal is split two ways,
half the power goes one way and half
goes the other. So each direction gets
half the power, or the signal is reduced
by
10log(0.5)=3 dB
Practical loss is 3.5 dB nominal, so
every two-way split costs about 10 km
distance @ 1310 nm
Half
Power
Half
Power
Attenuator Loss Unit
Optical Loss 1310 nm 0.35 dB / Km
Splice Loss per unit 0.05 dB
Connector Loss 0.35 dB
1X32 PON Splitter 16.7 dB
1:2 split ratio
GPON Optical Budget –
• Splitter (1:32) = 16.7 dB
• Fiber loss (20km) = 7.0 dB
• Connector / Splice loss = 3.5 dB
27.2 dB
23

Will End Users Connectivity
Change from Legacy Copper/Ethernet?
24

Network Protocols Supported by Most
Passive Optical LAN Platforms
Network Integration
Multiple 1G and 10G Ethernet Uplinks
IEEE 802.3ad Link Aggregation Control
Protocol (LACP)
IEEE 802.1Q VLAN Encapsulation
IEEE 802.1w Rapid Spanning Tree (RSTP)
IEEE 802.1s Multiple Spanning Tree (MSTP)
Virtual Router-to-Router Redundancy (VRRP)
IPv4 / IPv6
IGMPv2 / IGMPv3
Network Access Control (NAC)
IEEE 802.1x (Port-based Authentication)
Dynamic Host Control Protocol (DHCP)
DHCP Snooping and Option 82 insertion
Port Security, Sticky MACs
RFC-2267 (Denial of Service)
Traffic Storm Control
Bridge Protocol Data Unit (BPDU) Guard
Layer-3 Routing/Switch (OSPF/BGP)
Service Delivery
802.1p: Class of Service
IP differentiated services code point (DSCP)
Quality of Service: Per-VLAN, Per-Port,
Per-Service queuing / scheduling *
Sophisticated QoS and Traffic Management
Eight Queues per VLAN
Policing, Scheduling, Shaping per Queue
Congestion and Flow Control
Hardware Based ACLs: L2, L3, L4
Hardware Based Multicast Management
IEEE 802.3af, 802.3at (PoE)
Link Layer Discovery Protocol (LLDP)
Monitoring / Management
SNMP v1, v2, v3
CLI Console Port
Remote Monitoring (RMON) software agent
RMON I & II
Enhanced SNMP MIB support
RFC 1213-MIB (MIB II)
Extended MIB support
Network Timing Protocol (NTP)
RADIUS based authentication
SSH v1, v2
VMWare Support for EMS
OLT SysLog
Ethernet Port MACSEC (Encryption)
Note – This is not an exhaustive list of supported
protocols supported by either Optical LAN or
Ethernet Switch solutions
Some solutions support certain protocols that
others may or may not.
25

Bandwidth & QoS in the Passive Optical LAN
Burst Bandwidth
Guaranteed Bandwidth
Rate Limit
 802.1p & DSCP Mappings for per profile/per port QoS
 Each Service Profile (broken up by broadcast domain/VLAN) receives its own values:
 VLAN
 CDP/LLDP Type (Link Layer Discovery Protocol)
 L2 – L4 Access Control Lists
 Committed and Burst Bandwidth Rates (each and every ONT port is able to provide Gbe speeds
 IGMP/Multicast
 Profiles are assigned (manually, auto-prov, or via NAC) to each ONT Ethernet port
Excess Information Rate (EIR)
Committed Information Rate (CIR)
QoS per
VLAN per
Port
5 Mbps
1 Gbps
Passive Optical LAN = more effective & efficient management of oversubscription
26

