Netaxess - Technical document for Sify
Technical document for ISP
First of all, we would like to thank you for giving us the opportunity to test our product further. I am briefly describing what more we have on the product and how you can use it for various applications. For various Indian telecom operators we have developed special features like VRRP, IPsec, GRE, VLAN and content filtering (domain filtering and URL filtering), and we have also developed a failover concept based on keepalives.
I am also briefing you about TelExcell: what we do and how long we have been doing it.
In one sentence: we mainly work with ISPs, and we always prefer to route the case through the ISP as well.
We already have experience of working with various ISPs, so we know the support and services that ISPs expect.
“We align technology to business goals.
That's the solution, not the technology itself.”
Mahendra Lalwani | MD
TelExcell Information Systems Ltd. is one of the leading Value Added Distributors, with a track record of launching the industry's most innovative wireless, access control, security and networking products. We are one of the pioneers in introducing Networking and Communication Products in the country.
TelExcell's main focus is Wireless & Security, which is implied in all of our innovative and often unique leading solutions that meet the common and specialist requirements of customers.
Where possible TelExcell has a direct relationship with manufacturers, avoiding many of the issues that can occur if a distribution company is used. The direct relationship ensures the highest quality logistics, technical knowledge and technical support across the entire sales cycle.
TelExcell reviews the security environment as a whole and advises organizations on the best practices and applications to meet legal and company obligations. It constantly reviews new technologies to satisfy emerging customer requirements.
We have the best choice of voice and data solutions available to help your business excel.
TelExcell is renowned for introducing unique and emerging technologies into India. We are one of the pioneers in introducing Networking and Communication Products in the country, having started our operations back in 1993.
Our business is focused on three solution areas:
Communications
TelExcell installs and maintains communications solutions, such as the latest in unified communications, contact center, network security, wireless, IP & traditional telephony, and more. We offer a complete services portfolio, including system maintenance plans and remote monitoring services.
Infrastructure
TelExcell provides planning, installation, and maintenance services for all types of data infrastructure, from structured cabling to wireless networks to CATV, and the latest in integrated networking solutions such as routers, switches, and security applications.
Products
TelExcell's portfolio includes all the key technologies required to build today's high performance networks, including:
• Switching
• Routing
• Wireless
• Access
• RF Connectivity
• IP Telephony
• Unified Communications
• Mobility
• Network Security
• Access Storage
Coming to the product overview, I am listing the applications where we can use the product, with a brief overview of what we support and how we can use it to design the solution.
1. IPsec site-to-site application
[Diagram: IPsec site-to-site tunnel between two sites, each with a LAN behind a WAN link to the Internet.]
Brief about IPsec
VPN settings are used to create virtual private tunnels to remote VPN gateways. The tunnel technology provides data confidentiality, data origin authentication and data integrity for network traffic by using encapsulation protocols, encryption algorithms and hashing algorithms.
• VPN enable item
VPN protects network traffic from hostile network inspection, but it greatly reduces network throughput. Enable it only when you really need a secure tunnel. It is disabled by default.
• Max. number of tunnels item
Since VPN greatly reduces network throughput, the maximum number of tunnels is limited. Set this value carefully; it is the number of tunnels that can exist simultaneously. Its value ranges from 1 to 80.
• Tunnel name
Indicates which tunnel is currently selected.
• Method
IPsec VPN supports two ways of obtaining keys: manual key and automatic key exchange (IKE). With the manual key approach, the system managers of the two VPN gateways set up the authentication and encryption keys by hand. With IKE, keys are exchanged automatically over the Internet; the system managers of both gateways only need to set the same pre-shared key.
Function of buttons
More... Opens the detailed configuration for the manual key or IKE approach when the "More" button is clicked.
IPsec consists of two phases:
1. IKE Phase I: these parameters are used to protect the key exchange and to start communication between the two sites, so that the key cannot be decrypted by any third party. Here we configure how the exchange is encrypted and which authentication method to follow.
2. IKE Phase II: the parameters configured here are used to encrypt the data.
To create an IPsec tunnel between two locations, both the IKE Phase I and IKE Phase II parameters must be the same on both sides.
Configuration parameter
a.
b.
[Diagram: IPsec hub-and-spoke. An NA-3G-VWR acts as IPsec server at Delhi; remote sites at Chennai, Hyderabad, Bangalore and Jaipur connect over the Internet, either with NA-3G-VWR boxes or with IPsec client software.]
For the retail segment we can use the Netaxcess router configured as an IPsec server (i.e. a dynamic access server), and at the remote sites we can use the same Netaxcess boxes or ask the customer to use IPsec client software, which reduces CAPEX and OPEX.
3. For customers who have a firewall at the central site, with a private IP address mapped to the IPsec server behind it for security.
Customers such as banks normally place their IPsec devices behind a firewall, and the firewall maps a public IP address to the private IP address of the IPsec server for security reasons. In this case a remote site normally has between 20 and 30 users, so for such customers we can use the Netaxcess router at the remote site to reduce the cost.
[Diagram: central site at Delhi with a Cisco router (192.168.1.177, LAN 192.168.8.1) as IPsec server behind a switch (192.168.1.1) and a firewall (115.80.x.x); on the firewall the customer maps 203.110.84.69 to 192.168.1.177. A remote NA-3G-VWR site at Bangalore (203.110.80.67) and another site at 192.168.123.254 reach it over the Internet; LAN hosts 192.168.8.2 to 192.168.8.4.]
Configuration detail
On Netaxcess router
On Cisco router
Current configuration : 4084 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-13b.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password cisco
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.1 192.168.8.9
ip dhcp excluded-address 192.168.8.101 192.168.8.254
!
ip dhcp pool ccp-pool1
network 192.168.8.0 255.255.255.0
domain-name cisco.com
default-router 192.168.8.1
!
!
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server 8.8.8.8
!
!
!
username cisco123 privilege 15 secret 5 $1$6DW6$G6JVPN9Uqyoo6/vddSGzL.
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ankit esp-3des esp-md5-hmac
!
crypto dynamic-map dynamic 11
set security-association lifetime seconds 28800
set transform-set ankit
set pfs group2
match address 103
!
!
crypto map remotesite 11 ipsec-isakmp dynamic dynamic
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.1.177 255.255.255.0
duplex auto
speed auto
crypto map remotesite
!
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no keepalive
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny ip 192.168.8.0 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
password cisco
login
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
yourname#
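Since the tunnel only negotiates when both phases match on both sides, here is an added example, not TelExcell or Netaxcess code, that parses the IKE Phase I and Phase II parameters out of a constructed excerpt of the Cisco hub configuration above and reports every parameter that differs from the remote peer's proposal. The peer proposal is constructed as well, since the Netaxcess-side configuration is not included in this document.

```python
"""Compare a remote peer's IKE proposal with the hub's Cisco IOS crypto config
(added example, not Netaxcess/TelExcell code; both inputs below are constructed)."""
HUB_IOS_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 10
crypto ipsec transform-set ankit esp-3des esp-md5-hmac
crypto dynamic-map dynamic 11
 set security-association lifetime seconds 28800
 set transform-set ankit
 set pfs group2
"""
# Remote-side proposal; the phase 1 hash is deliberately wrong so there is a mismatch to report.
PEER_PROPOSAL = {
    "phase1": {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
    "phase2": {"transforms": ["esp-3des", "esp-md5-hmac"], "pfs": "group2", "lifetime": 28800},
}

def parse_ios_ike(config):
    """Extract phase 1 (isakmp policy) and phase 2 (transform-set, PFS, lifetime) settings."""
    phase1, phase2, transform_sets = {}, {}, {}
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            section = "phase1"
        elif line.startswith("crypto ipsec transform-set"):
            name, *algs = line.split()[3:]
            transform_sets[name] = algs
            section = None
        elif line.startswith(("crypto dynamic-map", "crypto map")):
            section = "phase2"
        elif line.startswith(("crypto ", "interface ", "!")):
            section = None  # keepalive, isakmp key, comment lines: we have left the policy block
        elif section == "phase1":
            key, _, value = line.partition(" ")
            phase1[key] = value  # encr / hash / authentication / group
        elif section == "phase2" and line.startswith("set transform-set"):
            phase2["transforms"] = transform_sets[line.split()[-1]]
        elif section == "phase2" and line.startswith("set pfs"):
            phase2["pfs"] = line.split()[-1]
        elif section == "phase2" and line.startswith("set security-association lifetime"):
            phase2["lifetime"] = int(line.split()[-1])
    return {"phase1": phase1, "phase2": phase2}

def mismatches(hub, peer):
    """One line per differing parameter; an empty list means the tunnel should negotiate."""
    report = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(hub[phase]) | set(peer[phase])):
            if hub[phase].get(key) != peer[phase].get(key):
                report.append(f"{phase}.{key}: hub={hub[phase].get(key)} peer={peer[phase].get(key)}")
    return report
```

Run against the full running-config above instead of the excerpt and the same two functions apply; `crypto isakmp key ... 0.0.0.0 0.0.0.0` is skipped as it is not a per-phase parameter.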
4. GRE solution for site-to-site and for hub-and-spoke locations
5. Solution based on L2TP and PPTP
We use these protocols to design solutions for customers who do not want to spend much and do not want separate client software, preferring to connect with the built-in Windows XP VPN client.
[Diagram: an NA-3G-VWR acting as LNS server at Delhi; L2TP/PPTP tunnels over the Internet from an NA-3G-VWR at Bangalore and from L2TP clients at Hyderabad and Jaipur using the built-in Windows XP, Vista or 7 client. Addresses shown: 203.110.80.67, 115.80.x.x, 192.168.123.254, LAN 192.168.8.1 with hosts 192.168.8.2 to 192.168.8.4.]
6. Backup solution where a Cisco router or any other router is present.
Say the customer has a Cisco router or any other router with bandwidth terminated on Ethernet or E1. If that link develops a problem, all the customer's services are affected. Often the customer cannot afford ISDN as backup: the NT1 boxes and the call charges cost too much, and often the ISP has no feasibility to provide ISDN connectivity at all. In that case we can use 3G technology as the backup: the hardware costs less than ISDN, the usage charges are also lower than ISDN, and the customer gets hardware-level redundancy as well.
In the above case, if the E1 or Ethernet link goes down, all traffic is automatically routed through the 3G router.
We support VRRP on our router, so using that functionality we can make this work.
7. Say the customer wants to terminate a VSAT or Ethernet link on the same router and use 3G technology as backup. For failover we have developed a special feature based on keepalives. In the normal case the Ethernet port does not go down when there is a problem in the network, a fibre cut or similar, so to cover these scenarios we configure an IP address on the router which it pings at a regular interval. If the router gets no ping response over the Ethernet path, it dials the 3G backup, connects, and all traffic moves through 3G.
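The keepalive-based failover just described, as an added example that is not Netaxcess firmware code: a small Linux monitor that pings a configured address, moves the default route to the 3G interface after several consecutive lost probes, and moves it back after several consecutive good ones. The interface names, the upstream gateway, the probe target and the thresholds are assumptions.

```python
"""Keepalive-driven primary/3G failover with hysteresis, modelled on the ping-based
failover described above. Added example; not Netaxcess firmware code."""
import subprocess, time
PRIMARY_IF, PRIMARY_GW = "eth0", "192.168.1.1"  # assumption: Ethernet/VSAT uplink and its gateway
BACKUP_IF = "ppp0"                               # assumption: 3G interface brought up by pppd
PROBE_TARGET = "8.8.8.8"                         # keepalive target: any IP reachable via the primary
FAIL_AFTER, RESTORE_AFTER = 3, 5                 # lost probes before failover / good probes before failback

class FailoverMonitor:
    """Decides which uplink carries traffic from a stream of keepalive results;
    step() returns the action to take now: None, "failover" or "failback"."""
    def __init__(self, fail_after=FAIL_AFTER, restore_after=RESTORE_AFTER):
        self.fail_after, self.restore_after = fail_after, restore_after
        self.on_backup = False
        self.misses = 0  # consecutive probe failures while on primary
        self.hits = 0    # consecutive probe successes while on backup

    def step(self, probe_ok):
        if not self.on_backup:
            # The Ethernet port stays up during a fibre cut, so only repeated lost probes count.
            self.misses = 0 if probe_ok else self.misses + 1
            if self.misses >= self.fail_after:
                self.on_backup, self.misses = True, 0
                return "failover"
        else:
            # Keep testing the primary path so traffic returns once it recovers.
            self.hits = self.hits + 1 if probe_ok else 0
            if self.hits >= self.restore_after:
                self.on_backup, self.hits = False, 0
                return "failback"
        return None

def simulate(probe_results, fail_after=FAIL_AFTER, restore_after=RESTORE_AFTER):
    """Feed a sequence of probe outcomes to a fresh monitor; return the actions taken."""
    monitor = FailoverMonitor(fail_after, restore_after)
    return [monitor.step(ok) for ok in probe_results]

def probe_primary(target=PROBE_TARGET, timeout=2):
    """One ICMP keepalive. It leaves via the primary path because main() pins a /32
    route for the target through PRIMARY_GW, even while the default route is on 3G."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), target]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

def apply_route(action):
    """Move the default route; dialling the 3G link is assumed to be handled by pppd (persist)."""
    route = ["dev", BACKUP_IF] if action == "failover" else ["via", PRIMARY_GW, "dev", PRIMARY_IF]
    return subprocess.run(["ip", "route", "replace", "default", *route], check=False).returncode == 0

if __name__ == "__main__":
    monitor = FailoverMonitor()
    while True:
        # Re-pin the host route each round: the kernel drops it if the primary link flaps.
        subprocess.run(["ip", "route", "replace", PROBE_TARGET + "/32", "via", PRIMARY_GW, "dev", PRIMARY_IF], check=False)
        action = monitor.step(probe_primary())
        if action:
            apply_route(action)
        time.sleep(10)
```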
[Diagrams: NA-3G-VWR (WAN 203.110.80.67; LAN 192.168.8.1 with hosts 192.168.8.2 to 192.168.8.4) with a primary WAN on Ethernet in the first diagram and on a VSAT dish in the second, and a 3G wireless CDMA link as backup to the Internet.]
For ATM connectivity
The following security is built into the proposed solution for an ISP using CDMA technology. Since the ISP already has an LNS and AAA in its network, we can use that infrastructure to design the solution.
The LNS also acts like a firewall, and basic firewall policies can be defined in the LNS.
The Remote Terminal communicates directly with the Host in an IP call through the customer's firewall and router. The Access Control List (ACL) set up in the bank's router adds to the security.
The AN-AAA user id and AN-AAA password are authenticated at the AN-AAA to assign a UATI to the AT. UATI (Unicast Access Terminal Identifier) uniquely identifies the AT during a data call.
The PPP user id and PPP password are authenticated at the PDSN to assign an IP address to the AT, and subnet locking is implemented to avoid misuse of the EVDO HSD+ network.
Since the communication uses IP addresses, there is no need for TPDU handling.
Different types of authentication in 3G technology that the customer can use:
1) IS-856 air interface authentication
2) IS-856 RAN authentication (performed by the RAN)
3) ISP authentication (between the user and the PDSN)
4) Home Agent authentication (between the user and the home agent)
IS-856 Air Interface Authentication
Air interface authentication eliminates the need to authenticate with the AAA servers (i.e., access authentication) every time the AT opens a connection.
It works as follows:
Perform ephemeral session key establishment: the Diffie-Hellman algorithm is used for session key exchange.
Authenticate the access attempts: the AT signs the access channel packets to prove it is the true owner of the session. SHA-1 is applied to the AC packet, the authentication key and a time stamp to generate the signature.
IS-856 RAN Authentication
IS-856 RAN authentication is also called AN-AAA authentication. For AN-AAA authentication the AN-AAA credentials (i.e., AN-AAA username and AN-AAA password) have to be configured both in the AT and in the AN-AAA. Whenever the AT wants to establish a session, the AN-AAA requests the username and password. The AN-AAA authenticates them using CHAP and returns the IMSI that has been configured against that username and password.
ISP Authentication
ISP authentication is also called PPP authentication. The PDSN authenticates the AT before assigning an IP address to the user.
Home Agent Authentication
The HA authenticates the registration request using the Mobile Number-Home Agent shared key. The following figure shows the Broadband+ authentications all together.
Hardware ID Authentication
Hardware ID authentication is based on the ESN/MEID of the device. The hardware ID is unique to the user device, so this type of authentication is useful in avoiding cloning problems.
End-to-End Security
True data protection should be implemented from data owner to data owner (for example, from a remote access employee's computer to the employer's server). A Broadband+ 1xRTT network protects data over the air, but once outside the carrier's network, public information network systems (i.e. the Internet) carry the data unprotected. Broadband+ 1xRTT security should therefore be complemented with a VPN security protocol for true data protection. Qualcomm's MSM software provides direct support for SSL. VPN software support is available for both laptops and PDAs.
Now, say the bank has already taken a VSAT link for ATM connectivity. For backup we can propose 3G technology, and in this way we can achieve 99.9% uptime.
8. For customers who want to block specific web sites, or block based on content or words, we can use the Netaxcess router.
a. Domain Filter lets you prevent users behind this device from accessing specific URLs.
b. URL Blocking blocks LAN computers from connecting to predefined web sites.
c. Packet filtering is also there, so we can prevent communication between computer A and computer B.