Typical Data Consumption in the Enterprise
 Typ. Data User: < 1Mbps Avg.
 Typ. VoIP Handset: < 512kbps
 Typ VDI: < 768kbps Constant
 Typ VDI HD Video: < 1.5Mbps Constant
 Typ. IP Camera: <5Mbps
 HD NefFlix: <6Mpbs
 Typ. Power User: <20Mbps Avg
 HD VTC ‘Room’: 16.75Mbps Avg
 Max Win7 Download: 420Mbps
 Max Win7 Upload: 380Mbps
Why Current ITU G.984 GPON is Beyond
Sufficient for Nearly All Applications
 Are 1Gbps user interfaces used to their capacity today?
 Users see a 1Gbps link, however their effective utilization is
typically sub 1Mbps with ‘bursts’ to the typical 10Mbps
range.
 Full 1Gbps is not available in Windows desktop
environments (See table to the right)
 Virtual Desktop (VDI) drives bandwidth to a flat rate in the
sub 1Mbps range
 Gartner 2013 Estimates of Bandwidth needs through 2017
shows Super Users with a maximum requirement of sub-
7Mbps
“Superior User” Category
 2012: 1.820Mbps.
 2013: 2.333Mbps
 2014: 3.013Mbps
 2015: 3.911Mbps
 2016: 5.090Mbps
 2017: 6.643Mbps
Gartner March 2013 “Network Capacity per Connected
Device” Trend
“Standard User” Category
 2012: .145Mbps.
 2013: .182Mbps
 2014: .232Mbps
 2015: .2971Mbps
 2016: .285Mbps
 2017: .504Mbps
Source: Gartner Research Article ID:G00247697
 How Passive Optical LAN Exceeds 2017
Requirements:
 32 Users + 32 VoIP handsets:
(32 x (6.643Mbps + .512Mbps) ) = 228.96Mbps
 PON provides 2.38Gbps/1.18Gbps useable
bandwidth
 2.15Gbps of downstream burst capacity remains
 951Mbps of upstream burst capacity remains
27

• Access Switching is a $10B-20B a year business
• OLAN faces fierce competition and pushback from Legacy
Ethernet manufacturers in the way of false statements
Why Optical LAN is the Right Choice
Common Legacy
Mis-Statements on OLAN
No Quality of Service (QoS)
No Power over Ethernet (PoE)
No Port Authentication (802.1x)
Fiber is more Expensive
Fiber is more Difficult to Install
Inadequate Bandwidth in OLAN
OLAN is not Standards Based
Too Dramatic of a Change from Copper
Optical LAN Reality
Superior QoS through 802.1p, DSCP and CoS marking
802.3af and 802.3at compliant PoE on almost every ONT
Extensive 802.1x based Port Control, NAC and Dynamic Services
Fiber LANs prove to cost 50% less than legacy copper networks
Pre-term and field-term fiber installs require less skill and less time than copper
networks
OLAN provides a more granular and efficient utilization of bandwidth than Legacy
Ethernet solutions on a future proof medium
Optical LAN is an ITU standard with support from BICSI and TIA
Much like the switch from digital PBXs to VoIP, change is good in the end, and most
integrators and customers are for a positive, cost saving solution
28

Passive Optical LAN 102:
Advanced Concepts
Mike Novak
Senior Systems Engineer
Mike.Novak@Tellabs.com
703.869.6724

Agenda
PON 101 Recap
Optical LAN Protocol Support
Optical LAN Standards Update (TIA, BICSI, DoD)
Optical LAN Campus Design Considerations
Future of Optical LAN: XGPON1 and XGPON2
30

PON 101 Recap
 Completely Single Mode fiber solution using SC-APC connectors on the
hardware
 20 – 30 Km system reach
 Saves 50% in equipment and cabling cost
 Saves 80% in power consumption
 Saves 90% in space utilization (cable tray, rack units, pathways)
 Splitters are passive devices and available in rack mounted, cassette, fiber
distribution terminals, etc.
 Optical LAN has an overall 28dB loss budget from Optical Line Terminal (OLT)
to Optical Network Terminal (ONT)
28dB
31

Optical LAN Hardware &
Protocol Support
32

Different Systems, Different Options
Like buying a tablet, there are lots of options:
 Some offer 8” screens
 Some offer 10” screens
 Some plug in at the top, others at the bottom
 Some have extra memory slots, others don’t
 Some have WiFi or 4G services
 Some have a front facing camera while others only rear facing
They all get you online in one way or another; certain features are a
personal preference
33

Network Protocols Supported by Most
Network Integration
Multiple 1G and 10G Ethernet Uplinks
IEEE 802.3ad Link Aggregation Control
Protocol (LACP)
IEEE 802.1Q VLAN Encapsulation
IEEE 802.1w Rapid Spanning Tree (RSTP)
IEEE 802.1s Multiple Spanning Tree (MSTP)
Virtual Router-to-Router Redundancy (VRRP)
IPv4 / IPv6
IGMPv2 / IGMPv3
Network Access Control (NAC)
IEEE 802.1x (Port-based Authentication)
Dynamic Host Control Protocol (DHCP)
DHCP Snooping and Option 82 insertion
Port Security, Sticky MACs
RFC-2267 (Denial of Service)
Traffic Storm Control
Bridge Protocol Data Unit (BPDU) Guard
Layer-3 Routing/Switch (OSPF/BGP)
Service Delivery
802.1p: Class of Service
IP differentiated services code point (DSCP)
Quality of Service: Per-VLAN, Per-Port,
Per-Service queuing / scheduling *
Sophisticated QoS and Traffic Management
Eight Queues per VLAN
Policing, Scheduling, Shaping per Queue
Congestion and Flow Control
Hardware Based ACLs: L2, L3, L4
Hardware Based Multicast Management
IEEE 802.3af, 802.3at (PoE)
Link Layer Discovery Protocol (LLDP)
Monitoring / Management
SNMP v1, v2, v3
CLI Console Port
Remote Monitoring (RMON) software agent
RMON I & II
Enhanced SNMP MIB support
RFC 1213-MIB (MIB II)
Extended MIB support
Network Timing Protocol (NTP)
RADIUS based authentication
SSH v1, v2
VMWare Support for EMS
OLT SysLog
Ethernet Port MACSEC (Encryption)
Note – This is not an exhaustive list of supported
protocols supported by either Optical LAN or
Ethernet Switch solutions
Some solutions support certain protocols that
others may or may not.
34

Hardware Features Supported by Most
Form Factor
Rack Mounted ONTs
Desktop ONTs
Face Plate or Mini ONTs
Small Form Pluggable (SFP) based ONTs
ONT Options
Integrated Battery Backup
ONT Remote Powering
802.3AZ Power Sensing
802.3AE MACSEC Encryption
Every manufacturer provides Enterprise transport for the user; certain
features are the decision of the customer
ONT Interfaces
10/100 Fast Ethernet Ports
10/100/1000 Gbe Ethernet Ports
75-Ohm RF Video Ports
RJ11 POTS Ports
24-Pair POTS Interfaces
PoE (15.4W) Interfaces
PoE+ (25.5W) Interfaces
35

Standards Updates:
BICSI, TIA & US DoD
36

Recent Standards Updates
• BICSI TDMM 13th edition provides a sub-chapter on Optical LAN under the Horizontal
Distribution Systems chapter.
• TIA 568-C.2, Generic Cabling Standards provides loss budgets and distances for the
various Optical LAN flavors.
• To stay compliant with TIA 568-C, Generic Cabling Standards, the solution shall install a
duplex fiber to each fiber work area outlet to maintain the ‘generic’ nature of the 568
standard.
• Such that the system is in compliance with the TIA 568-C, a PON system can be
considered compliant with TIA 1179 as well.
• DoD updates have created Optical LAN inclusion for the:
• Unified Capabilities Requirements (UCR)
• Defense Information Systems Agency (DISA) Joint Interoperability Testing (JITC)
• US Army Installation and Campus Area Network Design Guide (ICAN)
37

Optical LAN Campus Design
Considerations
38

Passive Optical LAN
Configuration
 QoS via 802.1P and DSCP
mapping
 ONTs support Voice, Data
and Video
̶ End Building
 Splitters are fed with dual inputs from ADN #1 and
ADN #2 to provide failover
 Provides rack mounted 72xGP ONTs to feed out
legacy copper drops (Cat5/5e/6) from the IDF/TR to
provide Gbe PoE+ and POTS ports
 Provides wall and desktop ONTs via fiber to the
desk/outlet to provide ONTs w/ Gbe PoE+ services at
the desktop level
OLT in the Campus Environment
(Universities, Hospital Campus, Corp Business Park, Mixed Use Development)
̶ Dist. Node
 Legacy core
router/switches
 Provide 10G interfaces
to the OLTs to be dual
homed (802.3ad)
 Each splitter will require
1 strand of OSP fiber to
each ADN #1 and ADN
#2
OLT
FOPP
FOPP
24STSMF
6ST SMF 2x2 Zone Box w/
2:32 Splitter
1ST SMF
Legacy CatX
ADN #1
ADN #2
OLT
DWDM
DWDM ONTs
39

ONT Remote Powering & Backup
Comm Closet
MainDistribution
Frame(MDF)
Walls and Ceiling –
Structured Cabling Office Environment
  
Bulk AC-DC Rectifier
Fiber and Power
Solution provided in
conjunction with
infrastructure partner
Desktop ONT
w/ 48Vdc input
Provides 48Vdc to existing Cat5
cables or hybrid fiber/copper cable
10/2LowVoltageCable
SMF and #22/2
Copper Pair
Ceiling Zone Box:
1. Splitter: 2x32 1RU Splitter or FDT
2. PDU: Power distribution unit
(32x 48Vdc outputs)
OLAN OLT
Zone Box
Face-plate ONT
w/ 48Vdc input
Mini ONT
w/ 48Vdc input
Multi-StrandSMFRiser
Desktop ONT
w/ local BBU
Benefits of Remote Powering:
1) Eliminates a local AC plug at the ONT
2) Centralizes battery backup at the closet
Benefits of Local Battery Backup Unit
1) Battery is monitored for failures
2) Does not require any copper in the horizontal for DC power
41

Calculating Cabling for Network Powering
 R (resistance of copper) = 11.1 Ohms/1,000-ft
 I = Amps required at the device (Calc out load of
ONT, PoE requirements and sparing) Watts/Volts
 D = Distance (1-way) in ft
 V = Voltage drop allowed in span
 CM = Circular Mills (to convert to Gauge)
𝐶𝑀 =
𝑅 𝑥 𝐼 𝑥 𝐷 𝑥 2
𝑉
Perform a Rectifier to PDU calc and a PDU to ONT calc to
determine appropriate wire size based on requirements and
distance
CM Value Corresponding
Gauge #
404 – 642 #22
642 – 1020 #20
1020 – 1620 #18
1621 – 2580 #16
2581 – 4110 #14
4111 – 6350 #12
6351 – 10380 #10
10381 – 16510 #8
 ** Note the R value is not fixed,
however this average works well
with the distances and power
consumption for the ONT remote
powering concepts defined here **
42

Remote Powering Considerations
• System must maintain NEC Class-2 compliance for 100VA rate limiting
• For most applications, a #22/2 is the correct PDU to ONT wire size to support ONTs between 50 and 300
feet away
• Systems integrators are responsible for basic calculations to ensure wire gauge is correct for an
application
• Understanding the power draw on the ONT and accounting for sparing is critical:
• If a VoIP handset today consumes only 6W of power, account for potential future video phone
applications
• As XGPON is more commonly deployed, account for higher power utilization of 10Gbe interfaces on
ONTs
• Coordinate the architecture with the Division 26 and 27 engineering firms in advance:
• Bulk rectifiers in a closet may require special 208V breakers and UPS power
• Active zone boxes will require generator/UPS fed AC outlets to feed the remote powering solution
• Work closely with the design firm to ensure the connector types at the remote ends are both
aesthetically pleasing, standards compliant, and the correct fit for the manufacturer and plug type of
the ONT
• While a hybrid cable provides advantages on physical cable pulls, the cost of
such cables can be prohibitive.
43

Optical LAN Redundancy Basics
• Per the ITU G.984.1 Section 14.2.1 protection in an Optical LAN solution is defined as:
• Type-B protection: dual fed optical splitter with two inputs
• Type-C protection: dual fed optical splitter with two inputs and dual fed optics on the
ONT fed from two dual fed splitters
• Availability is a relative term:
• Standard dual fed Legacy access switches are 4-
9s (52.56mins of downtime) available
• OLAN has been field proven to over 5-9s
(5.26mins of downtime) availability with no
redundancy
• OLAN with Type-B protection is proven at over 6-
9s (31.5secs) availability
• It is suggested to design for 2:x splitters day-1, even if redundancy is not
desired; extra splitter cost is negligible
• Ensure OSP is designed for diverse/redundant pathways in a campus
environment
• Certain manufacturers support protection in a single OLT chassis, other
support protection between OLT chassis for facility protection.
AnnualDowntimeinSeconds
Backup OLT
2:32
Splitter
Primary OLT
45

Future of Optical LAN:
XGPON1 and XGPON2

10GPON: Not as Far off as Once Thought
10GUp
GPONUp
GPONDown
RFOverlay
10GDown
Allows for concurrent GPON and 10GPON over a single fiber infrastructure
• ITU G.984 GPON (2.48G/1.24G) and XGPON2 (10G Symmetrical)
• XGPON is already standardized under ITU G.987
• Manufacturers to provide XGPON2 solution for symmetrical 10GPON in the next 18-24
months
• Limited 10G user interfaces required (Intelligence, Medical imaging, etc)
• Due to separate wavelengths, both GPON and XGPON2 can run over the same fiber and
splitter plant concurrently; allowing selective deployment of 10G to users who require it
• XGPON2 solutions will provide multiple 40G interfaces to the core Layer-3 network from
the OLT switch card
• IEEE EPON standard uses the same wavelengths for EPON and 10EPON, meaning
concurrent use of fiber plant is not possible without expensive optics
47

“All-Secure PONTM” – Optical LAN for SIPR and
other Classified/High Security Applications
48

All-Secure PON Solution
 All-Secure PON combines the benefits of PON
(CAPEX/Power/Space savings) with the cost savings of
NIS Alarmed-Armored PDSTM
Up to 66% deployable savings vs. Legacy PDS
Up to 75% cost savings on moves/adds/changes
Rapid scalability and reconfiguration of networks
Support for multiple network classifications
Combined PON + PDS cost savings up to 80%
 Technology from Tellabs and NIS have been selected for
each notable “Secure PON” project within the US
Government to-date.
 Air Force, Army and DHS are deploying the solution with
other agencies currently reviewing requirements and
considering testing and pilots.
 NIS & Tellabs continue to collaborate at Industry Days and
Trade Show events at various locations for education and
training.
49

Secure Passive Optical LAN Government Adoption
U.S. Army - All-Secure PON Deployment
• NETCOM, Greely Hall, Fort Huachuca, AZ
• Fort Campbell, KY
U.S. Department of Homeland Security - All-Secure PON Deployment
• Chooses Tellabs GPON and DWDM for DHS St Elizabeth’s HQ. Over 24,000 ports
U.S. Air Force - All-Secure PON Deployment
• Chooses Tellabs GPON for multiple projects at Andrews AFB. Also deployed with Secure-PON Alarmed Fiber solution
Department of State USAID - All-Secure PON Deployment
50

2010 Department of Army Directive
Technical Guidance for Network Modernization April 23, 2010
51

2012 Department of Army Memorandum
Program Execution Requirements for Installation Information
Infrastructure Modernization Program (I3MP) Fiscal Year (FY) 13
52

Passive Optical LAN
A True Enterprise Solution
Tellabs 700 Series
Desktop Optical Network Terminal
Tellabs 72x Series
Workgroup Optical Network Terminal
Tellabs 1134
Optical Line Terminal
 Advanced VLAN capability  Network segmentation
 Advanced security at the edge –
 Network Access Control (NAC)
 Access Control Lists (ACLs)
 802.1x Port Access Control
 Trusted Host / DoD-PKI / FIPS 140-2 L1 (AS-SIP)
 Element Management System security
 Broad portfolio of enterprise ONTs with PoE
A True Enterprise Solution
Seamless replacement of Ethernet Switched Networks
 Functions very similar to current Ethernet switch model
 Reduce technology adoption challenges
 The benefits of Optical LAN, the simplicity of Ethernet
 Distributed Ethernet switching for
efficient user-to-user communication
Tellabs 1150E (19”)
Tellabs 1150 (23”)
Tellabs 120 Series
In-Wall and Cubicle ONTs
53

DoD Unified Capabilities
JITC Approved Products Lists
54

Passive Optical LAN with GPON
Passive Optical Splitter Feeding FDH
• Completely passive components
• The size of a deck of cards
• Splits single fiber up to 32 ways
• Typically located where workgroup switches are deployed
• Are mounted on the wall in Fiber Distribution Hubs (FDH)
Passive Optical Network (PON)
• Completely passive infrastructure
• Single fiber carries multiple wavelengths
• 2.48 Gbps downstream
• 1.24 Gbps upstream
•Serve Remote Bldgs Up to 20Km
Optical
Splitter
Optical Line
Terminal (OLT)
1490nm
1310nm
1G or
10G
Network
Uplinks
The Optical Line Terminal (OLT)
• Acts as the central aggregation element
• Located in the Core Data Center
• Replaces multiple L2 switches
• Can aggregate up to 8,192 end users
20km
• Terminates the fiber at the end user
• Provides Data, VoIP, IP Video services
• Some models also provide native POTS
• Desktop and MultiDesk Unit models
55

Optical LAN Topology
OLT Placement for All Secure PON
9/3/2015 9/3/2015
Network
Core Layer
Top Level
Architecture
SIPR Network and VoSIP
Network
Distribution
Layer
10G
10G
Server
Farm
Network
Access
Distribution
Layer
NMS
C2 EUB
PON
Large
EUB
10G
PON
TDM PBX
1G
T1
VGW
C2 EUB
56

57

Tellabs Confidential Proprietary 58
text
text
text
text
text
text text
Secure TR FL1-RSecure TR FL1-L
text
Coalition Secret
U.S. Secret
Zone 1-1
Zone 1-2
Zone 1-3 Zone 1-4 Zone 1-5 Zone 1-6
Zone 1-7
Zone 1-8
All-Secure Optical POD Solution

The Modern Mission Drivers for All-Secure PON
Rapidly increasing requirements for SIPR (or higher) classification
network endpoints
Decreasing budgets to support increasing mission demand for
classified data
Requirements for multiple classifications at many or every desk in a
building
Modern network infrastructures must be flexible to rapidly adapt to
mission changes
Reduce O&M costs and frequency of refresh of network infrastructure
Support Green Building/Operations objectives
Technology Evolution
59

Standards & Solutions
For Secure Classified Networks
Protected Distribution Systems (PDS) standards have existed
since 1996 (NSTISSI 7003). DoD organizations implement
additional controls and SIPR cabling/installation guidelines.
Certified Technical TEMPEST Authorities (CTTA) review PDS
implementations and supports design, pre, and post-
procurement activities to ensure compliant solution and
accreditation path.
Legacy Solutions = Rigid and Very Expensive
 NSA Type 1 Encryption (including “TACLANES”)
 “Hardened” PDS: rigid, exposed conduit/raceway (EMT/”Holocom”)
 Special Compartmentalized Information Facility (SCIF): physically
hardened and secured area for processing classified information.
Modern Solution = Flexible Design and Scalable Cost
 INTERCEPTOR 24/7/365 network cable monitoring, automated routine
inspections, managed inspections for Intrusion events, low/no
construction costs, highly scalable.
 “Alarmed-Armored” PDS: INTERCEPTOR + Flexible Interlocking Armored
Cable for rapid-deployable, concealed infrastructure.
 Retro-Fit of Legacy PDS: INTERCEPTOR alarming to replace Encryption
Devices or Alarm existing Legacy PDS cables and pathways/conduits.
Modern
Approach
Legacy Options
60

Threats in the News
9/3/2015 61

INTERCEPTOR Intelligent PDSTM &
Alarmed-Armored PDSTM for Secure PON
• Network Integrity Systems has developed and delivered the
Interceptor technology for DoD & other US Government
applications since 2003 in response to post-9/11 network
security requirements.
• More than 50 million port hours of in-service operation
securing U.S. government classified networks on over 60
unique projects.
• Fifteen (16) U.S. and International patents granted to NIS for
technologies incorporated in or enabled by Interceptor.
• Sufficient dynamic range to support dozens of secure drops
per Zone (easily can support 1x32 GPON split).
• Recent government testing and validation of Alarmed-
Armored PDS, the core of the Secure PON architecture.
• Manufactured in the USA at an ISO 9001 and ITAR
registered manufacturing facility. 62

INTERCEPTOR Optical Network Security System
Standard fibers intrinsic to (inside) the cables
being protected are used to monitor intrusions
into the cables themselves
 Designed specifically for US Government data
infrastructure security, exclusive to US Government
enabling use above SECRET.
 Makes the entire cable a sensor
- Use a pair of fibers inside the cable being protected, directly
monitor single mode fibers
- When any component of the cable is abnormally handled, the
monitored fibers sense the disturbance
 Event discrimination technology
- Learns the ambient state of the network and differentiates between
benign events and real threats
- False alarms eliminated
- If an INTERCEPTOR alarms, there is a problem (perhaps not a
threat), intrusions lead to patterns of alarms that are reported to
security panels and network management systems.
 NSTISSI 7003 Compliant, CTTA Approved for projects
in each US Government Agency
– 2009 Air Force Armored Cable Validation
– 2012 Army CTTA Armored Cable Validation
– Many other non-armored cable deployments in all
agencies/branches of US Government.

How it Works
64

High Dynamic Range

Business Case:
INTERCEPTOR vs. Hardened PDS
 Lower up front System &
Installation cost: up to 66%
 Lower Maintenance/Moves/Adds
& Changes costs: up to 75%
 Increased Security: Real-Time
vs. Retro-active Human
Inspection
 Concealed and Re-configurable
Classified Network: Easily re-
deployable and expandable
66

Business Case:
INTERCEPTOR vs. Type 1 Encryption
67

Alarmed-Armored PDS History
2006-Present
Pioneered Armored Cable PDS R&D and Government Acceptance
• INTERCEPTOR’s unique capabilities (intrinsic monitoring) provided the
technical option to eliminate conduit and monitor cables directly.
• In 2006 begin evaluating and testing multiple manufacturers of Flexible
Interlocking Armored Cable in coordination with the government.
• Demonstrated the solution to the Air Force CTTA in 2007, and in 2009 the Air
Force released an ESIM (2009-1) supporting INTERCEPTOR + Armored
Cable.
• Trained its first customer implementing
Alarmed-Armored PDS in 2008 and
sold that system in 2009.
• Reviewed Alarmed-Armored PDS
with the Army CTTA in 2011 and 2012
including lab testing that resulted in acceptance of
flexible interlocking armored cable in replace of hardened conduit.
• Navy has deployed Alarmed-Armored PDS and other agencies are
working on requirements, testing and deployments for projects.
68

PON = JITC Certified
INTERCEPTOR = CTTA & DAA Approval
Each project PDS Plan must be reviewed by the agency CTTA and installation DAA.
• INTERCEPTOR does not process classified data and does not require JITC
certification.
• 95%+ of INTERCEPTOR deployments are dark fiber only
• Active fiber monitoring options exists for point-to-point applications when no
spare fibers are available, does not impact bandwidth, and does not process
classified data.
• INTERCEPTOR currently does not specifically require a Certificate of Networthiness
(CoN) as a security appliance, but software applications that INTERCEPTOR reports to
have been issued CoNs to manage alarm response procedures and notifications.
• Each PON + PDS project requires a PDS Plan that includes description of a Standard
Operating Procedure for maintaining the security system and responding to alarm
events.
• INTERCEPTOR has been approved for various types of PDS Plans within Army, Air
Force, Navy, Marine Corps, Intelligence agencies, DHS & other civilian agencies.
69

Secure PON = “The New PDS”
Flexible Interlocking Armor Fiber Optic Cable
Optical Loopback
Fiber Optic
Patch Panel
Data fiber to Tellabs GPON ONT
• Standard cable conveyance – PDS
raceway, not necessary
• Combined cost savings up to 80%
• No end-end daily inspections
required
• Cable may be concealed, above
ceiling or below floor
• Enhanced facility aesthetics
GPON
Alarmed-
Armored
PDS
Secure PON
“The New
PDS”
+
GPON OLT
GPON ONT
INTERCEPTOR
Spare/expansion data fiber
2 dark
monitoring fibers
70

All-Secure PON Component Architecture
Thin/Zero Client and Cross Domain technologies can help further reduce the network
infrastructure onto a single PON, single ONT at the desk to support multiple classifications.
71

Zone Box Example
This example shows one SIPR user and one NIPR user.
The SIPR user would have a Secure Lockbox at their desk/endpoint.
72

Supporting Moves/Adds/Changes
This example shows converting User 2 to have both NIPR and SIPR access.
User 2 now requires a Secure Lockbox would be required to terminate the alarm loop.
73

All-Secure PON Thin/Zero Client
Architecture
Thin/Zero Client and Cross Domain technologies can help further reduce the network
infrastructure onto a single PON, single ONT at the desk to support multiple classifications.

Intelligent PDS: Secure PON Zone Architecture
Logically Mapping Physical Areas as Deployable Zones
Monitor optical cables for tampering or physical intrusion attempts
Learning mode for unique characteristics of a zone (HVAC systems, aircraft/heavy
equipment, doors slamming, foot traffic, etc.) to eliminate false alarms
Optionally integrates shut down of PON Optics per Zone via integrated SNMP V3 traps
An INTERCEPTOR Zone = GPON Zone = Network Infrastructure Zone Cabling
INTERCEPTOR
Port 2
INTERCEPTOR
Port 4
INTERCEPTOR
Port 3
INTERCEPTOR
Port 1
75

Alarm Management Options
• Gov’t requires detailed SOP for responding to alarms and managing the system and
audit trail.
• These are components of a “PDS Plan” the certified systems integrator would develop,
project-by-project based on threat levels, and resources available to handle security.
• Every deployment is unique, but INTERCEPTOR is flexible to support.
76

Enterprise Management via Software Tools
INTERCEPTOR and PON Integration
77

Capturing Events
78

All-Secure PON in other Market Verticals
• Differentiated Optical LAN monitoring
technology from US Government solution
leveraging NIS patented R&D.
• Infrastructure security requirements
increasing in other market verticals where
GPON is gaining traction.
• TIA TR-42 Developing Network Infrastructure
Security/Alarming Standards.
• Secure PON Deployment now live at TIA HQ!
• Airports, Power Authorities, Hospitals.
Casinos and other opportunities currently
developing – especially markets where
interaction/integration with federal
government exists.
• Infrastructure types vary without a rigid “PDS”
specification like the government.
• Opportunities exist for Layer 1 innovation.
79 79

Long Distance & Location Detection
• Long haul fiber protection (up to 50 miles) with Intrusion
Location Detection (within 25 meters)
• Specifically engineered for single mode fiber
• Integrate alarm response from INTERCEPTOR for
ultimate ISP, OSP protection and PDS consolidation.
• Measurable cost savings compared to Hardened PDS
or managing Encryption nodes that potentially shrink
bandwidth.
80

All-Secure PON Takeaways
Proven Technologies Combined for Cost Savings, Flexibility and
Security
 All-Secure PON combines the benefits of PON (CAPEX/Power/Space savings) with
the cost savings and enhanced security of NIS Alarmed-Armored PDSTM (66%/75%
Installation/MAC savings) for a combined savings up to 80%
 Rapid scalability and reconfiguration of networks
 Support for multiple network classifications
 Support for Thin/Zero Client and Cross Domain Applications
 Easily upgrade existing INTERCEPTOR PDS environments to accommodate
PON Technology
 Easily upgrade existing PON environments to secure with INTERCEPTOR
 Tellabs and NIS offer formal training and certification for each Technology.
 Work continues with Government agencies on evaluating and implementing the
solution within network design standards and programs of record.
81

82

Secure Optical LAN: TechNet Augusta 2015

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Secure Optical LAN: TechNet Augusta 2015

Similaire à Secure Optical LAN: TechNet Augusta 2015 (20)

Plus de AFCEA International

Plus de AFCEA International (20)

Dernier

Dernier (20)

Secure Optical LAN: TechNet Augusta 2015