© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco Service Control Engine (SCE) For Mobile Technical Overview
July 2009
Agenda
Market Challenges and Opportunities
Service Control Engine Fundamentals
Peer-to-Peer Management and Network Optimization
Network Insertion Management and Integration
Traffic Analysis and Business Intelligence
Tiered Services and Advanced Services
Over 750 Customers Worldwide
Customer wins are confidential. Check with AMs if you want to use these as a reference.
Service Control – Advancing Broadband Services
Over 750 Service Providers Deployed
ANY broadband network: xDSL, FTTx, Cable, Mobile 3G, Fixed-Wireless
Significant rollouts in live networks
Largest Service Control deployments in the world – over 100 million subscribers served
Market Challenges & Opportunities
Value Add to Commodity Product
Prevailing prices for various coffee offerings:
Commodity: $0.01–$0.02 per cup
Good: $0.05–$0.25 per cup
Service: $0.75–$1.50 per cup
Experience: $2.00–$5.00 per cup
Graphic: BusinessWeek, 2005
Source: Pine and Gilmore, The Experience Economy, 1999
Application
Increasing Value of Broadband Currency: Bandwidth
Bulletin Board, Browsing
Music, Gaming, File Sharing
Web 2.0, IP TV
What's Next? 1 Terabyte
Expectations Have Changed: From Mobile Data To Mobile BB
Pay per kilobit plans
Mobile phone with data
Access and SMS-based services
Average 96kbps
Full HTML-based browsing
Mobile computer
On-demand video and content
Closed OS and browser
All-u-can-eat service plans
Broadband data rates
iPhone Launch
1 million customers within 2 months
>40% new AT&T customers
Revenue sharing with Apple
gPhone
inside
TV on your Mobile Phone
Skype goes Mobile
Alex Day, AKA Nerimon (19 years old)
Number 1 most popular of Britain's YouTubers; 30,000 subscribers tune into him every day
European Operator: "Video is the number 1 application that is killing our network"
Who Will Capture the Value?
Content/Application Providers
Aggregators/Integrators/Over the Top (OTT)
Network-Based Operators
Virtual Network Operators
Device/Services
Source: Cisco IBSG Analysis, March 2006
OTTs Create Three Areas of Concern for SPs…
Un-monetised Traffic Growth
Service Substitution
Changing User Behaviour – New Sources of Revenue
…while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows Mobile service providers to cope with the dynamic nature of the net:
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies:
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers Mobile SPs to implement advanced targeted advertising schemes
Application Architecture of the Future: SCE enables User Experience
[Diagram: Service Control Point in the Service Provider Network, between the access networks (Fixed Wireless, DSL, Cellular/WiFi Mesh/WiMAX, Enterprise, Cable) and the services (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music)]
What Is the Service Control Engine?
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology
Rapidly Programmable: Rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: Instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with Per-Subscriber BW Management and Quotas
Extensible Platform & Open Architecture: Based upon a flexible purpose-built platform
Modular and scalable HW acceleration; Easy-to-use with open APIs for seamless OSS Integration
Carrier Class: Designed for carrier-grade deployments requiring
High Performance for Multi-Gigabit and 10 Gigabit Speeds; High Availability & Reliability with stateful failover
Process of Service Control
Intelligent Inspection and Control of IP Packets
Classify to end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions: time of day, congestion, usage, other concurrent activities
Take action and report: Block, Redirect, Set QoS, Mark, Report
Service Control Engine: Functional Examples
[Chart axes: Cost Management / Revenue Generation]
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam, Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control & Content Filtering
Service Control Technology categories: Premium Service Enablement, Usage Analysis, Content Charging, Traffic Optimization, Tiering & Access Control, Service Security
Service Control Platforms: SCE1000, SCE2000, SCE8000
Interfaces: SCE1000 2-GBE (Fiber SX/LX); SCE2000 4-GBE (Fiber SX/LX); SCE8000 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX)
Mgmt Interface: 2 x 10/100/1000 Eth on all three platforms
Max Concurrent Unidirectional Application Flows: SCE1000 2M; SCE2000 2M; SCE8000 16M (can grow up to 32M)
Max Subscriber-Contexts: SCE1000 200,000; SCE2000 200,000; SCE8000 1M
Network Configuration: SCE1000 Out of Line, Inline; SCE2000 Out of Line, Inline, Clustering; SCE8000 Out of Line, Inline, Clustering
SCE Product Family and Milestones
Capacity (Concurrent Subscribers): 200K to 1M
Performance: 5 Gbps to 40 Gbps
SCE 1000, SCE 2000, SCE 8000
SCE 8000: 2x10G, 4x10G & 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end '09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
Industry leading Deep Packet Inspection
Rich set of IP services: Content Filtering, Content Charging, Traffic Optimization, Usage Analysis
3GPP Compliant
The SCE Mobile Solution
[Diagram: SGSN/GGSN and SCE between the Core and the Internet, with AAA (Radius), Policy Server, Portal/Applications, and Billing & Charging]
The SCE Mobile Solution – 3GPP Compliance
[Diagram: same topology with the 3GPP roles shown: PCEF (SCE) over the Gy/Gx interfaces, PCRF (Policy Server), OCF/SRP (Billing & Charging), AF (Portal/Applications)]
What does an SCE solution look like? SCE sits at the access or aggregation layer
[Diagram components: Subscriber Manager, AAA, DHCP, Radius, Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager, Policy Server, Portal, Service Control Engine, Subscribers, Network]
1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for Reporting & external DBs
3. Subscriber Manager to coordinate sub info w/ AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
[Chart axes: Usage Analysis / Service Creation]
1. Traffic Analysis & Business Intelligence: Implement traffic monitoring, analysis and reporting; Determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): Manage bandwidth-intensive applications through packet flow optimization techniques; Implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: Implement tiered services using volume and time-based quotas; Implement Service Self Selection; Implement Over-The-Top (OTT) Application Strategy and Blended Services; Implement Security Services (Anti-X, Quarantine, etc.); Innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
[Diagram components: Portal, DHCP, AAA, Subs Profile, Policy]
What does a Service Provider Want From SCE? Profitability
URL Blacklisting: Restricting sites that are blacklisted by governments
Precision Advertising: Demographic Information & Per Sub Re-direction to Ad Server
Copyright Infringement Blocking: Blocking Distribution of Pirated Film/Music
OTT Revenue Share Proposition: Application Intercept for Internet Content Prioritisation
Enhanced Tiered Services: Product Tiers in addition to flat rate all you can eat
Usage/Content Based Billing: All HSDPA Mobile Operators
Fair Use Policy: Global Migration from Flat Rate to Usage Based
[Chart labels: Flat Rate, Restricted]
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
[Diagram: cycle of Act, Measure, Compare, Analyze, Decide, with Cisco Service Control supplying the measurement data]
Labels: Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Service Offering; Marketing Review; Intersecting Set; Engineering Review; IT Review; Network Tuning; Cooperation; Strategic; Part of Business Ops; Customer; Sales; Category; Recognition
Video Reports
Which specific Video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on specific Video Application
Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google Hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
[Chart: Only ClickStream]
Cumulative & Average Usage Distribution
Top 1% => 15%+ of Traffic
Top 10% => 60%+ of Traffic
Top 20% => 80%+ of Traffic
Setting a 5G Daily Quota per Subscriber will impact the Top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll-your-own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); Flavors for popular Video services; Google Phone; Gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: The behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some use cases such as Traffic Optimization; in such cases there is no need to recognize the specific P2P application
Time To Market – Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Service Level / Policy Dimensions:
Application: Sessions or Bandwidth
Time Based: Peak/Off-Peak Hours
Congestion: Selective Prioritization
Subscriber: Per-Sub Limits
Destination: On-Net/Peering/Transit
Policy Implementation Impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Diagram: the bandwidth share between peer to peer service, web browsing, email and mobile tv shifts as the user launches video]
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violations of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both)
If at 0:40 the MSO divides bandwidth equally between them, would that be fair?
Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE – Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
– Apply equitable distribution of network resources
– Improve the Quality of Experience that the network delivers
– Minimize service abuse
FairUsage works only during congestion times
No Fairness – Some of the subscribers are not getting a fair share of the BW
Fair allocation of BW with the SCE's FairShare
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the boom in Mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN, SGSN/GGSN, SCE, Policy Server, Internet; GPRS]
Tiered Services
Requirement: Flexible Billing Plans
Volume, Time: Bill by bandwidth usage over always-on service
Time, Volume, Transaction, Content Type: Bill differently for each type of application and content
Volume, Transaction, Content Type, Usage Pattern, Quality of Service: Bill differently for the same content based on quality, priority, time of day and usage pattern
Subscription, Time
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE Capabilities:
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Diagram: Subscribers, Network, Service Control Engine, Quota Manager, Billing/Mediation, Policy Server]
Quota Measurement Flexibility
Content that has revenues other than Access Revenues can be exempted from Quota counting:
SP's Content Delivery Store
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
P2P Technology can also be supported in the Upload direction via DPI
Quota measurement rate can change during time of day: Peak Hour, 1 byte of transfer = 1 byte of quota; Middle of Night, 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular Charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
[Diagram: Subscriber; Service Control (SCE, Access Aggregation and Service Control); Converged Packet Core (GGSN); Internet, Video, VoIP Applications and Services; steps 1-3]
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types: Volume, Time, Event driven
High availability and load-balancing between Online Charging Servers
[Diagram: SCE to Online Charging Server over Gy (Diameter); Internet]
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements Speed as a Tiering parameter
When a User reaches Quota, his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15% of the Customers upgrade their Quota every month
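The quota rules from the Quota Measurement Flexibility and Telenet tiering slides above (exempt on-net services, 1:1 counting at peak versus 10:1 at night, the drop to dial-up speed and the portal redirect once 100% of the allowance is used), as an added example that is not Cisco SCE code; the service names, the 56 kbps narrowband rate, the peak window and the flow records are assumptions:

```python
from dataclasses import dataclass

# Services exempt from quota counting (constructed names standing in for
# the SP's content store, gaming, VoIP and partner CDN services).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}

# Assumption: 08:00-23:59 is peak. Peak hour: 1 byte of transfer = 1 byte
# of quota; middle of the night: 10 bytes of transfer = 1 byte of quota.
PEAK_HOURS = range(8, 24)
NARROWBAND_KBPS = 56   # assumed "dial-up speed" applied at 100% of quota


def quota_divisor(hour: int) -> int:
    """Bytes of transfer that consume one byte of quota at this hour."""
    if not 0 <= hour < 24:
        raise ValueError(f"hour out of range: {hour}")
    return 1 if hour in PEAK_HOURS else 10


@dataclass
class SubscriberQuota:
    subscriber_id: str
    allowance_bytes: int
    used_bytes: int = 0

    def account(self, service: str, nbytes: int, hour: int) -> int:
        """Charge one flow's volume against the quota; returns bytes charged.

        Integer division mirrors a counter that only advances once ten
        off-peak bytes have been seen, so no fractional quota accrues.
        """
        if nbytes < 0:
            raise ValueError("negative byte count")
        if service in EXEMPT_SERVICES:
            return 0            # revenue other than access: not counted
        charged = nbytes // quota_divisor(hour)
        self.used_bytes += charged
        return charged

    def quota_reached(self) -> bool:
        return self.used_bytes >= self.allowance_bytes

    def policy(self) -> dict:
        """Enforcement the SCE should apply for this subscriber right now."""
        if not self.quota_reached():
            return {"rate_limit_kbps": None, "redirect_to_portal": False}
        # At 100% of quota: reduce to narrowband and redirect the next HTTP
        # request to the portal offering extend / pay-as-you-go / continue.
        return {"rate_limit_kbps": NARROWBAND_KBPS, "redirect_to_portal": True}

    def extend_allowance(self, extra_bytes: int) -> None:
        """Portal option 'extend subscription': buy more monthly volume."""
        if extra_bytes <= 0:
            raise ValueError("extension must be positive")
        self.allowance_bytes += extra_bytes


def run_period(allowance_bytes: int, flows) -> SubscriberQuota:
    """Replay (hour, service, bytes) flow records for one subscriber."""
    sub = SubscriberQuota("sub-1", allowance_bytes)
    for hour, service, nbytes in flows:
        sub.account(service, nbytes, hour)
    return sub


# Constructed flow records for one day: (hour, service, bytes).
SAMPLE_FLOWS = [
    (10, "web", 600_000_000),        # peak: counts fully
    (3, "p2p", 3_000_000_000),       # night: 3 GB counts as 300 MB
    (12, "sp_voip", 500_000_000),    # exempt: counts as 0
]

if __name__ == "__main__":
    sub = run_period(1_000_000_000, SAMPLE_FLOWS)
    print(sub.used_bytes, sub.policy())
    sub.account("video", 200_000_000, 20)
    print(sub.used_bytes, sub.policy())
```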
[Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Re-direct page in case 100% of quota is reached. Three options presented to subscriber: Extend subscription (buy more); Pay as you go on broadband; Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% REDUCTION in service support calls relating to this service: increased customer service satisfaction
T-Mobile – Quota-Based With Application Control
Plans: Default, WnW, WnW Pro, WnW Plus, WnW Max, Post Pay, Day Pass
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
VoIP: ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM: ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P: ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media Stream: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web Browsing: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads: ✓ ✗ ✓ ✓ ✓ ✓ ✓
Emails: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem: ✓ ✗ ✓ ✗ ✓ ✓ ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven (Turbo Button, Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
[Diagram: Application Awareness, Control Bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples:
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment:
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Personalization via Self Selection
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application and Content based access control with white-lists/blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Portal screenshot: "Content Blocked. Click here to unlock all Internet sites"; Internet]
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transactions to the external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On Device URL Filtering with External Database Integration: when the URL is not in the cache, a URL Query RDR is sent to the 3rd Party URL Database, which returns the URL Classification; the result is written back with a Cache-Lookup Update
Subscriber-Package vs HTTP URL list (HTTP DEFAULT, HTTP List ID 1, HTTP List ID 2):
Block-none: ALLOW, ALLOW, ALLOW
Block-all: ALLOW, BLOCK, BLOCK
Block-and-slow: ALLOW, BLOCK, RATE 64kbps
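The cache-then-external-database lookup and the package matrix from the URL filtering slide above, as an added example that is not Cisco SCE code nor the Websense or Adaptive Mobile API; the database contents, the LRU cache size and the hostname-based lookup key are assumptions:

```python
from collections import OrderedDict
from urllib.parse import urlsplit

DEFAULT, LIST_1, LIST_2 = "DEFAULT", "LIST_1", "LIST_2"

# Enforcement matrix from the slide: subscriber package -> list ID -> action.
PACKAGE_MATRIX = {
    "Block-none":     {DEFAULT: "ALLOW", LIST_1: "ALLOW", LIST_2: "ALLOW"},
    "Block-all":      {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "BLOCK"},
    "Block-and-slow": {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "RATE 64kbps"},
}


class ExternalUrlDatabase:
    """Stand-in for the 3rd-party URL database reached via URL Query RDRs.

    Constructed contents; `queries` counts round-trips so the effect of the
    on-board cache can be measured.
    """

    def __init__(self, entries: dict):
        self._entries = entries   # hostname -> list ID
        self.queries = 0

    def classify(self, host: str) -> str:
        self.queries += 1
        return self._entries.get(host, DEFAULT)


class UrlFilter:
    """On-device URL filtering: LRU cache in front of the external database."""

    def __init__(self, db: ExternalUrlDatabase, cache_size: int = 1024):
        if cache_size < 1:
            raise ValueError("cache_size must be at least 1")
        self.db = db
        self.cache_size = cache_size
        self._cache = OrderedDict()   # host -> list ID, oldest first

    @staticmethod
    def host_of(url: str) -> str:
        """Lookup key: lowercase hostname without port, path or trailing dot,
        so case and port variations of one site share a cache entry."""
        if "://" not in url:
            url = "http://" + url
        return (urlsplit(url).hostname or "").rstrip(".")

    def classify(self, url: str) -> str:
        host = self.host_of(url)
        if not host:
            return DEFAULT                 # unparsable request: default list
        if host in self._cache:
            self._cache.move_to_end(host)  # hit: no transaction to the DB
            return self._cache[host]
        list_id = self.db.classify(host)   # miss: URL Query RDR
        self._cache[host] = list_id        # Cache-Lookup Update
        if len(self._cache) > self.cache_size:
            self._cache.popitem(last=False)
        return list_id

    def decide(self, package: str, url: str) -> str:
        """Action for one HTTP request of a subscriber in `package`."""
        if package not in PACKAGE_MATRIX:
            raise KeyError(f"unknown subscriber package: {package}")
        return PACKAGE_MATRIX[package][self.classify(url)]


# Constructed database: two listed hosts, everything else is DEFAULT.
SAMPLE_DB = {"adult.example": LIST_1, "games.example": LIST_2}

if __name__ == "__main__":
    f = UrlFilter(ExternalUrlDatabase(SAMPLE_DB), cache_size=2)
    for pkg, url in [("Block-none", "http://adult.example/"),
                     ("Block-all", "http://ADULT.EXAMPLE:8080/x"),
                     ("Block-and-slow", "games.example/play"),
                     ("Block-and-slow", "http://news.example./")]:
        print(pkg, url, f.decide(pkg, url), "db queries:", f.db.queries)
```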
Parental Control and Content Filtering: Example
Content Filtering
[Screenshot: Page Blocked / Forbidden Content Detected]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
[Diagram: Advertiser, Publisher, Consumer; the ISP contributes Demographics, Browsing habits and Geo-location to BetterAds]
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in/Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits…)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults the HASH DB
3. DB responds with file classification: infringing or legal
4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE, OTT, Other OTT/P2P, VoIP, OTT Video Cache; SCE redirects OTT traffic; Cache delivers requested files; Increase in demand for OTT]
Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection

Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts

Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk

Diagram (Subscribers, Service Control, Email Servers, Internet). Sample subscriber notification:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail, and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
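The Identify / Protect / Notify flow above, as an added example that is not Cisco code: anomaly detection of a spam-zombie pattern (one host fanning out to many SMTP servers in a short window) over constructed flow records, followed by the three response tiers. Thresholds, the policy list and the flow record layout are illustrative assumptions.

```python
# Added example (not Cisco code): anomaly-based identification of a subscriber host that behaves
# like a spam zombie, then the Identify / Protect / Notify steps applied to it.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds, time the flow was opened
    subscriber: str    # subscriber context the flow was mapped to
    dst_ip: str
    dst_port: int
    upstream: bool     # True = subscriber -> network


# Illustrative policy knobs (constructed; not SCE default thresholds).
WINDOW_SEC = 60
MAX_SMTP_DESTS = 20    # distinct SMTP servers a single host may contact per window
MAX_SMTP_CONNS = 50    # SMTP connection attempts per window
SMTP_PORTS = (25, 587)


def detect_spam_zombies(flows, now):
    """Return {subscriber: reason} for subscribers whose outbound SMTP behaviour is anomalous.

    Only upstream flows inside the sliding window count; a normal mail client talks to one
    or two servers, while a zombie fans out to many MX hosts in a short time.
    """
    stats = defaultdict(lambda: {"conns": 0, "dests": set()})
    for f in flows:
        if not f.upstream or f.dst_port not in SMTP_PORTS or now - f.ts > WINDOW_SEC:
            continue
        s = stats[f.subscriber]
        s["conns"] += 1
        s["dests"].add(f.dst_ip)
    flagged = {}
    for sub, s in stats.items():
        if len(s["dests"]) > MAX_SMTP_DESTS:
            flagged[sub] = f"{len(s['dests'])} distinct SMTP servers within {WINDOW_SEC}s"
        elif s["conns"] > MAX_SMTP_CONNS:
            flagged[sub] = f"{s['conns']} SMTP connections within {WINDOW_SEC}s"
    return flagged


# Constructed mitigation policy for the "Spam" threat class.
SPAM_POLICY = ["block_port:25", "block_port:587", "redirect_http:quarantine_portal"]


def respond(flagged, policy=SPAM_POLICY):
    """Translate detections into the three tiers: alert operations, enforce, notify subscriber."""
    actions = []
    for sub, reason in flagged.items():
        actions.append(("alert_ops", sub, reason))                          # Identify
        actions.extend((act, sub) for act in policy)                       # Protect
        actions.append(("notify", sub, "possible email zombie infection"))  # Notify
    return actions


# Constructed sample flows: alice mails through her provider's server, bob fans out to many
# MX hosts (zombie pattern), carol's burst happened long before the window and is ignored.
NOW = 10_000.0
SAMPLE_FLOWS = (
    [Flow(NOW - 30, "alice", "198.51.100.10", 587, True)] * 3
    + [Flow(NOW - 5 - i, "bob", f"203.0.113.{i}", 25, True) for i in range(1, 26)]
    + [Flow(NOW - 3600, "carol", "198.51.100.20", 25, True)] * 100
    + [Flow(NOW - 10, "bob", "192.0.2.80", 443, True)]                     # unrelated HTTPS
)

if __name__ == "__main__":
    hits = detect_spam_zombies(SAMPLE_FLOWS, NOW)
    for action in respond(hits):
        print(action)
```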
Service Security Protection: Value to the Service Provider

- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined for Users

Diagram (User 1, SCE, Carrier Ethernet/MPLS/IP, VAS Server, Internet; inbound and outbound traffic; X = traffic blocked):
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application.
2. The SCE identifies the subscriber's traffic flows; they match the Virus Protection Package.
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server.
4. The server transmits the file, which contains a virus or other malware. The VAS detects the embedded malware and drops the remaining packets, so the file is not loaded on the user's machine.
Network Insertion and Configuration
Network Insertion Point

Typical insertion point: Broadband Edge/Aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations

Issues to consider
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"

- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa

Diagram: Analysis Engine; PDR = Police, Drop, Rewrite actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy

Receive-only configuration
- Using optical splitters / port SPAN
- Traffic monitoring only

Inline configuration
- Engine installed in the data path
- Monitor and control traffic

Diagram: Subscribers, optical splitter, SCE, optical splitter, Network
High Availability: Cascading Configurations

- Addressing split flows between the two links
- Providing 1+1 active/standby failover
- Slave forwards all traffic to the Master for processing
- Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration

Diagram: Master and Slave SCEs, one on each active link
Redundant Configurations: Active/Standby Schemes

1+0
- Active/standby SCE on the active link
- On failure, the network uses the alternate path
- No service redundancy
- Bypass config: fail open

1+1
- Active/standby SCE on each link
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open

Diagram labels: Active Link, Standby Link
Optical Bypass

- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot

Diagram: SCE8000 with optical bypass modules; default bypass state (no power) vs. non-default bypass state
MGSCP Cluster Insertion: N+1 SCEs

- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state

Diagram: Internet, N+1 SCEs, Flows / Return Flows
Network Architectures: SCE's Open & Extensible Architecture

Diagram: DSL/Fiber access via BRAS/LAC/LNS and Mobile access via GGSN feed SCEs deployed as N+1, 1+1 HA and bypass HA configurations; Accounting/Policy Control; Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic

Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009

Diagram (packet inspection through the encapsulation stack): [l2tp | mpls | IP | TCP | Payload], [l2tp | mpls | IP | TCP | Payload], [ppp | IP | TCP | Payload]
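The visibility problem the list above describes, as an added example that is not Cisco code: a decoder that walks stacked 802.1q/802.1ad tags, an MPLS label stack, L2TPv2 over UDP with PPP, and IP-in-IP down to the inner IPv4/TCP 5-tuple a DPI engine classifies on, refusing GRE/GTP the way the page says they are not yet supported. The sample frames and helper names are constructed.

```python
# Added example (not Cisco code): walking a frame's encapsulation stack (802.1q/802.1ad VLAN
# tags, an MPLS label stack, L2TPv2 over UDP with PPP, IP-in-IP) down to the inner IPv4/TCP
# 5-tuple that a DPI engine needs for classification. GRE and GTP are deliberately unsupported.
import struct

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
PPP_IPV4, L2TP_PORT = 0x0021, 1701
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17

def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]

def _ipv4(data, layers):
    """Parse an IPv4 header; descend into IP-in-IP and L2TP, stop at TCP."""
    if data[0] >> 4 != 4:
        raise ValueError("expected an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    proto, payload = data[9], data[ihl:]
    if proto == IPPROTO_IPIP:
        layers.append("ipip")
        return _ipv4(payload, layers)
    if proto == IPPROTO_UDP and _u16(payload, 2) == L2TP_PORT:
        layers.append("l2tp")
        return _l2tp(payload[8:], layers)            # strip the 8-byte UDP header
    if proto != IPPROTO_TCP:
        raise ValueError(f"IP protocol {proto} not handled (e.g. GRE/GTP)")
    return {
        "layers": layers,
        "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
        "sport": _u16(payload, 0), "dport": _u16(payload, 2),
    }

def _l2tp(data, layers):
    """L2TPv2 data message: skip the variable header, then the PPP header, then recurse."""
    flags = _u16(data, 0)
    if flags & 0x8000:
        raise ValueError("L2TP control message carries no subscriber payload")
    if flags & 0x000F != 2:
        raise ValueError("only L2TPv2 is handled here")
    pos = 2
    if flags & 0x4000:                               # L bit: Length field present
        pos += 2
    pos += 4                                         # Tunnel ID + Session ID
    if flags & 0x0800:                               # S bit: Ns/Nr present
        pos += 4
    if flags & 0x0200:                               # O bit: Offset Size (+ padding) present
        pos += 2 + _u16(data, pos)
    ppp = data[pos:]
    if ppp[:2] == b"\xff\x03":                       # optional HDLC address/control bytes
        ppp = ppp[2:]
    if _u16(ppp, 0) != PPP_IPV4:
        raise ValueError("PPP payload is not IPv4")
    layers.append("ppp")
    return _ipv4(ppp[2:], layers)

def decode(frame):
    """Return the inner 5-tuple and the list of encapsulations crossed, outermost first."""
    layers, pos = [], 12                             # skip dst/src MAC
    etype = _u16(frame, pos); pos += 2
    while etype in (ETH_VLAN, ETH_QINQ):             # stacked VLAN tags
        layers.append("vlan")
        etype = _u16(frame, pos + 2); pos += 4       # TCI (2 bytes) then the next ethertype
    if etype == ETH_MPLS:
        while True:                                  # label entries until bottom-of-stack bit
            entry = struct.unpack_from("!I", frame, pos)[0]; pos += 4
            layers.append("mpls")
            if entry & 0x100:
                break
        return _ipv4(frame[pos:], layers)            # no ethertype after MPLS: sniff version
    if etype == ETH_IPV4:
        return _ipv4(frame[pos:], layers)
    raise ValueError(f"ethertype {etype:#06x} not handled")

# --- constructed sample frames (checksums left zero; the decoder does not verify them) ---
def _ip(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)

def _eth(etype, payload):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", etype) + payload

INNER = _ip("10.0.0.5", "198.51.100.7", IPPROTO_TCP, _tcp(51000, 80))
FRAME_QINQ = _eth(ETH_QINQ, struct.pack("!HH", 0x0010, ETH_VLAN)
                  + struct.pack("!HH", 0x0064, ETH_IPV4) + INNER)
FRAME_MPLS = _eth(ETH_MPLS, struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64) + INNER)
FRAME_IPIP = _eth(ETH_IPV4, _ip("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, INNER))
_PPP = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + INNER
_L2TP = struct.pack("!HHHH", 0x4002, 8 + len(_PPP), 1, 7) + _PPP   # L bit, v2, tunnel 1, session 7
_UDP = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(_L2TP), 0) + _L2TP
FRAME_L2TP = _eth(ETH_IPV4, _ip("192.0.2.1", "192.0.2.2", IPPROTO_UDP, _UDP))

if __name__ == "__main__":
    for name, frame in [("qinq", FRAME_QINQ), ("mpls", FRAME_MPLS),
                        ("ipip", FRAME_IPIP), ("l2tp", FRAME_L2TP)]:
        print(name, decode(frame))
```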
Management and Integration
What Does an SCE Solution Look Like? SCE sits at the access or aggregation layer

Modular solution: includes SCE devices, management tools and integration APIs

Diagram components: Subscribers, Network, Service Control Engine; Subscriber Manager (AAA, DHCP, RADIUS, Billing); Collection Manager (Reporting Tool, Engage Console, Service Portal); Policy Server / Portal
Management and Integrations

Area                         | Description                                              | Protocols and Tools      | External Software Modules
Network Management           | FCAPS                                                    | SNMP, CLI, SSH           | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices   | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts                | SM API, RADIUS           | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing       | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)

SNMP (v2)
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down

CLI
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components

- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor

- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter

- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard

Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management

Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions

Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets

Integration into back office / AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems
Subscriber Manager: Roles

- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration: Push

Diagram (Subscribers, B-RAS, Network, Cisco Subscriber Manager with RADIUS Event Manager, internal SDB and SCE device controller, SCE):
1. RADIUS Acct Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to the SM: Acct Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM-API: Set Subscriber (Joe, 1.2.3.4, 12) is pushed to the SCE
Subscriber Manager RADIUS Integration: Pull

Diagram (same components as the push case):
1. RADIUS Acct Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to the SM: Acct Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. SM-API: Set Subscriber (Joe, 1.2.3.4, 12) is returned to the SCE
RADIUS Integration: LEG Translation in Brief

RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)

LEGs (Login Event Generators) feeding the SM:
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG

Translated events:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
Policy Server Integration: API Overview

- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API: allows direct subscriber management with the SCE (provided in Java)
  - SM API: allows dynamic subscriber management (provided in C, Java)
  - SCE MIB: allows integration for maintenance operations
  - RDRs: allow integration for billing/quota provisioning
  - NetFlow v9: allows integration for billing/quota provisioning
Policy Servers Integration: Topology Example

- The SCMS SM is responsible for mapping Network ID to Subscriber ID, together with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID

Diagram: Policy Server <API> Subscriber Manager <API> SCE
PCEF: Subscriber Policy Enforcement

Diagram: GGSN; access aggregation and service control (SCE acting as PCEF); converged packet core; Internet; video/VoIP applications and services; subscriber service control

- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs

- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Collection Manager

- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing
  - Cisco bundled Collection Manager
  - Third-party database
- Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol

- Usage data is streamed from the device using the RDR protocol
  - TCP, binary encoded
  - Support for multiple destinations, failover, subscriptions
- RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems

Diagram: the SCE streams RDRs over TCP to the mediation/collection platform; each RDR consists of a Header followed by Field 0, Field 1, ... Field n
Collection Manager: NetFlow v9 Export

- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0

Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)
Collection Manager: Software Overview

CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)

CM-Bundle
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking

- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  - per package
  - per service
  - per direction (i.e. upstream / downstream)

Diagram: subscriber side and network side; upstream flows and downstream flows for Browsing, P2P and VoIP
ToS Classification

- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
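The marking and classification behaviour of the two ToS slides above, as an added example that is not Cisco code: a per (package, service, direction) DSCP rewrite that keeps the ECN bits and recomputes the IPv4 header checksum, and a classifier in which a trusted DSCP value takes precedence over the signature result. The marking table, the trusted-DSCP table and the sample packet are constructed.

```python
# Added example (not Cisco code): the two ToS functions described above. mark_dscp() rewrites
# the DSCP field of an IPv4 header per (package, service, direction) while keeping the ECN
# bits and fixing the header checksum; classify() gives a trusted DSCP value precedence over
# the signature-based result, the way the Flavor-based precedence is described.
import struct
from typing import Optional

# Constructed marking table (package, service, direction) -> DSCP. The page does not list the
# seven selectable values, so these assignments are made up.
MARKING_POLICY = {
    ("Gold",   "VoIP",     "upstream"):   46,   # EF
    ("Gold",   "VoIP",     "downstream"): 46,
    ("Gold",   "Browsing", "downstream"): 18,   # AF21
    ("Silver", "Browsing", "downstream"): 10,   # AF11
    ("Silver", "P2P",      "upstream"):   8,    # CS1 (scavenger)
    ("Silver", "P2P",      "downstream"): 8,
}
# DSCP values another element may have set and that the SCE is configured to trust
# (constructed Flavor table).
DSCP_FLAVORS = {46: "VoIP", 34: "Video", 8: "Bulk"}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over the header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Return a copy of an IPv4 packet with the DSCP rewritten, ECN preserved, checksum fixed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)           # top 6 bits DSCP, low 2 bits ECN
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def apply_marking(packet: bytes, package: str, service: str, direction: str) -> bytes:
    """Mark only when the policy names this package/service/direction; otherwise pass through."""
    dscp = MARKING_POLICY.get((package, service, direction))
    return packet if dscp is None else mark_dscp(packet, dscp)


def classify(packet: bytes, signature_service: Optional[str]) -> str:
    """A trusted DSCP wins over what signature matching found; otherwise fall back to it."""
    dscp = packet[1] >> 2
    if dscp in DSCP_FLAVORS:
        return DSCP_FLAVORS[dscp]
    return signature_service or "Default"


def build_ipv4(src: str, dst: str, tos: int, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet with a valid header checksum (used as sample input)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000, 64,
                                6, 0, bytes(map(int, src.split("."))),
                                bytes(map(int, dst.split(".")))))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


if __name__ == "__main__":
    pkt = build_ipv4("10.0.0.5", "198.51.100.7", tos=0x02)      # DSCP 0, ECN = ECT(0)
    marked = apply_marking(pkt, "Silver", "P2P", "upstream")
    print(marked[1] >> 2, marked[1] & 0x03, ipv4_checksum(marked[:20]) == 0)
    print(classify(marked, "P2P"), classify(pkt, "P2P"))
```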
Summary
Cisco SCE Sample Customers (logo panels: Mobile, DSL, Cable)
Use cases, partners and customers (table; column alignment lost in extraction):
Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Use cases, partners and customers, continued (table; column alignment lost in extraction):
Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 2
Agenda
Market Challenges and Opportunities
Service Control Engine Fundamentals
Peer-to-Peer Management and Network Optimization
Network Insertion Management and Integration
Traffic Analysis and Business Intelligence
Tiered Services and Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 3
Over 750 Customers Worldwide
Customer wins are confidential Check with AMs if you want to use these as reference
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 4
Service Control ndashAdvancing Broadband Services
Over 750 Service Providers Deployed
ANY broadband Network xDSL FTTx Cable Mobile 3G Fixed-Wireless
Significant rollouts in live networks
Largest Service Control deployments in the world ndash over 100 million subscribers served
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 5
Market Challenges amp Opportunities
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 6
Value Add to Commodity Product
Commodity Good Service Experience
Prevailing prices forvarious coffee offerings
$01ndash$02Per Cup
$05ndash$25Per Cup
$75ndash$150Per Cup
$200ndash$500Per Cup
bullGraphic BusinessWeek 2005
bullSource Pine and Gilmore The Experience Economy 1999
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 7
Application
bullIncreasing Value of Broadband CurrencyBandwidth
A Bulletin BoardBrowsing
Music Gaming File Sharing
Web 20IP TV
Whatlsquos Next1 Terabyte
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 8
Expectations Have Changed
From Mobile Data To Mobile BB
Pay per kilo-
bit plans
Mobile phone
with data
Access and SMS-
based services
Average
96kbps
Full HTML-based
browsing
Mobile
computer
On-demand video
and content
Closed OS and
browser
All-u-can eat
service plans
Broadband data
rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 9
iPhone Launch
1 million customers within 2 monthlsquos
gt40 new ATampT customers
Revenue sharing with Apple
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 10
gPhone
inside
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 11
TV on your Mobile Phone
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 12
Skype goes Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 13
Alex Day AKA Nerimon (19 years old)
Nerimon
Number 1 Most Popular
Britainlsquos Youtubers has 30000 subscribers tune into him everyday
European Operator
ldquoVideo is number 1 application that is
killing our networkrdquo
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 14
bullSource Cisco IBSG Analysis March 2006
ContentApplicationProviders
AggregatorsIntegratorsOver the Top (OTT)
NetworkBased Operators
VirtualNetworkOperators
DeviceServices
Who Will Capture the Value
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 15
OTTs Create Three Areas of Concern for SPshellip
Un-monetised Traffic Growth
ServiceSubstitution
Changing User Behaviour ndash New Sources of Revenue
Source Cisco IBSG
While remaining innovative acquisitive and highly valued
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 16
Service Control Engine (SCE) Fundamentals
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 17
DPI allows Mobile service providers to cope with the dynamic nature of the net
permits SPrsquos to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPrsquos to create new per-subscriber service offerings and other differentiated services (such as parental control advanced per-application charging and quota)
DPI empowers Mobile SPrsquos implement advanced targeted advertising schemes
Deep Packet Inspection (DPI) Critical To Managing Todayrsquos Mobile Networks
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 18
Application Architecture of the FutureSCE enables User Experience
Service Provider Network
Service Control PointFixed
Wireless
DSL
CellularWiFi MeshWiMAX
Enterprise
Cable
Gaming
Messaging
BroadbandAccess
Voice
IPTVVoD
Music
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 19
Application Awareness
Subscriber Intelligence
Real-Time Control
Service Velocity
Technology
Rapidly ProgrammableRapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection Instead of processing packets as individual events the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth ShapingBlocking Redirecting (HTTP RSTP SIP)
Subscriber State Managementwith Per-Subscriber BW Management and Quotas
Extensible Platform amp Open Architecture Based upon a flexible purpose-built platform
Modular and scalable HW accelerationEasy-to-use with open APIs for seamless OSS Integration
Carrier Class Designed for carrier-grade deployments requiring
High Performance for Multi-Gigabit and 10 Gigabit SpeedsHigh Availability amp Reliability with stateful failover
What Is the Service Control Engine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Intelligent Inspection and Control of IP Packets Classify to end-user application determine application semantics
Map to subscriber identity policy and state
Select action based on conditions - time of day congestion usage other concurrent activities
Take action and reportBlock
Redirect
Set QoS
Mark
Service Control Engine
Report
Process of Service Control
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 21
Co
st M
an
ag
em
en
tR
even
ue
Gen
era
tio
n
Traffic Anomaly Detection and DDOS Protection
Anti-X (SPAMWorms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (VoiceVideo) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control amp Content Filtering
Premium
Service
Enablement
Usage
Analysis
Content
Charging Service Control
Technology
Traffic
Optimization
Tiering amp
Access
Control
Service
Security
Service Control EngineFunctional Examples
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 22
Category
Interfaces2-GBE
(Fiber SXLX)
4-GBE
(Fiber SXLX)
2-10G 4-10G
8-GBE 16-GBE
(Fiber SXLXZX)
Mgmt Interface 2 x 101001000 Eth 2 x 101001000 Eth 2 x 101001000 Eth
Max Concurrent Unidirectional Application Flows
2M 2M16M
(Can grow up to 32M)
Max Subscriber-Contexts
200000 200000 1M
Network ConfigurationOut of Line
Inline
Out of Line
Inline
Clustering
Out of Line
Inline
Clustering
Service Control Platforms
SCE1000 SCE2000 SCE8000
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 23
SCE ProductFamily and Milestones
Capacity
(Concurrent Subscribers)
200K
Performance
5Gbps 40Gbps
SCE 1000
SCE 2000
SCE 8000
2x10 G 4x10G amp 8xGBE 16xGBE Ethernet interfaces Classification of up to 32 million concurrent
unidirectional application flows Total throughput of 15 Gbps (30+ Gbps by
end 09) Up to 1M concurrent subscribers Complete modularity - FRU AC or DC power
supplies fans cards interfaces optics
1M
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 24
3GPP Compliance
Content Filtering
Content Charging
Traffic Optimization
Usage Analysis
DPI
Industry leading Deep Packet Inspection
Rich set of IP services
3GPP Compliant
Cisco SCE In Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 25
The SCE Mobile Solution
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 26
The SCE Mobile Solution ndash 3GPP Compliance
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
PCEF
GyGx
PCRF OCFSRP
AF
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 27
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
1 SCE Appliance
to view and act
on the packets
2 Collection
Manager to
collect data
records for
Reporting amp
external DBlsquos
3 Subscriber Manager
to coordinate sub
info w AAA and
control sub-level
policies
4 Policy Manager
to control multiple
devices and
sophisticated
policies
What does an SCE solution look likeSCE sits at the access or aggregation layer
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 28
Us
ag
e A
na
lys
isS
erv
ice
Cre
ati
on
Service Control Engine DeploymentApproaches
Traffic Analysis amp Business Intelligence Implement traffic monitoring analysis and reporting Determine subscriber and application usage patterns
1
Capacity Control amp Fair-Use Policies (FUPs) Manage bandwidth-intensive applications through packet flow
optimization techniques Implement Fair Usage Policies for fair allocation of network resources
2
Revenue Generating Services Implement tiered services using volume and time-base quotas Implement Service Self Selection Implement Over-The-Top (OTT) Application Strategy and
Blended Services Implement Security Services (Anti-X Quarantine etc) Innovate other Differentiated Services such as Parental
Controls Content Filtering Turbo Buttons Allowance Based Services Prioritized App Services Pay-as-you-go Services
3
Portal
DHCP
AAA
Subs Profile
Policy
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 29
Why does a Service Provider Want From SCEProfitability
URL Blacklisting Restricting sites that are blacklisted by governments
bullURL Blacklisting
Precision Advertising
Copyright Infringement
Blocking
bullFlat Rate
bullRestricted
OTT Revenue
Share Proposition
Enhanced Tiered
Services
UsageContent
Based Billing
Fair Use Policy
Demographic Information amp Per Sub Re-direction to Ad Server
Blocking Distribution of Pirated FilmMusic
Application Intercept for Internet Content Prioritisation
Product Tiers in addition to flat rate all you can eat
All HSDPA Mobile Operators
Global Migration from Flat Rate to Usage Based
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
bull
bullStrategic
bullPart of
bullBusiness OpsbullCustomer
bullSales
bullCategory
bullRecognition
Act Measure
Decide Analyze
Compare
bullCisco
Service
Control
bullCisco
Service
Control
Transactions Information
Network Utilization
Service QoE
Data Aggregation
Data Mining
Correlation
Trend Analysis
Geographies Comparison
Histogram View
Service Offering
Marketing Review
Intersecting Set
Engineering Review
IT Review
Network Tuning
Cooperation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 32
Video
Reports
Which specific Video applications is consuming bandwidth
How do usage patterns vary by time of day
Who are the top video consumers
Focus on specific Video Application
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 33
Web
Reports
Insights into Web traffic
Top Domains
Top Hosts
Insights into
All popular Google Hosts
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 34
The ability to classify HTTP
requests as belonging to a
userrsquos ClickStream allows
effective extraction of
information about a user
browsing habits
ClickStream events constitute
only 1-5 of the total amount
of HTTP requests which allows
an immense reduction in the
amount of data to be analyzed
Web ReportsClickStream
Only ClickStream
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 35
Cumulative amp Average Usage Distribution
Top 1 =gt 15+ of Traffic
Top 10 =gt 60+ of Traffic
Top 20 =gt 80+ of Traffic
Setting 5G Daily Quota per Subscriber will impact on Top 2 only
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 36
PP17 [May 09] Joost (Web-based) YouTube
and Yahoo Flash new flavors
Updated Gnutella signatures
YouTube Movies - HD vs Normal
Yahoo SIP Skype 400206 Sky Player update
Service Control Engine Protocol SupportProtocol Pack Updates
Ciscolsquos SCE keeps customers on top of the game
Updated protocol packs issued once every 25 months
Enhancements for existing clientsprotocolsapplications
New protocol or application signatures
Extensible protocol signature development toolkit to roll-your-own
Rapid time to market
PP18 [Planned for Jul Aug 09] Ares 211 Cisco IPSec YouTube Shows
(RTMP based) Flavors for popular
Video services Google Phone Gaming applications Facebook IM
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 37
Behavioral Signatures
Finding new signatures becomes difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography specific applications
In some cases almost impossible (new trend of anti-shapinglsquo)
Itrsquos both a scalability and a feasibility challenge
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 38
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures, one signature per application family instead of one per application (Behavioral P2P).
Cost-Effective: Behavioral P2P may be enough for some use cases, such as traffic optimization, where there is no need to recognize the specific P2P application.
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures.
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (and their implementation impact):
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
- Service level
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: timeline of one subscriber's bandwidth split among a peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video]
Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, longer-term violations of the subscription plan's acceptable usage policies must be monitored and acted on to ensure a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
[Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly]
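The two fair-usage slides above, worked as an added Python example (not Cisco's FairShare implementation): allocation only deviates from plain demand when the link is congested, and the share is weighted by each subscriber's usage in the recent window, so the subscriber that has just started (Sub A) is not penalised for the other's 40 minutes of transfer. The weighting formula, the 10 Mbps link and the usage history are constructed assumptions.

```python
"""Congestion-only fair share weighted by recent usage (added example)."""
from typing import Dict, List, Tuple


def recent_usage(records: List[Tuple[float, str, int]], now: float,
                 window: float) -> Dict[str, int]:
    """Bytes per subscriber over the last `window` seconds of (ts, sub, bytes)."""
    out: Dict[str, int] = {}
    for ts, sub, nbytes in records:
        if now - window <= ts <= now:
            out[sub] = out.get(sub, 0) + nbytes
    return out


def fair_share(capacity: float, demand: Dict[str, float],
               usage: Dict[str, int], ref_bytes: int) -> Dict[str, float]:
    """Allocate `capacity` (bps) among subscribers.

    No congestion (total demand <= capacity): everyone gets its demand.
    Congestion: weighted max-min fair share, where a subscriber's weight
    falls as its recent usage grows (weight = 1 / (1 + usage / ref_bytes),
    a constructed weighting), filled progressively so nobody receives more
    than it asked for and the leftover is re-divided among the others.
    """
    if sum(demand.values()) <= capacity:
        return dict(demand)
    weight = {s: 1.0 / (1.0 + usage.get(s, 0) / ref_bytes) for s in demand}
    alloc: Dict[str, float] = {}
    active = set(demand)
    remaining = capacity
    while active:
        wsum = sum(weight[s] for s in active)
        share = {s: remaining * weight[s] / wsum for s in active}
        satisfied = [s for s in active if demand[s] <= share[s]]
        if not satisfied:              # nobody's demand fits: hand out the shares
            alloc.update(share)
            break
        for s in satisfied:            # settle the small demands, re-divide the rest
            alloc[s] = demand[s]
            remaining -= demand[s]
            active.remove(s)
    return alloc


def run_sample() -> dict:
    mb = 10 ** 6
    # Constructed history: at 0:40 Sub B has pulled 300 MB over the last
    # 40 minutes (40 x 7.5 MB), Sub A has just started and used nothing.
    records = [(60.0 * m, "B", 7_500_000) for m in range(40)]
    now = window = 2400.0
    usage = recent_usage(records, now, window)
    demand = {"A": 10.0e6, "B": 10.0e6}          # both want the whole 10 Mbps link
    congested = fair_share(10.0e6, demand, usage, ref_bytes=300 * mb)
    equal_split = {s: 10.0e6 / 2 for s in demand}
    quiet = fair_share(10.0e6, {"A": 3.0e6, "B": 4.0e6}, usage, 300 * mb)
    return {"usage": usage, "fair": congested, "equal": equal_split, "quiet": quiet}
```

In the congested case Sub A receives two thirds of the link instead of the half an equal split would give; in the quiet case both subscribers simply get what they ask for.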
RAN Optimization and Backhaul Optimization
- Addresses the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
[Figure: UTRAN - SGSN/GGSN - SCE - Internet, with a Policy Server attached to the SCE; GPRS core]
Tiered Services
Requirement: Flexible Billing Plans
- Time, Volume: bill by bandwidth usage over an always-on service
- Time, Volume, Transaction, Content Type: bill differently for each type of application and content
- Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
- Subscription
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers, they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of end-application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: Subscribers - Service Control Engine - Network, with Quota Manager, Billing/Mediation and Policy Server attached]
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store
- P2P technology can also be supported in the upload direction via DPI
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
Quota measurement rate can change during the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of night: 10 bytes of transfer = 1 byte of quota
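The quota rules on this slide as an added Python example (not Cisco's Quota Manager code): exempted services are seen but never charged, the transfer-to-quota ratio depends on the hour, and the subscriber is redirected to the portal once the bucket is exhausted. The 01:00-06:00 night window, the service names and the 5 GB daily quota from the usage distribution slide are assumptions.

```python
"""Quota accounting with service exemptions and time-of-day rates (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import ceil
from typing import Dict, List

# Services whose traffic carries non-access revenue and is therefore exempt
# from quota counting (categories from the slide; the names are constructed).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def quota_divisor(when: datetime) -> int:
    """Bytes of transfer that consume one byte of quota at the given time.

    Peak hour: 1 byte = 1 byte of quota. Middle of the night: 10 bytes =
    1 byte of quota. The 01:00-06:00 night window is an assumption.
    """
    return 10 if 1 <= when.hour < 6 else 1


@dataclass
class QuotaBucket:
    limit: int          # quota size in bytes
    used: int = 0       # quota bytes consumed so far
    exempt: int = 0     # bytes seen but not charged

    def remaining(self) -> int:
        return max(self.limit - self.used, 0)

    def exhausted(self) -> bool:
        return self.used >= self.limit

    def reset(self) -> None:        # called at the start of each quota period
        self.used = self.exempt = 0


@dataclass
class UsageRecord:
    subscriber: str
    service: str
    nbytes: int
    ts: datetime


class QuotaManager:
    def __init__(self, plans: Dict[str, int]):
        # plans: subscriber -> daily quota in bytes
        self.buckets = {sub: QuotaBucket(limit) for sub, limit in plans.items()}

    def charge(self, rec: UsageRecord) -> int:
        """Apply one usage record; return the quota bytes it consumed."""
        bucket = self.buckets[rec.subscriber]
        if rec.service in EXEMPT_SERVICES:
            bucket.exempt += rec.nbytes
            return 0
        cost = ceil(rec.nbytes / quota_divisor(rec.ts))   # round up: no free bytes
        bucket.used += cost
        return cost

    def action(self, subscriber: str) -> str:
        """Enforcement outcome: redirect to the portal once the quota is gone."""
        return "redirect_portal" if self.buckets[subscriber].exhausted() else "allow"


def run_sample() -> dict:
    gb = 10 ** 9
    qm = QuotaManager({"joe": 5 * gb})      # 5 GB daily quota (assumed plan)
    records: List[UsageRecord] = [          # constructed usage records for one day
        UsageRecord("joe", "browsing", 3 * gb, datetime(2009, 7, 1, 20, 0)),   # peak: 1:1
        UsageRecord("joe", "sp_gaming", 1 * gb, datetime(2009, 7, 1, 21, 0)),  # exempt
        UsageRecord("joe", "p2p", 10 * gb, datetime(2009, 7, 2, 3, 0)),        # night: 10:1
        UsageRecord("joe", "browsing", 2 * gb, datetime(2009, 7, 2, 9, 0)),    # crosses the limit
    ]
    costs, actions = [], []
    for rec in records:
        costs.append(qm.charge(rec))
        actions.append(qm.action("joe"))
    bucket = qm.buckets["joe"]
    return {"costs": costs, "actions": actions, "used": bucket.used,
            "exempt": bucket.exempt, "remaining": bucket.remaining()}
```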
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to Online Charging Server
[Figure: Subscriber - Access Aggregation and Service Control (GGSN, SCE) - Converged Packet Core - Internet, Video/VoIP applications and services; steps 1-3]
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
[Figure: SCE - Gy over Diameter - Online Charging Server; SCE - Internet]
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month
[Screenshot: Telenet subscriber portal with options to view previous months, see the current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
                  Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance         Unlimited  2GB   2GB       1GB        3GB       10GB
VoIP              ✓          ✗     ✗         ✗          ✗         ✓          ✗
IM                ✓          ✗     ✗         ✗          ✓         ✓          ✗
P2P               ✓          ✗     ✓         ✗          ✓         ✓          ✗
FTP               ✓          ✗     ✓         ✗          ✓         ✓          ✗
Media Stream      ✓          ✗     ✓         ✗          ✓         ✓          ✗
Web Browsing      ✓          ✓     ✓         ✓          ✓         ✓          ✓
Downloads         ✓          ✗     ✓         ✓          ✓         ✓          ✓
Emails            ✓          ✓     ✓         ✓          ✓         ✓          ✓
Handset as modem  ✓          ✗     ✓         ✗          ✓         ✓          ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
- "Push": enhanced experience is application-driven (application awareness over a control bus)
[Figure: broadband access serving IPTV/VoD, gaming, messaging, music and voice]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that distributed content does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button
Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white-lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Screenshot: "Content Blocked - Click here to unlock all Internet sites"]
URL Filtering With External DB
- Enhance SCE URL classification with external party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration:
[Figure: on a cache miss (URL not in cache) the SCE sends a URL Query RDR to the 3rd party URL database, which returns the URL classification; the SCE updates its cache with the result]
Subscriber-Package   HTTP DEFAULT   HTTP - List ID 1   HTTP - List ID 2
Block-none           ALLOW          ALLOW              ALLOW
Block-all            ALLOW          BLOCK              BLOCK
Block-and-slow       ALLOW          BLOCK              RATE 64kbps
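The cache-fronted lookup and the package/list-ID table above, as an added Python example (not Cisco's SCE code or the Websense/Adaptive Mobile API): the external database is queried only on a cache miss, results are kept with an LRU bound and a TTL, and the decision is read straight from the table. The database contents, TTL and host names are constructed.

```python
"""Cache-fronted URL classification with a package/list-ID policy table (added example)."""
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Package -> action per HTTP list ID, exactly as in the table above.
# None stands for the DEFAULT column (host not in any list).
POLICY: Dict[str, Dict[Optional[int], str]] = {
    "Block-none":     {None: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {None: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {None: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the 3rd party URL database; its contents are constructed."""

    def __init__(self, lists: Dict[str, int]):
        self.lists = lists      # host -> list ID
        self.queries = 0        # number of "URL Query RDR" round trips made

    def classify(self, host: str) -> Optional[int]:
        self.queries += 1
        return self.lists.get(host)


class UrlFilter:
    def __init__(self, db: ExternalUrlDb, capacity: int = 10_000,
                 ttl: float = 3600.0, clock: Callable[[], float] = time.monotonic):
        self.db, self.capacity, self.ttl, self.clock = db, capacity, ttl, clock
        self.cache: "OrderedDict[str, tuple]" = OrderedDict()   # host -> (list_id, expiry)

    @staticmethod
    def host_of(url: str) -> str:
        """Classification key: lowercase host without port. Path and query are
        ignored, so the cache is only as granular as the host (assumption)."""
        return urlsplit(url).hostname or ""

    def lookup(self, url: str) -> Optional[int]:
        host = self.host_of(url)
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            self.cache.move_to_end(host)            # refresh LRU position
            return hit[0]
        list_id = self.db.classify(host)            # cache miss: URL Query RDR
        # Negative answers (None) are cached too: a host the DB starts listing
        # later stays unfiltered here until its entry expires.
        self.cache[host] = (list_id, now + self.ttl)
        self.cache.move_to_end(host)
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)          # evict least recently used
        return list_id

    def decide(self, package: str, url: str) -> str:
        """Action for a subscriber in `package` requesting `url`."""
        return POLICY[package][self.lookup(url)]


def run_sample() -> dict:
    db = ExternalUrlDb({"badsite.example": 1, "games.example": 2})   # constructed lists
    flt = UrlFilter(db)
    decisions = [
        flt.decide("Block-and-slow", "http://BadSite.example/login"),   # miss -> list 1
        flt.decide("Block-and-slow", "http://games.example:8080/play"), # miss -> list 2
        flt.decide("Block-and-slow", "http://news.example/"),           # miss -> DEFAULT
        flt.decide("Block-none", "http://badsite.example/other"),       # cache hit
        flt.decide("Block-all", "http://games.example/"),               # cache hit
    ]
    return {"decisions": decisions, "db_queries": db.queries}
```

Five requests cost three database round trips; the last two are served from the cache and differ only because the subscriber's package differs.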
Parental Control and Content Filtering: Example
[Screenshot: "Page Blocked - Forbidden Content Detected"]
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs participating in the advertising value chain
[Figure: the ISP sits between advertiser, publisher and consumer, contributing demographics, browsing habits and geo-location]
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
[Figure: SCE redirects OTT traffic to the OTT Video Cache, which delivers the requested files; other traffic (OTT, P2P, VoIP) passes through; increase in demand for OTT]
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify them of the security risk
[Figure: Service Control between the subscribers, the Internet and the email servers; sample notification below]
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
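The three tiers above run over constructed flow records, as an added Python example (not the SCE's detection engine): the identify tier combines two anomaly detectors (distinct SMTP destinations per window for the spam-zombie case in the sample letter, flow rate to one host for DoS) with a signature match, and the protect/notify tiers apply a configured policy. Thresholds, the window, the worm signature and the policy actions are all assumptions.

```python
"""Identify / Protect / Notify over constructed flow records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    ts: float           # seconds
    sub: str            # subscriber ID
    dst_ip: str
    dst_port: int
    payload: bytes = b""


WINDOW = 60.0                 # sliding window in seconds (assumed)
SMTP_DEST_THRESHOLD = 20      # distinct mail servers per window -> spam zombie (assumed)
FLOW_RATE_THRESHOLD = 200     # new flows per window to one host -> DoS (assumed)
# Signature tier: a constructed pattern for illustration, not a real worm signature.
SIGNATURES = {"constructed-worm-probe": (445, b"EXAMPLE-PROBE")}
# Protect tier: threat -> mitigation from the configured policy (assumed values).
PROTECT_POLICY = {"spam": "block-outbound-tcp/25",
                  "dos": "rate-limit-subscriber",
                  "worm": "block-tcp/445"}


def analyze(flows: List[Flow]) -> Dict[str, List[str]]:
    """Identify tier: per-subscriber anomaly detection plus signature matching."""
    findings: Dict[str, set] = defaultdict(set)
    by_sub: Dict[str, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_sub[f.sub].append(f)
    for sub, seq in by_sub.items():
        smtp: deque = deque()                              # recent outbound SMTP flows
        per_dst: Dict[str, deque] = defaultdict(deque)     # recent flow times per destination
        for f in seq:
            for _, (port, pattern) in SIGNATURES.items():
                if f.dst_port == port and pattern in f.payload:
                    findings[sub].add("worm")
            if f.dst_port == 25:
                smtp.append(f)
                while f.ts - smtp[0].ts > WINDOW:
                    smtp.popleft()
                if len({x.dst_ip for x in smtp}) >= SMTP_DEST_THRESHOLD:
                    findings[sub].add("spam")
            q = per_dst[f.dst_ip]
            q.append(f.ts)
            while f.ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FLOW_RATE_THRESHOLD:
                findings[sub].add("dos")
    return {sub: sorted(threats) for sub, threats in findings.items()}


def respond(sub: str, threat: str) -> Dict[str, str]:
    """Protect and notify tiers for one finding."""
    return {"identify": f"alert SP operations: {sub} flagged as {threat}",
            "protect": PROTECT_POLICY[threat],
            "notify": f"quarantine {sub}; redirect to portal notice"}


def run_sample() -> dict:
    flows: List[Flow] = []
    # joe: spam zombie, 25 distinct mail servers within 25 seconds
    flows += [Flow(float(t), "joe", f"198.51.100.{t}", 25) for t in range(1, 26)]
    # ann: ordinary browsing, nothing to report
    flows += [Flow(float(t), "ann", "203.0.113.10", 80) for t in (5, 9, 40)]
    # bob: 250 flows to one host within 10 seconds
    flows += [Flow(10 + i / 25, "bob", "203.0.113.9", 80) for i in range(250)]
    # kim: one flow matching the constructed worm signature
    flows.append(Flow(12.0, "kim", "203.0.113.77", 445, b"\x00\x00EXAMPLE-PROBE"))
    findings = analyze(flows)
    actions = {s: [respond(s, t) for t in ts] for s, ts in findings.items()}
    return {"findings": findings, "actions": actions}
```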
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity of security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic; X marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
- Typical insertion point: Broadband Edge/Aggregation
  - Directly after the subscriber aggregator (B-RAS/CMTS, Retail-LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Figure: analysis engine applying PDR (Police, Drop, Rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
[Figure: subscribers - optical splitter - SCE - optical splitter - network]
High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active-standby failover
- Slave forwards all traffic to the Master for processing
- Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs, one on each active link, cascaded]
Redundant Configurations: Active/Standby Schemes
1+0:
- SCE on the active link only
- On failure, the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1:
- SCE on each link (active and standby)
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open
[Figure: active link and standby link in each scheme]
Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
[Figure: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state]
MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
- High Availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
[Figure: N+1 SCEs attached to the 7600; flows and return flows; Internet]
Network Architectures: SCE's Open & Extensible Architecture
[Figure: N+1, 1+1 HA and bypass HA deployments behind the GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), with accounting and policy control; Internet]
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
[Figure: packet inspection through encapsulation stacks such as l2tp/mpls - IP - TCP - payload and ppp - IP - TCP - payload]
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Figure: Subscribers - Service Control Engine - Network; Subscriber Manager integrating with AAA, DHCP and Radius/Billing; Collection Manager with Reporting Tool; Engage Console; Policy Server/Portal; Service Portal]
Management and Integrations
Area                         Description                                              Protocols and Tools          External Software Modules
Network Management           FCAPS                                                    SNMP, CLI, SSH               N/A
Policy/Service Configuration Definition of policies and dissemination to SE devices   SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management        Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection              Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems
Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: Radius Integration - Push
[Figure: B-RAS, RADIUS server, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller), SCE, subscribers, network]
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) is pushed to the SCE
Subscriber Manager: Radius Integration - Pull
[Figure: same components as in the push case]
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) is returned to the SCE
Radius Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM messages:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
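The push flow two slides back and the LEG translation on this slide, as an added Python example (not Cisco's RADIUS Listener LEG or SM code): it builds and parses a RADIUS Accounting-Request, verifies the RFC 2866 Request Authenticator against the shared secret before trusting any attribute, and turns Start/Stop into SM login/logout with the SCE-VAS-PID policy; the minimal SM also answers the pull-mode "who is using IP" query. The shared secret, the NAS identifier and the vendor-type number carrying SCE-VAS-PID are placeholders.

```python
"""RADIUS Listener LEG: Accounting-Request -> SM login/logout (added example)."""
import hashlib
import socket
import struct
from typing import Dict, Optional, Tuple

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9          # Cisco's IANA enterprise number
VSA_SCE_VAS_PID = 250     # vendor-type for SCE-VAS-PID: placeholder, not the real sub-type


def _attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def _vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    return _attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value)


def _acct_authenticator(code_id_len: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    return hashlib.md5(code_id_len + bytes(16) + attrs + secret).digest()


def build_acct_request(ident: int, status: int, user: str, ip: str, secret: bytes,
                       policy: Optional[int] = None, nas: bytes = b"bras-1") -> bytes:
    """What the B-RAS (or the relay, when `policy` is set) would send."""
    attrs = (_attr(USER_NAME, user.encode()) + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(ip))
             + _attr(NAS_IDENTIFIER, nas) + _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    if policy is not None:
        attrs += _vsa(VENDOR_CISCO, VSA_SCE_VAS_PID, str(policy).encode())
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    return head + _acct_authenticator(head, attrs, secret) + attrs


def parse_acct_request(pkt: bytes, secret: bytes) -> Dict:
    """Validate framing and authenticator, then return {type: value} attributes."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("bad code/length")
    attrs = pkt[20:]
    if _acct_authenticator(pkt[:4], attrs, secret) != pkt[4:20]:
        raise ValueError("bad authenticator")      # forged or wrong-secret request
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        t, l = attrs[pos], attrs[pos + 1]
        if l < 2 or pos + l > len(attrs):
            raise ValueError("bad attribute length")
        v = attrs[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC:
            if len(v) < 6 or v[5] < 2 or 4 + v[5] > len(v):
                raise ValueError("bad VSA")
            out[("vsa", struct.unpack("!I", v[:4])[0], v[4])] = v[6:4 + v[5]]
        else:
            out[t] = v
        pos += l
    return out


class SubscriberManager:
    """Minimal SM: subscriber contexts keyed by subscriber ID and by network ID."""

    def __init__(self):
        self.by_id: Dict[str, Tuple[str, Optional[int]]] = {}
        self.by_ip: Dict[str, str] = {}

    def login(self, sub: str, ip: str, policy: Optional[int]) -> None:
        old = self.by_id.get(sub)
        if old:
            self.by_ip.pop(old[0], None)       # re-login replaces the stale mapping
        self.by_id[sub] = (ip, policy)
        self.by_ip[ip] = sub

    def logout(self, sub: str) -> None:
        ip, _ = self.by_id.pop(sub, (None, None))
        if ip:
            self.by_ip.pop(ip, None)

    def who_is_using(self, ip: str) -> Optional[Tuple[str, Optional[int]]]:
        """Pull-mode query from the SCE: IP -> (subscriber ID, policy)."""
        sub = self.by_ip.get(ip)
        return (sub, self.by_id[sub][1]) if sub else None


def radius_leg(sm: SubscriberManager, pkt: bytes, secret: bytes) -> str:
    """Translate one accounting packet into an SM login/logout."""
    a = parse_acct_request(pkt, secret)
    user = a[USER_NAME].decode()
    ip = socket.inet_ntoa(a[FRAMED_IP_ADDRESS])
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    if status == ACCT_START:
        pid = a.get(("vsa", VENDOR_CISCO, VSA_SCE_VAS_PID))
        sm.login(user, ip, int(pid) if pid else None)
        return "login"
    if status == ACCT_STOP:
        sm.logout(user)
        return "logout"
    return "ignored"


def is_rejected(sm: SubscriberManager, pkt: bytes, secret: bytes) -> bool:
    """True if the LEG refuses the packet (bad authenticator or malformed)."""
    try:
        radius_leg(sm, pkt, secret)
        return False
    except ValueError:
        return True
```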
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C, Java)
- SCE MIB: allows integration for maintenance operation
- RDRs: allow integration for billing/quota provisioning
- NetFlow v9: allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
- SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: SCE - API - Subscriber Manager - API - Policy Server]
PCEF - Subscriber Policy Enforcement
[Figure: Subscriber - Access Aggregation and Service Control (GGSN, SCE as PCEF) - Converged Packet Core - Internet, Video/VoIP applications and services; steps 1-4]
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and Radius VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
- Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: Cisco bundled Collection Manager or third-party database
- Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
- Usage data streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover, subscriptions
- RDR protocol integrated directly into 3rd party systems: policy control, mediation, home-grown customer systems
[Figure: RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n]
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
Collection Manager: Software Overview
CM Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM Bundle
Cisco provides the collection software pre-packaged with a database (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability can mark traffic:
Per Package
Per Service
Per Direction (Upstream / Downstream)
[Figure: subscriber side and network side of the SCE, with upstream and downstream flows for Browsing, P2P and VoIP being marked]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
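Two details matter whenever an element rewrites or reads the ToS byte as the two slides above describe: DSCP is only the upper six bits (the lower two are ECN and belong to the endpoints), and any rewrite of an IPv4 header invalidates its checksum. The following added example, not SCE code, applies a constructed per-package/service/direction marking table to a constructed IPv4 header, recomputes the checksum, and applies the precedence rule from the classification slide: a DSCP mark already present wins over the signature result. The marking table, the precedence policy and the packet are assumptions for illustration.

```python
"""DSCP marking and DSCP-based classification on an IPv4 header.

Added example, not SCE code. The marking table, packet and precedence
policy are constructed; DSCP values are the standard code points
(EF = 46, AF41 = 34, AF21 = 18, best effort = 0).
"""
import struct

# (package, service, direction) -> DSCP to set; anything else keeps best effort
MARKING = {
    ("gold", "voip", "downstream"): 46,
    ("gold", "browsing", "downstream"): 34,
    ("silver", "browsing", "downstream"): 18,
}
DEFAULT_DSCP = 0
EF = 46


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum of the header with its checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    if len(h) % 2:
        h += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(header):
    return ipv4_checksum(header) == int.from_bytes(header[10:12], "big")


def get_dscp(header):
    return header[1] >> 2          # upper 6 bits of the ToS byte


def get_ecn(header):
    return header[1] & 0x03        # lower 2 bits, owned by the endpoints


def dscp_for(package, service, direction):
    return MARKING.get((package, service, direction), DEFAULT_DSCP)


def mark_dscp(header, dscp):
    """Return a copy of `header` with DSCP replaced, ECN preserved and checksum fixed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    new = bytearray(header)
    new[1] = (dscp << 2) | get_ecn(header)
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new)


def classify(header, signature_service):
    """ToS-based classification precedes the signature result: a packet already
    marked by another element is classified from its DSCP; unmarked packets
    fall back to what the payload signature said."""
    dscp = get_dscp(header)
    if dscp == EF:
        return "voip"
    if dscp != 0:
        return "marked-dscp-%d" % dscp
    return signature_service


def sample_header():
    """Constructed 20-byte IPv4 header: DSCP 0, ECN = ECT(0), TCP, 10.0.0.5 -> 192.0.2.10."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x02, 40, 0x1234, 0x4000, 64, 6, 0,
                              bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)
```

Because ToS-based classification trusts a mark set elsewhere, the precedence rule is only safe where the upstream marks are set by trusted elements; a subscriber device that sets EF on its own P2P traffic would otherwise be classified as VoIP, which is why operators typically re-mark at the trust boundary before a classifier like this one sees the packet.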
Summary
Cisco SCE Sample Customers
[Figure: customer logos grouped by access type: Mobile, DSL, Cable]
[Figure: partners and customers by solution area]
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
[Figure: partners and customers by solution area]
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Expectations Have Changed
From Mobile Data:
Pay-per-kilobit plans
Mobile phone with data
Access and SMS-based services
Average 9.6 kbps
Closed OS and browser
To Mobile BB:
Full HTML-based browsing
Mobile computer
On-demand video and content
All-you-can-eat service plans
Broadband data rates
iPhone Launch
1 million customers within 2 months
>40% new AT&T customers
Revenue sharing with Apple
gPhone
inside
TV on your Mobile Phone
Skype goes Mobile
Alex Day, AKA Nerimon (19 years old)
Nerimon: Britain's number 1 most popular YouTuber; 30,000 subscribers tune in to him every day
European Operator: "Video is the number 1 application that is killing our network"
Who Will Capture the Value?
[Figure: value chain: Content/Application Providers; Aggregators/Integrators/Over the Top (OTT); Network-Based Operators; Virtual Network Operators; Device/Services]
Source: Cisco IBSG Analysis, March 2006
OTTs Create Three Areas of Concern for SPs...
Un-monetised traffic growth
Service substitution
Changing user behaviour and new sources of revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net:
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables mobile SPs to implement capacity management and fair-use policies:
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers mobile SPs to implement advanced targeted advertising schemes
Application Architecture of the Future: SCE Enables User Experience
[Figure: Service Control Point in the Service Provider Network between access technologies (Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable) and applications (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music)]
What Is the Service Control Engine?
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology
Rapidly Programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with per-subscriber BW management and quotas
Extensible Platform & Open Architecture: based upon a flexible, purpose-built platform
Modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
Carrier Class: designed for carrier-grade deployments requiring
High Performance for multi-gigabit and 10 Gigabit speeds; High Availability & Reliability with stateful failover
Process of Service Control
Intelligent Inspection and Control of IP Packets
Classify to end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions: time of day, congestion, usage, other concurrent activities
Take action and report: Block, Redirect, Set QoS, Mark, Report
Service Control Engine: Functional Examples
[Figure: functional areas arranged from Cost Management to Revenue Generation around the Service Control Technology]
Service Security: Traffic Anomaly Detection and DDoS Protection; Anti-X (Spam, Worms); Safe Harbor and Quarantine Services
Traffic Optimization: Traffic Mix Optimization; Fair Use Policy Enforcement; QoS Assurance
Usage Analysis: Traffic Analysis and Reporting; Quality of Experience Monitoring; Usage Demographics
Tiering & Access Control: Service Self Selection; Volume and Time Based Tiering of Services; Bandwidth on Demand (Turbo Button)
Premium Service Enablement: Over-The-Top Application Partnership Services; Multimedia (Voice/Video) Traffic Prioritization
Content Charging: Volume and Time Based Billing Services; Parental Control & Content Filtering
Service Control Platforms
Category                                   SCE1000                  SCE2000                           SCE8000
Interfaces                                 2 x GbE (Fiber SX/LX)    4 x GbE (Fiber SX/LX)             2 x 10G, 4 x 10G, 8 x GbE or 16 x GbE (Fiber SX/LX/ZX)
Mgmt Interface                             2 x 10/100/1000 Eth      2 x 10/100/1000 Eth               2 x 10/100/1000 Eth
Max Concurrent Unidirectional App Flows    2M                       2M                                16M (can grow up to 32M)
Max Subscriber Contexts                    200,000                  200,000                           1M
Network Configuration                      Out of Line, Inline      Out of Line, Inline, Clustering   Out of Line, Inline, Clustering
SCE Product Family and Milestones
[Figure: capacity (concurrent subscribers) from 200K to 1M and performance from 5 Gbps to 40 Gbps across SCE 1000, SCE 2000 and SCE 8000]
SCE 8000:
2 x 10G, 4 x 10G, 8 x GbE or 16 x GbE Ethernet interfaces
Classification of up to 32 million concurrent unidirectional application flows
Total throughput of 15 Gbps (30+ Gbps by end of '09)
Up to 1M concurrent subscribers
Complete modularity: FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
Industry-leading Deep Packet Inspection
Rich set of IP services: Content Filtering, Content Charging, Traffic Optimization, Usage Analysis
3GPP Compliant
The SCE Mobile Solution
[Figure: SGSN/GGSN and SCE between the mobile core and the Internet, with AAA (RADIUS), Policy Server, Portal/Applications, and Billing & Charging systems]
The SCE Mobile Solution: 3GPP Compliance
[Figure: the same topology mapped to 3GPP roles: the SCE acts as the PCEF, talking Gx to the PCRF (Policy Server) and Gy to the OCF/SRP (Billing & Charging); Portal/Applications act as the AF]
What does an SCE solution look like? SCE sits at the access or aggregation layer
[Figure: Subscribers, Network and Service Control Engine, with Subscriber Manager (AAA, DHCP, RADIUS), Collection Manager (Billing, Reporting Tool, Engage Console, Service Portal) and Policy Server/Portal]
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
[Figure: three stages from Usage Analysis to Service Creation, supported by Portal, DHCP, AAA, Subscriber Profile and Policy systems]
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement Service Self Selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, Quarantine etc.); innovate other differentiated services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance-Based Services, Prioritized App Services and Pay-as-you-go Services
What Does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film and music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers (flat rate, restricted) in addition to flat-rate all-you-can-eat
Usage/Content Based Billing: all HSDPA mobile operators
Fair Use Policy: global migration from flat rate to usage-based
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
[Figure: cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control feeding the Measure and Act stages. Labels: Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Service Offering; Marketing Review; Intersecting Set; Engineering Review; IT Review; Network Tuning; Cooperation. Strategic: part of Business Ops, Customer, Sales, Category Recognition]
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Figure: report showing only ClickStream requests]
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients, protocols and applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May '09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies (HD vs Normal); Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug '09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some use cases such as Traffic Optimization; in such a case there is no need to recognize the specific P2P application
Time To Market / Zero-Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Service Level Policy Dimensions and Policy Implementation Impact:
Application: sessions or bandwidth
Time-based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: a subscriber's bandwidth split among peer-to-peer service, web browsing, email and mobile TV; when the user launches video, the peer-to-peer share is reduced to make room]
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
[Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources]
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
Apply equitable distribution of network resources
Improve the Quality of Experience that the network delivers
Minimize service abuse
FairUsage works only during congestion times
[Figure: without fairness, some subscribers do not get a fair share of the BW; with the SCE's FairShare, BW is allocated fairly]
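The 0:40 question on the previous slide is the heart of it: splitting a congested link equally is not fair once one subscriber has already consumed far more than the other. The slides do not describe the FairShare algorithm itself, so the following is an added example, not Cisco code, of the standard approach a practitioner would reach for: weighted max-min (progressive filling) allocation applied only while the link is congested, with subscribers above their plan's acceptable-usage threshold down-weighted rather than cut off. The link capacity, demands, usage figures and the 0.5 weight are constructed.

```python
"""Weighted max-min (progressive filling) bandwidth allocation for a
congested link, with longer-term usage folded in as a per-subscriber weight.

Added example, not the SCE FairShare implementation. Capacity, demands,
usage history and the 0.5 down-weight are constructed.
"""
EPS = 1e-9


def weighted_max_min(capacity, demands, weights=None):
    """Allocate `capacity` among subscribers with `demands` (same units).

    Each round, every unsatisfied subscriber grows in proportion to its weight
    until the first one's demand is met or the link is full; the satisfied one
    leaves the pool and the rest keep sharing. Nobody gets more than they ask
    for, and what a light user leaves unused goes to the others, not to waste.
    """
    weights = weights if weights is not None else {s: 1.0 for s in demands}
    alloc = {s: 0.0 for s in demands}
    remaining = float(capacity)
    active = {s for s, d in demands.items() if d > EPS}
    while active and remaining > EPS:
        total_w = sum(weights[s] for s in active)
        # largest step every active subscriber can take before someone saturates
        step = min((demands[s] - alloc[s]) / weights[s] for s in active)
        step = min(step, remaining / total_w)
        for s in active:
            alloc[s] += step * weights[s]
        remaining -= step * total_w
        active = {s for s in active if demands[s] - alloc[s] > EPS}
    return {s: round(a, 6) for s, a in alloc.items()}


def fair_usage_weights(usage, threshold, heavy_weight=0.5):
    """Subscribers over their plan's acceptable-usage threshold share at a
    lower weight while congestion lasts; they are not blocked."""
    return {s: (heavy_weight if used > threshold else 1.0) for s, used in usage.items()}


def demo():
    """Constructed scenario: 10 Mbps link, two subscribers each wanting 8 Mbps,
    A already 60 GB into a plan whose fair-use threshold is 50 GB."""
    equal = weighted_max_min(10, {"A": 8, "B": 8})
    weights = fair_usage_weights({"A": 60e9, "B": 5e9}, threshold=50e9)
    fair = weighted_max_min(10, {"A": 8, "B": 8}, weights)
    return equal, fair
```

In the constructed scenario the unweighted split gives 5/5 Mbps, while the usage-aware weights give A one third and B two thirds of the link, and the full capacity is still used; outside congestion the function is simply not invoked, matching the slide's "works only during congestion times".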
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Figure: UTRAN, SGSN/GGSN and SCE toward the Internet (GPRS), with a Policy Server controlling the SCE]
Tiered Services
Requirement: Flexible Billing Plans
Subscription, Volume, Time: bill by bandwidth usage over an always-on service
Subscription, Time, Volume, Transaction, Content Type: bill differently for each type of application and content
Subscription, Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution
SCE Capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: Subscribers - Service Control Engine - Network, with Quota Manager, Billing/Mediation and Policy Server]
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
Quota measurement rate can change with time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
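The two rules above (exempt services, time-of-day rates) look simple until a transfer straddles the boundary between rate windows: charging the whole transfer at either rate misbills the subscriber in one direction or the other. The following added example, not SCE quota-manager code, debits quota by splitting a transfer at rate boundaries and exempting the listed services. The service names, the off-peak window (02:00-06:00 at 10 bytes transferred per byte of quota) and the sample transfers are constructed.

```python
"""Quota accounting with exempt services and time-of-day charging rates.

Added example, not SCE quota-manager code. Exempt service names, the
off-peak window (02:00-06:00 at 10 bytes transferred per byte of quota)
and the sample transfers are constructed.
"""
from datetime import datetime, timedelta

EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}
# (start_hour, end_hour) -> bytes transferred per byte of quota debited
RATE_WINDOWS = [((2, 6), 10.0)]
PEAK_RATE = 1.0


def rate_at(ts):
    for (start, end), rate in RATE_WINDOWS:
        if start <= ts.hour < end:
            return rate
    return PEAK_RATE


def next_rate_boundary(ts):
    """First instant after `ts` at which the rate can change (window edges are on the hour)."""
    edges = sorted({h for (start, end), _ in RATE_WINDOWS for h in (start, end)})
    for h in edges:
        candidate = ts.replace(hour=h, minute=0, second=0, microsecond=0)
        if candidate > ts:
            return candidate
    first = edges[0] if edges else 0
    return (ts + timedelta(days=1)).replace(hour=first, minute=0, second=0, microsecond=0)


def quota_charge(service, nbytes, start, end):
    """Quota bytes to debit for `nbytes` transferred evenly over [start, end).

    A transfer that straddles a rate boundary is split at the boundary; charging
    the whole transfer at the rate in force at either end would misbill it.
    """
    if service in EXEMPT_SERVICES:
        return 0
    if end <= start:
        return int(round(nbytes / rate_at(start)))
    total = (end - start).total_seconds()
    charge = 0.0
    cur = start
    while cur < end:
        seg_end = min(end, next_rate_boundary(cur))
        share = nbytes * (seg_end - cur).total_seconds() / total
        charge += share / rate_at(cur)
        cur = seg_end
    return int(round(charge))


def sample_charges():
    """Constructed transfers on 1 July 2009; keys name the case each exercises."""
    peak = datetime(2009, 7, 1, 13, 0)
    night = datetime(2009, 7, 1, 3, 0)
    straddle = datetime(2009, 7, 1, 5, 50)
    return {
        "peak_1mb": quota_charge("browsing", 1_000_000, peak, peak + timedelta(minutes=10)),
        "night_1mb": quota_charge("browsing", 1_000_000, night, night + timedelta(minutes=10)),
        "straddle_1200kb": quota_charge("p2p-upload", 1_200_000, straddle, straddle + timedelta(minutes=20)),
        "exempt_voip": quota_charge("sp-voip", 5_000_000, peak, peak + timedelta(minutes=5)),
    }
```

The exemption is keyed on the classified service, not on a destination address; with DPI classification as described on the quota enforcement slide, a subscriber cannot earn the exemption simply by tunnelling unrelated traffic to the exempt destination unless the classifier is fooled as well.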
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
[Figure: Subscriber - SCE (access aggregation and service control) - GGSN - converged packet core - Internet, video and VoIP applications and services]
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: Volume, Time, Event driven
High availability and load balancing between Online Charging Servers
[Figure: SCE - Gy over Diameter - Online Charging Server, with the SCE also facing the Internet]
The Gy interface is still under development and will be available in a future release
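DCCA (RFC 4006), the application Gy runs over Diameter, is a reservation loop: the enforcement point sends an initial CCR, the OCS grants a quota (Granted-Service-Unit) and the client reports what it used (Used-Service-Unit) in update CCRs when the grant runs out and in the final termination CCR; the last grant carries a Final-Unit-Indication telling the client what to do once it is consumed. The following added example simulates both sides of that loop in memory with the RFC 4006 AVP names and values; it is not Cisco or any OCS implementation, and the subscriber id, balance and grant size are constructed.

```python
"""Simulated Gy session: Diameter Credit-Control (RFC 4006) between a
quota-enforcing gateway and an Online Charging Server (OCS).

Added example; both ends are toy in-memory models, not Cisco or any OCS
software. Messages are dicts keyed by RFC 4006 AVP names; the subscriber
id, balance and grant size are constructed.
"""
INITIAL, UPDATE, TERMINATION = 1, 2, 3        # CC-Request-Type
DIAMETER_SUCCESS = 2001
DIAMETER_CREDIT_LIMIT_REACHED = 4012
FUA_REDIRECT = 1                              # Final-Unit-Action: REDIRECT to a top-up portal


class OnlineChargingServer:
    def __init__(self, balances, grant=1000):
        self.balances = dict(balances)        # subscriber -> octets left
        self.reserved = {}                    # session -> octets currently granted
        self.grant = grant

    def handle_ccr(self, ccr):
        sub, sid = ccr["Subscription-Id"], ccr["Session-Id"]
        used = ccr.get("Used-Service-Unit", {}).get("CC-Total-Octets", 0)
        # settle the outstanding grant: never charge more than was reserved
        used = min(used, self.reserved.pop(sid, 0))
        self.balances[sub] -= used
        cca = {"Session-Id": sid, "CC-Request-Type": ccr["CC-Request-Type"],
               "CC-Request-Number": ccr["CC-Request-Number"]}
        if ccr["CC-Request-Type"] == TERMINATION:
            cca["Result-Code"] = DIAMETER_SUCCESS
            return cca
        if self.balances[sub] <= 0:
            cca["Result-Code"] = DIAMETER_CREDIT_LIMIT_REACHED
            return cca
        granted = min(self.grant, self.balances[sub])
        self.reserved[sid] = granted
        cca["Result-Code"] = DIAMETER_SUCCESS
        cca["Granted-Service-Unit"] = {"CC-Total-Octets": granted}
        cca["Validity-Time"] = 300
        if granted == self.balances[sub]:     # last grant: say what to do after it
            cca["Final-Unit-Indication"] = {"Final-Unit-Action": FUA_REDIRECT}
        return cca


class GyClient:
    """Enforcement point: requests quota, counts traffic, re-authorises when it runs out."""

    def __init__(self, ocs, subscriber, session_id):
        self.ocs, self.sub, self.sid = ocs, subscriber, session_id
        self.req_no, self.granted, self.used, self.final = 0, 0, 0, False
        self.log = []                          # (CC-Request-Type, Result-Code)

    def _ccr(self, rtype, used=None):
        ccr = {"Session-Id": self.sid, "Subscription-Id": self.sub,
               "CC-Request-Type": rtype, "CC-Request-Number": self.req_no}
        if used is not None:
            ccr["Used-Service-Unit"] = {"CC-Total-Octets": used}
        self.req_no += 1
        cca = self.ocs.handle_ccr(ccr)
        self.log.append((rtype, cca["Result-Code"]))
        self.granted = cca.get("Granted-Service-Unit", {}).get("CC-Total-Octets", 0)
        self.final = "Final-Unit-Indication" in cca
        return cca

    def start(self):
        return self._ccr(INITIAL)

    def transfer(self, nbytes):
        """Forward subscriber traffic against the grant; returns bytes actually forwarded."""
        forwarded = 0
        while nbytes > 0 and self.granted > 0:
            take = min(nbytes, self.granted)
            self.granted -= take
            self.used += take
            forwarded += take
            nbytes -= take
            if self.granted == 0 and not self.final:       # re-authorise mid-session
                used, self.used = self.used, 0
                self._ccr(UPDATE, used=used)
        return forwarded                                   # < nbytes means: redirect per FUI

    def stop(self):
        used, self.used = self.used, 0
        return self._ccr(TERMINATION, used=used)


def run_session(balance=2500, grant=1000, traffic=(600, 900, 1500)):
    """Constructed prepaid session; returns (forwarded per burst, final balance, CCR/CCA log)."""
    ocs = OnlineChargingServer({"imsi-262010000000001": balance}, grant=grant)
    client = GyClient(ocs, "imsi-262010000000001", "sce.example;1246406400;1")
    client.start()
    forwarded = [client.transfer(n) for n in traffic]
    client.stop()
    return forwarded, ocs.balances["imsi-262010000000001"], client.log
```

Two details are deliberate: the OCS caps a reported Used-Service-Unit at what it actually reserved, so a misbehaving or compromised enforcement point cannot drive a balance negative by over-reporting, and the client stops forwarding when the final grant is exhausted instead of issuing another update, which is what Final-Unit-Indication exists for.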
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
[Figure: Telenet self-care page: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile: Quota-Based With Application Control
                  Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance         Unlimited  2GB   2GB       1GB        3GB       10GB
VoIP              yes        no    no        no         no        yes        no
IM                yes        no    no        no         yes       yes        no
P2P               yes        no    yes       no         yes       yes        no
FTP               yes        no    yes       no         yes       yes        no
Media Stream      yes        no    yes       no         yes       yes        no
Web Browsing      yes        yes   yes       yes        yes       yes        yes
Downloads         yes        no    yes       yes        yes       yes        yes
Emails            yes        yes   yes       yes        yes       yes        yes
Handset as modem  yes        no    yes       no         yes       yes        no
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
"Push": enhanced experience is application-driven (Application Awareness)
[Figure: control bus connecting IPTV/VoD, Broadband Access, Gaming, Messaging, Music and Voice]
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Personalization via Self Selection
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting / Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Figure: blocked page: "Content Blocked. Click here to unlock all Internet sites"]
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-Device URL Filtering with External Database Integration
[Figure: for a URL not in cache, the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the SCE updates its cache (cache lookup / update)]
Subscriber Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64 kbps
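The on-board cache is where the security trade-off of this design sits: a cached verdict is only as fresh as its TTL, and a host cached as "uncategorised" for too long lets a newly listed site through until the entry expires. The following added example, not Websense, Adaptive Mobile or SCE code, pairs a TTL cache (with a shorter TTL for misses) with host normalisation, so case, port and path variants of a URL share one verdict, and applies the package x list-ID action matrix from the table above. The external database, TTLs and URLs are constructed.

```python
"""URL classification with an on-box cache in front of an external category
database, plus the package x list-ID action matrix from the slide.

Added example; the external lookup is a constructed stub, not Websense or
any vendor API, and the TTL and normalisation choices are assumptions.
"""
import time
from urllib.parse import urlsplit

# Package -> {list_id: action}; list 0 is DEFAULT (uncategorised)
ACTIONS = {
    "block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: ("RATE", 64)},   # kbps
}

# Constructed stand-in for the 3rd-party database: hostname -> list id
EXTERNAL_DB = {"adult.example": 1, "games.example": 2}


class UrlClassifier:
    def __init__(self, lookup, ttl=3600, miss_ttl=300, clock=time.monotonic):
        self.lookup, self.ttl, self.miss_ttl, self.clock = lookup, ttl, miss_ttl, clock
        self.cache = {}            # key -> (list_id, expires_at)
        self.external_queries = 0

    @staticmethod
    def key(url):
        """Normalise so that case, port, trailing dot and path differences share one verdict."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        return (parts.hostname or "").rstrip(".").lower()

    def classify(self, url):
        k = self.key(url)
        now = self.clock()
        hit = self.cache.get(k)
        if hit and hit[1] > now:
            return hit[0]
        self.external_queries += 1
        list_id = self.lookup(k)                      # 0 for hosts the DB does not know
        # negative results expire sooner: a host may be listed after we first saw it
        self.cache[k] = (list_id, now + (self.ttl if list_id else self.miss_ttl))
        return list_id


def decide(package, list_id):
    table = ACTIONS.get(package)
    if table is None:
        return "BLOCK"            # unknown package: fail closed
    return table.get(list_id, "BLOCK")


def demo():
    """Constructed sequence with a fake clock; returns the decisions and query count."""
    clock = [0.0]
    c = UrlClassifier(lambda h: EXTERNAL_DB.get(h, 0), clock=lambda: clock[0])
    r1 = decide("block-and-slow", c.classify("http://GAMES.example:8080/play?x=1"))
    r2 = decide("block-and-slow", c.classify("games.example/other"))   # cache hit
    r3 = decide("block-all", c.classify("http://news.example/"))       # miss, cached 300 s
    clock[0] = 400.0
    r4 = decide("block-all", c.classify("http://news.example/"))       # expired: re-queried
    r5 = decide("block-all", c.classify("http://adult.example/"))
    return (r1, r2, r3, r4, r5, c.external_queries)
```

Keying on the normalised host rather than the full URL is what keeps the cache hit rate high; the cost is that a database which classifies individual paths differently needs the path in the key, with a correspondingly larger cache.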
Parental Control and Content Filtering: Example
[Figure: content filtering block page: "Page Blocked - Forbidden Content Detected"]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
[Figure: BetterAds: Advertiser - Publisher - Consumer, with the ISP contributing demographics, browsing habits and geo-location]
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
Alice: automotive, stock trading, PDAs
Bob: cookware, online gaming, baby outfits...
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
P2P Identification – Infringing / Non-Infringing
  1. Subscriber initiates P2P file request
  2. SCE extracts file hash and consults the hash DB
  3. DB responds with file classification (infringing / legal)
  4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
  Saves on peering bandwidth
  Clears network congestion
  Increases user satisfaction
[Figure: SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic continue to the Internet; the increase in demand for OTT is absorbed by the cache]
Best user experience – OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Key challenges:
  Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
  No mandatory security tools: end-users may not have any security protection
  End-users are not educated on security best practices
  New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
  Increased cost for carrier from network management and downtime
  Subscriber churn and customer support costs

Service Security Protection
Mitigates security threats in the open broadband network:
  DoS: DoS attacks from subscribers
  Spam: spam activity from botnets or malicious users
  Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
  Identify: threat using stateful traffic processing, and alert SP operations
  Protect: block / mitigate threat based on configured policy
  Notify: quarantine subscriber and notify of security risk
[Figure: Service Control between the subscribers, the e-mail servers and the Internet]
Sample subscriber notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

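The Identify / Protect / Notify tiers above, as an added example that is not Cisco's code and not part of the original deck: a per-subscriber detector for the spam-zombie case, replayed over constructed flow records. The record format, the sliding window, the distinct-MX threshold, the relay list and the policy action names are all assumptions; the deck does not describe the SCE's actual anomaly-detection logic.

```python
from collections import defaultdict, deque

# Constructed flow records (time in seconds, subscriber, destination IP, destination port).
# The addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    # alice: normal user, mail goes through the SP relay, plus some web browsing
    (0, "alice", "10.0.0.25", 25),
    (5, "alice", "203.0.113.7", 443),
    (40, "alice", "10.0.0.25", 25),
    # bob: spam zombie fanning out to many distinct external MX hosts in under a
    # minute, bypassing the SP relay
    (0, "bob", "198.51.100.1", 25),
    (3, "bob", "198.51.100.2", 25),
    (7, "bob", "198.51.100.3", 25),
    (9, "bob", "198.51.100.1", 25),   # repeat destination, not a new MX host
    (12, "bob", "198.51.100.4", 25),
    (15, "bob", "198.51.100.5", 25),
    # carol: the same five destinations spread over ten minutes, so the sliding
    # window never holds enough distinct MX hosts at once
    (0, "carol", "198.51.100.1", 25),
    (120, "carol", "198.51.100.2", 25),
    (240, "carol", "198.51.100.3", 25),
    (360, "carol", "198.51.100.4", 25),
    (480, "carol", "198.51.100.5", 25),
]

SP_MAIL_RELAYS = {"10.0.0.25"}  # assumed: the provider's own outbound mail relays
WINDOW_S = 60                   # assumed sliding window
DISTINCT_MX_THRESHOLD = 5       # assumed alert threshold (distinct MX hosts in window)


class SmtpAnomalyDetector:
    """Tier 1, Identify: stateful per-subscriber tracking of direct-to-MX SMTP."""

    def __init__(self, window_s=WINDOW_S, threshold=DISTINCT_MX_THRESHOLD, relays=SP_MAIL_RELAYS):
        self.window_s = window_s
        self.threshold = threshold
        self.relays = set(relays)
        self._recent = defaultdict(deque)  # subscriber -> deque of (t, dst_ip)

    def observe(self, t, subscriber, dst_ip, dst_port):
        """Feed one flow; return an alert dict whenever the subscriber is over the
        distinct-MX threshold inside the window, else None."""
        if dst_port != 25 or dst_ip in self.relays:
            return None  # not SMTP, or SMTP via the relay the SP expects
        window = self._recent[subscriber]
        window.append((t, dst_ip))
        while window and t - window[0][0] > self.window_s:
            window.popleft()  # age out connections older than the window
        hosts = sorted({ip for _, ip in window})
        if len(hosts) >= self.threshold:
            return {"subscriber": subscriber, "distinct_mx": len(hosts), "hosts": hosts,
                    "first_seen": window[0][0], "last_seen": t}
        return None


def protect(alert, policy="block"):
    """Tier 2, Protect: map an alert to the configured policy action. 'block' drops
    direct-to-MX SMTP while leaving the SP relays reachable; 'rate-limit' throttles it."""
    action = {"block": "drop-smtp-except-relay", "rate-limit": "police-smtp"}[policy]
    return {"subscriber": alert["subscriber"], "action": action,
            "exempt_destinations": sorted(SP_MAIL_RELAYS)}


def notify(alert, support_url="www.technicalsupport.com"):
    """Tier 3, Notify: quarantine the subscriber and build the notice text,
    worded after the sample notification on the slide."""
    message = ("Dear Valued Subscriber, we are advising you that your PC may have "
               "become infected with an email zombie generating spam mail "
               f"({alert['distinct_mx']} mail servers contacted in {WINDOW_S} seconds). "
               f"Click here for technical assistance: {support_url}")
    return {"subscriber": alert["subscriber"], "quarantine": True, "message": message}


def run_detection(flows):
    """Replay flows in time order; return {subscriber: {alert, protect, notify}} for
    every subscriber that tripped the detector (first alert only)."""
    detector = SmtpAnomalyDetector()
    outcomes = {}
    for t, subscriber, dst_ip, dst_port in sorted(flows):
        alert = detector.observe(t, subscriber, dst_ip, dst_port)
        if alert and subscriber not in outcomes:
            outcomes[subscriber] = {"alert": alert, "protect": protect(alert), "notify": notify(alert)}
    return outcomes
```

Only bob trips the detector: alice uses the relay, and carol's five destinations never fall inside one 60-second window.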
Service Security Protection – Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth

Virus and Malware Protection – Remove Malware Destined to Users
[Figure: User 1 – SCE – Carrier Ethernet / MPLS / IP – Internet, with the VAS server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked]
  1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
  2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
  3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
  4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point – Broadband Edge / Aggregation:
  Directly after subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
  Aggregation point further down the network edge
  Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
  Traffic visibility (engine must see all traffic it needs to control)
  Network interfaces
  Split-flow
  Network redundancy
  IP tunneling environment

Insertion Concept – SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice-versa
[Figure: Analysis Engine applying PDR (Police / Drop / Rewrite) actions on the wire]

Inline and Receive-Only Configurations – Non-Intrusive and Stealthy
Receive-only configuration:
  Using optical splitters / port-span
  Traffic monitoring only
Inline configuration:
  Engine installed in the data-path
  Monitor and control traffic
[Figure: optical splitters between subscribers and network feeding the receive-only SCE]

High Availability – Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs cascaded, one on each active link]

Redundant Configurations – Active/Standby Schemes
1+0:
  Active/Standby: SCE on active link
  On failure network uses alternate path
  No service redundancy
  Bypass config: fail open
1+1:
  Active/Standby: SCE on each link
  On failure network uses alternate path
  Standby SCE resumes service
  Bypass config: fail open
[Figure: active and standby links for both schemes]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
  In case of a major failure in the SCE SW or HW
  Manually via CLI
  On boot
[Figure: SCE8000 with optical bypass modules on its link ports, showing the default bypass state (no power) and the non-default bypass state]

MGSCP Cluster Insertion – N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability – "buy as you grow" approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability – provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept:
  7600 dispatches the flows to a unique port served by an SCE
  The SCE performs DPI functionality and returns the packets to the original data path
  All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
[Figure: N+1 SCEs attached to the 7600; flows dispatched out to an SCE and return flows back onto the Internet path]

Network Architectures – SCE's Open & Extensible Architecture
[Figure: DSL / Fiber and Mobile access (BRAS / LAC / LNS, GGSN) feeding SCEs in N+1, 1+1 HA and bypass HA arrangements towards the Internet, with accounting / policy control alongside]

Tunneling Environment – SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
  VLAN 802.1q tagging
  MPLS traffic engineering
  L2TP tunneling
  IP-in-IP tunneling
  GRE & GTP planned for end of 2009
[Figure: packet inspection reaches the payload / TCP / IP headers beneath L2TP, MPLS and PPP encapsulations]

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Figure: Service Control Engine between subscribers and the network; Subscriber Manager (integrating AAA, DHCP, RADIUS, billing), Collection Manager (reporting tool), Engage Console, Service Portal and Policy Server / Portal around it]

Management and Integrations
Network Management
  Description: FCAPS
  Protocols and tools: SNMP, CLI, SSH
  External software modules: N/A
Policy / Service Configuration
  Description: definition of policies and dissemination to SE devices
  Protocols and tools: SCA-API, GUI, scripts, XML
  External software modules: Service Control Application Suite GUI
Subscriber Management
  Description: dynamic management of subscriber contexts
  Protocols and tools: SM API, RADIUS
  External software modules: Subscriber Manager
Data Collection
  Description: collection of usage data for reporting and billing
  Protocols and tools: NetFlow v9, RDR-Protocol
  External software modules: Collection Manager

Network Management (FCAPS)
SNMP (v2):
  MIB-II
  Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
  Telnet / SSH
  Cisco look and feel
  CLI configuration wizard

Management – Network Navigator – Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass

Signature Editor
Customer defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage service security functionality:
  View / load / edit signatures
  Configure identification thresholds
  Set up mitigation actions
  View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages subscriber contexts:
  Subscriber-ID: ID of subscriber context
  Network-ID: IP addresses used to map traffic to context
  Policy-ID: ID of policy (package) defining rules
  Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
  RADIUS AAA
  DHCP servers
  Policy control systems

Subscriber Manager – Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
  Push: login messages sent directly to relevant SCE device
  Pull: SCE device queries SM for mapping of IP addresses

Subscriber Manager – RADIUS Integration – Push
[Figure: B-RAS on the network side, RADIUS server, Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller) and the SCE in front of the subscribers]
  1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
  2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
  3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager – RADIUS Integration – Pull
[Figure: same components as the push case]
  1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
  2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
  3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
  4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration – LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translated into SM events:
  Login: Subscriber ID, Domain, Mappings, Lease time, Policy
  Logout: Subscriber ID, Mappings

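The push and pull flows and the LEG translation above, as an added example that is not Cisco's code and not part of the deck: a RADIUS Listener LEG in Python that parses a constructed Accounting-Request, translates Acct Start / Stop into SM Login / Logout events, and keeps a toy SDB that serves both the push side (Set Subscriber to the SCE) and the pull side (the SCE's "who is using IP" query). The attribute numbers are the RFC 2865/2866 ones and the Cisco vendor id is 9; carrying SCE-VAS-PID as a Cisco-AVPair "key=value" string, the "Remove Subscriber" call name and the SDB shape are assumptions.

```python
import socket
import struct

# RFC 2865/2866 codes and attribute types used by the slide's ACCT Start flow
ACCT_REQUEST, ACCT_START, ACCT_STOP = 4, 1, 2
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_ACCT_STATUS = 1, 8, 26, 40
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Cisco-AVPair sub-type carries "key=value" text

def _attr(atype, value):
    """One RADIUS attribute TLV: type, total length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_acct_request(status, username, framed_ip, package_id=None, ident=1):
    """Constructed Accounting-Request shaped like the ACCT Start on the slide (authenticator
    zeroed: this makes test input, it is not a RADIUS client). Assumed encoding of the
    package id: Cisco-AVPair "SCE-VAS-PID=<n>" inside a Vendor-Specific attribute."""
    attrs = _attr(ATTR_ACCT_STATUS, struct.pack("!I", status))
    attrs += _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_FRAMED_IP, socket.inet_aton(framed_ip))
    if package_id is not None:
        vendor = struct.pack("!I", CISCO_VENDOR_ID)
        vendor += _attr(CISCO_AVPAIR, f"SCE-VAS-PID={package_id}".encode())
        attrs += _attr(ATTR_VSA, vendor)
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_radius(packet):
    """Walk the attribute TLVs, checking every length field instead of trusting it."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs = {"code": code, "avpairs": {}}
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            attrs["User-Name"] = value.decode()
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            attrs["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif atype == ATTR_ACCT_STATUS and len(value) == 4:
            attrs["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VSA and len(value) >= 4 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            sub = value[4:]
            while len(sub) >= 2:  # vendor sub-attributes are TLVs as well
                stype, slen = sub[0], sub[1]
                if slen < 2 or slen > len(sub):
                    raise ValueError("malformed vendor attribute length")
                if stype == CISCO_AVPAIR:
                    key, _, val = sub[2:slen].decode().partition("=")
                    attrs["avpairs"][key] = val
                sub = sub[slen:]
        pos += alen
    return attrs

def translate_leg(attrs):
    """LEG translation per the slide's table: Acct Start -> SM Login (subscriber ID,
    mappings, policy); Acct Stop -> Logout (subscriber ID, mappings); anything else, nothing."""
    if attrs.get("code") != ACCT_REQUEST or "User-Name" not in attrs:
        return None
    base = {"subscriber_id": attrs["User-Name"], "mappings": [attrs.get("Framed-IP-Address")]}
    status = attrs.get("Acct-Status-Type")
    if status == ACCT_START:
        pid = attrs["avpairs"].get("SCE-VAS-PID")
        return {"event": "Login", **base, "policy": int(pid) if pid is not None else None}
    if status == ACCT_STOP:
        return {"event": "Logout", **base}
    return None

class SubscriberManager:
    """Toy SDB. Push mode records the SM-API call that would go to the SCE;
    pull mode answers the SCE's "who is using IP" query from the same table."""

    def __init__(self):
        self.sdb = {}     # subscriber_id -> {"mappings": [ip, ...], "policy": n}
        self.pushed = []  # (operation, subscriber_id, ip, policy) sent to the SCE

    def handle(self, event):
        sub, policy = event["subscriber_id"], event.get("policy")
        if event["event"] == "Login":
            self.sdb[sub] = {"mappings": list(event["mappings"]), "policy": policy}
            op = "Set Subscriber"
        else:
            self.sdb.pop(sub, None)
            op = "Remove Subscriber"  # assumed name for the logout-side SM-API call
        for ip in event["mappings"]:
            self.pushed.append((op, sub, ip, policy))
        return self.pushed[-1]

    def who_is_using_ip(self, ip):
        for sub, ctx in self.sdb.items():
            if ip in ctx["mappings"]:
                return (sub, ip, ctx["policy"])
        return None

def demo():
    """Push slide steps 1-3 (Acct Start), then the pull query, then an Acct Stop."""
    sm = SubscriberManager()
    start = build_acct_request(ACCT_START, "Joe", "1.2.3.4", package_id=12)
    pushed = sm.handle(translate_leg(parse_radius(start)))  # Set Subscriber (Joe, 1.2.3.4, 12)
    pulled = sm.who_is_using_ip("1.2.3.4")                  # answers the SCE's query
    sm.handle(translate_leg(parse_radius(build_acct_request(ACCT_STOP, "Joe", "1.2.3.4"))))
    return pushed, pulled, sm.who_is_using_ip("1.2.3.4")
```

A corrupted attribute length is rejected with ValueError rather than read past the packet, which is the check a real LEG exposed to untrusted accounting traffic needs.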
Policy Server Integration – API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
  SCE API – allows direct subscriber management with the SCE (provided in Java)
  SM API – allows dynamic subscriber management (provided in C, Java)
  SCE MIB – allows integration for maintenance operation
  RDRs – allow integration for billing / quota provisioning issues
  NetFlow v9 – allows integration for billing / quota provisioning cases

Policy Servers Integration – Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: SCE – API – Subscriber Manager – API – Policy Server]

PCEF – Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
[Figure: GGSN, access aggregation and service control (PCEF SCE), converged packet core and Internet, with subscriber service control and video / VoIP applications and services]

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include:
  Called-Station-Id
  3GPP-SGSN-IP-Address
  3GPP-SGSN-MCC-MNC
  3GPP-GPRS-Negotiated-QoS-Profile
  3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
  Cisco bundled Collection Manager
  Third party database
Configurable data granularity:
  Interval between RDRs
  Sample rates

Collection Manager – RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems: policy-control, mediation, home-grown customer systems
[Figure: RDR stream (RDR RDR RDR ...) carried over TCP to the mediation / collection platform; each RDR is a header followed by field 0, field 1, ... field n]

Collection Manager – NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
  Subscriber Usage (NUR)
  Package Usage (PUR)
  Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
[Figure: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter)]

Collection Manager – Software Overview
CM-Software:
  Unix (Solaris, Linux) Java software
  Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
  Template-driven reporting tool (100+ report templates)
CM-Bundle:
  Cisco provides collection software pre-packaged with a DB (Sybase)
  Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  – Per package
  – Per service
  – Per direction (aka upstream / downstream)
[Figure: browsing, P2P and VoIP upstream flows from the subscriber side and downstream flows from the network side]

ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
[Figure: customer logos grouped by access type: Mobile, DSL, Cable]

[Table: sample customers and partners by solution area, continued]
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising: Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

[Table: sample customers and partners by solution area, continued]
Solution areas: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 4
Service Control ndashAdvancing Broadband Services
Over 750 Service Providers Deployed
ANY broadband Network xDSL FTTx Cable Mobile 3G Fixed-Wireless
Significant rollouts in live networks
Largest Service Control deployments in the world ndash over 100 million subscribers served
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 5
Market Challenges amp Opportunities
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 6
Value Add to Commodity Product
Commodity Good Service Experience
Prevailing prices forvarious coffee offerings
$01ndash$02Per Cup
$05ndash$25Per Cup
$75ndash$150Per Cup
$200ndash$500Per Cup
bullGraphic BusinessWeek 2005
bullSource Pine and Gilmore The Experience Economy 1999
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 7
Application
bullIncreasing Value of Broadband CurrencyBandwidth
A Bulletin BoardBrowsing
Music Gaming File Sharing
Web 20IP TV
Whatlsquos Next1 Terabyte
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 8
Expectations Have Changed
From Mobile Data To Mobile BB
Pay per kilo-
bit plans
Mobile phone
with data
Access and SMS-
based services
Average
96kbps
Full HTML-based
browsing
Mobile
computer
On-demand video
and content
Closed OS and
browser
All-u-can eat
service plans
Broadband data
rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 9
iPhone Launch
1 million customers within 2 monthlsquos
gt40 new ATampT customers
Revenue sharing with Apple
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 10
gPhone
inside
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 11
TV on your Mobile Phone
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 12
Skype goes Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 13
Alex Day AKA Nerimon (19 years old)
Nerimon
Number 1 Most Popular
Britainlsquos Youtubers has 30000 subscribers tune into him everyday
European Operator
ldquoVideo is number 1 application that is
killing our networkrdquo
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 14
bullSource Cisco IBSG Analysis March 2006
ContentApplicationProviders
AggregatorsIntegratorsOver the Top (OTT)
NetworkBased Operators
VirtualNetworkOperators
DeviceServices
Who Will Capture the Value
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 15
OTTs Create Three Areas of Concern for SPshellip
Un-monetised Traffic Growth
ServiceSubstitution
Changing User Behaviour ndash New Sources of Revenue
Source Cisco IBSG
While remaining innovative acquisitive and highly valued
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 16
Service Control Engine (SCE) Fundamentals
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 17
DPI allows Mobile service providers to cope with the dynamic nature of the net
permits SPrsquos to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPrsquos to create new per-subscriber service offerings and other differentiated services (such as parental control advanced per-application charging and quota)
DPI empowers Mobile SPrsquos implement advanced targeted advertising schemes
Deep Packet Inspection (DPI) Critical To Managing Todayrsquos Mobile Networks
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 18
Application Architecture of the FutureSCE enables User Experience
Service Provider Network
Service Control PointFixed
Wireless
DSL
CellularWiFi MeshWiMAX
Enterprise
Cable
Gaming
Messaging
BroadbandAccess
Voice
IPTVVoD
Music
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 19
Application Awareness
Subscriber Intelligence
Real-Time Control
Service Velocity
Technology
Rapidly ProgrammableRapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection Instead of processing packets as individual events the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth ShapingBlocking Redirecting (HTTP RSTP SIP)
Subscriber State Managementwith Per-Subscriber BW Management and Quotas
Extensible Platform amp Open Architecture Based upon a flexible purpose-built platform
Modular and scalable HW accelerationEasy-to-use with open APIs for seamless OSS Integration
Carrier Class Designed for carrier-grade deployments requiring
High Performance for Multi-Gigabit and 10 Gigabit SpeedsHigh Availability amp Reliability with stateful failover
What Is the Service Control Engine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Intelligent Inspection and Control of IP Packets Classify to end-user application determine application semantics
Map to subscriber identity policy and state
Select action based on conditions - time of day congestion usage other concurrent activities
Take action and reportBlock
Redirect
Set QoS
Mark
Service Control Engine
Report
Process of Service Control
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 21
Co
st M
an
ag
em
en
tR
even
ue
Gen
era
tio
n
Traffic Anomaly Detection and DDOS Protection
Anti-X (SPAMWorms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (VoiceVideo) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control amp Content Filtering
Premium
Service
Enablement
Usage
Analysis
Content
Charging Service Control
Technology
Traffic
Optimization
Tiering amp
Access
Control
Service
Security
Service Control EngineFunctional Examples
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 22
Category
Interfaces2-GBE
(Fiber SXLX)
4-GBE
(Fiber SXLX)
2-10G 4-10G
8-GBE 16-GBE
(Fiber SXLXZX)
Mgmt Interface 2 x 101001000 Eth 2 x 101001000 Eth 2 x 101001000 Eth
Max Concurrent Unidirectional Application Flows
2M 2M16M
(Can grow up to 32M)
Max Subscriber-Contexts
200000 200000 1M
Network ConfigurationOut of Line
Inline
Out of Line
Inline
Clustering
Out of Line
Inline
Clustering
Service Control Platforms
SCE1000 SCE2000 SCE8000
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 23
SCE ProductFamily and Milestones
Capacity
(Concurrent Subscribers)
200K
Performance
5Gbps 40Gbps
SCE 1000
SCE 2000
SCE 8000
2x10 G 4x10G amp 8xGBE 16xGBE Ethernet interfaces Classification of up to 32 million concurrent
unidirectional application flows Total throughput of 15 Gbps (30+ Gbps by
end 09) Up to 1M concurrent subscribers Complete modularity - FRU AC or DC power
supplies fans cards interfaces optics
1M
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 24
3GPP Compliance
Content Filtering
Content Charging
Traffic Optimization
Usage Analysis
DPI
Industry leading Deep Packet Inspection
Rich set of IP services
3GPP Compliant
Cisco SCE In Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 25
The SCE Mobile Solution
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 26
The SCE Mobile Solution ndash 3GPP Compliance
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
PCEF
GyGx
PCRF OCFSRP
AF
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 27
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
1 SCE Appliance
to view and act
on the packets
2 Collection
Manager to
collect data
records for
Reporting amp
external DBlsquos
3 Subscriber Manager
to coordinate sub
info w AAA and
control sub-level
policies
4 Policy Manager
to control multiple
devices and
sophisticated
policies
What does an SCE solution look likeSCE sits at the access or aggregation layer
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 28
Us
ag
e A
na
lys
isS
erv
ice
Cre
ati
on
Service Control Engine DeploymentApproaches
Traffic Analysis amp Business Intelligence Implement traffic monitoring analysis and reporting Determine subscriber and application usage patterns
1
Capacity Control amp Fair-Use Policies (FUPs) Manage bandwidth-intensive applications through packet flow
optimization techniques Implement Fair Usage Policies for fair allocation of network resources
2
Revenue Generating Services Implement tiered services using volume and time-base quotas Implement Service Self Selection Implement Over-The-Top (OTT) Application Strategy and
Blended Services Implement Security Services (Anti-X Quarantine etc) Innovate other Differentiated Services such as Parental
Controls Content Filtering Turbo Buttons Allowance Based Services Prioritized App Services Pay-as-you-go Services
3
Portal
DHCP
AAA
Subs Profile
Policy
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 29
Why does a Service Provider Want From SCEProfitability
URL Blacklisting Restricting sites that are blacklisted by governments
bullURL Blacklisting
Precision Advertising
Copyright Infringement
Blocking
bullFlat Rate
bullRestricted
OTT Revenue
Share Proposition
Enhanced Tiered
Services
UsageContent
Based Billing
Fair Use Policy
Demographic Information amp Per Sub Re-direction to Ad Server
Blocking Distribution of Pirated FilmMusic
Application Intercept for Internet Content Prioritisation
Product Tiers in addition to flat rate all you can eat
All HSDPA Mobile Operators
Global Migration from Flat Rate to Usage Based
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
bull
bullStrategic
bullPart of
bullBusiness OpsbullCustomer
bullSales
bullCategory
bullRecognition
Act Measure
Decide Analyze
Compare
bullCisco
Service
Control
bullCisco
Service
Control
Transactions Information
Network Utilization
Service QoE
Data Aggregation
Data Mining
Correlation
Trend Analysis
Geographies Comparison
Histogram View
Service Offering
Marketing Review
Intersecting Set
Engineering Review
IT Review
Network Tuning
Cooperation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 32
Video
Reports
Which specific Video applications is consuming bandwidth
How do usage patterns vary by time of day
Who are the top video consumers
Focus on specific Video Application
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 33
Web
Reports
Insights into Web traffic
Top Domains
Top Hosts
Insights into
All popular Google Hosts
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 34
The ability to classify HTTP
requests as belonging to a
userrsquos ClickStream allows
effective extraction of
information about a user
browsing habits
ClickStream events constitute
only 1-5 of the total amount
of HTTP requests which allows
an immense reduction in the
amount of data to be analyzed
Web ReportsClickStream
Only ClickStream
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 35
Cumulative amp Average Usage Distribution
Top 1 =gt 15+ of Traffic
Top 10 =gt 60+ of Traffic
Top 20 =gt 80+ of Traffic
Setting 5G Daily Quota per Subscriber will impact on Top 2 only
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 36
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients, protocols and applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
Time to market / zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions (service level):
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net, peering, transit
Policy implementation impact

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: snapshots of one subscriber's bandwidth shared among a peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video)

Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, longer-term violations of the subscription plan's acceptable usage policies need to be monitored and acted upon, to ensure a balanced community of subscribers.
Example: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE, Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
– Apply equitable distribution of network resources
– Improve the Quality of Experience that the network delivers
– Minimize service abuse
FairUsage works only during congestion times.
(Charts: no fairness, where some subscribers are not getting a fair share of the bandwidth, versus fair allocation of bandwidth with the SCE's FairShare)

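As an added example (not Cisco's FairShare implementation), the following Python works through the allocation problem of the two slides above: a weighted max-min fair split of a congested link in which a subscriber's weight falls with its usage in the recent short-term window, compared with the plain "divide equally" split. The function names, the weight formula and the sample numbers are assumptions of this example.

```python
def fair_share(capacity, demands, recent_usage):
    """Allocate `capacity` (e.g. Mbit/s) among subscribers on a congested link.

    demands:      {subscriber: bandwidth currently requested}
    recent_usage: {subscriber: bytes moved in the short-term window};
                  an empty dict gives every subscriber the same weight,
                  i.e. the plain "divide equally" split from the slide.

    Weighted max-min fairness (water-filling): each round, the unallocated
    capacity is split among still-unsatisfied subscribers in proportion to
    their weights; anyone whose demand is below their share is capped at
    that demand and the surplus is redistributed. The weight formula
    w = 1 / (1 + usage / mean_usage) is a hypothetical choice for this
    example: the more a subscriber moved recently, the smaller its weight.
    """
    subs = [s for s, d in demands.items() if d > 0]
    alloc = {s: 0.0 for s in demands}
    if not subs:
        return alloc
    mean_usage = sum(recent_usage.get(s, 0) for s in subs) / len(subs)
    weights = {
        s: 1.0 / (1.0 + (recent_usage.get(s, 0) / mean_usage if mean_usage else 0.0))
        for s in subs
    }
    remaining = float(capacity)
    unsatisfied = set(subs)
    while unsatisfied and remaining > 0:
        wsum = sum(weights[s] for s in unsatisfied)
        share = {s: remaining * weights[s] / wsum for s in unsatisfied}
        satisfied = [s for s in unsatisfied if demands[s] <= share[s]]
        if not satisfied:
            # Nobody left can be fully served: each takes its weighted share.
            for s in unsatisfied:
                alloc[s] = share[s]
            break
        for s in satisfied:
            alloc[s] = float(demands[s])
            remaining -= demands[s]
            unsatisfied.discard(s)
    return alloc


def congested(capacity, demands):
    """FairUsage acts only while the link is congested (total demand exceeds capacity)."""
    return sum(demands.values()) > capacity


def allocate(capacity, demands, recent_usage):
    """Entry point: outside congestion every subscriber simply gets its demand."""
    if not congested(capacity, demands):
        return {s: float(d) for s, d in demands.items()}
    return fair_share(capacity, demands, recent_usage)


def demo():
    # Constructed scenario after the slide: two subscribers on a 10 Mbit/s link
    # that cannot satisfy both; Sub B moved nine times as much data as Sub A
    # in the recent window.
    demands = {"Sub A": 6.0, "Sub B": 8.0}
    usage = {"Sub A": 1_000_000_000, "Sub B": 9_000_000_000}
    return {
        "equal_split": allocate(10.0, demands, {}),       # Sub A gets 5, still short
        "fair_share": allocate(10.0, demands, usage),     # Sub A 6, Sub B 4
        "no_congestion": allocate(20.0, demands, usage),  # both fully served
    }
```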
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging (e.g. email only)
Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN, SGSN/GGSN, SCE, GPRS policy server, Internet)

Tiered Services

Requirement: Flexible Billing Plans
Subscription plans built on progressively richer dimensions:
Time, Volume: bill by bandwidth usage over an always-on service
Time, Volume, Transaction, Content Type: bill differently for each type of application and content
Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: subscribers, Service Control Engine, network; Quota Manager, billing/mediation, policy server)

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
Quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota

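The two rules on this slide, service exemptions and a time-of-day measurement rate, as an added Python example that is not Cisco's quota code: the service names, the night-time hours (01:00-05:59), the QuotaMeter class and the sample records are assumptions of this example.

```python
# Services whose traffic carries revenue other than access revenue and is
# therefore exempt from quota counting (names are constructed for this example).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}

DAILY_QUOTA = 5_000_000_000   # the 5 GB daily quota mentioned earlier in the deck


def quota_rate(hour):
    """Bytes transferred per byte of quota charged, by hour of day (0-23).

    Peak hour: 1 byte of transfer = 1 byte of quota.
    Middle of the night (assumed here to be 01:00-05:59): 10 bytes of
    transfer = 1 byte of quota.
    """
    if not 0 <= hour <= 23:
        raise ValueError("hour must be 0..23")
    return 10 if 1 <= hour < 6 else 1


class QuotaMeter:
    """Per-subscriber quota bucket applying exemptions and time-of-day rates."""

    def __init__(self, exempt=EXEMPT_SERVICES):
        self.exempt = frozenset(exempt)
        self.used = {}          # subscriber -> quota bytes consumed
        self.exempted = {}      # subscriber -> transferred bytes not counted

    def account(self, subscriber, service, nbytes, hour):
        """Charge one usage record (service, bytes, hour of day it was seen).

        Returns the quota bytes charged. Exempt services return 0 whatever
        the direction of transfer, so uploads of SP content are free too.
        """
        if nbytes < 0:
            raise ValueError("byte count cannot be negative")
        if service in self.exempt:
            self.exempted[subscriber] = self.exempted.get(subscriber, 0) + nbytes
            return 0.0
        charged = nbytes / quota_rate(hour)
        self.used[subscriber] = self.used.get(subscriber, 0.0) + charged
        return charged

    def remaining(self, subscriber, quota_bytes):
        """Quota left in the bucket; never below zero."""
        return max(quota_bytes - self.used.get(subscriber, 0.0), 0)

    def exhausted(self, subscriber, quota_bytes):
        """True once the subscriber should hit the quota redirect/enforcement."""
        return self.used.get(subscriber, 0.0) >= quota_bytes


def demo():
    """Run a constructed day of usage for one subscriber through the meter."""
    meter = QuotaMeter()
    records = [  # (service, bytes, hour) - constructed sample records
        ("web", 100_000_000, 20),            # peak: counts in full
        ("p2p", 500_000_000, 3),             # night: counts at one tenth
        ("sp-voip", 30_000_000, 20),         # SP's own VoIP: exempt
        ("partner-cdn", 2_000_000_000, 21),  # partner content: exempt
    ]
    for service, nbytes, hour in records:
        meter.account("sub-a", service, nbytes, hour)
    return meter
```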
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
(Diagram: subscriber; GGSN for access aggregation and service control; SCE for subscriber service control; converged packet core; Internet; video/VoIP applications and services; steps 1-3)
The Gy interface is still under development and will be available in a future release.

Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
(Diagram: SCE, Gy over Diameter, Online Charging Server, Internet)
The Gy interface is still under development and will be available in a future release.

Quota Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month

(Self-care portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around)

Redirect Page
Redirect page in case 100% of quota is reached. Three options are presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband.

Quota Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction

T-Mobile: Quota-Based with Application Control
Plan             | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB (six values extracted for seven plans)
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
(Screenshot: > 40)

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (application awareness, control bus)
(Diagram: IPTV/VoD, broadband access, gaming, messaging, music, voice)

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self-selection

Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example: Content Tiering, "Kids Broadband"
Application- and content-based access control with white lists and black lists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
(Portal mock-up: "Content blocked. Click here to unlock all Internet sites")

URL Filtering with External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration (flow): URL not in cache -> URL query RDR to the 3rd-party URL database -> return URL classification -> cache lookup/update
Package policy per URL list:
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps

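The cache-in-front-of-external-database flow and the package policy table above, as an added Python example that is not the SCE's URL filtering code: the policy table is the slide's, while the stand-in database, its list IDs, the host-level keying, the LRU cache size and all class and function names are assumptions of this example.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Package policy table from the slide: package -> action per URL list
# (DEFAULT = host not in any list).
PACKAGE_POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the 3rd-party URL database (host -> list ID).
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2}


def host_of(url):
    """Normalize a request URL to the lower-cased host the database is keyed on."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def unavailable(host):
    """Stand-in lookup that behaves like an unreachable external database."""
    raise ConnectionError("external URL DB unreachable")


class UrlClassifier:
    """On-device classification with an LRU cache in front of the external DB."""

    def __init__(self, lookup, cache_size=10_000):
        self._lookup = lookup            # callable: host -> list ID or None
        self._cache = OrderedDict()      # host -> list ID (None = DEFAULT)
        self._size = cache_size
        self.external_queries = 0        # how many "URL query RDRs" went out

    def classify(self, url):
        host = host_of(url)
        if host in self._cache:
            self._cache.move_to_end(host)       # cache hit: no external query
            return self._cache[host]
        self.external_queries += 1
        try:
            list_id = self._lookup(host)
        except Exception:
            # External DB unreachable: treat as unclassified (DEFAULT) but do
            # not cache the miss, so the next request retries the database.
            return None
        self._cache[host] = list_id
        if len(self._cache) > self._size:
            self._cache.popitem(last=False)     # evict least recently used
        return list_id


def action_for(package, list_id):
    """Look up the package's action for the classified list (None = DEFAULT)."""
    row = PACKAGE_POLICY[package]
    return row["DEFAULT"] if list_id is None else row.get(list_id, row["DEFAULT"])


def demo():
    """Constructed requests from subscribers on different packages."""
    clf = UrlClassifier(EXTERNAL_DB.get)
    requests = [
        ("Block-all",      "http://adult.example/page1"),
        ("Block-and-slow", "http://gambling.example/"),
        ("Block-none",     "HTTP://ADULT.EXAMPLE/page2"),   # same host: cache hit
        ("Block-all",      "news.example/today"),           # not in any list
        ("Block-and-slow", "http://adult.example/page3"),   # cache hit again
    ]
    decisions = [action_for(pkg, clf.classify(url)) for pkg, url in requests]
    return decisions, clf.external_queries
```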
Parental Control and Content Filtering: Example
Content filtering (screenshot: "Page blocked: forbidden content detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
(Diagram: advertiser, publisher, consumer; the ISP contributes demographics, browsing habits and geo-location to BetterAds)
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring (diagram):
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit, ...)

P2P Identification: Infringing / Non-Infringing
Classifying P2P content into infringing and non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Flow (diagram):
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file

Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Diagram: SCE redirects OTT traffic to the OTT video cache; cache delivers requested files; other traffic such as OTT, P2P and VoIP continues; increase in demand for OTT)

Service Security Challenges
Key challenges:
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: email servers, Internet, Service Control)
Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"

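The identify / protect / notify chain for the spam case, as an added Python example that is not Cisco's service security implementation: a sliding-window anomaly rule run over constructed flow records, followed by the policy actions. The record format, the threshold of distinct SMTP destinations, the window length and the action strings are assumptions of this example.

```python
from collections import defaultdict, deque

# Anomaly rule (assumed for this example): a subscriber opening SMTP
# connections to more than SMTP_DEST_THRESHOLD distinct mail servers within
# WINDOW seconds looks like a spam zombie rather than a mail client that only
# talks to its ISP's relay.
SMTP_PORT = 25
SMTP_DEST_THRESHOLD = 20
WINDOW = 60

# Three-tier response from the slide, keyed by threat class (action strings assumed).
POLICY = {
    "spam-zombie": {
        "identify": "alert SP operations",
        "protect": "block outbound TCP/25 for subscriber",
        "notify": "quarantine subscriber and redirect to notification page",
    },
}


def parse(line):
    """Parse one constructed flow record: '<epoch> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto


def detect(lines):
    """Sliding-window anomaly detection. Returns {subscriber_ip: first alert time}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) seen within WINDOW
    alerts = {}
    for line in lines:
        ts, src, dst, dport, proto = parse(line)
        if proto != "tcp" or dport != SMTP_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                      # drop connections outside the window
        # Count distinct servers, not connections: one busy relay is normal.
        if src not in alerts and len({d for _, d in q}) > SMTP_DEST_THRESHOLD:
            alerts[src] = ts
    return alerts


def respond(alerts, threat="spam-zombie"):
    """Map each alert to the identify / protect / notify actions of the policy."""
    return {src: dict(POLICY[threat], since=ts) for src, ts in alerts.items()}


def constructed_log():
    """Constructed sample traffic (not captured data).

    10.0.0.7 sprays 25 SMTP connections to 25 different servers in 25 s;
    10.0.0.8 sends three messages through its ISP relay; 10.0.0.9 browses.
    """
    t0 = 1_246_478_400
    lines = [f"{t0 + i} 10.0.0.7 203.0.113.{i + 1} 25 tcp" for i in range(25)]
    lines += [f"{t0 + 10 * i} 10.0.0.8 198.51.100.25 25 tcp" for i in range(3)]
    lines += [f"{t0 + i} 10.0.0.9 198.51.100.80 80 tcp" for i in range(40)]
    return sorted(lines, key=lambda l: int(l.split()[0]))
```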
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1, SCE, carrier Ethernet/MPLS/IP, VAS server, Internet; inbound and outbound traffic; X marks traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows that match the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flow
Network redundancy
IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: analysis engine; PDR = police, drop, rewrite actions)

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
(Diagram: optical splitters between subscribers and network)

High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, each on an active link)

Redundant Configurations: Active/Standby Schemes
1+0:
Active/standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass config: fail opened
1+1:
Active/standby SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass config: fail opened
(Diagram: active link and standby links)

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state)

MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
(Diagram: N+1 SCEs between the 7600 and the Internet; flows out, flows return)

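The dispatching rule above (all of a subscriber's flows to the same SCE, N+1 spare) as an added Python example, not Cisco's MGSCP or 7600 load-balancing code: the subscriber-address hashing, the single-spare takeover behaviour and the class and method names are assumptions of this example.

```python
import hashlib


class ScpCluster:
    """N active SCEs plus one spare, with per-subscriber affinity.

    Flows are keyed on the subscriber-side address so that upstream and
    downstream packets of one subscriber always reach the same SCE, which is
    what lets that SCE keep its flow and subscriber state.
    """

    def __init__(self, active, spare):
        if not active or spare in active:
            raise ValueError("need at least one active SCE and a distinct spare")
        self.active = list(active)     # slot i -> SCE name; order fixes the mapping
        self.spare = spare
        self.failed = set()

    @staticmethod
    def subscriber_ip(src_ip, dst_ip, direction):
        """'up' = subscriber -> network (src is the subscriber), 'down' = reverse."""
        if direction not in ("up", "down"):
            raise ValueError("direction must be 'up' or 'down'")
        return src_ip if direction == "up" else dst_ip

    def slot(self, sub_ip):
        """Stable hash of the subscriber address onto an active slot.

        hashlib is used instead of hash() because Python randomizes hash()
        per process, and a dispatcher must map the same way after a restart.
        """
        digest = hashlib.sha256(sub_ip.encode()).digest()
        return int.from_bytes(digest[:8], "big") % len(self.active)

    def dispatch(self, src_ip, dst_ip, direction):
        """Return the SCE that should see this packet."""
        sce = self.active[self.slot(self.subscriber_ip(src_ip, dst_ip, direction))]
        if sce in self.failed:
            if self.spare in self.failed:
                raise RuntimeError("no healthy SCE for this subscriber")
            return self.spare   # N+1: only the failed unit's subscribers move
        return sce

    def fail(self, sce):
        """Mark an SCE down. Subscribers of the other units keep their SCE and
        its state; the moved subscribers' in-progress flows are new to the spare."""
        self.failed.add(sce)

    def recover(self, sce):
        """Bring an SCE back; its subscribers return to it (state starts fresh)."""
        self.failed.discard(sce)
```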
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: N+1 cluster, 1+1 HA and bypass HA insertion options; GGSN for mobile, BRAS/LAC/LNS for DSL/fiber; accounting/policy control; Internet)

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
(Diagram: encapsulation stacks, e.g. Payload / TCP / IP / L2TP or MPLS, and Payload / TCP / IP / PPP)

Management and Integration

What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
Modular solution includes SCE devices, management tools and integration APIs
(Diagram: subscribers, Service Control Engine, network; Subscriber Manager with AAA, DHCP, RADIUS; Collection Manager with billing and reporting tool; Engage console; service portal; policy server/portal)

Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR protocol | Collection Manager

Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB (link throughput, flow statistics, subscriber statistics, device performance, RDR statistics)
Traps: MIB-II traps; RDR link up/down; link status up/down
CLI: Telnet/SSH; Cisco look and feel; CLI configuration wizard

Management: Network Navigator, Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage service security functionality: view/load/edit signatures; configure identification thresholds; set up mitigation actions; view reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration: Push
(Diagram: B-RAS, network, Cisco Subscriber Manager with RADIUS listener, event manager, internal SDB and SCE device controller, subscribers)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager RADIUS Integration: Pull
(Diagram: as in the push case)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

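The push and pull exchanges of the last two slides, as an added Python example that is not Cisco's Subscriber Manager or SM-API: the text rendering of the accounting record (a real RADIUS packet carries binary attribute-value pairs, with SCE-VAS-PID as a vendor-specific attribute), the class names and the anonymous default package are assumptions of this example.

```python
DEFAULT_PID = 0   # package applied to traffic from an unmapped (anonymous) IP

# Constructed text form of the Accounting-Start from the slide.
ACCT_START_JOE = """Acct-Status-Type=Start
User-Name=Joe
Framed-IP-Address=1.2.3.4
SCE-VAS-PID=12"""


def parse_acct(text):
    """Parse 'Attribute=value' lines into a dict."""
    return dict(line.split("=", 1) for line in text.strip().splitlines() if "=" in line)


class SCE:
    """Device-side Network-ID table: ip -> (subscriber_id, package_id)."""

    def __init__(self, s_manager=None):
        self.table = {}
        self.sm = s_manager        # set only in pull mode

    def set_subscriber(self, name, ip, pid):
        """SM-API 'Set Subscriber' as delivered in push mode."""
        self.table[ip] = (name, pid)

    def remove(self, ip):
        self.table.pop(ip, None)

    def context_for(self, ip):
        """Classify a packet's subscriber; in pull mode an unknown IP asks the SM."""
        if ip in self.table:
            return self.table[ip]
        if self.sm is not None:
            answer = self.sm.who_is_using(ip)     # "Who is using IP 1.2.3.4?"
            if answer is not None:
                self.table[ip] = answer
                return answer
        return ("anonymous", DEFAULT_PID)


class SubscriberManager:
    """Maps Network-ID (IP) to Subscriber-ID and Policy-ID; serves push and pull."""

    def __init__(self):
        self._by_ip = {}
        self._by_name = {}
        self._push_targets = []

    def attach(self, sce):
        """Register an SCE for push mode."""
        self._push_targets.append(sce)

    def on_radius(self, attrs):
        """RADIUS listener: translate accounting records into logins/logouts."""
        name = attrs["User-Name"]
        if attrs.get("Acct-Status-Type") == "Start":
            self.login(name, attrs["Framed-IP-Address"], int(attrs["SCE-VAS-PID"]))
        elif attrs.get("Acct-Status-Type") == "Stop":
            self.logout(name)

    def login(self, name, ip, pid):
        old = self._by_name.get(name)
        if old and old[0] != ip:              # re-login with a new address
            self._by_ip.pop(old[0], None)
            for sce in self._push_targets:
                sce.remove(old[0])
        stale = self._by_ip.get(ip)
        if stale and stale[0] != name:        # IP reused before the old Stop arrived
            self._by_name.pop(stale[0], None)
        self._by_name[name] = (ip, pid)
        self._by_ip[ip] = (name, pid)
        for sce in self._push_targets:
            sce.set_subscriber(name, ip, pid)  # push: login goes straight to the SCE

    def logout(self, name):
        ip, _ = self._by_name.pop(name, (None, None))
        if ip is None:
            return
        self._by_ip.pop(ip, None)
        for sce in self._push_targets:
            sce.remove(ip)
        # Pull-mode SCEs are not told: they keep the mapping until their own
        # entry ages out, so a quickly reassigned IP could be misattributed.

    def who_is_using(self, ip):
        """Pull query from an SCE."""
        return self._by_ip.get(ip)
```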
RADIUS Integration: LEG Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs feeding the SM:
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login carries: subscriber ID, domain, mappings, lease time, policy
Logout carries: subscriber ID, mappings

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C, Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning issues
NetFlow v9: allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE - API - Subscriber Manager - API - Policy Server)

PCEF: Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
(Diagram: GGSN for access aggregation and service control; PCEF SCE for subscriber service control; converged packet core; Internet; video/VoIP applications and services; steps 1-5)
The Gx interface is still under development and will be available in a future release.

Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
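Slides 104 and 106 together describe the integration point where subscriber identity reaches the SCE: a network ID (here the Framed-IP-Address from the GGSN's RADIUS accounting) is bound to a subscriber ID and the 3GPP attributes listed above travel with it. The following Python is an added example written for this page, not Cisco code or the Subscriber Manager's actual AAA listener. It parses a RADIUS Accounting-Request, verifies the Request Authenticator with the shared secret before trusting anything in it (an unverified Accounting-Start would let a spoofed packet remap an IP address onto another subscriber's policy), extracts the 3GPP vendor-specific attributes (vendor ID 10415, attribute numbers from 3GPP TS 29.061) and updates a network-ID-to-subscriber map. The shared secret, IMSI, addresses and QoS string in the sample packet are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 8, 26
ATTR_CALLED_STATION_ID, ATTR_ACCT_STATUS_TYPE = 30, 40
VENDOR_3GPP = 10415
# 3GPP vendor-specific attribute numbers (3GPP TS 29.061)
VSA_3GPP = {5: "3GPP-GPRS-Negotiated-QoS-Profile", 6: "3GPP-SGSN-Address",
            13: "3GPP-Charging-Characteristics", 18: "3GPP-SGSN-MCC-MNC"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attributes(payload: bytes):
    """Yield (type, value) pairs, refusing lengths that escape the buffer."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen


def accounting_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_accounting_request(packet: bytes, secret: bytes) -> dict:
    """Return the fields the Subscriber Manager needs; raise on anything unverifiable."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    if not accounting_authenticator_ok(packet, secret):
        raise ValueError("authenticator mismatch: drop it, never remap a subscriber on it")
    fields = {"id": ident}
    for atype, value in _attributes(packet[20:]):
        if atype == ATTR_USER_NAME:
            fields["User-Name"] = value.decode()
        elif atype == ATTR_FRAMED_IP_ADDRESS:
            fields["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_CALLED_STATION_ID:
            fields["Called-Station-Id"] = value.decode()
        elif atype == ATTR_ACCT_STATUS_TYPE:
            fields["Acct-Status-Type"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "other")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == VENDOR_3GPP:
                for vtype, vval in _attributes(value[4:]):
                    name = VSA_3GPP.get(vtype)
                    if name == "3GPP-SGSN-Address":
                        fields[name] = str(ipaddress.IPv4Address(vval))
                    elif name:
                        fields[name] = vval.decode()
    return fields


def apply_to_mapping(mapping: dict, fields: dict) -> dict:
    """Start/Interim bind the network ID (Framed-IP) to the subscriber; Stop unbinds it."""
    ip = fields.get("Framed-IP-Address")
    if ip is not None:
        if fields.get("Acct-Status-Type") == "Stop":
            mapping.pop(ip, None)
        elif "User-Name" in fields:
            mapping[ip] = fields["User-Name"]
    return mapping


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _vsa_3gpp(vtype: int, value: bytes) -> bytes:
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + _attr(vtype, value))


def build_sample_accounting_start(secret: bytes, ident: int = 7) -> bytes:
    """Constructed Accounting-Start for illustration; every value below is made up."""
    attrs = (_attr(ATTR_USER_NAME, b"262011234567890@internet")
             + _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.45.3.17").packed)
             + _attr(ATTR_CALLED_STATION_ID, b"internet")
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))
             + _vsa_3gpp(6, ipaddress.IPv4Address("192.0.2.10").packed)
             + _vsa_3gpp(18, b"26201")
             + _vsa_3gpp(13, b"0800")
             + _vsa_3gpp(5, b"05-23921F"))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + authenticator + attrs
```

The authenticator check is the part that matters operationally: RADIUS accounting is usually UDP from a GGSN, so anything that can reach the listener's port can send a plausible Accounting-Start. Rejecting packets whose authenticator does not verify, and never updating the map on a parse error, keeps a forged packet from rebinding an IP to a different subscriber and therefore to a different package.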
Slide 107: Collection Manager
- The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
- NetFlow v9 records are sent to an external NetFlow collector.
- RDRs are sent to the Collection Manager for processing: either the Cisco bundled Collection Manager or a third-party database.
- Data granularity is configurable: the interval between RDRs and the sample rates.
Slide 108: Collection Manager - RDR Protocol
- Usage data is streamed from the device using the RDR protocol: TCP, binary encoded.
- Support for multiple destinations, failover and subscriptions.
- The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer platforms.
Figure: the SCE sends an RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by fields 0 to n.
Slide 109: Collection Manager - NetFlow v9 Export
- NetFlow v9 export supports L7 report records.
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions.
- Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR).
- The format is supported by various NetFlow collectors, including Cisco NFC 6.0.
Figure: the SCE exports to either the SCMS Collection Manager (feeding the SCMS Reporter) or a NetFlow collector (feeding a NetFlow reporter).
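Slide 109 says the SCE exports its usage records in NetFlow v9 with additional L7 fields, and that ordinary collectors can consume them. What makes that work is the template mechanism of NetFlow v9 (RFC 3954): the exporter first sends a template FlowSet (ID 0) describing field types and lengths, and data FlowSets (ID >= 256) are decoded against it, so a collector that does not know the L7 field numbers in advance can still carry them through under their numeric IDs. The Python below is an added example for this page, not Cisco collector code. It shows the two checks a collector must make: a data FlowSet whose template has not arrived yet is counted and skipped rather than guessed at, and every FlowSet and template length is bounds-checked so a malformed export cannot make the decoder read past the packet. The export packet it decodes is constructed inline.

```python
import struct

# Field type numbers from RFC 3954 section 8. Anything else (for example the
# L7 extensions mentioned on the slide) is kept under its numeric ID.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

# version, count, sysUptime, unixSecs, sequence, sourceId
HEADER = struct.Struct("!HHIIII")


def _decode_field(ftype: int, raw: bytes):
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if len(raw) in (1, 2, 4, 8):
        return int.from_bytes(raw, "big")
    return raw.hex()


class NetFlowV9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length), ...]
        self.pending = 0      # data FlowSets skipped because their template is unknown

    def feed(self, packet: bytes) -> list:
        """Decode one export packet; return the data records it carried."""
        if len(packet) < HEADER.size:
            raise ValueError("short packet")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not NetFlow v9")
        records, off = [], HEADER.size
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("FlowSet length escapes the packet")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        p = 0
        while p + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, p)
            p += 4
            if p + 4 * nfields > len(body):
                raise ValueError("template field list truncated")
            fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
            self.templates[(source_id, tid)] = fields
            p += 4 * nfields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> list:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending += 1        # template not seen yet: do not guess the layout
            return []
        rec_len = sum(length for _, length in fields)
        if rec_len == 0:
            return []
        out, p = [], 0
        while p + rec_len <= len(body):   # bytes left over are 4-byte padding
            rec = {}
            for ftype, length in fields:
                rec[FIELD_NAMES.get(ftype, f"FIELD_{ftype}")] = _decode_field(ftype, body[p:p + length])
                p += length
            out.append(rec)
        return out


def build_sample_export(include_template: bool = True, source_id: int = 1,
                        template_id: int = 256) -> bytes:
    """Constructed export: one template FlowSet and one data FlowSet with two flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    flows = [(b"\x0a\x2d\x03\x11", b"\xc0\x00\x02\x50", 51234, 443, 6, 812345, 701),
             (b"\x0a\x2d\x03\x12", b"\xc0\x00\x02\x51", 42000, 6881, 17, 120000, 300)]
    data = b"".join(s + d + struct.pack("!HHBII", sp, dp, pr, by, pk)
                    for s, d, sp, dp, pr, by, pk in flows)
    data += b"\x00" * ((4 - len(data) % 4) % 4)
    data_fs = struct.pack("!HH", template_id, 4 + len(data)) + data
    header = HEADER.pack(9, 3, 1000, 1250000000, 1, source_id)
    return header + (tmpl_fs if include_template else b"") + data_fs
```

Templates are keyed by (source ID, template ID) because template IDs are only unique per exporter; two SCEs can both use template 256 for different layouts. A collector fed the data FlowSet before the template will report `pending` counts until the exporter's periodic template refresh arrives.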
Slide 110: Collection Manager - Software Overview
CM software:
- Java software for Unix (Solaris, Linux)
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a database (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111: ToS Marking
- ToS marking is decoupled from the queuing mechanism.
- Provides a simplified GUI configuration based on 7 selectable DSCP values.
- Once an application has been classified, the SCE ToS-marking capability can mark its traffic per package, per service, and per direction (upstream or downstream).
Figure: subscriber side | SCE | network side, with upstream and downstream flows for browsing, P2P and VoIP.
Slide 112: ToS Classification
- The SCE provides traffic classification based on the ToS bits.
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network.
- The main goal of this functionality is to classify traffic based on its ToS marking and provide the appropriate service level accordingly.
- DSCP-based classification takes precedence over the other classification methods (signatures, etc.) and is based on the Flavor mechanism.
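Slides 111 and 112 describe the two halves of DSCP handling: marking flows after classification, and classifying flows by marks that some other element set earlier, with the mark winning over the signature result. The point a practitioner has to add is where the mark came from. Because ToS classification trusts whatever is in the header, a mark that arrives from the subscriber side is an untrusted assertion, and honouring it would let a subscriber put bulk traffic into the VoIP class simply by setting DSCP 46 on the handset. The Python below is an added example for this page, not SCE code. It extracts the 6-bit DSCP from the IPv4 DS byte, resets subscriber-originated marks to 0 (recomputing the header checksum) before applying the mark-first precedence, and re-marks a classified flow. The DSCP-to-flavour table, the flavour names and the packets are constructed; the SCE's own seven-value table is configured in its GUI.

```python
import struct
from typing import Optional, Tuple

# Constructed table of selected DSCP values to service flavours (illustrative only;
# the SCE GUI works with a configurable table of seven DSCP values).
DSCP_FLAVORS = {46: "voip", 34: "video", 26: "premium-web", 18: "business",
                10: "browsing", 8: "bulk"}


def dscp_of(ipv4_packet: bytes) -> int:
    """Return the 6-bit DSCP from the IPv4 TOS/DS byte; the 2 ECN bits are discarded."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_packet[1] >> 2


def header_checksum_ok(ipv4_packet: bytes) -> bool:
    """Ones'-complement sum over the header, checksum field included, must fold to 0xFFFF."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    total = sum(struct.unpack(f"!{ihl // 2}H", ipv4_packet[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def remark(ipv4_packet: bytes, dscp: int) -> bytes:
    """Rewrite the DS field (keeping ECN) and recompute the IPv4 header checksum."""
    ihl = (ipv4_packet[0] & 0x0F) * 4
    hdr = bytearray(ipv4_packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack(f"!{ihl // 2}H", bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    hdr[10:12] = struct.pack("!H", ~total & 0xFFFF)
    return bytes(hdr) + ipv4_packet[ihl:]


def classify(ipv4_packet: bytes, from_subscriber: bool,
             signature_match: Optional[str]) -> Tuple[str, bytes]:
    """Mark-first precedence, but only for marks that arrived from the network side.
    A mark set by the subscriber is reset to 0 before classification (assumed policy
    for this example) so it cannot promote the flow; the signature result then decides."""
    if from_subscriber and dscp_of(ipv4_packet) != 0:
        ipv4_packet = remark(ipv4_packet, 0)
    flavor = DSCP_FLAVORS.get(dscp_of(ipv4_packet))
    return (flavor or signature_match or "default"), ipv4_packet


def build_ipv4(dscp: int, src: bytes, dst: bytes, proto: int = 17) -> bytes:
    """Constructed 20-byte IPv4 header with a valid checksum and no payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0x1234, 0x4000, 64, proto, 0, src, dst)
    return remark(hdr, dscp)   # remark() fills in the checksum
```

The same `remark()` is what the marking feature of slide 111 does on the way out: once the signature has classified a flow, the SCE writes the DSCP for its package, service and direction so that downstream queuing, which the slide says is decoupled from the marking, can act on it.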
Slide 113: Summary

Slide 114: Cisco SCE Sample Customers
Figure: customer logos grouped by access type (mobile, DSL, cable).
Slide 115: Sample Customers and Partners by Solution Area (1)
Figure: a matrix of solution areas (security and content filtering; policy and billing; URL black-listing; advertising) against partners and customers. As listed on the slide:
- Security and content filtering partners: Aladdin, Websense, Adaptive Mobile
- Policy and billing partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- URL black-listing: Websense, in-platform cache
- Advertising partners: Phorm, Feeva, Adzilla, local China, local Italy; advertising customers: a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
- Other customers listed: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W

Slide 116: Sample Customers and Partners by Solution Area (2)
Figure: a matrix of solution areas (Flash caching/video; content infringement; management/reporting; data warehousing) against partners and customers. As listed on the slide:
- Flash caching / video: Oversi, CDS
- Content infringement: Audible Magic, Advestigo, Altnet
- Management / reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Data warehousing: Business Objects, Oracle
- Customers listed: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Slide 9: iPhone Launch
- 1 million customers within 2 months
- >40% new AT&T customers
- Revenue sharing with Apple

Slide 10: gPhone
Figure: "gPhone inside" graphic.

Slide 11: TV on Your Mobile Phone

Slide 12: Skype Goes Mobile

Slide 13: Alex Day, AKA Nerimon (19 years old)
- Nerimon is the number 1 most popular of Britain's YouTubers: 30,000 subscribers tune in to him every day.
- European operator: "Video is the number 1 application that is killing our network"

Slide 14: Who Will Capture the Value?
Value chain (source: Cisco IBSG analysis, March 2006): content/application providers; aggregators, integrators and over-the-top (OTT) players; network-based operators; virtual network operators; devices and services.

Slide 15: OTTs Create Three Areas of Concern for SPs...
- Un-monetised traffic growth
- Service substitution
- Changing user behaviour: new sources of revenue
...while remaining innovative, acquisitive and highly valued. (Source: Cisco IBSG)

Slide 16: Service Control Engine (SCE) Fundamentals
Slide 17: Deep Packet Inspection (DPI) - Critical to Managing Today's Mobile Networks
- DPI allows mobile service providers to cope with the dynamic nature of the net: it permits SPs to classify all IP applications, and it provides subscriber awareness to manage traffic streams based on individual subscriber state and policy.
- DPI provides usage analysis and reporting.
- DPI enables mobile SPs to implement capacity management and fair-use policies: to gain visibility into network activities, to optimize network bandwidth and improve network performance, and to guarantee a consistent QoE over the RAN and backhaul.
- DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota).
- DPI empowers mobile SPs to implement advanced targeted-advertising schemes.
Slide 18: Application Architecture of the Future - SCE Enables the User Experience
Figure: a service control point in the service provider network sits between the access networks (fixed wireless, DSL, cellular, WiFi mesh, WiMAX, enterprise, cable) and the services (gaming, messaging, broadband access, voice, IPTV/VoD, music).
Slide 19: What Is the Service Control Engine?
Four pillars: application awareness, subscriber intelligence, real-time control, service velocity.
Technology:
- Rapidly programmable: rapidly re-tasked to support new protocols or applications.
- Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7.
- Application session-level bandwidth shaping, blocking and redirecting (HTTP, RTSP, SIP).
- Subscriber state management, with per-subscriber bandwidth management and quotas.
- Extensible platform and open architecture: based on a flexible, purpose-built platform; modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration.
- Carrier class: designed for carrier-grade deployments requiring high performance at multi-gigabit and 10 gigabit speeds, and high availability and reliability with stateful failover.
Slide 20: Process of Service Control
Intelligent inspection and control of IP packets:
1. Classify to the end-user application; determine application semantics.
2. Map to subscriber identity, policy and state.
3. Select an action based on conditions: time of day, congestion, usage, other concurrent activities.
4. Take action and report: block, redirect, set QoS, mark, report.
Slide 21: Service Control Engine - Functional Examples
Figure: functional areas arranged on an axis from cost management to revenue generation: service security, tiering and access control, traffic optimization, usage analysis, content charging, premium service enablement. Examples shown:
- Traffic anomaly detection and DDoS protection
- Anti-X (spam, worms)
- Safe harbor and quarantine services
- Traffic mix optimization
- Fair use policy enforcement
- QoS assurance
- Traffic analysis and reporting
- Quality of experience monitoring
- Usage demographics
- Service self selection
- Volume- and time-based tiering of services
- Bandwidth on demand (turbo button)
- Over-the-top application partnership services
- Multimedia (voice/video) traffic prioritization
- Volume- and time-based billing services
- Parental control and content filtering
Slide 22: Service Control Platforms
Category | SCE1000 | SCE2000 | SCE8000
Interfaces | 2 GBE (fiber SX/LX) | 4 GBE (fiber SX/LX) | 2 x 10G, 4 x 10G, 8 GBE, 16 GBE (fiber SX/LX/ZX)
Management interface | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows | 2M | 2M | 16M (can grow up to 32M)
Max subscriber contexts | 200,000 | 200,000 | 1M
Network configuration | Out of line, inline | Out of line, inline, clustering | Out of line, inline, clustering
Slide 23: SCE Product Family and Milestones
Figure: capacity (concurrent subscribers) from 200K (SCE 1000, SCE 2000) to 1M (SCE 8000); performance from 5 Gbps to 40 Gbps.
SCE 8000:
- 2 x 10G, 4 x 10G, 8 x GBE and 16 x GBE Ethernet interfaces
- Classification of up to 32 million concurrent unidirectional application flows
- Total throughput of 15 Gbps (30+ Gbps by end of 2009)
- Up to 1M concurrent subscribers
- Complete modularity: field-replaceable AC or DC power supplies, fans, cards, interfaces, optics
Slide 24: Cisco SCE in Mobile
- 3GPP compliance
- Content filtering
- Content charging
- Traffic optimization
- Usage analysis
- DPI
Industry-leading deep packet inspection; a rich set of IP services; 3GPP compliant.
Slide 25: The SCE Mobile Solution
Figure: SGSN/GGSN -> SCE -> core -> Internet, with the SCE connected to AAA (RADIUS), a policy server, portal/applications, and billing and charging.

Slide 26: The SCE Mobile Solution - 3GPP Compliance
Figure: the same topology annotated with the 3GPP roles: the SCE as PCEF, the Gx and Gy interfaces, and the PCRF, OCF, SRP and AF peers.
Slide 27: What Does an SCE Solution Look Like? The SCE sits at the access or aggregation layer
1. SCE appliance: views and acts on the packets.
2. Collection Manager: collects data records for reporting and external databases.
3. Subscriber Manager: coordinates subscriber information with AAA and controls subscriber-level policies.
4. Policy Manager: controls multiple devices and sophisticated policies.
Figure: subscribers -> SCE -> network, with the Subscriber Manager (AAA, DHCP, RADIUS, billing), the Collection Manager (reporting tool), the Engage console, the service portal and the policy server/portal around it.
Slide 28: Service Control Engine Deployment Approaches
Figure: three steps on an axis from usage analysis to service creation, with portal, DHCP, AAA, subscriber profile and policy as supporting elements.
1. Traffic analysis and business intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns.
2. Capacity control and fair-use policies (FUPs): manage bandwidth-intensive applications through packet-flow optimization techniques; implement fair usage policies for fair allocation of network resources.
3. Revenue-generating services: implement tiered services using volume- and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services.
Slide 29: What Does a Service Provider Want From SCE? Profitability
- URL blacklisting: restricting sites that are blacklisted by governments
- Precision advertising: demographic information and per-subscriber redirection to an ad server
- Copyright infringement blocking: blocking distribution of pirated film and music
- OTT revenue share proposition: application intercept for Internet content prioritisation
- Enhanced tiered services: product tiers (flat rate, restricted) in addition to flat-rate all-you-can-eat
- Usage/content-based billing: all HSDPA mobile operators; global migration from flat rate to usage based
- Fair use policy
Slide 30: Traffic Analysis and Business Intelligence

Slide 31: Business Intelligence Cycle
Figure: a cycle of measure, analyze, compare, decide and act, with Cisco Service Control providing the measure and act stages. Elements shown: transactions information, network utilization, service QoE; data aggregation, data mining, correlation, trend analysis; geographies comparison, histogram view, intersecting set; service offering, marketing review, engineering review, IT review; network tuning, cooperation; strategic, part of business ops, customer, sales, category recognition.
Slide 32: Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application.

Slide 33: Web Reports
- Insights into web traffic: top domains, top hosts
- Insights into all popular Google hosts

Slide 34: Web Reports - ClickStream
- The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
- ClickStream events constitute only 1-5% of the total number of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
Figure: report filtered to "Only ClickStream".

Slide 35: Cumulative and Average Usage Distribution
- Top 1% of subscribers => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber will impact the top 2% only.
Slide 36: Service Control Engine Protocol Support - Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients, protocols and applications
- New protocol or application signatures
- Extensible protocol-signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update.
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM.
Behavioral Signatures
Finding new signatures becomes difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography specific applications
In some cases almost impossible (new trend of anti-shapinglsquo)
Itrsquos both a scalability and a feasibility challenge
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 38
Behavioral ClassificationBenefits
Beh
avio
ral
Cla
ssif
icati
on
Scalability Behavioral approach is capable of recognizing the application flows based only on few signaturesOne signature per application family instead of per application signature (Behavioral P2P)
Cost-EffectiveBehavioral P2P maybe enough for some of the use cases such as Traffic Optimization In such case there is no need to recognize the specific P2P application
Time To Market ndash Zero Day ResponseBehavioral P2P signature use heuristic approach New P2P client version not necessarily requires development of new signatures
Slide 39: Peer-to-Peer Management and Network Optimization

Slide 40: SCE's Flexible Control - Policy Implementation
Policy dimensions (service level): application (sessions or bandwidth); time-based (peak/off-peak hours); congestion (selective prioritization); subscriber (per-subscriber limits); destination (on-net, peering, transit). Figure: policy implementation and its impact.

Slide 41: Adaptive Subscriber Bandwidth Allocation - Improve the User Experience
Figure: a subscriber's bandwidth split over time between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the allocation adapts to make room for it.
Slide 42: Fair Usage - The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
- Short-term windows of usage also need to be taken into account.
- In addition, longer-term violation of the subscription plan's acceptable usage policy must be monitored and acted on, to ensure a balanced community of subscribers.
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Slide 43: Fair Usage - SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- apply equitable distribution of network resources
- improve the quality of experience that the network delivers
- minimize service abuse
FairUsage works only during congestion times.
Figure: no fairness (some subscribers not getting a fair share of the bandwidth) versus fair allocation of bandwidth with the SCE's FairShare.
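The question on slide 42 is why an equal split at 0:40 is not fair: Sub B has been consuming the link for the whole window while Sub A has just started, so a split that ignores the recent window rewards the subscriber who already had the resource. The Python below is an added example written for this page, not the SCE's FairShare implementation. It is a generic weighted max-min (progressive-filling) allocation in which each subscriber's weight is derived from its share of the recent usage window, and it only shapes when the demands exceed capacity, matching the statement on slide 43 that FairUsage acts only during congestion. The traffic figures, the window and the weight floor are constructed.

```python
from typing import Dict


def weighted_max_min(capacity: float, demands: Dict[str, float],
                     weights: Dict[str, float]) -> Dict[str, float]:
    """Progressive filling: raise every unsatisfied subscriber's share in proportion
    to its weight until the link is full or every demand is met. A subscriber that
    asks for less than its share keeps its demand and the remainder is shared on."""
    alloc = {s: 0.0 for s in demands}
    remaining = capacity
    active = {s for s, d in demands.items() if d > 0}
    while active and remaining > 1e-9:
        total_w = sum(weights[s] for s in active)
        # the largest uniform step that fills no active subscriber past its demand
        step = min(remaining / total_w,
                   min((demands[s] - alloc[s]) / weights[s] for s in active))
        for s in active:
            alloc[s] += step * weights[s]
            remaining -= step * weights[s]
        active = {s for s in active if demands[s] - alloc[s] > 1e-9}
    return alloc


def history_weights(recent_usage: Dict[str, float], floor: float = 0.2) -> Dict[str, float]:
    """Subscribers who consumed more of the recent window get a lower weight, so a
    newly active light user is not held to an equal split with a heavy one.
    The floor keeps the heaviest user from being starved outright (constructed value)."""
    peak = max(recent_usage.values()) or 1.0
    return {s: max(floor, 1.0 - u / peak) for s, u in recent_usage.items()}


def allocate(capacity: float, demands: Dict[str, float],
             recent_usage: Dict[str, float]) -> Dict[str, float]:
    """FairUsage applies only under congestion: if the link can carry every demand
    nothing is shaped, otherwise shares are set by history-weighted max-min."""
    if sum(demands.values()) <= capacity:
        return dict(demands)
    return weighted_max_min(capacity, demands, history_weights(recent_usage))
```

With a 10 Mbit/s link, both subscribers asking for 8 Mbit/s, and only Sub B having used the recent window, the equal split gives 5/5 while the history-weighted split gives Sub A 8 and Sub B 2 for the next interval; as A's own usage accumulates, the weights converge and the split moves back toward equal. Window length and floor are policy choices that decide how quickly that happens.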
Slide 44: RAN Optimization and Backhaul Optimization
- Addresses the inherent congestion at RAN and backhaul level that the boom in mobile data is imposing.
- Higher and more consistent performance, and a much improved end-user experience.
- Flexibility to generate revenue through differential billing and charging, e.g. email only.
- Ability to provide SLA support or managed services for large enterprise users.
Figure: UTRAN -> SGSN/GGSN -> SCE -> Internet (GPRS), with a policy server attached to the SCE.

Slide 45: Tiered Services

Slide 46: Requirement - Flexible Billing Plans
- Volume, time: bill by bandwidth usage over an always-on service.
- Volume, time, transaction, content type: bill differently for each type of application and content.
- Volume, time, transaction, content type, usage pattern, quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern.
The figure also shows subscription and time as billing parameters.
Slide 47: Allowance- or Quota-Based Services - Buy Time or Bandwidth as Needed
- Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
- Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "pay as you go" option. After two hours the session can either be terminated or the user can purchase more usage.

Slide 48: Quota Measurement and Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographic data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Figure: subscribers -> SCE -> network, with the quota manager, billing/mediation and policy server attached.

Slide 49: Quota Measurement Flexibility
- Content that earns revenue other than access revenue can be exempted from quota counting: the SP's content delivery store, the SP's gaming services, the SP's VoIP service, partnership content delivery services. P2P technology can also be supported in the upload direction via DPI.
- The quota measurement rate can change with the time of day: at peak hour, 1 byte transferred = 1 byte of quota; in the middle of the night, 10 bytes transferred = 1 byte of quota.
Slide 50: Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events.
- Standard Gy interface to the online charging server.
Figure: GGSN (access aggregation and service control) -> SCE (subscriber service control) -> converged packet core -> Internet; video, VoIP, applications and services; the original diagram numbers the steps 1 to 3.
- The Gy interface is still under development and will be available in a future release.

Slide 51: Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter: the SCE supports the Diameter Credit Control Application (DCCA).
- Integration with online charging servers for mobile prepaid and quota use cases.
- Multiple quota types: volume, time, event driven.
- High availability and load balancing between online charging servers.
Figure: SCE <-Gy over Diameter-> online charging server; SCE -> Internet.
- The Gy interface is still under development and will be available in a future release.
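Slides 49 and 51 describe the two sides of volume quota: how bytes are weighted and exempted before they count, and the DCCA exchange over Gy that hands the PCEF a grant, takes back the used amount, and finally tells it the credit is gone. The Python below is an added example for this page, not Cisco's Gy implementation: it models the messages at the AVP level (no Diameter wire encoding) with the CC-Request-Type and Result-Code values from RFC 4006, and the OCS is a small in-memory stand-in. The exempt-service names, the 10:1 off-peak weight, the grant slice size and the opening balance are constructed. The session fails closed: once a CCA carries Final-Unit-Indication, traffic is refused until the portal tops the balance up.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Diameter Credit-Control values (RFC 4006, 3GPP TS 32.299)
CCR_INITIAL, CCR_UPDATE, CCR_TERMINATION = 1, 2, 3
DIAMETER_SUCCESS, DIAMETER_CREDIT_LIMIT_REACHED = 2001, 4012
FUA_REDIRECT = 1   # Final-Unit-Action: send the user to the top-up portal

# Constructed metering policy for the illustration (slide 49): services that earn
# revenue other than access revenue are exempt, off-peak bytes count 10:1.
EXEMPT_SERVICES = {"sp-content-store", "sp-voip", "sp-gaming", "partner-cdn"}


def quota_weight(hour: int) -> float:
    """Fraction of a transferred byte charged to the quota at this hour."""
    return 0.1 if 0 <= hour < 6 else 1.0


@dataclass
class OnlineChargingServer:
    """Stand-in OCS: one volume balance per subscriber, handed out in slices."""
    balances: Dict[str, int]
    slice_bytes: int = 50_000_000

    def credit_control(self, sub: str, req_type: int, used: int = 0) -> dict:
        """Handle a CCR: debit Used-Service-Unit, then grant a new slice if credit remains."""
        bal = self.balances.get(sub, 0) - used
        self.balances[sub] = max(bal, 0)
        if req_type == CCR_TERMINATION:
            return {"Result-Code": DIAMETER_SUCCESS}
        if bal <= 0:
            return {"Result-Code": DIAMETER_CREDIT_LIMIT_REACHED,
                    "Final-Unit-Indication": {"Final-Unit-Action": FUA_REDIRECT}}
        return {"Result-Code": DIAMETER_SUCCESS,
                "Granted-Service-Unit": min(bal, self.slice_bytes)}


@dataclass
class PcefSession:
    """PCEF side: meters flows against the current grant and talks Gy to the OCS."""
    ocs: OnlineChargingServer
    sub: str
    granted: int = 0
    used: int = 0
    redirect: bool = False
    log: List[tuple] = field(default_factory=list)   # (CC-Request-Type, used, Result-Code)

    def _request(self, req_type: int) -> None:
        cca = self.ocs.credit_control(self.sub, req_type, self.used)
        self.log.append((req_type, self.used, cca["Result-Code"]))
        self.used = 0
        if cca["Result-Code"] == DIAMETER_SUCCESS and req_type != CCR_TERMINATION:
            self.granted = cca["Granted-Service-Unit"]
        else:
            self.granted = 0
            # fail closed: no grant means no service until the portal tops up
            self.redirect = "Final-Unit-Indication" in cca

    def start(self) -> None:
        self._request(CCR_INITIAL)

    def stop(self) -> None:
        self._request(CCR_TERMINATION)

    def account(self, service: str, nbytes: int, hour: int) -> bool:
        """Charge one flow's bytes against the grant; return whether the traffic may pass."""
        if self.redirect:
            return False
        if service in EXEMPT_SERVICES:
            return True
        self.used += int(nbytes * quota_weight(hour))
        if self.used >= self.granted:      # grant exhausted: re-authorise over Gy
            self._request(CCR_UPDATE)
        return not self.redirect
```

Two things the stand-in does not model but a real deployment must decide: what the PCEF does when no OCS answers (the Credit-Control-Failure-Handling AVP chooses between continuing and terminating, and slide 51's load balancing between charging servers is what makes "terminate" tolerable), and the overshoot between the last byte of a grant and the CCR-U that reports it, which is why grants are sliced rather than handed out whole.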
Slide 52: Quota-Based Tiering - Telenet, Cable Company in Belgium
Source: www.billingworld.com, feature article featureID=7799
- Quota complements speed as a tiering parameter.
- When a user reaches the quota, the Internet service is reduced to dial-up speed.
- The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month.
- 15% of customers upgrade their quota every month.

Slide 53: Telenet Self-Service Portal
Figure: portal screenshot with options to view previous months; current product and speed; extend the monthly subscription volume; upgrade to another product; and a button to switch from pay-as-you-go broadband to free smallband or the other way around.

Slide 54: Redirect Page
Figure: the redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.

Slide 55: Quota-Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase.
- 40% reduction in service support calls relating to this service: increased customer satisfaction.
Slide 56: T-Mobile - Quota-Based With Application Control
Plan | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2 GB | 2 GB | 1 GB | 3 GB | 10 GB | -
VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Slide 57: European Mobile BB - Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile."
- Business issue: Skype taking mobile minutes away.
- Use case description: the SCE and the PGW 2200 allow Skype users to be routed to mobile phones over the PLMN.
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype.

Slide 58: European Mobile Volume Quota
Figure: screenshot from www.vodafone.es (particulares/internet), highlighting a "> 40" figure.
Slide 59: Advanced Services

Slide 60: Dynamic Personalized Services - Enhanced Quality of Experience
The industry's first subscriber- and/or application-driven solution.
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control).
- "Push": the enhanced experience is application-driven (application awareness over a control bus).
Figure: services (IPTV/VoD, broadband access, gaming, messaging, music, voice) connected over the control bus.
Slide 61: Service Creation - SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use.
- Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application.
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service.
- Copyright infringement: validate that distributed content does not infringe copyrights.
- Advertisement insertion: perform local advertisement insertions.
- Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber.
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA/policy server to deliver a personalized broadband experience.
Slide 62: Self-Subscription Service via a Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup.
- Enable customers to self-select and modify services and features.

Slide 63: Personalized Subscriber Management - Self-Service Selection Example
- Simplifies the end-user experience.
- Personalization per user, including self-subscription and account refresh, e.g. new consumer service activation.
- Personalization via self selection.

Slide 64: Bandwidth on Demand - Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
Slide 69: URL Filtering With an External Database
- Enhances SCE URL classification with external-party databases.
- The external database size is not constrained by the SCE.
- The SCE on-board cache reduces transactions to the external database.
- Java-based API.
- Can be used with commercial parental-control systems or proprietary databases.
- Current integrations are with Websense and Adaptive Mobile.
Figure (on-device URL filtering with external database integration): when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache is then updated.
Subscriber package | HTTP, default | HTTP, list ID 1 | HTTP, list ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64 kbps
Slide 70: Parental Control and Content Filtering - Example
Figure: content-filtering block page ("Page Blocked: Forbidden Content Detected").
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
Slide 71: SPs Participating in the Advertising Value Chain
Figure: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds.
- Leveraging their intimacy with their customer base to enable enhanced targeting.
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
Figure: subscriber network, SCE and hash DB
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
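The lookup-with-cache flow and the package-by-list action matrix on the URL filtering slide, and the hash-DB consultation on the P2P slide above, share one pattern: an external classifier answers a key, an on-device cache absorbs repeat lookups, and a per-package policy turns the verdict into an action. The following Python is an added example written for this page, not Cisco SCE code; the listed hosts, the sample file hash, the cache size and the P2P action names are constructed, and the URL classification is keyed on the host only to keep the example short:

```python
import hashlib
from collections import OrderedDict
from typing import Any, Callable, Dict, List
from urllib.parse import urlsplit

# Policy matrix from the URL-filtering slide: package -> action per HTTP list.
# Column "DEFAULT" is an unlisted URL; columns 1 and 2 are the two HTTP list IDs.
POLICY: Dict[str, Dict[Any, str]] = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class LookupCache:
    """Bounded LRU cache in front of an external classification database.

    Stand-in for the on-board cache on the slides: a hit is answered locally, a
    miss costs one transaction against the 3rd-party DB (the "URL Query RDR").
    """

    def __init__(self, backend: Callable[[str], Any], capacity: int = 1024) -> None:
        self.backend = backend
        self.capacity = capacity
        self._items: "OrderedDict[str, Any]" = OrderedDict()
        self.hits = 0
        self.misses = 0

    def classify(self, key: str) -> Any:
        if key in self._items:
            self._items.move_to_end(key)
            self.hits += 1
            return self._items[key]
        self.misses += 1
        verdict = self.backend(key)
        self._items[key] = verdict
        if len(self._items) > self.capacity:
            self._items.popitem(last=False)      # evict the least recently used entry
        return verdict


# --- URL filtering (slide "URL Filtering With External DB") -------------------
# Constructed stand-in for the 3rd-party URL database: host -> HTTP list ID.
_URL_DB: Dict[str, int] = {"listed-site-1.example": 1, "listed-site-2.example": 2}
url_db_queries: List[str] = []          # every external transaction, for inspection


def external_url_db(host: str) -> Any:
    url_db_queries.append(host)
    return _URL_DB.get(host, "DEFAULT")  # unlisted hosts fall into the DEFAULT column


def http_action(package: str, url: str, cache: LookupCache) -> str:
    """Decide the per-package action for one HTTP request (unknown package raises KeyError)."""
    host = (urlsplit(url).hostname or "").lower()   # classification keyed on the host here
    return POLICY[package][cache.classify(host)]


# --- P2P content identification (slide "P2P Identification") ------------------
# Constructed stand-in for the file-hash DB: content hash -> "infringing" / "legal".
INFRINGING_SAMPLE = hashlib.sha1(b"constructed infringing sample").hexdigest()
_HASH_DB: Dict[str, str] = {INFRINGING_SAMPLE: "infringing"}


def external_hash_db(file_hash: str) -> str:
    return _HASH_DB.get(file_hash, "legal")   # unknown content is not interfered with


def p2p_action(file_hash: str, cache: LookupCache, infringing_action: str = "BLOCK") -> str:
    """PASS a legal file; apply the configured action (BLOCK, REDIRECT, RATE-LIMIT) to an infringing one."""
    return "PASS" if cache.classify(file_hash) == "legal" else infringing_action
```

The hit/miss counters make the point of the on-board cache measurable: the external database is consulted once per distinct host or hash, and the cost of a lookup storm is bounded by the cache capacity rather than by the number of requests.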
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Figure: SCE between the subscribers (OTT, other OTT/P2P and VoIP traffic) and the Internet; the SCE redirects OTT traffic to the OTT video cache and the cache delivers the requested files, absorbing the increase in demand for OTT
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Figure: Service Control between the subscribers, the e-mail servers and the Internet; sample notification sent to a subscriber:
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
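As an added illustration of the three tiers (identify, protect, notify), not code from the SCE or from Cisco, the Python below runs a simple anomaly detector over constructed flow records: a subscriber that opens connections to more distinct SMTP servers inside a sliding window than a configured threshold is flagged as a likely spam zombie, the configured protect action is recorded for it, and a notice modelled on the slide's text is produced. The threshold, the window, the subscriber names and the addresses (documentation ranges) are all assumptions:

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since an arbitrary start
    subscriber: str    # subscriber context the SCE mapped the flow to
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class SecurityPolicy:
    smtp_port: int = 25
    window_s: float = 60.0
    max_distinct_smtp_peers: int = 20   # more distinct mail servers than this per window = anomaly
    action: str = "QUARANTINE"          # configured protect action: QUARANTINE, RATE-LIMIT, ALERT-ONLY


# Constructed sample flows: "sub-a" fans SMTP out to 25 mail servers within 5 seconds,
# "sub-b" talks to two mail servers, "sub-c" only browses HTTPS.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(i * 0.2, "sub-a", f"198.51.100.{i + 1}", 25, "tcp") for i in range(25)]
    + [Flow(1.0, "sub-b", "203.0.113.10", 25, "tcp"), Flow(2.0, "sub-b", "203.0.113.11", 25, "tcp")]
    + [Flow(i * 0.5, "sub-c", f"192.0.2.{i + 1}", 443, "tcp") for i in range(30)]
)


def detect_spam_zombies(flows: List[Flow], policy: SecurityPolicy) -> Dict[str, int]:
    """Identify tier: sliding-window count of distinct SMTP destinations per subscriber.

    Returns {subscriber: distinct peers seen when the threshold was first crossed}.
    """
    flagged: Dict[str, int] = {}
    windows: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    peers: Dict[str, Counter] = defaultdict(Counter)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "tcp" or f.dst_port != policy.smtp_port:
            continue
        win, cnt = windows[f.subscriber], peers[f.subscriber]
        win.append((f.ts, f.dst_ip))
        cnt[f.dst_ip] += 1
        while win and f.ts - win[0][0] > policy.window_s:   # expire flows outside the window
            _, old_ip = win.popleft()
            cnt[old_ip] -= 1
            if cnt[old_ip] == 0:
                del cnt[old_ip]
        if len(cnt) > policy.max_distinct_smtp_peers and f.subscriber not in flagged:
            flagged[f.subscriber] = len(cnt)
    return flagged


def mitigate(flagged: Dict[str, int], policy: SecurityPolicy) -> List[Tuple[str, str]]:
    """Protect tier: the configured action is applied to each flagged subscriber."""
    return [(sub, policy.action) for sub in sorted(flagged)]


def notification(subscriber: str) -> str:
    """Notify tier: text modelled on the sample notice on the slide."""
    return (f"Dear Valued Subscriber {subscriber}, we are advising you that your PC may have "
            "become infected with an email zombie generating spam mail. Click here for "
            "technical assistance: www.technicalsupport.com")


def run_three_tier(flows: List[Flow], policy: SecurityPolicy) -> Dict[str, object]:
    flagged = detect_spam_zombies(flows, policy)
    return {"identify": flagged,
            "protect": mitigate(flagged, policy),
            "notify": {sub: notification(sub) for sub in flagged}}
```

The window matters as much as the threshold: the same 25 destinations spread over several minutes never exceed 20 within 60 seconds and are not flagged, which is the trade-off between catching a slow sender and raising false alarms on a subscriber who legitimately relays to many mail servers.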
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1 on the subscriber side, the SCE, the Carrier Ethernet/MPLS/IP network, the VAS server and the Internet; inbound and outbound traffic, X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge / Aggregation
Directly after the subscriber aggregator (B-RAS / CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Figure: insertion points between the subscribers and the network
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: Analysis Engine applying PDR (Police, Drop, Rewrite) actions in each direction
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port-span
Traffic monitoring only
Inline configuration
Engine installed in the data-path
Monitor and control traffic
Figure: receive-only SCE fed by optical splitters, and inline SCE between the subscribers and the network
High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Figure: Master and Slave SCEs cascaded, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail-open
1+1
Active/Standby SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass configuration: fail-open
Figure: active link and standby link in each scheme
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Figure: SCE8000 with two optical bypass modules, showing the default bypass state (no power) and the non-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE for maintaining flow & subscriber state
Figure: 7600 with N+1 SCEs between the subscribers and the Internet (flows out, return flows back)
Network Architectures: SCE's Open & Extensible Architecture
Figure: SCE deployment options (N+1, 1+1 HA, bypass HAs) behind a GGSN for mobile and a BRAS/LAC/LNS for DSL/fiber, with accounting / policy control and the Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Figure: inspected packet stacks - [l2tp/mpls | IP | TCP | Payload], [l2tp/mpls | IP | TCP | Payload], [ppp | IP | TCP | Payload]
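To make concrete what seeing through the encapsulations above involves, here is an added Python example (not Cisco code) that strips 802.1Q/QinQ tags and an MPLS label stack from a constructed Ethernet frame and then follows IP-in-IP (and, as a generalization beyond the slide, basic GRE) down to the innermost IPv4 5-tuple; L2TP/PPP is not handled. Every length is checked against the bytes actually held, so a truncated or malformed frame raises instead of being mis-classified. The sample frames, MAC and IP addresses are constructed, and the sample headers carry a zero checksum which the parser does not verify:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Ethertypes and IP protocol numbers used below (IANA values)
ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47
MAX_NESTING = 8   # bound on stacked tags / labels / tunnels before giving up


@dataclass
class InnerFlow:
    encaps: List[str]        # encapsulations stripped, outermost first
    src: str
    dst: str
    proto: int
    sport: Optional[int]
    dport: Optional[int]


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4(data: bytes, encaps: List[str]) -> InnerFlow:
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad IHL")
    proto = data[9]
    payload = data[ihl:]     # length fields are never trusted beyond the buffer we hold
    if len(encaps) >= MAX_NESTING:
        raise ValueError("too many nested encapsulations")
    if proto == IPPROTO_IPIP:
        return parse_ipv4(payload, encaps + ["ipip"])
    if proto == IPPROTO_GRE:
        return parse_gre(payload, encaps + ["gre"])
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    return InnerFlow(encaps, _dotted(data[12:16]), _dotted(data[16:20]), proto, sport, dport)


def parse_gre(data: bytes, encaps: List[str]) -> InnerFlow:
    """RFC 2784/2890 GRE: optional checksum, key and sequence words precede the payload."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    if proto != ETH_IPV4:
        raise ValueError(f"unsupported GRE payload 0x{proto:04x}")
    return parse_ipv4(data[off:], encaps)


def parse_mpls(data: bytes, encaps: List[str]) -> InnerFlow:
    """Walk the label stack to the bottom-of-stack entry; the payload type is inferred from it."""
    off = 0
    for _ in range(MAX_NESTING):
        if len(data) < off + 4:
            raise ValueError("truncated MPLS label stack")
        entry = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
        if entry & 0x100:                      # S bit set: last label, IPv4 assumed to follow
            return parse_ipv4(data[off:], encaps)
    raise ValueError("MPLS label stack too deep")


def parse_frame(frame: bytes) -> InnerFlow:
    """Strip 802.1Q/QinQ tags and MPLS, then follow IP-in-IP or GRE to the inner flow."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    off, encaps = 14, []
    for _ in range(MAX_NESTING):
        if etype not in (ETH_VLAN, ETH_QINQ):
            break
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        off += 4
        encaps.append(f"vlan{tci & 0x0FFF}")
    if etype == ETH_MPLS:
        return parse_mpls(frame[off:], encaps + ["mpls"])
    if etype == ETH_IPV4:
        return parse_ipv4(frame[off:], encaps)
    raise ValueError(f"unsupported ethertype 0x{etype:04x}")


# --- constructed sample frames ------------------------------------------------
def _eth(etype: int) -> bytes:
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", etype)


def _ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))


TCP_SYN = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 0x50, 0x02, 8192, 0, 0)
UDP_HDR = struct.pack("!HHHH", 5060, 5060, 8, 0)
# VLAN 100 -> outer IPv4 -> IP-in-IP -> inner IPv4 -> TCP
SAMPLE_VLAN_IPIP = (_eth(ETH_VLAN) + struct.pack("!HH", 100, ETH_IPV4)
                    + _ipv4("198.51.100.1", "198.51.100.2", IPPROTO_IPIP, 40)
                    + _ipv4("10.0.0.2", "192.0.2.10", IPPROTO_TCP, 20) + TCP_SYN)
# MPLS labels 1000 and 2000 (bottom of stack, TTL 255) -> IPv4 -> UDP
SAMPLE_MPLS_UDP = (_eth(ETH_MPLS) + struct.pack("!II", (1000 << 12) | 0xFF, (2000 << 12) | 0x1FF)
                   + _ipv4("10.1.1.1", "10.2.2.2", IPPROTO_UDP, 8) + UDP_HDR)
```

The nesting bound and the per-layer length checks are the part worth copying: a classifier that recurses on attacker-controlled encapsulation depth, or that reads lengths it has not validated, is itself a target for crafted traffic.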
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Figure: Service Control Engine between the subscribers and the network; Subscriber Manager (AAA, DHCP, Radius / Billing), Collection Manager (Reporting Tool, Engage Console, Service Portal), Policy Server / Portal
Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy / Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM database
Batch management of devices / sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate / bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Figure: real-time report; interactive - click on a top subscriber to activate that subscriber
Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
Figure: B-RAS on the network side, the Cisco Subscriber Manager (RADIUS listener, Event Manager, Internal SDB, SCE device controller) and the SCE in front of the subscribers
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE
Subscriber Manager RADIUS Integration - Pull
Figure: same elements as in the push case
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE
4. The SCE asks the SM "Who is using IP 1.2.3.4?" and receives (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
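The push and pull exchanges on the two slides above, as an added Python example that is not Cisco's Subscriber Manager or LEG code: a RADIUS Accounting-Request is parsed attribute by attribute (User-Name, Framed-IP-Address, Acct-Status-Type and a Vendor-Specific attribute carrying the package id), the mapping is stored in an internal SDB, and the context is either pushed to the SCE at login or returned when the SCE asks who is using an IP. The sub-type number used for the SCE-VAS-PID vendor attribute is a placeholder (the slides do not give it), the packet is constructed, and the Request Authenticator is left zero and not validated; a production LEG must verify it against the shared secret before accepting a mapping, since an unauthenticated accounting packet could otherwise re-point an IP at another subscriber's policy.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RADIUS codes and attribute types (RFC 2865/2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC, ATTR_NAS_ID, ATTR_ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
VSA_SCE_VAS_PID = 1   # ASSUMPTION: placeholder sub-type for the slide's SCE-VAS-PID VSA


def parse_radius(packet: bytes) -> Tuple[int, Dict[str, object]]:
    """Parse the header and attributes; reject anything whose lengths do not fit the buffer."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs: Dict[str, object] = {}
    off = 20                                   # skip code, id, length, 16-byte authenticator
    while off < length:
        if length - off < 2:
            raise ValueError("truncated attribute")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        value = packet[off + 2:off + alen]
        if atype == ATTR_USER_NAME:
            attrs["User-Name"] = value.decode("utf-8", "replace")
        elif atype == ATTR_NAS_ID:
            attrs["NAS-Identifier"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            attrs["Framed-IP-Address"] = ".".join(str(b) for b in value)
        elif atype == ATTR_ACCT_STATUS and len(value) == 4:
            attrs["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == VSA_SCE_VAS_PID and 2 < vlen <= len(value) - 4:
                attrs["SCE-VAS-PID"] = int.from_bytes(value[6:4 + vlen], "big")
        off += alen
    return code, attrs


@dataclass
class Subscriber:
    name: str
    ip: str
    package_id: int


class SubscriberManager:
    """Internal SDB plus the two delivery modes from the slides."""

    def __init__(self, default_package: int = 0) -> None:
        self.sdb: Dict[str, Subscriber] = {}                   # Network-ID (IP) -> subscriber context
        self.sce_calls: List[Tuple[str, str, str, int]] = []   # SM-API calls pushed to the SCE
        self.default_package = default_package

    def on_radius(self, packet: bytes, push: bool = True) -> Optional[Subscriber]:
        """RADIUS LEG: translate Accounting Start / Stop into SM login / logout."""
        code, a = parse_radius(packet)
        if code != ACCOUNTING_REQUEST or "Framed-IP-Address" not in a:
            return None
        ip = str(a["Framed-IP-Address"])
        if a.get("Acct-Status-Type") == ACCT_STOP:
            old = self.sdb.pop(ip, None)
            if old and push:
                self.sce_calls.append(("logout", old.name, ip, old.package_id))
            return None
        sub = Subscriber(str(a.get("User-Name", "anonymous")), ip,
                         int(a.get("SCE-VAS-PID", self.default_package)))
        self.sdb[ip] = sub                                     # login: persist the mapping
        if push:                                               # push mode: straight to the SCE
            self.sce_calls.append(("set", sub.name, sub.ip, sub.package_id))
        return sub

    def who_is_using(self, ip: str) -> Optional[Subscriber]:
        """Pull mode: the SCE asks for the context of an IP when its first traffic arrives."""
        return self.sdb.get(ip)


# --- constructed sample packet (authenticator zeroed; a real LEG must validate it) ----
def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_acct(username: str, ip: str, package_id: int, status: int = ACCT_START, ident: int = 1) -> bytes:
    pid = struct.pack("!I", package_id)
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, VSA_SCE_VAS_PID, 2 + len(pid)) + pid
    body = (_attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_FRAMED_IP, bytes(int(x) for x in ip.split(".")))
            + _attr(ATTR_ACCT_STATUS, struct.pack("!I", status)) + _attr(ATTR_VENDOR_SPECIFIC, vsa))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body
```

In pull mode nothing reaches the SCE until traffic for an unknown IP appears, which is why the slides stress that the SM persists the mapping: the answer to "who is using 1.2.3.4" has to be available long after the accounting packet was processed.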
Radius Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM login / logout events:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing / quota provisioning issues
NetFlow v9 - allows integration for billing / quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - (API) - Subscriber Manager - (API) - Policy Server
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Figure: GGSN (access aggregation and service control), PCEF SCE, converged packet core, Internet, Video / VoIP applications and services; numbered steps 1 to 5 of the subscriber service control exchange
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd party systems: policy control, mediation, home grown customer systems
Figure: RDR stream (RDR, RDR, RDR, ...) carried over TCP to the mediation / collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
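Header-plus-fields records streamed over TCP need framing so that a collector can recover record boundaries from arbitrary segment boundaries. The following Python is an added example with a constructed record layout, not the real RDR wire format (which the page does not specify): a fixed header carries a magic value, a record tag and the body length, fields are type-prefixed, and the decoder buffers partial reads, refuses malformed lengths and detects a desynchronised stream. The field types, the magic value and the sample usage record are assumptions:

```python
import struct
from typing import Any, List, Tuple

# Constructed record layout (NOT the real Cisco RDR wire format): a 6-byte header
# [magic][tag][body length] followed by typed fields, each [type][value].
MAGIC = 0x5244
FT_U32, FT_U64, FT_STR = 1, 2, 3
MAX_BODY = 65535


def encode_rdr(tag: int, fields: List[Any]) -> bytes:
    body = bytearray()
    for f in fields:
        if isinstance(f, bool) or not isinstance(f, (int, str)):
            raise TypeError(f"unsupported field {f!r}")
        if isinstance(f, int):
            if not 0 <= f < 2 ** 64:
                raise ValueError("integer out of range")
            body += struct.pack("!BI", FT_U32, f) if f < 2 ** 32 else struct.pack("!BQ", FT_U64, f)
        else:
            raw = f.encode("utf-8")
            if len(raw) > 65535:
                raise ValueError("string too long")
            body += struct.pack("!BH", FT_STR, len(raw)) + raw
    if len(body) > MAX_BODY:
        raise ValueError("record too large")
    return struct.pack("!HHH", MAGIC, tag, len(body)) + bytes(body)


def _decode_fields(body: bytes) -> List[Any]:
    """Decode one record body; every read is bounded by the declared body length."""
    fields: List[Any] = []
    off = 0
    try:
        while off < len(body):
            ftype = body[off]
            off += 1
            if ftype == FT_U32:
                (v,) = struct.unpack("!I", body[off:off + 4])
                off += 4
            elif ftype == FT_U64:
                (v,) = struct.unpack("!Q", body[off:off + 8])
                off += 8
            elif ftype == FT_STR:
                (n,) = struct.unpack("!H", body[off:off + 2])
                off += 2
                if off + n > len(body):
                    raise ValueError("string runs past record body")
                v = body[off:off + n].decode("utf-8")
                off += n
            else:
                raise ValueError(f"unknown field type {ftype}")
            fields.append(v)
    except struct.error as e:            # a fixed-width field cut off by the body end
        raise ValueError("truncated field") from e
    return fields


class RdrStreamDecoder:
    """Reassembles records from a TCP byte stream that arrives in arbitrary chunks."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> List[Tuple[int, List[Any]]]:
        self._buf += chunk
        records: List[Tuple[int, List[Any]]] = []
        while len(self._buf) >= 6:
            magic, tag, blen = struct.unpack("!HHH", bytes(self._buf[:6]))
            if magic != MAGIC:
                raise ValueError("stream desynchronised: bad magic")   # caller must reconnect
            if len(self._buf) < 6 + blen:
                break                                  # wait for the rest of this record
            body = bytes(self._buf[6:6 + blen])
            del self._buf[:6 + blen]
            records.append((tag, _decode_fields(body)))
        return records

    @property
    def pending(self) -> int:
        return len(self._buf)
```

Bounding the body length in the header (here 16 bits) is what keeps a collector's buffer finite: a peer that announces an enormous record cannot make the decoder hold memory indefinitely, and a corrupt length surfaces as a desynchronisation error at the next header rather than as silently misparsed usage data.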
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Figure: SCE exporting RDRs to the SCMS Collection Manager (SCMS Reporter) and NetFlow v9 to a NetFlow collector (NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- per package
- per service
- per direction (i.e. upstream / downstream)
Figure: subscriber side and network side, upstream and downstream flows (browsing, P2P, VoIP)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
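As an added example for the ToS marking and ToS classification slides (not Cisco code), the Python below rewrites the DSCP field of an IPv4 header according to a (package, service, direction) rule and recomputes the header checksum while keeping the ECN bits, and classifies a packet by its DSCP before falling back to the signature result, which is the precedence rule stated above. The marking table, the flavor table and the sample packet are constructed; the DSCP values (EF 46, AF41 34, CS1 8) are standard code points:

```python
import struct
from typing import Dict, Optional, Tuple

# Standard DSCP code points used in the constructed policy (RFC 2474/2597/3246)
DSCP_EF, DSCP_AF41, DSCP_CS1, DSCP_BE = 46, 34, 8, 0

# ASSUMPTION: constructed marking table keyed (package, service, direction); "*" matches any.
MARKING_POLICY: Dict[Tuple[str, str, str], int] = {
    ("Gold", "VoIP", "*"): DSCP_EF,
    ("Gold", "Browsing", "downstream"): DSCP_AF41,
    ("*", "P2P", "*"): DSCP_CS1,
}
# ASSUMPTION: constructed ToS flavor table: incoming DSCP -> service
TOS_FLAVORS: Dict[int, str] = {DSCP_EF: "VoIP", DSCP_AF41: "Video"}


def _ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; zero over a header that includes its checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _header_len(pkt: bytes) -> int:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad IHL")
    return ihl


def get_dscp(pkt: bytes) -> int:
    _header_len(pkt)
    return pkt[1] >> 2


def lookup_mark(package: str, service: str, direction: str) -> Optional[int]:
    """Most specific rule wins; None means leave the existing marking alone."""
    for key in ((package, service, direction), (package, service, "*"), (package, "*", direction),
                ("*", service, direction), ("*", service, "*"), (package, "*", "*"), ("*", "*", "*")):
        if key in MARKING_POLICY:
            return MARKING_POLICY[key]
    return None


def mark_packet(pkt: bytes, package: str, service: str, direction: str) -> bytes:
    """Rewrite DSCP (keeping the ECN bits) and recompute the IPv4 header checksum."""
    dscp = lookup_mark(package, service, direction)
    if dscp is None:
        return pkt
    ihl = _header_len(pkt)
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", _ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def checksum_ok(pkt: bytes) -> bool:
    ihl = _header_len(pkt)
    return _ipv4_checksum(pkt[:ihl]) == 0


def classify(pkt: bytes, signature_service: str) -> str:
    """ToS classification takes precedence over the signature result when a flavor matches."""
    return TOS_FLAVORS.get(get_dscp(pkt), signature_service)


def make_ipv4(src: str, dst: str, dscp: int = 0, proto: int = 17, payload: bytes = b"") -> bytes:
    """Constructed sample packet with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0x4000, 64,
                                proto, 0, bytes(int(x) for x in src.split(".")),
                                bytes(int(x) for x in dst.split("."))))
    hdr[10:12] = struct.pack("!H", _ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

Because ToS classification trusts a field that any upstream element (or the subscriber's own host) can set, the slide's assumption that another network element set the DSCP is a trust decision: the marking should be overwritten or policed at the network edge before it is allowed to override signature-based classification.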
Summary
Cisco SCE Sample Customers
Figure: customer logos grouped by access type (Mobile, DSL, Cable)
Partners and customers by solution area
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: partners Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy; customers UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Customers shown across the first three areas: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Flash Caching / Video: partners Oversi, CDS; customers various European and Asian operators
Content Infringement: partners Audible Magic, Advestigo, Altnet; customers European legislators, content providers, initial POCs
Management / Reporting: partners Proxy, Business Objectives, Comability, Aqsacom, Info Vista; customer Telecom Italia
Data Warehousing: partners Business Objects, Oracle; customers CYTA, Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 6
Value Add to Commodity Product
Commodity Good Service Experience
Prevailing prices forvarious coffee offerings
$01ndash$02Per Cup
$05ndash$25Per Cup
$75ndash$150Per Cup
$200ndash$500Per Cup
bullGraphic BusinessWeek 2005
bullSource Pine and Gilmore The Experience Economy 1999
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 7
Application
bullIncreasing Value of Broadband CurrencyBandwidth
A Bulletin BoardBrowsing
Music Gaming File Sharing
Web 20IP TV
Whatlsquos Next1 Terabyte
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 8
Expectations Have Changed
From Mobile Data To Mobile BB
Pay per kilo-
bit plans
Mobile phone
with data
Access and SMS-
based services
Average
96kbps
Full HTML-based
browsing
Mobile
computer
On-demand video
and content
Closed OS and
browser
All-u-can eat
service plans
Broadband data
rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 9
iPhone Launch
1 million customers within 2 monthlsquos
gt40 new ATampT customers
Revenue sharing with Apple
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 10
gPhone
inside
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 11
TV on your Mobile Phone
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 12
Skype goes Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 13
Alex Day AKA Nerimon (19 years old)
Nerimon
Number 1 Most Popular
Britainlsquos Youtubers has 30000 subscribers tune into him everyday
European Operator
ldquoVideo is number 1 application that is
killing our networkrdquo
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 14
bullSource Cisco IBSG Analysis March 2006
ContentApplicationProviders
AggregatorsIntegratorsOver the Top (OTT)
NetworkBased Operators
VirtualNetworkOperators
DeviceServices
Who Will Capture the Value
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 15
OTTs Create Three Areas of Concern for SPshellip
Un-monetised Traffic Growth
ServiceSubstitution
Changing User Behaviour ndash New Sources of Revenue
Source Cisco IBSG
While remaining innovative acquisitive and highly valued
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 16
Service Control Engine (SCE) Fundamentals
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 17
DPI allows Mobile service providers to cope with the dynamic nature of the net
permits SPrsquos to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPrsquos to create new per-subscriber service offerings and other differentiated services (such as parental control advanced per-application charging and quota)
DPI empowers Mobile SPrsquos implement advanced targeted advertising schemes
Deep Packet Inspection (DPI) Critical To Managing Todayrsquos Mobile Networks
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 18
Application Architecture of the FutureSCE enables User Experience
Service Provider Network
Service Control PointFixed
Wireless
DSL
CellularWiFi MeshWiMAX
Enterprise
Cable
Gaming
Messaging
BroadbandAccess
Voice
IPTVVoD
Music
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 19
Application Awareness
Subscriber Intelligence
Real-Time Control
Service Velocity
Technology
Rapidly ProgrammableRapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection Instead of processing packets as individual events the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth ShapingBlocking Redirecting (HTTP RSTP SIP)
Subscriber State Managementwith Per-Subscriber BW Management and Quotas
Extensible Platform amp Open Architecture Based upon a flexible purpose-built platform
Modular and scalable HW accelerationEasy-to-use with open APIs for seamless OSS Integration
Carrier Class Designed for carrier-grade deployments requiring
High Performance for Multi-Gigabit and 10 Gigabit SpeedsHigh Availability amp Reliability with stateful failover
What Is the Service Control Engine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Intelligent Inspection and Control of IP Packets Classify to end-user application determine application semantics
Map to subscriber identity policy and state
Select action based on conditions - time of day congestion usage other concurrent activities
Take action and reportBlock
Redirect
Set QoS
Mark
Service Control Engine
Report
Process of Service Control
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 21
Co
st M
an
ag
em
en
tR
even
ue
Gen
era
tio
n
Traffic Anomaly Detection and DDOS Protection
Anti-X (SPAMWorms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (VoiceVideo) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control amp Content Filtering
Premium
Service
Enablement
Usage
Analysis
Content
Charging Service Control
Technology
Traffic
Optimization
Tiering amp
Access
Control
Service
Security
Service Control EngineFunctional Examples
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 22
Category
Interfaces2-GBE
(Fiber SXLX)
4-GBE
(Fiber SXLX)
2-10G 4-10G
8-GBE 16-GBE
(Fiber SXLXZX)
Mgmt Interface 2 x 101001000 Eth 2 x 101001000 Eth 2 x 101001000 Eth
Max Concurrent Unidirectional Application Flows
2M 2M16M
(Can grow up to 32M)
Max Subscriber-Contexts
200000 200000 1M
Network ConfigurationOut of Line
Inline
Out of Line
Inline
Clustering
Out of Line
Inline
Clustering
Service Control Platforms
SCE1000 SCE2000 SCE8000
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 23
SCE ProductFamily and Milestones
Capacity
(Concurrent Subscribers)
200K
Performance
5Gbps 40Gbps
SCE 1000
SCE 2000
SCE 8000
2x10 G 4x10G amp 8xGBE 16xGBE Ethernet interfaces Classification of up to 32 million concurrent
unidirectional application flows Total throughput of 15 Gbps (30+ Gbps by
end 09) Up to 1M concurrent subscribers Complete modularity - FRU AC or DC power
supplies fans cards interfaces optics
1M
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 24
3GPP Compliance
Content Filtering
Content Charging
Traffic Optimization
Usage Analysis
DPI
Industry leading Deep Packet Inspection
Rich set of IP services
3GPP Compliant
Cisco SCE In Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 25
The SCE Mobile Solution
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 26
The SCE Mobile Solution ndash 3GPP Compliance
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
PCEF
GyGx
PCRF OCFSRP
AF
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 27
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
1 SCE Appliance
to view and act
on the packets
2 Collection
Manager to
collect data
records for
Reporting amp
external DBlsquos
3 Subscriber Manager
to coordinate sub
info w AAA and
control sub-level
policies
4 Policy Manager
to control multiple
devices and
sophisticated
policies
What does an SCE solution look likeSCE sits at the access or aggregation layer
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 28
Us
ag
e A
na
lys
isS
erv
ice
Cre
ati
on
Service Control Engine DeploymentApproaches
Traffic Analysis amp Business Intelligence Implement traffic monitoring analysis and reporting Determine subscriber and application usage patterns
1
Capacity Control amp Fair-Use Policies (FUPs) Manage bandwidth-intensive applications through packet flow
optimization techniques Implement Fair Usage Policies for fair allocation of network resources
2
Revenue Generating Services Implement tiered services using volume and time-base quotas Implement Service Self Selection Implement Over-The-Top (OTT) Application Strategy and
Blended Services Implement Security Services (Anti-X Quarantine etc) Innovate other Differentiated Services such as Parental
Controls Content Filtering Turbo Buttons Allowance Based Services Prioritized App Services Pay-as-you-go Services
3
Portal
DHCP
AAA
Subs Profile
Policy
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 29
Why does a Service Provider Want From SCEProfitability
URL Blacklisting Restricting sites that are blacklisted by governments
bullURL Blacklisting
Precision Advertising
Copyright Infringement
Blocking
bullFlat Rate
bullRestricted
OTT Revenue
Share Proposition
Enhanced Tiered
Services
UsageContent
Based Billing
Fair Use Policy
Demographic Information amp Per Sub Re-direction to Ad Server
Blocking Distribution of Pirated FilmMusic
Application Intercept for Internet Content Prioritisation
Product Tiers in addition to flat rate all you can eat
All HSDPA Mobile Operators
Global Migration from Flat Rate to Usage Based
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
bull
bullStrategic
bullPart of
bullBusiness OpsbullCustomer
bullSales
bullCategory
bullRecognition
Act Measure
Decide Analyze
Compare
bullCisco
Service
Control
bullCisco
Service
Control
Transactions Information
Network Utilization
Service QoE
Data Aggregation
Data Mining
Correlation
Trend Analysis
Geographies Comparison
Histogram View
Service Offering
Marketing Review
Intersecting Set
Engineering Review
IT Review
Network Tuning
Cooperation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 32
Video
Reports
Which specific Video applications is consuming bandwidth
How do usage patterns vary by time of day
Who are the top video consumers
Focus on specific Video Application
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 33
Web
Reports
Insights into Web traffic
Top Domains
Top Hosts
Insights into
All popular Google Hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart: only ClickStream requests are retained.)

Cumulative & Average Usage Distribution
- Top 1% of subscribers => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 25 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube Movies (HD vs. normal), Yahoo SIP, Skype 4.0.0.206, Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM

Behavioral Signatures
- Finding new signatures becomes a difficult task
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (new trend of "anti-shaping")
- It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (behavioral P2P)
- Cost-effective: behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
- Time to market / zero-day response: behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions, plotted against service level and policy implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-sub limits
- Destination: on-net/peering/transit

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: a subscriber's bandwidth shared among a peer-to-peer service, web browsing, email and mobile TV, re-allocated when the user launches video.)

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies, to ensure a balanced community of subscribers
Example: two subscribers share network resources (and the network cannot fully satisfy both). If at 040 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- apply equitable distribution of network resources
- improve the Quality of Experience that the network delivers
- minimize service abuse
FairUsage works only during congestion times.
(Charts: no fairness, some subscribers not getting a fair share of the bandwidth; fair allocation of bandwidth with the SCE's FairShare.)

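The fair allocation the two slides above describe, as an added Python illustration that is not Cisco's SCE code: a weighted max-min fair split of a congested link (progressive filling) next to the naive equal split, with the usage-based weighting being an assumption about how short-term usage history could be folded in.

```python
"""Weighted max-min fair bandwidth allocation among subscribers sharing a
congested link (progressive filling). Added illustration, not Cisco SCE code;
the usage-based weighting is an assumption for the example."""

def fair_share(capacity, demands, weights=None, eps=1e-9):
    """Return {subscriber: allocated bandwidth}.
    Each round hands every still-unsatisfied subscriber the same increment
    per unit of weight until someone's demand is met or the link is full.
    Subscribers asking for less than their share keep only what they need
    and the leftover is redistributed to the others."""
    weights = weights or {s: 1.0 for s in demands}
    alloc = {s: 0.0 for s in demands}
    active = {s for s in demands if demands[s] > 0}
    remaining = float(capacity)
    while active and remaining > eps:
        total_w = sum(weights[s] for s in active)
        # increment per weight unit: the link's remaining share or the smallest
        # normalized residual demand, whichever binds first
        inc = min(remaining / total_w,
                  min((demands[s] - alloc[s]) / weights[s] for s in active))
        for s in list(active):
            give = inc * weights[s]
            alloc[s] += give
            remaining -= give
            if alloc[s] >= demands[s] - eps:
                active.discard(s)
    return alloc

def usage_weights(recent_usage, window_bytes):
    """Assumed weighting: a subscriber who consumed more of the short-term
    window gets a smaller weight, so lighter users are served first."""
    return {s: 1.0 / (1.0 + used / window_bytes) for s, used in recent_usage.items()}

def equal_split(capacity, demands):
    """Naive equal division for comparison: what light users cannot use is wasted."""
    share = capacity / len(demands)
    return {s: min(share, d) for s, d in demands.items()}

if __name__ == "__main__":
    demands = {"A": 2, "B": 8, "C": 8}                     # Mbit/s, constructed
    print("equal:", equal_split(10, demands))
    print("max-min:", fair_share(10, demands))
    print("usage-weighted:", fair_share(10, demands, usage_weights({"A": 0, "B": 1000, "C": 0}, 1000)))
```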
RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN, SGSN/GGSN, SCE, policy server, Internet.)

Tiered Services
Requirement: Flexible Billing Plans
- Volume and time: bill by bandwidth usage over an always-on service
- Volume, time, transaction and content type: bill differently for each type of application and content
- Volume, time, transaction, content type, usage pattern and quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
- Subscription

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: subscribers, Service Control Engine, network; quota manager, billing/mediation and policy server attached.)

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI.
The quota measurement rate can change during the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to Online Charging Server
(Diagram: subscriber, GGSN (access aggregation and service control), SCE (subscriber service control), converged packet core, Internet, video/VoIP applications and services.)
The Gy interface is still under development and will be available in a future release.

Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
(Diagram: SCE to Online Charging Server over Gy/Diameter; SCE to Internet.)
The Gy interface is still under development and will be available in a future release.

Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month

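The quota accounting of the "Quota Measurement Flexibility" slide (exempt services, time-of-day rates) together with the quota-exhaustion handling described for Telenet, as an added Python illustration that is not Cisco's or Telenet's code. The service names, the night window, the dial-up rate and the portal host are assumptions.

```python
"""Quota accounting with content exemptions, time-of-day rates, and the
redirect / reduced-speed handling applied once 100% of quota is reached.
Added illustration, not Cisco SCE code; constants below are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Assumed service classes exempt from quota counting (the slide lists the SP's
# content delivery store, gaming services, VoIP service and partner content).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}
NIGHT_HOURS = range(0, 6)              # assumed "middle of night" window
PORTAL_HOST = "quota.portal.example"   # placeholder self-care portal host
DIALUP_KBPS = 56                       # assumed "dial-up speed" rate limit
GB = 1_000_000_000

def quota_rate(hour):
    """Bytes of transfer per byte of quota charged, by hour of day:
    peak hour 1 byte = 1 byte of quota, middle of night 10 bytes = 1 byte."""
    return 10 if hour in NIGHT_HOURS else 1

@dataclass
class Subscriber:
    name: str
    quota_bytes: int          # allowance for the billing period
    used_bytes: int = 0       # quota consumed so far
    state: str = "normal"     # normal | quota_reached | payg | narrowband

def charge(sub, service, transferred, ts):
    """Account one transfer against the subscriber's quota; returns bytes charged.
    Exempt services cost nothing; everything else is scaled by the time-of-day
    rate. Reaching 100% of quota moves a normal subscriber to quota_reached."""
    if service in EXEMPT_SERVICES:
        return 0
    charged = transferred // quota_rate(ts.hour)
    sub.used_bytes += charged
    if sub.state == "normal" and sub.used_bytes >= sub.quota_bytes:
        sub.state = "quota_reached"
    return charged

def enforce(sub, flow):
    """Per-flow action as an (action, parameter) tuple.
    quota_reached: HTTP is redirected to the portal (which stays reachable) and
    all other traffic runs at dial-up speed until the subscriber chooses;
    narrowband: everything at dial-up speed; normal / payg: allowed."""
    if sub.state in ("normal", "payg"):
        return ("allow", None)
    if flow.get("proto") == "http" and flow.get("host") == PORTAL_HOST:
        return ("allow", None)
    if sub.state == "quota_reached" and flow.get("proto") == "http":
        return ("redirect", f"http://{PORTAL_HOST}/quota?sub={sub.name}")
    return ("rate_limit", DIALUP_KBPS)

def portal_choice(sub, choice, extension_bytes=0):
    """Apply one of the three options the redirect page offers; returns the new state."""
    if choice == "extend":           # extend subscription: buy more volume
        sub.quota_bytes += extension_bytes
        sub.state = "normal" if sub.used_bytes < sub.quota_bytes else "quota_reached"
    elif choice == "payg":           # pay as you go on broadband (billed per MB)
        sub.state = "payg"
    elif choice == "narrowband":     # continue for free on narrowband
        sub.state = "narrowband"
    else:
        raise ValueError(f"unknown portal choice {choice!r}")
    return sub.state

def usage_percent(sub):
    return 100.0 * sub.used_bytes / sub.quota_bytes

if __name__ == "__main__":
    alice = Subscriber("alice", quota_bytes=1 * GB)        # constructed subscriber
    charge(alice, "web", 600_000_000, datetime(2009, 7, 1, 20, 0))
    charge(alice, "p2p", 2_000_000_000, datetime(2009, 7, 1, 3, 0))   # night: 10:1
    charge(alice, "web", 300_000_000, datetime(2009, 7, 1, 21, 0))
    print(alice.state, enforce(alice, {"proto": "http", "host": "video.example"}))
```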
(Telenet self-care portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around.)

Redirect Page
Redirect page shown when 100% of quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.

Quota Based Services: Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction

T-Mobile: Quota-Based With Application Control
Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
(Chart: > 40)

Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": the enhanced experience is application-driven (application awareness, with a control bus to IPTV/VoD, broadband access, gaming, messaging, music and voice)

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that content distributed does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Screenshot: personalization via self selection.)

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
(Screenshot: turbo button.)

Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
(Screenshot: parental controls and content filtering.)

Example: Content Tiering, "Kids Broadband"
- Application- and content-based access control with white-lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
(Diagram: "Content Blocked, click here to unlock all Internet sites" page between the subscriber and the Internet.)

URL Filtering With External DB
- Enhance SCE URL classification with external-party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the SCE then updates its cache (cache lookup/update).
Policy per subscriber package, by HTTP list:
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps

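The cache-in-front-of-external-database lookup and the package policy table above, as an added Python illustration that is not Cisco's SCE code. The database contents, the cache TTL, the injected clock and the fail-closed handling of an unparseable URL are assumptions for the example.

```python
"""URL classification with an on-board cache in front of an external URL
database, applying the per-package policy table from the slide. Added
illustration, not Cisco SCE code; DB contents, TTL and clock are assumptions."""
import time
from urllib.parse import urlsplit

DEFAULT, LIST_1, LIST_2 = 0, 1, 2            # HTTP list IDs from the policy table

# Policy table: package -> list id -> (action, rate limit in kbps)
PACKAGE_POLICY = {
    "Block-none":     {DEFAULT: ("ALLOW", None), LIST_1: ("ALLOW", None), LIST_2: ("ALLOW", None)},
    "Block-all":      {DEFAULT: ("ALLOW", None), LIST_1: ("BLOCK", None), LIST_2: ("BLOCK", None)},
    "Block-and-slow": {DEFAULT: ("ALLOW", None), LIST_1: ("BLOCK", None), LIST_2: ("RATE", 64)},
}

class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database (constructed). Answers a URL
    query with a list id, matching the host or any of its parent domains."""
    def __init__(self, entries):
        self.entries = entries          # domain -> list id
        self.queries = 0                # external round trips actually made
    def classify(self, host):
        self.queries += 1
        labels = host.split(".")
        for i in range(len(labels)):
            cat = self.entries.get(".".join(labels[i:]))
            if cat is not None:
                return cat
        return DEFAULT

class UrlFilter:
    def __init__(self, db, ttl_seconds=300, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, ttl_seconds, clock
        self.cache = {}                 # host -> (list id, expiry time)
    def classify(self, host):
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]               # cache hit: no external transaction
        cat = self.db.classify(host)    # cache miss: URL query to the external DB
        self.cache[host] = (cat, now + self.ttl)   # cache update
        return cat
    def decide(self, package, url):
        """Return (action, rate) for one HTTP request under the subscriber's package."""
        host = (urlsplit(url).hostname or "").rstrip(".")   # hostname is lower-cased
        if not host:
            return ("BLOCK", None)      # unclassifiable request: this example fails closed
        return PACKAGE_POLICY[package][self.classify(host)]

if __name__ == "__main__":
    db = ExternalUrlDb({"adult.example": LIST_1, "games.example": LIST_2})   # constructed
    f = UrlFilter(db)
    for pkg, url in [("Block-all", "http://www.adult.example/x"),
                     ("Block-and-slow", "http://games.example/"),
                     ("Block-none", "http://games.example/")]:
        print(pkg, url, f.decide(pkg, url), "db queries so far:", db.queries)
```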
Parental Control and Content Filtering: Example
(Screenshot: content filtering, "Page Blocked: Forbidden Content Detected".)
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
The ISP sits between advertiser, publisher and consumer holding demographics, browsing habits and geo-location, and leverages its intimacy with its customer base to enable enhanced targeting (BetterAds).

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue-sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Diagram: SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT/P2P and VoIP traffic passes through; increase in demand for OTT.)

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Goal: the ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
A three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Diagram: subscriber, Service Control, Internet and email servers.) Example notification:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"

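The identify / protect / notify tiers above, as an added Python illustration that is not Cisco's SCE code: simple anomaly thresholds run over one window of constructed per-subscriber flow records, then mapped to an action by a policy table. Thresholds, the policy table, the record format and the records themselves are assumptions.

```python
"""Identify / protect / notify logic for attacks emanating from subscribers
(spam zombies, worm propagation, DoS) over constructed flow records.
Added illustration, not Cisco SCE code; thresholds and policy are assumed."""
from collections import defaultdict

def constructed_flows():
    """One observation window of (subscriber, dst_ip, dst_port, proto, packets_sent)."""
    flows = [("sub-A", "203.0.113.10", 80, "tcp", 120), ("sub-A", "203.0.113.11", 443, "tcp", 300),
             ("sub-A", "198.51.100.5", 25, "tcp", 40)]                              # normal user
    flows += [("sub-B", f"198.51.100.{i}", 25, "tcp", 6) for i in range(1, 31)]    # 30 distinct MX hosts
    flows += [("sub-C", f"192.0.2.{i}", 445, "tcp", 1) for i in range(1, 81)]       # 80 single-packet probes
    flows += [("sub-D", "203.0.113.99", 53, "udp", 9000)]                            # packet flood
    return flows

THRESHOLDS = {"spam_distinct_smtp_servers": 20,     # assumed per-window thresholds
              "worm_distinct_hosts_per_port": 50,
              "dos_packets_to_one_host": 5000}
POLICY = {"spam": "notify", "worm": "quarantine", "dos": "block"}   # assumed configured policy

def identify(flows, thresholds=THRESHOLDS):
    """Tier 1: stateful per-subscriber counters, returns (subscriber, threat, evidence)."""
    stats = defaultdict(lambda: {"smtp": set(), "probes": defaultdict(set), "to": defaultdict(int)})
    for sub, dst, dport, proto, pkts in flows:
        s = stats[sub]
        if proto == "tcp" and dport == 25:
            s["smtp"].add(dst)                  # direct-to-MX delivery spread
        if proto == "tcp" and pkts <= 2:
            s["probes"][dport].add(dst)         # too short for a real conversation: a probe
        s["to"][dst] += pkts
    findings = []
    for sub in sorted(stats):
        s = stats[sub]
        if len(s["smtp"]) >= thresholds["spam_distinct_smtp_servers"]:
            findings.append((sub, "spam", f"{len(s['smtp'])} distinct SMTP servers contacted"))
        for port, hosts in s["probes"].items():
            if len(hosts) >= thresholds["worm_distinct_hosts_per_port"]:
                findings.append((sub, "worm", f"{len(hosts)} hosts probed on tcp/{port}"))
        for dst, pkts in s["to"].items():
            if pkts >= thresholds["dos_packets_to_one_host"]:
                findings.append((sub, "dos", f"{pkts} packets sent to {dst} in the window"))
    return findings

def respond(findings, policy=POLICY):
    """Tiers 2 and 3: pick the configured action and build the ops alert and,
    where the action touches the subscriber, the subscriber notice."""
    actions = []
    for sub, threat, evidence in findings:
        action = policy[threat]
        entry = {"subscriber": sub, "threat": threat, "evidence": evidence, "action": action,
                 "ops_alert": f"[{threat.upper()}] {sub}: {evidence} -> {action}"}
        if action in ("notify", "quarantine"):
            entry["subscriber_notice"] = (f"Your connection shows signs of {threat} activity "
                                          f"({evidence}); please run a security check.")
        actions.append(entry)
    return actions

if __name__ == "__main__":
    for a in respond(identify(constructed_flows())):
        print(a["ops_alert"])
```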
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user machine
(Diagram: User 1, carrier Ethernet/MPLS/IP, SCE, Internet, with the VAS server attached to the SCE; X marks the inbound traffic that is blocked.)

Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flow
- Network redundancy
- IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
- A stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: analysis engine applying PDR (police, drop, rewrite) actions in each direction.)

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
(Diagram: optical splitters between subscribers and network feed the receive-only SCE.)

High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active-standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration
(Diagram: Master and Slave SCE, one on each active link.)

Redundant Configurations: Active/Standby Schemes
1+0:
- Active/standby SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1:
- Active/standby SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass config: fail open
(Diagram: active link and standby link for each scheme.)

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases: in case of a major failure in the SCE SW or HW; manually via CLI; on boot
(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) and non-default bypass state.)

MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240Gbps with 8 30Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
(Diagram: 7600 dispatching flows to N+1 SCEs and receiving the return flows; Internet.)

Network Architectures: SCE's Open & Extensible Architecture
(Diagram: SCEs in N+1, 1+1 HA and bypass HA configurations behind the GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), with accounting/policy control, toward the Internet.)

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
(Diagram of example encapsulation stacks, outer to inner: mpls / l2tp / IP / TCP / payload; ppp / IP / TCP / payload.)

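What "seeing tunneled IP traffic" costs a DPI engine, as an added Python illustration that is not Cisco's SCE code: a decapsulation walk from the Ethernet frame through 802.1Q/QinQ tags, an MPLS label stack, IP-in-IP and GRE down to the innermost IPv4 header and transport ports. L2TP/PPP and GTP are not handled, and the sample frame is constructed.

```python
"""Walk the encapsulation stack of an Ethernet frame (802.1Q/QinQ, MPLS label
stack, IP-in-IP, GRE) down to the innermost IPv4 header. Added illustration,
not Cisco SCE code; L2TP/PPP and GTP are out of scope, sample frame constructed."""
import struct
from ipaddress import IPv4Address

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47

def parse_frame(frame, max_tunnels=4):
    """Return (layers, inner): layers lists the encapsulations found, outer to
    inner; inner describes the innermost IPv4 packet (addresses, protocol, ports)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    layers = []
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype in (ETH_VLAN, ETH_QINQ):          # one or more VLAN tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        layers.append(("vlan", tci & 0x0FFF))
        off += 4
    if ethertype == ETH_MPLS:                         # label stack ends at the S bit
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            layers.append(("mpls", entry >> 12))
            off += 4
            if entry & 0x100:
                break
        if frame[off] >> 4 != 4:                      # no ethertype after MPLS: sniff the version
            raise ValueError("non-IPv4 payload after MPLS stack")
    elif ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    return layers, _parse_ipv4(frame, off, layers, max_tunnels)

def _parse_ipv4(buf, off, layers, budget):
    if budget < 0:
        raise ValueError("too many nested tunnels")
    if len(buf) < off + 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[off:off + 20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    nxt = off + (vihl & 0x0F) * 4
    if proto == IPPROTO_IPIP:                         # IP-in-IP: inner header follows directly
        layers.append(("ipip", None))
        return _parse_ipv4(buf, nxt, layers, budget - 1)
    if proto == IPPROTO_GRE:                          # GRE: 4-byte base plus optional C/K/S words
        flags, ptype = struct.unpack("!HH", buf[nxt:nxt + 4])
        hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if ptype != ETH_IPV4:
            raise ValueError("unsupported GRE payload")
        layers.append(("gre", None))
        return _parse_ipv4(buf, nxt + hdr, layers, budget - 1)
    inner = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(buf) >= nxt + 4:
        inner["sport"], inner["dport"] = struct.unpack("!HH", buf[nxt:nxt + 4])
    return inner

# Constructed sample: VLAN 42 / MPLS 100,200 / IP-in-IP / GRE (with key) / TCP to port 80
def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def sample_frame():
    tcp = struct.pack("!HH", 40000, 80) + bytes(16)                          # minimal TCP header
    inner = ipv4_header("10.1.1.5", "93.184.216.34", IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0x2000, ETH_IPV4) + struct.pack("!I", 0xDEADBEEF)   # K flag + key
    mid = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_GRE, len(gre) + len(inner)) + gre + inner
    outer = ipv4_header("192.0.2.1", "198.51.100.2", IPPROTO_IPIP, len(mid)) + mid
    mpls = struct.pack("!I", (100 << 12) | 64) + struct.pack("!I", (200 << 12) | 0x100 | 64)
    eth = bytes.fromhex("ffffffffffff001122334455") + struct.pack("!HHH", ETH_VLAN, 42, ETH_MPLS)
    return eth + mpls + outer

if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```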
Management and Integration
What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
A modular solution that includes SCE devices, management tools and integration APIs.
(Diagram: subscribers, Service Control Engine, network; Subscriber Manager with AAA, DHCP, RADIUS and billing; Reporting Tool, Engage Console and Service Portal; Collection Manager; policy server/portal.)

Management and Integrations
Function | Description | Protocols and tools | External software modules
Network management | FCAPS | SNMP, CLI, SSH | NA
Policy/service configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager

Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

Management: Network Navigator, a Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems.

Subscriber Manager: Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull mode: push, login messages are sent directly to the relevant SCE device; pull, the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration: Push
1. B-RAS to RADIUS server: ACCT Start (Username=Joe, Framed-IP-Address=1.2.3.4)
2. RADIUS relay to the Cisco Subscriber Manager: ACCT Start (Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12)
3. SM (internal SDB, event manager, SCE device controller) to the SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager RADIUS Integration: Pull
1. B-RAS to RADIUS server: ACCT Start (Username=Joe, Framed-IP-Address=1.2.3.4)
2. RADIUS relay to the Cisco Subscriber Manager: ACCT Start (Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12); the SM stores the mapping in its internal SDB
3. The SCE, on seeing traffic from Joe (IP 1.2.3.4), queries the SM: who is using IP 1.2.3.4?
4. SM to SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)

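The push and pull exchanges on the two slides above, as an added Python illustration that is not Cisco's Subscriber Manager code: a minimal RADIUS LEG that decodes an Accounting-Request (RFC 2865/2866 attribute layout), derives the "Set Subscriber" call and answers a "who is using IP" query. The packet bytes are constructed, and the SCE-VAS-PID VSA is assumed to be carried under Cisco's IANA vendor ID 9 with vendor-type 1 and a decimal string value.

```python
"""Decode a RADIUS Accounting-Request the way a RADIUS LEG does, derive the
SM-API "Set Subscriber" call (push) and serve "who is using IP" queries (pull).
Added illustration, not Cisco SM code; the VSA encoding is an assumption."""
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4                       # RFC 2866 packet code
ATTR_USER_NAME, ATTR_FRAMED_IP = 1, 8        # RFC 2865 attribute types
ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS = 26, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9                             # IANA enterprise number for Cisco
VSA_SCE_VAS_PID = 1                          # assumed vendor-type for SCE-VAS-PID

def attr(atype, value):
    """Encode one type-length-value attribute (length covers the 2-byte head)."""
    return bytes([atype, 2 + len(value)]) + value

def parse_attributes(data):
    """Split a TLV run into (type, value) pairs, rejecting malformed lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out

def build_acct_request(ident, username, ip, status, package_id=None):
    """Constructed Accounting-Request. The 16-byte Request Authenticator is
    zeroed here; a real LEG must verify it against the shared secret."""
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_FRAMED_IP, IPv4Address(ip).packed)
    attrs += attr(ATTR_ACCT_STATUS, struct.pack("!I", status))
    if package_id is not None:               # the relay adds SCE-VAS-PID before the SM sees it
        vsa = struct.pack("!I", VENDOR_CISCO) + attr(VSA_SCE_VAS_PID, str(package_id).encode())
        attrs += attr(ATTR_VENDOR_SPECIFIC, vsa)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_acct_request(packet):
    """Return the fields a LEG needs: username, ip, status, package_id."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    fields = {}
    for atype, value in parse_attributes(packet[20:length]):
        if atype == ATTR_USER_NAME:
            fields["username"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            fields["ip"] = str(IPv4Address(value))
        elif atype == ATTR_ACCT_STATUS and len(value) == 4:
            fields["status"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            if struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
                for vtype, vvalue in parse_attributes(value[4:]):
                    if vtype == VSA_SCE_VAS_PID:
                        fields["package_id"] = int(vvalue.decode())
    return fields

def is_well_formed(packet):
    try:
        parse_acct_request(packet)
        return True
    except (ValueError, struct.error):
        return False

class SubscriberManager:
    """Minimal SM: internal subscriber DB plus the two integration modes."""
    def __init__(self):
        self.by_ip = {}      # network-id (IP) -> (subscriber-id, policy-id)
        self.pushed = []     # SM-API calls sent to the SCE in push mode
    def handle_radius(self, packet):
        f = parse_acct_request(packet)
        if f.get("status") == ACCT_START:
            self.by_ip[f["ip"]] = (f["username"], f.get("package_id"))
            call = ("Set Subscriber", f["username"], f["ip"], f.get("package_id"))
            self.pushed.append(call)           # push: the login goes straight to the SCE
            return call
        if f.get("status") == ACCT_STOP:
            self.by_ip.pop(f["ip"], None)
            return ("Remove Subscriber", f["username"], f["ip"])
        return None
    def who_is_using(self, ip):
        """Pull mode: the SCE asks which subscriber context owns this IP."""
        entry = self.by_ip.get(ip)
        return None if entry is None else ("Set Subscriber", entry[0], ip, entry[1])

if __name__ == "__main__":
    sm = SubscriberManager()
    print(sm.handle_radius(build_acct_request(7, "Joe", "1.2.3.4", ACCT_START, package_id=12)))
    print(sm.who_is_using("1.2.3.4"))
```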
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate the protocol events into SM operations:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing/quota provisioning issues
- NetFlow v9: allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: policy server, API, Subscriber Manager, API, SCE.)

PCEF: Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server. Communication with the PCRF is through a standard Gx interface.
(Diagram: subscriber, GGSN (access aggregation and service control), SCE as PCEF (subscriber service control), converged packet core, Internet, video/VoIP applications and services.)
The Gx interface is still under development and will be available in a future release.

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow Collector.
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database.
Configurable data granularity: interval between RDRs, sample rates.
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR Protocol: TCP, binary encoded; support for multiple destinations, failover and subscriptions.
RDR Protocol integrated directly into third-party systems: policy control, mediation, home-grown customer platforms.
Diagram: SCE sends the RDR stream over TCP to the Mediation/Collection Platform; the stream is a sequence of RDRs, each consisting of a Header followed by Field 0, Field 1, ..., Field n.
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records.
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; SCE supports the new extensions.
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR).
Format supported by various NetFlow collectors, including Cisco NFC 6.0.
Diagram: SCE to SCMS Collection Manager to SCMS Reporter; SCE to NetFlow Collector to NetFlow Reporter.
Collection Manager: Software Overview
CM-Software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates).
CM-Bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates).
ToS Marking
ToS marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selective DSCP values.
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
– per Package
– per Service
– per Direction (i.e. Upstream / Downstream)
Diagram: Subscriber Side and Network Side with upstream flows and downstream flows for Browsing, P2P and VoIP.
ToS Classification
SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network.
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.
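How the ToS marking and ToS classification slides fit together, as an added example (not Cisco's code): DSCP-based "flavor" classification is tried first, signature matching is the fallback, and the classified flow is then marked per package, service and direction with one of 7 selective DSCP values. The flavor table, the 7 DSCP values, the package names, the marking rules and the toy payload signatures are constructed; the trusted-ingress check is added because the slide's assumption that another network element set the bits does not hold for subscriber-originated packets.

```python
"""Added example (not Cisco's code) showing how the two ToS features on these
slides combine: DSCP-based ('flavor') classification is tried first, signature
matching is the fallback, then the classified flow is marked per package,
service and direction with one of 7 selective DSCP values.

Constructed for the example: the flavor table, the 7 DSCP values, the package
names, the marking rules and the toy payload 'signatures'."""
from enum import Enum


class Direction(Enum):
    UPSTREAM = "upstream"
    DOWNSTREAM = "downstream"


# Flavor table: DSCP set by another network element -> service.
# Constructed: EF (46) = VoIP, AF41 (34) = video, CS1 (8) = bulk.
DSCP_FLAVORS = {46: "voip", 34: "video", 8: "bulk"}

# Toy stand-ins for the SCE's stateful L7 signatures (payload prefixes).
SIGNATURES = (("INVITE sip:", "voip"), ("GET ", "browsing"),
              ("\x13BitTorrent", "p2p"))

# The 7 selective DSCP values the GUI exposes for marking (constructed set).
SELECTIVE_DSCP = (0, 8, 10, 18, 26, 34, 46)

# Marking rules keyed by (package, service, direction) -> DSCP (constructed).
MARKING_RULES = {
    ("gold", "voip", Direction.UPSTREAM): 46,
    ("gold", "voip", Direction.DOWNSTREAM): 46,
    ("gold", "browsing", Direction.DOWNSTREAM): 18,
    ("bronze", "p2p", Direction.UPSTREAM): 8,
    ("bronze", "p2p", Direction.DOWNSTREAM): 8,
}


def dscp_of(tos: int) -> int:
    return tos >> 2          # DSCP is the upper 6 bits of the ToS byte


def classify(pkt: dict, trusted_ingress: bool) -> tuple:
    """Return (service, method). The flavor lookup takes precedence over
    signatures, as the slide states, but only when the packet came from an
    interface whose DSCP values are trusted: the slide's assumption that
    'another element' set the bits does not hold for subscriber-originated
    packets, which could carry any DSCP."""
    if trusted_ingress and dscp_of(pkt["tos"]) in DSCP_FLAVORS:
        return DSCP_FLAVORS[dscp_of(pkt["tos"])], "flavor"
    for prefix, service in SIGNATURES:
        if pkt["payload"].startswith(prefix):
            return service, "signature"
    return "default", "none"


def mark(pkt: dict, package: str, service: str, direction: Direction) -> dict:
    """Rewrite the DSCP per package/service/direction, keeping the ECN bits."""
    dscp = MARKING_RULES.get((package, service, direction))
    if dscp is None:
        return pkt                      # no rule: ToS byte left untouched
    if dscp not in SELECTIVE_DSCP:
        raise ValueError(f"DSCP {dscp} is not one of the selective values")
    ecn = pkt["tos"] & 0x03
    return {**pkt, "tos": (dscp << 2) | ecn}


def process(pkt: dict, package: str, direction: Direction,
            trusted_ingress: bool) -> tuple:
    """One pass of classify-then-mark; returns (service, method, new ToS)."""
    service, method = classify(pkt, trusted_ingress)
    return service, method, mark(pkt, package, service, direction)["tos"]


if __name__ == "__main__":
    # Constructed packet: a ToS byte (EF with ECN bit set) and payload bytes.
    print(process({"tos": (46 << 2) | 1, "payload": "..."}, "gold",
                  Direction.UPSTREAM, trusted_ingress=True))
```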
Summary
Cisco SCE Sample Customers
Customer logos grouped by access type: Mobile, DSL, Cable
Sample Customers and Partners by Use Case
Security & Content Filtering | Policy & Billing | URL Black-listing | Advertising
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Partners: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, Local China, Local Italy
Flash Caching/Video | Content Infringement | Management/Reporting | Data Warehousing
Partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Expectations Have Changed
From Mobile Data: pay-per-kilobit plans; mobile phone with data; access and SMS-based services; average 9.6 kbps; closed OS and browser
To Mobile BB: full HTML-based browsing; mobile computer; on-demand video and content; all-you-can-eat service plans; broadband data rates
iPhone Launch
1 million customers within 2 months
>40% new AT&T customers
Revenue sharing with Apple

gPhone inside

TV on your Mobile Phone

Skype goes Mobile

Alex Day AKA Nerimon (19 years old)
Number 1 most popular of Britain's YouTubers; 30,000 subscribers tune into him every day
European Operator: "Video is the number 1 application that is killing our network"
Who Will Capture the Value?
Source: Cisco IBSG Analysis, March 2006
Content/Application Providers; Aggregators/Integrators/Over the Top (OTT); Network-Based Operators; Virtual Network Operators; Device/Services

OTTs Create Three Areas of Concern for SPs...
Un-monetised traffic growth
Service substitution
Changing user behaviour: new sources of revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG

Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical to Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net: it permits SPs to classify all IP applications and provides subscriber awareness to manage traffic streams based on individual subscriber state and policy.
DPI provides usage analysis and reporting.
DPI enables mobile SPs to implement capacity management and fair-use policies: to gain visibility into network activities, to optimize network bandwidth and improve network performance, and to guarantee a consistent QoE over RAN and backhaul.
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota).
DPI empowers mobile SPs to implement advanced targeted advertising schemes.
Application Architecture of the Future: SCE Enables User Experience
Diagram: a Service Control Point in the Service Provider Network between the access networks (Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable) and the applications (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music).
What Is the Service Control Engine?
Application Awareness; Subscriber Intelligence; Real-Time Control; Service Velocity
Technology:
Rapidly Programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with per-subscriber BW management and quotas
Extensible Platform & Open Architecture: based upon a flexible, purpose-built platform; modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
Carrier Class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 Gigabit speeds, and high availability and reliability with stateful failover
Process of Service Control
Intelligent inspection and control of IP packets:
Classify to end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions: time of day, congestion, usage, other concurrent activities
Take action and report: Block, Redirect, Set QoS, Mark, Report
Service Control Engine: Functional Examples
Functional areas, from cost management to revenue generation: Service Security; Traffic Optimization; Usage Analysis; Tiering & Access Control; Premium Service Enablement; Content Charging
Examples:
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam, Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS Assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume- and Time-Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume- and Time-Based Billing Services
Parental Control & Content Filtering
Service Control Platforms
Category | SCE1000 | SCE2000 | SCE8000
Interfaces | 2-GBE (Fiber SX/LX) | 4-GBE (Fiber SX/LX) | 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX)
Mgmt Interface | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth
Max Concurrent Unidirectional Application Flows | 2M | 2M | 16M (can grow up to 32M)
Max Subscriber-Contexts | 200,000 | 200,000 | 1M
Network Configuration | Out of Line, Inline | Out of Line, Inline, Clustering | Out of Line, Inline, Clustering
SCE Product Family and Milestones
Capacity (concurrent subscribers): from 200K (SCE 1000, SCE 2000) to 1M (SCE 8000); performance: from 5 Gbps to 40 Gbps.
SCE 8000: 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of '09); up to 1M concurrent subscribers; complete modularity: FRU AC or DC power supplies, fans, cards, interfaces, optics.
Cisco SCE In Mobile
3GPP Compliance; Content Filtering; Content Charging; Traffic Optimization; Usage Analysis; DPI
Industry-leading Deep Packet Inspection
Rich set of IP services
3GPP compliant

The SCE Mobile Solution
Diagram: SGSN/GGSN and SCE between the Core and the Internet, with AAA (RADIUS), Policy Server, Portal/Applications, and Billing & Charging attached.

The SCE Mobile Solution: 3GPP Compliance
Same diagram with the 3GPP roles added: the SCE is the PCEF, the Policy Server the PCRF (Gx), Billing & Charging the OCF/SRP (Gy), and Portal/Applications the AF.
What Does an SCE Solution Look Like? SCE sits at the access or aggregation layer
Components (diagram): Subscriber Manager; AAA (DHCP, RADIUS, Billing); Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal; Service Control Engine between Subscribers and Network.
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches (from usage analysis to service creation)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns.
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources.
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement Service Self Selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized app services and pay-as-you-go services.
Diagram: Portal, DHCP, AAA, Subscriber Profile, Policy.
What Does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber re-direction to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content-Based Billing: global migration from flat rate to usage based
Fair Use Policy: all HSDPA mobile operators
Diagram axes: Flat Rate, Restricted
Traffic Analysis and Business Intelligence

Business Intelligence Cycle
Cycle: Measure, Analyze, Compare, Decide, Act (Cisco Service Control provides the measurement data and enforces the resulting actions).
Diagram elements: Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Service Offering; Marketing Review; Intersecting Set; Engineering Review; IT Review; Network Tuning; Cooperation; Strategic; Part of Business Ops; Customer; Sales; Category Recognition.
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application.

Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
Chart: all HTTP requests vs. only ClickStream.
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only.
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May '09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies, HD vs. Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug '09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge.
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P).
Cost-Effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application.
Time To Market / Zero-Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures.
Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions (service level): Application (sessions or bandwidth); Time-based (peak/off-peak hours); Congestion (selective prioritization); Subscriber (per-sub limits); Destination (on-net/peering/transit)
Policy implementation impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Diagram: a subscriber's bandwidth is first shared between a peer-to-peer service and web browsing, then also with email; when the user launches video, the allocation is re-divided among mobile TV, the peer-to-peer service and web browsing.
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers.
Example: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
– apply equitable distribution of network resources
– improve the Quality of Experience that the network delivers
– minimize service abuse
FairUsage works only during congestion times.
Diagram: no fairness (some subscribers not getting a fair share of the BW) vs. fair allocation of BW with the SCE's FairShare.
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing:
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN, SGSN/GGSN, SCE and Policy Server on the GPRS path to the Internet.
Tiered Services

Requirement: Flexible Billing Plans
Volume, Time: bill by bandwidth usage over an always-on service
Time, Volume, Transaction, Content Type: bill differently for each type of application and content
Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Subscription and Time as further billing dimensions
Allowance- or Quota-Based Services: Buy Time or Bandwidth as Needed
Allowance-Based Subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Subscribers, Service Control Engine, Network; Quota Manager, Billing/Mediation, Policy Server.
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting: the SP's content delivery store (P2P technology can also be supported in the upload direction via DPI); the SP's gaming services; the SP's VoIP service; partnership content delivery services.
The quota measurement rate can change by time of day: at peak hour, 1 byte of transfer = 1 byte of quota; in the middle of the night, 10 bytes of transfer = 1 byte of quota.
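The two flexibility rules above in working form, as an added example (not Cisco's code): a quota meter that exempts services with non-access revenue and charges at a time-of-day dependent rate. The service names in the exempt set, the night window (00:00-06:00), the allowance and the usage records are constructed; the 1:1 and 10:1 ratios are the slide's.

```python
"""Added example (not Cisco's code): a quota meter implementing the two
flexibility rules on this slide, exemption of services with non-access
revenue and a quota rate that depends on time of day (1 byte = 1 byte of
quota at peak, 10 bytes = 1 byte of quota in the middle of the night).

Constructed for the example: the service names in the exempt set, the
night window (00:00-06:00), the allowance and the usage records."""
from datetime import datetime
from fractions import Fraction

# Services whose revenue is not access revenue; their usage is not
# quota-counted in either direction (the slide notes P2P-based delivery can
# be exempted in the upload direction too).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_rate(ts: datetime) -> int:
    """Bytes of transfer that consume one byte of quota at time ts."""
    return 10 if 0 <= ts.hour < 6 else 1


class QuotaMeter:
    def __init__(self, allowance_bytes: int) -> None:
        self.allowance = allowance_bytes
        # Exact arithmetic: a 10:1 rate must not round in anyone's favour.
        self.charged = Fraction(0)
        self.exempt_bytes = 0

    def account(self, service: str, nbytes: int, ts: datetime) -> Fraction:
        """Charge one usage record; returns the quota it consumed."""
        if nbytes < 0:
            raise ValueError("byte counts cannot be negative")
        if service in EXEMPT_SERVICES:
            self.exempt_bytes += nbytes
            return Fraction(0)
        cost = Fraction(nbytes, quota_rate(ts))
        self.charged += cost
        return cost

    def remaining(self) -> Fraction:
        return max(Fraction(0), self.allowance - self.charged)

    def exhausted(self) -> bool:
        return self.charged >= self.allowance


def demo():
    """Constructed usage records: (service, bytes, timestamp)."""
    records = [
        ("browsing", 600, datetime(2009, 7, 1, 14, 0)),   # peak: 1:1
        ("sp-voip", 900, datetime(2009, 7, 1, 15, 0)),    # exempt
        ("p2p", 2000, datetime(2009, 7, 2, 3, 0)),        # night: 10:1
    ]
    meter = QuotaMeter(allowance_bytes=1000)
    costs = [meter.account(*r) for r in records]
    before = (meter.charged, meter.remaining(), meter.exhausted())
    meter.account("p2p", 3000, datetime(2009, 7, 2, 4, 0))  # +300: over quota
    return costs, before, meter.exhausted(), meter.exempt_bytes


if __name__ == "__main__":
    print(demo())
```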
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
Diagram: GGSN; Access Aggregation and Service Control (SCE); Converged Packet Core; Internet; Subscriber Service Control; Video/VoIP Applications and Services.
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter: the SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event-driven
High availability and load balancing between Online Charging Servers
Diagram: SCE and Online Charging Server connected by Gy over Diameter; SCE on the path to the Internet.
The Gy interface is still under development and will be available in a future release.
Quota-Based Tiering: Telenet, Cable Company in Belgium
Source: http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements speed as a tiering parameter.
When a user reaches the quota, his Internet service is reduced to dial-up speed.
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month.
15% of the customers upgrade their quota every month.

Subscriber portal (screenshot): view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around.

Redirect Page
Redirect page in case 100% of the quota is reached; three options are presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband.

Quota-Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase.
40% reduction in service support calls relating to this service: increased customer service satisfaction.
T-Mobile: Quota-Based With Application Control
Plan | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | (not shown)
VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile.
Business issue: Skype taking mobile minutes away.
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN.
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype.

European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
> 40

Advanced Services
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self Provisioned
Quota Management; Turbo (Bandwidth on Demand); Application Prioritization; Reporting/Monitoring

Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example: Content Tiering, "Kids Broadband"
Application- and content-based access control with white-lists/blacklists:
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content provider partnership
Portal screenshot: "Content Blocked. Click here to unlock all Internet sites."
URL Filtering With External DB
Enhance SCE URL classification with external party databases:
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
Diagram (on-device URL filtering with external database integration): for a URL not in the cache, the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the on-board cache is then updated (cache lookup/update).
Policy table: Subscriber Package vs. HTTP list
Subscriber Package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
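The cache-in-front-of-external-DB flow and the policy table above, as an added example (not Cisco's code). The policy table values are the slide's; the external database contents, the cache TTL, the URLs and the fail-closed handling when the external database is unreachable are constructed, since the slide does not say what happens in that case.

```python
"""Added example (not Cisco's code): an on-device classification cache in
front of an external URL database, and the package-by-list policy table from
this slide applied to the result.

The policy table values are the slide's. Constructed for the example: the
external database contents, the cache TTL, the URLs, and the fail-closed
handling when the external database cannot be reached (the slide does not
say what the SCE does in that case)."""
from urllib.parse import urlsplit

DEFAULT, LIST_1, LIST_2 = "DEFAULT", 1, 2

# Subscriber package -> {HTTP list -> action}, exactly as on the slide.
POLICY = {
    "Block-none":     {DEFAULT: "ALLOW", LIST_1: "ALLOW", LIST_2: "ALLOW"},
    "Block-all":      {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "BLOCK"},
    "Block-and-slow": {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database that answers URL Query RDRs."""
    def __init__(self, table: dict, available: bool = True) -> None:
        self.table, self.available, self.queries = table, available, 0

    def classify(self, host: str):
        if not self.available:
            raise ConnectionError("URL database unreachable")
        self.queries += 1
        return self.table.get(host, DEFAULT)


class UrlFilter:
    def __init__(self, db: ExternalUrlDb, ttl: float = 300.0,
                 fail_closed: bool = True) -> None:
        self.db, self.ttl, self.fail_closed = db, ttl, fail_closed
        self._cache: dict = {}          # host -> (list id, expiry time)

    @staticmethod
    def host_of(url: str) -> str:
        # Normalise before lookup so "SLOW.example:8080" and "slow.example"
        # hit the same cache entry and the same list.
        return (urlsplit(url).hostname or "").lower()

    def list_for(self, url: str, now: float):
        host = self.host_of(url)
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]                          # served from the cache
        try:
            list_id = self.db.classify(host)       # URL Query RDR
        except ConnectionError:
            # Outage: List 1 carries the strictest actions in the table, so
            # fail-closed means treating the unknown URL as a List 1 entry.
            return LIST_1 if self.fail_closed else DEFAULT
        self._cache[host] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package: str, url: str, now: float) -> str:
        return POLICY[package][self.list_for(url, now)]


def demo():
    db = ExternalUrlDb({"bad.example": LIST_1, "slow.example": LIST_2})
    f = UrlFilter(db, ttl=300)
    results = {
        "slow-bad": f.decide("Block-and-slow", "http://bad.example/a", now=0),
        "slow-slow": f.decide("Block-and-slow", "http://SLOW.example:8080/b", now=1),
        "slow-ok": f.decide("Block-and-slow", "http://ok.example/", now=2),
        "none-bad": f.decide("Block-none", "http://bad.example/c", now=3),
        "all-slow": f.decide("Block-all", "https://slow.example/d", now=4),
    }
    queries_before_expiry = db.queries        # 3 distinct hosts, 5 decisions
    f.decide("Block-all", "http://bad.example/e", now=400)   # TTL has passed
    db.available = False
    outage = f.decide("Block-all", "http://new.example/", now=401)
    return results, queries_before_expiry, db.queries, outage


if __name__ == "__main__":
    print(demo())
```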
Parental Control and Content Filtering: Example
Content Filtering (screenshot: "Page Blocked: Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Advertiser, Publisher, Consumer; the ISP contributes demographics, browsing habits and geo-location to BetterAds
Leveraging their intimacy with their customer base for enabling enhanced targeting
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring - sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
   Alice: automotive, stock trading, PDAs
   Bob: cookware, online gaming, baby outfit...
P2P Identification: Infringing / Non-Infringing
[Diagram: Subscriber Network - SCE - HASH DB]
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification: lets request pass for legal file; blocks, redirects or rate-limits infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material
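The four-step hash lookup above, written out as an added Python example (not Cisco SCE code). The hash database, the request format, the content-store URL and the policy vocabulary ("block", "redirect", "rate-limit:<rate>") are constructed assumptions; the one point the slide leaves open, a hash the database has never seen, is treated as non-infringing but still recorded.

```python
import re

# Constructed stand-in for the external HASH DB: file hash -> classification.
HASH_DB = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c": "infringing",
    "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334": "legal",
}
HASH_RE = re.compile(r"\b([0-9a-f]{40}|[0-9a-f]{32})\b", re.I)   # SHA-1 or MD5 hex (assumed)
CONTENT_STORE = "http://store.example/buy?hash="                 # assumed SP content-store URL


def extract_hash(request):
    """Step 2: pull the file hash out of a (constructed) P2P request line."""
    m = HASH_RE.search(request)
    return m.group(1).lower() if m else None


def classify(request, db=HASH_DB):
    """Step 3: consult the DB. A hash the DB does not know is "unknown"; the policy
    below lets it pass like a legal file but keeps it in the report."""
    h = extract_hash(request)
    return h, (db.get(h, "unknown") if h else "unclassifiable")


def act(request, policy, db=HASH_DB):
    """Step 4: apply the SP's policy to infringing files; everything else passes."""
    h, cls = classify(request, db)
    record = {"hash": h, "classification": cls}
    if cls != "infringing":
        return {"action": "pass", **record}
    if policy == "block":
        return {"action": "block", **record}
    if policy == "redirect":          # up-sell a legal copy from the SP's content store
        return {"action": "redirect", "location": CONTENT_STORE + h, **record}
    if policy.startswith("rate-limit:"):
        return {"action": "rate-limit", "rate": policy.split(":", 1)[1], **record}
    raise ValueError(f"unknown policy {policy!r}")


def report(decisions):
    """Reporting per the SP's policy: the infringing requests and what was done with them."""
    return [d for d in decisions if d["classification"] == "infringing"]
```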
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE in the path between subscribers (OTT, other OTT/P2P and VoIP traffic) and the Internet, with an OTT Video Cache: SCE redirects OTT traffic, cache delivers requested files]
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: threat using stateful traffic processing, and alert SP operations
Protect: block/mitigate threat based on configured policy
Notify: quarantine subscriber and notify of security risk
[Diagram: Service Control between subscribers, email servers and the Internet; sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]
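The identify / protect / notify tiers above, run over one window of constructed per-subscriber flow records, as an added Python example (not Cisco SCE code). The window length, the thresholds for the three threat classes, the blocking rules and the per-class policy are assumptions for this example; the deck does not publish Cisco's values.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 60                       # assumed analysis window for one batch of flow records

# Assumed identification thresholds per window; the deck does not publish Cisco's values.
THRESHOLDS = {"spam_mail_servers": 20, "scan_targets": 50, "dos_pps": 5000}

# Assumed SP policy per threat class: "alert" only, "block", or "quarantine" (block + notify).
POLICY = {"spam": "quarantine", "worm": "block", "dos": "block"}
BLOCK_RULES = {"spam": "drop outbound tcp/25", "worm": "drop outbound syn-only bursts",
               "dos": "drop flows to the attacked destination"}


def identify(flows, thresholds=THRESHOLDS):
    """Tier 1: per-subscriber stateful aggregation of one window of flow records.
    Returns {subscriber: [threat class, ...]} for subscribers crossing a threshold."""
    smtp_peers = defaultdict(set)                          # sub -> distinct mail servers contacted
    syn_only = defaultdict(lambda: defaultdict(set))       # sub -> (proto, dport) -> destinations
    packets_to = defaultdict(Counter)                      # sub -> destination -> packets
    for f in flows:
        sub = f["subscriber"]
        if f["proto"] == "tcp" and f["dport"] == 25:
            smtp_peers[sub].add(f["dst"])
        if f.get("syn_only"):                              # connection attempts that never completed
            syn_only[sub][(f["proto"], f["dport"])].add(f["dst"])
        packets_to[sub][f["dst"]] += f["packets"]
    findings = {}
    for sub in packets_to:
        threats = []
        if len(smtp_peers[sub]) >= thresholds["spam_mail_servers"]:
            threats.append("spam")
        if any(len(d) >= thresholds["scan_targets"] for d in syn_only[sub].values()):
            threats.append("worm")
        if max(packets_to[sub].values()) / WINDOW_SECONDS >= thresholds["dos_pps"]:
            threats.append("dos")
        if threats:
            findings[sub] = threats
    return findings


def respond(findings, policy=POLICY):
    """Tiers 2 and 3: blocking rules plus the quarantine/notify decision per subscriber."""
    actions = {}
    for sub, threats in findings.items():
        plan = {"alert": list(threats), "block": [], "notify": False}
        for t in threats:
            mode = policy.get(t, "alert")
            if mode in ("block", "quarantine"):
                plan["block"].append(BLOCK_RULES[t])
            if mode == "quarantine":
                plan["notify"] = True                      # redirect to the portal advisory
        actions[sub] = plan
    return actions


def sample_flows():
    """Constructed one-minute window: a spam zombie, a worm scanner, a flooder, a normal user."""
    flows = [{"subscriber": "sub-zombie", "dst": f"198.51.100.{i}", "proto": "tcp", "dport": 25,
              "packets": 12} for i in range(25)]
    flows += [{"subscriber": "sub-worm", "dst": f"203.0.113.{i}", "proto": "tcp", "dport": 445,
               "packets": 1, "syn_only": True} for i in range(60)]
    flows.append({"subscriber": "sub-flood", "dst": "192.0.2.50", "proto": "udp", "dport": 53,
                  "packets": 600000})
    flows.append({"subscriber": "sub-normal", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
                  "packets": 40})
    flows.append({"subscriber": "sub-normal", "dst": "192.0.2.20", "proto": "tcp", "dport": 25,
                  "packets": 6})
    return flows
```

The normal user also talks to a mail server, which is why the spam rule counts distinct SMTP peers rather than SMTP flows: a legitimate client talks to one or two servers, a zombie to dozens.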
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - VAS Server - Internet; inbound and outbound traffic, X marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after subscriber-aggregator (B-RAS/CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
[Diagram: Analysis Engine applying PDR (Police / Drop / Rewrite) actions on the packet path]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port-span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
[Diagram: receive-only SCE fed by optical splitters on the subscribers-to-network link; inline SCE sitting in the path]
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs cascaded, one on each active link]
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: fail open
[Diagram: active link and standby links for the 1+0 and 1+1 schemes]
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
[Diagram: SCE8000 with two Optical Bypass modules; default bypass state (no power) versus non-default bypass state]
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s Gbps of traffic
Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability - Provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: 7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
[Diagram: N+1 SCEs attached to the 7600; flows dispatched to an SCE and returned to the data path towards the Internet]
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: N+1, 1+1 HA and bypass HA insertion options between the access side (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN), Accounting / Policy Control and the Internet]
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet Inspection
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
[Diagram: encapsulated packet stacks - Payload / TCP / IP over L2TP and MPLS; Payload / TCP / IP over L2TP and MPLS; Payload / TCP / IP over PPP]
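What "seeing through" the encapsulations above means in practice, as an added Python example (not Cisco SCE code): a decapsulation walker that strips 802.1q tags (including stacked QinQ tags), an MPLS label stack, IP-in-IP, GRE and UDP/L2TPv2/PPP to reach the inner IP and transport header a classifier keys on. GTP is not handled here. The two sample frames are constructed inline, with zero IP/UDP checksums since they are never transmitted; the header layouts follow the public RFCs for each encapsulation.

```python
import socket
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, (0x8847, 0x8848), 0x0800
IPIP, TCP, UDP, GRE = 4, 6, 17, 47
L2TP_PORT, PPP_IPV4 = 1701, 0x0021


def decapsulate(frame):
    """Peel the encapsulations off an Ethernet frame, outermost first, down to the
    inner transport header; returns the list of layers seen."""
    layers = []
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype == ETH_VLAN:                      # one or more 802.1q tags (QinQ)
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        layers.append(("vlan", tci & 0x0FFF))
        off += 4
    if ethertype in ETH_MPLS:                         # pop labels down to bottom-of-stack
        entry = 0
        while not entry & 0x100:
            entry = struct.unpack_from("!I", frame, off)[0]
            layers.append(("mpls", entry >> 12))
            off += 4
        if frame[off] >> 4 != 4:                      # MPLS has no payload-type field
            raise ValueError("non-IPv4 payload under MPLS")
        ethertype = ETH_IPV4
    if ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    return _ipv4(frame, off, layers)


def _ipv4(pkt, off, layers):
    ihl = (pkt[off] & 0x0F) * 4
    proto = pkt[off + 9]
    src, dst = socket.inet_ntoa(pkt[off + 12:off + 16]), socket.inet_ntoa(pkt[off + 16:off + 20])
    layers.append(("ipv4", src, dst, proto))
    off += ihl
    if proto == IPIP:                                 # IP-in-IP: another IPv4 header follows
        return _ipv4(pkt, off, layers)
    if proto == GRE:                                  # RFC 2784/2890 header, optional fields
        flags, gre_proto = struct.unpack_from("!HH", pkt, off)
        off += 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        layers.append(("gre", gre_proto))
        if gre_proto != ETH_IPV4:
            raise ValueError("non-IPv4 payload in GRE")
        return _ipv4(pkt, off, layers)
    if proto not in (TCP, UDP):
        layers.append(("ip-proto", proto))
        return layers
    sport, dport = struct.unpack_from("!HH", pkt, off)
    if proto == UDP and L2TP_PORT in (sport, dport):
        return _l2tp(pkt, off + 8, layers)
    layers.append(("tcp" if proto == TCP else "udp", sport, dport))
    return layers


def _l2tp(pkt, off, layers):
    flags = struct.unpack_from("!H", pkt, off)[0]     # L2TPv2 data message (RFC 2661)
    if flags & 0x8000:
        raise ValueError("L2TP control message carries no subscriber payload")
    off += 2 + (2 if flags & 0x4000 else 0)           # L bit: Length field present
    tunnel, session = struct.unpack_from("!HH", pkt, off)
    off += 4 + (4 if flags & 0x0800 else 0)           # S bit: Ns/Nr present
    if flags & 0x0200:                                # O bit: Offset Size, then padding
        off += 2 + struct.unpack_from("!H", pkt, off)[0]
    layers.append(("l2tp", tunnel, session))
    if pkt[off:off + 2] == b"\xff\x03":               # optional PPP HDLC address/control
        off += 2
    ppp_proto = struct.unpack_from("!H", pkt, off)[0]
    layers.append(("ppp", ppp_proto))
    if ppp_proto != PPP_IPV4:
        raise ValueError("non-IPv4 PPP payload")
    return _ipv4(pkt, off + 2, layers)


def five_tuple(frame):
    """What the classifier keys on: the innermost IP pair and transport ports."""
    layers = decapsulate(frame)
    ip = [l for l in layers if l[0] == "ipv4"][-1]
    l4 = layers[-1]
    return (ip[1], ip[2], l4[0]) + (tuple(l4[1:]) if l4[0] in ("tcp", "udp") else (None, None))


# --- constructed sample frames (checksums left zero; they are never transmitted) ---
def _ip(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

INNER = _ip("10.0.0.5", "203.0.113.9", TCP,
            struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0) + b"GET / HTTP/1.1\r\n")

# (a) 802.1q VLAN 100 + MPLS label 16 + GRE tunnel carrying the subscriber's IPv4/TCP flow
FRAME_VLAN_MPLS_GRE = (b"\x00" * 12 + struct.pack("!HHH", ETH_VLAN, 100, 0x8847)
                       + struct.pack("!I", (16 << 12) | 0x100 | 64)
                       + _ip("192.0.2.1", "192.0.2.2", GRE, struct.pack("!HH", 0, ETH_IPV4) + INNER))

# (b) IP-in-IP around a UDP/L2TP/PPP session (wholesale LNS style) carrying the same flow
_ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + INNER
_l2tp_msg = struct.pack("!HHHH", 0x4002, 8 + len(_ppp), 7, 9) + _ppp   # L bit set, tunnel 7, session 9
_udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(_l2tp_msg), 0) + _l2tp_msg
FRAME_IPIP_L2TP = (b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
                   + _ip("198.51.100.1", "198.51.100.2", IPIP, _ip("10.255.0.1", "10.255.0.2", UDP, _udp)))
```

The MPLS branch is the one place the walker has to guess: a label stack carries no payload type, so it peeks at the IP version nibble and refuses anything that is not IPv4 rather than mis-parsing it.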
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
[Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager with AAA / DHCP / Radius; Collection Manager feeding Billing and the Reporting Tool; Engage Console; Policy Server / Portal; Service Portal]
Management and Integrations

Area                          Description                                             Protocols and Tools          External Software Modules
Network Management            FCAPS                                                   SNMP, CLI, SSH               NA
Policy/Service Configuration  Definition of Policies and Dissemination to SE Devices  SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management         Dynamic Management of Subscriber Contexts               SM API, RADIUS               Subscriber Manager
Data Collection               Collection of Usage Data for Reporting and Billing      NetFlow v9, RDR-Protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
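The kinds of condition the slide lists (multi-packet, bi-directional, binary, string, HTTP User-Agent and X-header), exercised by a small matcher over reconstructed flows, as an added Python example. The signature syntax here is invented for the example and is not the SCE Signature Editor's language; the protocol names, the handshake bytes and the four sample flows are constructed.

```python
import re

# Signature language used by this example (assumed, not the SCE editor's syntax):
# a signature is an ordered list of conditions that must all match within the
# first `max_packets` packets of a flow; each condition names a direction.
SIGNATURES = [
    {"name": "ExampleP2P-handshake", "max_packets": 4, "conditions": [
        {"dir": "up", "binary": b"\x00\x01HELO", "offset": 0},
        {"dir": "down", "binary": b"\x00\x02OK", "offset": 0},
    ]},
    {"name": "ExampleP2P-over-HTTP", "max_packets": 2, "conditions": [
        {"dir": "up", "string": "HTTP/1."},
        {"dir": "up", "http_header": ("User-Agent", re.compile(r"^ExampleP2P/\d"))},
    ]},
    {"name": "ExampleVideo-X-Header", "max_packets": 2, "conditions": [
        {"dir": "up", "http_header": ("X-Example-App", re.compile(r"^video$", re.I))},
    ]},
]


def http_header(payload, name):
    """Value of a request header (or None). Headers end at the first blank line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    return None


def condition_matches(cond, direction, payload):
    if cond["dir"] != "any" and cond["dir"] != direction:
        return False
    if "binary" in cond:                               # byte pattern, anchored at offset if given
        off = cond.get("offset")
        return payload.startswith(cond["binary"], off) if off is not None else cond["binary"] in payload
    if "string" in cond:
        return cond["string"].encode() in payload
    if "http_header" in cond:
        name, pattern = cond["http_header"]
        value = http_header(payload, name)
        return value is not None and pattern.search(value) is not None
    raise ValueError("condition has no match type")


def match_signature(sig, packets):
    """packets: [(direction, payload)] of one flow in arrival order; multi-packet,
    bi-directional matching advances through the conditions in order."""
    conds, idx = sig["conditions"], 0
    for direction, payload in packets[:sig["max_packets"]]:
        while idx < len(conds) and condition_matches(conds[idx], direction, payload):
            idx += 1                                   # one packet may satisfy several conditions
        if idx == len(conds):
            return True
    return False


def classify_flow(packets, signatures=SIGNATURES):
    for sig in signatures:
        if match_signature(sig, packets):
            return sig["name"]
    return "unknown"


# Constructed flows: "up" = subscriber -> network, "down" = network -> subscriber.
FLOW_BINARY = [("up", b"\x00\x01HELO\x00\x10peer-id"), ("down", b"\x00\x02OK\x00\x00")]
FLOW_HTTP_P2P = [("up", b"GET /chunk/7 HTTP/1.1\r\nHost: peer.example\r\nUser-Agent: ExampleP2P/3\r\n\r\n"),
                 ("down", b"HTTP/1.1 200 OK\r\n\r\n")]
FLOW_BROWSER = [("up", b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")]
FLOW_VIDEO = [("up", b"GET /v HTTP/1.1\r\nHost: tv.example\r\nx-example-app: Video\r\n\r\n")]
FLOW_WRONG_DIRECTION = [("up", b"\x00\x01HELO"), ("up", b"\x00\x02OK")]   # no reply seen: no match
```

The direction on each condition is what keeps the handshake signature from firing on a one-sided flow; the last sample shows the same bytes failing to match when the reply never came back.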
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
[Screenshot: interactive real-time report; clicking a top subscriber activates the subscriber report]
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager Radius Integration - Push
[Diagram: B-RAS on the subscribers' network; Radius; Cisco Subscriber Manager with RADIUS relay, Event Manager, Internal SDB and SCE device Controller; SCE]
1. (RADIUS) ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager Radius Integration - Pull
[Diagram: same components as the push case]
1. (RADIUS) ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; SCE asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEG translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: RADIUS Listener LEG, SCE-Sniffer RADIUS LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translated into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
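The push and pull flows of the preceding Subscriber Manager slides, with the RADIUS LEG translation from this one, as an added Python example (not Cisco SM or SCE code). The subscriber name, address and SCE-VAS-PID value are the slide's; the default package-ID for unmapped traffic, the in-memory data structures and the handling of an address re-used before its logout arrived are assumptions for this example.

```python
class SubscriberManager:
    """Subscriber contexts (subscriber-ID, network-IDs, policy-ID) served to SCE
    devices either by push (on login) or by pull (on the SCE's query)."""

    def __init__(self, mode="push"):
        self.mode = mode
        self.contexts = {}          # subscriber-id -> {"ips": set(), "policy": int}
        self.ip_to_sub = {}         # network-id (IP) -> subscriber-id
        self.sces = []

    def attach(self, sce):
        self.sces.append(sce)
        sce.sm = self

    def login(self, subscriber_id, ip, policy_id):
        stale = self.ip_to_sub.get(ip)
        if stale and stale != subscriber_id:   # address re-used before the old logout arrived
            self.logout(stale, ip)
        ctx = self.contexts.setdefault(subscriber_id, {"ips": set(), "policy": policy_id})
        ctx["ips"].add(ip)
        ctx["policy"] = policy_id
        self.ip_to_sub[ip] = subscriber_id
        if self.mode == "push":
            for sce in self.sces:
                sce.set_subscriber(ip, subscriber_id, policy_id)

    def logout(self, subscriber_id, ip):
        ctx = self.contexts.get(subscriber_id)
        if ctx:
            ctx["ips"].discard(ip)
        if self.ip_to_sub.get(ip) == subscriber_id:
            del self.ip_to_sub[ip]
        for sce in self.sces:                  # in both modes the SCE must forget the mapping
            sce.remove_mapping(ip)

    def lookup(self, ip):
        sub = self.ip_to_sub.get(ip)
        return (sub, self.contexts[sub]["policy"]) if sub else None


class SCE:
    DEFAULT_POLICY = 1                         # assumed package-ID for unmapped (anonymous) traffic

    def __init__(self):
        self.mappings, self.sm, self.sm_queries = {}, None, 0

    def set_subscriber(self, ip, subscriber_id, policy_id):
        self.mappings[ip] = (subscriber_id, policy_id)

    def remove_mapping(self, ip):
        self.mappings.pop(ip, None)

    def classify(self, src_ip):
        """Map a packet's source IP to (subscriber-id, policy-id), pulling from the SM if needed."""
        if src_ip not in self.mappings and self.sm is not None and self.sm.mode == "pull":
            self.sm_queries += 1
            hit = self.sm.lookup(src_ip)
            if hit:
                self.mappings[src_ip] = hit
        return self.mappings.get(src_ip, ("anonymous", self.DEFAULT_POLICY))


def radius_leg(sm, packet):
    """RADIUS Accounting -> SM login/logout, the translation a RADIUS LEG performs.
    `packet` is a constructed dict; SCE-VAS-PID is the VSA carrying the policy-ID."""
    attrs = packet["attributes"]
    subscriber, ip = attrs["User-Name"], attrs["Framed-IP-Address"]
    if packet["Acct-Status-Type"] == "Start":
        policy = attrs.get("Vendor-Specific", {}).get("SCE-VAS-PID", SCE.DEFAULT_POLICY)
        sm.login(subscriber, ip, policy)
    elif packet["Acct-Status-Type"] == "Stop":
        sm.logout(subscriber, ip)


def scenario(mode):
    """Joe logs in on 1.2.3.4 with policy 12, his traffic is classified, Joe logs out."""
    sm, sce = SubscriberManager(mode), SCE()
    sm.attach(sce)
    radius_leg(sm, {"Acct-Status-Type": "Start", "attributes": {
        "User-Name": "Joe", "NAS-Identifier": "bras-1", "Framed-IP-Address": "1.2.3.4",
        "Vendor-Specific": {"SCE-VAS-PID": 12}}})
    during = sce.classify("1.2.3.4")
    radius_leg(sm, {"Acct-Status-Type": "Stop", "attributes": {
        "User-Name": "Joe", "Framed-IP-Address": "1.2.3.4"}})
    after = sce.classify("1.2.3.4")
    return during, after, sce.sm_queries
```

The difference between the two modes is visible in the query counter: push mode never makes the SCE ask, pull mode costs one SM round trip per unknown address, including the one after logout that confirms the address is no longer mapped.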
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: Policy Server - API - Subscriber Manager - API - SCE]
PCEF - Subscriber Policy Enforcement
[Diagram: GGSN - Access Aggregation and Service Control (PCEF SCE) - Converged Packet Core - Internet; Subscriber Service Control; Video/VoIP Applications and Services; numbered message steps]
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records sent to external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destination / failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, home-grown customer systems
[Diagram: SCE streaming RDRs over TCP (RDR Protocol) to a Mediation / Collection Platform; an RDR is Header, Field 0, Field 1, ..., Field n; the RDR stream is a sequence of RDRs]
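A binary, TCP-framed record stream of the header-plus-fields shape sketched above, combined with the click-stream anonymization the BetterAds slide calls for (subscriber details anonymized in RDRs before they reach a 3rd party), as an added Python example. This is not the Cisco RDR protocol: the framing constants, field types and click-stream tag are invented for the example, as are the pseudonym key and the sample URLs. The encoder pseudonymizes the subscriber ID with a keyed HMAC and strips query strings; the decoder handles a TCP buffer that ends in a partial record.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit, urlunsplit

PSEUDONYM_KEY = b"constructed-key-rotate-per-export-period"  # held by the SP, never given to the collector
RDR_MAGIC = 0x5244          # assumed framing marker for this example
CLICKSTREAM_TAG = 0x0400    # assumed RDR tag for HTTP click-stream records
F_SUBSCRIBER, F_URL, F_TIME = 1, 2, 3


def pseudonymize(subscriber_id, key=PSEUDONYM_KEY):
    """Keyed one-way pseudonym: stable while the key lives, unlinkable without it."""
    return hmac.new(key, subscriber_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimize_url(url):
    """Keep scheme, host and path (enough for behavioural profiling); drop the query and
    fragment, which is where session tokens and search terms usually live."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def encode_rdr(tag, fields):
    """Header (magic, tag, field count, body length) followed by type/length/value fields."""
    body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in fields)
    return struct.pack("!HIHH", RDR_MAGIC, tag, len(fields), len(body)) + body


def clickstream_rdr(subscriber_id, url, timestamp):
    """Click-stream RDR as exported to a 3rd party: a pseudonym instead of the subscriber ID."""
    return encode_rdr(CLICKSTREAM_TAG, [
        (F_SUBSCRIBER, pseudonymize(subscriber_id).encode()),
        (F_URL, minimize_url(url).encode()),
        (F_TIME, struct.pack("!I", timestamp)),
    ])


def decode_stream(buf):
    """Collector side: parse every complete RDR in a TCP buffer; return (records, leftover)."""
    records, off = [], 0
    while len(buf) - off >= 10:
        magic, tag, count, body_len = struct.unpack_from("!HIHH", buf, off)
        if magic != RDR_MAGIC:
            raise ValueError("RDR stream out of sync")
        if len(buf) - off - 10 < body_len:
            break                                   # partial record: wait for more bytes
        pos, end, fields = off + 10, off + 10 + body_len, []
        for _ in range(count):
            ftype, flen = struct.unpack_from("!BH", buf, pos)
            pos += 3
            fields.append((ftype, buf[pos:pos + flen]))
            pos += flen
        if pos != end:
            raise ValueError("field lengths disagree with body length")
        records.append((tag, dict(fields)))
        off = end
    return records, buf[off:]
```

Because the pseudonym is keyed, the profiling server can still group a subscriber's clicks within one export period, but cannot recover the subscriber ID or link periods once the key is rotated.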
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application is classified, the SCE ToS Marking capability provides the ability to mark traffic
- Per Package
- Per Service
- Per Direction (aka Upstream / Downstream)
[Diagram: Subscriber side - SCE - Network side; upstream and downstream flows for Browsing, P2P and VoIP]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
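Both halves of the two ToS slides, marking per package / service / direction and DSCP-first classification, on a real IPv4 header, as an added Python example (not Cisco SCE code). The palette of seven DSCP values, the marking rules and the DSCP-to-flavor mapping are assumed for the example; the header checksum handling follows RFC 1071, and the ECN bits are preserved when the DSCP field is rewritten.

```python
import socket
import struct

# Seven selected DSCP values used as the marking palette (assumed set for this example).
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "AF21": 18, "AF11": 10, "CS1": 8, "BE": 0}

# Marking rules keyed by (package, service, direction); assumed values, not a Cisco default.
MARKING = {
    ("Gold", "VoIP", "upstream"): "EF", ("Gold", "VoIP", "downstream"): "EF",
    ("Gold", "Browsing", "downstream"): "AF21",
    ("Silver", "P2P", "upstream"): "CS1", ("Silver", "P2P", "downstream"): "CS1",
}

# ToS classification: DSCP -> flavor; a hit overrides the signature result (assumed mapping).
DSCP_FLAVORS = {46: "VoIP", 34: "Video", 8: "Scavenger"}


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def get_dscp(packet):
    return packet[1] >> 2                                  # upper six bits of the ToS byte


def set_dscp(packet, dscp):
    """Rewrite the DSCP field, keep the ECN bits, and fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def mark(packet, package, service, direction, rules=MARKING):
    """Per-package / per-service / per-direction marking; no rule leaves the packet untouched."""
    name = rules.get((package, service, direction))
    return set_dscp(packet, DSCP[name]) if name else packet


def classify(packet, signature_result):
    """DSCP-based flavor takes precedence over whatever signature matching produced."""
    return DSCP_FLAVORS.get(get_dscp(packet), signature_result)


def make_ipv4(src, dst, proto=6, tos=0, payload=b""):
    """Constructed IPv4 packet with a correct header checksum (test input only)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0x4000,
                                64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

The precedence rule is the part worth noticing: once an upstream element has marked a packet EF, the signature verdict is ignored, so ToS classification is only as trustworthy as the element that set the bits.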
Summary
Cisco SCE Sample Customers
[Diagram: sample customer logos grouped by access type: Mobile, DSL, Cable]
[Table: partners and customers by use case]
Security & Content Filtering; Policy & Billing; URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
[Table continued]
Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 8
Expectations Have Changed
From Mobile Data To Mobile BB
Pay per kilo-
bit plans
Mobile phone
with data
Access and SMS-
based services
Average
96kbps
Full HTML-based
browsing
Mobile
computer
On-demand video
and content
Closed OS and
browser
All-u-can eat
service plans
Broadband data
rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 9
iPhone Launch
1 million customers within 2 monthlsquos
gt40 new ATampT customers
Revenue sharing with Apple
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 10
gPhone
inside
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 11
TV on your Mobile Phone
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 12
Skype goes Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 13
Alex Day AKA Nerimon (19 years old)
Nerimon
Number 1 Most Popular
Britainlsquos Youtubers has 30000 subscribers tune into him everyday
European Operator
ldquoVideo is number 1 application that is
killing our networkrdquo
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 14
bullSource Cisco IBSG Analysis March 2006
ContentApplicationProviders
AggregatorsIntegratorsOver the Top (OTT)
NetworkBased Operators
VirtualNetworkOperators
DeviceServices
Who Will Capture the Value
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 15
OTTs Create Three Areas of Concern for SPshellip
Un-monetised Traffic Growth
ServiceSubstitution
Changing User Behaviour ndash New Sources of Revenue
Source Cisco IBSG
While remaining innovative acquisitive and highly valued
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 16
Service Control Engine (SCE) Fundamentals
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 17
DPI allows Mobile service providers to cope with the dynamic nature of the net
permits SPrsquos to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPrsquos to create new per-subscriber service offerings and other differentiated services (such as parental control advanced per-application charging and quota)
DPI empowers Mobile SPrsquos implement advanced targeted advertising schemes
Deep Packet Inspection (DPI) Critical To Managing Todayrsquos Mobile Networks
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 18
Application Architecture of the FutureSCE enables User Experience
Service Provider Network
Service Control PointFixed
Wireless
DSL
CellularWiFi MeshWiMAX
Enterprise
Cable
Gaming
Messaging
BroadbandAccess
Voice
IPTVVoD
Music
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 19
Application Awareness
Subscriber Intelligence
Real-Time Control
Service Velocity
Technology
Rapidly ProgrammableRapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection Instead of processing packets as individual events the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth ShapingBlocking Redirecting (HTTP RSTP SIP)
Subscriber State Managementwith Per-Subscriber BW Management and Quotas
Extensible Platform amp Open Architecture Based upon a flexible purpose-built platform
Modular and scalable HW accelerationEasy-to-use with open APIs for seamless OSS Integration
Carrier Class Designed for carrier-grade deployments requiring
High Performance for Multi-Gigabit and 10 Gigabit SpeedsHigh Availability amp Reliability with stateful failover
What Is the Service Control Engine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Intelligent Inspection and Control of IP Packets Classify to end-user application determine application semantics
Map to subscriber identity policy and state
Select action based on conditions - time of day congestion usage other concurrent activities
Take action and reportBlock
Redirect
Set QoS
Mark
Service Control Engine
Report
Process of Service Control
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 21
Co
st M
an
ag
em
en
tR
even
ue
Gen
era
tio
n
Traffic Anomaly Detection and DDOS Protection
Anti-X (SPAMWorms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (VoiceVideo) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control amp Content Filtering
Premium
Service
Enablement
Usage
Analysis
Content
Charging Service Control
Technology
Traffic
Optimization
Tiering amp
Access
Control
Service
Security
Service Control EngineFunctional Examples
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 22
Category
Interfaces2-GBE
(Fiber SXLX)
4-GBE
(Fiber SXLX)
2-10G 4-10G
8-GBE 16-GBE
(Fiber SXLXZX)
Mgmt Interface 2 x 101001000 Eth 2 x 101001000 Eth 2 x 101001000 Eth
Max Concurrent Unidirectional Application Flows
2M 2M16M
(Can grow up to 32M)
Max Subscriber-Contexts
200000 200000 1M
Network ConfigurationOut of Line
Inline
Out of Line
Inline
Clustering
Out of Line
Inline
Clustering
Service Control Platforms
SCE1000 SCE2000 SCE8000
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 23
SCE ProductFamily and Milestones
Capacity
(Concurrent Subscribers)
200K
Performance
5Gbps 40Gbps
SCE 1000
SCE 2000
SCE 8000
2x10 G 4x10G amp 8xGBE 16xGBE Ethernet interfaces Classification of up to 32 million concurrent
unidirectional application flows Total throughput of 15 Gbps (30+ Gbps by
end 09) Up to 1M concurrent subscribers Complete modularity - FRU AC or DC power
supplies fans cards interfaces optics
1M
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 24
3GPP Compliance
Content Filtering
Content Charging
Traffic Optimization
Usage Analysis
DPI
Industry leading Deep Packet Inspection
Rich set of IP services
3GPP Compliant
Cisco SCE In Mobile
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 25
The SCE Mobile Solution
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 26
The SCE Mobile Solution ndash 3GPP Compliance
Internet
Core
GGSNSGSN SCE
AAA
(Radius)
Policy
Server
PortalApplications
Billing amp
Charging
PCEF
GyGx
PCRF OCFSRP
AF
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 27
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
1 SCE Appliance
to view and act
on the packets
2 Collection
Manager to
collect data
records for
Reporting amp
external DBlsquos
3 Subscriber Manager
to coordinate sub
info w AAA and
control sub-level
policies
4 Policy Manager
to control multiple
devices and
sophisticated
policies
What does an SCE solution look likeSCE sits at the access or aggregation layer
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 28
Us
ag
e A
na
lys
isS
erv
ice
Cre
ati
on
Service Control Engine DeploymentApproaches
Traffic Analysis amp Business Intelligence Implement traffic monitoring analysis and reporting Determine subscriber and application usage patterns
1
Capacity Control amp Fair-Use Policies (FUPs) Manage bandwidth-intensive applications through packet flow
optimization techniques Implement Fair Usage Policies for fair allocation of network resources
2
Revenue Generating Services Implement tiered services using volume and time-base quotas Implement Service Self Selection Implement Over-The-Top (OTT) Application Strategy and
Blended Services Implement Security Services (Anti-X Quarantine etc) Innovate other Differentiated Services such as Parental
Controls Content Filtering Turbo Buttons Allowance Based Services Prioritized App Services Pay-as-you-go Services
3
Portal
DHCP
AAA
Subs Profile
Policy
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 29
Why does a Service Provider Want From SCEProfitability
URL Blacklisting Restricting sites that are blacklisted by governments
bullURL Blacklisting
Precision Advertising
Copyright Infringement
Blocking
bullFlat Rate
bullRestricted
OTT Revenue
Share Proposition
Enhanced Tiered
Services
UsageContent
Based Billing
Fair Use Policy
Demographic Information amp Per Sub Re-direction to Ad Server
Blocking Distribution of Pirated FilmMusic
Application Intercept for Internet Content Prioritisation
Product Tiers in addition to flat rate all you can eat
All HSDPA Mobile Operators
Global Migration from Flat Rate to Usage Based
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
bull
bullStrategic
bullPart of
bullBusiness OpsbullCustomer
bullSales
bullCategory
bullRecognition
Act Measure
Decide Analyze
Compare
bullCisco
Service
Control
bullCisco
Service
Control
Transactions Information
Network Utilization
Service QoE
Data Aggregation
Data Mining
Correlation
Trend Analysis
Geographies Comparison
Histogram View
Service Offering
Marketing Review
Intersecting Set
Engineering Review
IT Review
Network Tuning
Cooperation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 32
Video
Reports
Which specific Video applications is consuming bandwidth
How do usage patterns vary by time of day
Who are the top video consumers
Focus on specific Video Application
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 33
Web
Reports
Insights into Web traffic
Top Domains
Top Hosts
Insights into
All popular Google Hosts
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 34
The ability to classify HTTP
requests as belonging to a
userrsquos ClickStream allows
effective extraction of
information about a user
browsing habits
ClickStream events constitute
only 1-5 of the total amount
of HTTP requests which allows
an immense reduction in the
amount of data to be analyzed
Web ReportsClickStream
Only ClickStream
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 35
Cumulative & Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% of subscribers => 60%+ of traffic
Top 20% of subscribers => 80%+ of traffic
Setting a 5 GB daily quota per subscriber would affect the top 2% only
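The concentration figures above come from ranking subscribers by usage and reading off cumulative shares. The added example below (not from the slide deck) computes those shares and the impact of a daily quota from a per-subscriber usage list; the 100-subscriber sample is constructed so that it reproduces the slide's 15/60/80 split, and its quota impact is for that sample, not the 2% the slide reports from a live network.

```python
def usage_concentration(daily_bytes, top_fractions=(0.01, 0.10, 0.20)):
    """Share of total traffic generated by the top X% of subscribers."""
    ranked = sorted(daily_bytes, reverse=True)
    total = sum(ranked)
    shares = {}
    for frac in top_fractions:
        n = max(1, int(round(frac * len(ranked))))
        shares[frac] = sum(ranked[:n]) / total
    return shares


def quota_impact(daily_bytes, quota):
    """(fraction of subscribers exceeding the quota, share of traffic above the quota)."""
    total = sum(daily_bytes)
    over = [b for b in daily_bytes if b > quota]
    excess = sum(b - quota for b in over)
    return len(over) / len(daily_bytes), excess / total


def sample_daily_gb():
    """Constructed daily usage for 100 subscribers (GB): one heavy hitter, a small
    group of heavy users, and a long tail of light users."""
    return [30.0] + [10.0] * 9 + [4.0] * 10 + [0.5] * 80


if __name__ == "__main__":
    usage = sample_daily_gb()
    for frac, share in usage_concentration(usage).items():
        print("top %.0f%% of subscribers => %.0f%% of traffic" % (frac * 100, share * 100))
    for quota in (5.0, 12.0):
        hit, above = quota_impact(usage, quota)
        print("%g GB quota: %.0f%% of subscribers affected, %.0f%% of traffic above it"
              % (quota, hit * 100, above * 100))
```

The second function is the check a practitioner wants before announcing a quota: the share of traffic above the line is what the network actually saves, and the fraction of subscribers who hit it is the support load the plan will generate.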
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued about every 2.5 months
Enhancements for existing clients, protocols and applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube Movies (HD vs. normal), Yahoo SIP, Skype 4.0.0.206, Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures has become a difficult task:
Signatures are more complex (encryption)
Protocol signatures evolve all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (the new trend of "anti-shaping")
It is both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach recognizes application flows based on only a few signatures, one signature per application family instead of one per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market / zero-day response: the Behavioral P2P signature uses a heuristic approach, so a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level):
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Figure: the policy dimensions plotted against policy implementation impact.
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: a subscriber's link shared over time between a peer-to-peer service, web browsing, email and mobile TV; when the user launches video, the peer-to-peer service is squeezed so that web browsing and the video keep their share.
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policy ensures a balanced community of subscribers
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented on Cisco's SCE DPI gear, enabling SPs to:
Apply equitable distribution of network resources
Improve the quality of experience that the network delivers
Minimize service abuse
FairUsage acts only during congestion
Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly.
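The two Fair Usage slides make two points: enforcement only happens under congestion, and an equal split at a given instant is not fair if one subscriber has already consumed far more in the recent window. The added example below (not the SCE's FairShare algorithm, which the deck does not describe) implements a weighted max-min fair allocation where each subscriber's weight declines with short-term usage. The usage_weight shape and the 100 MB reference are assumptions; demands and usage figures are constructed.

```python
def usage_weight(recent_bytes, reference=100e6):
    """Weight that declines with what the subscriber consumed in the short-term window
    (assumed shape; the slide only states that short-term usage must count)."""
    return 1.0 / (1.0 + recent_bytes / reference)


def weighted_max_min(demands, weights, capacity):
    """Weighted max-min fair allocation of `capacity` among subscribers.
    Each round gives every active subscriber its weighted share of what is left; anyone
    whose demand fits is fully served and removed, and the surplus is redistributed."""
    alloc = {s: 0.0 for s in demands}
    active = set(demands)
    remaining = capacity
    while active and remaining > 1e-9:
        share = remaining / sum(weights[s] for s in active)
        satisfied = [s for s in active if demands[s] - alloc[s] <= weights[s] * share]
        if not satisfied:
            # nobody can be fully served: split what is left in proportion to weight
            for s in active:
                alloc[s] += weights[s] * share
            break
        for s in satisfied:
            remaining -= demands[s] - alloc[s]
            alloc[s] = demands[s]
            active.discard(s)
    return alloc


def fair_allocate(demands, recent_usage, capacity):
    """FairUsage: leave demands untouched when the link is not congested,
    apply usage-weighted max-min when it is."""
    if sum(demands.values()) <= capacity:
        return dict(demands)
    weights = {s: usage_weight(recent_usage.get(s, 0.0)) for s in demands}
    return weighted_max_min(demands, weights, capacity)


if __name__ == "__main__":
    # Constructed: both want the whole 10 Mbps link; B consumed 9x more in the last window.
    demands = {"A": 10.0, "B": 10.0}
    recent = {"A": 100e6, "B": 900e6}
    print(fair_allocate(demands, recent, capacity=10.0))   # A gets the larger share
    print(fair_allocate({"A": 3.0, "B": 4.0}, recent, capacity=10.0))  # no congestion: untouched
```

With equal demands, an equal split would give each 5 Mbps; the usage-weighted allocation gives Sub A about 8.3 Mbps and Sub B about 1.7 Mbps, which is the corrective the slide's 0:40 example asks for. When total demand fits the link the function returns the demands unchanged, matching "FairUsage acts only during congestion".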
RAN Optimization and Backhaul Optimization
Addresses the congestion at RAN and backhaul level that booming mobile data traffic imposes
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging (e.g. email only)
Ability to provide SLA support or managed services for large enterprise users
Figure: UTRAN -> SGSN/GGSN (GPRS core) -> SCE -> Internet, with a policy server attached to the SCE.
Tiered Services
Requirement: Flexible Billing Plans
Bill by bandwidth usage over an always-on service: volume, time
Bill differently for each type of application and content: volume, time, transaction, content type
Bill differently for the same content based on quality, priority, time of day and usage pattern: volume, time, transaction, content type, usage pattern, quality of service
Figure: the three plan types shown as increasingly rich sets of charging parameters, all built on a subscription.
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session can either be terminated or the user can purchase more usage.
Quota Measurement / Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographic data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Figure: subscribers -> Service Control Engine -> network, with the SCE connected to a quota manager, billing/mediation and a policy server.
Quota Measurement Flexibility
Content that earns revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
(P2P technology can also be supported in the upload direction via DPI)
The quota measurement rate can change with time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
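The slide lists the two knobs a quota bucket needs beyond a byte counter: a per-service exemption list and a time-of-day exchange rate. The following is an added example, not SCE quota-manager code: a per-subscriber bucket that applies both, plus the post-quota throttle action described on the Telenet slides later in the deck. The 01:00-06:00 "middle of night" window, the 56 kbps throttle string, the service names and the sample day are assumptions.

```python
from datetime import datetime

# Services whose traffic earns the SP something other than access revenue (slide list).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def quota_rate(ts):
    """Bytes of transfer that consume one byte of quota at time `ts`.
    The 01:00-06:00 night window is an assumption; the slide only says 'middle of night'."""
    return 10.0 if 1 <= ts.hour < 6 else 1.0


class QuotaBucket:
    def __init__(self, limit_bytes, throttle="rate-limit 56kbps"):
        self.limit = limit_bytes
        self.used = 0.0
        self.throttle = throttle   # post-quota action: dial-up speed rather than a hard block

    def charge(self, ts, service, nbytes):
        """Account one transfer; returns the quota actually consumed."""
        if service in EXEMPT_SERVICES:
            return 0.0
        consumed = nbytes / quota_rate(ts)
        self.used += consumed
        return consumed

    def exhausted(self):
        return self.used >= self.limit

    def action(self):
        return self.throttle if self.exhausted() else "allow"


def sample_day():
    """Constructed day of transfers against a 100 MB daily quota."""
    mb = 1_000_000
    bucket = QuotaBucket(100 * mb)
    log = []
    for ts, service, nbytes in [
        (datetime(2009, 7, 1, 2, 30), "p2p", 300 * mb),      # night: counted at 10:1
        (datetime(2009, 7, 1, 14, 0), "web", 60 * mb),
        (datetime(2009, 7, 1, 20, 0), "sp_voip", 50 * mb),   # exempt: SP's own VoIP service
        (datetime(2009, 7, 1, 21, 0), "web", 20 * mb),
    ]:
        log.append((bucket.charge(ts, service, nbytes), bucket.action()))
    return bucket, log


if __name__ == "__main__":
    bucket, log = sample_day()
    for consumed, action in log:
        print("%8.1f MB of quota consumed -> %s" % (consumed / 1e6, action))
    print("total used: %.0f MB of %.0f" % (bucket.used / 1e6, bucket.limit / 1e6))
```

The 300 MB night-time download costs only 30 MB of quota and the SP's own VoIP costs nothing; the 20 MB evening transfer is what tips the bucket over 100 MB and switches the subscriber to the throttled rate.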
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the online charging server
Figure: subscriber -> access aggregation and service control (SCE) -> converged packet core (GGSN) -> Internet, video and VoIP applications and services (three numbered steps).
Note: the Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
Figure: SCE <-> online charging server over Gy (Diameter); SCE -> Internet.
Note: the Gy interface is still under development and will be available in a future release.
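The Gy slides name the protocol (DCCA, RFC 4006) but not the exchange. The added example below, which is not Cisco's Gy implementation, models both sides of a prepaid volume session: the SCE sends CCR-Initial to obtain a quota slice, meters traffic against it, sends CCR-Update carrying Used-Service-Unit when the slice runs out, and sends CCR-Terminate at the end; the toy OCS hands out credit in slices and sets Final-Unit-Indication on the last one. Message dictionaries stand in for Diameter AVPs; the slice size, balance and REDIRECT action are constructed.

```python
INITIAL, UPDATE, TERMINATE = 1, 2, 3   # CC-Request-Type values (RFC 4006)
DIAMETER_SUCCESS = 2001


class OnlineChargingServer:
    """Toy OCS: prepaid volume balance per subscriber, served out in fixed slices."""

    def __init__(self, balances, slice_bytes):
        self.balances = dict(balances)
        self.slice = slice_bytes

    def handle(self, ccr):
        sub = ccr["Subscription-Id"]
        # Used-Service-Unit reports what the client consumed since the last grant.
        self.balances[sub] = max(0, self.balances[sub] - ccr.get("Used-Service-Unit", 0))
        cca = {"Session-Id": ccr["Session-Id"], "CC-Request-Type": ccr["CC-Request-Type"],
               "Result-Code": DIAMETER_SUCCESS}
        if ccr["CC-Request-Type"] != TERMINATE:
            grant = min(self.slice, self.balances[sub])
            cca["Granted-Service-Unit"] = grant
            if grant == self.balances[sub]:
                # last of the credit: tell the enforcement point what to do once it is gone
                cca["Final-Unit-Indication"] = "REDIRECT"
        return cca


class SceGyClient:
    """The SCE side: asks for quota, meters traffic against it, reports usage."""

    def __init__(self, ocs, session_id, sub):
        self.ocs, self.session_id, self.sub = ocs, session_id, sub
        self.granted = 0
        self.used = 0
        self.final_action = None
        self.exchange = []   # (request type, used reported, granted) for inspection

    def _send(self, rtype):
        cca = self.ocs.handle({"Session-Id": self.session_id, "Subscription-Id": self.sub,
                               "CC-Request-Type": rtype, "Used-Service-Unit": self.used})
        self.exchange.append((rtype, self.used, cca.get("Granted-Service-Unit")))
        self.granted = cca.get("Granted-Service-Unit", 0)
        self.final_action = cca.get("Final-Unit-Indication")
        self.used = 0
        return cca

    def start(self):
        return self._send(INITIAL)

    def account(self, nbytes):
        """Meter `nbytes` of subscriber traffic; returns the enforcement decision."""
        while nbytes > 0:
            room = self.granted - self.used
            if nbytes <= room:
                self.used += nbytes
                return "forward"
            self.used += room
            nbytes -= room
            if self.final_action is not None:
                return self.final_action     # credit exhausted and OCS said this was the last slice
            self._send(UPDATE)               # ask for more before forwarding the rest
            if self.granted == 0:
                return "block"
        return "forward"

    def stop(self):
        return self._send(TERMINATE)


def sample_session():
    """Constructed prepaid session: 25 MB balance, granted in 10 MB slices."""
    mb = 1_000_000
    ocs = OnlineChargingServer({"sub1": 25 * mb}, 10 * mb)
    sce = SceGyClient(ocs, "sce1;1", "sub1")
    sce.start()
    decisions = [sce.account(n * mb) for n in (6, 6, 12, 3)]
    sce.stop()
    return ocs, sce, decisions


if __name__ == "__main__":
    ocs, sce, decisions = sample_session()
    for rtype, used, granted in sce.exchange:
        print("CCR type %d  used=%s  granted=%s" % (rtype, used, granted))
    print("decisions:", decisions, "remaining balance:", ocs.balances["sub1"])
```

The trace is four Gy round trips (Initial, two Updates, Terminate); the 12 MB transfer straddles a slice boundary and triggers an Update mid-flow, and the final 3 MB is answered with the REDIRECT action because the OCS had flagged the 5 MB slice as the last one.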
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at reduced speed till the end of the month
15% of customers upgrade their quota every month
Figure: Telenet subscriber portal showing previous months' usage, the current product and speed, a button to extend the monthly subscription volume, an upgrade to another product, and a button to switch between pay-as-you-go broadband and free smallband (or the other way around).
Redirect Page
Redirect page shown when 100% of the quota is reached; three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.
Quota Based Services: Results
15% of subscribers who reach their quota limit elect every month to move to a "charge by the MB" plan, increasing revenue
40% reduction in service support calls relating to this service, and increased customer satisfaction
T-Mobile - Quota-Based with Application Control
Plans (columns): Default, WnW, WnW Pro, WnW Plus, WnW Max, Post Pay, Day Pass
Allowance: Unlimited, 2 GB, 2 GB, 1 GB, 3 GB, 10 GB
VoIP:             ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM:               ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P:              ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP:              ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media streaming:  ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web browsing:     ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads:        ✓ ✗ ✓ ✓ ✓ ✓ ✓
Email:            ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem: ✓ ✗ ✓ ✗ ✓ ✓ ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Figure: Vodafone Spain consumer Internet offer page (httpwwwvodafoneesparticularesinternet); the highlighted value on the figure reads "> 40".
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness)
Figure: IPTV/VoD, broadband access, gaming, messaging, music and voice services connected over a control bus.
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that content distributed does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self-selection
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering: "Kids Broadband"
Application- and content-based access control with whitelists and blacklists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content provider partnership
Figure: blocked-content page ("Content blocked - click here to unlock all Internet sites") between the subscriber and the Internet.
URL Filtering with External DB
On-device URL filtering with external database integration:
Enhances SCE URL classification with external-party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integrations are with Websense and Adaptive Mobile
Figure: when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the SCE then updates its cache.
Action per subscriber package and HTTP list ID:
Package          DEFAULT   HTTP list ID 1   HTTP list ID 2
Block-none       ALLOW     ALLOW            ALLOW
Block-all        ALLOW     BLOCK            BLOCK
Block-and-slow   ALLOW     BLOCK            RATE 64 kbps
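The slide's three pieces (cache in front of the external database, a query only on a cache miss, and a package-by-list action matrix) fit in a few dozen lines. The following is an added example, not the SCE's Java API or a Websense integration: an LRU cache with a TTL wrapping a stand-in external database, and the action matrix exactly as the slide shows it. The cache size, TTL, host list and request sequence are constructed assumptions.

```python
from collections import OrderedDict


class ExternalUrlDb:
    """Stand-in for a third-party categorisation database (constructed data)."""

    def __init__(self, host_to_list):
        self.table = host_to_list
        self.queries = 0           # how many "URL query RDRs" reached the external DB

    def classify(self, host):
        self.queries += 1
        return self.table.get(host, 0)    # list ID 0 = DEFAULT (host is in no list)


class UrlClassifier:
    """SCE-side lookup: an on-board LRU cache in front of the external database."""

    def __init__(self, db, cache_size=1000, ttl=300.0):
        self.db, self.cache_size, self.ttl = db, cache_size, ttl
        self.cache = OrderedDict()     # host -> (list_id, time cached)

    def classify(self, host, now):
        entry = self.cache.get(host)
        if entry is not None and now - entry[1] < self.ttl:
            self.cache.move_to_end(host)
            return entry[0]
        list_id = self.db.classify(host)          # cache miss or stale: ask the external DB
        self.cache[host] = (list_id, now)
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)        # evict the least recently used host
        return list_id


# Action matrix from the slide: package x HTTP list ID (0 = DEFAULT).
PACKAGE_POLICY = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


def enforce(classifier, package, host, now):
    """Decision for one HTTP request from a subscriber on `package`."""
    return PACKAGE_POLICY[package][classifier.classify(host, now)]


def sample_run():
    """Constructed: two listed hosts, three packages, repeated lookups hitting the cache."""
    db = ExternalUrlDb({"adult.example": 1, "games.example": 2})
    clf = UrlClassifier(db)
    requests = [
        ("Block-and-slow", "adult.example"),
        ("Block-and-slow", "games.example"),
        ("Block-all", "games.example"),     # cache hit: no external query
        ("Block-none", "adult.example"),    # cache hit: no external query
        ("Block-and-slow", "news.example"),
    ]
    decisions = [enforce(clf, pkg, host, now=float(i)) for i, (pkg, host) in enumerate(requests)]
    return decisions, db.queries


if __name__ == "__main__":
    decisions, queries = sample_run()
    print(decisions, "external queries:", queries)
```

Five requests cost three external queries; the cache key is the host and not the subscriber, so one classification serves every package, and the package only selects the row of the matrix. A DEFAULT (uncategorised) answer is cached too, which is what keeps unlisted hosts from hammering the external database.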
Parental Control and Content Filtering: Example
Figure: "Page blocked - forbidden content detected" page.
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs Participating in the Advertising Value Chain
Figure: advertiser, publisher and consumer, with the ISP in between leveraging its intimacy with its customer base (demographics, browsing habits, geo-location) to enable enhanced targeting.
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain and increase ARPU through a revenue-sharing model
Addresses privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server, using VLAN marking
Reporting HTTP click-stream information in RDR records, with subscriber details anonymized in the RDRs
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits ...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end users using existing network resources
The cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
Figure: the SCE separates OTT video from other traffic (other OTT, P2P, VoIP) and redirects it to the OTT video cache, which delivers the requested files; the design absorbs the increase in demand for OTT.
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking)
Effect on the SP's business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Needed: the ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
Figure: Service Control between the subscribers, the Internet and the email servers; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
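The slide names three subscriber-originated threats and an identify / protect / notify pipeline but gives no detection logic. The added example below, which is not the SCE's anomaly engine, runs three per-subscriber checks over a window of constructed flow records: fan-out to many SMTP servers (spam bot), fan-out to many hosts on one port (worm scan) and packet rate to a single destination (DoS), and maps each alert to a protect/notify action. Thresholds, action names and the sample flows are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float     # flow start, seconds into the window
    src: str      # subscriber IP
    dst: str
    dport: int
    packets: int


# Thresholds are assumptions for the sample, not SCE defaults.
SPAM_DISTINCT_SMTP = 20     # distinct SMTP servers contacted in the window
SCAN_DISTINCT_HOSTS = 50    # distinct hosts hit on one port
DOS_PKTS_PER_SEC = 1000     # packet rate towards a single destination

ACTIONS = {"spam": "quarantine+notify", "worm-scan": "quarantine+notify", "dos": "block+notify"}


def detect(flows):
    """Per-subscriber anomaly checks over a window of flows; returns (src, kind, detail)."""
    per_sub = defaultdict(list)
    for f in flows:
        per_sub[f.src].append(f)
    alerts = []
    for sub, fl in per_sub.items():
        smtp_dsts = {f.dst for f in fl if f.dport == 25}
        if len(smtp_dsts) >= SPAM_DISTINCT_SMTP:
            alerts.append((sub, "spam", len(smtp_dsts)))
        hosts_by_port = defaultdict(set)
        for f in fl:
            hosts_by_port[f.dport].add(f.dst)
        for port, hosts in hosts_by_port.items():
            if port != 25 and len(hosts) >= SCAN_DISTINCT_HOSTS:
                alerts.append((sub, "worm-scan", port))
        span = max(1.0, max(f.ts for f in fl) - min(f.ts for f in fl))
        pkts_by_dst = defaultdict(int)
        for f in fl:
            pkts_by_dst[f.dst] += f.packets
        for dst, pk in pkts_by_dst.items():
            if pk / span >= DOS_PKTS_PER_SEC:
                alerts.append((sub, "dos", dst))
    return alerts


def mitigation_plan(alerts):
    """Protect/notify step: map each alert to the configured action."""
    return {(sub, kind): ACTIONS[kind] for sub, kind, _ in alerts}


def sample_flows():
    """Constructed window: one spam bot, one scanning worm, one flooder, one clean browser."""
    flows = [Flow(t, "10.0.0.3", "93.184.216.34", 80, 40) for t in (0.0, 5.0, 9.0)]
    flows += [Flow(float(i), "10.0.0.5", "198.51.100.%d" % i, 25, 8) for i in range(25)]
    flows += [Flow(i * 0.5, "10.0.0.7", "192.0.2.%d" % i, 445, 1) for i in range(60)]
    flows += [Flow(float(i), "10.0.0.9", "203.0.113.10", 80, 2000) for i in range(30)]
    return flows


if __name__ == "__main__":
    alerts = detect(sample_flows())
    for sub, kind, detail in alerts:
        print(sub, kind, detail, "->", ACTIONS[kind])
```

The scan check deliberately skips port 25 so a spam bot is reported once, as spam, rather than twice; in production the thresholds would be tuned per access type, since a NAT'd enterprise link legitimately fans out far more than a residential line.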
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Savings on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1 -> carrier Ethernet / MPLS / IP -> SCE -> Internet, with a VAS server hanging off the SCE; inbound and outbound traffic marked, "X" = traffic blocked.
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Or at an aggregation point further up from the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all the traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: SCE Is a "Bump on a Wire"
A stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: the analysis engine applying PDR (police, drop, rewrite) actions on the wire.
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitors and controls traffic
Figure: subscribers - (optical splitter) - SCE - (optical splitter) - network.
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have identical configuration
Figure: master and slave SCEs, each on an active link, cascaded to each other.
Redundant Configurations: Active/Standby Schemes
1+0: active/standby links with an SCE on the active link only; on failure the network uses the alternate path; no service redundancy; bypass configured to fail open
1+1: active/standby links with an SCE on each link; on failure the network uses the alternate path and the standby SCE resumes service; bypass configured to fail open
Figure: active and standby links for each scheme.
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases:
In case of a major failure in SCE software or hardware
Manually via the CLI
On boot
Figure: SCE8000 with optical bypass modules on its links; default bypass state (no power) versus the non-default bypass state.
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: a "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Figure: Internet - 7600 - N+1 SCEs (flows out, return flows back).
Network Architectures: SCE's Open and Extensible Architecture
Figure: DSL/fiber (BRAS/LAC/LNS) and mobile (GGSN) access feeding SCEs deployed as N+1 clusters, 1+1 HA pairs or with bypass HA, connected to the Internet and to accounting / policy control.
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1Q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Figure: packet stacks showing the payload / TCP / IP headers beneath an L2TP or MPLS encapsulation, and beneath PPP.
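Seeing through encapsulation is what makes "the engine must see all the traffic it needs to control" hold in a tunneled network: the classifier has to reach the inner IP and transport headers. The following is an added example, not SCE code: a small decapsulating parser that strips stacked 802.1Q tags, an MPLS label stack, IP-in-IP and GRE (one of the encapsulations the slide lists as planned) before reading the inner addresses and ports. L2TP/PPP is not handled here. The frame builder and its addresses are constructed.

```python
import struct
from dataclasses import dataclass, field


@dataclass
class Parsed:
    encaps: list = field(default_factory=list)   # outer layers stripped, outermost first
    src: str = ""
    dst: str = ""
    proto: int = 0
    sport: int = 0
    dport: int = 0


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_frame(data):
    """Walk from the Ethernet header down to the innermost IP/transport header."""
    p = Parsed()
    (ethertype,) = struct.unpack_from("!H", data, 12)
    off = 14
    while ethertype == 0x8100:                    # 802.1Q, possibly stacked (QinQ)
        p.encaps.append("vlan")
        (ethertype,) = struct.unpack_from("!H", data, off + 2)
        off += 4
    if ethertype == 0x8847:                       # MPLS label stack
        while True:
            label = data[off:off + 4]
            off += 4
            p.encaps.append("mpls")
            if label[2] & 0x01:                   # bottom-of-stack bit
                break
        if data[off] >> 4 != 4:                   # no control word: expect IPv4 directly
            raise ValueError("only IPv4 under MPLS is handled")
        ethertype = 0x0800
    if ethertype != 0x0800:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    return _parse_ipv4(data, off, p)


def _parse_ipv4(data, off, p):
    ihl = (data[off] & 0x0F) * 4
    proto = data[off + 9]
    p.src, p.dst = _ip(data[off + 12:off + 16]), _ip(data[off + 16:off + 20])
    off += ihl
    if proto == 4:                                # IP-in-IP (RFC 2003)
        p.encaps.append("ipip")
        return _parse_ipv4(data, off, p)
    if proto == 47:                               # GRE (RFC 2784/2890)
        flags, ptype = struct.unpack_from("!HH", data, off)
        off += 4
        if flags & 0x8000:
            off += 4                              # checksum + reserved1
        if flags & 0x2000:
            off += 4                              # key
        if flags & 0x1000:
            off += 4                              # sequence number
        p.encaps.append("gre")
        if ptype != 0x0800:
            raise ValueError("non-IPv4 GRE payload")
        return _parse_ipv4(data, off, p)
    p.proto = proto
    if proto in (6, 17):                          # TCP and UDP ports sit at the same offsets
        p.sport, p.dport = struct.unpack_from("!HH", data, off)
    return p


def _ipv4(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left zero; this parser does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))


def _mpls(label, bottom):
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | 64)


def sample_frame():
    """Constructed: 802.1Q + two MPLS labels + IPv4 + GRE(key) + IPv4 + TCP 40000->443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)
    inner = _ipv4("192.0.2.10", "198.51.100.20", 6, len(tcp)) + tcp
    gre = struct.pack("!HHI", 0x2000, 0x0800, 1234) + inner
    outer = _ipv4("10.1.1.1", "10.2.2.2", 47, len(gre)) + gre
    return (struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x8100) + struct.pack("!HH", 100, 0x8847)
            + _mpls(16, False) + _mpls(17, True) + outer)


if __name__ == "__main__":
    print(parse_frame(sample_frame()))
```

The parser records which layers it peeled (vlan, mpls, mpls, gre) alongside the inner 5-tuple; a classifier keyed on the outer tunnel endpoints instead would see one 10.1.1.1 -> 10.2.2.2 flow and could neither attribute traffic to the subscriber nor match the application.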
Management and Integration
What Does an SCE Solution Look Like? The SCE Sits at the Access or Aggregation Layer
Modular solution includes SCE devices, management tools and integration APIs
Figure: the Service Control Engine between subscribers and the network, surrounded by the Subscriber Manager (fed by AAA, DHCP and RADIUS), the Collection Manager (feeding billing and the reporting tool), the Engage console, the service portal and the policy server / portal.
Management and Integrations
Area | Description | Protocols and tools | External software modules
Network management | FCAPS | SNMP, CLI, SSH | N/A
Policy / service configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data collection | Collection of usage data for reporting and billing | NetFlow v9, RDR protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2): MIB-II plus a proprietary SE MIB covering link throughput, flow statistics, subscriber statistics, device performance and RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI: Telnet / SSH, Cisco look and feel, CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites (SCE, CM, SM, database)
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate that subscriber's real-time report
Service Security Dashboard
Integrated console to manage the service security functionality:
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Figure: the B-RAS sends RADIUS accounting to the Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller), which pushes the mapping to the SCE serving the subscribers.
1. (RADIUS) Acct-Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start forwarded to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE
Subscriber Manager: RADIUS Integration - Pull
Figure: the same components as the push case, but the SCE queries the SM when it sees traffic from an IP it does not know.
1. (RADIUS) Acct-Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start forwarded to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
RADIUS / DHCP Integration: LEGs' Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-sniffer RADIUS LEG, RADIUS listener LEG
DHCP LEGs: CNR LEG, SCE-sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates its input into SM login events (subscriber ID, domain, mappings, lease time, policy) and logout events (subscriber ID, mappings).
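The push and pull slides and the LEG summary describe one state machine: a LEG turns RADIUS accounting into SM login/logout, the SM keeps the subscriber context and IP index, and an SCE either receives the mapping (push) or asks for it when it sees an unknown IP (pull). The added example below, which is not the Cisco SM API or a real LEG, models that flow end to end with Joe's Acct-Start/Stop from the slides. The attribute name SCE-VAS-PID is taken from the slide; the anonymous default package 0, the NAS-to-SCE push table and the session are assumptions.

```python
from dataclasses import dataclass

DEFAULT_POLICY = 0   # package applied to traffic with no subscriber context (assumption)


@dataclass
class SubscriberContext:
    subscriber_id: str
    mappings: set            # network IDs (IP addresses) that map traffic to this context
    policy_id: int
    domain: str = "default"
    lease_expiry: float = None


class Sce:
    """Minimal SCE-side mapping table; falls back to pulling from the SM."""

    def __init__(self, name, sm):
        self.name, self.sm = name, sm
        self.table = {}          # ip -> (subscriber_id, policy_id)

    def push_login(self, ip, subscriber_id, policy_id):
        self.table[ip] = (subscriber_id, policy_id)

    def push_logout(self, ip):
        self.table.pop(ip, None)

    def classify(self, ip):
        """Subscriber and package for a packet from `ip`."""
        if ip not in self.table:
            ctx = self.sm.lookup_ip(ip)                 # pull: "who is using IP x?"
            if ctx is None:
                return ("anonymous", DEFAULT_POLICY)
            self.table[ip] = (ctx.subscriber_id, ctx.policy_id)
        return self.table[ip]


class SubscriberManager:
    def __init__(self):
        self.contexts = {}       # subscriber_id -> SubscriberContext
        self.by_ip = {}          # network ID -> subscriber_id
        self.sces = []
        self.push_targets = {}   # NAS identifier -> Sce that serves it (push mode)

    def register(self, sce, nas_ids=()):
        self.sces.append(sce)
        for nas in nas_ids:
            self.push_targets[nas] = sce

    def login(self, subscriber_id, mappings, policy_id, nas_id=None, lease_expiry=None):
        ctx = SubscriberContext(subscriber_id, set(mappings), policy_id, lease_expiry=lease_expiry)
        self.contexts[subscriber_id] = ctx
        for ip in mappings:
            self.by_ip[ip] = subscriber_id
        target = self.push_targets.get(nas_id)
        if target is not None:                           # push mode for this NAS
            for ip in mappings:
                target.push_login(ip, subscriber_id, policy_id)

    def logout(self, subscriber_id):
        ctx = self.contexts.pop(subscriber_id, None)
        if ctx is None:
            return
        for ip in ctx.mappings:
            self.by_ip.pop(ip, None)
            for sce in self.sces:                        # invalidate pushed and pulled entries
                sce.push_logout(ip)

    def lookup_ip(self, ip):
        sid = self.by_ip.get(ip)
        return self.contexts.get(sid) if sid else None


class RadiusListenerLeg:
    """LEG: translates RADIUS accounting packets (as attribute dicts) into SM login/logout."""

    def __init__(self, sm):
        self.sm = sm

    def handle(self, attrs):
        sid = attrs["User-Name"]
        if attrs["Acct-Status-Type"] == "Start":
            self.sm.login(sid, [attrs["Framed-IP-Address"]],
                          int(attrs.get("SCE-VAS-PID", DEFAULT_POLICY)), nas_id=attrs.get("NAS-Identifier"))
        elif attrs["Acct-Status-Type"] == "Stop":
            self.sm.logout(sid)


def sample_session():
    """Constructed: sce1 is pushed logins for bras-1, sce2 only pulls; Joe logs in with package 12."""
    sm = SubscriberManager()
    sce1, sce2 = Sce("sce1", sm), Sce("sce2", sm)
    sm.register(sce1, nas_ids=["bras-1"])
    sm.register(sce2)
    leg = RadiusListenerLeg(sm)
    leg.handle({"Acct-Status-Type": "Start", "User-Name": "Joe", "NAS-Identifier": "bras-1",
                "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"})
    pushed = dict(sce1.table)                      # populated without any query
    via_pull = sce2.classify("1.2.3.4")            # sce2 has to ask the SM
    leg.handle({"Acct-Status-Type": "Stop", "User-Name": "Joe", "NAS-Identifier": "bras-1",
                "Framed-IP-Address": "1.2.3.4"})
    return pushed, via_pull, sce2.classify("1.2.3.4")
```

The logout path is where pull-mode deployments go wrong in practice: an SCE that cached a pulled mapping will keep attributing 1.2.3.4 to Joe after the address is reassigned unless the SM invalidates every SCE, which is why the SM here notifies all registered devices and not only the push target.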
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing and quota provisioning use cases
NetFlow v9: allows integration for billing and quota provisioning use cases
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping the network ID to the subscriber ID, together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE <-> Subscriber Manager <-> policy server, via the API on each link.
PCEF - Subscriber Policy Enforcement
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF is through a standard Gx interface
Figure: subscriber -> access aggregation and service control (SCE as PCEF) -> converged packet core (GGSN) -> Internet, video and VoIP applications and services (numbered steps 1-5).
Note: the Gx interface is still under development and will be available in a future release.
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages.
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow Collector.
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR Protocol:
TCP, binary encoded
Support for multiple destination / failover subscriptions
RDR Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: SCE -> RDR stream over TCP -> Mediation/Collection Platform; each RDR consists of a Header followed by Field 0, Field 1, ..., Field n
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE -> SCMS Collection Manager -> SCMS Reporter; SCE -> NetFlow Collector -> NetFlow Reporter
Collection Manager: Software Overview
CM Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selectable DSCP values.
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (i.e. Upstream / Downstream)
Diagram: Subscriber side <-> SCE <-> Network side; upstream and downstream flows for Browsing, P2P and VoIP
ToS Classification
SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network.
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.
Summary
Cisco SCE Sample Customers
Customer logos grouped by access type: Mobile, DSL, Cable
Partner and customer logo slide (columns recovered from the figure):
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Operators named: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Partner and customer logo slide, continued:
Flash Caching / Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Operators and others named: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
iPhone Launch
1 million customers within 2 months
> 40% new AT&T customers
Revenue sharing with Apple
gPhone inside
TV on your Mobile Phone
Skype goes Mobile
Alex Day, AKA Nerimon (19 years old)
Number 1 most popular of Britain's YouTubers; 30,000 subscribers tune into him every day
European operator: "Video is number 1 application that is killing our network"
Who Will Capture the Value?
Value chain (from the figure): Content/Application Providers; Aggregators/Integrators/Over the Top (OTT); Network-Based Operators; Virtual Network Operators; Device/Services
Source: Cisco IBSG Analysis, March 2006
OTTs Create Three Areas of Concern for SPs...
Un-monetised Traffic Growth
Service Substitution
Changing User Behaviour - New Sources of Revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows Mobile service providers to cope with the dynamic nature of the net:
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting.
DPI enables Mobile SPs to implement capacity management and fair-use policies:
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota).
DPI empowers Mobile SPs to implement advanced targeted advertising schemes.
Application Architecture of the Future: SCE enables User Experience
Diagram: Service Control Point inside the Service Provider Network, between access networks (Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable) and services (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music)
What Is the Service Control Engine?
Figure labels: Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity, Technology
Rapidly Programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with Per-Subscriber BW Management and Quotas
Extensible Platform & Open Architecture: based upon a flexible purpose-built platform; modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
Carrier Class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 Gigabit speeds, and high availability & reliability with stateful failover
Process of Service Control
Intelligent inspection and control of IP packets:
Classify to end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions - time of day, congestion, usage, other concurrent activities
Take action and report: Block, Redirect, Set QoS, Mark, Report
Service Control Engine: Functional Examples
Figure axes: Cost Management / Revenue Generation; areas: Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement, Content Charging (Service Control Technology)
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam, Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control & Content Filtering
Service Control Platforms
Category                                  | SCE1000              | SCE2000                          | SCE8000
Interfaces                                | 2-GBE (Fiber SX/LX)  | 4-GBE (Fiber SX/LX)              | 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX)
Mgmt Interface                            | 2 x 10/100/1000 Eth  | 2 x 10/100/1000 Eth              | 2 x 10/100/1000 Eth
Max Concurrent Unidirectional App. Flows  | 2M                   | 2M                               | 16M (can grow up to 32M)
Max Subscriber-Contexts                   | 200,000              | 200,000                          | 1M
Network Configuration                     | Out of Line, Inline  | Out of Line, Inline, Clustering  | Out of Line, Inline, Clustering
SCE Product Family and Milestones
Figure: capacity (concurrent subscribers) from 200K to 1M and performance from 5 Gbps to 40 Gbps across SCE 1000, SCE 2000 and SCE 8000
SCE 8000:
2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces
Classification of up to 32 million concurrent unidirectional application flows
Total throughput of 15 Gbps (30+ Gbps by end of 2009)
Up to 1M concurrent subscribers
Complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
Industry-leading Deep Packet Inspection
Rich set of IP services: Content Filtering, Content Charging, Traffic Optimization, Usage Analysis
3GPP Compliant
The SCE Mobile Solution
Diagram: SGSN/GGSN -> SCE -> Core -> Internet; SCE connected to AAA (Radius), Policy Server, Portal/Applications, Billing & Charging
The SCE Mobile Solution - 3GPP Compliance
Diagram: as the previous slide, with the 3GPP roles overlaid: SCE as PCEF; Policy Server as PCRF (Gx); Billing & Charging as OCF/SRP (Gy); Portal/Applications as AF
What does an SCE solution look like? SCE sits at the access or aggregation layer
Diagram components: Subscriber Manager; AAA / DHCP / Radius; Billing; Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server / Portal; Service Control Engine between Subscribers and Network
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
Figure axis: Usage Analysis -> Service Creation
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement Service Self Selection; implement Over-The-Top (OTT) Application Strategy and Blended Services; implement Security Services (Anti-X, Quarantine, etc.); innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
Diagram elements: Portal, DHCP, AAA, Subs Profile, Policy
What does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information & per-subscriber re-direction to Ad Server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat rate, all you can eat
Usage/Content Based Billing: global migration from flat rate to usage based
Fair Use Policy: all HSDPA mobile operators
Figure labels: Flat Rate, Restricted
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
Cycle phases (with Cisco Service Control): Measure -> Analyze -> Compare -> Decide -> Act
Figure labels: Strategic; Part of Business Ops; Customer; Sales; Category Recognition
Items along the cycle: Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Service Offering; Marketing Review; Intersecting Set; Engineering Review; IT Review; Network Tuning; Cooperation
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
Figure: report filtered to "Only ClickStream"
Cumulative & Average Usage Distribution
Top 1% => 15%+ of Traffic
Top 10% => 60%+ of Traffic
Top 20% => 80%+ of Traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
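The figures above come from the cumulative usage distribution of the subscriber base. The following Python is an added example, not from the Cisco deck: it computes the top-N% traffic share and the fraction of subscribers a daily quota would hit, using constructed synthetic per-subscriber volumes (the numbers are not measurements).

```python
"""Cumulative usage distribution and quota impact (added example, not Cisco code).

The subscriber volumes are constructed synthetic data, not real measurements.
"""
import random

MB = 1024 * 1024
GB = 1024 * MB


def make_sample_usage(n=10_000, seed=7):
    """Return a constructed list of daily volumes (bytes), one per subscriber.

    A Pareto draw gives the heavy-tailed shape the slide describes: a few
    subscribers carry most of the traffic. The values are synthetic.
    """
    rng = random.Random(seed)
    return [int(rng.paretovariate(1.2) * 40 * MB) for _ in range(n)]


def traffic_share_of_top(usage, top_fraction):
    """Fraction of total bytes consumed by the top `top_fraction` of subscribers."""
    if not usage:
        return 0.0
    ordered = sorted(usage, reverse=True)
    k = max(1, round(len(ordered) * top_fraction))
    return sum(ordered[:k]) / sum(ordered)


def share_over_quota(usage, quota_bytes):
    """Fraction of subscribers whose daily volume exceeds the quota."""
    if not usage:
        return 0.0
    return sum(1 for u in usage if u > quota_bytes) / len(usage)


def quota_hitting_top(usage, top_fraction):
    """Largest quota (bytes) that still impacts the top `top_fraction` of
    subscribers: the volume of the first subscriber just below that group."""
    ordered = sorted(usage, reverse=True)
    k = max(1, round(len(ordered) * top_fraction))
    return ordered[k] if k < len(ordered) else 0


def usage_report(usage, quota_bytes):
    """Summarise the distribution the way the slide does."""
    return {
        "top1_share": traffic_share_of_top(usage, 0.01),
        "top10_share": traffic_share_of_top(usage, 0.10),
        "top20_share": traffic_share_of_top(usage, 0.20),
        "subs_over_quota": share_over_quota(usage, quota_bytes),
    }


if __name__ == "__main__":
    sample = make_sample_usage()
    for key, value in usage_report(sample, 5 * GB).items():
        print(f"{key}: {value:.1%}")
```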
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some of the use cases, such as Traffic Optimization; in such a case there is no need to recognize the specific P2P application
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level):
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Figure: policy implementation impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: a subscriber's bandwidth is shared between peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the allocation adapts to make room for it
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, longer-term violation of the subscription plan's acceptable usage policies must be monitored and acted on to ensure a balanced community of subscribers.
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
Figure: no fairness - some of the subscribers are not getting a fair share of the BW, versus fair allocation of BW with the SCE's FairShare
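The two fair-usage slides above argue that an equal split at one instant ignores what each subscriber consumed just before, and that the scheme should act only during congestion. The Python below is an added example, not Cisco's FairShare implementation: it weights each subscriber by recent usage (the weighting rule and the 0:40 scenario numbers are assumptions) and applies a weighted max-min allocation only when demand exceeds capacity.

```python
"""Fair share allocation under congestion (added example, not Cisco's FairShare).

Assumed rule: a subscriber's weight shrinks with its recent usage; a weighted
max-min (progressive filling) allocation is applied only while total demand
exceeds link capacity, so outside congestion nobody is touched.
"""


def recent_usage_weight(recent_bytes, reference_bytes):
    """Weight in (0, 1]: 1.0 for an idle subscriber, 0.5 at `reference_bytes`
    of recent usage, and so on. This rule is an assumption, not from the deck."""
    if reference_bytes <= 0:
        raise ValueError("reference_bytes must be positive")
    return 1.0 / (1.0 + recent_bytes / reference_bytes)


def weighted_max_min(demands, weights, capacity):
    """Weighted max-min fair allocation by progressive filling.

    demands/weights: dicts keyed by subscriber; capacity: total link rate.
    No subscriber gets more than it demands; spare capacity is spread over
    the still-unsatisfied subscribers in proportion to their weights.
    """
    alloc = {s: 0.0 for s in demands}
    remaining = float(capacity)
    active = {s for s in demands if demands[s] > 0}
    while active and remaining > 1e-9:
        total_w = sum(weights[s] for s in active)
        # largest step that neither exceeds the remaining capacity nor
        # over-fills the subscriber closest to its demand
        step = min((demands[s] - alloc[s]) / weights[s] for s in active)
        step = min(step, remaining / total_w)
        for s in active:
            alloc[s] += step * weights[s]
        remaining -= step * total_w
        active = {s for s in active if demands[s] - alloc[s] > 1e-9}
    return alloc


def fair_usage_allocate(demands, recent_usage, capacity, reference_bytes):
    """Allocate link rate to subscribers.

    Outside congestion (total demand fits the link) every subscriber simply
    gets its demand; the slide's FairUsage likewise acts only during congestion.
    """
    if sum(demands.values()) <= capacity:
        return dict(demands)
    weights = {s: recent_usage_weight(recent_usage.get(s, 0), reference_bytes)
               for s in demands}
    return weighted_max_min(demands, weights, capacity)


def equal_split(demands, capacity):
    """The naive 'divide equally' rule the slide questions."""
    share = capacity / len(demands)
    return {s: min(share, demands[s]) for s in demands}


if __name__ == "__main__":
    # Constructed scenario: at 0:40 both subscribers want the whole 10 Mbit/s
    # link, but B already pulled 90 MB in the preceding window while A was idle.
    demands = {"A": 10.0, "B": 10.0}
    recent = {"A": 0, "B": 90 * 1024 * 1024}
    print("equal split:", equal_split(demands, 10.0))
    print("fair share: ", fair_usage_allocate(demands, recent, 10.0, 30 * 1024 * 1024))
```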
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN -> SGSN/GGSN -> SCE -> Internet (GPRS); SCE connected to Policy Server
Tiered Services
Requirement: Flexible Billing Plans
Bill by bandwidth usage over an always-on service: Volume, Time
Bill differently for each type of application and content: Volume, Time, Transaction, Content Type
Bill differently for the same content based on quality, priority, time of day and usage pattern: Volume, Time, Transaction, Content Type, Usage Pattern, Quality of Service
Figure label: Subscription
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Subscribers -> Service Control Engine -> Network; SCE connected to Quota Manager, Billing/Mediation, Policy Server
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's Content Delivery Store
P2P technology can also be supported in the upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change with time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
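The following Python is an added example, not Cisco code, showing the quota accounting the slide describes: usage for the SP's own or partner services is exempt, and the transfer-to-quota ratio depends on the hour. The service identifiers, the 07:00-23:00 peak window and the record layout are assumptions; the 1:1 peak and 10:1 night ratios are the slide's.

```python
"""Quota accounting with exempted services and time-of-day rates
(added example, not Cisco code).

Service names, the peak-hour window and the record layout are assumptions;
the 1:1 peak and 10:1 night ratios are the ones the slide gives.
"""
from dataclasses import dataclass

# Traffic the SP earns revenue on other than access: not counted against quota.
# Constructed service identifiers.
EXEMPT_SERVICES = frozenset({
    "sp_content_store", "sp_gaming", "sp_voip", "partner_cds",
})

# Assumed peak window: 07:00-23:00 counts 1:1, the rest of the night 10:1.
PEAK_HOURS = range(7, 23)


def quota_rate(hour):
    """Bytes of transfer per byte of quota for the given hour of day (0-23)."""
    if not 0 <= hour <= 23:
        raise ValueError(f"hour out of range: {hour}")
    return 1 if hour in PEAK_HOURS else 10


@dataclass(frozen=True)
class UsageRecord:
    """One usage record for a subscriber: classified service, bytes, hour."""
    service: str
    transferred: int
    hour: int


def quota_charge(record):
    """Quota bytes to deduct for a single record (0 for exempt services)."""
    if record.transferred < 0:
        raise ValueError("negative volume")
    if record.service in EXEMPT_SERVICES:
        return 0
    # integer division: a partial quota byte at the 10:1 rate is not charged
    return record.transferred // quota_rate(record.hour)


def apply_quota(records, quota_bytes):
    """Charge a list of records against a quota.

    Returns (charged, exempt_transferred, remaining, exhausted).
    """
    charged = 0
    exempt = 0
    for rec in records:
        if rec.service in EXEMPT_SERVICES:
            exempt += rec.transferred
        charged += quota_charge(rec)
    remaining = max(0, quota_bytes - charged)
    return charged, exempt, remaining, charged >= quota_bytes


if __name__ == "__main__":
    # Constructed sample day for one subscriber.
    day = [
        UsageRecord("web", 300_000_000, 12),               # peak, counts 1:1
        UsageRecord("sp_voip", 50_000_000, 13),            # exempt
        UsageRecord("p2p", 2_000_000_000, 3),              # night, counts 10:1
        UsageRecord("sp_content_store", 700_000_000, 20),  # exempt
    ]
    print(apply_quota(day, 1_000_000_000))
```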
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
Diagram: GGSN (Access Aggregation and Service Control) -> SCE (Subscriber Service Control) -> Converged Packet Core -> Internet; Video/VoIP Applications and Services; numbered message-flow steps 1-3
The Gy interface is still under development and will be available in a future release.
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: Volume, Time, Event driven
High availability and load balancing between Online Charging Servers
Diagram: SCE <- Gy over Diameter -> Online Charging Server; SCE -> Internet
The Gy interface is still under development and will be available in a future release.
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements Speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
Telenet customer portal (screenshot): view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around
Redirect Page
Redirect page in case 100% of quota is reached. Three options are presented to the subscriber:
Extend subscription - buy more
Pay as you go on broadband
Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Plan table as extracted (✓ = allowed, ✗ = not allowed); columns: Default, WnW, WnW Pro, WnW, WNW Plus, WnW Max, Post Pay Day Pass
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
VoIP: ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM: ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P: ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media Stream: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web Browsing: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads: ✓ ✗ ✓ ✓ ✓ ✓ ✓
Emails: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem: ✓ ✗ ✓ ✗ ✓ ✓ ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven ("Turbo Button", Self-Care, Parental Control)
"Push": enhanced experience is application-driven (IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
Figure: Application Awareness and Control Bus
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service: Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists / blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Screenshot: "Content Blocked - Click here to unlock all Internet sites"
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration (diagram): URL not in cache -> URL Query RDR to 3rd-party URL database -> return URL classification -> cache lookup / update
Subscriber-Package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none         | ALLOW        | ALLOW            | ALLOW
Block-all          | ALLOW        | BLOCK            | BLOCK
Block-and-slow     | ALLOW        | BLOCK            | RATE 64kbps
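The cache-then-query flow and the package action table above can be modelled end to end. The Python below is an added example, not the SCE's Java API: an LRU cache sits in front of a stand-in external database (hosts and list contents are constructed placeholders), and the action is read from the slide's table for the subscriber's package.

```python
"""On-device URL filtering with an external classification DB and an on-board
cache (added example, not the SCE's Java API). The host list and database
contents are constructed; the action table is the one on the slide.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

# Package policy from the slide: action per (package, URL list id).
# "DEFAULT" is the classification for hosts on neither list.
ACTIONS = {
    "Block-none":     {"DEFAULT": "ALLOW", "LIST1": "ALLOW", "LIST2": "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "RATE 64kbps"},
}


def host_of(url):
    """Normalise a URL to the lower-case host used as the classification key."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


class UrlClassifier:
    """Bounded LRU cache in front of an external host -> list-id lookup.

    `external_db` stands in for the 3rd-party database query (an RDR round
    trip on the SCE); it is called only on a cache miss.
    """

    def __init__(self, external_db, cache_size=1024):
        self._db = external_db
        self._cache = OrderedDict()
        self._cache_size = cache_size
        self.db_queries = 0  # how many times the external DB was consulted

    def classify(self, url):
        host = host_of(url)
        if host in self._cache:
            self._cache.move_to_end(host)      # refresh LRU position
            return self._cache[host]
        self.db_queries += 1
        list_id = self._db(host) or "DEFAULT"  # unknown host: on no list
        self._cache[host] = list_id
        if len(self._cache) > self._cache_size:
            self._cache.popitem(last=False)    # evict least recently used
        return list_id

    def decide(self, package, url):
        """Action for a subscriber in `package` requesting `url`."""
        if package not in ACTIONS:
            raise KeyError(f"unknown package {package!r}")
        return ACTIONS[package][self.classify(url)]


# Constructed stand-in for the external database (hosts are placeholders).
SAMPLE_DB = {"adult.example": "LIST1", "games.example": "LIST2"}


def sample_db_lookup(host):
    return SAMPLE_DB.get(host)


if __name__ == "__main__":
    clf = UrlClassifier(sample_db_lookup)
    for pkg in ACTIONS:
        print(pkg, clf.decide(pkg, "http://games.example/play"),
              clf.decide(pkg, "http://news.example/"))
    print("external queries:", clf.db_queries)
```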
Parental Control and Content Filtering: Example
Content Filtering (screenshot: "Page Blocked - Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
Figure: Advertiser -> Publisher -> Consumer, with the ISP contributing Demographics, Browsing habits and Geo-location to BetterAds
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs to participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
P2P Identification: Infringing / Non-Infringing

Diagram: subscriber, network, SCE, hash DB.
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file

- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service

- SCE analyzes OTT traffic and redirects it to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE

Diagram: the SCE sits between subscribers and the Internet (OTT, other OTT/P2P, VoIP); the SCE redirects OTT traffic and the OTT video cache delivers the requested files.

Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Increase in demand for OTT
- Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges

Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)

Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs

Ability to identify and mitigate attacks emanating from its own users

Service Security Protection

Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts

Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk

Diagram: Service Control between subscribers, email servers and the Internet; sample notification:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

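The three tiers above, as an added example that is not Cisco code: a toy Identify / Protect / Notify pipeline run over constructed flow records. The flow fields, the thresholds and the mitigation policy table are assumptions standing in for what an operator would configure in the Service Security Dashboard.

```python
"""Added example, not Cisco code: a toy model of the Identify / Protect /
Notify tiers, run over constructed flow records.  Field names, thresholds
and the policy table are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    ts: int             # seconds since start of the capture
    subscriber: str     # Subscriber-ID the SCE mapped the source IP to
    dst_ip: str
    dst_port: int


# Identification thresholds (assumed values): a threat fires when one
# subscriber contacts more than `distinct_dst` distinct hosts on `port`
# within `window` seconds.
THRESHOLDS = {
    "spam_zombie": {"port": 25, "distinct_dst": 20, "window": 60},
    "worm_scan": {"port": 445, "distinct_dst": 50, "window": 60},
}

# Assumed per-threat mitigation policy: ports to block, and whether to
# quarantine the subscriber (redirect web traffic to a notification page).
POLICY = {
    "spam_zombie": {"block_ports": {25}, "quarantine": True},
    "worm_scan": {"block_ports": {445, 139}, "quarantine": True},
}


def identify(flows: List[Flow], thresholds=THRESHOLDS) -> Dict[str, List[str]]:
    """Tier 1 (Identify): per-subscriber anomaly detection.  Slides a time
    window over each subscriber's flows to the threat's port and counts
    distinct destinations.  Returns {subscriber: [threat, ...]}."""
    by_sub_port: Dict[tuple, List[Flow]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_sub_port[(f.subscriber, f.dst_port)].append(f)

    alerts: Dict[str, List[str]] = defaultdict(list)
    for name, t in thresholds.items():
        for (sub, port), fl in by_sub_port.items():
            if port != t["port"]:
                continue
            for i, start in enumerate(fl):       # fl is sorted by ts
                in_window = {g.dst_ip for g in fl[i:] if g.ts - start.ts <= t["window"]}
                if len(in_window) > t["distinct_dst"]:
                    alerts[sub].append(name)
                    break
    return dict(alerts)


@dataclass
class Verdict:
    subscriber: str
    threats: List[str]
    blocked_ports: Set[int] = field(default_factory=set)
    quarantined: bool = False
    notification: Optional[str] = None


def enforce(subscriber: str, threats: List[str], policy=POLICY) -> Verdict:
    """Tiers 2 and 3 (Protect, Notify): enforcement state for one subscriber."""
    v = Verdict(subscriber, threats)
    for name in threats:
        v.blocked_ports |= policy[name]["block_ports"]
        v.quarantined = v.quarantined or policy[name]["quarantine"]
    if v.quarantined:
        # Wording modelled on the slide's sample e-mail; the URL is a placeholder.
        v.notification = ("Dear Valued Subscriber, your PC may have become infected "
                          f"({', '.join(threats)}). Click here for technical "
                          "assistance: https://support.example.invalid/")
    return v


def run_pipeline(flows: List[Flow]) -> Dict[str, Verdict]:
    """Identify, then Protect/Notify, for every flagged subscriber."""
    return {sub: enforce(sub, threats) for sub, threats in identify(flows).items()}


def constructed_flows() -> List[Flow]:
    """Constructed sample: 'alice' fans out to 25 distinct hosts on TCP/25
    within 25 s (spam zombie pattern); 'bob' sends ordinary mail and web."""
    flows = [Flow(ts=i, subscriber="alice", dst_ip=f"203.0.113.{i}", dst_port=25)
             for i in range(25)]
    flows += [Flow(ts=100, subscriber="bob", dst_ip="198.51.100.10", dst_port=25),
              Flow(ts=130, subscriber="bob", dst_ip="198.51.100.10", dst_port=25),
              Flow(ts=131, subscriber="bob", dst_ip="198.51.100.80", dst_port=80)]
    return flows
```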
Service Security Protection: Value to the Service Provider

- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users

Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound traffic, outbound traffic, X = traffic blocked.
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration
Network Insertion Point

Typical insertion point - broadband edge/aggregation:
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations

Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"

- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa

Diagram: analysis engine with PDR (police / drop / rewrite) actions.

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy

Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only

Inline configuration:
- Engine installed in the data path
- Monitor and control traffic

Diagram: optical splitters between subscribers and network.

High Availability: Cascading Configurations

- Addressing split flows between the two links
- Providing 1+1 active/standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration

Diagram: Master and Slave SCEs, one on each active link.

Redundant Configurations: Active/Standby Schemes

1+0:
- Active/standby, SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: fail open

1+1:
- Active/standby, SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open

Diagram: active link and standby links.

Optical Bypass

The SCE can be inserted through optical bypass modules.
For the SCE8000 the optical bypass modules are activated in the following cases:
- In case of a major failure in the SCE software or hardware
- Manually via CLI
- On boot

Diagram: SCE8000 with two optical bypass modules; default bypass state (no power) vs. non-default bypass state.

MGSCP Cluster Insertion - N+1 SCEs

- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability - "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability - provides N+1 device-level high availability, addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state

Diagram: 7600 with N+1 SCEs; flows out to the SCEs, return flows back, then on to the Internet.

Network Architectures: SCE's Open & Extensible Architecture

Diagram: N+1, 1+1 HA and bypass HA SCE deployments behind a GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), with accounting/policy control, towards the Internet.

Tunneling Environment: SCE Supports Tunneled IP Traffic

Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009

Diagram: encapsulation stacks Payload / TCP / IP / L2TP or MPLS, and Payload / TCP / IP / PPP.

Management and Integration
What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer

Modular solution includes SCE devices, management tools and integration APIs.

Diagram: Service Control Engine between subscribers and the network; Subscriber Manager (with AAA, DHCP, RADIUS, billing), Collection Manager (reporting tool, Engage console), Policy Server/Portal (service portal).

Management and Integrations

Area                           Description                                              Protocols and tools          External software modules
Network Management             FCAPS                                                    SNMP, CLI, SSH               N/A
Policy/Service Configuration   Definition of policies and dissemination to SE devices   SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management          Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection                Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol     Collection Manager

Network Management (FCAPS)

SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up/down, link status up/down

CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components

- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor

- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter

- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber
- Real-time report

Service Security Dashboard

Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management

Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions.

Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets

Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Subscriber Manager - Roles

- Abstracts the SCE device network layout - single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration - Push

Diagram: B-RAS on the network side, RADIUS server, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE, subscribers.
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, from the B-RAS to the RADIUS server
2. (RADIUS relay) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12, relayed to the Subscriber Manager
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), pushed from the SM to the SCE

Subscriber Manager: RADIUS Integration - Pull

Diagram: same components as the push case.
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, from the B-RAS to the RADIUS server
2. (RADIUS relay) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12, relayed to the Subscriber Manager
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), returned from the SM to the SCE

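The push and pull flows on the two slides above, as an added example that is not Cisco code: a minimal model of the Subscriber Manager handling the relayed accounting messages and updating the SCE, including the logout path that the slides do not show. The attribute names, the Set Subscriber call and the SCE-VAS-PID VSA follow the slides; the Python classes and method names are assumptions for illustration.

```python
"""Added example, not Cisco code: a minimal model of the Subscriber Manager
login flow in push and pull mode.  Attribute names, "Set Subscriber
(Joe, 1.2.3.4, 12)" and SCE-VAS-PID follow the slides; the classes and
method names are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SubscriberContext:
    subscriber_id: str   # Subscriber-ID: here the RADIUS User-Name
    network_id: str      # Network-ID: the Framed-IP-Address mapped to the context
    policy_id: int       # Policy-ID (package): taken from the SCE-VAS-PID VSA


class SCE:
    """Stand-in for the SCE device: the IP -> context mappings it enforces on."""

    def __init__(self, sm: "SubscriberManager"):
        self.sm = sm
        self.mappings: Dict[str, SubscriberContext] = {}

    def set_subscriber(self, ctx: SubscriberContext) -> None:
        """SM-API 'Set Subscriber (id, ip, policy)' from the slides."""
        self.mappings[ctx.network_id] = ctx

    def remove_subscriber(self, network_id: str) -> None:
        self.mappings.pop(network_id, None)

    def policy_for(self, src_ip: str) -> Optional[int]:
        """Policy applied to a flow from src_ip.  In pull mode an unknown IP
        triggers the 'who is using IP ...?' query to the SM (pull step 3)."""
        ctx = self.mappings.get(src_ip)
        if ctx is None and self.sm.mode == "pull":
            ctx = self.sm.who_is_using(src_ip)
            if ctx is not None:
                self.set_subscriber(ctx)   # cache the SM's answer (pull step 4)
        return ctx.policy_id if ctx else None


class SubscriberManager:
    """Holds the internal SDB and drives the SCE device controller."""

    def __init__(self, mode: str):
        if mode not in ("push", "pull"):
            raise ValueError("mode must be 'push' or 'pull'")
        self.mode = mode
        self.sdb: Dict[str, SubscriberContext] = {}   # internal SDB keyed by IP
        self.sces: List[SCE] = []

    def register_sce(self, sce: SCE) -> None:
        self.sces.append(sce)

    def on_accounting(self, attrs: Dict[str, str]) -> None:
        """Handle an Accounting-Request relayed by the RADIUS LEG (steps 1-2).
        The real SM picks the SCE by subscriber domain; this model updates
        every registered SCE."""
        ip = attrs["Framed-IP-Address"]
        if attrs["Acct-Status-Type"] == "Start":
            ctx = SubscriberContext(attrs["User-Name"], ip, int(attrs["SCE-VAS-PID"]))
            self.sdb[ip] = ctx
            if self.mode == "push":
                for sce in self.sces:
                    sce.set_subscriber(ctx)      # push step 3
        elif attrs["Acct-Status-Type"] == "Stop":
            # Logout: drop the mapping in the SDB and on every SCE so that an
            # IP later re-assigned to another user cannot inherit Joe's
            # package, and its usage records are not attributed to Joe.
            self.sdb.pop(ip, None)
            for sce in self.sces:
                sce.remove_subscriber(ip)

    def who_is_using(self, ip: str) -> Optional[SubscriberContext]:
        return self.sdb.get(ip)


def demo(mode: str):
    """Joe logs in at 1.2.3.4 with package 12, logs out, then Ann receives the
    same IP with package 7.  Returns (mapping_present_before_any_traffic,
    joe_policy, policy_after_logout, ann_policy)."""
    sm = SubscriberManager(mode)
    sce = SCE(sm)
    sm.register_sce(sce)
    # Constructed accounting messages using the attribute names from the slides.
    sm.on_accounting({"Acct-Status-Type": "Start", "User-Name": "Joe",
                      "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"})
    pushed = "1.2.3.4" in sce.mappings          # True only in push mode
    joe = sce.policy_for("1.2.3.4")             # 12 in both modes
    sm.on_accounting({"Acct-Status-Type": "Stop", "User-Name": "Joe",
                      "Framed-IP-Address": "1.2.3.4"})
    after_logout = sce.policy_for("1.2.3.4")    # None: mapping was removed
    sm.on_accounting({"Acct-Status-Type": "Start", "User-Name": "Ann",
                      "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "7"})
    ann = sce.policy_for("1.2.3.4")             # 7, not Joe's 12
    return pushed, joe, after_logout, ann
```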
RADIUS Integration: LEG Translation in Brief

LEGs (login event generators) translate AAA events into SM logins and logouts:
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
  - RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
  - DHCP fields used: yiaddr, chaddr, ciaddr
  - Options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)

Login to the SM carries: Subscriber ID, domain, mappings, lease time, policy
Logout carries: Subscriber ID, mappings

Policy Server Integration: API Overview

SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management on the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C, Java)
- SCE MIB - allows integration for maintenance operations
- RDRs - allow integration for billing/quota provisioning
- NetFlow v9 - allows integration for billing/quota provisioning cases

Policy Server Integration: Topology Example

- SCMS SM is responsible for mapping Network ID to Subscriber ID, together with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID

Diagram: SCE - (API) - Subscriber Manager - (API) - Policy Server.

PCEF - Subscriber Policy Enforcement

Diagram: GGSN (access aggregation and service control) - converged packet core - SCE acting as PCEF (subscriber service control) - Internet; PCRF policy server; video/VoIP applications and services; numbered message flow 1-5.

- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release

Gx Interface And RADIUS VSAs

- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release

Collection Manager

- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol

- Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems

Diagram: the SCE streams RDRs over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n.

Collection Manager: NetFlow v9 Export

- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0

Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter).

Collection Manager: Software Overview

CM software:
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)

CM bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)

ToS Marking

- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  - Per package
  - Per service
  - Per direction (upstream / downstream)

Diagram: subscriber side and network side; upstream and downstream flows (browsing, P2P, VoIP).

ToS Classification

- SCE provides traffic classification based on the ToS bits
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

Summary
Cisco SCE Sample Customers

Customer logos grouped by access type: Mobile, DSL, Cable.

Sample Customers and Partners by Application Area

Two slides of customer and partner logos; cells listed in slide order.

Security & Content Filtering, Policy & Billing, URL Black-listing, Advertising:
- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, in-platform cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
- Phorm, Feeva, Adzilla, local China, local Italy
- UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Flash Caching/Video, Content Infringement, Management/Reporting, Data Warehousing:
- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet

Mobile data examples:
- gPhone inside
- TV on your mobile phone
- Skype goes mobile

Alex Day, AKA Nerimon (19 years old): number 1 most popular of Britain's YouTubers; 30,000 subscribers tune in to him every day.

European operator: "Video is the number 1 application that is killing our network."

Who Will Capture the Value?

Diagram: Content/Application Providers, Aggregators/Integrators/Over-the-Top (OTT), Network-Based Operators, Virtual Network Operators, Device/Services.
Source: Cisco IBSG Analysis, March 2006

OTTs Create Three Areas of Concern for SPs...

- Un-monetised traffic growth
- Service substitution
- Changing user behaviour - new sources of revenue
...while remaining innovative, acquisitive and highly valued.
Source: Cisco IBSG

Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks

- DPI allows mobile service providers to cope with the dynamic nature of the net:
  - permits SPs to classify all IP applications
  - provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
- DPI provides usage analysis and reporting
- DPI enables mobile SPs to implement capacity management and fair-use policies:
  - to gain visibility into network activities
  - to optimize network bandwidth and improve network performance
  - to guarantee a consistent QoE over RAN and backhaul
- DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
- DPI empowers mobile SPs to implement advanced targeted advertising schemes

Application Architecture of the Future: SCE Enables the User Experience

Diagram: Service Control Point in the service provider network, between access types (fixed, wireless, DSL, cellular, WiFi mesh, WiMAX, enterprise, cable) and services (gaming, messaging, broadband access, voice, IPTV/VoD, music).

What Is the Service Control Engine?

Application awareness, subscriber intelligence, real-time control, service velocity.

Technology:
- Rapidly programmable: rapidly re-tasked to support new protocols or applications
- Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
- Application session-level bandwidth shaping, blocking, redirecting (HTTP, RTSP, SIP)
- Subscriber state management with per-subscriber BW management and quotas
- Extensible platform & open architecture: based upon a flexible, purpose-built platform; modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
- Carrier class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 Gigabit speeds, and high availability & reliability with stateful failover

Process of Service Control

Intelligent inspection and control of IP packets:
1. Classify to the end-user application; determine application semantics
2. Map to subscriber identity, policy and state
3. Select action based on conditions - time of day, congestion, usage, other concurrent activities
4. Take action and report: block, redirect, set QoS, mark, report

Service Control Engine: Functional Examples

Functional areas, arranged from cost management to revenue generation: service security, traffic optimization, usage analysis, tiering & access control, premium service enablement, content charging.

- Traffic anomaly detection and DDoS protection
- Anti-X (spam, worms)
- Safe harbor and quarantine services
- Traffic mix optimization
- Fair use policy enforcement
- QoS assurance
- Traffic analysis and reporting
- Quality of experience monitoring
- Usage demographics
- Service self selection
- Volume and time based tiering of services
- Bandwidth on demand (Turbo Button)
- Over-the-top application partnership services
- Multimedia (voice/video) traffic prioritization
- Volume and time based billing services
- Parental control & content filtering

Service Control Platforms

Category                                          SCE1000               SCE2000                          SCE8000
Interfaces                                        2-GBE (Fiber SX/LX)   4-GBE (Fiber SX/LX)              2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX)
Mgmt interface                                    2 x 10/100/1000 Eth   2 x 10/100/1000 Eth              2 x 10/100/1000 Eth
Max concurrent unidirectional application flows   2M                    2M                               16M (can grow up to 32M)
Max subscriber contexts                           200,000               200,000                          1M
Network configuration                             Out of line, inline   Out of line, inline, clustering  Out of line, inline, clustering

SCE Product Family and Milestones

Chart: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps, for SCE 1000, SCE 2000 and SCE 8000.

SCE 8000: 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of '09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics.

Cisco SCE In Mobile

- Industry-leading deep packet inspection
- Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
- 3GPP compliant

The SCE Mobile Solution

Diagram: GGSN/SGSN - SCE - core - Internet; the SCE is integrated with AAA (RADIUS), policy server, portal/applications, and billing & charging.

The SCE Mobile Solution - 3GPP Compliance

Diagram: the same topology, with the SCE as PCEF talking Gy/Gx to the PCRF, OCF/SRP and AF functions.

What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer

1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Diagram: Service Control Engine between subscribers and the network; Subscriber Manager (AAA, DHCP, RADIUS, billing), Collection Manager (reporting tool, Engage console), Policy Server/Portal (service portal).

Service Control Engine Deployment Approaches

Progression from usage analysis to service creation:
1. Traffic analysis & business intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity control & fair-use policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue generating services: implement tiered services using volume and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized app services and pay-as-you-go services

Diagram: portal, DHCP, AAA, subscriber profile, policy.

What Does a Service Provider Want From SCE? Profitability

- URL blacklisting: restricting sites that are blacklisted by governments
- Precision advertising: demographic information & per-subscriber redirection to an ad server
- Copyright infringement blocking: blocking distribution of pirated film/music
- OTT revenue share proposition: application intercept for Internet content prioritisation
- Enhanced tiered services: product tiers in addition to flat-rate, all-you-can-eat (flat rate / restricted)
- Usage/content based billing and fair use policy: all HSDPA mobile operators; global migration from flat rate to usage based

Traffic Analysis and Business Intelligence
Business Intelligence Cycle

Cycle stages: Measure, Analyze, Compare, Decide, Act, with Cisco Service Control at the measure and act ends (strategic, part of business ops, customer, sales, category, recognition).

Elements shown around the cycle: transactions information, network utilization, service QoE, data aggregation, data mining, correlation, trend analysis, geographies comparison, histogram view, service offering, marketing review, intersecting set, engineering review, IT review, network tuning, cooperation.

Video Reports

- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application

Web Reports

- Insights into web traffic: top domains, top hosts
- Insights into all popular Google hosts

Web Reports: ClickStream

- The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
- ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed

Chart: all HTTP requests vs. only ClickStream.

Cumulative & Average Usage Distribution

- Top 1% => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5G daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support: Protocol Pack Updates

Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market

PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs. Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM

Behavioral Signatures

Finding new signatures becomes a difficult task:
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge.

Behavioral Classification: Benefits

- Scalability: the behavioral approach is capable of recognizing the application flows based on only a few signatures - one signature per application family instead of a signature per application (Behavioral P2P)
- Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
- Time to market - zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management and Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions (service level) and their implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net, peering, transit

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: as a subscriber launches mobile TV (video), bandwidth is taken from the peer-to-peer service while web browsing and email keep their share.

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, longer-term violations of the subscription plan's acceptable-usage policy must be monitored and acted on, to keep the community of subscribers balanced
Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides the bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic-management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the quality of experience the network delivers
- Minimize service abuse
FairUsage works only during congestion.
Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly.

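The allocation the two slides above argue for can be made concrete as a weighted max-min (water-filling) computation, where a subscriber's weight shrinks with what it consumed in the short-term window. The following is an added example written for this page; it is not Cisco code and not the SCE's actual FairShare algorithm, which the deck does not describe. The subscriber names, demands, window and reference volume are constructed.

```python
# Added example: weighted max-min fair bandwidth allocation, applied only while
# the link is congested. Not Cisco code; the SCE's real algorithm is not
# described in the deck, and all inputs below are constructed.


def usage_weight(recent_bytes, reference_bytes):
    """Weight a subscriber's claim on the link by its recent consumption.

    A subscriber who used nothing in the short-term window keeps weight 1.0;
    one who already used `reference_bytes` drops to 0.5, and so on. The window
    length and the reference volume are policy choices (assumed here).
    """
    return reference_bytes / (reference_bytes + recent_bytes)


def weighted_max_min(demands, weights, capacity):
    """Water-filling allocation of `capacity` among subscribers.

    demands: {subscriber: bandwidth wanted}, weights: {subscriber: weight}.
    Each round gives every unsatisfied subscriber its weighted share of what is
    left; anyone whose demand fits inside that share gets exactly its demand and
    drops out, and the leftover is redistributed among the rest.
    """
    allocation = {}
    remaining = dict(demands)
    left = float(capacity)
    while remaining:
        total_weight = sum(weights[s] for s in remaining)
        per_unit = left / total_weight
        satisfied = [s for s in remaining if remaining[s] <= per_unit * weights[s]]
        if not satisfied:
            # Nobody fits: everyone still in the pool is capped at its weighted share.
            for s in remaining:
                allocation[s] = per_unit * weights[s]
            return allocation
        for s in satisfied:
            allocation[s] = float(remaining[s])
            left -= remaining[s]
            del remaining[s]
    return allocation


def allocate(demands, recent_usage, capacity, reference_bytes):
    """Fair-usage entry point: act only under congestion, otherwise grant every demand."""
    if sum(demands.values()) <= capacity:
        return {s: float(d) for s, d in demands.items()}
    weights = {s: usage_weight(recent_usage.get(s, 0), reference_bytes) for s in demands}
    return weighted_max_min(demands, weights, capacity)
```

The weight function is what turns a short-term usage window into a claim on the link: the more a subscriber used in the window, the smaller its share while the link is congested, which is the point of the Sub A / Sub B illustration. With the link uncongested the function grants every demand unchanged, matching the statement that FairUsage works only during congestion.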
RAN Optimization and Backhaul Optimization
- Addresses the inherent congestion at RAN and backhaul level that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging (e.g. email only)
- Ability to provide SLA support or managed services for large enterprise users
Figure: UTRAN - SGSN/GGSN - SCE - Internet, with a policy server attached to the SCE.

Tiered Services

Requirement: Flexible Billing Plans
- Bill by bandwidth usage over an always-on service: by volume and by time
- Bill differently for each type of application and content: by volume, transaction and content type
- Bill differently for the same content based on quality, priority, time of day and usage pattern: by volume, transaction, content type, usage pattern and quality of service
- Subscription and time-based plans across all of the above

Allowance- or Quota-Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: subscribers choose volume-quota-based or time-based bandwidth for a set period, for example on a monthly basis.
Pay-as-you-go subscription service: ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session is either terminated or the user purchases more usage.

Quota Measurement and Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographic data
- No load added to the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Figure: subscribers - SCE - network, with the SCE integrated to a quota manager, billing/mediation and a policy server.

Quota Measurement Flexibility
Content that earns revenue other than access revenue can be exempted from quota counting:
- The SP's content delivery store
- The SP's gaming services
- The SP's VoIP service
- Partner content delivery services
P2P technology can also be supported in the upload direction via DPI.
The quota measurement rate can change with the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of the night: 10 bytes of transfer = 1 byte of quota

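The accounting rules on this and the preceding quota slides (exempt services, a time-of-day divisor, a volume allowance that drops the subscriber to reduced speed when exhausted and can be topped up) fit in a few functions. This is an added example written for this page, not Cisco code: the exempt service names, the peak window, the plan speeds and the usage sample are constructed.

```python
from dataclasses import dataclass

# Added example of the quota-accounting rules on the quota slides. Not Cisco
# code: service names, the peak window, speeds and the sample usage are assumed.

EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}  # assumed names
PEAK_HOURS = range(8, 24)       # assumed: 08:00-23:59 counts 1:1
OFF_PEAK_DIVISOR = 10           # deck: at night 10 bytes of transfer = 1 byte of quota


def quota_charge(nbytes, hour, service):
    """Bytes of quota consumed by `nbytes` of traffic for `service` at `hour`."""
    if service in EXEMPT_SERVICES:
        return 0
    divisor = 1 if hour in PEAK_HOURS else OFF_PEAK_DIVISOR
    return -(-nbytes // divisor)     # ceiling division: never under-count the last byte


@dataclass
class SubscriberQuota:
    """Volume allowance with the reduced-speed-on-exhaustion behaviour and top-up."""
    allowance: int                   # bytes per billing cycle
    used: int = 0
    full_speed_kbps: int = 8000      # assumed plan speed
    reduced_speed_kbps: int = 56     # assumed "dial-up" speed once the quota is gone

    def consume(self, nbytes, hour, service):
        self.used += quota_charge(nbytes, hour, service)
        return self.state()

    def remaining(self):
        return max(self.allowance - self.used, 0)

    def state(self):
        return "exhausted" if self.used >= self.allowance else "normal"

    def effective_rate_kbps(self):
        return self.reduced_speed_kbps if self.state() == "exhausted" else self.full_speed_kbps

    def top_up(self, extra_bytes):
        """The subscriber buys more volume from the redirect page."""
        self.allowance += extra_bytes
        return self.state()


def quota_impact(daily_usage_bytes, daily_quota):
    """Fraction of subscribers a daily quota would touch (the usage-distribution argument)."""
    over = sum(1 for u in daily_usage_bytes if u > daily_quota)
    return over / len(daily_usage_bytes)
```

Counting quota in integer bytes with ceiling division means an off-peak transfer of 1001 bytes is charged 101 bytes, not 100: the rounding error goes against the subscriber by at most one byte per accounting call rather than accumulating in their favour.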
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the online charging server
Figure: subscriber - access aggregation and service control (GGSN, SCE) - converged packet core - Internet, video/VoIP applications and services; the SCE provides subscriber service control.
Note: the Gy interface is still under development and will be available in a future release.

Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter: the SCE supports the Diameter Credit Control Application (DCCA)
- Integration with online charging servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between online charging servers
Figure: SCE - Gy over Diameter - online charging server; SCE - Internet.
Note: the Gy interface is still under development and will be available in a future release.

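The exchange behind a Gy session is the DCCA credit-control loop: the enforcement point asks for a grant, counts traffic against it, reports what was used and asks again, and the charging server signals the last grant and then credit exhaustion. The following is an added example written for this page, with both sides of the exchange; it is not Cisco code and it does not encode Diameter messages. The result codes, request types and Final-Unit-Action values are the RFC 4006 ones; the grant size, the per-user byte balances and the simplified reservation logic of the stub OCS are assumptions.

```python
# Added example: a simplified Diameter Credit-Control (RFC 4006) session with
# the SCE in the PCEF role and a stub Online Charging Server. Not Cisco code;
# message encoding is omitted and the OCS keeps a plain per-user byte balance.

CCR_INITIAL, CCR_UPDATE, CCR_TERMINATION = 1, 2, 3            # CC-Request-Type
DIAMETER_SUCCESS = 2001
DIAMETER_CREDIT_LIMIT_REACHED = 4012
FUA_TERMINATE, FUA_REDIRECT, FUA_RESTRICT_ACCESS = 0, 1, 2    # Final-Unit-Action
FUA_NAMES = {FUA_TERMINATE: "terminated", FUA_REDIRECT: "redirect",
             FUA_RESTRICT_ACCESS: "restricted"}
GRANT_CHUNK = 1000                                            # assumed GSU size (bytes)


class OnlineChargingServer:
    """Stub OCS: byte balances per user, one grant outstanding per session."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def handle(self, ccr):
        user = ccr["user"]
        balance = max(self.balances[user] - ccr.get("used", 0), 0)  # Used-Service-Unit
        self.balances[user] = balance
        if ccr["type"] == CCR_TERMINATION:
            return {"result": DIAMETER_SUCCESS, "granted": 0}
        if balance == 0:
            return {"result": DIAMETER_CREDIT_LIMIT_REACHED, "granted": 0}
        grant = min(GRANT_CHUNK, balance)
        cca = {"result": DIAMETER_SUCCESS, "granted": grant}       # Granted-Service-Unit
        if grant == balance:
            cca["final_unit_action"] = FUA_REDIRECT                 # Final-Unit-Indication
        return cca


class Pcef:
    """SCE-side logic: count traffic against the grant, re-authorise when it runs out."""

    def __init__(self, ocs, user, session_id):
        self.ocs, self.user, self.session_id = ocs, user, session_id
        self.granted = self.used = self.admitted = 0
        self.final_action = None
        self.state = "closed"

    def _request(self, rtype):
        cca = self.ocs.handle({"session": self.session_id, "user": self.user,
                               "type": rtype, "used": self.used})
        self.used = 0
        if rtype == CCR_TERMINATION:
            self.state = "closed"
        elif cca["result"] == DIAMETER_SUCCESS:
            self.granted = cca["granted"]
            if "final_unit_action" in cca:
                self.final_action = cca["final_unit_action"]
            self.state = "open"
        else:
            # No credit left: apply the Final-Unit-Action announced with the last grant.
            self.granted = 0
            self.state = FUA_NAMES.get(self.final_action, "terminated")
        return cca

    def start(self):
        self._request(CCR_INITIAL)
        return self.state

    def account(self, nbytes):
        """Charge `nbytes` of subscriber traffic; returns how many bytes were admitted."""
        admitted = 0
        while nbytes > 0 and self.state == "open":
            take = min(self.granted - self.used, nbytes)
            self.used += take
            admitted += take
            nbytes -= take
            if self.used >= self.granted:
                self._request(CCR_UPDATE)        # report USU, ask for the next grant
        self.admitted += admitted
        return admitted

    def stop(self):
        self._request(CCR_TERMINATION)
        return self.state
```

With a 2,500-byte balance and 1,000-byte grants the session sees three grants (1000, 1000, 500), the third carrying the final-unit indication; when that one is consumed the OCS answers 4012 and the PCEF switches the subscriber to the redirect state rather than silently dropping traffic.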
Quota-Based Tiering: Telenet, Cable Company in Belgium
Source: billingworld.com feature article, featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, the Internet service is reduced to dial-up speed
- The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month
- 15% of customers upgrade their quota every month

Figure: Telenet self-service portal showing previous months, the current product and speed, an option to extend the monthly subscription volume, an upgrade to another product, and a button to switch from pay-as-you-go broadband to free smallband or back.

Redirect Page
Redirect page shown when 100% of the quota is reached; three options are presented to the subscriber:
- Extend the subscription (buy more)
- Pay as you go on broadband
- Continue for free on narrowband

Quota-Based Services: Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan, increasing revenue
- 40% reduction in service support calls relating to this service, and increased customer satisfaction

T-Mobile: Quota-Based With Application Control

Service            Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance          Unlimited  2GB   2GB       1GB        3GB       10GB       -
VoIP               yes        no    no        no         no        yes        no
IM                 yes        no    no        no         yes       yes        no
P2P                yes        no    yes       no         yes       yes        no
FTP                yes        no    yes       no         yes       yes        no
Media stream       yes        no    yes       no         yes       yes        no
Web browsing       yes        yes   yes       yes        yes       yes        yes
Downloads          yes        no    yes       yes        yes       yes        yes
Emails             yes        yes   yes       yes        yes       yes        yes
Handset as modem   yes        no    yes       no         yes       yes        no

European Mobile Broadband: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Figure: Vodafone Spain consumer Internet offering (http://www.vodafone.es/particulares/internet); value shown: > 40

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": the enhanced experience is application-driven (application awareness over a control bus)
Services shown: IPTV/VoD, broadband access, gaming, messaging, music, voice

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): boost bandwidth for a set or undetermined period, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertion
- Security services: network-based security services to protect subscribers from attacks, or to mitigate risks from attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enables zero-touch provisioning for full self-service account setup
- Enables customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalization per user, including self-subscription and account refresh (e.g. activation of a new consumer service)
- Personalization via self-selection

Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers with a standard lower-speed Internet service can visit a web page on the provider's site and click a turbo button to boost their band­width for a set period, or leave the button engaged until they return and deselect it.

Personalized Services: Self-Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example: Content Tiering, "Kids Broadband"
- Application- and content-based access control with whitelists and blacklists
- Limits access to pre-defined websites
- Limits access to pre-approved applications
- HTTP redirect to a portal ("Content blocked: click here to unlock all Internet sites")
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content-provider partnership

URL Filtering With External DB
- Enhances SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external database
- Java-based API
- Can be used with commercial parental-control systems or proprietary databases
- Current integrations: Websense and Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache is then updated.
Per-package HTTP policy by URL list:

Subscriber package   DEFAULT   HTTP list ID 1   HTTP list ID 2
Block-none           ALLOW     ALLOW            ALLOW
Block-all            ALLOW     BLOCK            BLOCK
Block-and-slow       ALLOW     BLOCK            RATE 64 kbps

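The lookup path on this slide, an on-device cache in front of an external category database and then the package-by-list policy matrix, is small enough to show end to end. The following is an added example written for this page, not Cisco code: the category database, the hostnames and the cache size are constructed, and a local stub stands in for the RDR query to the third-party database so that the cache's effect on query volume is visible.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Added example of the URL-filter lookup path and policy matrix on this slide.
# Not Cisco code: the database, hostnames and cache size are constructed, and a
# local stub replaces the RDR exchange with the 3rd-party URL database.

# Constructed external database: host or host/path prefix -> list ID.
EXTERNAL_DB = {
    "games.example.test": 1,
    "videos.example.test/adult": 2,
    "videos.example.test": 1,
}

DEFAULT_LIST = "DEFAULT"
# Package x list -> action, as in the table above (RATE value is kbps).
POLICY = {
    "Block-none":     {DEFAULT_LIST: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: ("RATE", 64)},
}


def normalise(url):
    """Canonical (host, path) key so cache hits do not depend on case, scheme or a trailing slash."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/").lower()
    return host, path


class ExternalUrlDb:
    """Stub for the third-party database; counts queries so the cache effect is measurable."""

    def __init__(self, table):
        self.table, self.queries = table, 0

    def classify(self, host, path):
        self.queries += 1
        candidate = host + path
        while True:                      # longest matching prefix wins, host-only entry last
            if candidate in self.table:
                return self.table[candidate]
            if "/" not in candidate:
                return DEFAULT_LIST
            candidate = candidate.rsplit("/", 1)[0]


class UrlFilter:
    def __init__(self, db, cache_size=1000):
        self.db, self.cache_size = db, cache_size
        self.cache = OrderedDict()       # LRU: (host, path) -> list ID

    def list_id(self, url):
        key = normalise(url)
        if key in self.cache:
            self.cache.move_to_end(key)
            return self.cache[key]
        list_id = self.db.classify(*key)     # the "URL query RDR" in the slide
        self.cache[key] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return list_id

    def decide(self, package, url):
        """Action for a subscriber in `package` fetching `url`."""
        rules = POLICY[package]
        return rules.get(self.list_id(url), rules[DEFAULT_LIST])
```

Normalising before the cache lookup matters for both cost and correctness: without it, `GAMES.example.test/play` and `games.example.test/play/` are two cache misses and two external queries, and a subscriber can vary the case or add a slash to keep bypassing whatever the cache already knows.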
Parental Control and Content Filtering: Example
- Content filtering: "Page blocked: forbidden content detected"
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Figure: advertiser - publisher - consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds.
SPs leverage their intimacy with their customer base to enable enhanced targeting.

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain and increase ARPU through a revenue-sharing model
- Addresses privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server, using VLAN marking
- Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors the relevant traffic to the profiling servers
3. The profiling servers process the traffic, extract the relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits)
Mirrored traffic is a full copy of the subscriber's HTTP sessions handed to a third party, so the opt-in mechanism and the anonymization step listed above are what keep this within the privacy commitments made to the subscriber.

P2P Identification: Infringing vs Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts on the classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing and non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion to an OTT Video Cache
- The SCE analyzes OTT traffic and redirects it to the caching server
- The cache delivers more bandwidth to end users using existing network resources
- The cache relieves network peering load while improving QoE
Benefits:
- Saves peering bandwidth
- Clears network congestion
- Increases user satisfaction (best user experience: OTT content is delivered from within the network, as close as possible to the user)
Figure: the SCE separates OTT video from other OTT/P2P and VoIP traffic, redirects OTT requests to the OTT video cache, and the cache delivers the requested files; demand for OTT is increasing.

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer-support costs
Goal: the ability to identify and mitigate attacks emanating from its own users.

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
A three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block or mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
Figure: service control between subscribers, email servers and the Internet. Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
A mail of this form is indistinguishable from phishing from the subscriber's side, so the quarantine landing page or the SP's own portal, rather than a link in mail, is the place to deliver the notification.

Service Security Protection: Value to the Service Provider
- Reduces administrative costs during outbreaks
- Limits subscriber infection to reduce call-center load
- Increases customer loyalty and reduces churn
- Upsell opportunity for security add-on services
- Saves network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
Figure: user 1 - SCE (carrier Ethernet/MPLS/IP) - Internet, with a VAS server attached to the SCE; inbound and outbound traffic shown, with "X" marking blocked traffic.
1. Subscriber 1 attempts to retrieve email from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the virus-protection package
3. The VAS server receives the traffic from the SCE with the VLAN tag used for communication between user 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Or at an aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations.
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment

Insertion Concept: SCE Is a "Bump on a Wire"
- A stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header-rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: analysis engine applying PDR (police/drop/rewrite) actions in each direction.

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Uses optical splitters or port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitors and controls traffic
Figure: subscribers - (optical splitters) - network.

High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active/standby failover
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
Figure: master and slave SCEs, one on each active link.

Redundant Configurations: Active/Standby Schemes
1+0:
- SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1:
- SCE on each link (active and standby)
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configuration: fail open
Figure: active link and standby link between subscribers and the network.

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases: a major failure in the SCE software or hardware; manually via CLI; on boot
Figure: SCE8000 with optical bypass; the default bypass state (no power) is bypass, the non-default state is in-path.
Bypass is fail open: while it is active, every control and protection the SCE applies on that link (rate limits, quota enforcement, malware and DoS mitigation) lapses, so bypass events should be alarmed like link failures rather than treated as a silent recovery.

MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
- Scalability: a "buy as you grow" approach (add an SCE as needed), scaling up to 240 Gbps with eight 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept:
- The 7600 dispatches the flows to a unique port served by an SCE
- The SCE performs the DPI functionality and returns the packets to the original data path
- All flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
Figure: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows out, return flows back.

Network Architectures: SCE's Open and Extensible Architecture
Figure: DSL/fiber access via BRAS/LAC/LNS and mobile access via GGSN, feeding SCEs in N+1, 1+1 HA and bypass HA arrangements toward the Internet, with accounting and policy control attached.

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1Q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP: planned for the end of 2009
Figure: packet layouts such as MPLS- or L2TP-encapsulated IP/TCP payloads and PPP-encapsulated IP/TCP payloads; the inner headers are what the SCE inspects.

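Before a DPI engine can classify tunneled traffic it has to walk the encapsulation stack down to the inner IP header and transport ports, which is what "support" for each tunneling technique amounts to. The following is an added example written for this page, not Cisco code: it walks 802.1Q/QinQ tags, an MPLS label stack and IP-in-IP down to the inner 5-tuple over a frame constructed inline (checksums left zero on purpose); L2TP, GRE and GTP are not handled.

```python
import socket
import struct

# Added example: walking 802.1Q/QinQ, MPLS and IP-in-IP encapsulations down to
# the inner flow. Not Cisco code; the sample frame is constructed below and
# L2TP/GRE/GTP are not handled.

ETHERTYPE_VLAN, ETHERTYPE_QINQ = 0x8100, 0x88A8
ETHERTYPE_MPLS, ETHERTYPE_IPV4 = 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def parse_frame(frame):
    """Return the layer stack, tags/labels and innermost 5-tuple of an Ethernet frame."""
    layers, vlans, labels = ["ethernet"], [], []
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):       # one or two VLAN tags
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        layers.append("802.1q")
        off += 4
    if ethertype == ETHERTYPE_MPLS:
        while True:                                            # pop until bottom of stack
            entry = struct.unpack_from("!I", frame, off)[0]
            labels.append(entry >> 12)
            off += 4
            if entry & 0x100:
                break
        layers.append("mpls")
        ethertype = ETHERTYPE_IPV4   # MPLS carries no ethertype; the version nibble is checked below
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    while True:                                                # outer IPv4, then IP-in-IP payloads
        if frame[off] >> 4 != 4:
            raise ValueError("not IPv4")
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = socket.inet_ntoa(frame[off + 12:off + 16])
        dst = socket.inet_ntoa(frame[off + 16:off + 20])
        layers.append("ipv4")
        off += ihl
        if proto != IPPROTO_IPIP:
            break
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", frame, off)
        name = "tcp" if proto == IPPROTO_TCP else "udp"
        layers.append(name)
        flow = (src, sport, dst, dport, name)
    else:
        flow = (src, None, dst, None, proto)
    return {"layers": layers, "vlans": vlans, "mpls_labels": labels, "flow": flow}


# Builders for the constructed sample frame (IP and TCP checksums left at zero).
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def mpls(label, bottom=True):
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | 64)


def sample_frame():
    """802.1Q VLAN 100 -> MPLS label 16 -> IPv4 -> IP-in-IP -> IPv4 -> TCP to port 443."""
    inner = ipv4("172.16.0.5", "198.51.100.7", IPPROTO_TCP, tcp(40000, 443))
    outer = ipv4("10.0.0.1", "192.0.2.1", IPPROTO_IPIP, inner)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_MPLS) + mpls(16) + outer
```

The point of the layer list is visibility: a classifier that stops at the outer IPv4 header would attribute the sample flow to 10.0.0.1 and never see the TCP port, and any per-subscriber policy keyed on the inner address would simply not match.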
Management and Integration

What Does an SCE Solution Look Like?
The SCE sits at the access or aggregation layer between subscribers and the network. The modular solution includes SCE devices, management tools and integration APIs:
- Subscriber Manager, integrated with AAA, DHCP, RADIUS and billing
- Collection Manager, feeding the reporting tool
- Engage console
- Service portal and policy server/portal

Management and Integrations

Function                       Description                                               Protocols and tools            External software modules
Network management             FCAPS                                                     SNMP, CLI, SSH                 N/A
Policy/service configuration   Definition of policies and dissemination to SE devices    SCA-API, GUI, scripts, XML     Service Control Application Suite GUI
Subscriber management          Dynamic management of subscriber contexts                 SM API, RADIUS                 Subscriber Manager
Data collection                Collection of usage data for reporting and billing        NetFlow v9, RDR protocol       Collection Manager

Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
SNMPv2c authenticates only by a community string sent in clear text, and Telnet sends CLI credentials in clear text; on a device that holds per-subscriber policy, restrict both to the management network and use SSH for the CLI.

Management: Network Navigator, a Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve logs, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-headers

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a real-time report on that subscriber

Service Security Dashboard
Integrated console to manage the service security functionality:
- View, load and edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set, add and read usage quota buckets
Integration into the back office and AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Subscriber Manager: Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull modes:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration, Push Mode
Components: B-RAS, RADIUS server, Cisco Subscriber Manager (internal SDB, SCE device controller, event manager), SCE, subscribers, network.
1. The B-RAS sends RADIUS Accounting-Start (Username=Joe, Framed-IP-Address=1.2.3.4) to the RADIUS server
2. The RADIUS server relays Accounting-Start (Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12) to the Subscriber Manager
3. The SM calls Set Subscriber (Joe, 1.2.3.4, 12) over the SM API and pushes the mapping to the relevant SCE

Subscriber Manager: RADIUS Integration, Pull Mode
Components as in push mode.
1. The B-RAS sends RADIUS Accounting-Start (Username=Joe, Framed-IP-Address=1.2.3.4) to the RADIUS server
2. The RADIUS server relays Accounting-Start (Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12) to the Subscriber Manager, which stores the mapping in its SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4. The SM answers with Set Subscriber (Joe, 1.2.3.4, 12) over the SM API

RADIUS and DHCP Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates its protocol into SM events:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings

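The push and pull sequences on the three slides above reduce to one translation step and one table: a LEG turns a RADIUS accounting packet into a login or logout event carrying subscriber ID, mappings and policy, and the SM keeps an IP-to-subscriber table that it either pushes to the SCE or answers queries from. The following is an added example written for this page, not Cisco code and not the SM API. It also verifies the RFC 2866 Request Authenticator before accepting an accounting packet, which is the check that keeps a forged Accounting-Start from re-mapping an IP address to another subscriber's package; a passive sniffer LEG that does not hold the shared secret cannot perform it. Attribute numbers are the RFC 2865/2866 ones; the vendor ID and sub-type used for the deck's SCE-VAS-PID attribute are assumed, and the packets in sample_packets() are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not Cisco code) of the push/pull integration on the slides
# above: a RADIUS accounting LEG verifies the packet, translates it into a
# Subscriber Manager login/logout, and the SM answers "who is using IP x?".
# RFC 2865/2866 numbers; the SCE-VAS-PID vendor ID and sub-type are ASSUMED.

CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 8, 26
ATTR_NAS_IDENTIFIER, ATTR_ACCT_STATUS_TYPE = 32, 40
ACCT_STATUS_START, ACCT_STATUS_STOP = 1, 2
VENDOR_ID, VSA_SCE_PID = 9, 1          # assumed numbering for SCE-VAS-PID (package ID)


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_accounting_request(identifier, secret, attrs):
    """Accounting-Request with the RFC 2866 Request Authenticator."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Accept only accounting produced by a NAS that holds the shared secret."""
    if len(packet) < 20 or packet[0] != CODE_ACCOUNTING_REQUEST \
            or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + bytes(16) + body + secret).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    attrs, off = [], 20
    while off < len(packet):
        length = packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((packet[off], packet[off + 2:off + length]))
        off += length
    return attrs


def translate(packet):
    """LEG role: RADIUS attributes -> SM login/logout event."""
    event = {"type": None, "subscriber_id": None, "mappings": [], "policy": None}
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_NAME:
            event["subscriber_id"] = value.decode()
        elif attr_type == ATTR_FRAMED_IP_ADDRESS:
            event["mappings"].append(socket.inet_ntoa(value))
        elif attr_type == ATTR_ACCT_STATUS_TYPE:
            status = struct.unpack("!I", value)[0]
            event["type"] = {ACCT_STATUS_START: "login", ACCT_STATUS_STOP: "logout"}.get(status)
        elif attr_type == ATTR_VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == VENDOR_ID and vtype == VSA_SCE_PID:
                event["policy"] = struct.unpack("!I", value[6:4 + vlen])[0]
    return event


class SubscriberManager:
    """Contexts keyed by subscriber ID and by network ID; policy persists across logins."""

    def __init__(self, secret):
        self.secret, self.by_id, self.by_ip = secret, {}, {}

    def ingest(self, packet):
        """Push mode: a relayed accounting packet becomes a login or logout."""
        if not verify_accounting_request(packet, self.secret):
            return None
        event = translate(packet)
        ctx = self.by_id.setdefault(event["subscriber_id"], {"mappings": [], "policy": None})
        if event["type"] == "login":
            if event["policy"] is not None:
                ctx["policy"] = event["policy"]     # otherwise keep the persisted package
            for ip in event["mappings"]:
                self.by_ip[ip] = event["subscriber_id"]
                ctx["mappings"].append(ip)
        elif event["type"] == "logout":
            for ip in ctx["mappings"]:
                self.by_ip.pop(ip, None)
            ctx["mappings"] = []
        return event["type"]

    def lookup_ip(self, ip):
        """Pull mode: the SCE asks which subscriber and package own an IP address."""
        sub = self.by_ip.get(ip)
        return None if sub is None else (sub, self.by_id[sub]["policy"])


def sample_packets(secret):
    """Constructed Accounting Start/Stop/Start for Joe at 1.2.3.4, package 12 (as on the slide)."""
    joe = [avp(ATTR_USER_NAME, b"Joe"), avp(ATTR_NAS_IDENTIFIER, b"bras-1"),
           avp(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("1.2.3.4"))]
    start_attr = avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
    stop_attr = avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP))
    package = vsa(VENDOR_ID, VSA_SCE_PID, struct.pack("!I", 12))
    start = build_accounting_request(7, secret, joe + [start_attr, package])
    stop = build_accounting_request(8, secret, joe + [stop_attr])
    relogin = build_accounting_request(9, secret, joe + [start_attr])
    return start, stop, relogin
```

The re-login packet carries no package attribute, and the SM still answers with package 12 for 1.2.3.4, which is the "persists subscriber policies across logins" behaviour; a tampered packet (one bit of the package ID flipped) fails the authenticator check and never reaches the mapping table.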
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities:
- SCE API: direct subscriber management with the SCE (provided in Java)
- SM API: dynamic subscriber management (provided in C and Java)
- SCE MIB: integration for maintenance operations
- RDRs: integration for billing and quota provisioning
- NetFlow v9: integration for billing and quota provisioning

Policy Server Integration: Topology Example
- The SCMS SM is responsible for mapping the network ID to the subscriber ID, working with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy-profile provisioning in addition to network-ID mapping
Figure: SCE - Subscriber Manager - policy server, connected via APIs.

PCEF: Subscriber Policy Enforcement
The SCE acting as a 3GPP PCEF: it applies per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server; communication with the PCRF is through a standard Gx interface.
Figure: subscriber - access aggregation and service control (GGSN, SCE as PCEF) - converged packet core - Internet, video/VoIP applications and services.
Note: the Gx interface is still under development and will be available in a future release.

Gx Interface and RADIUS VSAs
- The SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in outgoing SCE Gx/Gy messages; attributes supported include Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Characteristics
Note: the Gx interface is still under development and will be available in a future release.

Collection Manager
- The analysis and data-processing functions of the SCE generate NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: either the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Figure: SCE - RDR protocol over TCP - mediation/collection platform; an RDR stream is a sequence of RDRs, each a header followed by fields 0..n.

Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
Collection Manager – Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a database (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application is classified, the SCE ToS marking capability can mark its traffic
– Per package
– Per service
– Per direction (upstream or downstream)
[Diagram: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network; a DSCP value chosen by the subscriber's own host is not a trusted classification input and should be re-marked by a trusted element before it reaches the SCE
The main goal of this functionality is to classify traffic based on the ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
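As a worked illustration of the two slides above (an added example, not SCE code), the following reads the DSCP from an IPv4 header, applies the precedence rule with a trust boundary, and re-marks per package, service and direction while preserving the ECN bits and recomputing the header checksum. The DSCP-to-service and marking tables, the sample header and the rule that only network-side marks are trusted are constructed assumptions; the DSCP code points themselves are the standard ones from RFC 2474, 2597 and 3246.

```python
"""ToS/DSCP handling on an IPv4 header: read the DSCP for classification,
re-mark it per package/service/direction, keep ECN, fix the header checksum.
Added example, not SCE code. Tables and the sample header are constructed.
"""
import struct

# Standard DSCP code points
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}
# Constructed trust policy: DSCP values seen from the network side that map
# straight to a service; anything else falls through to signature classification.
TRUSTED_DSCP_TO_SERVICE = {DSCP["EF"]: "VoIP", DSCP["AF41"]: "Video", DSCP["AF11"]: "Browsing"}
# Constructed marking policy: (package, service, direction) -> DSCP
MARKING = {("Gold", "VoIP", "downstream"): DSCP["EF"],
           ("Gold", "P2P", "downstream"): DSCP["CS1"],
           ("Silver", "P2P", "downstream"): DSCP["CS1"],
           ("Silver", "Browsing", "upstream"): DSCP["AF11"]}


def dscp_of(ip_header):
    return ip_header[1] >> 2          # top 6 bits of the ToS byte; low 2 bits are ECN


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words with the checksum field zeroed."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(ip_header):
    return struct.unpack("!H", ip_header[10:12])[0] == ipv4_checksum(ip_header)


def classify(ip_header, from_subscriber, signature_result):
    """DSCP takes precedence over the signature result, but only for packets
    arriving from the network side: a subscriber host can set any ToS byte it
    likes, so subscriber-side marks are ignored for classification."""
    if not from_subscriber:
        svc = TRUSTED_DSCP_TO_SERVICE.get(dscp_of(ip_header))
        if svc is not None:
            return svc
    return signature_result


def remark(ip_header, package, service, direction):
    """Rewrite the DSCP, keep the ECN bits, recompute the checksum. Returns a new header."""
    dscp = MARKING.get((package, service, direction))
    if dscp is None:
        return ip_header
    h = bytearray(ip_header)
    h[1] = (dscp << 2) | (ip_header[1] & 0x03)
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def sample_header(tos):
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 60, 0x1234, 0x4000, 64, 6, 0,
                              bytes([10, 0, 0, 5]), bytes([203, 0, 113, 9])))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


if __name__ == "__main__":
    hdr = sample_header((DSCP["EF"] << 2) | 0x01)          # EF with ECN=01
    print(classify(hdr, from_subscriber=False, signature_result="Unknown"))
    print(dscp_of(remark(hdr, "Gold", "P2P", "downstream")), checksum_ok(remark(hdr, "Gold", "P2P", "downstream")))
```

Recomputing the checksum is not optional: a re-marked packet with a stale header checksum is dropped by the next router, which is the usual reason a marking policy appears to break traffic rather than reprioritise it.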
Summary
Cisco SCE Sample Customers
[Customer logos grouped by access type: Mobile, DSL, Cable]
Security & Content Filtering – partners: Aladdin, Websense, Adaptive Mobile
Policy & Billing – partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing – partners: Websense, in-platform cache
Customers named on the slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W
Advertising – partners: Phorm, Feeva, Adzilla, local partners in China and Italy; customers: UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video – partners: Oversi, CDS; customers: various European and Asian operators
Content Infringement – partners: Audible Magic, Advestigo, Altnet; customers: European legislators, content providers, initial POCs
Management / Reporting – partners: Proxy, Business Objectives, Comability, Aqsacom, InfoVista; customers: Telecom Italia, CYTA
Data Warehousing – partners: Business Objects, Oracle; customers: Orange, T-Mobile, Telenet
TV on your Mobile Phone
Skype goes Mobile
Alex Day, AKA Nerimon (19 years old)
Number 1 most popular of Britain's YouTubers: 30,000 subscribers tune into him every day
European operator: "Video is the number 1 application that is killing our network"
Who Will Capture the Value?
Content/Application Providers
Aggregators/Integrators/Over the Top (OTT)
Network-Based Operators
Virtual Network Operators
Device/Services
Source: Cisco IBSG Analysis, March 2006
OTTs Create Three Areas of Concern for SPs...
Un-monetised traffic growth
Service substitution
Changing user behaviour – new sources of revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI) Critical To Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers mobile SPs to implement advanced targeted advertising schemes
Application Architecture of the Future – SCE enables User Experience
[Diagram: a Service Control Point in the service provider network between the access types (fixed, wireless, DSL, cellular, WiFi mesh, WiMAX, enterprise, cable) and the applications (gaming, messaging, broadband access, voice, IPTV/VoD, music)]
What Is the Service Control Engine?
Application awareness, subscriber intelligence, real-time control, service velocity
Technology
Rapidly programmable: rapidly re-tasked to support new protocols or applications
Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application session-level bandwidth shaping, blocking and redirecting (HTTP, RTSP, SIP)
Subscriber state management with per-subscriber bandwidth management and quotas
Extensible platform and open architecture: based upon a flexible purpose-built platform
Modular and scalable hardware acceleration; easy to use, with open APIs for seamless OSS integration
Carrier class: designed for carrier-grade deployments requiring
High performance for multi-gigabit and 10 gigabit speeds; high availability and reliability with stateful failover
Process of Service Control
Intelligent inspection and control of IP packets: classify to the end-user application, determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions: time of day, congestion, usage, other concurrent activities
Take action and report: block, redirect, set QoS, mark, report
Service Control Engine – Functional Examples
[Diagram: functional areas arranged from cost management to revenue generation around the Service Control technology: Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement, Content Charging]
Traffic anomaly detection and DDoS protection
Anti-X (spam, worms)
Safe harbor and quarantine services
Traffic mix optimization
Fair use policy enforcement
QoS assurance
Traffic analysis and reporting
Quality of experience monitoring
Usage demographics
Service self selection
Volume- and time-based tiering of services
Bandwidth on demand (turbo button)
Over-the-top application partnership services
Multimedia (voice/video) traffic prioritization
Volume- and time-based billing services
Parental control and content filtering
Service Control Platforms
Category: SCE1000 / SCE2000 / SCE8000
Interfaces: 2-GBE (fiber SX/LX) / 4-GBE (fiber SX/LX) / 2-10G, 4-10G, 8-GBE, 16-GBE (fiber SX/LX/ZX)
Mgmt interface: 2 x 10/100/1000 Eth / 2 x 10/100/1000 Eth / 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows: 2M / 2M / 16M (can grow up to 32M)
Max subscriber contexts: 200,000 / 200,000 / 1M
Network configuration: out of line, inline / out of line, inline, clustering / out of line, inline, clustering
SCE Product Family and Milestones
[Chart: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps for the SCE 1000, SCE 2000 and SCE 8000]
SCE 8000: 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces
Classification of up to 32 million concurrent unidirectional application flows
Total throughput of 15 Gbps (30+ Gbps by end of 2009)
Up to 1M concurrent subscribers
Complete modularity – FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
Industry-leading deep packet inspection
Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
3GPP compliant
The SCE Mobile Solution
[Diagram: SGSN/GGSN – SCE – core – Internet, with AAA (RADIUS), policy server, portal/applications and billing & charging attached to the SCE]
The SCE Mobile Solution – 3GPP Compliance
[Diagram: the same topology with the 3GPP roles: the SCE as PCEF, the policy server as PCRF over Gx, billing & charging as OCF/SRP over Gy, and the portal/applications as AF]
What does an SCE solution look like? SCE sits at the access or aggregation layer
[Diagram: subscribers – Service Control Engine – network, with Subscriber Manager (AAA, DHCP, RADIUS), Collection Manager (billing, reporting tool, Engage console), policy server and service portal]
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external databases
3. Subscriber Manager to coordinate subscriber information with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
[Diagram: steps arranged along an axis from usage analysis to service creation, with portal, DHCP, AAA, subscriber profile and policy elements]
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
What does a Service Provider want from SCE? Profitability
URL blacklisting: restricting sites that are blacklisted by governments
Precision advertising: demographic information and per-subscriber redirection to an ad server
Copyright infringement blocking: blocking distribution of pirated film and music
OTT revenue share proposition: application intercept for Internet content prioritisation
Enhanced tiered services: product tiers (flat rate, restricted) in addition to flat-rate all-you-can-eat
Usage/content-based billing: all HSDPA mobile operators
Fair use policy: global migration from flat rate to usage based
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
[Diagram: Act – Measure – Analyze – Compare – Decide cycle, with Cisco Service Control at the measure and analyze stages and strategic, business operations, customer, sales and category-recognition inputs on the act and decide side]
Transactions, information, network utilization, service QoE
Data aggregation, data mining, correlation, trend analysis
Geographies comparison, histogram view, service offering, marketing review, intersecting set
Engineering review, IT review, network tuning, cooperation
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports – ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1–5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Chart: all HTTP requests versus ClickStream-only events]
Cumulative & Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support – Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients, protocols and applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube Movies – HD vs. normal, Yahoo SIP, Skype 4.0.0.206, Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification – Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures, one signature per application family instead of one per application (behavioral P2P)
Cost-effective: behavioral P2P may be enough for some use cases, such as traffic optimization, where there is no need to recognize the specific P2P application
Time to market – zero-day response: behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control – Policy Implementation
Policy dimensions and implementation impact
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net, peering, transit
Service level
Adaptive Subscriber Bandwidth Allocation – Improve User Experience
[Diagram: a subscriber's bandwidth shared between peer-to-peer, web browsing and email; when the user launches video (mobile TV), the peer-to-peer service gives way to it]
Fair Usage – The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both)
If at 0:40 the MSO divides bandwidth equally between them, would that be fair?
Clearly Sub A is not getting a fair share of the resources
Fair Usage – SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to
– Apply equitable distribution of network resources
– Improve the quality of experience that the network delivers
– Minimize service abuse
FairUsage works only during congestion times
[Diagram: no fairness, with some subscribers not getting a fair share of the bandwidth, versus fair allocation of bandwidth with the SCE's FairShare]
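Progressive filling (weighted max-min fairness) is the standard algorithm for the behaviour the two slides describe: every subscriber gets what it asks for up to its fair share, capacity that light users do not need is re-divided among the heavier ones, and a weight below 1 demotes a subscriber who is past the plan's longer-term allowance without starving it. The following is an added example, not the SCE FairShare implementation; demands, weights and the rule that a subscriber beyond twice its allowance carries half weight are constructed.

```python
"""Weighted max-min fair allocation (progressive filling) for the congested
link on the slide, plus the naive equal split it improves on.
Added example, not the SCE FairShare implementation. Demands and the usage rule
are constructed; weights must be positive.
"""


def equal_split(capacity, demands):
    """Naive per-subscriber equal division: returns (allocation, unused capacity).
    Capacity handed to a subscriber who does not need it is simply wasted."""
    share = capacity / len(demands)
    alloc = {s: min(share, d) for s, d in demands.items()}
    return alloc, capacity - sum(alloc.values())


def max_min_fair(capacity, demands, weights=None):
    """demands: subscriber -> requested rate; weights: subscriber -> positive weight.
    Each round divides the remaining capacity among the unsatisfied subscribers in
    proportion to weight; anyone whose demand fits inside its share is granted
    exactly its demand and leaves the pool, and the leftover is re-divided."""
    weights = weights or {s: 1.0 for s in demands}
    alloc, unsatisfied, remaining = {}, set(demands), float(capacity)
    while unsatisfied:
        total_w = sum(weights[s] for s in unsatisfied)
        share = {s: remaining * weights[s] / total_w for s in unsatisfied}
        capped = {s for s in unsatisfied if demands[s] <= share[s]}
        if not capped:                 # everyone left wants more than its share
            alloc.update(share)
            break
        for s in capped:
            alloc[s] = demands[s]
            remaining -= demands[s]
        unsatisfied -= capped
    return alloc


def usage_weights(usage_gb, allowance_gb):
    """Constructed long-term rule: a subscriber past twice its plan allowance
    weighs half as much during congestion. It still gets a share, so the
    policy de-prioritises rather than blocks."""
    return {s: (0.5 if usage_gb[s] > 2 * allowance_gb[s] else 1.0) for s in usage_gb}


def fair_share_demo():
    """The slide's two-subscriber case: A wants 1 Mbps, B wants 9 Mbps, the link
    carries 4 Mbps. Then three subscribers with one heavy long-term user."""
    equal, unused = equal_split(4, {"A": 1, "B": 9})
    fair = max_min_fair(4, {"A": 1, "B": 9})
    w = usage_weights({"A": 1, "B": 50, "C": 12}, {"A": 10, "B": 10, "C": 10})
    congested = max_min_fair(10, {"A": 2, "B": 8, "C": 8}, w)
    return equal, unused, fair, congested


if __name__ == "__main__":
    for item in fair_share_demo():
        print(item)
```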
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN – SGSN/GGSN – SCE – Internet (GPRS), with a policy server attached to the SCE]
Tiered Services
Requirement: Flexible Billing Plans
Bill by bandwidth usage over an always-on service: volume, time
Bill differently for each type of application and content: time, volume, transaction, content type
Bill differently for the same content based on quality, priority, time of day and usage pattern: volume, transaction, content type, usage pattern, quality of service
Subscription, time
Allowance- or Quota-Based Services – Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution
SCE capabilities
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Diagram: subscribers – Service Control Engine – network, with Quota Manager, billing/mediation and policy server]
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change by time of day
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the online charging server
[Diagram: subscribers – access aggregation and service control (SCE) – converged packet core (GGSN) – Internet and video/VoIP applications and services; steps 1–3]
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
[Diagram: SCE – Gy over Diameter – Online Charging Server; SCE – Internet]
The Gy interface is still under development and will be available in a future release
Quota-Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed until the end of the month
15% of the customers upgrade their quota every month
[Screenshot of the Telenet self-service page: view previous months, current product and speed, extend monthly subscription volume, upgrade to another product, and a button to switch between pay-as-you-go broadband and free smallband]
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend subscription (buy more), pay as you go on broadband, continue for free on narrowband
Quota-Based Services – Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile – Quota-Based With Application Control
Plan:             Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance:        Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP:             √ | × | × | × | × | √ | ×
IM:               √ | × | × | × | √ | √ | ×
P2P:              √ | × | √ | × | √ | √ | ×
FTP:              √ | × | √ | × | √ | √ | ×
Media stream:     √ | × | √ | × | √ | √ | ×
Web browsing:     √ | √ | √ | √ | √ | √ | √
Downloads:        √ | × | √ | √ | √ | √ | √
Emails:           √ | √ | √ | √ | √ | √ | √
Handset as modem: √ | × | √ | × | √ | √ | ×
European Mobile BB, Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
[Chart: > 40]
Advanced Services
Dynamic Personalized Services – Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull" enhanced experience is subscriber-driven: turbo button, self-care, parental control
"Push" enhanced experience is application-driven: application awareness over a control bus for IPTV/VoD, broadband access, gaming, messaging, music and voice
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management – Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self selection
Bandwidth On Demand – Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services – Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring
Personalized Reporting – Self Managed
Parental Controls – Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example: Content Tiering – "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Diagram: blocked page "Content Blocked – Click here to unlock all Internet sites" in front of the Internet]
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external database
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
On-device URL filtering with external database integration: the SCE looks the URL up in its cache; if the URL is not in the cache it sends a URL query RDR to the third-party URL database, which returns the URL classification, and the cache is updated
Subscriber package vs. HTTP list ID:
Package        | DEFAULT | HTTP – List ID 1 | HTTP – List ID 2
Block-none     | ALLOW   | ALLOW            | ALLOW
Block-all      | ALLOW   | BLOCK            | BLOCK
Block-and-slow | ALLOW   | BLOCK            | RATE 64kbps
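The following added example (not SCE, Websense or Adaptive Mobile code) shows the shape of the integration above: a bounded, time-limited on-box cache in front of an external lookup, URL normalisation before the lookup so that letter case, a trailing dot, an embedded userinfo part or percent-encoding cannot sidestep a list, and the package-by-list decision table from the slide. The external database contents, cache size, TTL and the fail-closed rule for unparsable requests are constructed assumptions.

```python
"""URL filtering in front of an external categorisation service: normalise the
URL, consult a bounded on-box cache, fall back to the external database, then
apply the package x list-ID decision table from the slide.
Added example, not SCE or third-party vendor code. The external database,
cache sizing, TTL and fail-closed rule are constructed.
"""
from collections import OrderedDict
from urllib.parse import urlsplit, unquote
import time

# Decision table from the slide: package -> {list ID -> action}; None = no list matched
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the third-party database: host -> list ID
EXTERNAL_DB = {"adult.example": 1, "malware.example": 1, "video.example": 2}


def normalise(url):
    """Canonical (host, path) key. 'ADULT.example.', 'user@adult.example' and a
    percent-encoded host all collapse to the same host; None means unparsable."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = unquote(parts.hostname or "").lower().rstrip(".")   # .hostname drops userinfo and port
    if not host:
        return None
    return host, unquote(parts.path or "/")


class UrlClassifier:
    def __init__(self, lookup, max_entries=10000, ttl=3600):
        self.lookup, self.max_entries, self.ttl = lookup, max_entries, ttl
        self.cache = OrderedDict()          # host -> (list_id, expiry), LRU order
        self.external_queries = 0

    def list_id(self, host, now=None):
        """Cache hit within TTL, else one external query; evicts least recently used."""
        now = time.time() if now is None else now
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            self.cache.move_to_end(host)
            return hit[0]
        self.external_queries += 1
        lid = self.lookup(host)             # the external database call
        self.cache[host] = (lid, now + self.ttl)
        self.cache.move_to_end(host)
        while len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)
        return lid

    def decide(self, package, url, now=None):
        key = normalise(url)
        if key is None:
            return "BLOCK"                  # fail closed on requests we cannot parse
        table = POLICY[package]
        return table.get(self.list_id(key[0], now), table["DEFAULT"])


def demo():
    """Four requests against a two-entry cache; returns (decisions, external query count)."""
    clf = UrlClassifier(EXTERNAL_DB.get, max_entries=2, ttl=60)
    decisions = [clf.decide("Block-and-slow", "http://ADULT.example./index.html", now=0),
                 clf.decide("Block-and-slow", "video.example/clip", now=1),
                 clf.decide("Block-none", "http://user@adult.example/x", now=2),   # cache hit
                 clf.decide("Block-all", "https://news.example/", now=3)]
    return decisions, clf.external_queries


if __name__ == "__main__":
    print(demo())
```

Two details carry the security weight here: the lookup is keyed on the normalised host, not on the raw request line, and the cache has both a size bound and a TTL so that a stale or evicted entry falls back to the external database rather than to ALLOW.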
Parental Control and Content Filtering – Example
[Screenshot: "Page Blocked – Forbidden Content Detected"]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
[Diagram: advertiser – publisher – consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds]
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds – Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising
Traffic mirroring – sending a copy of selected HTTP traffic to a third-party server using VLAN marking
Reporting HTTP click-stream information in RDRs and anonymizing the subscriber details in those RDRs
Enhanced HTTP redirect – additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification – Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing and non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE in front of an OTT video cache; OTT traffic is redirected to the cache while other OTT, P2P and VoIP traffic passes through]
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Ability to identify and mitigate attacks emanating from the SP's own users
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
Figure: Service Control sits between the subscribers, the e-mail servers and the Internet; sample subscriber notification:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
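The identify / protect / notify tiers above, worked through as an added example (not SCE code): a sliding-window anomaly detector over constructed per-subscriber flow records that flags a subscriber opening outbound SMTP sessions to many distinct mail servers (the "email zombie" of the sample notice) or connecting to SMB ports on many distinct hosts (worm propagation), then maps each alert to a constructed policy table. The record layout, window length, thresholds, port sets, policy table and subscriber names are all assumptions made for this example.

```python
"""Identify / protect / notify over subscriber flow records.

Added illustration of the three-tier scheme on the slide, not SCE code: the
flow-record layout, thresholds, port sets, policy table and sample subscribers
below are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SEC = 60                         # sliding window length (assumption)
THRESHOLDS = {"spam": 20, "worm": 25}   # distinct destinations per window (assumption)
SMTP_PORTS = {25, 587}                  # outbound mail submission
WORM_PORTS = {135, 139, 445}            # classic worm propagation ports
POLICY = {                              # threat -> (protect action, notify subscriber?)
    "spam": ("block-outbound-smtp", True),
    "worm": ("quarantine", True),
}


@dataclass(frozen=True)
class Alert:
    subscriber: str
    threat: str
    distinct_dsts: int
    window_start: int


def identify(flows, window=WINDOW_SEC, thresholds=THRESHOLDS):
    """Tier 1 (identify): anomaly detection on distinct destinations per subscriber.

    flows: iterable of (timestamp_sec, subscriber, dst_ip, dst_port, proto).
    Returns one Alert per (subscriber, threat) the first time the number of
    distinct destinations inside a sliding window reaches the threshold.
    """
    buckets = defaultdict(list)  # (subscriber, threat) -> [(ts, dst), ...]
    for ts, sub, dst, port, proto in sorted(flows):
        if proto != "tcp":
            continue
        if port in SMTP_PORTS:
            buckets[(sub, "spam")].append((ts, dst))
        elif port in WORM_PORTS:
            buckets[(sub, "worm")].append((ts, dst))

    alerts = []
    for (sub, threat), events in buckets.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= thresholds[threat]:
                alerts.append(Alert(sub, threat, distinct, events[start][0]))
                break
    return alerts


def respond(alerts, policy=POLICY):
    """Tiers 2 and 3 (protect, notify): map each alert to the configured action."""
    actions = []
    for a in alerts:
        protect, notify = policy[a.threat]
        actions.append({
            "subscriber": a.subscriber,
            "threat": a.threat,
            "protect": protect,
            "notify": notify,
            "evidence": f"{a.distinct_dsts} distinct destinations within {WINDOW_SEC}s",
        })
    return actions


def build_sample_flows():
    """Constructed traffic: one spam zombie, one SMB sweep, two benign subscribers."""
    flows = []
    for i in range(40):   # sub-A: 40 SMTP sessions to 40 mail servers in 40 s
        flows.append((i, "sub-A", f"198.51.100.{i + 1}", 25, "tcp"))
    for i in range(5):    # sub-B: ordinary HTTPS browsing to one host
        flows.append((i * 3, "sub-B", "203.0.113.7", 443, "tcp"))
    for i in range(30):   # sub-C: SMB connections to 30 distinct hosts in 30 s
        flows.append((100 + i, "sub-C", f"10.0.0.{i + 1}", 445, "tcp"))
    for i in range(10):   # sub-D: a mail client talking to its own two MXs
        flows.append((i * 30, "sub-D", f"192.0.2.{i % 2 + 1}", 587, "tcp"))
    return flows


if __name__ == "__main__":
    for action in respond(identify(build_sample_flows())):
        print(action)
```

The detector keys on distinct destinations rather than raw connection counts, so a legitimate mail client that repeatedly talks to its own two MXs (sub-D) stays below threshold while the zombie spraying 40 servers is caught after 20; the same window logic serves the worm case with a different port set and threshold.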
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1 - Carrier Ethernet/MPLS/IP - SCE - VAS server - Internet; inbound and outbound traffic, with X marking traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: Analysis Engine applying PDR (police, drop, rewrite) actions in-line
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Figure: subscribers - optical splitter - SCE - optical splitter - network
High Availability Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Figure: Master and Slave SCEs, each on an active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass configured: fail open
1+1
Active/Standby SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass configured: fail open
Figure: active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Figure: SCE8000 between two optical bypass modules; default bypass state (no power) vs. non-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add an SCE as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
High Availability - provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Figure: 7600 with N+1 SCEs; flows dispatched to the SCEs and return flows toward the Internet
Network Architectures: SCE's Open & Extensible Architecture
Figure labels: N+1, 1+1 HA, bypass HAs, GGSN, BRAS/LAC/LNS, accounting/policy control, DSL/Fiber, Mobile, Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP (planned for end of 2009)
Figure: packet inspection through encapsulation stacks - payload / TCP / IP / L2TP / MPLS, and payload / TCP / IP / PPP
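What "seeing through" these encapsulations means in practice, as an added example that is not SCE code: a Python parser that walks 802.1Q tags, an MPLS label stack, IP-in-IP and GRE to reach the inner IPv4/TCP headers, returning the inner 5-tuple plus the inner DSCP value (the field the later ToS classification slides rely on). L2TP/PPP and GTP are not covered. Both sample frames are constructed inline; the addresses, ports, labels and GRE key are arbitrary test values.

```python
"""Walk the encapsulation stack to the inner IP/TCP headers.

Added example, not SCE code: handles 802.1Q, MPLS, IP-in-IP and GRE from the
slide's list (L2TP/PPP and GTP are not covered); the two sample frames are
constructed in build_sample_frames().
"""
import struct

ETH_8021Q, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE = 4, 6, 47


def parse_frame(frame: bytes) -> dict:
    """Return the inner 5-tuple, inner DSCP and the encapsulation layers traversed."""
    layers = []
    off = 14                                    # past dst MAC, src MAC, EtherType
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while ethertype == ETH_8021Q:               # one or more VLAN tags (QinQ)
        layers.append("802.1Q")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETH_MPLS:                   # pop labels until the S (bottom-of-stack) bit
        while True:
            word = struct.unpack_from("!I", frame, off)[0]
            layers.append(f"MPLS label {word >> 12}")
            off += 4
            if word & 0x100:
                break
        ethertype = ETH_IPV4                    # assume IPv4 below the label stack
    if ethertype != ETH_IPV4:
        raise ValueError(f"unsupported EtherType {ethertype:#06x}")
    return _parse_ipv4_chain(frame, off, layers)


def _parse_ipv4_chain(buf: bytes, off: int, layers: list) -> dict:
    """Parse IPv4 headers, descending through IP-in-IP and GRE until TCP is reached."""
    while True:
        if buf[off] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl = (buf[off] & 0x0F) * 4
        tos, proto = buf[off + 1], buf[off + 9]
        src = ".".join(map(str, buf[off + 12:off + 16]))
        dst = ".".join(map(str, buf[off + 16:off + 20]))
        off += ihl
        if proto == IPPROTO_IPIP:
            layers.append("IP-in-IP")
            continue
        if proto == IPPROTO_GRE:
            flags, gre_type = struct.unpack_from("!HH", buf, off)
            off += 4
            off += 4 if flags & 0x8000 else 0   # C flag: checksum + reserved1
            off += 4 if flags & 0x2000 else 0   # K flag: key
            off += 4 if flags & 0x1000 else 0   # S flag: sequence number
            if gre_type != ETH_IPV4:
                raise ValueError("non-IPv4 GRE payload")
            layers.append("GRE")
            continue
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack_from("!HH", buf, off)
            return {"layers": layers, "src": src, "dst": dst,
                    "sport": sport, "dport": dport, "dscp": tos >> 2}
        raise ValueError(f"unsupported IP protocol {proto}")


def _ipv4(src, dst, proto, payload, dscp=0):
    """Minimal IPv4 header (no options, zero checksum) for constructing test frames."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def build_sample_frames():
    """Constructed frames: (a) 802.1Q + IP-in-IP, (b) two MPLS labels + GRE with a key."""
    eth = bytes(12)                                             # zeroed MAC addresses
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = _ipv4("10.1.1.5", "203.0.113.9", IPPROTO_TCP, tcp_syn, dscp=46)
    frame_a = (eth + struct.pack("!HHH", ETH_8021Q, 100, ETH_IPV4)
               + _ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, inner))
    gre = struct.pack("!HHI", 0x2000, ETH_IPV4, 42)             # K flag set, key = 42
    labels = struct.pack("!II", 1000 << 12, (2000 << 12) | 0x100)
    frame_b = (eth + struct.pack("!H", ETH_MPLS) + labels
               + _ipv4("192.0.2.3", "192.0.2.4", IPPROTO_GRE, gre + inner))
    return frame_a, frame_b
```

The point for a control element is that the subscriber- and application-relevant fields (inner addresses, ports, DSCP) are only reachable after every outer layer has been stripped; a parser that stops at the first IP header would classify the tunnel endpoints instead of the subscriber flow.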
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Figure components: Service Control Engine (between subscribers and the network), Subscriber Manager, AAA / DHCP / RADIUS / Billing, Policy Server / Portal, Service Portal, Collection Manager, Reporting Tool / Engage Console
Management and Integrations
Network Management: FCAPS; protocols and tools: SNMP, CLI, SSH; external software module: N/A
Policy/Service Configuration: definition of policies and dissemination to SE devices; protocols and tools: SCA-API, GUI, scripts, XML; external software module: Service Control Application Suite GUI
Subscriber Management: dynamic management of subscriber contexts; protocols and tools: SM API, RADIUS; external software module: Subscriber Manager
Data Collection: collection of usage data for reporting and billing; protocols and tools: NetFlow v9, RDR protocol; external software module: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate a subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Figure: B-RAS - RADIUS server - Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller) - SCE - subscribers
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE
Subscriber Manager: RADIUS Integration - Pull
Figure: same components as the push case
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
LEGs translate these into SM operations:
Login: Subscriber ID, domain, mappings, lease time, policy
Logout: Subscriber ID, mappings
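The push and pull flows of the two Subscriber Manager slides and the RADIUS attribute list above, as an added example that is not the Cisco SM or LEG code: build an Accounting-Request carrying User-Name, Framed-IP-Address, NAS-Identifier and a Vendor-Specific attribute, verify its Request-Authenticator against the shared secret before trusting it (an accounting message that fails this check must not create or tear down a subscriber mapping), and maintain the Network-ID to Subscriber-ID table that answers the SCE's "who is using IP" query. The shared secret, the vendor id and the vendor-type number carrying SCE-VAS-PID are placeholders assumed here; the "SM-API Set Subscriber" call is modelled as an in-memory record.

```python
"""RADIUS Accounting-Start to subscriber-context mapping, push and pull.

Added example of the flow in the two Subscriber Manager slides and the LEG
attribute list, not the Cisco SM or LEG code.  Assumptions: the shared secret,
the vendor id and the vendor-type number carrying SCE-VAS-PID are placeholders
constructed for this example; "SM-API Set Subscriber" is an in-memory record.
"""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4                        # RADIUS code for Accounting-Request
ACCT_START, ACCT_STOP = 1, 2            # Acct-Status-Type values
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
VENDOR_ID = 0xFFFFFF                    # placeholder enterprise number, not a real registration
VSA_SCE_VAS_PID = 1                     # placeholder vendor type for the slide's SCE-VAS-PID
SECRET = b"constructed-shared-secret"   # placeholder RADIUS shared secret


def _avp(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_accounting(user: str, ip: str, pid: int, status=ACCT_START,
                     ident=1, secret=SECRET) -> bytes:
    """Build an Accounting-Request like the relayed message in the slide.

    Request-Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret),
    as RFC 2866 specifies for accounting requests.
    """
    vsa = struct.pack("!I", VENDOR_ID) + _avp(VSA_SCE_VAS_PID, struct.pack("!I", pid))
    attrs = (_avp(USER_NAME, user.encode())
             + _avp(FRAMED_IP, bytes(map(int, ip.split("."))))
             + _avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _avp(NAS_IDENTIFIER, b"bras-1")
             + _avp(VENDOR_SPECIFIC, vsa))
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def parse_accounting(packet: bytes, secret=SECRET) -> dict:
    """Verify the authenticator first, then pull out the attributes the SM needs."""
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request-Authenticator mismatch: wrong secret or altered packet")
    rec = {"ident": ident}
    off = 0
    while off < len(attrs):
        kind, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("malformed attribute")
        val = attrs[off + 2:off + alen]
        if kind == USER_NAME:
            rec["user"] = val.decode()
        elif kind == FRAMED_IP and len(val) == 4:
            rec["ip"] = ".".join(map(str, val))
        elif kind == ACCT_STATUS_TYPE and len(val) == 4:
            rec["status"] = struct.unpack("!I", val)[0]
        elif kind == NAS_IDENTIFIER:
            rec["nas"] = val.decode()
        elif kind == VENDOR_SPECIFIC and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == VENDOR_ID:
            if val[4] == VSA_SCE_VAS_PID and val[5] == 6:   # vendor type, vendor length
                rec["pid"] = struct.unpack("!I", val[6:10])[0]
        off += alen
    return rec


def authentic(packet: bytes, secret=SECRET) -> bool:
    """True when the packet parses and carries a valid Request-Authenticator."""
    try:
        parse_accounting(packet, secret)
        return True
    except (ValueError, struct.error):
        return False


class SubscriberManager:
    """Network-ID -> (Subscriber-ID, Policy-ID) mapping; the slide's internal SDB."""

    def __init__(self):
        self.by_ip = {}
        self.pushed = []    # push mode: Set Subscriber calls that would go to the SCE

    def on_accounting(self, packet: bytes, push: bool = True) -> dict:
        rec = parse_accounting(packet)          # raises before any state changes
        if rec.get("status") == ACCT_START and "ip" in rec:
            self.by_ip[rec["ip"]] = (rec["user"], rec.get("pid"))
            if push:
                self.pushed.append(("SetSubscriber", rec["user"], rec["ip"], rec.get("pid")))
        elif rec.get("status") == ACCT_STOP:
            self.by_ip.pop(rec.get("ip"), None)
        return rec

    def who_is_using(self, ip: str):
        """Pull mode: answer the SCE's 'who is using IP x?' query."""
        return self.by_ip.get(ip)
```

Push mode records the Set Subscriber call at login time; pull mode only consults the table when the SCE asks. In both modes the authenticator check is what stops an unauthenticated Accounting-Stop (or a forged Start for someone else's address) from rewriting which subscriber an IP address is charged and policed as.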
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning
NetFlow v9 - allows integration for billing/quota provisioning
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
Figure: GGSN (access aggregation and service control) - SCE as PCEF - converged packet core - Internet; video/VoIP applications and services
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd-party systems
Policy control, mediation, home-grown customer systems
Figure: RDR stream over TCP to a mediation/collection platform; each RDR carries a header followed by field 0, field 1 ... field n
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCE exporting RDRs to the SCMS Collection Manager / SCMS Reporter and NetFlow v9 to a NetFlow collector / NetFlow reporter
Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
- per package
- per service
- per direction (i.e. upstream / downstream)
Figure: subscriber side - SCE - network side; upstream and downstream flows for browsing, P2P and VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
Figure: customer logos grouped by Mobile, DSL and Cable
Partners and customers by use case (figure)
Use cases: Security & Content Filtering, Policy & Billing, URL Black-listing, Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Use cases: Flash Caching/Video, Content Infringement, Management/Reporting, Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Skype goes Mobile
Alex Day AKA Nerimon (19 years old): number 1 most popular of Britain's YouTubers; 30,000 subscribers tune in to him every day
European operator: "Video is number 1 application that is killing our network"
Who Will Capture the Value?
Figure: content/application providers; aggregators/integrators/over-the-top (OTT); network-based operators; virtual network operators; device services
Source: Cisco IBSG Analysis, March 2006
OTTs Create Three Areas of Concern for SPs...
Un-monetised traffic growth
Service substitution
Changing user behaviour - new sources of revenue
While remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables mobile SPs to implement capacity management and fair-use policies
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers mobile SPs to implement advanced targeted advertising schemes
Application Architecture of the Future: SCE enables User Experience
Figure: Service Control Point in the service provider network linking access types (fixed wireless, DSL, cellular, WiFi mesh, WiMAX, enterprise, cable) to services (gaming, messaging, broadband access, voice, IPTV/VoD, music)
What Is the Service Control Engine?
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology
Rapidly programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application session-level bandwidth shaping, blocking, redirecting (HTTP, RTSP, SIP)
Subscriber state management with per-subscriber BW management and quotas
Extensible platform & open architecture: based upon a flexible, purpose-built platform
Modular and scalable HW acceleration; easy to use, with open APIs for se seamless OSS integration
Carrier class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 gigabit speeds, and high availability & reliability with stateful failover
Process of Service Control
Intelligent inspection and control of IP packets
Classify to the end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions - time of day, congestion, usage, other concurrent activities
Take action and report: block, redirect, set QoS, mark, report
Service Control Engine: Functional Examples
Cost Management: Service Security, Traffic Optimization, Usage Analysis
Revenue Generation: Tiering & Access Control, Premium Service Enablement, Content Charging
Examples
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam/Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control & Content Filtering
Service Control Platforms
Category: SCE1000 | SCE2000 | SCE8000
Interfaces: 2-GBE (fiber SX/LX) | 4-GBE (fiber SX/LX) | 2-10G, 4-10G, 8-GBE, 16-GBE (fiber SX/LX/ZX)
Mgmt interface: 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows: 2M | 2M | 16M (can grow up to 32M)
Max subscriber contexts: 200,000 | 200,000 | 1M
Network configuration: out of line, inline | out of line, inline, clustering | out of line, inline, clustering
SCE Product Family and Milestones
Figure: capacity (concurrent subscribers) from 200K to 1M and performance from 5 Gbps to 40 Gbps across SCE 1000, SCE 2000 and SCE 8000
SCE 8000: 2x10G, 4x10G & 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end 09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
Industry-leading Deep Packet Inspection
Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
3GPP compliant
The SCE Mobile Solution
Figure: SGSN/GGSN - SCE - core - Internet, with AAA (RADIUS), policy server, portal/applications, and billing & charging
The SCE Mobile Solution - 3GPP Compliance
Figure: the same topology with 3GPP roles - SCE as PCEF, policy server as PCRF, billing & charging as OCF/SRP, applications as AF, over the Gy/Gx interfaces
What does an SCE solution look like? SCE sits at the access or aggregation layer
Figure components: Service Control Engine (between subscribers and the network), Subscriber Manager, AAA / DHCP / RADIUS / Billing, Policy Server / Portal, Service Portal, Collection Manager, Reporting Tool / Engage Console
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches (from usage analysis to service creation)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized app services, pay-as-you-go services
Figure: portal, DHCP, AAA, subscriber profile and policy components
What does a Service Provider want from SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information & per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat rate "all you can eat"
Usage/Content Based Billing: global migration from flat rate to usage based
Fair Use Policy
All HSDPA mobile operators
Figure: flat rate vs. restricted offerings
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
Cycle: Measure - Analyze - Compare - Decide - Act (Cisco Service Control shown at the measure and act ends)
Figure labels: strategic, part of business ops, customer, sales, category recognition; transactions information, network utilization, service QoE; data aggregation, data mining, correlation, trend analysis; geographies comparison, histogram view, intersecting set; service offering, marketing review, engineering review, IT review; network tuning, cooperation
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
Figure: all HTTP requests vs. only ClickStream
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based only on a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market - zero day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions and their implementation impact
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Service level
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: a subscriber's bandwidth split over time between peer-to-peer service, web browsing and e-mail; when the user launches video, mobile TV is added to the mix
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies to ensure a balanced community of subscribers
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
[Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly]
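An added example (not Cisco SCE code) of the allocation idea behind the two slides above: each subscriber is weighted by its short-term usage and demoted when it has exceeded its plan's monthly threshold, and the link is then shared by weighted max-min fairness only when demand exceeds capacity. The weighting rule, window sizes and subscriber figures are constructed assumptions.

```python
"""Fair-usage allocator during congestion (added example; not Cisco SCE code).

An equal split at one instant ignores who consumed what before it. Here each
subscriber is weighted by recent (short-term window) usage and demoted if the
monthly acceptable-usage threshold is exceeded; link capacity is then shared by
weighted max-min fairness. Allocation only deviates from demand when total
demand exceeds capacity. Weights, thresholds and figures are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Subscriber:
    name: str
    demand_kbps: float   # bandwidth the subscriber currently asks for
    recent_mb: float     # volume in the short-term window (e.g. last 15 minutes)
    month_mb: float      # volume so far in the billing month
    plan_mb: float       # acceptable-usage threshold of the subscription plan


def weight(sub: Subscriber, window_ref_mb: float = 100.0,
           violator_factor: float = 0.25) -> float:
    """Assumed weighting rule: heavier short-term use lowers the weight
    smoothly; a subscriber over the monthly plan threshold is demoted further."""
    w = 1.0 / (1.0 + sub.recent_mb / window_ref_mb)
    if sub.month_mb > sub.plan_mb:
        w *= violator_factor
    return w


def allocate(subs, capacity_kbps: float) -> dict:
    """Weighted max-min fair share (water-filling with demand caps).

    Returns {name: kbps}. Subscribers whose demand is below their weighted
    share are satisfied in full and the leftover is redistributed among the
    rest, so nobody is allocated more than it asked for.
    """
    if sum(s.demand_kbps for s in subs) <= capacity_kbps:
        return {s.name: s.demand_kbps for s in subs}   # no congestion: hands off
    alloc = {s.name: 0.0 for s in subs}
    remaining = capacity_kbps
    active = list(subs)
    while active and remaining > 1e-9:
        wsum = sum(weight(s) for s in active)
        share = {s.name: remaining * weight(s) / wsum for s in active}
        satisfied = [s for s in active if s.demand_kbps <= share[s.name]]
        if not satisfied:
            # everyone still active wants more than its share: split it all
            for s in active:
                alloc[s.name] = share[s.name]
            break
        for s in satisfied:
            alloc[s.name] = s.demand_kbps
            remaining -= s.demand_kbps
            active.remove(s)
    return {k: round(v, 3) for k, v in alloc.items()}


def scenario_from_slide() -> dict:
    """Two heavy users contend for a 1000 kbps link; Sub B burned far more in
    the short-term window. An equal split would give 500/500; the weighted
    allocation favours Sub A (roughly 732 vs 268 kbps)."""
    subs = [
        Subscriber("A", demand_kbps=800, recent_mb=10, month_mb=1000, plan_mb=5000),
        Subscriber("B", demand_kbps=800, recent_mb=200, month_mb=1000, plan_mb=5000),
    ]
    return allocate(subs, capacity_kbps=1000)


if __name__ == "__main__":
    print(scenario_from_slide())
```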
RAN Optimization and Backhaul Optimization
Addresses the inherent congestion at the RAN and backhaul levels that the boom in mobile data is imposing.
Higher and more consistent performance and a much improved end-user experience.
Flexibility to generate revenue through differential billing and charging (e.g. email only).
Ability to provide SLA support or managed services for large enterprise users.
[Figure: UTRAN, SGSN/GGSN, SCE and policy server in the path between GPRS subscribers and the Internet]
Tiered Services
Requirement: Flexible Billing Plans
- Volume, time: bill by bandwidth usage over an always-on service
- Time, volume, transaction, content type: bill differently for each type of application and content
- Volume, transaction, content type, usage pattern, quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
[Figure: billing parameters plotted against subscription and time]
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session can either be terminated or the user can purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographic data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: subscribers, the Service Control Engine and the network, with the quota manager, billing/mediation and policy server]
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
- SP's content delivery store
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI.
The quota measurement rate can change with the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of night: 10 bytes of transfer = 1 byte of quota
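An added example (not Cisco SCE code) of the quota accounting rules on this slide: exempt on-net services are seen but not counted, the byte-to-quota rate depends on the hour, and once the quota is consumed the subscriber is redirected to the portal. The service names, hour boundaries, off-peak rate and quota size are constructed assumptions.

```python
"""Quota accounting with exemptions and time-of-day rates (added example;
not Cisco SCE code). On-net services that earn revenue other than access fees
are exempt from the quota; the measurement rate varies by time of day (peak:
1 byte transferred = 1 byte of quota; middle of the night: 10 bytes = 1 byte
of quota). Service names, hour boundaries and quota sizes are assumptions.
"""
from dataclasses import dataclass, field

# Services whose traffic is not counted against the access quota (assumed names).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cds"}

# Assumed time-of-day schedule: bytes of transfer per byte of quota.
PEAK_HOURS = range(8, 24)      # 08:00-23:59 -> 1:1 (slide: peak hour)
NIGHT_HOURS = range(0, 6)      # 00:00-05:59 -> 10:1 (slide: middle of night)
OFF_PEAK_RATE = 2.0            # remaining hours -> 2:1 (assumed)


def bytes_per_quota_byte(hour: int) -> float:
    if hour in PEAK_HOURS:
        return 1.0
    if hour in NIGHT_HOURS:
        return 10.0
    return OFF_PEAK_RATE


@dataclass
class QuotaAccount:
    quota_bytes: int                 # monthly allowance
    used_bytes: float = 0.0          # quota consumed so far
    exempt_bytes: int = 0            # traffic seen but not counted
    ledger: list = field(default_factory=list)   # (service, direction, bytes, consumed)

    def charge(self, nbytes: int, service: str, hour: int,
               direction: str = "down") -> float:
        """Account nbytes of `service` traffic observed at `hour` and return
        the quota actually consumed. Both directions are counted, matching the
        slide's note that DPI can classify P2P in the upload direction too."""
        if not 0 <= hour < 24:
            raise ValueError("hour must be 0..23")
        if service in EXEMPT_SERVICES:
            self.exempt_bytes += nbytes
            self.ledger.append((service, direction, nbytes, 0.0))
            return 0.0
        consumed = nbytes / bytes_per_quota_byte(hour)
        self.used_bytes += consumed
        self.ledger.append((service, direction, nbytes, consumed))
        return consumed

    @property
    def remaining(self) -> float:
        return max(0.0, self.quota_bytes - self.used_bytes)

    def enforcement(self) -> str:
        """Action once the quota is consumed: redirect the subscriber to the
        portal (extend, pay as you go, or continue at reduced speed)."""
        return "redirect_to_portal" if self.used_bytes >= self.quota_bytes else "normal"


if __name__ == "__main__":
    acc = QuotaAccount(quota_bytes=1_000_000)
    acc.charge(100_000, "web", hour=20)          # peak: 100 000 bytes of quota
    acc.charge(100_000, "web", hour=3)           # night: 10 000 bytes of quota
    acc.charge(500_000, "sp_voip", hour=12)      # exempt: 0
    print(acc.used_bytes, acc.exempt_bytes, acc.enforcement())
```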
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events.
Standard Gy interface to the Online Charging Server.
[Figure: subscriber, SCE (access aggregation and service control), GGSN, converged packet core, Internet, video/VoIP applications and services]
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter.
The SCE supports the Diameter Credit Control Application (DCCA).
Integration with Online Charging Servers for mobile prepaid and quota use cases.
Multiple quota types: volume, time, event driven.
High availability and load balancing between Online Charging Servers.
[Figure: SCE connected to the Online Charging Server via Gy over Diameter, and to the Internet]
The Gy interface is still under development and will be available in a future release.
Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter.
When a user reaches the quota, his Internet service is reduced to dial-up speed.
The user then has the option to upgrade his quota level or continue at the reduced speed until the end of the month.
15% of the customers upgrade their quota every month.
[Figure: Telenet self-care portal with options to view previous months, see the current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to switch from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription (buy more)
- Pay as you go on broadband
- Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase.
40% reduction in service support calls relating to this service: increased customer service satisfaction.
T-Mobile - Quota-Based With Application Control
Plan:              Default    WnW   WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
Allowance:         Unlimited  2GB   2GB      1GB       3GB      10GB
VoIP:              ✓          ✗     ✗        ✗         ✗        ✓         ✗
IM:                ✓          ✗     ✗        ✗         ✓        ✓         ✗
P2P:               ✓          ✗     ✓        ✗         ✓        ✓         ✗
FTP:               ✓          ✗     ✓        ✗         ✓        ✓         ✗
Media Stream:      ✓          ✗     ✓        ✗         ✓        ✓         ✗
Web Browsing:      ✓          ✓     ✓        ✓         ✓        ✓         ✓
Downloads:         ✓          ✗     ✓        ✓         ✓        ✓         ✓
Emails:            ✓          ✓     ✓        ✓         ✓        ✓         ✓
Handset as modem:  ✓          ✗     ✓        ✗         ✓        ✓         ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile."
Business issue: Skype taking mobile minutes away.
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN.
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype.
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
[Figure: Vodafone Spain consumer Internet offer; figure label "> 40"]
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution.
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control).
"Push": the enhanced experience is application-driven (application awareness, control bus).
[Figure: IPTV/VoD, broadband access, gaming, messaging, music and voice services around the control bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup.
Enable customers to self-select and modify services and features.
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience.
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation).
[Figure: personalization via self-selection portal]
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service can visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self-Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring
Personalized Reporting: Self-Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists:
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Figure: blocked-content page ("Content Blocked - Click here to unlock all Internet sites") between the subscriber and the Internet]
URL Filtering With External DB
On-device URL filtering with external database integration:
- Enhances SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external database
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
[Figure: on a cache miss ("URL not in cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the SCE then updates its cache]
Action by subscriber package and HTTP list:
Subscriber package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps
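An added example (not Cisco SCE or Websense code) of the cache-in-front-of-external-database flow and the policy table on this slide: a cache miss triggers one query to the external classifier, the answer is cached per host, and the subscriber's package maps the returned list ID to ALLOW, BLOCK or RATE 64kbps. The database entries, cache size and host names are constructed assumptions.

```python
"""URL filtering with an on-board cache in front of an external URL database
(added example; not Cisco SCE code). On a cache miss the device queries the
3rd-party database for the URL's list ID and caches the answer; the
subscriber's package then maps the list ID to ALLOW, BLOCK or RATE 64kbps
using the slide's policy table. Database contents and cache size are assumed.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

DEFAULT, LIST_1, LIST_2 = "DEFAULT", "LIST_1", "LIST_2"

# Policy table from the slide: package -> {list ID: action}
POLICY = {
    "Block-none":     {DEFAULT: "ALLOW", LIST_1: "ALLOW", LIST_2: "ALLOW"},
    "Block-all":      {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "BLOCK"},
    "Block-and-slow": {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the 3rd-party classification database (constructed data)."""
    def __init__(self, entries: dict):
        self._entries = entries      # host -> list ID
        self.queries = 0             # how many times the device had to ask

    def classify(self, host: str) -> str:
        self.queries += 1
        return self._entries.get(host, DEFAULT)


class UrlFilter:
    def __init__(self, db: ExternalUrlDb, cache_size: int = 1000):
        self.db = db
        self.cache = OrderedDict()   # LRU cache: host -> list ID
        self.cache_size = cache_size

    @staticmethod
    def host_of(url: str) -> str:
        """Normalise to the host so 'HTTP://Example.TEST:80/a' and
        'http://example.test/b' share one cached classification."""
        if "://" not in url:
            url = "http://" + url
        return (urlsplit(url).hostname or "").lower()

    def list_id(self, url: str) -> str:
        host = self.host_of(url)
        if host in self.cache:                   # cache hit: no external transaction
            self.cache.move_to_end(host)
            return self.cache[host]
        lid = self.db.classify(host)             # cache miss: query the external DB
        self.cache[host] = lid
        if len(self.cache) > self.cache_size:    # evict least recently used entry
            self.cache.popitem(last=False)
        return lid

    def decide(self, package: str, url: str) -> str:
        if package not in POLICY:
            raise KeyError(f"unknown package {package!r}")
        return POLICY[package][self.list_id(url)]


if __name__ == "__main__":
    db = ExternalUrlDb({"adult.test": LIST_1, "gambling.test": LIST_2})  # constructed
    f = UrlFilter(db)
    print(f.decide("Block-and-slow", "http://adult.test/x"),
          f.decide("Block-and-slow", "HTTP://Gambling.TEST:80/y"),
          f.decide("Block-all", "http://adult.test/z"), db.queries)
```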
Parental Control and Content Filtering: Example
Content filtering: "Page Blocked: Forbidden Content Detected"
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
[Figure: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds]
SPs leverage their intimacy with their customer base to enable enhanced targeting.
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting.
Good for all access types: DSL, cable, mobile, WiFi.
Value-add on top of the SCE's product offering.
SPs participate in the advertising value chain and increase ARPU through a revenue-sharing model.
Addresses privacy concerns through advanced opt-in/opt-out mechanisms.
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in the RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: it lets the request pass for a legal file and blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing:
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
The SCE analyzes and redirects OTT traffic to the caching server.
The cache delivers more bandwidth to end users using existing network resources.
The cache relieves network peering load while improving QoE.
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
[Figure: the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT/P2P and VoIP traffic continues on its path]
Increase in demand for OTT.
Best user experience: OTT content is delivered from within the network, as close as possible to the user.
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users.
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
[Figure: Service Control between subscribers, email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"]
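An added example (not Cisco SCE code) of the identify/protect/notify tiers for the spam case on this slide: a stateful per-subscriber counter flags a subscriber that opens outbound SMTP sessions to an anomalous number of distinct servers inside a sliding window, outbound SMTP from that subscriber is then dropped per policy, and a notification is generated. The flow records, window and threshold are constructed assumptions.

```python
"""Spam-zombie detection from per-subscriber flow records (added example;
not Cisco SCE code). Identify: a stateful sliding-window counter of distinct
outbound SMTP peers per subscriber. Protect: outbound SMTP from a quarantined
subscriber is dropped. Notify: a subscriber notice is produced.
Flow records, window and threshold are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25


@dataclass
class Flow:
    ts: float          # seconds
    subscriber: str
    dst_ip: str
    dst_port: int
    direction: str     # "up" = from the subscriber towards the network


@dataclass
class Verdict:
    subscriber: str
    distinct_smtp_peers: int
    action: str
    notice: str


class SpamZombieDetector:
    """Anomaly rule: a residential subscriber opening outbound SMTP sessions to
    many distinct servers in a short window behaves like a spam engine; a normal
    mail client talks to one or two servers."""
    def __init__(self, window_s: float = 300.0, max_peers: int = 20):
        self.window_s = window_s
        self.max_peers = max_peers
        self._events = defaultdict(list)   # subscriber -> [(ts, dst_ip)]
        self.quarantined = set()

    def observe(self, flow: Flow):
        """Identify tier. Returns a Verdict the first time a subscriber crosses
        the threshold, otherwise None."""
        if flow.direction != "up" or flow.dst_port != SMTP_PORT:
            return None
        ev = self._events[flow.subscriber] + [(flow.ts, flow.dst_ip)]
        cutoff = flow.ts - self.window_s
        ev = [e for e in ev if e[0] >= cutoff]     # bounded, sliding-window state
        self._events[flow.subscriber] = ev
        peers = {ip for _, ip in ev}
        if len(peers) > self.max_peers and flow.subscriber not in self.quarantined:
            self.quarantined.add(flow.subscriber)
            return Verdict(flow.subscriber, len(peers), "block-smtp+quarantine+notify",
                           self.notification(flow.subscriber))
        return None

    def policy_action(self, flow: Flow) -> str:
        """Protect tier: once quarantined, outbound SMTP is dropped; the
        subscriber's other traffic is left to the portal redirect."""
        if (flow.subscriber in self.quarantined and flow.direction == "up"
                and flow.dst_port == SMTP_PORT):
            return "DROP"
        return "FORWARD"

    @staticmethod
    def notification(subscriber: str) -> str:
        """Notify tier: text modelled on the slide's sample message."""
        return (f"Dear subscriber {subscriber}: your PC may have become infected "
                "with an email zombie generating spam mail. Outbound mail has "
                "been restricted; please contact technical assistance.")


def run_sample() -> dict:
    """Constructed sample: 'sub-A' sends normal mail to one server every minute;
    'sub-B' opens SMTP sessions to 40 different hosts within two minutes."""
    det = SpamZombieDetector()
    flows = [Flow(t, "sub-A", "198.51.100.25", SMTP_PORT, "up") for t in range(0, 600, 60)]
    flows += [Flow(3 * i, "sub-B", f"203.0.113.{i}", SMTP_PORT, "up") for i in range(1, 41)]
    flows.append(Flow(10, "sub-B", "198.51.100.80", 80, "up"))   # web traffic, ignored
    verdicts = [v for v in map(det.observe, sorted(flows, key=lambda f: f.ts)) if v]
    return {"verdicts": verdicts, "detector": det}


if __name__ == "__main__":
    for v in run_sample()["verdicts"]:
        print(v.subscriber, v.distinct_smtp_peers, v.action)
```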
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1, SCE, Carrier Ethernet/MPLS/IP, VAS server and Internet; inbound and outbound traffic, with X marking blocked traffic]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application.
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package.
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server.
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine.
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations.
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
A stateful analysis engine with application awareness sees all packets in both directions.
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions).
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa.
[Figure: analysis engine applying PDR (police, drop, rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters or port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
[Figure: SCE between subscribers and network, attached through optical splitters in the receive-only case]
High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active/standby failover
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
[Figure: master and slave SCEs cascaded across two active links]
Redundant Configurations: Active/Standby Schemes
1+0:
- Active/standby SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1:
- Active/standby SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configuration: fail open
[Figure: active and standby links for the two schemes]
Optical Bypass
The SCE can be inserted through optical bypass modules.
For the SCE8000 the optical bypass modules are activated in the following cases:
- In case of a major failure in the SCE software or hardware
- Manually via CLI
- On boot
[Figure: SCE8000 with optical bypass modules, showing the default bypass state (no power) and the non-default bypass state; the figure's port labels are 00, 10, 20 and 30]
MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept:
- The 7600 dispatches the flows to a unique port served by an SCE
- The SCE performs the DPI functionality and returns the packets to the original data path
- All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
[Figure: N+1 SCEs attached to the 7600; flows dispatched to the SCEs and returned, towards the Internet]
Network Architectures: SCE's Open & Extensible Architecture
[Figure: N+1 cluster, 1+1 HA and bypass HA insertion options behind the GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), towards the Internet, with accounting and policy control]
Packet Inspection: Tunneling Environment
The SCE supports tunneled IP traffic, with support for various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
[Figure: packet stacks showing the payload, TCP and IP headers beneath L2TP, MPLS and PPP encapsulations]
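An added example (not Cisco SCE code) of what an inspection engine must do before it can classify tunneled traffic: walk the encapsulation layers listed above that sit directly on Ethernet (802.1Q tags, an MPLS label stack, IP-in-IP) down to the subscriber's inner IP and TCP headers. L2TP/PPP is not handled here; the sample frame and its addresses are constructed.

```python
"""Decapsulating tunneled traffic to reach the inner IP/TCP headers (added
example; not Cisco SCE code). Handles 802.1Q VLAN tags (including stacked
tags), an MPLS label stack and IP-in-IP; L2TP/PPP is not handled here.
The sample frame is constructed inline.
"""
import struct
from dataclasses import dataclass, field

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP = 4, 6


@dataclass
class FiveTuple:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    encaps: list = field(default_factory=list)  # layers crossed, e.g. ['vlan:100', 'mpls:16', 'ipip']


def _addr(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> FiveTuple:
    """Walk the encapsulation layers from the Ethernet header inwards."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    off, encaps = 14, []
    while etype == ETH_VLAN:                        # 802.1Q (the loop also covers QinQ)
        tci, etype = struct.unpack_from("!HH", frame, off)
        encaps.append(f"vlan:{tci & 0x0FFF}")
        off += 4
    if etype == ETH_MPLS:
        while True:                                 # label stack, 4 bytes per entry
            entry = struct.unpack_from("!I", frame, off)[0]
            encaps.append(f"mpls:{entry >> 12}")
            off += 4
            if entry & 0x100:                       # bottom-of-stack bit
                break
        if frame[off] >> 4 != 4:                    # no ethertype after MPLS: check IP version
            raise ValueError("only IPv4 beneath MPLS is handled here")
    elif etype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{etype:04x}")
    return _parse_ipv4(frame, off, encaps)


def _parse_ipv4(frame: bytes, off: int, encaps: list) -> FiveTuple:
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src, dst = _addr(frame[off + 12:off + 16]), _addr(frame[off + 16:off + 20])
    off += ihl
    if proto == IPPROTO_IPIP:                       # IP-in-IP: recurse into the inner packet
        encaps.append("ipip")
        return _parse_ipv4(frame, off, encaps)
    sport = dport = 0
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack_from("!HH", frame, off)
    return FiveTuple(src, dst, proto, sport, dport, encaps)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; enough for parsing)."""
    def to_bytes(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, to_bytes(src), to_bytes(dst))


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet / VLAN 100 / MPLS label 16 / IPv4 (IP-in-IP)
    / IPv4 / TCP SYN from 10.1.2.3:52000 to 198.51.100.7:80."""
    tcp = struct.pack("!HHIIBBHHH", 52000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.1.2.3", "198.51.100.7", IPPROTO_TCP, len(tcp)) + tcp
    outer = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!I", (16 << 12) | 0x100 | 64)   # label 16, S=1, TTL 64
    eth = bytes(12) + struct.pack("!H", ETH_VLAN) + struct.pack("!HH", 100, ETH_MPLS)
    return eth + mpls + outer


if __name__ == "__main__":
    print(parse_frame(build_sample_frame()))
```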
Management and Integration
What does an SCE solution look like?
The SCE sits at the access or aggregation layer.
Modular solution: includes SCE devices, management tools and integration APIs.
[Figure: Service Control Engine between subscribers and the network, with the Subscriber Manager (AAA, DHCP, RADIUS, billing), Collection Manager, reporting tool, Engage console, service portal and policy server/portal]
Management and Integrations
Area                         Description                                          Protocols and tools        External software modules
Network management           FCAPS                                                SNMP, CLI, SSH             NA
Policy/service configuration Definition of policies and dissemination to SE devices SCA-API, GUI, scripts, XML Service Control Application Suite GUI
Subscriber management        Dynamic management of subscriber contexts            SM API, RADIUS             Subscriber Manager
Data collection              Collection of usage data for reporting and billing   NetFlow v9, RDR-Protocol   Collection Manager
Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
[Figure: interactive real-time report; click on a top subscriber to activate the subscriber]
Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions.
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems.
Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  Push: login messages are sent directly to the relevant SCE device
  Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
[Figure: B-RAS, network, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller) and subscribers]
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1234
2. (RADIUS relay) Acct-Start is forwarded to the SM: Username=Joe, Framed-IP-Address=1234, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1234, 12) is pushed to the SCE device
Subscriber Manager RADIUS Integration - Pull
[Figure: same components as in the push case]
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1234
2. (RADIUS relay) Acct-Start is forwarded to the SM: Username=Joe, Framed-IP-Address=1234, SCE-VAS-PID=12; the SM stores the mapping in its internal SDB
3. Traffic from Joe (IP 1234) reaches the SCE, which asks the SM "Who is using IP 1234?"
4. (SM-API) Set Subscriber (Joe, 1234, 12) is returned to the SCE device
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM login messages (subscriber ID, domain, mappings, lease time, policy) and logout messages (subscriber ID, mappings).
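An added example (not Cisco code) covering the push and pull slides and the LEG translation above: a RADIUS accounting packet, given as an attribute dictionary, is translated into an SM login (User-Name, Framed-IP-Address, the SCE-VAS-PID VSA as policy ID) or logout; in push mode the SM sends the mapping to the SCE immediately, in pull mode the SCE asks the SM on the first packet from an unknown IP. The SCE stub, the packet dictionaries and the default policy ID are constructed assumptions.

```python
"""Subscriber Manager mapping with RADIUS LEG translation in push and pull
mode (added example; not Cisco code). A RADIUS Accounting-Start becomes an SM
login (User-Name -> subscriber ID, Framed-IP-Address -> mapping, SCE-VAS-PID
VSA -> policy ID); Accounting-Stop becomes a logout. Push mode sends the
login to the SCE at once; pull mode answers the SCE's query on first traffic.
The SCE stub, packet dictionaries and default policy ID are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_POLICY = 1   # assumed package ID for subscribers that never carried a VSA


@dataclass
class Login:
    subscriber_id: str
    ip: str
    policy_id: int


class SceStub:
    """Minimal SCE-side mapping table. In pull mode unknown IPs are resolved
    by asking the SM; in push mode the SM fills the table itself."""
    def __init__(self):
        self.table: dict = {}        # IP -> Login
        self.sm = None               # set by SubscriberManager
        self.queries = 0

    def set_subscriber(self, login: Login):
        self.table[login.ip] = login

    def remove_mapping(self, ip: str):
        self.table.pop(ip, None)

    def classify(self, src_ip: str) -> Optional[Login]:
        if src_ip not in self.table and self.sm is not None and self.sm.mode == "pull":
            self.queries += 1                        # "who is using IP ...?"
            found = self.sm.who_is(src_ip)
            if found:
                self.table[src_ip] = found
        return self.table.get(src_ip)


class SubscriberManager:
    def __init__(self, sce: SceStub, mode: str = "push"):
        if mode not in ("push", "pull"):
            raise ValueError(mode)
        self.mode, self.sce = mode, sce
        sce.sm = self
        self.by_ip: dict = {}        # network ID -> subscriber ID
        self.policies: dict = {}     # subscriber ID -> policy ID (persists across logins)

    def login(self, subscriber_id: str, ip: str, policy_id: Optional[int]) -> Login:
        if policy_id is None:        # no VSA this time: reuse the persisted policy
            policy_id = self.policies.get(subscriber_id, DEFAULT_POLICY)
        self.policies[subscriber_id] = policy_id
        for old in [a for a, s in self.by_ip.items() if s == subscriber_id]:
            del self.by_ip[old]      # a subscriber's previous address is released
            self.sce.remove_mapping(old)
        self.by_ip[ip] = subscriber_id
        entry = Login(subscriber_id, ip, policy_id)
        if self.mode == "push":
            self.sce.set_subscriber(entry)
        return entry

    def logout(self, subscriber_id: str):
        for addr in [a for a, s in self.by_ip.items() if s == subscriber_id]:
            del self.by_ip[addr]
            self.sce.remove_mapping(addr)

    def who_is(self, ip: str) -> Optional[Login]:
        sid = self.by_ip.get(ip)
        return Login(sid, ip, self.policies[sid]) if sid else None


def radius_leg(sm: SubscriberManager, packet: dict) -> Optional[Login]:
    """Translate a RADIUS accounting packet (attribute dict) into an SM
    login/logout. The vendor-specific SCE-VAS-PID carries the policy ID."""
    status = packet.get("Acct-Status-Type")
    user = packet["User-Name"]
    if status == "Start":
        vsa = packet.get("Vendor-Specific", {})
        return sm.login(user, packet["Framed-IP-Address"], vsa.get("SCE-VAS-PID"))
    if status == "Stop":
        sm.logout(user)
        return None
    raise ValueError(f"unsupported Acct-Status-Type {status!r}")


if __name__ == "__main__":
    sce = SceStub()
    sm = SubscriberManager(sce, mode="pull")
    radius_leg(sm, {"Acct-Status-Type": "Start", "User-Name": "Joe",
                    "Framed-IP-Address": "10.0.0.4",
                    "Vendor-Specific": {"SCE-VAS-PID": 12}})      # constructed
    print(sce.classify("10.0.0.4"), sce.queries)
```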
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing and quota provisioning
- NetFlow v9: allows integration for billing and quota provisioning cases
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID.
[Figure: SCE, Subscriber Manager and policy server connected via APIs]
PCEF - Subscriber Policy Enforcement
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server.
Communication with the PCRF is through a standard Gx interface.
[Figure: subscriber, GGSN, SCE as PCEF (access aggregation and service control), converged packet core, Internet, video/VoIP applications and services]
The Gx interface is still under development and will be available in a future release.
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in outgoing SCE Gx/Gy messages. Attributes supported include:
- Called-Station-Id
- 3GPP-SGSN-IP-Address
- 3GPP-SGSN-MCC-MNC
- 3GPP-GPRS-Negotiated-QoS-Profile
- 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow collector.
RDRs are sent to the "Collection Manager" for processing: either the Cisco bundled Collection Manager or a third-party database.
Configurable data granularity: interval between RDRs, sample rates.
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded.
Support for multiple destinations, failover and subscriptions.
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems.
[Figure: RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by fields 0 to n]
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records.
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions.
Records equivalent to existing RDR groups: subscriber usage (NUR), package usage (PUR), link usage (LUR).
Format supported by various NetFlow collectors, including Cisco NFC 6.0.
[Figure: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow Reporter)]
Collection Manager: Software Overview
CM software:
- Unix (Solaris, Linux) Java software
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selectable DSCP values.
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (upstream/downstream)
[Figure: browsing, P2P and VoIP flows marked upstream (subscriber side) and downstream (network side)]
ToS Classification
The SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network.
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.
Summary
Cisco SCE Sample Customers
[Figure: customer logos grouped by access type: mobile, DSL, cable]
[Figure: partner and customer table for security & content filtering, policy & billing, URL black-listing and advertising; partners named include Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS, Aladdin, Websense, Adaptive Mobile, an in-platform cache, Phorm, Feeva and Adzilla; operators named include NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, CTT, China Mobile, Korean Telecom, a UK DSL provider, an Italian DSL provider and local players in China and Italy]
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 13
Alex Day, AKA Nerimon (19 years old)
Number 1 most popular of Britain's YouTubers; 30,000 subscribers tune in to him every day
European Operator: "Video is number 1 application that is killing our network"

Who Will Capture the Value?
Content/Application Providers
Aggregators/Integrators/Over the Top (OTT)
Network-Based Operators
Virtual Network Operators
Device Services
Source: Cisco IBSG Analysis, March 2006

OTTs Create Three Areas of Concern for SPs...
Un-monetised Traffic Growth
Service Substitution
Changing User Behaviour - New Sources of Revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG

Service Control Engine (SCE) Fundamentals

Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows Mobile service providers to cope with the dynamic nature of the net:
- permits SPs to classify all IP applications
- provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies:
- to gain visibility into network activities
- to optimize network bandwidth and improve network performance
- to guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers Mobile SPs to implement advanced targeted advertising schemes

Application Architecture of the Future: SCE enables User Experience
[Figure: a Service Control Point in the Service Provider Network between access types (Fixed, Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable) and applications (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music)]

What Is the Service Control Engine?
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology:
Rapidly Programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with Per-Subscriber BW Management and Quotas
Extensible Platform & Open Architecture: based upon a flexible, purpose-built platform
Modular and scalable HW acceleration; easy to use with open APIs for seamless OSS integration
Carrier Class: designed for carrier-grade deployments requiring
- High Performance for Multi-Gigabit and 10 Gigabit speeds
- High Availability & Reliability with stateful failover

Process of Service Control
Intelligent Inspection and Control of IP Packets:
1. Classify to end-user application, determine application semantics
2. Map to subscriber identity, policy and state
3. Select action based on conditions - time of day, congestion, usage, other concurrent activities
4. Take action and report: Block, Redirect, Set QoS, Mark, Report

Service Control Engine: Functional Examples
[Figure: functional areas arranged on an axis from Cost Management to Revenue Generation: Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement, Content Charging]
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam/Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control & Content Filtering

Service Control Platforms
Category                                        | SCE1000             | SCE2000                         | SCE8000
Interfaces                                      | 2-GBE (Fiber SX/LX) | 4-GBE (Fiber SX/LX)             | 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX)
Mgmt Interface                                  | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth             | 2 x 10/100/1000 Eth
Max Concurrent Unidirectional Application Flows | 2M                  | 2M                              | 16M (can grow up to 32M)
Max Subscriber-Contexts                         | 200,000             | 200,000                         | 1M
Network Configuration                           | Out of Line, Inline | Out of Line, Inline, Clustering | Out of Line, Inline, Clustering

SCE Product Family and Milestones
[Figure: SCE 1000, SCE 2000 and SCE 8000 plotted by capacity (concurrent subscribers, 200K to 1M) and performance (5 Gbps to 40 Gbps)]
SCE 8000: 2x10G, 4x10G, 8xGBE and 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of '09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics

Cisco SCE In Mobile
Industry-leading Deep Packet Inspection
Rich set of IP services: Content Filtering, Content Charging, Traffic Optimization, Usage Analysis
3GPP Compliant

The SCE Mobile Solution
[Figure: SCE between GGSN/SGSN and the Core/Internet, integrated with AAA (Radius), Policy Server, Portal/Applications, and Billing & Charging]

The SCE Mobile Solution - 3GPP Compliance
[Figure: the same topology annotated with 3GPP roles: PCEF (the SCE), Gy and Gx interfaces, PCRF, OCF/SRP, AF]

What does an SCE solution look like? SCE sits at the access or aggregation layer
[Figure: Service Control Engine between Subscribers and the Network, with Subscriber Manager (AAA, DHCP, Radius), Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager and Policy Server/Portal]
1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for Reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Service Control Engine Deployment Approaches
[Figure: approaches arranged from Usage Analysis to Service Creation, integrating with Portal, DHCP, AAA, Subscriber Profile and Policy]
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement Service Self Selection; implement Over-The-Top (OTT) Application Strategy and Blended Services; implement Security Services (Anti-X, Quarantine, etc.); innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services

What does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information & per-subscriber re-direction to an Ad Server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content Based Billing and Fair Use Policy: all HSDPA Mobile Operators; global migration from flat rate to usage based
[Figure: flat-rate vs. restricted product offerings]

Traffic Analysis and Business Intelligence

Business Intelligence Cycle
[Figure: cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control at both ends of the loop; Strategic, Part of Business Ops, Customer, Sales, Category Recognition]
Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Service Offering; Marketing Review; Intersecting Set; Engineering Review; IT Review; Network Tuning; Cooperation

Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application

Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Figure: report showing only ClickStream requests]

Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only

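The figures on the slide are the output of a simple computation over per-subscriber volumes: rank subscribers by usage, take the cumulative share of the heaviest fraction, and count how many would exceed a proposed daily quota. The following is an added example (not code from the Cisco deck); the ten daily volumes are constructed sample data, chosen heavy-tailed so the result resembles the slide, and not measurements.

```python
"""Cumulative usage distribution and quota impact, added example (not
from the Cisco deck). The per-subscriber daily volumes below are
constructed sample data, not measurements."""
from typing import List, Sequence

# Constructed daily usage per subscriber in GB (heavy-tailed on purpose).
SAMPLE_USAGE_GB = [50.0, 20.0, 10.0, 5.0, 5.0, 3.0, 3.0, 2.0, 1.0, 1.0]


def top_share(usage: Sequence[float], fraction: float) -> float:
    """Share of total traffic generated by the heaviest `fraction` of subscribers.

    `fraction` is e.g. 0.10 for the top 10%. At least one subscriber is
    counted so tiny populations still give a meaningful answer."""
    if not usage or not 0 < fraction <= 1:
        raise ValueError("need a non-empty usage list and 0 < fraction <= 1")
    ranked = sorted(usage, reverse=True)
    n_top = max(1, round(len(ranked) * fraction))
    total = sum(ranked)
    return sum(ranked[:n_top]) / total if total else 0.0


def cumulative_distribution(usage: Sequence[float]) -> List[float]:
    """Cumulative share of traffic after each subscriber, heaviest first."""
    ranked = sorted(usage, reverse=True)
    total = sum(ranked)
    running, out = 0.0, []
    for gb in ranked:
        running += gb
        out.append(running / total if total else 0.0)
    return out


def quota_impact(usage: Sequence[float], quota_gb: float) -> float:
    """Fraction of subscribers who would hit a daily quota of `quota_gb`."""
    if not usage:
        return 0.0
    return sum(1 for gb in usage if gb > quota_gb) / len(usage)


def summarize(usage: Sequence[float], quota_gb: float) -> dict:
    """Bundle the figures a capacity planner wants from one distribution."""
    return {
        "top_1pct": top_share(usage, 0.01),
        "top_10pct": top_share(usage, 0.10),
        "top_20pct": top_share(usage, 0.20),
        "quota_hit_fraction": quota_impact(usage, quota_gb),
    }
```

With real Collection Manager exports the input would be one row per subscriber per day; the functions only need the volume column, so the same code answers the "who would a 5G quota hit" question the slide poses.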
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months:
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task:
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based only on a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some of the use cases, such as Traffic Optimization; in such a case there is no need to recognize the specific P2P application
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions and service level:
- Application: sessions or bandwidth
- Time Based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
[Figure: policy implementation impact]

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: a subscriber's bandwidth shared among peer-to-peer service, web browsing and email; when the user launches video (mobile TV) the allocation adapts to make room for it]

Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
[Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources]

Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
[Figure: without fairness some subscribers do not get a fair share of the BW; fair allocation of BW with the SCE's FairShare]

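The allocation the two Fair Usage slides describe (equal access under congestion, with long-term policy violators weighted down, and no intervention when the link is not congested) is the classic weighted max-min fair share. The block below is an added example and not the SCE's FairShare implementation; the subscriber demands, weights and link capacity are constructed values in Mbps.

```python
"""Weighted max-min fair bandwidth allocation, added example (not the
SCE's FairShare implementation). Demands, weights and link capacity are
constructed values in Mbps. Weights let a long-term policy violator
receive a smaller share, as the slides describe for FUP enforcement."""
from typing import Dict, Optional


def weighted_max_min_fair(demands: Dict[str, float],
                          capacity: float,
                          weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Progressive-filling allocation.

    Every unsatisfied subscriber gets capacity in proportion to its weight
    (default 1.0); anyone whose demand is below that share is satisfied
    exactly and the leftover is redistributed among the rest. Returns Mbps
    per subscriber."""
    weights = weights or {}
    alloc = {s: 0.0 for s in demands}
    pending = {s for s in demands if demands[s] > 0}
    remaining = capacity
    while pending and remaining > 1e-9:
        total_w = sum(weights.get(s, 1.0) for s in pending)
        share = {s: remaining * weights.get(s, 1.0) / total_w for s in pending}
        # Subscribers asking for less than their share are fully satisfied.
        satisfied = {s for s in pending if demands[s] <= share[s] + 1e-9}
        if not satisfied:
            for s in pending:
                alloc[s] = share[s]
            return alloc
        for s in satisfied:
            alloc[s] = demands[s]
            remaining -= demands[s]
        pending -= satisfied
    return alloc


def allocate(demands: Dict[str, float], capacity: float,
             weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Apply fairness only under congestion, as the FairUsage slide states."""
    if sum(demands.values()) <= capacity:
        return dict(demands)          # no congestion: everyone gets what they ask
    return weighted_max_min_fair(demands, capacity, weights)
```

With demands A=10, B=3, C=8 on a 12 Mbps link, B is satisfied at 3 and the remaining 9 is split evenly between A and C; giving A a weight of 0.5 (a violator of the long-term acceptable-use policy) shifts the split to A=3, C=6 while B is still served in full.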
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Figure: UTRAN -> SGSN/GGSN -> SCE -> Internet (GPRS), with a Policy Server]

Tiered Services

Requirement: Flexible Billing Plans
[Figure: three steps of increasing billing granularity]
Subscription (Time, Volume): bill by bandwidth usage over an always-on service
Time, Volume, Transaction, Content Type: bill differently for each type of application and content
Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage

Quota Measurement Enforcement Solution
SCE Capabilities:
- Stateful classification of end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: Service Control Engine between Subscribers and Network, with Quota Manager, Billing/Mediation and Policy Server]

Quota Measurement Flexibility
Content that has revenue other than access revenue can be exempted from quota counting:
- SP's Content Delivery Store (P2P technology can also be supported in the upload direction via DPI)
- SP's Gaming Services
- SP's VoIP Service
- Partnership Content Delivery Services
Quota measurement rate can change with time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
[Figure: Subscriber -> SCE (Access Aggregation and Service Control) -> Converged Packet Core (GGSN) -> Internet, Video and VoIP applications and services, steps 1-3]
The Gy interface is still under development and will be available in a future release

Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types: Volume, Time, Event driven
High availability and load-balancing between Online Charging Servers
[Figure: SCE -> Online Charging Server over Gy/Diameter; SCE -> Internet]
The Gy interface is still under development and will be available in a future release

Quota Based Tiering: Telenet, Cable Company in Belgium
Source: http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month

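The Quota Measurement Flexibility slide (exempt services, a 10:1 off-peak measurement rate) and the Telenet case above (drop to dial-up speed and redirect to a portal at 100% of quota, restore speed when the subscriber buys more) together describe one quota account. The block below models that account as an added example; it is not SCE or Telenet code, and the service names, the 56 kbps throttle rate, the hour boundaries and the portal URL are constructed placeholders.

```python
"""Quota accounting with exemptions, time-of-day rates and quota-exhausted
handling, combining the Quota Measurement Flexibility slide with the
Telenet tiering case above. Added example, not SCE code; services, rates,
hour boundaries and the portal URL are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Services whose traffic is not counted against the quota (constructed).
EXEMPT_SERVICES: Set[str] = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def transfer_per_quota_byte(hour: int) -> int:
    """Bytes of transfer that consume one byte of quota at a given hour.

    Peak hours: 1:1. Middle of the night (00:00-05:59, a constructed
    boundary): 10:1, as on the slide."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0..23")
    return 10 if hour < 6 else 1


@dataclass
class QuotaAccount:
    monthly_quota: int                  # bytes of quota per billing month
    consumed: int = 0                   # quota bytes consumed so far
    throttled_rate_kbps: int = 56       # "dial-up speed" once quota is reached
    redirect_url: str = "http://portal.example.invalid/quota"   # constructed placeholder
    transferred: Dict[str, int] = field(default_factory=dict)   # raw bytes per service

    def debit(self, service: str, nbytes: int, hour: int) -> int:
        """Account `nbytes` of `service` traffic at `hour`; return quota consumed."""
        if nbytes < 0:
            raise ValueError("byte count cannot be negative")
        self.transferred[service] = self.transferred.get(service, 0) + nbytes
        if service in EXEMPT_SERVICES:
            return 0                    # still measured, never charged
        charged = nbytes // transfer_per_quota_byte(hour)
        self.consumed += charged
        return charged

    def percent_used(self) -> float:
        return 100.0 * self.consumed / self.monthly_quota if self.monthly_quota else 100.0

    def action(self) -> dict:
        """Policy outcome: normal service, or throttle plus a portal redirect.

        Mirrors the Telenet case: at 100% of quota the subscriber is dropped
        to dial-up speed and shown a page offering to extend, pay as you go,
        or stay on the free narrowband service."""
        if self.consumed < self.monthly_quota:
            return {"rate_kbps": None, "redirect": None}
        return {"rate_kbps": self.throttled_rate_kbps, "redirect": self.redirect_url}

    def extend(self, extra_bytes: int) -> None:
        """Subscriber buys more quota; service returns to full speed."""
        if extra_bytes <= 0:
            raise ValueError("extension must be positive")
        self.monthly_quota += extra_bytes
```

Exempt traffic is still recorded in `transferred` so that reporting sees the whole picture; only the charge is skipped. Keeping the throttle decision in one method also makes it easy to verify that buying an extension actually clears the throttle, which is the interaction the portal depends on.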
[Figure: Telenet self-service portal - view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]

Redirect Page
Re-direct page in case 100% of quota is reached; three options presented to the subscriber: extend subscription (buy more), pay as you go on broadband, continue for free on narrowband

Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
- Revenue increase
40% reduction in service support calls relating to this service
- Increased customer service satisfaction

T-Mobile - Quota-Based With Application Control
Service          | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     | not listed
VoIP             | ✓         | ✗   | ✗       | ✗        | ✗       | ✓        | ✗
IM               | ✓         | ✗   | ✗       | ✗        | ✓       | ✓        | ✗
P2P              | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
FTP              | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
Media Stream     | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
Web Browsing     | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Downloads        | ✓         | ✗   | ✓       | ✓        | ✓       | ✓        | ✓
Emails           | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Handset as modem | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing of Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
[Figure: > 40]

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
"Push": enhanced experience is application-driven (IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
[Figure: applications connected to the SCE's Application Awareness over a Control Bus]

Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-Based Subscription Services: choose volume or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that content distributed does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access

Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Figure: blocked-content page, "Content Blocked - Click here to unlock all Internet sites", with the SCE between the subscriber and the Internet]

URL Filtering With External DB
On-device URL filtering with external database integration:
- Enhances SCE URL classification with external party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
[Figure: on a cache miss ("URL not in cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the SCE performs a cache lookup/update]
Subscriber Package | HTTP (DEFAULT) | HTTP - List ID 1 | HTTP - List ID 2
Block-none         | ALLOW          | ALLOW            | ALLOW
Block-all          | ALLOW          | BLOCK            | BLOCK
Block-and-slow     | ALLOW          | BLOCK            | RATE 64kbps

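The slide's flow (cache lookup, external query on a miss, cache update, then a per-package action keyed on the returned list ID) fits in a small class. This is an added example, not the SCE's Java API or Websense/Adaptive Mobile integration; the external database dictionary, the hostnames under `.invalid` and the meaning of list IDs 1 and 2 are constructed, while the package policy table is copied from the slide.

```python
"""URL filtering with an on-box cache and an external classification
database, modelled on the slide above. Added example, not SCE code; the
external database, hostnames and list ID meanings are constructed."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the 3rd-party URL database, keyed by hostname.
# List IDs 1 and 2 are category lists the SCE policy refers to; anything
# not listed is treated as DEFAULT (list ID 0).
EXTERNAL_URL_DB: Dict[str, int] = {
    "adult.example.invalid": 1,
    "gambling.example.invalid": 2,
}

# Per-package policy table copied from the slide: list ID -> action.
# Action is ("ALLOW" | "BLOCK" | "RATE", kbps or None).
PACKAGE_POLICY: Dict[str, Dict[int, Tuple[str, Optional[int]]]] = {
    "Block-none":     {0: ("ALLOW", None), 1: ("ALLOW", None), 2: ("ALLOW", None)},
    "Block-all":      {0: ("ALLOW", None), 1: ("BLOCK", None), 2: ("BLOCK", None)},
    "Block-and-slow": {0: ("ALLOW", None), 1: ("BLOCK", None), 2: ("RATE", 64)},
}


class UrlFilter:
    """Classifies URLs via a cache in front of the external DB and applies policy."""

    def __init__(self, external_db: Dict[str, int]):
        self._db = external_db
        self._cache: Dict[str, int] = {}
        self.external_queries = 0        # how many "URL Query RDRs" were needed

    @staticmethod
    def _host(url: str) -> str:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no hostname in URL: {url!r}")
        return host.lower()

    def classify(self, url: str) -> int:
        """Return the list ID for the URL's host (0 = DEFAULT), caching the answer."""
        host = self._host(url)
        if host not in self._cache:           # cache miss -> query external DB
            self.external_queries += 1
            self._cache[host] = self._db.get(host, 0)
        return self._cache[host]

    def decide(self, package: str, url: str) -> Tuple[str, Optional[int]]:
        """Look up the subscriber package's action for the URL's classification."""
        policy = PACKAGE_POLICY.get(package)
        if policy is None:
            raise KeyError(f"unknown package {package!r}")
        list_id = self.classify(url)
        return policy.get(list_id, ("ALLOW", None))
```

Caching by hostname rather than full URL is a deliberate simplification that keeps the cache small; a deployment that classifies at path granularity would key the cache on the normalized URL instead, at the cost of more external queries.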
Parental Control and Content Filtering: Example
[Figure: "Page Blocked - Forbidden Content Detected" page]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs participating in the advertising value chain
[Figure: the ISP between Advertiser, Publisher and Consumer, contributing demographics, browsing habits and geo-location to BetterAds]
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)

P2P Identification: Infringing / Non-Infringing
[Figure: 1. Subscriber initiates a P2P file request; 2. SCE extracts the file hash and consults the hash DB; 3. DB responds with the file classification (infringing / legal); 4. SCE acts based on the file classification - lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file]
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
[Figure: SCE redirects OTT traffic to the OTT Video Cache, which delivers the requested files; other OTT, P2P and VoIP traffic passes through; increase in demand for OTT]
Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Ability to identify and mitigate attacks emanating from the SP's own users
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: threat using stateful traffic processing, and alert SP operations
- Protect: block/mitigate threat based on configured policy
- Notify: quarantine subscriber and notify of security risk
[Figure: Service Control between subscribers, email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]

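The Identify / Protect / Notify tiers above can be illustrated with the spam case the slide uses: a subscriber host that starts opening SMTP connections to many distinct mail servers within a short window behaves unlike a normal mail client, which talks to its provider's relay. The block below is an added example of that anomaly check over flow records, not the SCE's detector; the flow records, the 60-second window and the 20-server threshold are constructed, and the `Flow` type and the quarantine package name are assumptions.

```python
"""Spam-zombie anomaly detection over per-subscriber flow records: the
Identify / Protect / Notify tiers of the slide above. Added example, not
the SCE's detector; the flow records, threshold and window are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SMTP_PORT = 25
WINDOW_SECONDS = 60
# Distinct SMTP servers contacted per window beyond which a client is
# flagged; a normal client uses its provider's relay only. Constructed value.
DISTINCT_SERVER_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    ts: int            # epoch seconds at flow start
    subscriber: str    # subscriber id (as the Subscriber Manager would provide)
    dst_ip: str
    dst_port: int


# Constructed sample: one subscriber fanning out SMTP connections to many
# hosts, one normal mail client, one web user. Addresses are documentation
# ranges (RFC 5737).
SAMPLE_FLOWS: List[Flow] = (
    [Flow(1000 + i, "sub-A", f"203.0.113.{i}", SMTP_PORT) for i in range(25)]
    + [Flow(1000 + i, "sub-B", "198.51.100.10", SMTP_PORT) for i in range(30)]
    + [Flow(1000 + i, "sub-C", f"192.0.2.{i}", 443) for i in range(40)]
)


def identify(flows: Iterable[Flow]) -> Dict[str, int]:
    """Tier 1: per subscriber, the peak number of distinct SMTP destinations
    seen inside any WINDOW_SECONDS window. Returns only the offenders."""
    by_sub: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dst_port == SMTP_PORT:
            by_sub[f.subscriber].append(f)
    offenders: Dict[str, int] = {}
    for sub, smtp in by_sub.items():
        smtp.sort(key=lambda f: f.ts)
        peak, start = 0, 0
        for end in range(len(smtp)):
            # Slide the window start forward until it spans < WINDOW_SECONDS.
            while smtp[end].ts - smtp[start].ts >= WINDOW_SECONDS:
                start += 1
            distinct = len({f.dst_ip for f in smtp[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= DISTINCT_SERVER_THRESHOLD:
            offenders[sub] = peak
    return offenders


def respond(offenders: Dict[str, int]) -> Dict[str, dict]:
    """Tiers 2 and 3: policy action per offender (block upstream SMTP, move the
    subscriber to a quarantine package, queue a notification for the portal)."""
    return {
        sub: {
            "block": {"dst_port": SMTP_PORT, "direction": "upstream"},
            "package": "quarantine",
            "notify": f"subscriber {sub}: possible email zombie, {n} SMTP servers in {WINDOW_SECONDS}s",
        }
        for sub, n in offenders.items()
    }


def run(flows: Iterable[Flow]) -> Dict[str, dict]:
    return respond(identify(flows))
```

The check is deliberately rate-of-distinct-destinations rather than raw SMTP volume: sub-B sends thirty messages in a minute but always to one relay and is correctly left alone, which is the false-positive case a quarantine policy most needs to avoid.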
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1 -> SCE (Carrier Ethernet/MPLS/IP) -> Internet, with a VAS server attached to the SCE; inbound and outbound traffic, "X" marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
[Figure: Analysis Engine; PDR = Police / Drop / Rewrite actions]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only (the engine can classify and report but cannot drop, police or rewrite packets it only sees a copy of)
Inline configuration
Engine installed in the data path
Monitor and control traffic
[Figure: optical splitters between Subscribers and Network]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs, one on each active link]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail-open
1+1
Active/Standby: SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail-open
Note that fail-open means traffic keeps flowing unprocessed while the SCE is down: no policy, quota or security enforcement is applied until service resumes
[Figure: active link and standby link]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
[Figure: SCE8000 with two optical bypass modules; default bypass state (no power) vs. non-default bypass state]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add an SCE as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
[Figure: N+1 SCEs behind the 7600; flows dispatched out, return flows back; Internet]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
Network Architectures: SCE's Open and Extensible Architecture
[Figure: N+1, 1+1 HA and bypass HA deployments in front of a GGSN (Mobile) and a BRAS/LAC/LNS (DSL/Fiber), with Accounting/Policy Control, towards the Internet]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection in a Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
[Figure: encapsulation stacks seen by the engine: Payload / TCP / IP / L2TP or MPLS; Payload / TCP / IP / L2TP or MPLS; Payload / TCP / IP / PPP]
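What "supports tunneled IP traffic" has to mean in practice is that the engine peels the encapsulations off until it reaches the subscriber's own IP header, because classification and per-subscriber policy apply to the inner 5-tuple, not to the tunnel endpoints. The following is an added example of such a decapsulation walk, not the SCE's parser: it handles 802.1Q/QinQ tags, an MPLS label stack, IP-in-IP and L2TPv2 data messages carrying PPP/IP (GRE and GTP, listed above as planned, are left out), and the two sample frames are constructed inline.

```python
"""Decapsulate a tunneled frame down to the inner IPv4 5-tuple.  Added example,
not the SCE's parser; sample frames below are constructed."""
import struct
from ipaddress import IPv4Address

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17
L2TP_PORT = 1701


def _strip_l2tp_ppp(buf: bytes) -> bytes:
    """Skip an L2TPv2 data header (RFC 2661) and the PPP header, return the IP packet."""
    flags = struct.unpack("!H", buf[:2])[0]
    if flags & 0x8000:
        raise ValueError("L2TP control message carries no subscriber payload")
    off = 2
    if flags & 0x4000:                     # L bit: Length field present
        off += 2
    off += 4                               # Tunnel ID, Session ID
    if flags & 0x0800:                     # S bit: Ns, Nr present
        off += 4
    if flags & 0x0200:                     # O bit: Offset Size + padding
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    ppp = buf[off:]
    if ppp[:2] == b"\xff\x03":             # HDLC address/control, unless compressed away
        ppp = ppp[2:]
    if ppp[:2] == b"\x00\x21":             # PPP protocol 0x0021 = IPv4
        return ppp[2:]
    if ppp[0] == 0x21:                     # protocol field compression
        return ppp[1:]
    raise ValueError("PPP payload is not IPv4")


def _ipv4(buf: bytes, path: list) -> dict:
    """Read one IPv4 header; recurse through IP-in-IP and L2TP if present."""
    if buf[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, proto = (buf[0] & 0xF) * 4, buf[9]
    src, dst = str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20]))
    payload = buf[ihl:]
    if proto == IPPROTO_IPIP:
        path.append("ipip")
        return _ipv4(payload, path)
    if proto == IPPROTO_UDP and L2TP_PORT in struct.unpack("!HH", payload[:4]):
        path.append("l2tp")
        return _ipv4(_strip_l2tp_ppp(payload[8:]), path)
    sport, dport = struct.unpack("!HH", payload[:4]) if proto in (IPPROTO_TCP, IPPROTO_UDP) else (0, 0)
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport, "encap": path}


def classify(frame: bytes) -> dict:
    """Innermost IPv4 5-tuple of an Ethernet frame plus the encapsulation path seen."""
    path = []
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while etype in (ETH_VLAN, ETH_QINQ):                  # one or more VLAN tags
        path.append("vlan:%d" % (struct.unpack("!H", frame[off:off + 2])[0] & 0x0FFF))
        etype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if etype == ETH_MPLS:                                 # label stack up to the bottom-of-stack bit
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            path.append("mpls:%d" % (entry >> 12))
            off += 4
            if entry & 0x100:
                break
    elif etype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % etype)
    return _ipv4(frame[off:], path)


def _ip_hdr(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def sample_l2tp_frame() -> bytes:
    """Constructed: VLAN 100 -> MPLS 16,17 -> IPv4 -> UDP/1701 -> L2TPv2 -> PPP -> IPv4 -> TCP/443."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = _ip_hdr("10.20.30.40", "93.184.216.34", IPPROTO_TCP, len(tcp)) + tcp
    ppp = b"\xff\x03\x00\x21" + inner
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), 7, 42) + ppp      # L bit set, version 2
    udp = struct.pack("!HHHH", 1701, 1701, 8 + len(l2tp), 0) + l2tp
    outer = _ip_hdr("192.0.2.1", "192.0.2.2", IPPROTO_UDP, len(udp)) + udp
    mpls = struct.pack("!II", (16 << 12) | 64, (17 << 12) | 0x100 | 64)   # TTL 64, BOS on label 17
    return bytes(12) + struct.pack("!HHH", ETH_VLAN, 100, ETH_MPLS) + mpls + outer


def sample_ipip_frame() -> bytes:
    """Constructed: untagged Ethernet -> IPv4 -> IP-in-IP -> IPv4 -> UDP/53."""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    inner = _ip_hdr("10.0.0.9", "198.51.100.53", IPPROTO_UDP, len(udp)) + udp
    outer = _ip_hdr("192.0.2.10", "192.0.2.20", IPPROTO_IPIP, len(inner)) + inner
    return bytes(12) + struct.pack("!H", ETH_IPV4) + outer
```

The returned "encap" path is worth keeping alongside the 5-tuple: it is what lets a policy say "this subscriber is reached through L2TP session 42 on tunnel 7", and it is also where an unexpected encapsulation (an MPLS pseudowire carrying Ethernet, a GRE tunnel the engine does not yet parse) shows up as a parse error rather than as silently unclassified traffic.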
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Figure: Subscribers, Service Control Engine, Network; Subscriber Manager with AAA, DHCP, RADIUS/Billing; Collection Manager with Reporting Tool / Engage Console; Policy Server / Portal; Service Portal]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
Description: FCAPS
Protocols and tools: SNMP, CLI, SSH
External software modules: N/A
Policy/Service Configuration
Description: definition of policies and dissemination to SE devices
Protocols and tools: SCA-API, GUI, scripts, XML
External software modules: Service Control Application Suite GUI
Subscriber Management
Description: dynamic management of subscriber contexts
Protocols and tools: SM API, RADIUS
External software modules: Subscriber Manager
Data Collection
Description: collection of usage data for reporting and billing
Protocols and tools: NetFlow v9, RDR protocol
External software modules: Collection Manager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
(SNMPv2c community strings and Telnet sessions travel in cleartext; use SSH for the CLI and keep the management interfaces on an isolated OAM network)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management: Network Navigator, a Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate that subscriber's real-time report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage the service security functionality:
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Subscriber Manager RADIUS Integration: Push
[Figure: the B-RAS sends RADIUS accounting; the Cisco Subscriber Manager (RADIUS listener, Event Manager, internal SDB, SCE device controller) pushes the resulting mapping to the SCE on the network towards the subscribers]
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Subscriber Manager RADIUS Integration: Pull
[Figure: same components as the push case; here the SCE queries the SM when it sees traffic from an IP it has no mapping for]
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM login and logout events:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
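The push and pull exchanges above and the RADIUS attributes a LEG has to pull out of an Accounting-Request, as one runnable example. This is added code, not the Cisco Subscriber Manager or any LEG: the vendor id and vendor type used for SCE-VAS-PID, the default package id and the packets are assumptions, while the Accounting-Request authenticator check is the one RFC 2866 defines. The check matters because whatever accepts accounting from the network is also what writes the IP-to-subscriber mapping; a forged Acct Stop would otherwise log a subscriber out, and a forged Start could attach someone else's package id to an address.

```python
"""RADIUS accounting -> subscriber mapping, push and pull mode.  Added example,
not Cisco SM/LEG code: the SCE-VAS-PID VSA numbers, default package and the
packets built in run_sample() are assumptions."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, NAS_ID, VSA, ACCT_STATUS = 1, 8, 32, 26, 40
ACCT_START, ACCT_STOP = 1, 2
SCE_VENDOR, SCE_VAS_PID = 9, 1          # assumed vendor id / vendor type for SCE-VAS-PID
DEFAULT_PID = 1                         # package applied when the VSA is absent (assumption)


def _avp(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v


def build_acct_request(ident, secret, attrs):
    """Accounting-Request; authenticator = MD5(header, 16 zero bytes, attributes, secret)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    hdr = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + bytes(16) + body + secret).digest() + body


def verify_acct_request(pkt, secret):
    """Reject accounting that was not produced by a NAS holding the shared secret."""
    code, _, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt) or length < 20:
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_avps(pkt):
    """Attribute TLVs; VSAs are keyed as ('vsa', vendor_id, vendor_type)."""
    attrs, off = {}, 20
    while off + 2 <= len(pkt):
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            raise ValueError("malformed attribute")
        v = pkt[off + 2:off + l]
        if t == VSA:
            vendor, vtype, vlen = struct.unpack("!IBB", v[:6])
            attrs[("vsa", vendor, vtype)] = v[6:4 + vlen]
        else:
            attrs[t] = v
        off += l
    return attrs


class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID).  push=True sends every login /
    logout to the SCE at once (recorded in .pushed); push=False leaves the SCE to
    pull the mapping through lookup() when it sees a flow from an unmapped IP."""

    def __init__(self, secret, push=True):
        self.secret, self.push, self.by_ip, self.pushed = secret, push, {}, []

    def _to_sce(self, *event):
        if self.push:
            self.pushed.append(event)

    def handle_radius(self, pkt):
        if not verify_acct_request(pkt, self.secret):
            return "rejected"                    # spoofed accounting must not touch the mapping
        a = parse_avps(pkt)
        status = struct.unpack("!I", a[ACCT_STATUS])[0]
        sub_id = a[USER_NAME].decode()
        ip = str(IPv4Address(a[FRAMED_IP]))
        if status == ACCT_START:
            pid_raw = a.get(("vsa", SCE_VENDOR, SCE_VAS_PID))
            pid = struct.unpack("!I", pid_raw)[0] if pid_raw else DEFAULT_PID
            self.by_ip[ip] = (sub_id, pid)
            self._to_sce("set", sub_id, ip, pid)
            return "login"
        if status == ACCT_STOP:
            # Only the subscriber currently mapped to this IP may log it out: a late
            # Stop for an address that was re-assigned must not evict the new user.
            if self.by_ip.get(ip, (None,))[0] != sub_id:
                return "stale"
            del self.by_ip[ip]
            self._to_sce("remove", sub_id, ip)
            return "logout"
        return "ignored"

    def lookup(self, ip):
        """Pull mode: the SCE asks 'who is using IP x' for an unmapped flow."""
        return self.by_ip.get(ip)


def run_sample():
    """Constructed packets: Joe logs in with package 12, a forged Stop is rejected,
    the genuine Stop logs him out."""
    secret = b"s3cret"
    sm = SubscriberManager(secret, push=True)
    joe = [(USER_NAME, b"Joe"), (FRAMED_IP, IPv4Address("1.2.3.4").packed), (NAS_ID, b"bras-1")]
    vsa = struct.pack("!IBBI", SCE_VENDOR, SCE_VAS_PID, 6, 12)
    start = build_acct_request(7, secret, [(ACCT_STATUS, struct.pack("!I", ACCT_START))] + joe + [(VSA, vsa)])
    stop_attrs = [(ACCT_STATUS, struct.pack("!I", ACCT_STOP))] + joe
    forged = build_acct_request(8, b"wrong-secret", stop_attrs)
    stop = build_acct_request(9, secret, stop_attrs)
    return (sm.handle_radius(start), sm.lookup("1.2.3.4"), sm.handle_radius(forged),
            sm.handle_radius(stop), sm.lookup("1.2.3.4"), sm.pushed)
```

The same `SubscriberManager` with `push=False` models the pull diagram: nothing is sent to the SCE on login, and `lookup("1.2.3.4")` is the answer to the "who is using IP" query. Note that a sniffer-style LEG that only observes RADIUS on the wire cannot perform the authenticator check, since it does not hold the shared secret; that is a reason to prefer the listener or relay arrangement when the accounting path crosses anything but a trusted segment.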
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning
NetFlow v9: allows integration for billing/quota provisioning
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: SCE, API, Subscriber Manager, API, Policy Server]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF: Subscriber Policy Enforcement
[Figure: GGSN, SCE as PCEF, Internet; Access Aggregation and Service Control; Converged Packet Core; Video/VoIP Applications and Services; Subscriber Service Control]
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco-bundled Collection Manager or third-party database
Configurable data granularity: interval between RDRs, sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into third-party systems: policy control, mediation, home-grown customer platforms
(RDRs carry per-subscriber usage detail, so the collector link belongs on a protected management network, not on a path shared with subscriber traffic)
[Figure: SCE streams RDRs over TCP to a mediation/collection platform; each RDR is Header, Field 0, Field 1, ..., Field n; the stream is a sequence of RDRs]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection Manager: NetFlow v9 Export
NetFlow export v9 extended to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
[Figure: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (upstream / downstream)
[Figure: Subscriber side, SCE, Network side; upstream and downstream flows for Browsing, P2P and VoIP]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because the SCE trusts these marks, the access edge must reset any DSCP the subscriber sets; otherwise a subscriber could mark its own traffic into a premium class and bypass signature-based classification
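The two ToS slides above, marking per package/service/direction and DSCP-first classification, as an added worked example (not the SCE's implementation). The seven selectable DSCP values, the marking table and the flavor table are assumptions; the header-checksum arithmetic is the ordinary RFC 791 ones-complement sum, which has to be redone after the ToS byte changes or every marked packet is dropped by the next router. The ECN bits share the byte with DSCP and are preserved.

```python
"""DSCP marking per (package, service, direction) and DSCP-first classification.
Added example, not SCE code: DSCP set, MARKING and FLAVORS tables are assumptions."""
import struct
from ipaddress import IPv4Address

DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}

# (package, service, direction) -> DSCP name; anything not listed is left untouched.
MARKING = {
    ("gold", "voip", "up"): "EF", ("gold", "voip", "down"): "EF",
    ("gold", "browsing", "down"): "AF21", ("gold", "p2p", "down"): "AF11",
    ("basic", "voip", "up"): "AF31", ("basic", "p2p", "down"): "BE",
}
# Flavor table: a DSCP already set upstream maps straight to a service.
FLAVORS = {46: "voip", 48: "network-control"}


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite the six DSCP bits, keep the two ECN bits, recompute the header checksum."""
    ihl = (pkt[0] & 0xF) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def classify(pkt: bytes, signature_service: str) -> str:
    """DSCP classification (flavor) wins; otherwise fall back to the signature verdict."""
    return FLAVORS.get(get_dscp(pkt), signature_service)


def mark(pkt: bytes, package: str, direction: str, signature_service: str):
    """Classify, then apply the marking rule for this package/service/direction."""
    service = classify(pkt, signature_service)
    name = MARKING.get((package, service, direction))
    return service, (set_dscp(pkt, DSCP[name]) if name else pkt)


def make_packet(ecn: int = 0, dscp: int = 0, payload: bytes = b"constructed") -> bytes:
    """Constructed IPv4/UDP packet with a valid header checksum."""
    tos = (dscp << 2) | ecn
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 7, 0, 64, 17, 0,
                                IPv4Address("10.0.0.5").packed, IPv4Address("203.0.113.9").packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

`classify` is where the trust assumption lives: a packet arriving with DSCP 46 is treated as VoIP whatever the signature engine says, which is exactly the precedence rule on the slide and exactly why the access edge must scrub subscriber-set marks before the SCE sees them.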
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Cisco SCE Sample Customers
[Figure: customer logos grouped by Mobile, DSL and Cable]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Partner ecosystem and deployments (column layout lost in extraction; partners grouped by category, customers listed in slide order)
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: partners Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local partners in China and Italy
Customers named on the slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash Caching / Video: partners Oversi, CDS
Content Infringement: partners Audible Magic, Advestigo, Altnet
Management / Reporting: partners Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: partners Business Objects, Oracle
Customers named on the slide: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 14
Who Will Capture the Value?
Source: Cisco IBSG Analysis, March 2006
[Figure: value chain of Content/Application Providers; Aggregators/Integrators/Over the Top (OTT); Network-Based Operators; Virtual Network Operators; Device/Services]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 15
OTTs Create Three Areas of Concern for SPs...
Un-monetised traffic growth
Service substitution
Changing user behaviour: new sources of revenue
...while remaining innovative, acquisitive and highly valued
Source: Cisco IBSG
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 16
Service Control Engine (SCE) Fundamentals
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 17
Deep Packet Inspection (DPI): Critical to Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net:
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables mobile SPs to implement capacity management and fair-use policies:
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers mobile SPs to implement advanced targeted advertising schemes
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 18
Application Architecture of the Future: SCE Enables the User Experience
[Figure: a Service Control Point in the Service Provider Network between access types (Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable) and services (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music)]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 19
What Is the Service Control Engine?
Application awareness, subscriber intelligence, real-time control, service velocity
Technology:
Rapidly programmable: rapidly re-tasked to support new protocols or applications
Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application session-level bandwidth shaping, blocking, redirecting (HTTP, RTSP, SIP)
Subscriber state management with per-subscriber BW management and quotas
Extensible platform and open architecture: based upon a flexible purpose-built platform
Modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
Carrier class: designed for carrier-grade deployments requiring high performance at multi-gigabit and 10 Gigabit speeds, with high availability and reliability through stateful failover
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Process of Service Control
Intelligent inspection and control of IP packets:
Classify to end-user application, determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions: time of day, congestion, usage, other concurrent activities
Take action and report: block, redirect, set QoS, mark, report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 21
Service Control Engine: Functional Examples
[Figure: functions arranged on an axis from Cost Management to Revenue Generation; grouped here by topic]
Service Security: Traffic Anomaly Detection and DDoS Protection; Anti-X (Spam, Worms); Safe Harbor and Quarantine Services
Traffic Optimization: Traffic Mix Optimization; Fair Use Policy Enforcement; QoS Assurance
Usage Analysis: Traffic Analysis and Reporting; Quality of Experience Monitoring; Usage Demographics
Tiering & Access Control: Service Self Selection; Volume and Time Based Tiering of Services; Bandwidth on Demand (Turbo Button)
Premium Service Enablement: Over-The-Top Application Partnership Services; Multimedia (Voice/Video) Traffic Prioritization
Content Charging: Volume and Time Based Billing Services; Parental Control & Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 22
Service Control Platforms
SCE1000: interfaces 2-GBE (Fiber SX/LX); management interface 2 x 10/100/1000 Eth; max concurrent unidirectional application flows 2M; max subscriber contexts 200,000; network configuration out-of-line, inline
SCE2000: interfaces 4-GBE (Fiber SX/LX); management interface 2 x 10/100/1000 Eth; max concurrent unidirectional application flows 2M; max subscriber contexts 200,000; network configuration out-of-line, inline, clustering
SCE8000: interfaces 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX); management interface 2 x 10/100/1000 Eth; max concurrent unidirectional application flows 16M (can grow up to 32M); max subscriber contexts 1M; network configuration out-of-line, inline, clustering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 23
SCE Product Family and Milestones
[Figure: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps: SCE 1000, SCE 2000, SCE 8000]
SCE 8000: 2x10G, 4x10G, 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of 2009); up to 1M concurrent subscribers; complete modularity (FRU AC or DC power supplies, fans, cards, interfaces, optics)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 24
Cisco SCE in Mobile
Industry-leading deep packet inspection
Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
3GPP compliant
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 25
The SCE Mobile Solution
[Figure: SGSN/GGSN, SCE, Core, Internet; AAA (RADIUS), Policy Server, Portal/Applications and Billing & Charging attached to the SCE]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 26
The SCE Mobile Solution: 3GPP Compliance
[Figure: as above, with the SCE in the PCEF role, Gx to the PCRF (policy server), Gy to the OCF (billing & charging), and the SRP and AF on the portal/applications side]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 27
What does an SCE solution look like? SCE sits at the access or aggregation layer
[Figure: Subscribers, Service Control Engine, Network; Subscriber Manager with AAA, DHCP, RADIUS/Billing; Collection Manager with Reporting Tool / Engage Console; Policy Server / Portal; Service Portal]
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 28
Service Control Engine Deployment Approaches
[Figure: steps arranged from Usage Analysis to Service Creation; Portal, DHCP, AAA, Subscriber Profile and Policy systems alongside]
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement service self selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized app services and pay-as-you-go services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 29
What Does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content Based Billing: global migration from flat rate to usage based
Fair Use Policy: all HSDPA mobile operators
[Figure residue: Flat Rate, Restricted]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
[Figure: a Measure, Analyze, Compare, Decide, Act cycle; Cisco Service Control feeds the Measure and Act steps; Decide involves Strategic, Business Ops, Customer, Sales and Category Recognition stakeholders]
Labels on the cycle: Transactions Information; Network Utilization; Service QoE; Data Aggregation; Data Mining; Correlation; Trend Analysis; Geographies Comparison; Histogram View; Intersecting Set; Service Offering; Marketing Review; Engineering Review; IT Review; Network Tuning; Cooperation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 32
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 33
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 34
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Figure: all HTTP requests vs. only ClickStream]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 35
Cumulative & Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber would impact the top 2% only
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 36
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 37
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 38
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market, zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 39
Peer-to-Peer Management amp Network Optimization
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 40
SCE's Flexible Control: Policy Implementation
Policy dimensions and service level:
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
[Figure: policy implementation impact]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 41
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: a subscriber's bandwidth shared between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the peer-to-peer share is reduced to make room for it]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 42
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
[Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 43
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
Apply equitable distribution of network resources
Improve the Quality of Experience that the network delivers
Minimize service abuse
FairUsage works only during congestion times
[Figure: no fairness (some subscribers not getting a fair share of the BW) vs. fair allocation of BW with the SCE's FairShare]
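The point of the Sub A / Sub B figure is that an equal split at the moment of congestion is not fair if one of the two has been consuming far more over the preceding window. One way to turn that into an allocation rule is weighted max-min fairness where the weight falls with recent consumption, applied only while demand exceeds capacity. The code below is an added illustration, not the SCE's FairShare algorithm: the weight formula, the penalty for long-term AUP violators and the figures are assumptions.

```python
"""Congestion-time fair share: weighted max-min allocation with weights that
fall with recent consumption.  Added example, not the SCE FairShare algorithm;
weight formula, AUP penalty and figures are assumptions."""


def usage_weights(recent_bytes: dict, aup_violators=(), penalty: float = 0.25) -> dict:
    """Weight 1/(1 + usage/mean): a subscriber at the mean gets 0.5, one at 9x
    the mean gets 0.1; long-term AUP violators are scaled down further."""
    mean = sum(recent_bytes.values()) / len(recent_bytes)
    w = {}
    for sub, used in recent_bytes.items():
        w[sub] = 1.0 / (1.0 + (used / mean if mean else 0.0))
        if sub in aup_violators:
            w[sub] *= penalty
    return w


def weighted_max_min(capacity: float, demands: dict, weights: dict) -> dict:
    """Water-filling: subscribers that need less than their weighted share are
    satisfied first and their leftover is redistributed to the rest."""
    alloc = {s: 0.0 for s in demands}
    active, free = set(demands), capacity
    while active and free > 1e-9:
        wsum = sum(weights[s] for s in active)
        share = {s: free * weights[s] / wsum for s in active}
        satisfied = [s for s in active if demands[s] <= share[s]]
        if not satisfied:                     # everyone left is bottlenecked: split what remains
            for s in active:
                alloc[s] += share[s]
            break
        for s in satisfied:
            alloc[s] = demands[s]
            free -= demands[s]
            active.remove(s)
    return alloc


def fair_share(capacity, demands, recent_bytes, aup_violators=()):
    """FairUsage only acts under congestion; otherwise every demand is served."""
    if sum(demands.values()) <= capacity:
        return dict(demands)
    return weighted_max_min(capacity, demands, usage_weights(recent_bytes, aup_violators))


def run_sample():
    """Constructed: a 10 Mbit/s segment; A and B both want 8, C wants 1;
    B has consumed 9x what A did in the recent window."""
    demands = {"A": 8.0, "B": 8.0, "C": 1.0}
    recent = {"A": 1e9, "B": 9e9, "C": 0.5e9}
    return {
        "congested": fair_share(10.0, demands, recent),
        "congested_b_flagged": fair_share(10.0, demands, recent, aup_violators={"B"}),
        "idle": fair_share(100.0, demands, recent),
        "equal_split": weighted_max_min(10.0, demands, {s: 1.0 for s in demands}),
    }
```

With equal weights the algorithm degenerates to the "divide equally" split from the figure (A and B get 4.5 each after C's 1 is served); with usage-derived weights A receives roughly 6.6 and B roughly 2.4 of the same 10, which is the outcome the slide calls fair. The window that feeds `recent_bytes` is the "short-term usage" input and the violator set is the "longer-term AUP" input from the previous slide.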
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 44
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Figure: UTRAN, SGSN/GGSN, SCE, Internet, with GPRS and a Policy Server]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 45
Tiered Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 46
Requirement: Flexible Billing Plans
Subscription: bill by bandwidth usage over an always-on service (dimensions: volume, time)
Content type: bill differently for each type of application and content (dimensions: time, volume, transaction, content type)
Quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern (dimensions: volume, transaction, content type, usage pattern, quality of service)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 47
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 48
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: Subscribers, Service Control Engine, Network; Quota Manager, Billing/Mediation, Policy Server]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that earns revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
The quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
Diagram: Subscriber Service Control (SCE), Access Aggregation and Service Control (GGSN), Converged Packet Core, Internet, Video/VoIP Applications and Services (steps 1-3)
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
Diagram: SCE - Gy over Diameter - Online Charging Server; Internet
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements Speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
Portal screenshot labels: View previous months; Current product and speed; Extend monthly subscription volume; Upgrade to other product; Button to go from pay-as-you-go broadband to free smallband or the other way around
Redirect Page
Redirect page in case 100% of quota is reached. Three options presented to the subscriber: Extend subscription (buy more); Pay as you go on broadband; Continue for free on narrowband
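Added example (not Cisco's code) tying together the quota-counting rules from the Quota Measurement Flexibility slide and the Telenet tiering flow above; the exempt service names, the night-hour window and the action strings are assumptions:

```python
from dataclasses import dataclass

# Added illustration, not Cisco code: a quota bucket that applies the counting
# rules from the Quota Measurement Flexibility slide (exempt services,
# time-of-day quota rate) and the Telenet-style handling at 100% of quota
# (redirect page with three options). Service names, the night-hour window
# and the action strings are assumptions made for this example.

# Content with non-access revenue that the slide exempts from quota counting.
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}

def quota_rate(hour: int) -> int:
    """Bytes of transfer that consume one byte of quota at the given hour.
    Slide values: peak hour 1:1, middle of the night 10:1 (window assumed)."""
    return 10 if 0 <= hour < 6 else 1

@dataclass
class QuotaBucket:
    allowance: int            # monthly allowance in quota bytes
    used: int = 0             # quota bytes consumed so far this month
    mode: str = "broadband"   # "broadband", "narrowband" or "pay_as_you_go"

    def charge(self, service: str, transfer_bytes: int, hour: int) -> int:
        """Count a flow's bytes against the quota; returns quota bytes charged."""
        if service in EXEMPT_SERVICES:
            return 0
        charged = transfer_bytes // quota_rate(hour)   # remainder dropped for simplicity
        self.used += charged
        return charged

    def percent_used(self) -> float:
        return 100.0 * self.used / self.allowance

    def action(self) -> str:
        """Treatment of a new HTTP flow from this subscriber."""
        if self.mode == "narrowband":
            return "rate_limit_dialup"        # continue for free at reduced speed
        if self.mode == "pay_as_you_go":
            return "allow_charge_per_mb"      # broadband, charged by the MB
        if self.used >= self.allowance:
            return "redirect_to_portal"       # 100% reached: show the redirect page
        return "allow"

    def portal_choice(self, option: str, extra_bytes: int = 0) -> None:
        """Apply one of the three options offered on the redirect page."""
        if option == "extend":                # buy more volume, stay on broadband
            self.allowance += extra_bytes
            self.mode = "broadband"
        elif option in ("pay_as_you_go", "narrowband"):
            self.mode = option
        else:
            raise ValueError(f"unknown option {option!r}")

    def month_reset(self) -> None:
        """Start of a new billing month: counter and mode go back to normal."""
        self.used = 0
        self.mode = "broadband"
```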
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% REDUCTION in service support calls relating to this service
Increased customer service satisfaction
T-Mobile – Quota-Based With Application Control (✓ allowed, ✗ not allowed)
Default WnW WnW Pro WnW WNW Plus WnW Max Post Pay Day Pass
Allowance Unlimited 2GB 2GB 1GB 3GB 10GB
VoIP ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media Stream ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web Browsing ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads ✓ ✗ ✓ ✓ ✓ ✓ ✓
Emails ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem ✓ ✗ ✓ ✗ ✓ ✓ ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber- and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven ("Turbo Button", Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (Application Awareness)
Diagram: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice; Control Bus
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button
Personalized Services: Self-Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self-Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists / blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Portal screenshot: "Content Blocked - Click here to unlock all Internet sites"; Internet
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
Diagram: On-device URL filtering with external database integration. URL not in cache -> URL Query RDR to 3rd-party URL database -> return URL classification -> cache-lookup update
Subscriber-Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps
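Added example (not the SCE's implementation) of the cache-then-query flow and the package/list action table above; the external database contents, list IDs, cache size and TTL are assumptions:

```python
import time
from collections import OrderedDict

# Added illustration, not Cisco code. It models the slide's flow: HTTP request
# -> on-box cache lookup -> on a miss, a URL query to an external classification
# database -> cache update -> action chosen from the package/list table.
# The database contents, list IDs, cache capacity and TTL are assumptions.

# Row = subscriber package, column = list ID the host was classified into
# ("DEFAULT" = on no list). Values are the actions from the slide's table.
POLICY_TABLE = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Stand-in for the 3rd-party URL database (constructed contents).
EXTERNAL_DB = {"adult.example": 1, "games.example": 2}

def external_lookup(host: str):
    """The 'URL Query' to the external DB: match the host or any parent domain."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in EXTERNAL_DB:
            return EXTERNAL_DB[candidate]
    return "DEFAULT"

class UrlClassifier:
    """On-box classification cache in front of the external database."""
    def __init__(self, lookup, capacity: int = 1000, ttl_seconds: int = 3600):
        self.lookup = lookup                  # host -> list ID or "DEFAULT"
        self.cache = OrderedDict()            # host -> (list_id, expiry), LRU order
        self.capacity, self.ttl = capacity, ttl_seconds
        self.queries = 0                      # external transactions issued

    def classify(self, host: str, now: float = None):
        now = time.time() if now is None else now
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:  # fresh cache entry: no external query
            self.cache.move_to_end(host)
            return hit[0]
        self.queries += 1
        list_id = self.lookup(host)           # "URL Query RDR" to the external DB
        self.cache[host] = (list_id, now + self.ttl)   # "Cache-Lookup Update"
        self.cache.move_to_end(host)
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)    # evict the least recently used host
        return list_id

def http_action(classifier: UrlClassifier, package: str, host: str, now: float = None) -> str:
    """Action applied to an HTTP request from a subscriber in `package`."""
    return POLICY_TABLE[package][classifier.classify(host, now)]
```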
Parental Control and Content Filtering: Example
Content Filtering
Page Blocked: Forbidden Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
ISP: demographics, browsing habits, geo-location
BetterAds: Advertiser, Publisher, Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
Alice: automotive, stock trading, PDAs
Bob: cookware, online gaming, baby outfit...
P2P Identification: Infringing / Non-Infringing
Diagram: Subscriber, Network, SCE, HASH DB
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification: lets the request pass for a legal file; block, redirect or rate-limit for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE; OTT, Other OTT/P2P, VoIP; OTT Video Cache; SCE redirects OTT traffic; Cache delivers requested files
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase potential threats (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify of the security risk
Diagram: Service Control, Email Servers, Internet; sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security Protection: Value to the Service Provider
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1, Subscribers, SCE, Carrier Ethernet/MPLS/IP, VAS Server, Internet; inbound traffic, outbound traffic; X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
Diagram: Analysis Engine; PDR = Police, Drop, Rewrite actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port-span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
Diagram: Subscribers - optical splitter - SCE - optical splitter - Network
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: fail open
Diagram: Active Link, Standby Link
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 with Optical Bypass modules; default bypass state (no power) and non-default bypass state
MGSCP Cluster Insertion – N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
Diagram: Internet; N+1; Flows / Return Flows
Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1 and 1+1 HA, Bypass HAs; GGSN, BRAS/LAC/LNS; Accounting/Policy Control; DSL/Fiber, Mobile; Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet Inspection
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Diagram (header stacks inspected): Payload / TCP / IP / L2TP, MPLS; Payload / TCP / IP / L2TP, MPLS; Payload / TCP / IP / PPP
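Added example (not SCE code) of what seeing through the encapsulations listed above means in practice: a decapsulation loop over a constructed 802.1Q + MPLS + IP-in-IP frame; L2TP/PPP and GRE/GTP are left out, and all addresses and labels are constructed:

```python
import struct
from ipaddress import IPv4Address

# Added illustration, not SCE code: peel the encapsulations the slide lists
# (802.1Q VLAN tags, an MPLS label stack, IP-in-IP) off an Ethernet frame until
# the inner IP/TCP headers that application classification needs are reached.
# L2TP/PPP and GRE/GTP are not handled; all addresses below are constructed.

ETH_VLAN, ETH_MPLS, ETH_IP = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP = 4, 6

def inner_flow(frame: bytes) -> dict:
    """Return the innermost IPv4/TCP 5-tuple plus the list of layers peeled."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    pos = 14
    while ethertype == ETH_VLAN:                       # one or more 802.1Q tags
        tci, ethertype = struct.unpack("!HH", frame[pos:pos + 4])
        layers.append(f"vlan:{tci & 0x0FFF}")
        pos += 4
    if ethertype == ETH_MPLS:                          # label stack ends at S=1
        while True:
            entry = struct.unpack("!I", frame[pos:pos + 4])[0]
            layers.append(f"mpls:{entry >> 12}")
            pos += 4
            if entry & 0x100:                          # bottom-of-stack bit
                break
        ethertype = ETH_IP                             # assume IPv4 follows the stack
    if ethertype != ETH_IP:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    while True:                                        # IP-in-IP: keep peeling
        ihl = (frame[pos] & 0x0F) * 4
        proto = frame[pos + 9]
        src = IPv4Address(frame[pos + 12:pos + 16])
        dst = IPv4Address(frame[pos + 16:pos + 20])
        if proto != IPPROTO_IPIP:
            break
        layers.append(f"ipip:{src}->{dst}")
        pos += ihl
    if proto != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    sport, dport = struct.unpack("!HH", frame[pos + ihl:pos + ihl + 4])
    return {"layers": layers, "src": str(src), "dst": str(dst),
            "sport": sport, "dport": dport}

# --- builders for the constructed test frame ---
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload            # checksum left zero; not validated here

def tcp_syn(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def sample_frame() -> bytes:
    """VLAN 200 -> MPLS label 100 -> IP-in-IP -> inner TCP SYN to port 80."""
    inner = ipv4("10.0.0.5", "203.0.113.7", IPPROTO_TCP, tcp_syn(40000, 80))
    outer = ipv4("192.0.2.1", "198.51.100.2", IPPROTO_IPIP, inner)
    mpls = struct.pack("!I", (100 << 12) | 0x100)   # label 100, bottom of stack
    return (b"\x00" * 12 + struct.pack("!H", ETH_VLAN)
            + struct.pack("!HH", 200, ETH_MPLS) + mpls + outer)
```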
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager; AAA, DHCP, Radius, Billing; Reporting Tool, Engage Console; Service Portal; Collection Manager; Policy Server/Portal
Management and Integrations
Network Management: Description: FCAPS. Protocols and tools: SNMP, CLI, SSH. External software modules: NA
Policy/Service Configuration: Description: Definition of policies and dissemination to SE devices. Protocols and tools: SCA-API, GUI, Scripts, XML. External software modules: Service Control Application Suite GUI
Subscriber Management: Description: Dynamic management of subscriber contexts. Protocols and tools: SM API, RADIUS. External software modules: Subscriber Manager
Data Collection: Description: Collection of usage data for reporting and billing. Protocols and tools: NetFlow v9, RDR-Protocol. External software modules: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: click on Top Subscriber to activate the Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Setup mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts:
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager – Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to the relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager: Radius Integration - Push
Diagram: Subscribers - B-RAS - Network; Radius; Cisco Subscriber Manager (Internal SDB, SCE device Controller, Event Manager)
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: Radius Integration - Pull
Diagram: Subscribers - B-RAS - Network; Radius; Cisco Subscriber Manager (Internal SDB, SCE device Controller, Event Manager)
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
SM Login: Subscriber ID, Domain, Mappings, Lease time, Policy
SM Logout: Subscriber ID, Mappings
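Added example (not the Subscriber Manager or LEG code) covering the push and pull exchanges and the LEG translation above: it parses the RADIUS Accounting-Request attributes (RFC 2865/2866 layout) for Joe at 1.2.3.4 with SCE-VAS-PID=12, performs the login/logout translation, and answers the pull-mode "who is using IP" query; the vendor-type number for SCE-VAS-PID and the string encoding of its value are assumptions:

```python
import struct
from ipaddress import IPv4Address

# Added illustration, not Cisco's Subscriber Manager or LEG code. It parses
# the attribute section of a RADIUS Accounting-Request (RFC 2865/2866 TLV
# layout, including a Vendor-Specific attribute) and applies the LEG
# translation from the slide: Acct-Start -> login (subscriber ID, IP mapping,
# policy), Acct-Stop -> logout. Pull mode is the "who is using IP" lookup.
# The vendor-type number for SCE-VAS-PID and its string encoding are assumed.

USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
SCE_VAS_PID_VENDOR_TYPE = 250       # ASSUMED vendor-type for SCE-VAS-PID

def parse_attributes(data: bytes) -> dict:
    """Walk the RADIUS attribute TLVs. Plain attributes are keyed by type,
    vendor-specific ones by (vendor_id, vendor_type)."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs[(vendor_id, vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        pos += alen
    return attrs

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vtype, value))

class SubscriberManager:
    """Minimal SM: subscriber ID -> (IP mappings, policy) and a reverse IP index."""
    def __init__(self):
        self.subscribers = {}       # subscriber_id -> {"mappings": set, "policy": int}
        self.by_ip = {}             # network-ID (IP) -> subscriber_id

    def login(self, subscriber_id: str, ip: str, policy: int) -> None:
        sub = self.subscribers.setdefault(subscriber_id, {"mappings": set(), "policy": None})
        sub["mappings"].add(ip)
        sub["policy"] = policy
        self.by_ip[ip] = subscriber_id

    def logout(self, subscriber_id: str, ip: str) -> None:
        sub = self.subscribers.get(subscriber_id)
        if sub is not None:
            sub["mappings"].discard(ip)
            self.by_ip.pop(ip, None)

    def who_is_using(self, ip: str):
        """Pull mode: the SCE asks for the subscriber behind an IP address."""
        sid = self.by_ip.get(ip)
        return (sid, self.subscribers[sid]["policy"]) if sid else None

def radius_leg(sm: SubscriberManager, packet_attrs: bytes) -> tuple:
    """Translate one accounting packet into an SM login/logout (push mode)."""
    a = parse_attributes(packet_attrs)
    username = a[USER_NAME].decode()
    ip = str(IPv4Address(a[FRAMED_IP_ADDRESS]))
    status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
    if status == ACCT_START:
        pid = int(a[(CISCO_VENDOR_ID, SCE_VAS_PID_VENDOR_TYPE)].decode())
        sm.login(username, ip, pid)
        return ("login", username, ip, pid)
    if status == ACCT_STOP:
        sm.logout(username, ip)
        return ("logout", username, ip, None)
    return ("ignored", username, ip, None)

# Constructed packets for the slide's scenario: Joe at 1.2.3.4, package 12.
ACCT_START_JOE = (attr(USER_NAME, b"Joe")
                  + attr(FRAMED_IP_ADDRESS, IPv4Address("1.2.3.4").packed)
                  + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
                  + vsa(CISCO_VENDOR_ID, SCE_VAS_PID_VENDOR_TYPE, b"12"))
ACCT_STOP_JOE = (attr(USER_NAME, b"Joe")
                 + attr(FRAMED_IP_ADDRESS, IPv4Address("1.2.3.4").packed)
                 + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)))
```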
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operation
RDRs – allow integration for billing/quota provisioning issues
NetFlow v9 – allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
Diagram: Subscriber Service Control (PCEF SCE), Access Aggregation and Service Control (GGSN), Converged Packet Core, Internet, Video/VoIP Applications and Services (steps 1-4)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs: SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd-party systems
Policy-Control, Mediation, Home-grown customer
Diagram: SCE - RDR Protocol over TCP - Mediation/Collection Platform; RDR = Header, Field 0, Field 1, ..., Field n; RDR stream = RDR, RDR, RDR, ...
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE - SCMS Collection Manager - SCMS Reporter; SCE - NetFlow Collector - NetFlow Reporter
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
– Per Package
– Per Service
– Per Direction (aka Upstream / Downstream)
Diagram: Subscriber Side / Network Side; Upstream Flows / Downstream Flows; Browsing, P2P, VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers: Mobile, DSL, Cable (customer logos)
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
OTTs Create Three Areas of Concern for SPs...
Un-monetised Traffic Growth
Service Substitution
Changing User Behaviour – New Sources of Revenue
Source: Cisco IBSG
While remaining innovative, acquisitive and highly valued
Service Control Engine (SCE) Fundamentals
Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows mobile service providers to cope with the dynamic nature of the net:
permits SPs to classify all IP applications
provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables mobile SPs to implement capacity management and fair-use policies:
to gain visibility into network activities
to optimize network bandwidth and improve network performance
to guarantee a consistent QoE over RAN and backhaul
DPI enables mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers mobile SPs to implement advanced targeted advertising schemes
Application Architecture of the Future: SCE enables User Experience
Diagram: Service Provider Network with Service Control Point; access types: Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable; services: Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music
What Is the Service Control Engine?
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology
Rapidly Programmable: rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with per-subscriber BW management and quotas
Extensible Platform & Open Architecture: based upon a flexible, purpose-built platform
Modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
Carrier Class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 Gigabit speeds, and high availability & reliability with stateful failover
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 20
Process of Service Control
Intelligent inspection and control of IP packets:
1. Classify to the end-user application and determine application semantics.
2. Map to subscriber identity, policy and state.
3. Select an action based on conditions: time of day, congestion, usage, other concurrent activities.
4. Take action and report: block, redirect, set QoS, mark, report.
Service Control Engine: Functional Examples
The examples span cost management to revenue generation, grouped under service security, traffic optimization, usage analysis, tiering and access control, premium service enablement, and content charging:
- Traffic anomaly detection and DDoS protection
- Anti-X (spam, worms)
- Safe harbor and quarantine services
- Traffic mix optimization
- Fair use policy enforcement
- QoS assurance
- Traffic analysis and reporting
- Quality of experience monitoring
- Usage demographics
- Service self selection
- Volume and time based tiering of services
- Bandwidth on demand (turbo button)
- Over-the-top application partnership services
- Multimedia (voice/video) traffic prioritization
- Volume and time based billing services
- Parental control and content filtering
Service Control Platforms

Category                                        | SCE1000                  | SCE2000                         | SCE8000
Interfaces                                      | 2 x GBE (fiber SX/LX)    | 4 x GBE (fiber SX/LX)           | 2 x 10G, 4 x 10G, 8 x GBE, 16 x GBE (fiber SX/LX/ZX)
Management interface                            | 2 x 10/100/1000 Ethernet | 2 x 10/100/1000 Ethernet        | 2 x 10/100/1000 Ethernet
Max concurrent unidirectional application flows | 2M                       | 2M                              | 16M (can grow up to 32M)
Max subscriber contexts                         | 200,000                  | 200,000                         | 1M
Network configuration                           | Out of line, inline      | Out of line, inline, clustering | Out of line, inline, clustering
SCE Product Family and Milestones
(Figure: SCE 1000, SCE 2000 and SCE 8000 plotted by capacity, from 200K to 1M concurrent subscribers, against performance, from 5 Gbps to 40 Gbps.)
SCE 8000:
- 2 x 10G, 4 x 10G, 8 x GBE and 16 x GBE Ethernet interfaces
- Classification of up to 32 million concurrent unidirectional application flows
- Total throughput of 15 Gbps (30+ Gbps by end of 2009)
- Up to 1M concurrent subscribers
- Complete modularity: FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE in Mobile
- Industry-leading deep packet inspection (DPI)
- Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
- 3GPP compliant
The SCE Mobile Solution
(Figure: subscribers reach the Internet through the core via GGSN/SGSN and the SCE; around the SCE sit AAA (RADIUS), a policy server, portal/applications, and billing and charging systems.)
The SCE Mobile Solution: 3GPP Compliance
(Figure: the same topology with the 3GPP roles marked: the SCE acts as PCEF, the policy server as PCRF over Gx, billing and charging as the online charging function (OCF/SRP) over Gy, and the portal/applications as AF.)
What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
(Figure: the Service Control Engine between subscribers and the network, with the Subscriber Manager (AAA, DHCP, RADIUS), the Collection Manager (reporting tool, billing), the policy server/portal, the Engage console and the service portal around it.)
1. SCE appliance to view and act on the packets.
2. Collection Manager to collect data records for reporting and external DBs.
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies.
4. Policy Manager to control multiple devices and sophisticated policies.
Service Control Engine Deployment Approaches
From usage analysis to service creation:
1. Traffic analysis and business intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns.
2. Capacity control and fair-use policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources.
3. Revenue generating services: implement tiered services using volume and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services.
(Figure: portal, DHCP, AAA, subscriber profile and policy components feeding the deployment.)
What Does a Service Provider Want From SCE? Profitability
- URL blacklisting: restricting sites that are blacklisted by governments.
- Precision advertising: demographic information and per-subscriber redirection to an ad server.
- Copyright infringement blocking: blocking distribution of pirated film and music.
- OTT revenue share proposition: application intercept for Internet content prioritisation.
- Enhanced tiered services: product tiers in addition to flat rate, all you can eat.
- Usage/content based billing: all HSDPA mobile operators.
- Fair use policy: global migration from flat rate to usage based.
(Figure axis labels: flat rate, restricted.)
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
(Figure: a Measure, Analyze, Compare, Decide, Act cycle. Cisco Service Control supplies the Measure and Analyze stages: transactions information, network utilization and service QoE; data aggregation, data mining, correlation and trend analysis. The remaining stages carry the labels geographies comparison, histogram view, service offering, intersecting set; marketing review, engineering review, IT review; network tuning, cooperation; the outer ring reads strategic, part of business ops, customer, sales, category recognition.)
Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application.
Web Reports
- Insights into web traffic: top domains, top hosts.
- Insights into all popular Google hosts.
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Figure: the report filtered to ClickStream events only.)
Cumulative and Average Usage Distribution
- Top 1% of subscribers => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber will impact the top 2% only.
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients, protocols and applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube movies (HD vs normal), Yahoo SIP, Skype 4.0.0.206, Sky Player update.
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM.
Behavioral Signatures
Finding new signatures becomes a difficult task:
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (the new trend of "anti-shaping")
It is both a scalability and a feasibility challenge.
Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (behavioral P2P).
- Cost-effective: behavioral P2P may be enough for some use cases such as traffic optimization, where there is no need to recognize the specific P2P application.
- Time to market, zero-day response: behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures.
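The two classification approaches the deck describes, signature matching on reassembled flows (the "stateful deep packet inspection" of the What Is the Service Control Engine slide) and behavioral recognition of a whole application family, as an added example written for this page; it is not code from the deck or from Cisco's SCE. The flow table is keyed on subscriber, remote address and remote port, the first bytes of each direction are buffered and matched against three assumed signatures (an HTTP request line, a TLS record header, the BitTorrent handshake) regardless of port, and unrecognised flows fall back to a per-subscriber fan-out heuristic. The 64-byte head, the eight-peer threshold and the traffic itself are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed signatures: an HTTP request line, a TLS record header, a BitTorrent handshake.
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
TLS_RECORD = b"\x16\x03"
BT_HANDSHAKE = b"\x13BitTorrent protocol"


@dataclass
class Flow:
    up: bytes = b""          # first payload bytes, subscriber -> network
    down: bytes = b""        # first payload bytes, network -> subscriber
    up_bytes: int = 0
    down_bytes: int = 0
    app: Optional[str] = None


class Classifier:
    """Stateful classifier: a flow is keyed on (subscriber, remote ip, remote port)
    and the head of each direction is buffered, so the decision is taken on
    reassembled L7 data rather than on the port number."""

    def __init__(self, head_bytes: int = 64, peer_threshold: int = 8):
        self.flows = defaultdict(Flow)
        self.head_bytes = head_bytes
        self.peer_threshold = peer_threshold   # assumed behavioral threshold

    def feed(self, sub_ip, remote_ip, remote_port, direction, payload):
        """Account one packet's payload; returns the flow's application or None."""
        f = self.flows[(sub_ip, remote_ip, remote_port)]
        if direction == "up":
            f.up_bytes += len(payload)
            f.up += payload[: max(0, self.head_bytes - len(f.up))]
        else:
            f.down_bytes += len(payload)
            f.down += payload[: max(0, self.head_bytes - len(f.down))]
        if f.app is None:
            f.app = self._signature(f)
        return f.app

    @staticmethod
    def _signature(f: Flow) -> Optional[str]:
        if HTTP_REQ.match(f.up):
            return "http"
        if f.up.startswith(TLS_RECORD) or f.down.startswith(TLS_RECORD):
            return "tls"
        if f.up.startswith(BT_HANDSHAKE) or f.down.startswith(BT_HANDSHAKE):
            return "bittorrent"
        return None

    def behavioral(self, sub_ip) -> Optional[str]:
        """One heuristic for the whole P2P family: a subscriber with bidirectional
        traffic to many distinct remote hosts on flows no signature recognised is
        labelled p2p-behavioral, whatever client version produced them."""
        unknown = [(k, f) for k, f in self.flows.items() if k[0] == sub_ip and f.app is None]
        peers = {k[1] for k, _ in unknown}
        up = sum(f.up_bytes for _, f in unknown)
        down = sum(f.down_bytes for _, f in unknown)
        if len(peers) >= self.peer_threshold and up and down:
            for _, f in unknown:
                f.app = "p2p-behavioral"
            return "p2p-behavioral"
        return None


def run_sample():
    """Constructed traffic: HTTP on a non-standard port, a BitTorrent handshake on
    port 80, and an obfuscated client exchanging data with eight peers."""
    c = Classifier()
    http = c.feed("10.0.0.1", "203.0.113.5", 8080, "up",
                  b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    bt = c.feed("10.0.0.1", "203.0.113.6", 80, "up", BT_HANDSHAKE + b"\x00" * 8)
    for i in range(8):
        c.feed("10.0.0.1", f"198.51.100.{i}", 40000 + i, "up", b"\xaa\x55" * 20)
        c.feed("10.0.0.1", f"198.51.100.{i}", 40000 + i, "down", b"\x55\xaa" * 20)
    return {"http": http, "bittorrent": bt, "behavioral": c.behavioral("10.0.0.1"),
            "quiet_subscriber": c.behavioral("10.0.0.2")}


if __name__ == "__main__":
    print(run_sample())
```

The point of buffering only the head of each direction is that the classifier's memory per flow stays bounded whatever the flow length; the point of the behavioral fallback is that it keys on what P2P clients must do (talk to many peers in both directions) rather than on bytes a new version or an obfuscation layer can change.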
Peer-to-Peer Management and Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions, each with its own implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net, peering, transit
- Service level
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Figure: a subscriber's bandwidth shared between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the peer-to-peer share shrinks so that the video and web browsing are served.)
Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
- Short-term windows of usage also need to be taken into account.
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers.
(Figure: two subscribers share network resources and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the quality of experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
(Figure: without fairness, some subscribers are not getting a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly.)
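A weighted max-min fair allocation of the kind the two Fair Usage slides describe, as an added example; it is not Cisco's FairShare implementation. It acts only when total demand exceeds the congested link's capacity, weights each subscriber by plan class and by whether the subscriber exceeded the plan's fair-use threshold in the recent window (so the equal split the challenge slide calls unfair is replaced by one that remembers history), and fills rates by progressive filling so nobody receives more than they ask for and unused share flows to the others. The plan weights, the fair-use threshold and the 0.5 penalty factor are assumed policy values; the subscribers and demands are constructed.

```python
from typing import Dict


def fup_weight(plan_weight: float, recent_bytes: int, fup_threshold: int) -> float:
    """Weight used in the congestion split. A subscriber over the plan's fair-use
    threshold in the recent window keeps access but at half weight (the
    threshold and the 0.5 factor are assumed policy values)."""
    return plan_weight * 0.5 if recent_bytes > fup_threshold else plan_weight


def weighted_max_min(capacity: float, demands: Dict[str, float],
                     weights: Dict[str, float]) -> Dict[str, float]:
    """Weighted max-min fairness by progressive filling: every active subscriber's
    rate grows in proportion to its (positive) weight until the link is full or
    that subscriber's demand is met; satisfied subscribers drop out and the rest
    keep growing, so capacity nobody can use is never stranded."""
    alloc = {s: 0.0 for s in demands}
    active = {s for s, d in demands.items() if d > 0}
    remaining = capacity
    while active and remaining > 1e-9:
        total_w = sum(weights[s] for s in active)
        step = min(remaining / total_w,
                   min((demands[s] - alloc[s]) / weights[s] for s in active))
        for s in list(active):
            give = step * weights[s]
            alloc[s] += give
            remaining -= give
            if demands[s] - alloc[s] <= 1e-9:
                active.discard(s)
    return alloc


def allocate(capacity: float, subscribers: Dict[str, dict]) -> Dict[str, float]:
    """subscribers: name -> {demand, plan_weight, recent_bytes, fup_threshold}.
    FairUsage acts only under congestion: when the demands fit, everyone gets
    exactly what they ask for."""
    demands = {s: v["demand"] for s, v in subscribers.items()}
    if sum(demands.values()) <= capacity:
        return demands
    weights = {s: fup_weight(v["plan_weight"], v["recent_bytes"], v["fup_threshold"])
               for s, v in subscribers.items()}
    return weighted_max_min(capacity, demands, weights)


# Constructed subscribers on one congested 10 Mbps link: A and B are within their
# fair-use threshold for the recent window, C has gone well past it.
MB = 1_000_000
SAMPLE = {
    "A": {"demand": 3.0, "plan_weight": 1.0, "recent_bytes": 200 * MB, "fup_threshold": 5000 * MB},
    "B": {"demand": 8.0, "plan_weight": 1.0, "recent_bytes": 1000 * MB, "fup_threshold": 5000 * MB},
    "C": {"demand": 8.0, "plan_weight": 1.0, "recent_bytes": 9000 * MB, "fup_threshold": 5000 * MB},
}


def run_sample() -> Dict[str, float]:
    return {name: round(rate, 3) for name, rate in allocate(10.0, SAMPLE).items()}


if __name__ == "__main__":
    print(run_sample())   # an equal split would give 3.333 each; C pays for its history
```

A is satisfied in full because it asks for less than its fair share; the leftover is split between B and C in the ratio of their weights, so the heavy user is slowed only while the link is actually congested.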
RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
(Figure: UTRAN, SGSN/GGSN, SCE and policy server on the path to the Internet over GPRS.)
Tiered Services
Requirement: Flexible Billing Plans
- Subscription: bill by bandwidth usage over an always-on service (dimensions: volume, time).
- Bill differently for each type of application and content (dimensions: time, volume, transaction, content type).
- Bill differently for the same content based on quality, priority, time of day and usage pattern (dimensions: volume, transaction, content type, usage pattern, quality of service).
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Figure: Service Control Engine between subscribers and the network, with quota manager, billing/mediation and policy server alongside.)
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store (P2P technology can also be supported in the upload direction via DPI)
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
The quota measurement rate can change with time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of the night: 10 bytes of transfer = 1 byte of quota
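The quota measurement rules above (zero-rated on-net and partner services, a time-of-day dependent byte-to-quota rate) as an added example, not code from the deck or from Cisco's quota manager. The usage records are constructed (the RDR format is not reproduced; a record here is just timestamp, service, direction and byte count), the zero-rated service names and the 00:00-07:59 night window are assumed, and the account reports the enforcement state after each charge: normal, a warning at 80% (assumed) and quota reached, the point at which the deck's portal redirect or narrowband fallback applies.

```python
from datetime import datetime
from typing import Iterable, List, Tuple

# Assumed service names whose revenue is not access revenue: not counted against quota.
ZERO_RATED = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_rate(ts: datetime) -> float:
    """Quota bytes charged per transferred byte. Peak: 1 byte = 1 byte of quota.
    Middle of the night (assumed 00:00-07:59): 10 bytes = 1 byte of quota."""
    return 0.1 if ts.hour < 8 else 1.0


class QuotaAccount:
    WARN_FRACTION = 0.8   # assumed: warn the subscriber at 80% of the allowance

    def __init__(self, allowance_bytes: int):
        self.allowance = allowance_bytes
        self.used = 0.0

    def charge(self, ts: datetime, service: str, direction: str, nbytes: int) -> float:
        """Charge one usage record and return the quota bytes it consumed.
        Zero-rated services are exempt in both directions, which is what lets the
        SP's own P2P-delivered content stay exempt on the upload side as well;
        everything else is weighted by the time-of-day rate."""
        if service in ZERO_RATED:
            return 0.0
        q = nbytes * quota_rate(ts)
        self.used += q
        return q

    def state(self) -> str:
        if self.used >= self.allowance:
            return "quota-reached"          # redirect to portal or drop to narrowband
        if self.used >= self.WARN_FRACTION * self.allowance:
            return "warning"
        return "normal"


def apply_records(account: QuotaAccount,
                  records: Iterable[Tuple[datetime, str, str, int]]) -> List[Tuple[float, str]]:
    """Replay usage records in order; returns (quota consumed, state) per record."""
    return [(account.charge(ts, svc, direction, n), account.state())
            for ts, svc, direction, n in records]


# Constructed usage records for one subscriber with a 1,000-byte allowance.
SAMPLE_RECORDS = [
    (datetime(2009, 7, 1, 3, 0), "web", "down", 500),          # night: 50 quota bytes
    (datetime(2009, 7, 1, 10, 0), "web", "down", 500),         # peak: 500
    (datetime(2009, 7, 1, 10, 5), "sp-voip", "up", 100_000),   # exempt
    (datetime(2009, 7, 1, 12, 0), "p2p", "up", 400),           # peak: 400 -> 950, warning
    (datetime(2009, 7, 1, 13, 0), "web", "down", 100),         # 1050 -> quota reached
]

if __name__ == "__main__":
    for consumed, state in apply_records(QuotaAccount(1000), SAMPLE_RECORDS):
        print(consumed, state)
```

The classification that feeds `service` is the DPI result of the previous slide; if the engine cannot tell the SP's content store from ordinary P2P, the exemption cannot be applied, which is why the deck ties zero-rating to stateful classification rather than to port numbers.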
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to an online charging server
(Figure: subscriber service control; the SCE at access aggregation and service control; the GGSN in the converged packet core; applications and services (Internet, video, VoIP) beyond, with steps 1 to 3 marked.)
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with online charging servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between online charging servers
(Figure: the SCE connected to the online charging server over Gy over Diameter, and to the Internet.)
The Gy interface is still under development and will be available in a future release.
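The session-based Gy exchange as an added example of the Diameter Credit-Control (DCCA, RFC 4006) message flow between a PCEF such as the SCE and an online charging server. This is an illustration written for this page, not Cisco's Gy implementation, which the deck says is still under development. Messages are Python dicts keyed by AVP name rather than encoded Diameter; the OCS is a toy with one prepaid octet balance per subscriber and an assumed 100 KB reservation size; only volume quota is shown, not the time and event types the deck also lists; the session and redirect URLs are made up.

```python
from typing import Dict, List, Tuple

# CC-Request-Type and Final-Unit-Action values as defined in RFC 4006.
INITIAL_REQUEST, UPDATE_REQUEST, TERMINATION_REQUEST = 1, 2, 3
FUA_TERMINATE, FUA_REDIRECT = 0, 1
DIAMETER_SUCCESS = 2001


class OnlineChargingServer:
    """Toy OCS: one prepaid octet balance per subscriber, granted in reservations
    of at most `chunk` octets. When the balance no longer covers a full chunk,
    the grant carries a Final-Unit-Indication telling the PCEF what to do once
    those units are consumed (here: redirect to a top-up portal)."""

    def __init__(self, balances: Dict[str, int], chunk: int = 100_000):
        self.balances = dict(balances)
        self.chunk = chunk

    def handle(self, ccr: dict) -> dict:
        sub, rtype = ccr["Subscription-Id"], ccr["CC-Request-Type"]
        # Settle what the PCEF reports as consumed since its previous request.
        self.balances[sub] -= ccr.get("Used-Service-Unit", 0)
        cca = {"Session-Id": ccr["Session-Id"], "CC-Request-Type": rtype,
               "CC-Request-Number": ccr["CC-Request-Number"],
               "Result-Code": DIAMETER_SUCCESS}
        if rtype == TERMINATION_REQUEST:
            return cca
        grant = max(0, min(self.chunk, self.balances[sub]))
        cca["Granted-Service-Unit"] = grant
        cca["Validity-Time"] = 3600          # re-authorise after an hour regardless
        if grant < self.chunk:               # balance exhausted after this grant
            cca["Final-Unit-Indication"] = {"Final-Unit-Action": FUA_REDIRECT,
                                            "Redirect-Server": "http://topup.example/"}
        return cca


class GyClient:
    """The PCEF side (the SCE in the deck): holds one reservation per session,
    counts the subscriber's traffic against it and returns to the OCS with a
    CCR-Update carrying Used-Service-Unit when the reservation is exhausted."""

    def __init__(self, ocs: OnlineChargingServer, session_id: str, sub: str):
        self.ocs, self.session_id, self.sub = ocs, session_id, sub
        self.req_no = 0
        self.grant = 0
        self.used = 0
        self.final = None
        self.log: List[Tuple[dict, dict]] = []

    def _request(self, rtype: int) -> dict:
        ccr = {"Session-Id": self.session_id, "Subscription-Id": self.sub,
               "CC-Request-Type": rtype, "CC-Request-Number": self.req_no,
               "Used-Service-Unit": self.used}
        if rtype != TERMINATION_REQUEST:
            ccr["Requested-Service-Unit"] = {}   # empty RSU: "your default amount"
        self.req_no += 1
        cca = self.ocs.handle(ccr)
        self.log.append((ccr, cca))
        self.grant = cca.get("Granted-Service-Unit", 0)
        self.final = cca.get("Final-Unit-Indication")
        self.used = 0
        return cca

    def start(self) -> dict:
        return self._request(INITIAL_REQUEST)

    def account(self, nbytes: int) -> str:
        """Count traffic; returns 'forward' while units remain, otherwise the
        final-unit action the OCS asked for ('redirect' or 'terminate')."""
        self.used += nbytes
        if self.used < self.grant:
            return "forward"
        if self.final is not None:
            return "redirect" if self.final["Final-Unit-Action"] == FUA_REDIRECT else "terminate"
        self._request(UPDATE_REQUEST)
        return "forward"

    def stop(self) -> dict:
        return self._request(TERMINATION_REQUEST)


def run_session():
    """Constructed scenario: 250 KB prepaid, 100 KB reservations, five bursts."""
    ocs = OnlineChargingServer({"user-1": 250_000})
    pcef = GyClient(ocs, "sce.example;1246435200;1", "user-1")
    pcef.start()
    actions = [pcef.account(n) for n in (60_000, 50_000, 100_000, 30_000, 10_000)]
    pcef.stop()
    return ocs, pcef, actions
```

Usage is only debited when it is reported, so the reservation size bounds how far a subscriber can run past a zero balance between CCRs; the Validity-Time re-authorisation bounds the same exposure in time. A real deployment must also handle a CCA that never arrives (the failover and load balancing the deck lists), which this toy does not model.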
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: billingworld.com feature article (featureID=7799)
- Quota complements speed as a tiering parameter.
- When a user reaches the quota, the Internet service is reduced to dial-up speed.
- The user then has the option to upgrade the quota level or continue at reduced speed till the end of the month.
- 15% of the customers upgrade their quota every month.
(Figure: subscriber portal screenshot. Options: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; a button to go from pay-as-you-go broadband to free smallband, or the other way around.)
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.
Quota Based Services: Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase.
- 40% reduction in service support calls relating to this service: increased customer service satisfaction.
T-Mobile: Quota-Based With Application Control

Feature          | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | √         | ×   | ×       | ×        | ×       | √        | ×
IM               | √         | ×   | ×       | ×        | √       | √        | ×
P2P              | √         | ×   | √       | ×        | √       | √        | ×
FTP              | √         | ×   | √       | ×        | √       | √        | ×
Media stream     | √         | ×   | √       | ×        | √       | √        | ×
Web browsing     | √         | √   | √       | √        | √       | √        | √
Downloads        | √         | ×   | √       | √        | √       | √        | √
Emails           | √         | √   | √       | √        | √       | √        | √
Handset as modem | √         | ×   | √       | ×        | √       | √        | ×
European Mobile Broadband: Web, 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile."
- Business issue: Skype taking mobile minutes away.
- Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN.
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype.
European Mobile: Volume Quota
(Figure: screenshot of the Vodafone Spain consumer Internet offer page, www.vodafone.es, with the label "> 40".)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution.
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control).
- "Push": the enhanced experience is application-driven, through application awareness over the control bus (IPTV/VoD, broadband access, gaming, messaging, music, voice).
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use.
- Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application.
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service.
- Copyright infringement: validate that distributed content does not infringe copyrights.
- Advertisement insertion: perform local advertisement insertions.
- Security services: network-based security services to protect subscribers from attacks, or to mitigate the risks associated with attacks emanating from the subscriber.
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with AAA and policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Figure: personalization via self selection.)
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering: "Kids Broadband"
- Application- and content-based access control with white lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
(Figure: block page reading "Content blocked. Click here to unlock all Internet sites.")
URL Filtering With External DB
On-device URL filtering with external database integration:
- Enhance SCE URL classification with external party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
(Figure: on a cache miss ("URL not in cache") the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache is then updated.)

Subscriber package | HTTP, DEFAULT | HTTP, List ID 1 | HTTP, List ID 2
Block-none         | ALLOW         | ALLOW           | ALLOW
Block-all          | ALLOW         | BLOCK           | BLOCK
Block-and-slow     | ALLOW         | BLOCK           | RATE 64kbps
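The lookup path and the package matrix above, as an added example that is not the SCE's Java API nor the Websense or Adaptive Mobile integration code. The external database is replaced by a constructed host-to-list-ID dictionary behind a lookup callable; results are cached per host with an assumed 300 s TTL so repeated visits do not generate URL query RDRs; the host is walked label by label so a categorised parent domain covers its subdomains; and a database outage can be configured to fail closed. The deck does not say how the SCE behaves when the external DB is unreachable, so that flag and its default are the example's own caveat, not a description of the product.

```python
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the third-party URL database: host -> list ID
# (0 is the DEFAULT category, i.e. on no list).
EXTERNAL_DB: Dict[str, int] = {"example-adult.test": 1, "example-gambling.test": 2}

# Subscriber package -> action for (DEFAULT, List ID 1, List ID 2), from the deck's table.
PACKAGE_ACTIONS = {
    "block-none":     ("ALLOW", "ALLOW", "ALLOW"),
    "block-all":      ("ALLOW", "BLOCK", "BLOCK"),
    "block-and-slow": ("ALLOW", "BLOCK", "RATE 64kbps"),
}


def external_lookup(host: str) -> int:
    """Simulated query to the external database for one exact host."""
    return EXTERNAL_DB.get(host, 0)


def unreachable_lookup(host: str) -> int:
    """Simulated outage of the external database."""
    raise ConnectionError("URL database unreachable")


class UrlFilter:
    def __init__(self, lookup: Callable[[str], int], ttl: float = 300.0,
                 fail_closed: bool = False):
        self.lookup = lookup
        self.ttl = ttl
        self.fail_closed = fail_closed
        self.cache: Dict[str, Tuple[int, float]] = {}   # host -> (list id, expiry)
        self.external_queries = 0

    def classify(self, host: str, now: Optional[float] = None) -> int:
        """List ID for a host: on-board cache first, then the external DB, trying
        the host and each parent domain so a categorised domain covers all of
        its subdomains. The bare TLD is never queried."""
        now = time.time() if now is None else now
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        labels = host.split(".")
        list_id = 0
        for i in range(len(labels) - 1):
            list_id = self.lookup(".".join(labels[i:]))
            self.external_queries += 1
            if list_id:
                break
        self.cache[host] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package: str, url: str, now: Optional[float] = None) -> str:
        """Action from the package matrix for one HTTP request URL."""
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        try:
            list_id = self.classify(host, now)
        except ConnectionError:
            # Outage of the external DB: a filtering product should normally fail
            # closed; failing open silently allows everything until the DB returns.
            return "BLOCK" if self.fail_closed else PACKAGE_ACTIONS[package][0]
        return PACKAGE_ACTIONS[package][list_id]


if __name__ == "__main__":
    f = UrlFilter(external_lookup)
    for pkg in PACKAGE_ACTIONS:
        print(pkg, f.decide(pkg, "http://www.example-gambling.test/bet"))
    print("external queries:", f.external_queries)
```

Two things a practitioner should check in any such deployment: the cache must be keyed on the normalised host (case-folded, trailing dot removed) or the same site can be classified differently by spelling, and the host the filter sees must be the one the client actually connects to (for HTTP that is the Host header the SCE extracts), otherwise an IP-literal or alternate hostname bypasses the list.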
Parental Control and Content Filtering: Example
Content filtering:
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
(Figure: block page reading "Page blocked: forbidden content detected.")
SPs Participating in the Advertising Value Chain
(Figure: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds.)
Leveraging their intimacy with their customer base to enable enhanced targeting.
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain and increase ARPU through a revenue sharing model
- Addresses privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web.
2. The SCE mirrors relevant traffic to profiling servers.
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (for example Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...).
P2P Identification: Infringing vs Non-Infringing
1. The subscriber initiates a P2P file request.
2. The SCE extracts the file hash and consults the hash DB.
3. The DB responds with the file classification: infringing or legal.
4. The SCE acts based on the file classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits an infringing file.
- Classifying P2P content into infringing and non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
- The SCE analyzes OTT traffic and redirects it to the caching server
- The cache delivers more bandwidth to end users using existing network resources
- The cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Figure: the SCE redirects OTT video traffic to an OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic continues on the normal path; demand for OTT is increasing.)
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
What the SP needs: the ability to identify and mitigate attacks emanating from its own users.
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
A three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block or mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Figure: service control between subscribers, email servers and the Internet, with the notification text: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com".)
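An anomaly-detection rule of the kind the three-tier solution above relies on for its spam and worm cases, as an added example written for this page and not Cisco's detection logic. It runs over constructed per-flow records (timestamp, subscriber, destination, destination port), flags a subscriber that opens flows to more distinct destinations on a watched port within a sliding window than an assumed threshold allows, excludes the SP's own mail relays from the SMTP count so that ordinary mail through the smarthost does not trip it, and maps each finding to the identify/protect/notify actions. The thresholds, the 60 s window and the quarantine choices are assumed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class FlowRecord:
    ts: int        # seconds
    src: str       # subscriber address
    dst: str       # destination address
    dport: int     # destination port


# Watched port -> (finding name, distinct destinations per window). Assumed thresholds.
RULES = {25: ("smtp-zombie", 20), 445: ("worm-scan-smb", 30)}

NOTICE = ("Dear valued subscriber, your PC may have become infected with an email "
          "zombie generating spam mail. Click here for technical assistance.")


def detect(records: Iterable[FlowRecord], window: int = 60,
           smarthosts: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Sliding-window fan-out detector. A subscriber that reaches the threshold
    number of distinct destinations on a watched port within `window` seconds
    is flagged once per finding. SMTP flows to the SP's own relays are ignored:
    that is how every ordinary mail client sends, and a zombie talks to MX
    hosts all over the Internet instead."""
    findings: Dict[str, List[str]] = defaultdict(list)
    history: Dict[tuple, List[FlowRecord]] = defaultdict(list)
    for r in sorted(records, key=lambda x: x.ts):
        if r.dport not in RULES or (r.dport == 25 and r.dst in smarthosts):
            continue
        name, threshold = RULES[r.dport]
        hist = history[(r.src, r.dport)]
        hist.append(r)
        hist[:] = [h for h in hist if h.ts > r.ts - window]
        if len({h.dst for h in hist}) >= threshold and name not in findings[r.src]:
            findings[r.src].append(name)
    return dict(findings)


def respond(findings: Dict[str, List[str]]) -> Dict[str, dict]:
    """Identify / protect / notify: alert operations, quarantine the subscriber
    (only port 25 is cut for a spam zombie; everything but the help portal for a
    scanning host) and queue the notification. These policy choices are assumed."""
    out = {}
    for sub, names in findings.items():
        block = ["tcp/25"] if names == ["smtp-zombie"] else ["all-but-portal"]
        out[sub] = {"alert": names, "quarantine": block, "notify": NOTICE}
    return out


def sample_records() -> List[FlowRecord]:
    """Constructed traffic: one spam zombie, one normal mail user, one SMB scanner."""
    recs = [FlowRecord(t * 2, "10.0.0.7", f"203.0.113.{t}", 25) for t in range(25)]
    recs += [FlowRecord(100 + t * 10, "10.0.0.8", "198.51.100.25", 25) for t in range(5)]
    recs += [FlowRecord(300 + t // 4, "10.0.0.9", f"192.0.2.{t}", 445) for t in range(35)]
    return recs


if __name__ == "__main__":
    print(respond(detect(sample_records(), smarthosts=frozenset({"198.51.100.25"}))))
```

Because the rule counts distinct destinations rather than bytes or packets, a user sending a few large messages is never confused with a zombie sending thousands of small ones; the trade-off is that a zombie which relays through the SP's own smarthost is invisible to it and has to be caught by the signature tier instead.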
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Figure: user 1, the SCE, a VAS server and the Internet over a Carrier Ethernet/MPLS/IP network, with inbound and outbound traffic and an "X" marking traffic blocked.)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application.
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package.
3. The VAS server receives traffic from the SCE with a VLAN tag used for the communication between user 1 and the server.
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine.
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations.
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flow
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE Is a "Bump on a Wire"
- A stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
(Figure: analysis engine applying PDR (police, drop, rewrite) actions in each direction.)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters or port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
(Figure: optical splitters between subscribers and network feeding the receive-only SCE.)
High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active/standby failover
- The Slave forwards all traffic to the Master for processing
- The Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
(Figure: Master and Slave SCEs, one on each active link.)
Redundant Configurations: Active/Standby Schemes
1+0:
- Active/standby: SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1:
- Active/standby: SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configuration: fail open
(Figure: active and standby links for each scheme.)
Optical Bypass
The SCE can be inserted through optical bypass modules. For the SCE8000 the optical bypass modules are activated in the following cases:
- In case of a major failure in the SCE software or hardware
- Manually via CLI
- On boot
(Figure: SCE8000 with optical bypass modules; the default bypass state (no power) versus the non-default bypass state.)
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
Slide 88: Network Architectures - SCE's Open and Extensible Architecture
(Diagram: insertion options N+1, 1+1 HA and bypass HAs between the access side (GGSN for Mobile; BRAS/LAC/LNS for DSL/Fiber) and the Internet, with Accounting/Policy Control integration.)
Slide 89: Packet Inspection - Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS Traffic Engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
(Diagram: encapsulated packet stacks such as MPLS / L2TP / PPP / IP / TCP / Payload, with the SCE inspecting the inner IP, TCP and payload.)
Slide 90: Management and Integration

Slide 91: What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs.
(Diagram: the Service Control Engine between Subscribers and the Network, with the Subscriber Manager (AAA, DHCP, Radius/Billing), the Collection Manager (Reporting Tool, Engage Console) and the Policy Server/Portal (Service Portal).)
Slide 92: Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Slide 93: Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Slide 94: Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate bypass
Slide 95: Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Slide 96: Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a Top Subscriber to activate the Subscriber Real-Time Report
Slide 97: Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Slide 98: Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions.
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Slide 99: Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  Push: login messages are sent directly to the relevant SCE device
  Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100: Subscriber Manager - Radius Integration - Push
(Diagram: B-RAS on the network side; Cisco Subscriber Manager consisting of Event Manager, Internal SDB and SCE device Controller; SCE in front of the subscribers.)
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start is forwarded to the SM with the policy attribute added: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE

Slide 101: Subscriber Manager - Radius Integration - Pull
(Diagram: same components as the push case.)
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start is forwarded to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
Slide 102: Radius Integration - LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay Agent Information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs (Login Event Generators) feeding the SM:
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
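The login/logout translation of slides 98-102, as an added example that is not part of the deck and not Cisco's SM code: a toy Subscriber Manager decodes RADIUS Accounting-Request packets attribute by attribute (bounds-checking every TLV length), turns Acct-Start into a subscriber context (Subscriber-ID, Network-ID, Policy-ID), pushes it to the SCE responsible for the NAS, and answers pull-mode "who is using IP x" queries. The NAS-to-SCE layout and the vendor sub-attribute number used for SCE-VAS-PID are constructed assumptions; the real VSA numbering is not on the page.

```python
"""Added example (not Cisco's code): RADIUS accounting -> subscriber mappings,
served to an SCE in push or pull mode."""
import struct
from dataclasses import dataclass

# RADIUS packet code and standard attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
# Assumption: the sub-attribute number carrying SCE-VAS-PID is a placeholder.
SCE_VAS_PID_SUBTYPE = 250


def tlv(t, value):
    """One RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", t, len(value) + 2) + value


def cisco_vsa(subtype, value):
    """Vendor-Specific attribute wrapping one Cisco (vendor 9) sub-attribute."""
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + tlv(subtype, value))


def build_accounting_request(ident, attrs):
    """Header: code, identifier, length, 16-byte authenticator (zeroed here; a real
    Request Authenticator is an MD5 over the packet and the shared secret)."""
    body = b"".join(attrs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), b"\x00" * 16) + body


def parse_attrs(data):
    """Decode a run of TLVs into {type: value}; every length is bounds-checked so a
    malformed packet raises instead of reading past the buffer."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def parse_packet(pkt):
    """Return (code, attributes) for a RADIUS packet after checking the header length."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if length != len(pkt):
        raise ValueError("header length does not match packet")
    return code, parse_attrs(pkt[20:])


def sce_pid_from_vsa(vsa):
    """Extract the policy id from a Cisco Vendor-Specific value, if present."""
    if vsa is None or len(vsa) < 4 or struct.unpack("!I", vsa[:4])[0] != CISCO_VENDOR_ID:
        return None
    raw = parse_attrs(vsa[4:]).get(SCE_VAS_PID_SUBTYPE)
    return int(raw.decode()) if raw else None


@dataclass
class Subscriber:
    subscriber_id: str   # Subscriber-ID
    ip: str              # Network-ID
    policy_id: int       # Policy-ID (package)


class SubscriberManager:
    """Internal SDB plus the push/pull behaviour of slides 99-101."""

    def __init__(self, sce_for_nas):
        self.sdb = {}                       # ip -> Subscriber
        self.sce_for_nas = sce_for_nas      # NAS-Identifier -> SCE name (constructed layout)
        self.pushed = []                    # (sce, subscriber_id, ip, policy_id) pushes

    def on_radius(self, pkt):
        code, attrs = parse_packet(pkt)
        if code != ACCOUNTING_REQUEST or ACCT_STATUS_TYPE not in attrs:
            return None
        if FRAMED_IP_ADDRESS not in attrs or len(attrs[FRAMED_IP_ADDRESS]) != 4:
            raise ValueError("accounting record without a usable Framed-IP-Address")
        status = int.from_bytes(attrs[ACCT_STATUS_TYPE], "big")
        ip = ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])
        if status == ACCT_STOP:             # logout: drop the mapping
            return self.sdb.pop(ip, None)
        if status != ACCT_START:
            return None
        sub = Subscriber(attrs[USER_NAME].decode(), ip, sce_pid_from_vsa(attrs.get(VENDOR_SPECIFIC)))
        self.sdb[ip] = sub
        sce = self.sce_for_nas.get(attrs.get(NAS_IDENTIFIER, b"").decode())
        if sce:                             # push mode: login goes straight to the SCE
            self.pushed.append((sce, sub.subscriber_id, sub.ip, sub.policy_id))
        return sub

    def who_is_using(self, ip):
        """Pull mode: the SCE asks for the subscriber behind an IP it has not seen."""
        return self.sdb.get(ip)
```

The bounds checks in parse_attrs matter in practice: an SM or LEG parses accounting traffic relayed from the access network, and an attribute whose declared length runs past the datagram must be rejected rather than read.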
Slide 103: Policy Server Integration - API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management with the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C and Java)
- SCE MIB - allows integration for maintenance operations
- RDRs - allow integration for billing/quota provisioning
- NetFlow v9 - allows integration for billing/quota provisioning

Slide 104: Policy Servers Integration - Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID, together with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID.
(Diagram: Policy Server - API - Subscriber Manager - API - SCE.)
Slide 105: PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server. Communication with the PCRF is through a standard Gx interface.
(Diagram: GGSN in the converged packet core; the SCE as PCEF providing access aggregation and service control; subscriber service control towards the Internet and the video/VoIP applications and services.)
The Gx interface is still under development and will be available in a future release.

Slide 106: Gx Interface and Radius VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
  Called-Station-Id
  3GPP-SGSN-IP-Address
  3GPP-SGSN-MCC-MNC
  3GPP-GPRS-Negotiated-QoS-Profile
  3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Slide 107: Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Slide 108: Collection Manager - RDR Protocol
Usage data is streamed from the device using the RDR Protocol:
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
(Diagram: an RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ... Field n.)
Slide 109: Collection Manager - NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
- Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: the SCE exporting to the SCMS Collection Manager with the SCMS Reporter, and to a NetFlow Collector with a NetFlow Reporter.)
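What a collector on the receiving end of this export has to do, as an added example that is not part of the deck and not Cisco's collector code: build a NetFlow v9 packet with a template FlowSet and a data FlowSet, then decode it template-first, the way slides 107-109 describe records flowing to a NetFlow collector. Only standard v9 field types are used; the L7 extension fields the slide mentions are not on the page, so an unknown field type simply surfaces as field_<n>. The flow records are constructed.

```python
"""Added example (not Cisco's code): NetFlow v9 export packet encoder and a
template-aware collector. Field numbering follows RFC 3954 section 8."""
import socket
import struct
import time

FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
TEMPLATE_FLOWSET_ID = 0          # options template FlowSet (id 1) is ignored below


def encode_field(ftype, length, value):
    if ftype in IPV4_FIELDS:
        return socket.inet_aton(value)
    return int(value).to_bytes(length, "big")


def build_v9_packet(source_id, seq, template_id, fields, records, uptime_ms=0):
    """20-byte header + template FlowSet + data FlowSet.
    fields is [(type, length)], records is a list of {type: value} dicts."""
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_field(t, l, r[t]) for r in records for t, l in fields)
    pad = (-len(data)) % 4                       # FlowSets are padded to 32 bits
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\x00" * pad
    count = 1 + len(records)                     # template records + data records
    header = struct.pack("!HHIIII", 9, count, uptime_ms, int(time.time()), seq, source_id)
    return header + tmpl_fs + data_fs


class V9Collector:
    """Templates are kept per (source_id, template_id). Data that arrives before
    its template cannot be decoded and is counted in dropped, never guessed."""

    def __init__(self):
        self.templates, self.flows, self.dropped = {}, [], 0

    def feed(self, pkt):
        if len(pkt) < 20:
            raise ValueError("short header")
        version, count, _up, _secs, _seq, src = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not NetFlow v9")
        off = 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("bad FlowSet length")
            body = pkt[off + 4:off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._templates(src, body)
            elif fs_id >= 256:
                self._data(src, fs_id, body)
            off += fs_len
        return count

    def _templates(self, src, body):
        i = 0
        while i + 4 <= len(body):
            tid, n = struct.unpack("!HH", body[i:i + 4])
            i += 4
            if i + 4 * n > len(body):
                raise ValueError("truncated template")
            self.templates[(src, tid)] = [struct.unpack("!HH", body[i + 4 * k:i + 4 * k + 4])
                                          for k in range(n)]
            i += 4 * n

    def _data(self, src, tid, body):
        fields = self.templates.get((src, tid))
        rec_len = sum(l for _, l in fields) if fields else 0
        if not rec_len:
            self.dropped += 1
            return
        off = 0
        while off + rec_len <= len(body):        # trailing bytes are padding
            rec, p = {}, off
            for t, l in fields:
                raw = body[p:p + l]
                p += l
                rec[FIELD_NAMES.get(t, f"field_{t}")] = (
                    socket.inet_ntoa(raw) if t in IPV4_FIELDS else int.from_bytes(raw, "big"))
            self.flows.append(rec)
            off += rec_len


def bytes_by_src(flows):
    """Per-source byte totals, the simplest form of the per-subscriber usage (NUR) view."""
    out = {}
    for f in flows:
        out[f["IPV4_SRC_ADDR"]] = out.get(f["IPV4_SRC_ADDR"], 0) + f["IN_BYTES"]
    return out
```

Templates are scoped by source ID because two exporters may reuse the same template number with different layouts; decoding a data FlowSet with the wrong template produces silently wrong usage figures, which is why unknown templates are dropped and counted instead.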
Slide 110: Collection Manager - Software Overview
CM software:
- Unix (Solaris, Linux) Java software
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111: ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selected DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic per package, per service and per direction (upstream/downstream)
(Diagram: the SCE between the subscriber side and the network side, marking the upstream and downstream flows of browsing, P2P and VoIP.)

Slide 112: ToS Classification
- The SCE provides traffic classification based on the ToS bits
- ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
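The mechanics behind both slides, as an added example that is not part of the deck and not the SCE's implementation: read and rewrite the six DSCP bits of an IPv4 header (preserving the ECN bits and recomputing the header checksum), apply a per-package/service/direction marking table, and classify with DSCP taking precedence over a signature lookup. The marking table, the DSCP-to-flavor table and the packets are constructed for the example.

```python
"""Added example (not Cisco's code): DSCP read/rewrite on IPv4 and the
DSCP-before-signature classification order of slide 112."""
import struct


def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the header; 0 means the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, dscp=0, ecn=0, payload=b""):
    """Minimal 20-byte IPv4 header (IHL=5) in front of payload; src/dst are dotted quads."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def get_dscp(pkt):
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite the six DSCP bits, keep the two ECN bits, fix the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a sane IPv4 header")
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


# Constructed policy tables. Marking is per (package, service, direction);
# classification trusts an upstream element's DSCP first, then falls back to
# the signature engine, mirroring the precedence stated on slide 112.
EF, AF41, CS1 = 46, 34, 8
MARK_TABLE = {("gold", "voip", "up"): EF, ("gold", "voip", "down"): EF,
              ("gold", "video", "down"): AF41,
              ("silver", "p2p", "up"): CS1, ("silver", "p2p", "down"): CS1}
DSCP_FLAVORS = {EF: "voip", AF41: "video", CS1: "bulk"}


def mark(pkt, package, service, direction):
    """Apply the table; packets with no matching rule pass through unmarked."""
    dscp = MARK_TABLE.get((package, service, direction))
    return set_dscp(pkt, dscp) if dscp is not None else pkt


def classify(pkt, signature_lookup):
    """Returns (service, method): 'dscp' when a trusted mark decided, else 'signature'."""
    flavor = DSCP_FLAVORS.get(get_dscp(pkt))
    if flavor is not None:
        return flavor, "dscp"
    return signature_lookup(pkt), "signature"
```

The classification order is also the trust boundary: the slide's assumption that "another element" set the DSCP only holds if marks arriving from untrusted edges (subscriber side, peering) are reset or remapped before this lookup, otherwise a client can pick its own service class by setting EF.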
Slide 113: Summary

Slide 114: Cisco SCE Sample Customers
(Diagram: customer logos grouped under Mobile, DSL and Cable.)
Slide 115: Partners and Customers by Use Case
Use-case categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising.
Names shown on the slide (the extracted text ran them together; the grouping below follows the slide's order): NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; Phorm, Feeva, Adzilla, local China, local Italy; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom.

Slide 116: Partners and Customers by Use Case (continued)
Use-case categories: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing.
Names shown on the slide: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle; various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet.

Slide 16: Service Control Engine (SCE) Fundamentals
Slide 17: Deep Packet Inspection (DPI) Critical to Managing Today's Mobile Networks
- DPI allows Mobile service providers to cope with the dynamic nature of the net: it permits SPs to classify all IP applications and provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
- DPI provides usage analysis and reporting
- DPI enables Mobile SPs to implement capacity management and fair-use policies: to gain visibility into network activities, to optimize network bandwidth and improve network performance, and to guarantee a consistent QoE over RAN and backhaul
- DPI enables Mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
- DPI empowers Mobile SPs to implement advanced targeted advertising schemes
Slide 18: Application Architecture of the Future - SCE Enables User Experience
(Diagram: a Service Control Point in the Service Provider Network between the access types (Fixed Wireless, DSL, Cellular/WiFi Mesh/WiMAX, Enterprise, Cable) and the applications (Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music).)
Slide 19: What Is the Service Control Engine?
Technology pillars: Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity.
- Rapidly programmable: rapidly re-tasked to support new protocols or applications
- Stateful Deep Packet Inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
- Application session-level bandwidth shaping, blocking and redirecting (HTTP, RTSP, SIP)
- Subscriber state management, with per-subscriber BW management and quotas
- Extensible platform and open architecture: based upon a flexible purpose-built platform with modular and scalable HW acceleration; easy to use, with open APIs for seamless OSS integration
- Carrier class: designed for carrier-grade deployments requiring high performance for multi-gigabit and 10 Gigabit speeds, and high availability and reliability with stateful failover
Slide 20: Process of Service Control
Intelligent inspection and control of IP packets:
- Classify to the end-user application; determine application semantics
- Map to subscriber identity, policy and state
- Select an action based on conditions: time of day, congestion, usage, other concurrent activities
- Take action and report: block, redirect, set QoS, mark, report
Slide 21: Service Control Engine - Functional Examples
(Diagram: functional areas of the Service Control technology arranged along an axis from Cost Management to Revenue Generation.)
Functional areas: Service Security; Traffic Optimization; Usage Analysis; Tiering & Access Control; Premium Service Enablement; Content Charging.
Examples:
- Traffic anomaly detection and DDoS protection
- Anti-X (spam, worms)
- Safe harbor and quarantine services
- Traffic mix optimization
- Fair use policy enforcement
- QoS assurance
- Traffic analysis and reporting
- Quality of Experience monitoring
- Usage demographics
- Service self selection
- Volume- and time-based tiering of services
- Bandwidth on demand (turbo button)
- Over-the-top application partnership services
- Multimedia (voice/video) traffic prioritization
- Volume- and time-based billing services
- Parental control and content filtering
Slide 22: Service Control Platforms
Category | SCE1000 | SCE2000 | SCE8000
Interfaces | 2-GBE (Fiber SX/LX) | 4-GBE (Fiber SX/LX) | 2-10G / 4-10G, 8-GBE / 16-GBE (Fiber SX/LX/ZX)
Mgmt interface | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows | 2M | 2M | 16M (can grow up to 32M)
Max subscriber contexts | 200,000 | 200,000 | 1M
Network configuration | Out of line, Inline | Out of line, Inline, Clustering | Out of line, Inline, Clustering
Slide 23: SCE Product Family and Milestones
(Chart: capacity in concurrent subscribers (200K up to 1M) against performance (5 Gbps up to 40 Gbps), positioning the SCE 1000, SCE 2000 and SCE 8000.)
SCE 8000: 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end 09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics.
Slide 24: Cisco SCE in Mobile
- Industry-leading Deep Packet Inspection
- Rich set of IP services: Content Filtering, Content Charging, Traffic Optimization, Usage Analysis
- 3GPP compliant
Slide 25: The SCE Mobile Solution
(Diagram: SGSN and GGSN in the core, the SCE between the GGSN and the Internet, integrated with AAA (Radius), Policy Server, Portal/Applications and Billing & Charging.)

Slide 26: The SCE Mobile Solution - 3GPP Compliance
(Same diagram with the 3GPP roles: the SCE as PCEF; the Policy Server as PCRF over Gx; Billing & Charging as OCF/SRP over Gy; Portal/Applications as AF.)
Slide 27: What does an SCE solution look like? SCE sits at the access or aggregation layer
(Diagram: the Service Control Engine between Subscribers and the Network, with the Subscriber Manager (AAA, DHCP, Radius/Billing), the Collection Manager (Reporting Tool, Engage Console) and the Policy Server/Portal (Service Portal).)
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Slide 28: Service Control Engine Deployment Approaches
(Diagram: a progression from Usage Analysis to Service Creation, with Portal, DHCP, AAA, Subscriber Profile and Policy components.)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement service self selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
Slide 29: What Does a Service Provider Want From SCE? Profitability
- URL Blacklisting: restricting sites that are blacklisted by governments
- Precision Advertising: demographic information and per-subscriber redirection to an ad server
- Copyright Infringement Blocking: blocking distribution of pirated film/music
- OTT Revenue Share Proposition: application intercept for Internet content prioritisation
- Enhanced Tiered Services: product tiers (Flat Rate, Restricted) in addition to flat-rate "all you can eat"
- Usage/Content-Based Billing: global migration from flat rate to usage based
- Fair Use Policy: all HSDPA mobile operators
Slide 30: Traffic Analysis and Business Intelligence

Slide 31: Business Intelligence Cycle
(Diagram: a cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control at the Measure and Act ends; strategic, part of business ops, customer, sales, category recognition.)
Activities around the cycle, in the order shown: transactions information; network utilization; service QoE; data aggregation; data mining; correlation; trend analysis; geographies comparison; histogram view; service offering; marketing review; intersecting set; engineering review; IT review; network tuning; cooperation.
Slide 32: Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application

Slide 33: Web Reports
- Insights into web traffic: top domains, top hosts
- Insights into all popular Google hosts
Slide 34: Web Reports - ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart: all HTTP requests versus ClickStream only.)
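The reduction the slide describes, as an added example that is not part of the deck and not the SCE's classifier: an HTTP request log is reduced to the ClickStream by treating each GET whose response is an HTML document as a click and attributing the requests that reference it in their Referer (stylesheets, scripts, images, trackers, API calls) to that click. The log format and the rule are constructed for this example.

```python
"""Added example (not Cisco's code): ClickStream extraction from an HTTP log."""

# Constructed proxy-style log: time, client, method, url, referer ('-' if none),
# response content-type. Nine requests, three of which are page navigations.
LOG = """\
09:00:01 10.0.0.5 GET http://news.example/ - text/html
09:00:01 10.0.0.5 GET http://news.example/style.css http://news.example/ text/css
09:00:01 10.0.0.5 GET http://cdn.example/app.js http://news.example/ application/javascript
09:00:02 10.0.0.5 GET http://cdn.example/logo.png http://news.example/ image/png
09:00:02 10.0.0.5 GET http://ads.example/track?id=1 http://news.example/ image/gif
09:00:09 10.0.0.5 GET http://news.example/story/42 http://news.example/ text/html
09:00:09 10.0.0.5 GET http://cdn.example/photo.jpg http://news.example/story/42 image/jpeg
09:00:30 10.0.0.7 GET http://shop.example/cart - text/html
09:00:31 10.0.0.7 POST http://shop.example/api/cart http://shop.example/cart application/json
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, method, url, referer, ctype = line.split()
        rows.append({"ts": ts, "client": client, "method": method, "url": url,
                     "referer": None if referer == "-" else referer, "ctype": ctype})
    return rows


def is_click(row):
    """A navigation: a GET whose response is an HTML document."""
    return row["method"] == "GET" and row["ctype"].split(";")[0] == "text/html"


def clickstream(rows):
    """Ordered pages per client, each with the number of requests it triggered.
    Sub-resources are matched to the latest click of that client with that URL."""
    pages = []                       # {"client", "url", "subresources"} in log order
    latest = {}                      # (client, url) -> index into pages
    for r in rows:
        if is_click(r):
            latest[(r["client"], r["url"])] = len(pages)
            pages.append({"client": r["client"], "url": r["url"], "subresources": 0})
        elif r["referer"] and (r["client"], r["referer"]) in latest:
            pages[latest[(r["client"], r["referer"])]]["subresources"] += 1
    return pages


def reduction(rows):
    """Share of requests that are ClickStream events (the slide: typically 1-5%)."""
    clicks = sum(1 for r in rows if is_click(r))
    return clicks / len(rows) if rows else 0.0
```

On this tiny log a third of the requests are clicks; on real traffic, where one page pulls dozens of resources, the ratio falls into the slide's 1-5% range. The content-type rule over-counts HTML fragments fetched by scripts; where request headers are available, a navigation is better identified by the browser's Accept or Sec-Fetch-Mode header.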
Slide 35: Cumulative & Average Usage Distribution
- Top 1% of subscribers => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber will impact the top 2% only
Slide 36: Service Control Engine Protocol Support - Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Slide 37: Behavioral Signatures
Finding new signatures becomes a difficult task:
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (the new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge.
Slide 38: Behavioral Classification - Benefits
- Scalability: the behavioral approach is capable of recognizing the application flows based on only a few signatures; one signature per application family instead of one signature per application (Behavioral P2P)
- Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
- Time to market - zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures
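What a heuristic of this kind looks like, as an added example that is not part of the deck and not the SCE's Behavioral P2P signature (which the page does not describe): two transport-layer heuristics adapted from Karagiannis et al., "Transport Layer Identification of P2P Traffic" (IMC 2004), run over constructed flow records. A host is flagged when it has talked to the same peer over both TCP and UDP, or when the number of distinct peers it contacted is close to the number of distinct peer ports (client-server traffic concentrates on a few ports; P2P tends to one port per peer). Thresholds are constructed.

```python
"""Added example (not Cisco's code): behavioral P2P detection on flow records."""
from collections import defaultdict

# Constructed flow records: (client, peer, protocol, peer_port).
FLOWS = [
    # a P2P-looking client: many peers, each on its own port, TCP and UDP to one peer
    ("10.0.0.5", "203.0.113.10", "tcp", 6881), ("10.0.0.5", "203.0.113.10", "udp", 6881),
    ("10.0.0.5", "203.0.113.11", "tcp", 51413), ("10.0.0.5", "203.0.113.12", "tcp", 24680),
    ("10.0.0.5", "203.0.113.13", "udp", 31337), ("10.0.0.5", "203.0.113.14", "tcp", 12000),
    # a web client: several servers, all on 80/443
    ("10.0.0.7", "93.184.216.34", "tcp", 443), ("10.0.0.7", "93.184.216.35", "tcp", 443),
    ("10.0.0.7", "198.51.100.9", "tcp", 80), ("10.0.0.7", "198.51.100.10", "tcp", 443),
    ("10.0.0.7", "198.51.100.11", "tcp", 80),
]

# Peer ports where TCP+UDP to the same host is normal (DNS) and must not count.
TCP_UDP_WHITELIST = {53}


def tcp_udp_pairs(flows):
    """Hosts that used both TCP and UDP with the same peer (excluding whitelisted ports)."""
    seen = defaultdict(set)
    for client, peer, proto, port in flows:
        if port not in TCP_UDP_WHITELIST:
            seen[(client, peer)].add(proto)
    return {c for (c, _p), protos in seen.items() if {"tcp", "udp"} <= protos}


def ip_port_ratio(flows, min_peers=5, tolerance=1):
    """Hosts whose distinct-peer count and distinct-peer-port count nearly match.
    min_peers keeps idle hosts (1 peer, 1 port) from being flagged."""
    peers, ports = defaultdict(set), defaultdict(set)
    for client, peer, _proto, port in flows:
        peers[client].add(peer)
        ports[client].add(port)
    return {c for c in peers
            if len(peers[c]) >= min_peers and abs(len(peers[c]) - len(ports[c])) <= tolerance}


def classify_hosts(flows):
    """'p2p' for hosts caught by either heuristic, else 'non-p2p'; one label per client."""
    flagged = tcp_udp_pairs(flows) | ip_port_ratio(flows)
    return {c: ("p2p" if c in flagged else "non-p2p") for c in {f[0] for f in flows}}
```

This is the zero-day property the slide refers to: neither heuristic knows any client's protocol, so a new client version that keeps the same peer-to-peer behaviour is still caught, at the cost of false positives from other fan-out-heavy applications (DNS and NTP are the usual ones to whitelist).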
Slide 39: Peer-to-Peer Management & Network Optimization

Slide 40: SCE's Flexible Control - Policy Implementation
Policy dimensions and their implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
- Service level
Slide 41: Adaptive Subscriber Bandwidth Allocation - Improve User Experience
(Diagram: a subscriber's bandwidth shared between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the allocation adapts so that web browsing and the video keep their share alongside the peer-to-peer service.)
Slide 42: Fair Usage - The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies, to ensure a balanced community of subscribers
(Chart: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)

Slide 43: Fair Usage - SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
(Charts: no fairness - some of the subscribers are not getting a fair share of the BW; fair allocation of BW with the SCE's FairShare.)
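The three requirements of slide 42 (real-time distribution, short-term usage windows, long-term acceptable-use violations) and the "only under congestion" rule of slide 43, as an added example that is not part of the deck and not the SCE's FairShare algorithm: a weighted max-min allocation (progressive filling) that is bypassed while total demand fits the capacity, and whose per-subscriber weights are reduced for recent heavy usage and for a flagged long-term violator. The weighting factors and the subscriber records are constructed.

```python
"""Added example (not Cisco's code): congestion-only weighted max-min fair share."""


def weight(sub, window_avg, heavy_factor=0.5, violator_factor=0.25):
    """Start from the plan weight; halve it for subscribers whose recent (short-window)
    usage is above the window average; quarter it for a flagged long-term AUP violator."""
    w = sub["plan_weight"]
    if sub["recent_bytes"] > window_avg:
        w *= heavy_factor
    if sub.get("aup_violation"):
        w *= violator_factor
    return w


def fair_share(capacity, subs):
    """Returns {name: allocation}. Outside congestion every demand is met in full.
    Under congestion: progressive filling, where capacity is handed out in proportion
    to weight, subscribers whose share exceeds their demand are capped at the demand,
    and the capacity they leave is redistributed among the rest."""
    demand = {s["name"]: float(s["demand"]) for s in subs}
    if sum(demand.values()) <= capacity:
        return demand                               # FairUsage is idle here
    avg = sum(s["recent_bytes"] for s in subs) / len(subs)
    w = {s["name"]: weight(s, avg) for s in subs}
    if min(w.values()) <= 0:
        raise ValueError("weights must be positive")
    alloc = {n: 0.0 for n in demand}
    unsatisfied = set(demand)
    remaining = float(capacity)
    while unsatisfied and remaining > 1e-9:
        total_w = sum(w[n] for n in unsatisfied)
        share = {n: remaining * w[n] / total_w for n in unsatisfied}
        capped = {n for n in unsatisfied if alloc[n] + share[n] >= demand[n]}
        if not capped:                              # nobody saturates: final round
            for n in unsatisfied:
                alloc[n] += share[n]
            break
        for n in capped:                            # satisfy them, free the rest
            remaining -= demand[n] - alloc[n]
            alloc[n] = demand[n]
        unsatisfied -= capped
    return alloc
```

The short-window term is what answers the slide's question: dividing equally at the congested moment ignores that Sub B has already consumed far more in the preceding window, so an allocator that only looks at instantaneous demand would treat the two alike.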
Slide 44: RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN - SGSN/GGSN - SCE - Internet, with a Policy Server; GPRS.)
Slide 45: Tiered Services

Slide 46: Requirement: Flexible Billing Plans
(Diagram: a progression of billing dimensions from Subscription and Time upwards.)
- Volume, Time: bill by bandwidth usage over an always-on service
- Time, Volume, Transaction, Content type: bill differently for each type of application and content
- Volume, Transaction, Content type, Usage pattern, Quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
Slide 47: Allowance or Quota-Based Services - Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers, they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Slide 48: Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: the Service Control Engine between Subscribers and the Network, integrated with Quota Manager, Billing/Mediation and Policy Server.)
Slide 49: Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store
- P2P technology can also be supported in the upload direction via DPI
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
The quota measurement rate can change during the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of the night: 10 bytes of transfer = 1 byte of quota
Slide 50: Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the Online Charging Server
(Diagram: GGSN in the converged packet core; the SCE providing access aggregation and service control; subscriber service control towards the Internet and the video/VoIP applications and services.)
The Gy interface is still under development and will be available in a future release.

Slide 51: Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
(Diagram: SCE - Gy over Diameter - Online Charging Server; SCE - Internet.)
The Gy interface is still under development and will be available in a future release.
Slide 52: Quota-Based Tiering - Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month

Slide 53: Telenet Self-Service Portal
- View previous months
- Current product and speed
- Extend monthly subscription volume
- Upgrade to other product
- Button to go from pay-as-you-go broadband to free smallband, or the other way around

Slide 54: Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription - buy more
- Pay as you go on broadband
- Continue for free on narrowband

Slide 55: Quota-Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction
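The measurement rules of slide 49 and the enforcement steps of the Telenet case (slides 52-55), as one added example that is not part of the deck and not Cisco's quota manager: usage records are charged against a quota bucket with an exempt-service list and a time-of-day transfer-to-quota rate; once the bucket is exhausted the plan drops to a narrowband rate, the next web request is redirected once to a portal offering the three options, and each option changes the account's state. The exempt list, rates, thresholds, night-hour boundaries and usage records are constructed.

```python
"""Added example (not Cisco's code): quota accounting and exhaustion handling."""
from dataclasses import dataclass

EXEMPT_SERVICES = {"sp_store", "sp_gaming", "sp_voip", "partner_cdn"}   # constructed
PORTAL_OPTIONS = ["extend", "pay_as_you_go", "continue_narrowband"]


def quota_rate(hour):
    """Bytes of transfer per byte of quota: 1:1 in peak hours, 10:1 in the middle of
    the night (slide 49). The 01:00-06:00 night window is an assumption."""
    return 10 if 1 <= hour < 6 else 1


def charge(bytes_transferred, service, hour):
    """Quota bytes consumed by one usage record; exempt services cost nothing."""
    if bytes_transferred < 0:
        raise ValueError("negative usage")
    if service in EXEMPT_SERVICES:
        return 0
    return bytes_transferred // quota_rate(hour)


@dataclass
class Account:
    quota_bytes: int
    used: int = 0
    extensions: int = 0
    metered: bool = False          # 'pay as you go': charged per MB, full speed
    redirect_shown: bool = False

    def remaining(self):
        return max(self.quota_bytes - self.used, 0)

    def exhausted(self):
        return self.used >= self.quota_bytes

    def apply(self, bytes_transferred, service, hour):
        """Account one usage record (bytes, classified service, hour of day)."""
        self.used += charge(bytes_transferred, service, hour)

    def speed_limit_kbps(self, plan_kbps, narrowband_kbps=56):
        """At 100% of quota the service drops to dial-up speed unless metered."""
        if self.exhausted() and not self.metered:
            return narrowband_kbps
        return plan_kbps

    def on_web_request(self):
        """The first web request after exhaustion is redirected to the portal, once."""
        if self.exhausted() and not self.metered and not self.redirect_shown:
            self.redirect_shown = True
            return {"redirect": True, "options": list(PORTAL_OPTIONS)}
        return {"redirect": False}

    def choose(self, option, extra_bytes=0):
        """Apply the subscriber's portal choice."""
        if option == "extend":
            if extra_bytes <= 0:
                raise ValueError("extension must add quota")
            self.quota_bytes += extra_bytes
            self.extensions += 1
            self.redirect_shown = False          # a later exhaustion redirects again
        elif option == "pay_as_you_go":
            self.metered = True
        elif option != "continue_narrowband":
            raise ValueError("unknown portal option")
```

Usage is charged on the classified service, not on the destination address, which is why the exemption list only works downstream of a classifier that cannot be fooled by port choice (slide 48's "regardless of port number").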
Slide 56: T-Mobile - Quota-Based With Application Control
Service | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | (not stated)
VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Slide 57: European Mobile BB, Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

Slide 58: European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
(Chart residue: "> 40".)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
'Pull': Enhanced Experience Is Subscriber-Driven ('Turbo Button', Self-Care, Parental Control)
'Push': Enhanced Experience Is Application-Driven (Application Awareness, Control Bus)
Diagram labels: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice

Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that distributed content does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks, or to mitigate the risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button

Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering

Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Portal screenshot: "Content Blocked - Click here to unlock all Internet sites"

URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On Device URL Filtering with External Database Integration (diagram): URL not in cache -> URL Query RDR to 3rd Party URL Database -> Return URL Classification -> Cache-Lookup Update

| Subscriber-Package / HTTP list | DEFAULT | HTTP-List ID 1 | HTTP-List ID 2 |
|---|---|---|---|
| Block-none | ALLOW | ALLOW | ALLOW |
| Block-all | ALLOW | BLOCK | BLOCK |
| Block-and-slow | ALLOW | BLOCK | RATE 64kbps |

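As an added illustration (not Cisco code), the cache-then-external-lookup flow and the package matrix above modelled in Python; the external database is a constructed dict standing in for the URL Query RDR round-trip, and the actions are the ones in the table.

```python
"""Added example, not Cisco code: a model of the on-device URL filtering flow
on the slide above. Hostnames are classified through an on-board cache that
fronts an external URL database, and the per-package action matrix decides
ALLOW / BLOCK / RATE for the HTTP list the host landed in."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Action matrix from the slide: package -> HTTP list ID -> action.
# "RATE 64kbps" is represented as a tuple so callers can read the rate.
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: ("RATE", "64kbps")},
}

# Constructed stand-in for the 3rd party URL database (hostname -> list ID).
# The real lookup is a URL Query RDR round-trip; here it is a dict lookup.
EXTERNAL_DB = {
    "adult.example": 1,
    "gambling.example": 1,
    "video.example": 2,
    "tracker.example": 2,
}


@dataclass
class UrlClassifier:
    """On-board classification cache in front of the external database."""
    external_db: dict
    cache: dict = field(default_factory=dict)
    external_queries: int = 0   # round-trips to the external DB
    cache_hits: int = 0

    def classify(self, url: str):
        """Return the HTTP list ID for the URL's host ("DEFAULT" if unlisted).

        The host is taken from the parsed URL, not from a string prefix, so
        "http://news.example@adult.example/" is classified as adult.example
        and neither letter case nor an explicit port defeats the cache.
        """
        host = urlsplit(url).hostname
        if host is None:
            return "DEFAULT"
        host = host.lower()
        if host in self.cache:
            self.cache_hits += 1
            return self.cache[host]
        self.external_queries += 1                       # URL Query RDR
        list_id = self.external_db.get(host, "DEFAULT")  # returned classification
        self.cache[host] = list_id                       # cache-lookup update
        return list_id


def enforce(package: str, list_id):
    """Look up the package's action for the classified list.

    An unknown package is an error rather than a silent ALLOW, so a typo in a
    package name cannot turn a filtered subscriber into an unfiltered one.
    """
    try:
        return POLICY[package][list_id]
    except KeyError as exc:
        raise ValueError(f"no policy for package={package!r} list={list_id!r}") from exc


def decide(classifier: UrlClassifier, package: str, url: str):
    """Full path: classify the URL's host, then apply the package matrix."""
    return enforce(package, classifier.classify(url))


if __name__ == "__main__":
    clf = UrlClassifier(EXTERNAL_DB)
    for pkg, url in [("Block-and-slow", "http://video.example/clip"),
                     ("Block-and-slow", "http://VIDEO.example:8080/other"),
                     ("Block-all", "http://news.example@adult.example/")]:
        print(pkg, url, "->", decide(clf, pkg, url))
    print("external queries:", clf.external_queries, "cache hits:", clf.cache_hits)
```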
Parental Control and Content Filtering: Example
Content Filtering (screenshots: "Page Blocked/Forbidden", "Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

BetterAds: SPs participating in the advertising value chain
ISP assets: Demographics, Browsing habits, Geo-location
Value chain: Advertiser, Publisher, Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs to participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring (diagram):
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit…)

P2P Identification: Infringing / Non-Infringing (diagram: Subscriber, Network, HASH DB)
1. Subscriber initiates P2P file request
2-3. SCE extracts file hash and consults DB; DB responds with file classification (infringing / legal)
4. SCE acts based on file classification: lets the request pass for a legal file; block, redirect or rate-limit for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE, OTT, Other OTT/P2P, VoIP, OTT Video Cache; SCE redirects OTT traffic; Cache delivers requested files; Increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users

Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: Threat identified using stateful traffic processing; alert SP operations
Protect: Block/mitigate the threat based on configured policy
Notify: Quarantine the subscriber and notify of the security risk
Diagram: Email Servers, Internet, Service Control; sample notification:
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

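The three tiers above as an added worked example (not Cisco code): a sliding-window anomaly rule over constructed flow records stands in for the SCE's own detector, and each subscriber receives an identify/protect/notify verdict; the record layout, subscriber IDs and threshold are assumptions.

```python
"""Added example, not Cisco code: the Identify / Protect / Notify tiers from
the slide above, run over constructed flow records. The anomaly rule (too
many distinct SMTP destinations from one subscriber inside a sliding window)
is an assumption standing in for the SCE's own anomaly detector; the record
layout, subscriber IDs and threshold are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

SMTP_PORT = 25
WINDOW_S = 60     # sliding window, seconds
THRESHOLD = 5     # distinct SMTP destinations per window that counts as an anomaly

# Constructed flow records: (timestamp_s, subscriber_id, dst_ip, dst_port)
FLOWS = [
    (0, "sub-A", "198.51.100.10", 25), (1, "sub-A", "198.51.100.11", 25),
    (2, "sub-A", "198.51.100.12", 25), (3, "sub-A", "198.51.100.13", 25),
    (4, "sub-A", "198.51.100.14", 25), (5, "sub-A", "198.51.100.15", 25),
    (5, "sub-B", "203.0.113.5", 443), (6, "sub-B", "203.0.113.9", 25),
    # sub-C mails seven different servers, but only one per 40 s: normal use
    (0, "sub-C", "198.51.100.20", 25), (40, "sub-C", "198.51.100.21", 25),
    (80, "sub-C", "198.51.100.22", 25), (120, "sub-C", "198.51.100.23", 25),
    (160, "sub-C", "198.51.100.24", 25), (200, "sub-C", "198.51.100.25", 25),
    (240, "sub-C", "198.51.100.26", 25),
]


@dataclass
class Verdict:
    subscriber: str
    peak_smtp_dsts: int   # distinct SMTP destinations in the busiest window
    identify: bool        # tier 1: raise an alert to SP operations
    protect: str          # tier 2: policy action applied to the subscriber
    notify: bool          # tier 3: quarantine and notify the subscriber


def peak_distinct_smtp_destinations(flows, window_s=WINDOW_S):
    """Per subscriber, the largest number of distinct SMTP destinations seen
    within any window of window_s seconds. Subscribers with no SMTP flows get 0."""
    smtp = defaultdict(list)
    peak = {}
    for ts, sub, dst, port in sorted(flows):
        peak.setdefault(sub, 0)
        if port == SMTP_PORT:
            smtp[sub].append((ts, dst))
    for sub, events in smtp.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1       # slide the window forward
            seen = {dst for _, dst in events[start:end + 1]}
            peak[sub] = max(peak[sub], len(seen))
    return peak


def apply_tiers(peak, threshold=THRESHOLD):
    """Turn the measurement into the three-tier verdict per subscriber."""
    verdicts = {}
    for sub, n in peak.items():
        anomalous = n >= threshold
        verdicts[sub] = Verdict(
            subscriber=sub,
            peak_smtp_dsts=n,
            identify=anomalous,
            protect="block outbound TCP/25" if anomalous else "none",
            notify=anomalous,
        )
    return verdicts


def run(flows=FLOWS):
    return apply_tiers(peak_distinct_smtp_destinations(flows))


if __name__ == "__main__":
    for v in run().values():
        print(v)
```

Rate rather than total count is what separates sub-A from sub-C: the same number of distinct mail servers over four minutes is ordinary client behaviour.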
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity for Security Add-on Services
Saving on Network Bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1, SCE, Carrier Ethernet/MPLS/IP, VAS Server, Internet; inbound traffic, outbound traffic; X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine

Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after subscriber-aggregator (B-RAS/CMTS/Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice-versa
Diagram: Analysis Engine; PDR (Police/Drop/Rewrite) actions

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using Optical Splitters/Port-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
Diagram: optical splitters between Subscribers and Network

High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each Active Link

Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: fail open
Diagram: Active Link, Standby Link

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 between two Optical Bypass modules; default bypass state (no power) vs. non-default bypass state

MGSCP Cluster Insertion – N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability – Provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow & subscriber state
Diagram: Internet, N+1 SCEs, Flows / Return Flows

Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1, 1+1 HA and Bypass HA insertion options; GGSN, BRAS/LAC/LNS; Accounting/Policy Control; DSL/Fiber and Mobile access; Internet

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Diagram (packet inspection): Payload / TCP / IP over L2TP or MPLS; Payload / TCP / IP over PPP

Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
Diagram: Subscriber Manager; AAA (DHCP, Radius, Billing); Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal; Service Control Engine between Subscribers and Network

Management and Integrations

| | Network Management | Policy/Service Configuration | Subscriber Management | Data Collection |
|---|---|---|---|---|
| Description | FCAPS | Definition of Policies and Dissemination to SE Devices | Dynamic Management of Subscriber Contexts | Collection of Usage Data for Reporting and Billing |
| Protocols and Tools | SNMP, CLI, SSH | SCA-API, GUI, Scripts, XML | SM API, RADIUS | NetFlow v9, RDR-Protocol |
| External Software Modules | NA | Service Control Application Suite GUI | Subscriber Manager | Collection Manager |

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, Link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI Configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass

Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: Click on Top Subscriber to Activate Subscriber Real-Time Report

Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy Control Systems

Subscriber Manager – Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses

Subscriber Manager: Radius Integration - Push
Diagram: B-RAS on the NETWORK side; Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller); SCE facing SUBSCRIBERS
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE

Subscriber Manager: Radius Integration - Pull
Diagram: B-RAS on the NETWORK side; Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller); SCE facing SUBSCRIBERS
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) SM answers with Set Subscriber (Joe, 1.2.3.4, 12)

Radius Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login (to SM): Subscriber ID, Domain, Mappings, Lease time, Policy
Logout (to SM): Subscriber ID, Mappings

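Both the push and pull exchanges above, plus the login/logout translation the LEGs perform, as an added Python model (not Cisco's Subscriber Manager or its SM API); the packet dicts, the FakeSce stand-in, the class names and the demo values are constructed for this example.

```python
"""Added example, not Cisco's Subscriber Manager or its SM API: a model of the
RADIUS-driven login/logout flow from the push and pull slides and the LEG
summary above. A RADIUS accounting packet is represented as a dict of
attribute names (SCE-VAS-PID is the vendor-specific attribute added by the
relay, as on the slide); SubscriberManager and FakeSce are this example's own
names, not product components."""
from dataclasses import dataclass


@dataclass
class Subscriber:
    subscriber_id: str   # Subscriber-ID (User-Name)
    ip: str              # Network-ID (Framed-IP-Address)
    policy_id: int       # Policy-ID (package), from SCE-VAS-PID


class FakeSce:
    """Stand-in SCE: holds IP -> subscriber mappings and, in pull mode, asks
    the SM when traffic arrives from an IP it does not know."""

    def __init__(self):
        self.mappings = {}
        self.sm = None
        self.queries = 0   # "Who is using IP ...?" round-trips to the SM

    def set_subscriber(self, sub):        # SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
        self.mappings[sub.ip] = sub

    def remove_subscriber(self, ip):      # logout: drop the mapping
        self.mappings.pop(ip, None)

    def policy_for_traffic(self, src_ip):
        """Policy-ID to apply to a flow from src_ip; None = unknown subscriber."""
        sub = self.mappings.get(src_ip)
        if sub is None and self.sm is not None:
            self.queries += 1
            sub = self.sm.who_is_using(src_ip)
            if sub is not None:
                self.set_subscriber(sub)  # learn the mapping for later flows
        return sub.policy_id if sub is not None else None


class SubscriberManager:
    REQUIRED = ("User-Name", "Framed-IP-Address")

    def __init__(self, mode="push"):
        assert mode in ("push", "pull")
        self.mode = mode
        self.sdb = {}        # internal SDB: ip -> Subscriber
        self.sces = []

    def attach(self, sce):
        self.sces.append(sce)
        sce.sm = self

    def who_is_using(self, ip):
        return self.sdb.get(ip)

    def on_radius_accounting(self, pkt):
        """Login/logout derived from a relayed RADIUS Accounting-Request.
        Returns True if the packet changed the SDB, False if it was ignored."""
        if any(attr not in pkt for attr in self.REQUIRED):
            return False
        ip = pkt["Framed-IP-Address"]
        status = pkt.get("Acct-Status-Type")
        if status == "Start":
            if "SCE-VAS-PID" not in pkt:
                return False      # no package -> nothing to provision
            sub = Subscriber(pkt["User-Name"], ip, int(pkt["SCE-VAS-PID"]))
            self.sdb[ip] = sub
            if self.mode == "push":
                for sce in self.sces:
                    sce.set_subscriber(sub)
            return True
        if status == "Stop":
            if self.sdb.pop(ip, None) is None:
                return False
            # Logout is propagated in both modes: an SCE that learned the
            # mapping via pull would otherwise keep applying Joe's policy to
            # whoever gets 1.2.3.4 next.
            for sce in self.sces:
                sce.remove_subscriber(ip)
            return True
        return False


def demo():
    """Pull mode: login, first flow triggers a query, logout, IP reuse."""
    sm, sce = SubscriberManager("pull"), FakeSce()
    sm.attach(sce)
    start = {"Acct-Status-Type": "Start", "User-Name": "Joe",
             "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"}
    sm.on_radius_accounting(start)
    first = sce.policy_for_traffic("1.2.3.4")          # queries SM -> 12
    sm.on_radius_accounting({"Acct-Status-Type": "Stop", "User-Name": "Joe",
                             "Framed-IP-Address": "1.2.3.4"})
    sm.on_radius_accounting({**start, "User-Name": "Ann", "SCE-VAS-PID": "7"})
    reused = sce.policy_for_traffic("1.2.3.4")         # Ann's policy, not Joe's
    return first, reused, sce.queries


if __name__ == "__main__":
    print(demo())
```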
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning issues
NetFlow v9 – allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE <-API-> Subscriber Manager <-API-> Policy Server

PCEF - Subscriber Policy Enforcement
Diagram: GGSN; Access Aggregation and Service Control (PCEF SCE); Converged Packet Core; Internet; Subscriber Service Control; Video/VoIP Applications and Services
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF/Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records sent to external NetFlow Collector
RDRs are sent to "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, Home grown customer systems
Diagram: RDR = Header | Field 0 | Field 1 | ... | Field n; RDR Stream of RDRs sent over TCP to a Mediation/Collection Platform

Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Diagram: SCMS Collection Manager with SCMS Reporter; NetFlow Collector with NetFlow Reporter

Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application is classified, the SCE ToS Marking capability provides the ability to mark traffic:
– Per Package
– Per Service
– Per Direction (aka Upstream / Downstream)
Diagram: Subscriber Side / Network Side; Upstream Flows / Downstream Flows; Browsing, P2P, VoIP

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

Summary
Cisco SCE Sample Customers (logo slide: Mobile, DSL, Cable)

Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom

Flash Caching/Video
Content Infringement
Management/Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

Deep Packet Inspection (DPI): Critical To Managing Today's Mobile Networks
DPI allows Mobile service providers to cope with the dynamic nature of the net
Permits SPs to classify all IP applications
Provides subscriber awareness to manage traffic streams based on individual subscriber state and policy
DPI provides usage analysis and reporting
DPI enables Mobile SPs to implement capacity management and fair-use policies
To gain visibility into network activities
To optimize network bandwidth and improve network performance
To guarantee a consistent QoE over RAN and backhaul
DPI enables Mobile SPs to create new per-subscriber service offerings and other differentiated services (such as parental control, advanced per-application charging and quota)
DPI empowers Mobile SPs to implement advanced targeted advertising schemes

Application Architecture of the Future: SCE enables User Experience
Diagram: Service Provider Network with a Service Control Point; access types Fixed Wireless, DSL, Cellular, WiFi Mesh, WiMAX, Enterprise, Cable; services Gaming, Messaging, Broadband Access, Voice, IPTV/VoD, Music

What Is the Service Control Engine
Application Awareness, Subscriber Intelligence, Real-Time Control, Service Velocity
Technology
Rapidly Programmable: Rapidly re-tasked to support new protocols or applications
Stateful Deep Packet Inspection: Instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
Application Session-Level Bandwidth Shaping, Blocking, Redirecting (HTTP, RTSP, SIP)
Subscriber State Management with Per-Subscriber BW Management and Quotas
Extensible Platform & Open Architecture: Based upon a flexible purpose-built platform
Modular and scalable HW acceleration; easy-to-use with open APIs for seamless OSS Integration
Carrier Class: Designed for carrier-grade deployments requiring High Performance for Multi-Gigabit and 10 Gigabit Speeds, High Availability & Reliability with stateful failover

Process of Service Control
Intelligent Inspection and Control of IP Packets
Classify to end-user application; determine application semantics
Map to subscriber identity, policy and state
Select action based on conditions - time of day, congestion, usage, other concurrent activities
Take action and report: Block, Redirect, Set QoS, Mark, Report

Service Control Engine: Functional Examples
Diagram axes: Cost Management / Revenue Generation; categories around Service Control Technology: Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement, Content Charging
Traffic Anomaly Detection and DDoS Protection
Anti-X (Spam/Worms)
Safe Harbor and Quarantine Services
Traffic Mix Optimization
Fair Use Policy Enforcement
QoS assurance
Traffic Analysis and Reporting
Quality of Experience Monitoring
Usage Demographics
Service Self Selection
Volume and Time Based Tiering of Services
Bandwidth on Demand (Turbo Button)
Over-The-Top Application Partnership Services
Multimedia (Voice/Video) Traffic Prioritization
Volume and Time Based Billing Services
Parental Control & Content Filtering

Service Control Platforms

| Category | SCE1000 | SCE2000 | SCE8000 |
|---|---|---|---|
| Interfaces | 2-GBE (Fiber SX/LX) | 4-GBE (Fiber SX/LX) | 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX) |
| Mgmt Interface | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth |
| Max Concurrent Unidirectional Application Flows | 2M | 2M | 16M (can grow up to 32M) |
| Max Subscriber-Contexts | 200,000 | 200,000 | 1M |
| Network Configuration | Out of Line, Inline | Out of Line, Inline, Clustering | Out of Line, Inline, Clustering |

SCE Product Family and Milestones
Capacity (Concurrent Subscribers): 200K (SCE 1000 / SCE 2000) to 1M (SCE 8000)
Performance: 5Gbps to 40Gbps
SCE 8000: 2x10G, 4x10G & 8xGBE, 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end '09); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics

Cisco SCE In Mobile
Diagram: DPI with Content Filtering, Content Charging, Traffic Optimization, Usage Analysis and 3GPP Compliance
Industry leading Deep Packet Inspection
Rich set of IP services
3GPP Compliant

The SCE Mobile Solution
Diagram: GGSN/SGSN, SCE, Core, Internet; AAA (Radius), Policy Server, Portal/Applications, Billing & Charging

The SCE Mobile Solution – 3GPP Compliance
Diagram: GGSN/SGSN, SCE (PCEF), Core, Internet; AAA (Radius), Policy Server (PCRF), Portal/Applications (AF), Billing & Charging (OCF/SRP); Gy/Gx interfaces

What does an SCE solution look like? SCE sits at the access or aggregation layer
Diagram: Subscriber Manager; AAA (DHCP, Radius, Billing); Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal; Service Control Engine between Subscribers and Network
1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for Reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Service Control Engine Deployment Approaches
Diagram axis: Usage Analysis to Service Creation; Portal, DHCP, AAA, Subs Profile, Policy
1. Traffic Analysis & Business Intelligence: Implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): Manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: Implement tiered services using volume and time-based quotas; implement Service Self Selection; implement Over-The-Top (OTT) Application Strategy and Blended Services; implement Security Services (Anti-X, Quarantine, etc.); innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services

What does a Service Provider Want From SCE? Profitability
- URL Blacklisting: restricting sites that are blacklisted by governments
- Precision Advertising: demographic information & per-subscriber redirection to an ad server
- Copyright Infringement Blocking: blocking distribution of pirated film/music
- OTT Revenue Share Proposition: application intercept for Internet content prioritisation
- Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
- Usage/Content Based Billing: global migration from flat rate to usage based
- Fair Use Policy: all HSDPA mobile operators
[Chart labels: Flat Rate, Restricted]

Traffic Analysis and Business Intelligence

Business Intelligence Cycle
[Diagram: cycle of Measure, Analyze, Compare, Decide, Act; Cisco Service Control appears twice in the cycle. Items around the cycle: Transactions Information, Network Utilization, Service QoE, Data Aggregation, Data Mining, Correlation, Trend Analysis, Geographies Comparison, Histogram View, Service Offering, Intersecting Set, Marketing Review, Engineering Review, IT Review, Network Tuning, Cooperation; further labels: Strategic, Part of Business Ops, Customer, Sales, Category, Recognition]

Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application

Web Reports
- Insights into web traffic: top domains, top hosts
- Insights into all popular Google hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits. ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
[Chart: Only ClickStream]

Cumulative & Average Usage Distribution
- Top 1% => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5G daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube Movies (HD vs Normal), Yahoo SIP, Skype 4.0.0.206, Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM

Behavioral Signatures
- Finding new signatures becomes a difficult task
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (new trend of 'anti-shaping')
- It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures, one signature per application family instead of one per application (Behavioral P2P)
- Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
- Time to market – zero-day response: Behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
- Service level
[Chart axes: Policy Implementation vs Impact]

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Diagram: bandwidth shares over time for peer-to-peer service, web browsing, email and mobile TV; when the user launches video, the peer-to-peer service share shrinks in favour of the video]

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Example: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE – Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
– Apply equitable distribution of network resources
– Improve the Quality of Experience that the network delivers
– Minimize service abuse
FairUsage works only during congestion times.
[Charts: No fairness – some subscribers not getting a fair share of the BW; fair allocation of BW with the SCE's FairShare]

RAN Optimization And Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN - GGSN/SGSN - SCE - Internet, with Policy Server; GPRS]

Tiered Services

Requirement: Flexible Billing Plans
- Bill by bandwidth usage over an always-on service: Volume, Time
- Bill differently for each type of application and content: Time, Volume, Transaction, Content Type
- Bill differently for the same content based on quality, priority, time of day and usage pattern: Volume, Transaction, Content Type, Usage Pattern, Quality of Service
[Diagram labels: Subscription, Time]

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
- Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
- Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Diagram: Subscribers - Service Control Engine - Network; Quota Manager, Billing/Mediation, Policy Server]

Quota Measurement Flexibility
- Content that has revenue other than access revenue can be exempted from quota counting: SP's content delivery store, SP's gaming services, SP's VoIP service, partnership content delivery services
- P2P technology can also be supported in the upload direction via DPI
- The quota measurement rate can change with the time of day: peak hour, 1 byte of transfer = 1 byte of quota; middle of the night, 10 bytes of transfer = 1 byte of quota

Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to Online Charging Server
[Diagram: Subscriber - SCE (access aggregation and service control) - GGSN - Converged Packet Core - Internet, Video/VoIP, Applications and Services; steps 1, 2, 3]
Note: the Gy interface is still under development and will be available in a future release.

Gy Interface For Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
[Diagram: SCE - Gy over Diameter - Online Charging Server; Internet]
Note: the Gy interface is still under development and will be available in a future release.

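The grant-and-report loop behind a Gy/DCCA volume quota, as an added simulation (not Cisco's implementation, and without Diameter AVP encoding): the SCE side requests a grant, reports used units, and stops forwarding once the OCS marks a grant as the final unit. Subscriber name, balance and grant size are constructed.

```python
"""Gy-style online charging exchange, simulated end to end (added example)."""
from dataclasses import dataclass

# CC-Request-Type values from RFC 4006
CC_INITIAL, CC_UPDATE, CC_TERMINATE = 1, 2, 3


@dataclass
class CCR:
    """Credit-Control-Request, SCE -> OCS (simplified)."""
    session_id: str
    request_type: int
    request_number: int
    used_octets: int        # Used-Service-Unit since the previous grant
    requested_octets: int   # Requested-Service-Unit


@dataclass
class CCA:
    """Credit-Control-Answer, OCS -> SCE (simplified)."""
    granted_octets: int     # Granted-Service-Unit
    final_unit: bool        # Final-Unit-Indication: no further grant will follow


class OnlineChargingServer:
    """Prepaid volume balance per subscriber, handed out in grants (constructed)."""

    def __init__(self, balances, max_grant=1_000_000):
        self.balances = dict(balances)      # subscriber -> remaining octets
        self.max_grant = max_grant
        self.sessions = {}                  # session_id -> subscriber

    def handle(self, ccr, subscriber=None):
        if ccr.request_type == CC_INITIAL:
            self.sessions[ccr.session_id] = subscriber
        sub = self.sessions[ccr.session_id]
        # Debit only what the SCE reports as consumed; grants are not reservations here.
        self.balances[sub] -= ccr.used_octets
        if ccr.request_type == CC_TERMINATE:
            del self.sessions[ccr.session_id]
            return CCA(0, True)
        granted = max(0, min(self.max_grant, ccr.requested_octets, self.balances[sub]))
        # A grant that empties the account is flagged as the final unit.
        return CCA(granted, final_unit=granted >= self.balances[sub])


class SceGySession:
    """SCE side of one subscriber session: forwards only against unused granted units."""

    def __init__(self, ocs, subscriber, session_id, grant_request=1_000_000):
        self.ocs, self.session_id = ocs, session_id
        self.grant_request, self.seq = grant_request, 0
        self.remaining, self.final, self.blocked = 0, False, False
        self.used_since_report = 0
        self._exchange(CC_INITIAL, subscriber)

    def _exchange(self, request_type, subscriber=None):
        ccr = CCR(self.session_id, request_type, self.seq,
                  self.used_since_report, self.grant_request)
        self.seq += 1
        cca = self.ocs.handle(ccr, subscriber)
        self.used_since_report = 0
        self.remaining, self.final = cca.granted_octets, cca.final_unit

    def forward(self, nbytes):
        """True if the packet is forwarded, False if dropped because quota is exhausted."""
        if self.blocked:
            return False
        if nbytes > self.remaining and not self.final:
            self._exchange(CC_UPDATE)       # report usage, ask for a fresh grant
        if nbytes > self.remaining:         # still nothing to spend: close the session
            self.blocked = True
            self._exchange(CC_TERMINATE)    # final usage report to the OCS
            return False
        self.remaining -= nbytes
        self.used_since_report += nbytes
        return True


def simulate(balance_octets, packet_sizes, grant=1_000_000):
    """Run one session; returns (per-packet forward decisions, remaining OCS balance)."""
    ocs = OnlineChargingServer({"joe": balance_octets}, grant)   # constructed subscriber
    session = SceGySession(ocs, "joe", "gy-sess-1", grant)
    decisions = [session.forward(size) for size in packet_sizes]
    return decisions, ocs.balances["joe"]


if __name__ == "__main__":
    print(simulate(2_500_000, [600_000] * 5))   # -> ([True, True, True, True, False], 100000)
```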
Quota Based Tiering: Telenet Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, the Internet service is reduced to dial-up speed
- The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month
- 15% of the customers upgrade their quota every month

[Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]

Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband.

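The quota measurement rules above (exempt SP services, time-of-day weighting) together with the Telenet-style behaviour at 100% of quota (reduced speed plus a redirect page with three options), as an added example that is not Cisco's or Telenet's implementation. Service labels, the night-hours window and the traffic records are constructed.

```python
"""Monthly volume-quota accounting with time-of-day weighting and exemptions (added example)."""
from dataclasses import dataclass

# Constructed service labels; the slide only names the categories.
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}
NIGHT_HOURS = range(0, 6)   # assumption: "middle of the night" window

REDIRECT_OPTIONS = ("Extend subscription - buy more",
                    "Pay as you go on broadband",
                    "Continue for free on narrowband")


def transfer_per_quota_byte(hour):
    """How many transferred bytes consume one byte of quota at this hour of day."""
    return 10 if hour in NIGHT_HOURS else 1      # night 10:1, otherwise 1:1


@dataclass
class FlowRecord:
    """One usage record as the SCE would report it (constructed)."""
    subscriber: str
    service: str
    octets: int
    hour: int        # local hour of day when the flow was accounted


@dataclass
class QuotaAccount:
    subscriber: str
    monthly_quota: int          # bytes of quota
    used: int = 0

    def charge(self, record):
        """Debit the record against quota; returns the quota bytes consumed."""
        if record.service in EXEMPT_SERVICES:
            return 0                              # non-access revenue: not counted
        rate = transfer_per_quota_byte(record.hour)
        consumed = -(-record.octets // rate)      # ceiling division
        self.used += consumed
        return consumed

    @property
    def exhausted(self):
        return self.used >= self.monthly_quota

    def policy(self):
        """Package the SCE should enforce for this subscriber right now."""
        if not self.exhausted:
            return {"speed": "full", "redirect": None}
        return {"speed": "dial-up", "redirect": REDIRECT_OPTIONS}

    def extend(self, extra_bytes):
        """Option 1 from the redirect page: buy more volume for this month."""
        self.monthly_quota += extra_bytes


def run_month(records, quota):
    """Account a month of records; returns the account and the per-record charges."""
    account = QuotaAccount(records[0].subscriber, quota)
    charges = [account.charge(r) for r in records]
    return account, charges


def sample_records():
    """Constructed traffic for one subscriber (octets chosen to be easy to check)."""
    return [
        FlowRecord("sub-42", "web", 300_000_000, hour=20),      # peak: counted 1:1
        FlowRecord("sub-42", "sp_voip", 50_000_000, hour=21),   # exempt
        FlowRecord("sub-42", "p2p", 1_000_000_000, hour=2),     # night: counted 10:1
        FlowRecord("sub-42", "video", 700_000_000, hour=19),    # takes the account to 110%
    ]


if __name__ == "__main__":
    acct, charged = run_month(sample_records(), quota=1_000_000_000)
    print(charged, acct.used, acct.policy())
```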
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction

T-Mobile – Quota-Based With Application Control
Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     | (not shown)
VoIP             | ✓         | ×   | ×       | ×        | ×       | ✓        | ×
IM               | ✓         | ×   | ×       | ×        | ✓       | ✓        | ×
P2P              | ✓         | ×   | ✓       | ×        | ✓       | ✓        | ×
FTP              | ✓         | ×   | ✓       | ×        | ✓       | ✓        | ×
Media Stream     | ✓         | ×   | ✓       | ×        | ✓       | ✓        | ×
Web Browsing     | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Downloads        | ✓         | ×   | ✓       | ✓        | ✓       | ✓        | ✓
Emails           | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Handset as modem | ✓         | ×   | ✓       | ×        | ✓       | ✓        | ×

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile: Volume Quota
http://www.vodafone.es/particulares/internet
[Chart label: > 40]

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
- Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
- "Push": enhanced experience is application-driven (IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
[Diagram labels: Application Awareness, Control Bus]

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that distributed content does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service Via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
[Screenshot: Personalization via Self Selection]

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
[Screenshot: Turbo Button]

Personalized Services: Self Provisioned
- Quota Management
- Turbo (Bandwidth on Demand)
- Application Prioritization
- Reporting/Monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white-lists/blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Screenshot: "Content Blocked - Click here to unlock all Internet sites"; Internet]

URL Filtering With External DB
- Enhance SCE URL classification with external-party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
[Diagram: on-device URL filtering with external database integration. When a URL is not in the cache, the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated]
Action per subscriber package and HTTP list ID:
Subscriber Package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none         | ALLOW        | ALLOW            | ALLOW
Block-all          | ALLOW        | BLOCK            | BLOCK
Block-and-slow     | ALLOW        | BLOCK            | RATE 64kbps

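The cache-in-front-of-external-database lookup and the package x list-ID action table above, as an added example that is not Cisco's implementation: a miss costs one query to the external database (the URL Query RDR on the slide), a hit is served locally, and the returned list ID is combined with the subscriber's package. Cache size, TTL and the host-to-list assignments are constructed.

```python
"""URL classification with an on-box cache in front of an external URL database (added example)."""
import time
from collections import OrderedDict
from urllib.parse import urlsplit

# Action table exactly as on the slide: package -> {list ID: action}
ACTIONS = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database (constructed host -> list ID table)."""

    def __init__(self, table):
        self.table = table
        self.queries = 0          # round trips the cache did not absorb

    def classify(self, host):
        self.queries += 1
        return self.table.get(host, "DEFAULT")


class UrlClassifier:
    """LRU cache with expiry in front of the external database."""

    def __init__(self, db, capacity=10_000, ttl_seconds=3600):
        self.db, self.capacity, self.ttl = db, capacity, ttl_seconds
        self.cache = OrderedDict()     # host -> (list_id, cached_at)

    @staticmethod
    def cache_key(url):
        # Keyed on the normalised host (lower-cased, trailing dot removed). A real
        # deployment may key on the full URL, which is more precise but makes the
        # cache far less effective; the slide does not say which it uses.
        host = urlsplit(url).hostname or ""
        return host.lower().rstrip(".")

    def list_id(self, url, now=None):
        now = time.time() if now is None else now
        key = self.cache_key(url)
        hit = self.cache.get(key)
        if hit is not None and now - hit[1] < self.ttl:
            self.cache.move_to_end(key)        # mark as recently used
            return hit[0]
        list_id = self.db.classify(key)        # miss or stale entry: URL Query RDR
        self.cache[key] = (list_id, now)
        self.cache.move_to_end(key)
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)     # evict the least recently used host
        return list_id

    def decide(self, package, url, now=None):
        """Action for one HTTP request: ALLOW, BLOCK or RATE 64kbps."""
        return ACTIONS[package][self.list_id(url, now)]


def demo():
    """Constructed list assignments; returns the decisions and the DB query count."""
    db = ExternalUrlDb({"adult.example": 1, "games.example": 2})
    clf = UrlClassifier(db, ttl_seconds=3600)
    decisions = [
        clf.decide("Block-and-slow", "http://games.example/lobby", now=0),
        clf.decide("Block-and-slow", "http://GAMES.example./play", now=10),   # cache hit
        clf.decide("Block-all", "http://adult.example/", now=20),
        clf.decide("Block-none", "http://adult.example/", now=30),            # cache hit
        clf.decide("Block-all", "http://news.example/", now=40),              # DEFAULT list
        clf.decide("Block-all", "http://games.example/", now=5000),           # TTL expired
    ]
    return decisions, db.queries


if __name__ == "__main__":
    print(demo())
```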
Parental Control and Content Filtering: Example
[Screenshot: Content Filtering – "Page Blocked: Forbidden Content Detected"]
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
[Diagram: ISP (demographics, browsing habits, geo-location) feeding BetterAds, with Advertiser, Publisher and Consumer]
Leveraging their intimacy with their customer base to enable enhanced targeting.

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participating in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)

P2P Identification: Infringing / Non-Infringing
[Diagram: Subscriber - SCE - Network, with HASH DB]
1. Subscriber initiates a P2P file request
2./3. SCE extracts the file hash and consults the DB; the DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience – OTT content is delivered from within the network, as close as possible to the user
[Diagram: SCE redirects OTT traffic to the OTT Video Cache, which delivers the requested files; other OTT/P2P and VoIP pass through; increase in demand for OTT]

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify them of the security risk
[Diagram: Email Servers, Internet, Service Control. Sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]

Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - Carrier Ethernet/MPLS/IP - SCE - Internet, with VAS Server; inbound and outbound traffic; X = traffic blocked; steps 1-4]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user machine

Network Insertion and Configuration

Network Insertion Point
- Typical insertion point: broadband edge/aggregation
  - Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP/tunneling environment
[Diagram: Network]

Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: Analysis Engine; PDR = Police/Drop/Rewrite actions]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
- Receive-only configuration: using optical splitters/port span; traffic monitoring only
- Inline configuration: engine installed in the data path; monitor and control traffic
[Diagram: Subscribers - optical splitter - SCE - optical splitter - Network]

High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active-standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each active link]

Redundant Configurations: Active/Standby Schemes
1+0:
- Active/Standby: SCE on the active link
- On failure, the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1:
- Active/Standby: SCE on each link
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open
[Diagram labels: Active Link, Standby Link]

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
[Diagram: SCE8000 with optical bypass; default bypass state (no power) versus non-default bypass state; port labels 00, 10, 20, 30]

MGSCP Cluster Insertion – N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
- High availability – provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
[Diagram: Internet; N+1 SCEs; Flows / Return Flows]

Network Architectures: SCE's Open & Extensible Architecture
[Diagram: N+1, 1+1 HA and Bypass HA deployments; GGSN, BRAS/LAC/LNS; Accounting/Policy Control; DSL/Fiber, Mobile; Internet]

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
[Diagram: packet inspection through the encapsulation stacks l2tp/mpls | IP | TCP | Payload and ppp | IP | TCP | Payload]

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs.
[Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager (with AAA, DHCP, Radius/Billing); Collection Manager (with Reporting Tool/Engage Console); Policy Server/Portal (with Service Portal)]

Management and Integrations
Area                         | Description                                             | Protocols and Tools        | External Software Modules
Network Management           | FCAPS                                                   | SNMP, CLI, SSH             | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices  | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts               | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing      | NetFlow v9, RDR-Protocol   | Collection Manager

Network Management (FCAPS)
- SNMP (v2)
  - MIB-II
  - Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  - Traps: MIB-II traps, RDR-link up/down, link status up/down
- CLI
  - Telnet/SSH
  - Cisco look and feel
  - CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
- Integrated console to manage service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber-Quotas: set/add/read usage quota buckets
- Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager – Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages sent directly to the relevant SCE device
  - Pull: SCE device queries the SM for the mapping of IP addresses

Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
Subscriber Manager/RADIUS Integration - Pull
Diagram: the same components as in push mode.
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration/LEG Translation in Brief
- RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
- DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
- The LEGs translate these attributes into SM events:
  - Login: Subscriber ID, Domain, Mappings, Lease time, Policy
  - Logout: Subscriber ID, Mappings

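The push/pull exchanges and the LEG translation above, as an added example that is not Cisco's SM or LEG code: a RADIUS LEG and a DHCP LEG turn Accounting Start/Stop and DHCPACK/DHCPRELEASE messages into login and logout events, a small subscriber manager keeps the subscriber context (subscriber-ID, network-ID mappings, policy-ID, lease expiry), records what push mode would send to the SCE, and answers pull queries. The details a defender cares about in this mapping are handled explicitly: an address re-issued to another subscriber evicts the old mapping, an expired DHCP lease is no longer attributed to anyone, and a login without a policy attribute keeps the policy the SM already holds. The attribute names User-Name, Framed-IP-Address and SCE-VAS-PID come from the slides; the Acct-Status-Type values and DHCP option 53 message types are the standard ones; DEFAULT_POLICY_ID, the sample addresses and the class and function names are constructed for the example.

```python
"""Subscriber-context mapping as a subscriber manager keeps it.
Added example, not Cisco's SM or LEG code: a RADIUS LEG and a DHCP LEG turn
accounting and lease messages into login/logout events, the SM keeps the
context (subscriber-ID, network-ID mappings, policy-ID, lease expiry), pushes
mappings to the SCE and answers pull queries."""
from dataclasses import dataclass, field
from typing import Optional, Union
import ipaddress

DEFAULT_POLICY_ID = 1   # constructed: package applied when no policy attribute arrives


@dataclass
class LoginEvent:
    subscriber_id: str
    mappings: set
    policy_id: Optional[int]    # None = keep the policy the SM already holds
    lease_time: Optional[int]   # seconds; None = no lease (RADIUS sessions)


@dataclass
class LogoutEvent:
    subscriber_id: str
    mappings: set


Event = Union[LoginEvent, LogoutEvent]


def _valid_ip(text: str) -> str:
    return str(ipaddress.ip_address(text))   # ValueError on anything that is not an address


def leg_translate_radius(attrs: dict) -> Optional[Event]:
    """RADIUS LEG: Accounting Start -> login, Accounting Stop -> logout.
    SCE-VAS-PID is the vendor attribute carrying the policy (package) id on the slide."""
    user, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
    if not user or not ip:
        return None                       # no identity or no address: nothing to map
    ip = _valid_ip(ip)
    status = attrs.get("Acct-Status-Type")
    if status == "Start":
        pid = attrs.get("SCE-VAS-PID")
        return LoginEvent(user, {ip}, int(pid) if pid is not None else None, None)
    if status == "Stop":
        return LogoutEvent(user, {ip})
    return None                           # Interim-Update etc.: no mapping change


def leg_translate_dhcp(msg: dict) -> Optional[Event]:
    """DHCP LEG: DHCPACK (option 53 = 5) -> login keyed on chaddr with the option 51
    lease time, DHCPRELEASE (option 53 = 7) -> logout."""
    mac, ip = msg.get("chaddr"), msg.get("yiaddr") or msg.get("ciaddr")
    if not mac or not ip:
        return None
    ip = _valid_ip(ip)
    if msg.get("message-type") == 5:
        return LoginEvent(mac, {ip}, None, msg.get("lease-time"))
    if msg.get("message-type") == 7:
        return LogoutEvent(mac, {ip})
    return None


@dataclass
class SubscriberContext:
    subscriber_id: str
    policy_id: int
    mappings: set = field(default_factory=set)
    expires_at: Optional[float] = None


class SubscriberManager:
    def __init__(self):
        self.contexts = {}   # subscriber-id -> SubscriberContext
        self.ip_index = {}   # network-id -> subscriber-id
        self.pushed = []     # what push mode would send to the SCE

    def _unmap(self, ip):
        owner = self.ip_index.pop(ip, None)
        if owner is not None:
            self.contexts[owner].mappings.discard(ip)
            self.pushed.append(("remove_mapping", owner, ip))

    def apply(self, event: Event, now: float) -> None:
        if isinstance(event, LogoutEvent):
            for ip in event.mappings:
                if self.ip_index.get(ip) == event.subscriber_id:
                    self._unmap(ip)
            return
        ctx = self.contexts.setdefault(
            event.subscriber_id, SubscriberContext(event.subscriber_id, DEFAULT_POLICY_ID))
        if event.policy_id is not None:
            ctx.policy_id = event.policy_id         # else the persisted policy survives the login
        for ip in event.mappings:
            self._unmap(ip)                         # address re-issued: evict the previous owner
            ctx.mappings.add(ip)
            self.ip_index[ip] = ctx.subscriber_id
            self.pushed.append(("set_subscriber", ctx.subscriber_id, ip, ctx.policy_id))
        ctx.expires_at = now + event.lease_time if event.lease_time else None

    def lookup(self, ip: str, now: float):
        """Pull mode: the SCE asks 'who is using this IP?'."""
        sid = self.ip_index.get(ip)
        if sid is None:
            return None
        ctx = self.contexts[sid]
        if ctx.expires_at is not None and now >= ctx.expires_at:
            self._unmap(ip)                         # expired lease: never attribute to a stale subscriber
            return None
        return (sid, ctx.policy_id)
```

Feeding the Accounting Start from the slide (Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12) through `leg_translate_radius` and `SubscriberManager.apply` produces the same `set_subscriber` message the push diagram shows, and `lookup("1.2.3.4", now)` is the pull-mode answer. The eviction and expiry rules are what keep usage and enforcement from being attributed to the wrong subscriber after an address changes hands.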
Policy Server Integration: API Overview
- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API – allows direct subscriber management with the SCE (provided in Java)
  - SM API – allows dynamic subscriber management (provided in C and Java)
  - SCE MIB – allows integration for maintenance operations
  - RDRs – allow integration for billing/quota provisioning
  - NetFlow v9 – allows integration for billing/quota provisioning

Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID, working with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE <-API-> Subscriber Manager <-API-> Policy Server

PCEF - Subscriber Policy Enforcement
Diagram: subscriber service control; GGSN; access aggregation and service control; converged packet core; Internet; video/VoIP applications and services; the SCE as PCEF, with numbered steps.
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release

Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to a "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Diagram: SCE --RDR protocol over TCP--> mediation/collection platform. The RDR stream is a sequence of RDRs; each RDR consists of a header followed by fields 0 to n.

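What a receiving mediation or collection platform has to do with such a stream, as an added example that is not Cisco's RDR protocol implementation. The RDR wire format itself is not described on the slide, so the framing below (a magic marker, a record tag and a body length in the header, then typed fields 0..n) is constructed to have the same shape; MAGIC, MAX_RECORD, the field type tags and the record tags 10 and 11 in the usage note are all assumptions. What the example shows is independent of the exact format: records arrive with arbitrary TCP segment boundaries, so partial records must be buffered, and a declared length must be bounds-checked before it is trusted, otherwise a single corrupt or hostile header desynchronises the whole stream.

```python
"""Decoding a stream of binary usage records arriving over TCP.
Added example, not Cisco's RDR protocol implementation: the framing below is
constructed (the real RDR wire format is not given on the slide) to show
buffering across TCP segment boundaries and bounds-checking of declared
lengths, which any binary record collector needs."""
import struct

MAGIC = 0x5244                   # constructed header marker
MAX_RECORD = 64 * 1024           # constructed upper bound on a declared body length
HEADER = struct.Struct("!HHI")   # magic, record tag, body length (network byte order)


# constructed field type tags: 1 = uint32, 2 = uint64, 3 = UTF-8 string
def encode_record(tag: int, fields: list) -> bytes:
    body = b""
    for value in fields:
        if isinstance(value, str):
            data = value.encode("utf-8")
            body += struct.pack("!BH", 3, len(data)) + data
        elif 0 <= value < 2**32:
            body += struct.pack("!BI", 1, value)
        else:
            body += struct.pack("!BQ", 2, value)
    return HEADER.pack(MAGIC, tag, len(body)) + body


def _take(body: bytes, pos: int, fmt: str):
    """Unpack one fixed-size value at pos, refusing to read past the record."""
    size = struct.calcsize(fmt)
    if pos + size > len(body):
        raise ValueError("field runs past end of record")
    return struct.unpack_from(fmt, body, pos)[0], pos + size


def decode_fields(body: bytes) -> list:
    fields, pos = [], 0
    while pos < len(body):
        ftype = body[pos]
        pos += 1
        if ftype == 1:
            value, pos = _take(body, pos, "!I")
        elif ftype == 2:
            value, pos = _take(body, pos, "!Q")
        elif ftype == 3:
            n, pos = _take(body, pos, "!H")
            if pos + n > len(body):
                raise ValueError("string field runs past end of record")
            value = body[pos:pos + n].decode("utf-8")
            pos += n
        else:
            raise ValueError(f"unknown field type {ftype}")
        fields.append(value)
    return fields


class RdrStreamDecoder:
    """Feed it whatever recv() returns; complete records come back as (tag, fields)."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        records = []
        while len(self.buf) >= HEADER.size:
            magic, tag, length = HEADER.unpack_from(self.buf, 0)
            if magic != MAGIC or length > MAX_RECORD:
                raise ValueError("stream desynchronised or malformed header")
            if len(self.buf) < HEADER.size + length:
                break                               # partial record: wait for more data
            body = bytes(self.buf[HEADER.size:HEADER.size + length])
            del self.buf[:HEADER.size + length]
            records.append((tag, decode_fields(body)))
        return records
```

Usage: `encode_record(10, ["joe", 12, 5_000_000_000])` followed by `encode_record(11, ["ann", 3])` gives a 47-byte stream; feeding it to `RdrStreamDecoder.feed` in pieces cut at byte 5 and byte 30 returns nothing, then the first record, then the second. The failover and multiple-destination features on the slide sit above this layer: each destination runs its own decoder instance, since buffered partial records are per-connection state.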
Collection Manager: NetFlow v9 Export
- NetFlow export v9 extended to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE -> SCMS Collection Manager -> SCMS Reporter; SCE -> NetFlow Collector -> NetFlow Reporter

Collection Manager: Software Overview
- CM software:
  - Unix (Solaris, Linux) Java software
  - The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  - Template-driven reporting tool (100+ report templates)
- CM bundle:
  - Cisco provides the collection software pre-packaged with a database (Sybase)
  - Template-driven reporting tool (100+ report templates)

ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selected DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  – Per package
  – Per service
  – Per direction (upstream or downstream)
Diagram: subscriber side and network side, with upstream and downstream flows for browsing, P2P and VoIP.

ToS Classification
- The SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism

Summary
Cisco SCE Sample Customers
Diagram: customer logos grouped by access type (Mobile, DSL, Cable).

Partner and customer examples by solution area (slide graphic)
- Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
- Partners shown: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; Phorm, Feeva, Adzilla, Local China, Local Italy
- Customers shown: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Partner and customer examples by solution area, continued (slide graphic)
- Solution areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
- Partners shown: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
- Customers shown: various European and Asian operators; European legislators, content providers, initial POCs; Telecom Italia, CYTA; Orange, T-Mobile, Telenet

Application Architecture of the Future: SCE Enables the User Experience
Diagram: a service control point in the service provider network between the access networks (fixed wireless, DSL, cellular, WiFi mesh, WiMAX, enterprise, cable) and the applications (gaming, messaging, broadband access, voice, IPTV/VoD, music).

What Is the Service Control Engine?
Application awareness, subscriber intelligence, real-time control, service velocity.
Technology:
- Rapidly programmable: rapidly re-tasked to support new protocols or applications
- Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
- Application session-level bandwidth shaping, blocking and redirecting (HTTP, RTSP, SIP)
- Subscriber state management with per-subscriber bandwidth management and quotas
- Extensible platform and open architecture: based upon a flexible, purpose-built platform; modular and scalable hardware acceleration; easy to use, with open APIs for seamless OSS integration
- Carrier class: designed for carrier-grade deployments requiring high performance at multi-gigabit and 10 Gigabit speeds, and high availability and reliability with stateful failover

Process of Service Control
1. Intelligent inspection and control of IP packets: classify to the end-user application and determine application semantics
2. Map to subscriber identity, policy and state
3. Select an action based on conditions: time of day, congestion, usage, other concurrent activities
4. Take action and report: block, redirect, set QoS, mark, report

Service Control Engine: Functional Examples
Diagram: service control technology capabilities arranged on an axis from cost management to revenue generation, under the headings Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement and Content Charging.
- Traffic anomaly detection and DDoS protection
- Anti-X (spam, worms)
- Safe harbor and quarantine services
- Traffic mix optimization
- Fair use policy enforcement
- QoS assurance
- Traffic analysis and reporting
- Quality of experience monitoring
- Usage demographics
- Service self selection
- Volume and time based tiering of services
- Bandwidth on demand (turbo button)
- Over-the-top application partnership services
- Multimedia (voice/video) traffic prioritization
- Volume and time based billing services
- Parental control and content filtering

Service Control Platforms
Category | SCE1000 | SCE2000 | SCE8000
Interfaces | 2-GBE (fiber SX/LX) | 4-GBE (fiber SX/LX) | 2-10G, 4-10G, 8-GBE, 16-GBE (fiber SX/LX/ZX)
Mgmt interface | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows | 2M | 2M | 16M (can grow up to 32M)
Max subscriber contexts | 200,000 | 200,000 | 1M
Network configuration | Out of line, inline | Out of line, inline, clustering | Out of line, inline, clustering

SCE Product Family and Milestones
Diagram: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps for the SCE 1000, SCE 2000 and SCE 8000.
SCE 8000:
- 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces
- Classification of up to 32 million concurrent unidirectional application flows
- Total throughput of 15 Gbps (30+ Gbps by end of 2009)
- Up to 1M concurrent subscribers
- Complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics

Cisco SCE in Mobile
- Industry-leading deep packet inspection (DPI)
- Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
- 3GPP compliant

The SCE Mobile Solution
Diagram: SGSN/GGSN -> SCE -> core -> Internet, with the SCE connected to AAA (RADIUS), a policy server, portal/applications, and billing and charging.

The SCE Mobile Solution – 3GPP Compliance
Diagram: the same topology with the 3GPP roles marked: the SCE as PCEF, the policy server as PCRF (Gx), billing and charging as OCF/SRP (Gy), and the portal/applications as AF.

What Does an SCE Solution Look Like? The SCE sits at the access or aggregation layer
Diagram: the Service Control Engine between the subscribers and the network; the Subscriber Manager linked to AAA, DHCP and RADIUS; the Collection Manager linked to billing, the reporting tool and the Engage console; a policy server and a service portal.
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external databases
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Service Control Engine Deployment Approaches
Diagram: three stages on an axis from usage analysis to service creation, supported by portal, DHCP, AAA, subscriber profile and policy systems.
1. Traffic analysis and business intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity control and fair-use policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue generating services: implement tiered services using volume and time-based quotas; implement service self selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services

What Does a Service Provider Want From SCE? Profitability
- URL blacklisting: restricting sites that are blacklisted by governments
- Precision advertising: demographic information and per-subscriber redirection to an ad server
- Copyright infringement blocking: blocking distribution of pirated film/music
- OTT revenue share proposition: application intercept for Internet content prioritisation
- Enhanced tiered services: product tiers in addition to flat-rate all-you-can-eat
- Usage/content based billing: global migration from flat rate to usage based
- Fair use policy: all HSDPA mobile operators
Diagram: flat-rate versus restricted offerings.

Traffic Analysis and Business Intelligence
Business Intelligence Cycle
Diagram: a cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control at the measure and act ends. Items shown: transaction information, network utilization, service QoE; data aggregation, data mining, correlation, trend analysis; geographies comparison, histogram view, service offering; marketing review, intersecting set, engineering review, IT review; network tuning, cooperation; strategic, part of business ops, customer, sales, category recognition.

Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application

Web Reports
- Insights into web traffic: top domains, top hosts
- Insights into all popular Google hosts

Web Reports: ClickStream
- The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
- ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
Diagram: all HTTP requests versus only ClickStream.

Cumulative and Average Usage Distribution
- Top 1% => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support: Protocol Pack Updates
- Cisco's SCE keeps customers on top of the game
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies - HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM

Behavioral Signatures
- Finding new signatures becomes a difficult task:
  - Signatures are more complex (encryption)
  - Protocol signatures are evolving all the time (new application versions)
  - Many geography-specific applications
  - In some cases almost impossible (the new trend of 'anti-shaping')
- It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one signature per application (Behavioral P2P)
- Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
- Time to market – zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions and service levels:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
Diagram: policy implementation impact.

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Diagram: a subscriber's bandwidth shared over time between a peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video.

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Diagram: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE – Intelligent Traffic Management
- FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
- Enabling SPs to:
  – Apply equitable distribution of network resources
  – Improve the quality of experience that the network delivers
  – Minimize service abuse
- FairUsage works only during congestion times
Diagram: no fairness (some of the subscribers not getting a fair share of the bandwidth) versus fair allocation of bandwidth with the SCE's FairShare.

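The allocation rule the two fair-usage slides argue for, as an added example that is not the SCE's FairShare implementation: outside congestion everyone gets what they ask for; during congestion each subscriber is limited to a share of the bottleneck, spare capacity from light users is redistributed to the heavier ones (max-min fairness, computed by water-filling), and a subscriber whose recent usage already exceeds a short-term window gets a reduced weight, so that "dividing equally at this instant" does not hand the heavy user the same share as Sub A. The function and parameter names, the window size and the 0.5 penalty weight are constructed policy parameters, not values from the deck; the example also generalises to per-package weights, which the slides do not show.

```python
"""Max-min fair bandwidth allocation during congestion.
Added example, not the SCE's FairShare implementation.  The weighting of
heavy users by a short-term usage window and the penalty value are
constructed policy parameters."""


def weighted_max_min(capacity, demands, weights):
    """Water-filling: visit subscribers in increasing order of demand/weight;
    each takes min(demand, its weighted share of what is still unallocated).
    Capacity left over by subscribers who asked for less than their share is
    re-divided among those visited later."""
    order = sorted(demands, key=lambda s: demands[s] / weights[s])
    remaining = float(capacity)
    wsum = float(sum(weights[s] for s in demands))
    alloc = {}
    for s in order:
        fair = remaining * weights[s] / wsum
        alloc[s] = min(float(demands[s]), fair)
        remaining -= alloc[s]
        wsum -= weights[s]
    return alloc


def fair_share_allocation(capacity, demands, recent_usage=None, window_cap=None, penalty=0.5):
    """Allocate `capacity` (any consistent unit, e.g. kbit/s) among subscribers.

    demands      - subscriber -> bandwidth currently requested
    recent_usage - subscriber -> bytes moved in the short-term window (optional)
    window_cap   - usage above which a subscriber counts as heavy (optional)
    penalty      - weight given to heavy subscribers (1.0 would switch the rule off)
    Outside congestion (total demand fits) the demands are returned unchanged,
    which is the 'works only during congestion times' property on the slide.
    """
    if sum(demands.values()) <= capacity:
        return {s: float(d) for s, d in demands.items()}
    weights = {s: 1.0 for s in demands}
    if recent_usage and window_cap is not None:
        for s, used in recent_usage.items():
            if s in weights and used > window_cap:
                weights[s] = penalty
    return weighted_max_min(capacity, demands, weights)
```

With a 100-unit bottleneck and demands A=10, B=50, C=80, equal weights give A=10, B=45, C=45: A's unused 23.3 is split between B and C rather than wasted. If A had moved a gigabyte in the window while B had not, A's weight drops to 0.5 and the same two-way contention A=60, B=60 resolves to A=40, B=60.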
RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN -> SGSN/GGSN -> SCE -> Internet (GPRS), with the SCE connected to a policy server.

Tiered Services
Requirement: Flexible Billing Plans
Diagram: subscription models building up from time and volume to content type and quality of service.
- Bill by bandwidth usage over an always-on service: time, volume
- Bill differently for each type of application and content: time, volume, transaction, content type
- Bill differently for the same content based on quality, priority, time of day and usage pattern: time, volume, transaction, content type, usage pattern, quality of service

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
- Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
- Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session could either be terminated or the user could purchase more usage

Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: subscribers - Service Control Engine - network, with a quota manager, billing/mediation and a policy server.

Quota Measurement Flexibility
- Content that has revenues other than access revenues can be exempted from quota counting:
  - SP's content delivery store
  - P2P technology can also be supported in the upload direction via DPI
  - SP's gaming services
  - SP's VoIP service
  - Partnership content delivery services
- The quota measurement rate can change during the time of day:
  - Peak hour: 1 byte of transfer = 1 byte of quota
  - Middle of the night: 10 bytes of transfer = 1 byte of quota

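Quota accounting with the two flexibilities just listed, plus the threshold action the tiering slides describe (at 100% the subscriber is redirected to a portal offering to extend, pay as you go, or continue on narrowband), as an added example that is not the SCE quota manager. The 1:1 peak and 10:1 night-time rates are the figures on the slide; the hours that count as "night", the exempt service names, the 80% warning level, the action strings and the function names are constructed for the example. Charging uses ceiling division so that a partial 10-byte unit is never charged as zero, which is the kind of rounding detail that turns into free traffic if it is done the other way.

```python
"""Quota bucket accounting with exempt services, time-of-day weighting and a
threshold action.  Added example, not the SCE quota manager: the 1:1 and 10:1
rates are from the slide, everything else here is constructed."""
from dataclasses import dataclass

# Services whose revenue is not access revenue and are not counted (constructed names)
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def bytes_per_quota_byte(hour: int) -> int:
    """Transfer bytes per byte of quota: 10:1 from 00:00 to 06:00 (assumed to be
    'middle of the night'), 1:1 otherwise (peak)."""
    if not 0 <= hour < 24:
        raise ValueError("hour must be 0-23")
    return 10 if hour < 6 else 1


@dataclass
class QuotaBucket:
    limit: int      # quota bytes for the period
    used: int = 0

    def remaining(self) -> int:
        return max(self.limit - self.used, 0)

    def fraction_used(self) -> float:
        return self.used / self.limit


def charge(bucket: QuotaBucket, service: str, transferred: int, hour: int) -> int:
    """Debit the bucket for `transferred` bytes of `service` at `hour`.
    Returns the quota bytes actually charged (0 for exempt services)."""
    if transferred < 0:
        raise ValueError("negative transfer")
    if service in EXEMPT_SERVICES:
        return 0
    rate = bytes_per_quota_byte(hour)
    charged = -(-transferred // rate)        # ceiling division: a partial unit still counts
    bucket.used += charged
    return charged


def enforcement_action(bucket: QuotaBucket, warn_at: float = 0.8) -> str:
    """At 100% the subscriber is redirected to the portal (extend, pay as you go,
    or continue on narrowband); above the warning level a notification is due."""
    f = bucket.fraction_used()
    if f >= 1.0:
        return "redirect-to-portal"
    if f >= warn_at:
        return "notify"
    return "allow"


def extend_quota(bucket: QuotaBucket, extra: int) -> None:
    """The portal's 'extend subscription - buy more' option."""
    if extra <= 0:
        raise ValueError("extension must be positive")
    bucket.limit += extra
```

With a 1000-byte bucket: 500 bytes of web at noon costs 500, 500 bytes of the SP's VoIP costs nothing, 3000 bytes at 02:00 costs 300, which puts the bucket at 80% and triggers the notification; another 1995 night-time bytes are rounded up to 200 and the bucket is full, so the next action is the portal redirect until `extend_quota` raises the limit.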
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to an online charging server
Diagram: subscriber service control, SCE, access aggregation and service control, GGSN, converged packet core, Internet, video/VoIP applications and services, with numbered steps.
- The Gy interface is still under development and will be available in a future release

Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with online charging servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between online charging servers
Diagram: SCE - Gy over Diameter - online charging server; SCE - Internet.
- The Gy interface is still under development and will be available in a future release

Quota Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month

Subscriber portal (screenshot): view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; a button to go from pay-as-you-go broadband to free smallband or the other way around.

Redirect Page
- Redirect page shown when 100% of the quota is reached
- Three options presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband

Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction

T-Mobile – Quota-Based With Application Control
Plan | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB |
VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗

European Mobile BB: Web 3G and Skype for Mobile
- "Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
- httpwwwvodafoneesparticularesinternet
- > 40

Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
- Industry's first subscriber- and/or application-driven solution
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": the enhanced experience is application-driven (IPTV/VoD, broadband access, gaming, messaging, music, voice), through application awareness and a control bus

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
- Personalization via self selection

Bandwidth on Demand: Meeting Subscriber Needs on Demand
- Turbo button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
- Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access

Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white lists and blacklists
- Limits access to pre-defined websites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
Diagram: a "Content blocked - click here to unlock all Internet sites" page between the subscriber and the Internet.

URL Filtering With External DB
- Enhance SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external database
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
Diagram (on-device URL filtering with external database integration): when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache lookup is then updated.
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps

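The cache-in-front-of-external-database lookup and the package decision table above, as an added example that is not the SCE's implementation or its Websense/Adaptive Mobile integration. The three packages, the two list IDs and the action matrix are taken from the slide; ExternalUrlDb is a constructed stand-in for the third-party database (it only counts how many queries reach it), and the host names, cache capacity and function names are assumptions. The cache is keyed on the canonical host so that case and port variations of the same site neither defeat the block nor cost a second external query, and a URL with no host falls through to the package's default rule rather than bypassing the decision.

```python
"""URL classification with an on-device cache in front of an external
category database, followed by a per-package decision.
Added example, not the SCE's implementation: packages, list IDs and the
decision matrix are from the slide; the sample hosts, cache size and the
ExternalUrlDb stand-in are constructed."""
from collections import OrderedDict
from urllib.parse import urlsplit

DEFAULT = "DEFAULT"
LIST_1 = "HTTP-List ID 1"
LIST_2 = "HTTP-List ID 2"

# Subscriber package -> (classification -> action), as on the slide
POLICY = {
    "Block-none":     {DEFAULT: "ALLOW", LIST_1: "ALLOW", LIST_2: "ALLOW"},
    "Block-all":      {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "BLOCK"},
    "Block-and-slow": {DEFAULT: "ALLOW", LIST_1: "BLOCK", LIST_2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the third-party database reached over the API; counts the queries it receives."""

    def __init__(self, host_lists):
        self.host_lists = host_lists      # host -> list id (constructed sample data)
        self.queries = 0

    def classify(self, host):
        self.queries += 1
        return self.host_lists.get(host, DEFAULT)


def canonical_host(url):
    """The cache key: lower-cased host without port or trailing dot; None if the URL has no host."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


class CachedUrlClassifier:
    def __init__(self, db, capacity=10000):
        self.db, self.capacity = db, capacity
        self.cache = OrderedDict()        # LRU: host -> classification

    def classify(self, url):
        host = canonical_host(url)
        if host is None:
            return DEFAULT                # nothing to look up: the package's default rule applies
        if host in self.cache:
            self.cache.move_to_end(host)
            return self.cache[host]
        cls = self.db.classify(host)      # cache miss: this is the URL query RDR to the external DB
        self.cache[host] = cls
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)
        return cls


def decide(package, classification):
    """Look the (package, classification) pair up in the slide's matrix."""
    try:
        return POLICY[package][classification]
    except KeyError:
        raise ValueError(f"unknown package or classification: {package!r}, {classification!r}")
```

Usage: with `slow.example` on list 2, `decide("Block-and-slow", clf.classify("http://slow.example/video"))` returns `RATE 64kbps`; a second request for `HTTP://SLOW.EXAMPLE:8080/other` gives the same answer without another external query, because both canonicalise to the same host. When the cache is full the least recently used host is evicted and the next request for it goes back to the database, which is where the transaction rate the slide mentions is saved or spent.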
Parental Control and Content Filtering: Example
- Content filtering: "Page blocked: forbidden content detected"
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Diagram: the ISP sits between advertiser, publisher and consumer, contributing demographics, browsing habits and geo-location to BetterAds.
- Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- The next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms

copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
Slide 73 - BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi

Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors the relevant traffic to profiling servers
3. Profiling servers process the traffic, extract the relevant attributes and compose subscriber profiles, for example:
   - Alice: automotive, stock trading, PDAs
   - Bob: cookware, online gaming, baby outfits...

Note that replacing the subscriber field in the RDR only hides the identity from the profiling server as long as the click-stream itself (visited URLs and timing) cannot be re-linked to a person; the profiles produced are still per subscriber.
Slide 74 - P2P Identification: Infringing vs. Non-Infringing
[Figure: subscriber network -> SCE -> hash DB]
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts on the classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file

- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

A hash lookup can only classify content whose hash is already in the DB; a re-encoded or otherwise modified copy has a different hash and is passed as unknown.
Slide 75 - Traffic Diversion to OTT Video Service
- SCE analyzes OTT traffic and redirects it to the caching server
- Cache delivers more bandwidth to end users using existing network resources
- Cache relieves network peering load while improving QoE
- Best user experience: OTT content is delivered from within the network, as close as possible to the user

Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction

[Figure: SCE in the path; OTT flows are redirected to the OTT video cache, which delivers the requested files; other OTT/P2P and VoIP traffic continues unchanged; demand for OTT is increasing.]
Slide 76 - Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking)

Effect on the SP's business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer-support costs

Ability to identify and mitigate attacks emanating from its own users
Slide 77 - Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts

Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk

[Figure: Service Control between the subscribers and the Internet/email servers; sample notification:]
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

A notice of this form is indistinguishable from a phishing mail to the recipient; in practice the notification should direct the subscriber to a portal address they already know (for example the quarantine page itself) rather than rely on a "click here" link.
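The identify / protect / notify loop above, as an added example (not the SCE's own detection engine) run over constructed per-flow records. The record layout, the two anomaly rules, their thresholds and the action names are assumptions chosen for illustration:

```python
"""Added example, not the SCE's detection engine: a minimal identify /
protect / notify loop in the spirit of the three-tier solution on the slide,
run over constructed per-flow records. Record layout, thresholds and action
names are assumptions chosen for illustration."""
from collections import defaultdict

# Constructed flow records: (subscriber, dst_ip, dst_port, packets, time_s)
FLOWS = [
    ("sub-A", "203.0.113.5", 25, 12, 0.0),
    ("sub-A", "203.0.113.6", 25, 11, 0.5),
    ("sub-A", "198.51.100.7", 25, 14, 1.0),
    ("sub-A", "198.51.100.8", 25, 9, 1.5),
    ("sub-A", "203.0.113.9", 25, 10, 2.0),
    ("sub-B", "203.0.113.5", 25, 40, 0.0),     # one mail server: normal client
    ("sub-B", "198.51.100.20", 443, 300, 1.0),
] + [("sub-C", "192.0.2.%d" % i, 445, 1, i * 0.01) for i in range(1, 61)]

# Anomaly rules: name, destination port, max distinct destinations, window (s).
# A real deployment tunes these per package; spam zombies fan out to many
# SMTP servers, worms sweep one port across many hosts.
RULES = [
    ("spam", 25, 3, 60.0),
    ("worm", 445, 50, 10.0),
]

# Protect tier: mitigation per threat, from configured policy
ACTIONS = {"spam": "block-dst-port-25", "worm": "block-dst-port-445"}

def identify(flows, rules=RULES):
    """Identify tier: {subscriber: [threat names]} for every subscriber whose
    distinct-destination count on a rule's port exceeds the rule's limit
    inside its sliding window."""
    threats = defaultdict(list)
    for name, port, max_dsts, window in rules:
        per_sub = defaultdict(list)
        for sub, dst, dport, _packets, t in flows:
            if dport == port:
                per_sub[sub].append((t, dst))
        for sub, events in per_sub.items():
            events.sort()
            for i, (t0, _) in enumerate(events):
                dsts = {d for t, d in events[i:] if t - t0 <= window}
                if len(dsts) > max_dsts:
                    threats[sub].append(name)
                    break
    return dict(threats)

def protect(threats):
    """Protect tier: mitigation actions to push to the SCE per subscriber."""
    return {sub: sorted({ACTIONS[n] for n in names}) for sub, names in threats.items()}

def notify(threats):
    """Notify tier: quarantine the subscriber and build the notice. The
    portal address is a placeholder; it should be one the subscriber already
    knows, since a 'click here' link in email is also what phishing looks like."""
    notices = {}
    for sub, names in threats.items():
        kinds = ", ".join(sorted(set(names)))
        notices[sub] = ("quarantine",
                        "Subscriber %s: your device shows signs of %s activity; "
                        "please visit the support portal." % (sub, kinds))
    return notices

def run(flows=FLOWS):
    threats = identify(flows)
    return threats, protect(threats), notify(threats)
```

sub-B talks to one mail server and a web site and is left alone; sub-A fans out to five SMTP servers in two seconds and sub-C sweeps port 445 across a /24, and each gets a port-specific block rather than a blanket cut-off, so the subscriber keeps web access to read the notice.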
Slide 78 - Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call-center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Slide 79 - Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server hanging off the SCE; "X" marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine
Slide 80 - Network Insertion and Configuration
Slide 81 - Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations

Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment
[Figure: network diagram showing the insertion point]
Slide 82 - Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header-rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Figure: analysis engine applying PDR (police, drop, rewrite) actions on flows in both directions]
Slide 83 - Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters or port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
[Figure: subscribers - optical splitter - SCE - optical splitter - network]
Slide 84 - High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active/standby failover
- Slave forwards all traffic to the master for processing
- Master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
[Figure: master and slave SCEs, each on an active link, cascaded]
Slide 85 - Redundant Configurations: Active/Standby Schemes
1+0:
- Active/standby: SCE on the active link only
- On failure, the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1:
- Active/standby: SCE on each link
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass configuration: fail open
[Figure: active link and standby link in each scheme]

Fail-open means that while an SCE is down its traffic passes with no policy, filtering or security mitigation applied; that is the availability-over-control trade-off these schemes make, and it belongs in the threat model.
Slide 86 - Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE software or hardware
  - Manually via CLI
  - On boot
[Figure: SCE8000 with optical bypass modules on its links; the default bypass state (no power) passes traffic around the SCE, the non-default state passes it through the SCE]
Slide 87 - MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of tens to hundreds of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by one SCE
  - The SCE performs DPI and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, maintaining flow and subscriber state
[Figure: Internet - 7600 - N+1 SCEs; flows out, return flows back]
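The dispatch rule from the technical concept above (all of a subscriber's flows, in both directions, to one SCE, with the spare taking over a failed device's share), as an added example that is not Cisco's MGSCP code. A 7600 does this in its load-balancing hardware; the hash function, bucket count, subscriber address range and failover policy here are assumptions:

```python
"""Added example (not Cisco's MGSCP code): subscriber-affine dispatch of flows
across N active SCEs plus one standby, as described for the 7600-based cluster.
A real 7600 does this with its load-balancing hardware; the hash function,
bucket count and failover policy here are assumptions for illustration."""
import hashlib
from ipaddress import ip_address, ip_network

# Constructed subscriber-side address space; the network side is everything else
SUBSCRIBER_NETS = [ip_network("10.0.0.0/8")]

class Dispatcher:
    def __init__(self, active, standby, buckets=256):
        self.active = list(active)          # N working SCEs, e.g. ["sce1", "sce2", "sce3"]
        self.standby = standby              # the +1 device, idle until a failure
        self.buckets = buckets
        # bucket -> SCE. Fixed per bucket, so every flow of a subscriber (and
        # both directions of each flow) is served by the same SCE.
        self.table = [self.active[b % len(self.active)] for b in range(buckets)]

    @staticmethod
    def subscriber_key(src_ip, dst_ip, subscriber_nets=SUBSCRIBER_NETS):
        """Key on the subscriber-side address only: hashing the full 5-tuple
        would scatter one subscriber's flows over several SCEs and lose
        per-subscriber state (quotas, fair-usage history)."""
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        for net in subscriber_nets:
            if src in net:
                return str(src)           # upstream packet
            if dst in net:
                return str(dst)           # downstream packet
        raise ValueError("flow has no subscriber-side address")

    def bucket(self, key):
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.buckets

    def dispatch(self, src_ip, dst_ip):
        """Return the SCE that must process this packet."""
        return self.table[self.bucket(self.subscriber_key(src_ip, dst_ip))]

    def fail(self, sce):
        """N+1 failover: the standby inherits exactly the failed SCE's buckets.
        Subscribers on the surviving SCEs are untouched, so only the failed
        device's flow/subscriber state is lost."""
        if sce not in self.active or self.standby is None:
            raise ValueError("no standby available for %s" % sce)
        self.table = [self.standby if s == sce else s for s in self.table]
        self.active[self.active.index(sce)] = self.standby
        self.standby = None
```

Keying on the subscriber address is what keeps upstream and downstream halves of a flow, and all of one subscriber's flows, on the same device; a plain 5-tuple hash would satisfy the load balancer but break the per-subscriber state the slide says the cluster maintains.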
Slide 88 - Network Architectures: SCE's Open and Extensible Architecture
[Figure: DSL/fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN, with SCEs inserted as an N+1 cluster, 1+1 HA or bypass HA between the aggregation devices and the Internet; accounting/policy control systems attached]
Slide 89 - Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation and tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
[Figure: packet inspection reaches the inner IP/TCP/payload through l2tp, mpls and ppp headers]
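What "supports tunneled IP traffic" has to mean in practice is that classification runs on the inner header; an engine that stops at the outer header sees a tunnel, not the subscriber's application. The following added example (not SCE code) strips the encapsulations listed above, plus GRE, to reach the inner IPv4 header. The frames are constructed by hand without checksums so every offset is visible:

```python
"""Added example, not SCE code: find the inner IPv4 header beneath the
encapsulations listed on the slide (802.1Q, MPLS, L2TP/PPP, IP-in-IP) plus
GRE, which the slide marks as planned. A DPI engine that stops at the outer
header classifies the tunnel, not the subscriber's traffic. Frames are
constructed by hand with no checksums, so every offset is visible."""
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800

def parse_ipv4(b):
    """(proto, src, dst, payload) for the IPv4 header at the start of b."""
    ihl = (b[0] & 0x0F) * 4
    src = ".".join(str(x) for x in b[12:16])
    dst = ".".join(str(x) for x in b[16:20])
    return b[9], src, dst, b[ihl:]

def strip_l2(frame):
    """Remove Ethernet, any number of 802.1Q tags and an MPLS label stack."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype == ETH_VLAN:                    # QinQ: tags may be stacked
        ethertype = struct.unpack("!H", frame[off + 2:off + 4])[0]
        off += 4
    if ethertype == ETH_MPLS:
        while not frame[off + 2] & 0x01:            # pop until bottom-of-stack bit
            off += 4
        off += 4
        ethertype = ETH_IPV4 if frame[off] >> 4 == 4 else None  # MPLS carries no ethertype
    if ethertype != ETH_IPV4:
        raise ValueError("no IPv4 packet after L2 headers")
    return frame[off:]

def strip_l2tp_ppp(udp_payload):
    """L2TPv2 data message (RFC 2661) then PPP; returns the inner IPv4 packet."""
    flags = struct.unpack("!H", udp_payload[:2])[0]
    if flags & 0x8000:                              # T bit: control message
        raise ValueError("L2TP control message")
    off = 2 + (2 if flags & 0x4000 else 0) + 4      # optional length, tunnel+session IDs
    if flags & 0x0800:                              # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:                              # O bit: offset size + padding
        off += 2 + struct.unpack("!H", udp_payload[off:off + 2])[0]
    ppp = udp_payload[off:]
    if ppp[:2] == b"\xff\x03":                      # optional HDLC address/control
        ppp = ppp[2:]
    if struct.unpack("!H", ppp[:2])[0] != 0x0021:   # PPP protocol: IPv4
        raise ValueError("PPP payload is not IPv4")
    return ppp[2:]

def inner_ipv4(frame):
    """Walk tunnels until a non-tunnel transport protocol is reached."""
    pkt = strip_l2(frame)
    for _ in range(4):                              # bound the nesting depth
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == 4:                              # IP-in-IP
            pkt = payload
        elif proto == 47:                           # GRE, RFC 2784 form only
            gre_flags, gre_type = struct.unpack("!HH", payload[:4])
            if gre_flags & 0xB000 or gre_type != ETH_IPV4:
                raise ValueError("unsupported GRE header")
            pkt = payload[4:]
        elif proto == 17 and struct.unpack("!H", payload[2:4])[0] == 1701:  # L2TP/UDP
            pkt = strip_l2tp_ppp(payload[8:])
        else:
            return proto, src, dst
    raise ValueError("tunnel nesting too deep")

# --- constructed frames for the five encapsulations ---
def ipv4(proto, src, dst, payload):
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d) + payload

def eth(ethertype, payload):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ethertype) + payload

TCP_STUB = struct.pack("!HH", 40000, 80) + bytes(16)
INNER = {n: ipv4(6, "10.0.0.%d" % n, "203.0.113.%d" % n, TCP_STUB) for n in range(1, 6)}
L2TP = struct.pack("!HHH", 0x0002, 7, 9) + b"\xff\x03\x00\x21" + INNER[3]
FRAMES = {
    "vlan": eth(ETH_VLAN, struct.pack("!HH", 0x0064, ETH_IPV4) + INNER[1]),
    "mpls": eth(ETH_MPLS, bytes([0x00, 0x01, 0x00, 0x40, 0x00, 0x02, 0x01, 0x40]) + INNER[2]),
    "l2tp": eth(ETH_IPV4, ipv4(17, "192.0.2.1", "192.0.2.2",
                               struct.pack("!HHHH", 1701, 1701, 8 + len(L2TP), 0) + L2TP)),
    "ipip": eth(ETH_IPV4, ipv4(4, "192.0.2.3", "192.0.2.4", INNER[4])),
    "gre": eth(ETH_IPV4, ipv4(47, "192.0.2.5", "192.0.2.6", struct.pack("!HH", 0, ETH_IPV4) + INNER[5])),
}
```

The MPLS case shows why a label stack needs the bottom-of-stack bit rather than a fixed offset, and the depth bound in inner_ipv4 is deliberate: an engine that follows tunnels without limit can be kept busy by a subscriber nesting encapsulations.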
Slide 90 - Management and Integration
Slide 91 - What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
Modular solution includes SCE devices, management tools and integration APIs.
[Figure: Service Control Engine between subscribers and the network; around it the Subscriber Manager (with AAA, DHCP, RADIUS/billing), the Collection Manager (with the reporting tool and Engage console), and the policy server/portal (service portal)]
Slide 92 - Management and Integrations

Area                         | Description                                            | Protocols and Tools        | External Software Modules
Network Management           | FCAPS                                                  | SNMP, CLI, SSH             | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing     | NetFlow v9, RDR-Protocol   | Collection Manager
Slide 93 - Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

SNMPv2c community strings and Telnet sessions travel in cleartext, so management access to the SCE should be confined to the management network, with SSH preferred over Telnet.
Slide 94 - Management: Network Navigator, a Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Slide 95 - Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Slide 96 - Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber
- Real-time reports
Slide 97 - Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Slide 98 - Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems
Slide 99 - Subscriber Manager: Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull modes:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100 - Subscriber Manager: RADIUS Integration, Push
[Figure: B-RAS -> RADIUS server -> Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller) -> SCE -> subscribers]
1. B-RAS sends a RADIUS Accounting-Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. The SM pushes the login to the SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
Slide 101 - Subscriber Manager: RADIUS Integration, Pull
[Figure: same components as the push case]
1. B-RAS sends a RADIUS Accounting-Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12; the SM stores the mapping in its internal SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. The SM answers over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
Slide 102 - RADIUS Integration: LEG Translation in Brief
Login Event Generators (LEGs) translate AAA events into SM logins and logouts.

RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) use these RADIUS attributes:
- User-Name
- NAS-Identifier
- Framed-IP-Address
- Vendor-Specific
DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) use these DHCP fields:
- yiaddr, chaddr, ciaddr
- Options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)

Translation into SM events:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings
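The push and pull flows of the two preceding slides, and the RADIUS-to-login translation above, as an added example that is not the Cisco SM or one of its LEGs. It parses an Accounting-Request, verifies the Request Authenticator against the shared secret (RFC 2866) before trusting it, and applies the resulting login/logout to an IP-to-subscriber table that serves both modes. The packets are constructed; the Cisco vendor sub-attribute number standing in for SCE-VAS-PID is an assumption:

```python
"""Added example, not the Cisco SM or one of its LEGs: parse a RADIUS
Accounting-Request, verify its Request Authenticator against the shared
secret (RFC 2866), and turn it into the Subscriber Manager login/logout
shown on the push and pull slides. Packets are constructed here; the Cisco
vendor sub-attribute number standing in for SCE-VAS-PID is an assumption."""
import hashlib
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_ID, ACCT_STATUS = 1, 8, 26, 32, 40
START, STOP = 1, 2
CISCO_VENDOR_ID = 9
VSA_POLICY_ID = 250       # assumption: stand-in for the slide's SCE-VAS-PID

def build_acct_request(secret, ident, attrs):
    """Accounting-Request with the RFC 2866 authenticator: MD5 over the packet
    with a zeroed authenticator field, followed by the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body

def vsa(vendor, subtype, value):
    return struct.pack("!I", vendor) + struct.pack("!BB", subtype, len(value) + 2) + value

def parse_acct_request(pkt, secret):
    """Attributes the LEG needs, or ValueError if the packet was not produced
    by a holder of the shared secret. Without this check a forged Start
    could bind an attacker's IP to another subscriber's identity and policy."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    if hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest() != pkt[4:20]:
        raise ValueError("bad Request Authenticator")
    rec = {"policy_id": None}
    off = 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        v = pkt[off + 2:off + l]
        if t == USER_NAME:
            rec["user"] = v.decode()
        elif t == NAS_ID:
            rec["nas"] = v.decode()
        elif t == FRAMED_IP:
            rec["ip"] = str(IPv4Address(v))
        elif t == ACCT_STATUS:
            rec["status"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            sub_t, sub_l = v[4], v[5]
            if sub_t == VSA_POLICY_ID:
                rec["policy_id"] = int(v[6:4 + sub_l].decode())
        off += l
    return rec

class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID), the SM's internal SDB."""

    def __init__(self, default_policy=1):
        self.by_ip = {}
        self.default_policy = default_policy

    def push(self, rec):
        """Push mode: each accounting record is applied as it arrives."""
        if rec["status"] == START:
            policy = rec["policy_id"] if rec["policy_id"] is not None else self.default_policy
            self.by_ip[rec["ip"]] = (rec["user"], policy)
        elif rec["status"] == STOP:
            # Logout must clear the mapping, or the next user of this IP inherits the policy
            self.by_ip.pop(rec["ip"], None)

    def pull(self, ip):
        """Pull mode: the SCE asks 'who is using IP x' on first traffic."""
        return self.by_ip.get(ip)

# Constructed packets, as the B-RAS/RADIUS server would relay them
SECRET = b"s3cret"
SAMPLE_START = build_acct_request(SECRET, 7, [
    (USER_NAME, b"Joe"), (NAS_ID, b"bras-1"),
    (FRAMED_IP, IPv4Address("1.2.3.4").packed),
    (ACCT_STATUS, struct.pack("!I", START)),
    (VENDOR_SPECIFIC, vsa(CISCO_VENDOR_ID, VSA_POLICY_ID, b"12")),
])
SAMPLE_STOP = build_acct_request(SECRET, 8, [
    (USER_NAME, b"Joe"), (FRAMED_IP, IPv4Address("1.2.3.4").packed),
    (ACCT_STATUS, struct.pack("!I", STOP)),
])
```

Two details matter operationally: the authenticator check, because a sniffing LEG that accepts any Accounting-Start it sees lets whoever can inject RADIUS on that segment choose their policy ID; and the logout path, because an address that is recycled without clearing its mapping carries the previous subscriber's package to the next one.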
Slide 103 - Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing and quota provisioning
- NetFlow v9: allows integration for billing and quota provisioning
Slide 104 - Policy Server Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID, working with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy-profile provisioning in addition to the network ID
[Figure: SCE <-API-> Subscriber Manager <-API-> Policy Server]
Slide 105 - PCEF: Subscriber Policy Enforcement
[Figure: GGSN - access aggregation and service control (SCE acting as PCEF) - converged packet core - Internet; video/VoIP applications and services; subscriber service control steps 1 to 5]
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
Slide 106 - Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages; attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Slide 107 - Collection Manager
- Analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
- Configurable data granularity: interval between RDRs, sample rates
Slide 108 - Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Figure: SCE -> RDR stream over TCP -> mediation/collection platform; each RDR is a header followed by fields 0..n]

The deck lists no transport protection for the RDR stream, which carries per-subscriber usage and click-stream data; it should run over a protected management network rather than a shared path.
Slide 109 - Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions; records are equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Figure: the SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter) in parallel]
Slide 110 - Collection Manager: Software Overview
CM software:
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111 - ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application has been classified, the SCE ToS marking capability can mark traffic:
  - Per package
  - Per service
  - Per direction (upstream / downstream)
[Figure: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP are marked separately]
Slide 112 - ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
- The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism

Because the DSCP check wins over signatures, only marks set by the operator's own equipment should be honoured; a mark arriving from the subscriber side can be set by the end host, and trusting it would let a subscriber choose its own service level.
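The per-package/service/direction marking of the previous slide and the trust question raised above, as an added example that is not SCE code. The marking table, the DSCP values, the packets and the rule "reset upstream marks before classifying" are constructed assumptions:

```python
"""Added example, not SCE code: DSCP marking per package/service/direction
as on the ToS Marking slide, and a ToS classifier that trusts marks only
where the operator's own equipment set them. Because DSCP-based
classification takes precedence over signatures, marks arriving from the
subscriber side are reset before classification. Marking table, DSCP values
and packets are constructed for illustration."""
import struct

# Constructed marking table: (package, service, direction) -> DSCP
MARKING = {
    ("gold", "voip", "downstream"): 46,        # EF
    ("gold", "browsing", "downstream"): 10,    # AF11
    ("silver", "p2p", "downstream"): 8,        # CS1, scavenger
}
DEFAULT_DSCP = 0                                # best effort
SERVICE_BY_DSCP = {46: "voip", 10: "browsing", 8: "p2p"}

def ipv4_checksum(header):
    """Standard one's-complement sum over the 16-bit words of the header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def get_dscp(pkt):
    return pkt[1] >> 2

def set_dscp(pkt, dscp):
    """Rewrite the 6 DSCP bits, keep the 2 ECN bits, refresh the checksum.
    A marking device that forgets the checksum produces packets the next
    router drops."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def mark(pkt, package, service, direction):
    """ToS marking after classification: look up the configured DSCP."""
    return set_dscp(pkt, MARKING.get((package, service, direction), DEFAULT_DSCP))

def classify_by_dscp(pkt, direction):
    """ToS classification, returning (service, packet to forward). Downstream
    marks come from the operator's network and are honoured; upstream marks
    were set by the subscriber's host, so they are normalised to best effort
    first, otherwise a subscriber could pick its own service level by
    setting EF on everything."""
    if direction == "upstream":
        pkt = set_dscp(pkt, DEFAULT_DSCP)
    return SERVICE_BY_DSCP.get(get_dscp(pkt), "default"), pkt

def make_ipv4(dscp=0, ecn=0, proto=17, payload=bytes(8)):
    """Constructed IPv4 packet with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn,
                                20 + len(payload), 0, 0, 64, proto, 0,
                                bytes([10, 0, 0, 1]), bytes([203, 0, 113, 1])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

A header whose checksum is valid sums to zero under ipv4_checksum, which is the quickest way to confirm that a marking device has not broken the packets it rewrites.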
Slide 113 - Summary
Slide 114 - Cisco SCE Sample Customers
[Figure: customer logos grouped under Mobile, DSL and Cable]
Slide 115 - Partner Ecosystem and Reference Customers (1)
Partners by area:
- Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
- Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- URL Black-listing: Websense, in-platform cache
- Advertising: Phorm, Feeva, Adzilla, local partners in China and Italy
Customers named on the slide (the mapping to the first three areas is not recoverable from the extracted text): NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W. For advertising: a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom.
Slide 116 - Partner Ecosystem and Reference Customers (2)
Partners by area:
- Flash Caching/Video: Oversi, CDS
- Content Infringement: Audible Magic, Advestigo, Altnet
- Management/Reporting: Proxy, Business Objectives, Comability, Aqsacom, InfoVista
- Data Warehousing: Business Objects, Oracle
Customers named on the slide: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Slide 19 - What Is the Service Control Engine?
Application awareness, subscriber intelligence, real-time control, service velocity.
Technology:
- Rapidly programmable: rapidly re-tasked to support new protocols or applications
- Stateful deep packet inspection: instead of processing packets as individual events, the SCE fully reconstructs flows up through Layer 7
- Application session-level bandwidth shaping, blocking and redirecting (HTTP, RTSP, SIP)
- Subscriber state management with per-subscriber bandwidth management and quotas
- Extensible platform and open architecture: based on a flexible purpose-built platform; modular and scalable hardware acceleration; easy to use, with open APIs for seamless OSS integration
- Carrier class: designed for carrier-grade deployments requiring high performance at multi-gigabit and 10 gigabit speeds, and high availability and reliability with stateful failover
Slide 20 - Process of Service Control
Intelligent inspection and control of IP packets:
1. Classify to the end-user application and determine application semantics
2. Map to subscriber identity, policy and state
3. Select an action based on conditions: time of day, congestion, usage, other concurrent activities
4. Take the action and report: block, redirect, set QoS, mark, report
Slide 21 - Service Control Engine: Functional Examples
[Figure: six functional areas arranged from cost management to revenue generation; items listed in the slide's order]
Cost management:
- Service Security: traffic anomaly detection and DDoS protection; Anti-X (spam, worms); safe harbor and quarantine services
- Traffic Optimization: traffic mix optimization; fair use policy enforcement; QoS assurance
- Usage Analysis: traffic analysis and reporting; quality of experience monitoring; usage demographics
Revenue generation:
- Tiering & Access Control: service self-selection; volume- and time-based tiering of services; bandwidth on demand ("turbo button")
- Content Charging: over-the-top application partnership services; multimedia (voice/video) traffic prioritization; volume- and time-based billing services
- Premium Service Enablement: parental control & content filtering
Slide 22 - Service Control Platforms

Category                                        | SCE1000             | SCE2000                         | SCE8000
Interfaces                                      | 2-GBE (fiber SX/LX) | 4-GBE (fiber SX/LX)             | 2-10G, 4-10G, 8-GBE, 16-GBE (fiber SX/LX/ZX)
Mgmt interface                                  | 2 x 10/100/1000 Eth | 2 x 10/100/1000 Eth             | 2 x 10/100/1000 Eth
Max concurrent unidirectional application flows | 2M                  | 2M                              | 16M (can grow up to 32M)
Max subscriber contexts                         | 200,000             | 200,000                         | 1M
Network configuration                           | Out of line, inline | Out of line, inline, clustering | Out of line, inline, clustering
Slide 23 - SCE Product Family and Milestones
[Figure: capacity (concurrent subscribers, 200K to 1M) against performance (5 Gbps to 40 Gbps) for the SCE 1000, SCE 2000 and SCE 8000]
SCE 8000:
- 2x10G, 4x10G and 8xGBE, 16xGBE Ethernet interfaces
- Classification of up to 32 million concurrent unidirectional application flows
- Total throughput of 15 Gbps (30+ Gbps by end of 2009)
- Up to 1M concurrent subscribers
- Complete modularity: FRU AC or DC power supplies, fans, cards, interfaces, optics
Slide 24 - Cisco SCE in Mobile
- Industry-leading deep packet inspection
- Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
- 3GPP compliant
Slide 25 - The SCE Mobile Solution
[Figure: SGSN/GGSN - SCE - core - Internet; the SCE integrates with AAA (RADIUS), a policy server, portal/applications, and billing & charging]
Slide 26 - The SCE Mobile Solution: 3GPP Compliance
[Figure: same topology, with the SCE as PCEF; Gx to the PCRF (policy server), Gy to the OCF/SRP (billing & charging), and an AF (portal/applications)]
Slide 27 - What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
[Figure: the same component diagram as slide 91]
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber information with AAA and control subscriber-level policies
4. Policy manager to control multiple devices and sophisticated policies
Slide 28 - Service Control Engine Deployment Approaches
From usage analysis to service creation:
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet-flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue-Generating Services: implement tiered services using volume- and time-based quotas; implement service self-selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
[Figure: portal, DHCP, AAA, subscriber profile and policy systems surrounding the SCE]
Slide 29 - What Does a Service Provider Want From the SCE? Profitability

Driver                          | What it means
URL Blacklisting                | Restricting sites that are blacklisted by governments
Precision Advertising           | Demographic information and per-subscriber redirection to an ad server
Copyright Infringement Blocking | Blocking distribution of pirated film/music
OTT Revenue Share Proposition   | Application intercept for Internet content prioritisation
Enhanced Tiered Services        | Product tiers in addition to flat-rate "all you can eat"
Usage/Content Based Billing     | All HSDPA mobile operators
Fair Use Policy                 | Global migration from flat rate to usage based
[Figure: flat-rate vs. restricted product positioning]
Slide 30 - Traffic Analysis and Business Intelligence
Slide 31 - Business Intelligence Cycle
[Figure: a cycle Measure -> Analyze -> Compare -> Decide -> Act, with Cisco Service Control feeding the Measure and Act steps. Measure: transaction information, network utilization, service QoE. Analyze: data aggregation, data mining, correlation, trend analysis. Compare: geographies comparison, histogram view, service offering, intersecting set. Decide: marketing review, engineering review, IT review, cooperation. Act: network tuning; strategic, part of business ops, customer, sales, category recognition.]
Slide 32 - Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application
Slide 33 - Web Reports
Insights into web traffic:
- Top domains
- Top hosts
- Insights into all popular Google hosts
Slide 34 - Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits. ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
[Figure: all HTTP requests vs. ClickStream only]
Slide 35 - Cumulative & Average Usage Distribution
- Top 1% of subscribers => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5 GB daily quota per subscriber would impact the top 2% only
Slide 36 - Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued roughly every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Slide 37 - Behavioral Signatures
Finding new signatures becomes a difficult task:
- Signatures are more complex (encryption)
- Protocol signatures evolve all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (the new trend of "anti-shaping")
It is both a scalability and a feasibility challenge.
Slide 38 - Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (behavioral P2P)
- Cost-effective: behavioral P2P may be enough for some use cases, such as traffic optimization, where there is no need to recognize the specific P2P application
- Time to market, zero-day response: behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Slide 39 - Peer-to-Peer Management & Network Optimization
Slide 40 - SCE's Flexible Control: Policy Implementation
Policy dimensions and implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net/peering/transit
- Service level
Slide 41 - Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: a subscriber's bandwidth split between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the peer-to-peer share is squeezed to make room for it]
Slide 42 - Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies, to ensure a balanced community of subscribers
[Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides the bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources once the preceding usage is taken into account.]
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
(Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly.)
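The allocation problem on the two slides above, worked as an added example (this is illustrative code, not Cisco's FairUsage implementation): a weighted max-min (water-filling) split that only acts during congestion, where a subscriber's weight shrinks once their longer-term usage exceeds the plan allowance. The weight curve, the 7-day window and the 0.25 floor are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Subscriber:
    name: str
    demand_mbps: float   # what the subscriber is trying to send/receive right now
    window_gb: float     # usage in the plan's longer-term window (constructed: last 7 days)


def usage_weight(window_gb: float, plan_gb: float) -> float:
    """Weight used in the fair-share split. A subscriber inside the plan's
    acceptable-usage allowance keeps weight 1.0; beyond it the weight decays
    towards a floor of 0.25, so heavy users are throttled but never starved.
    The shape of this curve is an assumption, not the SCE's algorithm."""
    if window_gb <= plan_gb:
        return 1.0
    return max(0.25, plan_gb / window_gb)


def water_fill(capacity_mbps: float, subs: list, weights: dict) -> dict:
    """Weighted max-min fairness: share the remaining capacity in proportion to
    the weights, cap anyone whose share exceeds their demand at that demand,
    and redistribute the slack to the others until nothing is left."""
    alloc = {s.name: 0.0 for s in subs}
    pending = list(subs)
    left = capacity_mbps
    while pending and left > 1e-9:
        total_w = sum(weights[s.name] for s in pending)
        satisfied = [s for s in pending
                     if left * weights[s.name] / total_w >= s.demand_mbps - alloc[s.name]]
        if not satisfied:                 # everyone is bottlenecked: final proportional split
            for s in pending:
                alloc[s.name] += left * weights[s.name] / total_w
            break
        for s in satisfied:               # give them exactly what they asked for
            grant = s.demand_mbps - alloc[s.name]
            alloc[s.name] += grant
            left -= grant
            pending.remove(s)
    return alloc


def fair_usage(capacity_mbps: float, subs: list, plan_gb: float, congested: bool) -> dict:
    """FairUsage only acts during congestion; otherwise every demand is served."""
    if not congested or sum(s.demand_mbps for s in subs) <= capacity_mbps:
        return {s.name: s.demand_mbps for s in subs}
    weights = {s.name: usage_weight(s.window_gb, plan_gb) for s in subs}
    return water_fill(capacity_mbps, subs, weights)


if __name__ == "__main__":
    # Constructed scenario: a 10 Mbps bottleneck, Sub A inside the allowance, Sub B far beyond it.
    a = Subscriber("Sub A", demand_mbps=8, window_gb=5)
    b = Subscriber("Sub B", demand_mbps=8, window_gb=40)
    print(fair_usage(10, [a, b], plan_gb=10, congested=True))
```

With equal weights the split is the 5/5 the slide calls unfair; once the longer-term window is taken into account, Sub A's full demand is served and Sub B receives the remainder.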
RAN Optimization and Backhaul Optimization
Addresses the inherent congestion at the RAN and backhaul levels that the boom in mobile data is imposing.
Higher and more consistent performance, and a much improved end-user experience.
Flexibility to generate revenue through differential billing and charging (e.g. email only).
Ability to provide SLA support or managed services for large enterprise users.
(Figure: UTRAN - SGSN/GGSN - SCE - Internet, with a Policy Server attached to the SCE.)
Tiered Services
Requirement: Flexible Billing Plans
Subscription parameters: Time, Volume. Bill by bandwidth usage over an always-on service.
Subscription parameters: Time, Volume, Transaction, Content Type. Bill differently for each type of application and content.
Subscription parameters: Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service. Bill differently for the same content based on quality, priority, time of day and usage pattern.
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session can either be terminated or the user can purchase more usage.
Quota Measurement / Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Figure: Subscribers - Service Control Engine - Network, with Quota Manager, Billing/Mediation and Policy Server attached.)
Quota Measurement Flexibility
Content that generates revenues other than access revenues can be exempted from quota counting:
- SP's Content Delivery Store
- SP's Gaming Services
- SP's VoIP Service
- Partnership Content Delivery Services
P2P technology can also be supported in the upload direction via DPI.
The quota measurement rate can change with the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of the night: 10 bytes of transfer = 1 byte of quota
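The two quota rules on this slide (exempt services, and a time-of-day conversion rate) as an added worked example; this is not the SCE's quota manager, and the service identifiers, the 08:00-24:00 peak window and the sample usage records are constructed for the example.

```python
from datetime import datetime

# Services whose revenue is not access revenue and are exempt from quota counting
# (the four categories the slide lists; the identifiers themselves are constructed).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def transfer_per_quota_byte(ts: datetime) -> int:
    """Bytes of transfer that consume one byte of quota. The slide gives the two
    rates (1:1 at peak, 10:1 in the middle of the night); the 08:00-24:00 peak
    window is an assumption."""
    return 1 if 8 <= ts.hour < 24 else 10


def quota_cost(service: str, transferred: int, ts: datetime) -> int:
    """Quota bytes charged for one usage record. Exempt services cost nothing;
    everything else is divided by the time-of-day rate (integer division: the
    slide does not say how the SCE rounds, so this is a simplification)."""
    if service in EXEMPT_SERVICES:
        return 0
    return transferred // transfer_per_quota_byte(ts)


def apply_usage(records, quota_bytes: int) -> dict:
    """Run a batch of (service, bytes, timestamp) records against a subscriber's
    quota and report what was charged, what remains, and a per-service breakdown."""
    charged, by_service = 0, {}
    for service, transferred, ts in records:
        cost = quota_cost(service, transferred, ts)
        charged += cost
        by_service[service] = by_service.get(service, 0) + cost
    return {
        "charged": charged,
        "remaining": max(0, quota_bytes - charged),
        "exhausted": charged >= quota_bytes,
        "by_service": by_service,
    }


# Constructed sample records for one subscriber: (service, bytes transferred, time).
SAMPLE = [
    ("web", 1_000, datetime(2009, 7, 1, 14, 0)),          # peak hour: 1:1
    ("web", 1_000, datetime(2009, 7, 2, 3, 0)),           # middle of the night: 10:1
    ("sp_voip", 5_000, datetime(2009, 7, 2, 12, 0)),      # SP's own VoIP: exempt
    ("p2p_upload", 2_000, datetime(2009, 7, 3, 2, 30)),   # night-time upload, still counted
]

if __name__ == "__main__":
    print(apply_usage(SAMPLE, quota_bytes=1_200))
```

Note that the exemption is keyed on the classified service, so it is only as trustworthy as the DPI classification that produced it; an exempt service that can be impersonated by other traffic becomes a quota bypass.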
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events.
Standard Gy interface to an Online Charging Server.
(Figure: Subscriber Service Control - SCE - GGSN - Access Aggregation and Service Control - Converged Packet Core - Internet; Video/VoIP applications and services; steps 1-3.)
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter: the SCE supports the Diameter Credit Control Application (DCCA).
Integration with Online Charging Servers for mobile prepaid and quota use cases.
Multiple quota types: volume, time, event driven.
High availability and load balancing between Online Charging Servers.
(Figure: SCE - Gy over Diameter - Online Charging Server; SCE - Internet.)
The Gy interface is still under development and will be available in a future release.
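A volume-quota credit-control session between an enforcement point and an online charging server, written out as an added example of the DCCA semantics the slide refers to (initial/update/termination requests, granted units, final-unit indication). It is a behavioural model only: no Diameter encoding, no real SCE or OCS code, and the 1000-unit request chunk, the subscriber names and the REDIRECT final action are assumptions.

```python
from dataclasses import dataclass

INITIAL, UPDATE, TERMINATE = "INITIAL_REQUEST", "UPDATE_REQUEST", "TERMINATION_REQUEST"


@dataclass
class CCR:
    """Credit-Control-Request, reduced to the AVPs the example needs."""
    request_type: str
    session_id: str
    subscriber: str
    requested_units: int = 0   # Requested-Service-Unit (bytes)
    used_units: int = 0        # Used-Service-Unit since the last grant


@dataclass
class CCA:
    """Credit-Control-Answer."""
    granted_units: int               # Granted-Service-Unit
    final_unit: bool                 # Final-Unit-Indication present
    final_action: str = "REDIRECT"   # what to do once the final grant is consumed (assumption)


class OnlineChargingServer:
    """OCS side: per-subscriber volume balance; granted units stay reserved until reported."""

    def __init__(self, balances: dict):
        self.balance = dict(balances)
        self.reserved = {}           # session_id -> units granted but not yet settled

    def credit_control(self, ccr: CCR) -> CCA:
        sub = ccr.subscriber
        # Settle the previous grant: charge what was used, refund what was not.
        self.balance[sub] += self.reserved.pop(ccr.session_id, 0) - ccr.used_units
        if ccr.request_type == TERMINATE:
            return CCA(granted_units=0, final_unit=True)
        grant = min(ccr.requested_units, self.balance[sub])
        self.balance[sub] -= grant
        self.reserved[ccr.session_id] = grant
        return CCA(granted_units=grant, final_unit=self.balance[sub] == 0)


class ChargingClient:
    """PCEF side: meters traffic against the granted bucket and re-requests when it empties."""

    CHUNK = 1000                     # units asked for per request (assumption)

    def __init__(self, ocs: OnlineChargingServer, session_id: str, subscriber: str):
        self.ocs, self.session_id, self.sub = ocs, session_id, subscriber
        self.bucket = self.used_since_grant = self.delivered = self.blocked = 0
        self.final, self.final_action, self.enforcement = False, None, None
        self._request(INITIAL)

    def _request(self, kind: str) -> None:
        cca = self.ocs.credit_control(CCR(kind, self.session_id, self.sub,
                                          requested_units=self.CHUNK,
                                          used_units=self.used_since_grant))
        self.used_since_grant = 0
        self.bucket, self.final = cca.granted_units, cca.final_unit
        self.final_action = cca.final_action

    def deliver(self, nbytes: int) -> None:
        """Account nbytes of subscriber traffic; enforce once the final grant is gone."""
        while nbytes > 0:
            if self.bucket == 0:
                if self.final:            # no more credit: redirect/block instead of asking again
                    self.enforcement = self.final_action
                    self.blocked += nbytes
                    return
                self._request(UPDATE)
                continue
            take = min(nbytes, self.bucket)
            self.bucket -= take
            self.used_since_grant += take
            self.delivered += take
            nbytes -= take

    def close(self) -> None:
        """Termination request: report the last used units so the OCS can settle the reserve."""
        self.ocs.credit_control(CCR(TERMINATE, self.session_id, self.sub,
                                    used_units=self.used_since_grant))
        self.used_since_grant = 0


if __name__ == "__main__":
    ocs = OnlineChargingServer({"joe": 1500})          # constructed prepaid balance
    client = ChargingClient(ocs, "sess-1", "joe")
    client.deliver(1200)
    client.deliver(400)
    client.close()
    print(client.delivered, client.blocked, client.enforcement, ocs.balance)
```

The reservation bookkeeping is the part worth checking in a real integration: if the OCS does not reserve granted units, two concurrent sessions of the same subscriber can each be granted the whole remaining balance.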
Quota Based Tiering: Telenet Cable Company in Belgium
Source: http://www.billingworld.com/rev2/main/feature/Article.cfm?featureID=7799
Quota complements speed as a tiering parameter.
When a user reaches the quota, his Internet service is reduced to dial-up speed.
The user then has the option to upgrade his quota level or continue at reduced speed until the end of the month.
15% of the customers upgrade their quota every month.
(Screenshot of the Telenet subscriber portal: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to switch from pay-as-you-go broadband to free smallband, or the other way around.)
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription (buy more)
- Pay as you go on broadband
- Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase.
40% reduction in service support calls relating to this service: increased customer service satisfaction.
T-Mobile - Quota-Based with Application Control
Plans: Default, WnW, WnW Pro, WnW Plus, WnW Max, Post Pay, Day Pass
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
VoIP:             ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM:               ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P:              ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP:              ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media Stream:     ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web Browsing:     ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads:        ✓ ✗ ✓ ✓ ✓ ✓ ✓
Emails:           ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem: ✓ ✗ ✓ ✗ ✓ ✓ ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile.
Business issue: Skype taking mobile minutes away.
Use case description: the SCE and the PGW 2200 allow Skype users to be routed to mobile phones over the PLMN.
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype.
European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution.
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control).
"Push": the enhanced experience is application-driven (application awareness, control bus).
(Figure: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice.)
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that distributed content does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA/policy server to deliver a personalized broadband experience.
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup.
Enable customers to self-select and modify services and features.

Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience.
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation).
Personalization via self-selection.

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self-Provisioned
- Quota Management
- Turbo (Bandwidth on Demand)
- Application Prioritization
- Reporting/Monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white lists and black lists:
- Limits access to pre-defined websites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
(Figure: blocked-content page: "Content Blocked - Click here to unlock all Internet sites".)
URL Filtering with External DB
On-device URL filtering with external database integration:
- Enhances SCE URL classification with external party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
(Figure: URL not in cache -> URL Query RDR to the 3rd-party URL database -> return URL classification -> cache lookup/update.)
Policy matrix (action per subscriber package and HTTP list):
Subscriber Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps
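The lookup path on this slide (on-board cache in front of an external URL database, then the package/list policy matrix) as an added example. It is not the SCE's Java API or the Websense/Adaptive Mobile integration; the external database here is a constructed in-memory stand-in, and the hostnames and cache size are assumptions.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

# Policy matrix exactly as on the slide: action per (subscriber package, HTTP list id).
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDatabase:
    """Stand-in for the 3rd-party URL database (constructed data, not a vendor API)."""

    def __init__(self, entries: dict):
        self.entries = entries      # hostname -> list id
        self.queries = 0            # external transactions; the on-device cache should keep this low

    def classify(self, host: str):
        self.queries += 1
        return self.entries.get(host, "DEFAULT")


class UrlFilter:
    """On-device classifier with a bounded LRU cache in front of the external DB."""

    def __init__(self, db: ExternalUrlDatabase, cache_size: int = 1024):
        self.db = db
        self.cache = OrderedDict()
        self.cache_size = cache_size

    def list_id(self, host: str):
        if host in self.cache:                  # cache hit: no external transaction
            self.cache.move_to_end(host)
            return self.cache[host]
        list_id = self.db.classify(host)        # cache miss: the "URL Query RDR" on the slide
        self.cache[host] = list_id              # cache update
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)      # evict least recently used
        return list_id

    def decide(self, package: str, url: str) -> str:
        """Action for one HTTP request from a subscriber in the given package."""
        host = (urlsplit(url).hostname or "").lower().rstrip(".")   # normalise before lookup
        return POLICY[package][self.list_id(host)]


if __name__ == "__main__":
    db = ExternalUrlDatabase({"gambling.example": 1, "video.example": 2})   # constructed
    f = UrlFilter(db)
    for package, url in [("Block-and-slow", "http://video.example/clip"),
                         ("Block-all", "http://GAMBLING.example/"),
                         ("Block-none", "http://gambling.example/x")]:
        print(package, url, f.decide(package, url))
    print("external queries:", db.queries)
```

Normalising the host before the lookup matters for both correctness and the cache hit rate: case differences and a trailing dot would otherwise bypass a list entry and cost an extra external query.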
Parental Control and Content Filtering: Example
Content filtering (block page: "Page Blocked - Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
ISPs leverage their intimacy with their customer base to enable enhanced targeting: demographics, browsing habits, geo-location (BetterAds; advertiser - publisher - consumer).

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting.
Good for all access types: DSL, Cable, Mobile, WiFi.
Value-add on top of the SCE's product offering.
SPs participate in the advertising value chain and increase ARPU through a revenue sharing model.
Addresses privacy concerns through advanced opt-in/opt-out mechanisms.
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in the RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web.
2. The SCE mirrors relevant traffic to profiling servers.
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...).
P2P Identification: Infringing / Non-Infringing
1. The subscriber initiates a P2P file request.
2. The SCE extracts the file hash and consults the hash DB.
3. The DB responds with the file classification: infringing or legal.
4. The SCE acts based on the file classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits an infringing file.
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
The SCE analyzes and redirects OTT traffic to the caching server.
The cache delivers more bandwidth to end users using existing network resources.
The cache relieves network peering load while improving QoE.
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Figure: the SCE redirects OTT traffic; the OTT Video Cache delivers the requested files; other traffic (OTT, P2P, VoIP) continues to the Internet; increase in demand for OTT.)
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users.
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
A three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Figure: Service Control between subscribers, email servers and the Internet.)
Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail, which could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
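The three tiers on this slide (identify, protect, notify) run over constructed per-subscriber flow summaries, as an added example. This is not the SCE's anomaly detector; the thresholds, the flow record layout, the mitigation names and the sample addresses are all assumptions made for the example.

```python
from collections import defaultdict

# Detection thresholds (assumptions for the example, not SCE defaults).
MAX_SMTP_SERVERS = 5      # distinct port-25 destinations before a host looks like a spam zombie
MIN_SCAN_TARGETS = 20     # distinct unanswered destinations on one port before it looks like a worm

# Policy: threat kind -> (mitigation action, wording used in the subscriber notification).
POLICY = {
    "spam": ("block-outbound-smtp", "an email zombie generating spam mail"),
    "worm": ("quarantine", "a worm attempting to propagate to other hosts"),
}

# Constructed flow summaries: "subscriber_ip dst_ip dst_port tcp_flags_seen_from_subscriber".
SAMPLE_FLOWS = (
    [f"10.0.0.7 203.0.113.{i} 25 SYN,ACK" for i in range(10, 16)]     # six different mail servers
    + [f"10.0.0.9 10.0.1.{i} 445 SYN" for i in range(1, 31)]          # thirty unanswered SMB probes
    + [
        "10.0.0.3 198.51.100.5 443 SYN,ACK",                           # ordinary browsing
        "10.0.0.3 198.51.100.5 80 SYN,ACK",
        "10.0.0.3 203.0.113.10 25 SYN,ACK",                            # one mail server: normal
    ]
)


def parse_flows(lines):
    for line in lines:
        if not line.strip():
            continue
        sub, dst, port, flags = line.split()
        yield sub, dst, int(port), set(flags.split(","))


def identify(lines) -> dict:
    """Tier 1: stateful per-subscriber counters. Returns subscriber -> [(kind, evidence)]."""
    smtp_servers = defaultdict(set)
    unanswered = defaultdict(lambda: defaultdict(set))   # sub -> port -> dsts with SYN but no ACK
    for sub, dst, port, flags in parse_flows(lines):
        if port == 25:
            smtp_servers[sub].add(dst)
        if "SYN" in flags and "ACK" not in flags:
            unanswered[sub][port].add(dst)
    alerts = defaultdict(list)
    for sub, servers in smtp_servers.items():
        if len(servers) > MAX_SMTP_SERVERS:
            alerts[sub].append(("spam", f"{len(servers)} distinct SMTP servers contacted"))
    for sub, ports in unanswered.items():
        for port, dsts in ports.items():
            if len(dsts) >= MIN_SCAN_TARGETS:
                alerts[sub].append(("worm", f"{len(dsts)} hosts probed on port {port}"))
    return dict(alerts)


def protect_and_notify(alerts: dict) -> dict:
    """Tiers 2 and 3: choose the mitigation per threat and compose the subscriber notice."""
    result = {}
    for sub, findings in alerts.items():
        actions = sorted({POLICY[kind][0] for kind, _ in findings})
        reasons = " and ".join(POLICY[kind][1] for kind, _ in findings)
        result[sub] = {
            "actions": actions,
            "evidence": [evidence for _, evidence in findings],
            "notice": ("Dear Valued Subscriber, we are advising you that your PC may have "
                       f"become infected with {reasons}. Please contact technical support."),
        }
    return result


if __name__ == "__main__":
    for sub, verdict in protect_and_notify(identify(SAMPLE_FLOWS)).items():
        print(sub, verdict["actions"], verdict["evidence"])
```

Thresholds keyed on distinct destinations rather than raw packet counts keep a legitimately busy subscriber (many flows to one mail server) out of the alert list, which is what keeps the call-centre load down when the mitigation is automatic.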
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Savings on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Figure: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic; X = traffic blocked.)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application.
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package.
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server.
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine.
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations.
Issues to consider:
- Traffic visibility (the engine must see all the traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
The stateful analysis engine with application awareness sees all packets in both directions.
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions).
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa.
(Figure: Analysis Engine with PDR - police, drop and rewrite actions.)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only.
Inline configuration: engine installed in the data path; monitor and control traffic.
(Figure: subscribers - optical splitter - SCE - optical splitter - network.)
High Availability: Cascading Configurations
Addresses split flows between the two links.
Provides 1+1 active/standby failover:
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
(Figure: Master and Slave SCEs, one on each active link.)
Redundant Configurations: Active/Standby Schemes
1+0: one SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1: one SCE on each link (active and standby)
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configuration: fail open
(Figure: active link and standby link.)
Optical Bypass
The SCE can be inserted through optical bypass modules.
For the SCE8000 the optical bypass modules are activated in the following cases:
- In case of a major failure in the SCE software or hardware
- Manually via the CLI
- On boot
(Figure: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state.)
MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept:
- The 7600 dispatches the flows to a unique port served by an SCE
- The SCE performs the DPI functionality and returns the packets to the original data path
- All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
(Figure: 7600 with N+1 SCEs; flows out and return flows; Internet.)
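The dispatch rule on this slide (all of a subscriber's flows to one SCE, with an N+1 standby) as an added example of the load-balancer side; it is not the 7600's MGSCP implementation. Hashing on the subscriber address alone, and having the standby inherit the failed unit's slot, are the two design points it shows; the SCE names and addresses are constructed.

```python
import hashlib
import ipaddress


class ScePool:
    """Subscriber-sticky dispatch to N active SCEs with one standby (N+1)."""

    def __init__(self, active, standby):
        self.slots = list(active)   # slot index (switch port) -> SCE currently serving it
        self.standby = standby
        self.failed = []

    def _slot(self, subscriber_ip: str) -> int:
        # Hash the subscriber address only, never the full 5-tuple: every flow of the
        # subscriber, upstream and downstream, must reach the SCE that holds its state.
        packed = ipaddress.ip_address(subscriber_ip).packed
        digest = hashlib.sha256(packed).digest()
        return int.from_bytes(digest[:4], "big") % len(self.slots)

    def dispatch(self, src: str, dst: str, upstream: bool) -> str:
        """SCE for one packet. Upstream packets carry the subscriber as source,
        downstream packets carry it as destination."""
        subscriber = src if upstream else dst
        return self.slots[self._slot(subscriber)]

    def fail(self, sce: str) -> None:
        """Device failure: the standby takes over the failed unit's slot, so the
        hash -> slot mapping of every other subscriber is left unchanged."""
        if self.standby is None:
            raise RuntimeError(f"{sce} failed but no standby is available")
        idx = self.slots.index(sce)
        self.slots[idx] = self.standby
        self.standby = None
        self.failed.append(sce)

    def restore(self, sce: str) -> None:
        """A repaired unit returns as the new standby (no second reshuffle of subscribers)."""
        self.failed.remove(sce)
        if self.standby is None:
            self.standby = sce


if __name__ == "__main__":
    pool = ScePool(["sce-1", "sce-2", "sce-3"], standby="sce-4")
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(ip, pool.dispatch(ip, "198.51.100.9", upstream=True),
              pool.dispatch("198.51.100.9", ip, upstream=False))
```

The flow and subscriber state held by the failed SCE is lost when the standby takes over its slot; only the placement of subscribers is preserved, which is why the text says the SCEs must maintain state per subscriber rather than per cluster.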
Network Architectures: SCE's Open and Extensible Architecture
(Figure: DSL/Fiber and Mobile access via BRAS/LAC/LNS and GGSN; SCE deployments in N+1, 1+1 HA and bypass HA configurations; accounting/policy control; Internet.)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
(Figure: packet stacks showing MPLS and L2TP/PPP encapsulation around IP / TCP / Payload.)
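What "visibility into tunneled traffic" means in practice, as an added example (not SCE code): a decapsulation walker that peels 802.1Q tags, an MPLS label stack, IP-in-IP and L2TPv2/PPP to reach the inner IPv4 5-tuple that classification and subscriber mapping need. The frames it is run on are constructed inline with minimal headers (zero checksums, zero MACs); the tunnel and session ids are arbitrary.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN, ETH_MPLS = 0x0800, 0x8100, 0x8847
L2TP_PORT, PPP_IPV4 = 1701, 0x0021


def ipv4_hdr(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_hdr(sport, dport):
    """Minimal 20-byte TCP SYN header with only the ports filled in."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)


def eth(ethertype, payload):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def skip_l2tp(buf, off):
    """Walk an L2TPv2 data-message header (RFC 2661) and return the offset of the PPP frame."""
    flags = struct.unpack("!H", buf[off:off + 2])[0]
    off += 2
    if flags & 0x4000:          # L bit: Length field present
        off += 2
    off += 4                    # Tunnel ID + Session ID
    if flags & 0x0800:          # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:          # O bit: Offset Size, then that much padding
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    return off


def inner_flow(frame):
    """Strip VLAN, MPLS, IP-in-IP and L2TP/PPP encapsulation. Returns
    (encapsulation layers, inner (src, dst, proto, sport, dport)) or (layers, None)."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype == ETH_VLAN:                       # 802.1Q, possibly stacked (QinQ)
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        layers.append(f"vlan:{tci & 0x0FFF}")
        off += 4
    if ethertype == ETH_MPLS:                           # label stack until bottom-of-stack bit
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            layers.append(f"mpls:{entry >> 12}")
            off += 4
            if entry & 0x100:
                break
    elif ethertype != ETH_IPV4:
        return layers, None
    while off < len(frame) and frame[off] >> 4 == 4:   # one pass per IPv4 header in the stack
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = socket.inet_ntoa(frame[off + 12:off + 16])
        dst = socket.inet_ntoa(frame[off + 16:off + 20])
        off += ihl
        if proto == 4:                                   # IP-in-IP: another IPv4 header follows
            layers.append(f"ipip:{src}->{dst}")
            continue
        if proto not in (6, 17):
            return layers, (src, dst, proto, None, None)
        sport, dport = struct.unpack("!HH", frame[off:off + 4])
        if proto == 17 and L2TP_PORT in (sport, dport):  # L2TP over UDP, then PPP
            layers.append(f"l2tp:{src}->{dst}")
            off = skip_l2tp(frame, off + 8)              # 8-byte UDP header first
            if frame[off:off + 2] == b"\xff\x03":        # optional PPP address/control
                off += 2
            ppp_proto = struct.unpack("!H", frame[off:off + 2])[0]
            off += 2
            if ppp_proto != PPP_IPV4:
                return layers, None
            continue
        return layers, (src, dst, proto, sport, dport)
    return layers, None


def sample_frames():
    """Constructed frames, one per encapsulation the slide lists (GRE/GTP omitted)."""
    inner = ipv4_hdr("10.1.1.5", "198.51.100.9", 6, 20) + tcp_hdr(40000, 443)
    vlan_mpls = eth(ETH_VLAN, struct.pack("!HH", 100, ETH_MPLS)
                    + struct.pack("!I", (18 << 12) | 0x100) + inner)
    ipip = eth(ETH_IPV4, ipv4_hdr("192.0.2.1", "192.0.2.2", 4, len(inner)) + inner)
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4) + inner
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), 7, 9) + ppp      # ver 2, L bit set
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    l2tp_frame = eth(ETH_IPV4, ipv4_hdr("192.0.2.10", "192.0.2.20", 17, len(udp)) + udp)
    return {"vlan_mpls": vlan_mpls, "ipip": ipip, "l2tp": l2tp_frame}


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, inner_flow(frame))
```

The point a defender should take from it: a policy written against the inner addresses is only enforced if the engine actually reaches them, so every encapsulation the network can carry, including stacked ones, has to be on the supported list.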
Management and Integration
What Does an SCE Solution Look Like?
The SCE sits at the access or aggregation layer.
Modular solution: includes SCE devices, management tools and integration APIs.
(Figure: Subscribers - Service Control Engine - Network; Subscriber Manager with AAA, DHCP, RADIUS and Billing; Collection Manager with Reporting Tool; Engage Console; Policy Server/Portal and Service Portal.)
Management and Integrations
Area                          Description                                              Protocols and Tools          External Software Modules
Network Management            FCAPS                                                    SNMP, CLI, SSH               NA
Policy/Service Configuration  Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML   Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection               Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions.
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into the back office / AAA: RADIUS AAA, DHCP servers, policy control systems.
Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
(Figure: B-RAS - RADIUS - Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller) - SCE - Subscribers / Network.)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: RADIUS Integration - Pull
(Figure: B-RAS - RADIUS - Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller) - SCE - Subscribers / Network.)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEG Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (option 82, sub-option 2), lease-time (51), vendor-specific (43), message-type (53)
LEGs (RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG; DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate these into SM operations:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
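The push and pull exchanges of the three preceding slides, as an added example: a RADIUS LEG turns accounting Start/Stop into SM login/logout, the SM either pushes the mapping to the SCEs or answers their "who is using this IP" queries, and an address reassigned by the NAS retires the previous subscriber's mapping first. This is not the SM API or a real LEG; the accounting packets are dicts of attribute names rather than RADIUS wire format, and Joe, 1.2.3.4 and package 12 are the values from the slides.

```python
from dataclasses import dataclass


@dataclass
class SubscriberContext:
    subscriber_id: str     # from User-Name
    network_id: str        # from Framed-IP-Address
    policy_id: int         # package, from the SCE-VAS-PID vendor-specific attribute
    nas: str               # from NAS-Identifier


class SceDevice:
    """Enforcement point. Holds only the IP -> context mappings it has been given."""

    def __init__(self, name: str):
        self.name, self.sm, self.table = name, None, {}

    def set_subscriber(self, ctx: SubscriberContext) -> None:
        self.table[ctx.network_id] = ctx

    def remove_subscriber(self, network_id: str) -> None:
        self.table.pop(network_id, None)

    def lookup(self, ip: str):
        """Map traffic to a subscriber: local table first, else pull the mapping from the SM."""
        ctx = self.table.get(ip)
        if ctx is None and self.sm is not None:
            ctx = self.sm.who_is_using(ip)          # "Who is using IP 1.2.3.4?"
            if ctx is not None:
                self.table[ip] = ctx
        return ctx


class SubscriberManager:
    """Holds the subscriber database and translates RADIUS accounting into login/logout."""

    def __init__(self, sces, push: bool = True):
        self.sces, self.push, self.sdb = list(sces), push, {}   # sdb: ip -> context
        for sce in self.sces:
            sce.sm = self

    def radius_leg(self, acct: dict) -> None:
        """RADIUS LEG: accounting packet (attributes as a dict, constructed) -> SM operation."""
        ip, user = acct["Framed-IP-Address"], acct["User-Name"]
        if acct["Acct-Status-Type"] == "Start":
            ctx = SubscriberContext(user, ip, acct["Vendor-Specific"]["SCE-VAS-PID"],
                                    acct["NAS-Identifier"])
            self.login(ctx)
        elif acct["Acct-Status-Type"] == "Stop":
            self.logout(user, ip)

    def login(self, ctx: SubscriberContext) -> None:
        old = self.sdb.get(ctx.network_id)
        if old is not None and old.subscriber_id != ctx.subscriber_id:
            # The NAS reassigned the address: retire the stale mapping first, so the
            # previous subscriber's package is never applied to the new one's traffic.
            self.logout(old.subscriber_id, ctx.network_id)
        self.sdb[ctx.network_id] = ctx
        if self.push:                      # push mode: send the login straight to the SCEs
            for sce in self.sces:
                sce.set_subscriber(ctx)

    def logout(self, user: str, ip: str) -> None:
        ctx = self.sdb.get(ip)
        if ctx is None or ctx.subscriber_id != user:
            return                         # late Stop for an address someone else now holds
        del self.sdb[ip]
        for sce in self.sces:              # both modes: an SCE may hold a pulled mapping
            sce.remove_subscriber(ip)

    def who_is_using(self, ip: str):
        return self.sdb.get(ip)


if __name__ == "__main__":
    sce = SceDevice("sce-1")
    sm = SubscriberManager([sce], push=True)
    sm.radius_leg({"Acct-Status-Type": "Start", "User-Name": "Joe",
                   "Framed-IP-Address": "1.2.3.4", "NAS-Identifier": "bras-1",
                   "Vendor-Specific": {"SCE-VAS-PID": 12}})
    print(sce.lookup("1.2.3.4"))
```

The ordering in login and the subscriber check in logout are what keep the IP-to-subscriber table honest under address reuse, which is the failure mode that matters most for billing and for any per-subscriber security action.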
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing / quota provisioning
- NetFlow v9: allows integration for billing / quota provisioning cases
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID.
(Figure: SCE - API - Subscriber Manager - API - Policy Server.)
PCEF - Subscriber Policy Enforcement
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server.
Communication with the PCRF is through a standard Gx interface.
(Figure: Subscriber Service Control - PCEF/SCE - GGSN - Access Aggregation and Service Control - Converged Packet Core - Internet; Video/VoIP applications and services; steps 1-4.)
The Gx interface is still under development and will be available in a future release.
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages. Attributes supported include:
- Called-Station-Id
- 3GPP-SGSN-IP-Address
- 3GPP-SGSN-MCC-MNC
- 3GPP-GPRS-Negotiated-QoS-Profile
- 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
Configurable data granularity: interval between RDRs, sample rates.
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol:
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms.
(Figure: an RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 ... Field n.)
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records:
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- The SCE supports the new extensions
Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR).
Format supported by various NetFlow collectors, including Cisco NFC 6.0.
(Figure: SCE to SCMS Collection Manager / SCMS Reporter, and to NetFlow Collector / NetFlow Reporter.)
Collection Manager: Software Overview
CM software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates).
CM bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates).
ToS Marking
ToS marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selectable DSCP values.
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (upstream / downstream)
(Figure: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP.)
ToS Classification
The SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network.
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.
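Both sides of the two ToS slides in one added example (not SCE code): marking the DSCP field per package, service and direction after classification, with the ECN bits preserved and the IPv4 header checksum recomputed, and classification that lets a trusted DSCP value override the signature result. The slide does not list the 7 selectable code points, so the values here, the marking table and the packet addresses are assumptions.

```python
import struct

# Code points the example trusts and marks. The GUI's 7 selectable DSCP values are not
# listed on the slide; these standard code points are an assumption.
DSCP = {"voip": 46, "video": 34, "p2p": 8, "browsing": 0}      # EF, AF41, CS1, best effort
TRUSTED_DSCP = {code: service for service, code in DSCP.items() if code != 0}

# Marking table (package, service, direction) -> DSCP. Constructed for the example.
MARKING = {
    ("gold", "voip", "upstream"): DSCP["voip"],  ("gold", "voip", "downstream"): DSCP["voip"],
    ("gold", "video", "downstream"): DSCP["video"],
    ("gold", "p2p", "upstream"): DSCP["p2p"],    ("gold", "p2p", "downstream"): DSCP["p2p"],
    ("bronze", "voip", "upstream"): DSCP["browsing"],   # bronze gets no VoIP priority
}


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: bytes, dst: bytes, proto: int, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed test packet)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2                        # top 6 bits of the ToS byte


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the 2 ECN bits, and fix the header checksum. Marking without
    recomputing the checksum would get the packet dropped by the next router."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def mark(pkt: bytes, package: str, service: str, direction: str) -> bytes:
    """ToS marking after classification: per package, per service, per direction."""
    dscp = MARKING.get((package, service, direction))
    return pkt if dscp is None else set_dscp(pkt, dscp)


def classify(pkt: bytes, signature_service: str) -> str:
    """ToS classification: a trusted DSCP set elsewhere in the network wins over the
    signature result; an unmarked packet (DSCP 0) falls back to signature classification."""
    return TRUSTED_DSCP.get(get_dscp(pkt), signature_service)


if __name__ == "__main__":
    pkt = ipv4_packet(b"\x0a\x00\x00\x01", b"\xc6\x33\x64\x05", 17, tos=0b11)
    marked = mark(pkt, "gold", "voip", "upstream")
    print(hex(marked[1]), get_dscp(marked), classify(marked, "p2p"))
```

Because DSCP classification takes precedence over signatures, the trusted set should be limited to code points that a trusted upstream element really sets: any marking that can arrive from the subscriber side unchanged is a way to claim a better service level than the signature would give.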
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Use cases: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; Phorm, Feeva, Adzilla, local partners in China and Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Use cases: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Process of Service Control
Intelligent Inspection and Control of IP Packets:
- Classify to end-user application, determine application semantics
- Map to subscriber identity, policy and state
- Select action based on conditions: time of day, congestion, usage, other concurrent activities
- Take action and report: Block, Redirect, Set QoS, Mark, Report
(Figure: Service Control Engine)
Service Control Engine Functional Examples
(Figure axis: Cost Management to Revenue Generation; categories around the Service Control Technology core: Service Security, Traffic Optimization, Usage Analysis, Tiering & Access Control, Premium Service Enablement, Content Charging)
- Traffic Anomaly Detection and DDoS Protection
- Anti-X (Spam, Worms)
- Safe Harbor and Quarantine Services
- Traffic Mix Optimization
- Fair Use Policy Enforcement
- QoS assurance
- Traffic Analysis and Reporting
- Quality of Experience Monitoring
- Usage Demographics
- Service Self Selection
- Volume and Time Based Tiering of Services
- Bandwidth on Demand (Turbo Button)
- Over-The-Top Application Partnership Services
- Multimedia (Voice/Video) Traffic Prioritization
- Volume and Time Based Billing Services
- Parental Control & Content Filtering
Service Control Platforms
SCE1000: Interfaces 2-GBE (Fiber SX/LX); Mgmt Interface 2 x 10/100/1000 Eth; Max Concurrent Unidirectional Application Flows 2M; Max Subscriber-Contexts 200,000; Network Configuration Out of Line, Inline
SCE2000: Interfaces 4-GBE (Fiber SX/LX); Mgmt Interface 2 x 10/100/1000 Eth; Max Concurrent Unidirectional Application Flows 2M; Max Subscriber-Contexts 200,000; Network Configuration Out of Line, Inline, Clustering
SCE8000: Interfaces 2-10G, 4-10G, 8-GBE, 16-GBE (Fiber SX/LX/ZX); Mgmt Interface 2 x 10/100/1000 Eth; Max Concurrent Unidirectional Application Flows 16M (can grow up to 32M); Max Subscriber-Contexts 1M; Network Configuration Out of Line, Inline, Clustering
SCE Product Family and Milestones
(Chart: Capacity (Concurrent Subscribers) from 200K to 1M; Performance from 5 Gbps to 40 Gbps; SCE 1000, SCE 2000, SCE 8000)
SCE 8000:
- 2x10G, 4x10G & 8xGBE, 16xGBE Ethernet interfaces
- Classification of up to 32 million concurrent unidirectional application flows
- Total throughput of 15 Gbps (30+ Gbps by end 09)
- Up to 1M concurrent subscribers
- Complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics
Cisco SCE In Mobile
(Figure: 3GPP Compliance, Content Filtering, Content Charging, Traffic Optimization, Usage Analysis, DPI)
- Industry leading Deep Packet Inspection
- Rich set of IP services
- 3GPP Compliant
The SCE Mobile Solution
(Diagram: SCE between the GGSN/SGSN core and the Internet, with AAA (Radius), Policy Server, Portal/Applications, Billing & Charging)
The SCE Mobile Solution - 3GPP Compliance
(Diagram: the same elements annotated with the 3GPP roles PCEF, PCRF, OCF/SRP and AF and the Gy/Gx interfaces)
What does an SCE solution look like? SCE sits at the access or aggregation layer
(Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager with AAA, DHCP, Radius, Billing; Collection Manager with Reporting Tool, Engage Console, Service Portal; Policy Server, Portal)
1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
(Chart axis: Usage Analysis to Service Creation)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement Service Self Selection; implement Over-The-Top (OTT) Application Strategy and Blended Services; implement Security Services (Anti-X, Quarantine, etc.); innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
(Diagram labels: Portal, DHCP, AAA, Subs Profile, Policy)
What does a Service Provider Want From SCE? Profitability
- URL Blacklisting: restricting sites that are blacklisted by governments
- Precision Advertising: demographic information & per-subscriber re-direction to ad server
- Copyright Infringement Blocking: blocking distribution of pirated film/music
- OTT Revenue Share Proposition: application intercept for Internet content prioritisation
- Enhanced Tiered Services: product tiers in addition to flat-rate "all you can eat" (chart labels: Flat Rate, Restricted)
- Usage/Content Based Billing and Fair Use Policy: all HSDPA mobile operators; global migration from flat rate to usage based
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
(Figure: cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control shown at two points of the cycle; context labels: Strategic, Part of Business Ops, Customer, Sales, Category Recognition)
Cycle labels: Transactions Information, Network Utilization, Service QoE, Data Aggregation, Data Mining, Correlation, Trend Analysis, Geographies Comparison, Histogram View, Service Offering, Marketing Review, Intersecting Set, Engineering Review, IT Review, Network Tuning, Cooperation
Video Reports
- Which specific video applications are consuming bandwidth?
- How do usage patterns vary by time of day?
- Who are the top video consumers?
- Focus on a specific video application
Web Reports
- Insights into Web traffic: Top Domains, Top Hosts
- Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart: Only ClickStream)
Cumulative & Average Usage Distribution
- Top 1% => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients/protocols/applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
- Finding new signatures becomes a difficult task
- Signatures are more complex (encryption)
- Protocol signatures are evolving all the time (new application versions)
- Many geography-specific applications
- In some cases almost impossible (new trend of 'anti-shaping')
- It's both a scalability and a feasibility challenge
Behavioral Classification Benefits
- Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
- Cost-Effective: Behavioral P2P may be enough for some use cases such as Traffic Optimization; in such a case there is no need to recognize the specific P2P application
- Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy Dimensions:
- Application: Sessions or Bandwidth
- Time Based: Peak / Off-Peak Hours
- Congestion: Selective Prioritization
- Subscriber: Per-Sub Limits
- Destination: On-Net / Peering / Transit
- Service Level
(Figure: Policy Implementation Impact)
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Figure: a subscriber's bandwidth shared among peer-to-peer service, web browsing, email and mobile TV, re-allocated when the user launches video)
Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
(Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 040 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
(Figure: no fairness, where some of the subscribers are not getting a fair share of the BW, versus fair allocation of BW with the SCE's FairShare)
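One way to implement the fair allocation described on these two slides, as an added example that is not Cisco's FairUsage implementation: weighted max-min fair share that runs only under congestion, with a weight that falls with recent-window usage and a fixed low weight for subscribers flagged for a longer-term acceptable-use violation. The window reference volume, the 0.25 weight and the sample subscribers are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed reference volume for the short-term window (e.g. the last 15 minutes);
# a subscriber who moved this many bytes in the window has its weight halved.
WINDOW_REF_BYTES = 500_000_000


@dataclass
class Subscriber:
    name: str
    demand_mbps: float           # bandwidth the subscriber is currently trying to use
    window_bytes: int = 0        # bytes moved in the short-term usage window
    aup_violation: bool = False  # longer-term violation of the plan's acceptable usage policy


def fairness_weight(sub: Subscriber) -> float:
    """Weight used when dividing capacity under congestion.

    Heavier recent usage lowers the weight smoothly; a subscriber flagged for a
    longer-term AUP violation gets a fixed low weight (assumed value 0.25).
    """
    if sub.aup_violation:
        return 0.25
    return 1.0 / (1.0 + sub.window_bytes / WINDOW_REF_BYTES)


def equal_split(subs: List[Subscriber], capacity_mbps: float) -> Dict[str, float]:
    """The naive scheme questioned on the slide: divide capacity equally, ignoring demand.
    Capacity offered to a subscriber who wants less than the share is simply wasted."""
    share = capacity_mbps / len(subs)
    return {s.name: min(share, s.demand_mbps) for s in subs}


def weighted_max_min(subs: List[Subscriber], capacity_mbps: float) -> Dict[str, float]:
    """Weighted max-min fair share (progressive filling).

    Each round gives every unsatisfied subscriber its weighted share of what is
    left; anyone whose demand fits inside that share is satisfied and removed,
    and the unused remainder is redistributed to the others.
    """
    alloc: Dict[str, float] = {s.name: 0.0 for s in subs}
    weights = {s.name: fairness_weight(s) for s in subs}
    active = {s.name: s for s in subs if s.demand_mbps > 0}
    remaining = capacity_mbps
    while active and remaining > 1e-9:
        total_w = sum(weights[n] for n in active)
        share = {n: remaining * weights[n] / total_w for n in active}
        satisfied = [n for n in active if active[n].demand_mbps <= share[n]]
        if not satisfied:
            # nobody's demand fits: hand out the weighted shares and stop
            for n in active:
                alloc[n] = share[n]
            break
        for n in satisfied:
            alloc[n] = active[n].demand_mbps
            remaining -= alloc[n]
            del active[n]
    return alloc


def allocate(subs: List[Subscriber], capacity_mbps: float) -> Dict[str, float]:
    """FairUsage only acts during congestion: without it, every demand is met."""
    congested = sum(s.demand_mbps for s in subs) > capacity_mbps
    if not congested:
        return {s.name: s.demand_mbps for s in subs}
    return weighted_max_min(subs, capacity_mbps)


def sample_subscribers() -> List[Subscriber]:
    """Constructed sample: A is a light user, B a heavy recent user, C wants very little."""
    return [
        Subscriber("A", demand_mbps=20.0, window_bytes=0),                  # weight 1.0
        Subscriber("B", demand_mbps=20.0, window_bytes=WINDOW_REF_BYTES),   # weight 0.5
        Subscriber("C", demand_mbps=1.0, window_bytes=0),                   # weight 1.0
    ]
```

On a 10 Mbps bottleneck the sample gives A 6, B 3 and C 1 Mbps, while an equal three-way split leaves part of the link idle because C cannot use its share.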
RAN Optimization And Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that booming mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN - SGSN/GGSN - SCE - Internet, with Policy Server; GPRS)
Tiered Services
Requirement: Flexible Billing Plans
- Subscription (Time): bill by bandwidth usage over always-on service (Volume, Time)
- Time, Volume, Transaction, Content Type: bill differently for each type of application and content
- Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE Capabilities:
- Stateful classification of end-application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: Subscribers - Service Control Engine - Network; Quota Manager, Billing/Mediation, Policy Server)
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
- SP's Content Delivery Store
- P2P Technology can also be supported in the Upload direction via DPI
- SP's Gaming Services
- SP's VoIP Service
- Partnership Content Delivery Services
Quota measurement rate can change during the time of day:
- Peak Hour: 1 byte of transfer = 1 byte of quota
- Middle of Night: 10 bytes of transfer = 1 byte of quota
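Quota accounting with the exemptions and time-of-day rates listed above, as an added example that is neither Cisco code nor SCE configuration: usage records are debited at a rate chosen by hour of day and exempt services are skipped. The hour windows, the service names, the reading of the P2P-upload bullet as an optional exemption and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

MB = 1_000_000

# Constructed settings, not SCE configuration syntax.
# Services exempt from quota counting (slide: SP content delivery store,
# SP gaming services, SP VoIP service, partnership content delivery services).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}

# Time-of-day rate as (start_hour, end_hour, transferred bytes per quota byte):
# peak hour 1 byte of transfer = 1 byte of quota; middle of night 10 bytes = 1.
# The window boundaries are an assumption; the slide gives only the two ratios.
RATE_SCHEDULE = [(0, 6, 10), (6, 24, 1)]


def quota_ratio(ts: datetime) -> int:
    """How many transferred bytes count as one byte of quota at time ts."""
    for start, end, ratio in RATE_SCHEDULE:
        if start <= ts.hour < end:
            return ratio
    raise ValueError(f"no rate window covers hour {ts.hour}")


@dataclass
class UsageRecord:
    """Constructed stand-in for one per-flow usage record from the SCE."""
    subscriber: str
    service: str      # classified application, e.g. "web", "p2p", "sp_voip"
    direction: str    # "up" (subscriber to network) or "down"
    nbytes: int
    ts: datetime


@dataclass
class QuotaAccount:
    limit_bytes: int
    charged_bytes: int = 0   # bytes debited from the quota after weighting
    raw_bytes: int = 0       # bytes actually transferred (kept for reporting)
    exempt_bytes: int = 0

    @property
    def exhausted(self) -> bool:
        return self.charged_bytes >= self.limit_bytes

    @property
    def remaining_bytes(self) -> int:
        return max(0, self.limit_bytes - self.charged_bytes)


def is_exempt(rec: UsageRecord, exempt_p2p_upload: bool) -> bool:
    if rec.service in EXEMPT_SERVICES:
        return True
    # Assumption: the slide's "P2P ... in the upload direction via DPI" bullet is
    # read as an optional exemption of P2P upstream (seeding) bytes from the quota.
    return exempt_p2p_upload and rec.service == "p2p" and rec.direction == "up"


def charge(rec: UsageRecord, acct: QuotaAccount, exempt_p2p_upload: bool = True) -> int:
    """Debit one record from the account; returns the quota bytes charged."""
    acct.raw_bytes += rec.nbytes
    if is_exempt(rec, exempt_p2p_upload):
        acct.exempt_bytes += rec.nbytes
        return 0
    # Integer division rounds in the subscriber's favour (25 bytes at 10:1 -> 2).
    charged = rec.nbytes // quota_ratio(rec.ts)
    acct.charged_bytes += charged
    return charged


def charge_single(service: str, direction: str, nbytes: int, hour: int,
                  exempt_p2p_upload: bool = True) -> int:
    """Charge one constructed record against a fresh 100 MB account; returns quota bytes."""
    rec = UsageRecord("bob", service, direction, nbytes, datetime(2009, 7, 1, hour))
    return charge(rec, QuotaAccount(100 * MB), exempt_p2p_upload)


def process(records: List[UsageRecord], limits: Dict[str, int]) -> Dict[str, QuotaAccount]:
    accounts = {sub: QuotaAccount(limit) for sub, limit in limits.items()}
    for rec in records:
        charge(rec, accounts[rec.subscriber])
    return accounts


def sample_run() -> Dict[str, QuotaAccount]:
    """Constructed sample day for one subscriber with a 100 MB daily quota."""
    day = datetime(2009, 7, 1)
    recs = [
        UsageRecord("alice", "web", "down", 100 * MB, day.replace(hour=13)),   # peak: 100 MB
        UsageRecord("alice", "p2p", "down", 50 * MB, day.replace(hour=3)),     # night: 5 MB
        UsageRecord("alice", "sp_voip", "up", 30 * MB, day.replace(hour=13)),  # exempt
        UsageRecord("alice", "p2p", "up", 20 * MB, day.replace(hour=13)),      # exempt upload
    ]
    return process(recs, {"alice": 100 * MB})
```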
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to Online Charging Server
(Diagram: Subscriber - SCE (Access Aggregation and Service Control) - GGSN (Converged Packet Core) - Internet, Video, VoIP applications and services; steps 1-3)
The Gy interface is still under development and will be available in a future release.
Gy Interface For Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: Volume, Time, Event driven
- High availability and load-balancing between Online Charging Servers
(Diagram: SCE - Gy over Diameter - Online Charging Server; Internet)
The Gy interface is still under development and will be available in a future release.
Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month
(Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around)
Redirect Page
Re-direct page in case 100% of quota is reached. Three options presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband.
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
- Revenue increase
- 40% REDUCTION in service support calls relating to this service
- Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
Plan              Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
VoIP              ✓        ✗    ✗        ✗         ✗        ✓         ✗
IM                ✓        ✗    ✗        ✗         ✓        ✓         ✗
P2P               ✓        ✗    ✓        ✗         ✓        ✓         ✗
FTP               ✓        ✗    ✓        ✗         ✓        ✓         ✗
Media Stream      ✓        ✗    ✓        ✗         ✓        ✓         ✗
Web Browsing      ✓        ✓    ✓        ✓         ✓        ✓         ✓
Downloads         ✓        ✗    ✓        ✓         ✓        ✓         ✓
Emails            ✓        ✓    ✓        ✓         ✓        ✓         ✓
Handset as modem  ✓        ✗    ✓        ✗         ✓        ✓         ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
(Chart: > 40)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
- "Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
- "Push": enhanced experience is application-driven (IPTV/VoD, Gaming, Messaging, Music/Voice)
(Diagram: Broadband Access, Application Awareness, Control Bus)
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that content distributed does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment:
- Application-based control on a per-subscriber basis
- Integrates with AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Screenshot: Personalization via Self Selection)
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
- Quota Management
- Turbo (Bandwidth on Demand)
- Application Prioritization
- Reporting / Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white-lists / blacklists
- Limits access to pre-defined web-sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
(Screenshot: "Content Blocked - Click here to unlock all Internet sites"; Internet)
URL Filtering With External DB
- Enhance SCE URL classification with external party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
On-Device URL Filtering with External Database Integration (diagram): URL not in cache -> URL Query RDR -> 3rd-party URL database -> return URL classification -> cache-lookup update
HTTP action per subscriber package and URL list:
Subscriber-Package   HTTP DEFAULT   HTTP - List ID 1   HTTP - List ID 2
Block-none           ALLOW          ALLOW              ALLOW
Block-all            ALLOW          BLOCK              BLOCK
Block-and-slow       ALLOW          BLOCK              RATE 64kbps
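The cache-then-query flow and the package table above, as an added example that is not the SCE's Java API or its Websense/Adaptive Mobile integration: a URL is classified from the on-board cache first, otherwise by a query to the external database, and the list ID is mapped through the subscriber's package to an HTTP action. The DB callback, the hostnames, the cache TTL and the fail-open handling of a database outage are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Package policy table from the slide: HTTP action per subscriber package and
# URL list. "DEFAULT" is a URL on no list; "1" and "2" are list IDs the DB returns.
POLICY: Dict[str, Dict[str, str]] = {
    "Block-none":     {"DEFAULT": "ALLOW", "1": "ALLOW", "2": "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", "1": "BLOCK", "2": "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", "1": "BLOCK", "2": "RATE 64kbps"},
}

# Constructed stand-in for the 3rd-party URL database (hostname -> list ID).
EXTERNAL_DB: Dict[str, str] = {"adult.example": "1", "gambling.example": "2"}

class ExternalDbError(Exception):
    """Raised by a DB callback when the external database cannot be reached."""

@dataclass
class UrlCache:
    """On-board classification cache with per-entry expiry (the slide's cache lookup)."""
    ttl: float
    entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def get(self, host: str, now: float) -> Optional[str]:
        entry = self.entries.get(host)
        if entry is not None and entry[1] > now:
            return entry[0]
        return None

    def put(self, host: str, list_id: str, now: float) -> None:
        self.entries[host] = (list_id, now + self.ttl)

class UrlFilter:
    """Classify a URL (cache first, then a query to the external DB) and map the
    result through the subscriber's package to an HTTP action."""
    def __init__(self, db_query: Callable[[str], str], cache_ttl: float = 300.0,
                 fail_open: bool = True):
        self.db_query = db_query      # stands in for the URL Query RDR round trip
        self.cache = UrlCache(cache_ttl)
        self.fail_open = fail_open    # assumption: DB outage -> DEFAULT action (or BLOCK)
        self.db_queries = 0           # transactions actually sent to the external DB

    @staticmethod
    def host_of(url: str) -> str:
        host = (urlsplit(url).hostname or "").rstrip(".")   # hostname is lower-cased
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host

    def classify(self, url: str, now: float) -> Optional[str]:
        """List ID for the URL's host, or None when the DB is unreachable (not cached)."""
        host = self.host_of(url)
        cached = self.cache.get(host, now)
        if cached is not None:
            return cached
        self.db_queries += 1
        try:
            list_id = self.db_query(host)
        except ExternalDbError:
            return None
        self.cache.put(host, list_id, now)
        return list_id

    def decide(self, package: str, url: str, now: float) -> str:
        if package not in POLICY:
            raise ValueError(f"unknown subscriber package {package!r}")
        list_id = self.classify(url, now)
        if list_id is None:
            return POLICY[package]["DEFAULT"] if self.fail_open else "BLOCK"
        return POLICY[package][list_id]

def constructed_db(host: str) -> str:
    """Constructed DB callback: list ID for known hosts, DEFAULT for everything else."""
    return EXTERNAL_DB.get(host, "DEFAULT")

def failing_db(host: str) -> str:
    """Constructed DB callback that simulates an unreachable external database."""
    raise ExternalDbError(host)

def sample_decisions() -> Tuple[Dict[str, str], int]:
    """Run every package against three URLs twice; the second pass is served from cache.
    Returns the decisions keyed by "package host" and the number of DB queries made."""
    f = UrlFilter(constructed_db)
    urls = ["http://adult.example/x", "https://GAMBLING.example:8443/y", "http://news.example/"]
    out: Dict[str, str] = {}
    for _ in range(2):
        for pkg in POLICY:
            for u in urls:
                out[f"{pkg} {f.host_of(u)}"] = f.decide(pkg, u, now=1.0)
    return out, f.db_queries
```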
Parental Control and Content Filtering Example
(Screenshot: Content Filtering - "Page Blocked: Forbidden Content Detected")
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
(Figure: Advertiser - Publisher - Consumer, with the ISP contributing Demographics, Browsing habits and Geo-location to BetterAds)
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring (diagram):
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
P2P Identification: Infringing / Non-Infringing
(Diagram: Subscriber - SCE - Network; Hash DB)
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
(Diagram: SCE redirects OTT traffic (other OTT, P2P, VoIP) to the OTT Video Cache; cache delivers requested files; increase in demand for OTT)
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify of the security risk
(Diagram: Service Control between subscribers and the Internet / email servers; sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom")
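The Identify / Protect / Notify tiers over constructed flow records, as an added example that is not Cisco's detector: only the anomaly-detection side is shown, a per-minute fan-out check (distinct destinations per subscriber and port, with the share of unanswered connection attempts as supporting evidence) that feeds a quarantine state and a notification. The rule thresholds, the ports, the protect actions, the notification wording and the sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, int]   # (subscriber IP, destination port, minute bucket)


@dataclass(frozen=True)
class Flow:
    """Constructed per-flow record (subscriber-side source, network-side destination)."""
    minute: int        # minute bucket of the flow start
    src: str           # subscriber IP
    dst: str           # destination IP
    dport: int         # destination TCP port
    handshake: bool    # True if the TCP handshake completed


@dataclass(frozen=True)
class Rule:
    """Fan-out rule: more than max_dst distinct destinations on dport within one minute."""
    name: str
    dport: int
    max_dst: int
    protect: str       # the "Protect" action applied when the rule fires (assumed policy)


RULES = [
    Rule("spam-zombie", 25, 20, "block outbound TCP/25"),
    Rule("worm-propagation", 445, 30, "rate-limit outbound TCP/445"),
]

NOTIFY_TEMPLATE = ("Your PC may have become infected ({rule}); outbound activity has been "
                   "restricted. Contact technical support for assistance.")


@dataclass
class Verdict:
    subscriber: str
    rule: str
    minute: int
    distinct_dst: int
    failed_ratio: float   # share of attempts with no completed handshake
    protect: str
    notify: str


def identify(flows: List[Flow], rules: List[Rule] = RULES) -> List[Verdict]:
    """Tier 1, Identify: per (subscriber, port, minute) fan-out against the rule set."""
    dsts: Dict[Key, Set[str]] = defaultdict(set)
    total: Dict[Key, int] = defaultdict(int)
    failed: Dict[Key, int] = defaultdict(int)
    for f in flows:
        k = (f.src, f.dport, f.minute)
        dsts[k].add(f.dst)
        total[k] += 1
        failed[k] += (0 if f.handshake else 1)
    verdicts = []
    for r in rules:
        for (src, dport, minute), d in dsts.items():
            if dport != r.dport or len(d) <= r.max_dst:
                continue
            k = (src, dport, minute)
            verdicts.append(Verdict(src, r.name, minute, len(d), failed[k] / total[k],
                                    r.protect, NOTIFY_TEMPLATE.format(rule=r.name)))
    return sorted(verdicts, key=lambda v: (v.minute, v.subscriber))


def enforce(verdicts: List[Verdict]) -> Dict[str, Dict[str, object]]:
    """Tiers 2 and 3, Protect and Notify: one quarantine state per flagged subscriber."""
    state: Dict[str, Dict[str, object]] = {}
    for v in verdicts:
        s = state.setdefault(v.subscriber, {"quarantined": False, "protect": [], "notified": False})
        s["quarantined"] = True
        if v.protect not in s["protect"]:
            s["protect"].append(v.protect)
        s["notified"] = True
    return state


def sample_flows() -> List[Flow]:
    """Constructed minute of traffic: one spam zombie, one scanner, one normal user."""
    flows = []
    # 10.0.0.5: 40 SMTP connection attempts to 40 different hosts, most unanswered
    flows += [Flow(1, "10.0.0.5", f"198.51.100.{i}", 25, handshake=(i % 4 == 0)) for i in range(40)]
    # 10.0.0.7: SYNs to 50 hosts on TCP/445, none completing
    flows += [Flow(1, "10.0.0.7", f"203.0.113.{i}", 445, handshake=False) for i in range(50)]
    # 10.0.0.9: three messages through its provider's mail server
    flows += [Flow(1, "10.0.0.9", "192.0.2.10", 25, handshake=True) for _ in range(3)]
    return flows
```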
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - Carrier Ethernet/MPLS/IP - SCE - Internet; VAS Server; inbound and outbound traffic; X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
- Typical insertion point - Broadband Edge/Aggregation
- Directly after the subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP/Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful Analysis Engine with application awareness sees all packets in both directions
- The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
(Diagram: Analysis Engine with PDR (Police, Drop, Rewrite) actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port-span
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
(Diagram: Subscribers - optical splitter - SCE - optical splitter - Network)
High Availability Cascading Configurations
- Addressing split-flows between the two links
- Providing 1+1 Active-Standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, each on an active link)
Redundant Configurations: Active/Standby Schemes
1+0:
- Active/Standby SCE on the active link
- On failure, the network uses an alternate path
- No service redundancy
- Bypass config: fail opened
1+1:
- Active/Standby SCE on each link
- On failure, the network uses an alternate path
- Standby SCE resumes service
- Bypass config: fail opened
(Diagram: active link and standby links)
Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases: in case of a major failure in the SCE SW or HW; manually via CLI; on boot
(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state)
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
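The two properties the concept relies on are that both directions of a subscriber's flows reach the same SCE, and that a device failure moves only that device's subscribers onto the spare. The model below is an added example written for this page, not Cisco's 7600 or SCE code: the bucket count, the hash and the port names are assumptions, and the real dispatch is done by the chassis EtherChannel hashing rather than in software.

```python
import hashlib
import ipaddress
from typing import Dict, List, Optional

BUCKETS = 256  # hash space (assumed); each bucket is owned by exactly one SCE-facing port


class NPlus1Dispatcher:
    """Subscriber-affine flow dispatch with one spare SCE (hypothetical model of the N+1 concept)."""

    def __init__(self, active_ports: List[str], spare_port: str) -> None:
        self.spare: Optional[str] = spare_port
        self.failed: List[str] = []
        # Every bucket maps to one active port; a subscriber's bucket only changes if its port fails.
        self.owner: Dict[int, str] = {b: active_ports[b % len(active_ports)] for b in range(BUCKETS)}

    @staticmethod
    def bucket(subscriber_ip: str) -> int:
        packed = ipaddress.ip_address(subscriber_ip).packed
        return int.from_bytes(hashlib.sha256(packed).digest()[:4], "big") % BUCKETS

    def port_for(self, src_ip: str, dst_ip: str, direction: str) -> str:
        """Key both directions on the subscriber address so all of a subscriber's flows share one SCE.
        direction is 'upstream' (subscriber -> network) or 'downstream' (network -> subscriber)."""
        subscriber_ip = src_ip if direction == "upstream" else dst_ip
        return self.owner[self.bucket(subscriber_ip)]

    def fail(self, port: str) -> int:
        """Move only the failed port's buckets to the spare; every other subscriber keeps its SCE and state."""
        if port in self.failed:
            raise RuntimeError(f"{port} already failed")
        if self.spare is None:
            raise RuntimeError("no spare left: N+1 tolerates a single failure until the spare is replaced")
        moved = [b for b, p in self.owner.items() if p == port]
        for b in moved:
            self.owner[b] = self.spare
        self.failed.append(port)
        self.spare = None
        return len(moved)
```

The point of hashing on the subscriber address alone, rather than on the full 5-tuple, is that per-subscriber state (quota counters, package, open flows) never has to be shared between devices; the cost is that one heavy subscriber cannot be spread across SCEs.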
Network Architectures: SCE's Open and Extensible Architecture
[Figure: deployment options (N+1, 1+1 HA, bypass HA) placed between the access nodes (GGSN for mobile, BRAS/LAC/LNS for DSL and fiber) and the Internet, with accounting and policy control systems attached]
Packet Inspection in Tunneling Environments: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation and tunneling techniques, including:
  VLAN 802.1Q tagging
  MPLS traffic engineering
  L2TP tunneling
  IP-in-IP tunneling
  GRE and GTP planned for end of 2009
[Figure: encapsulation stacks such as MPLS | L2TP | PPP | IP | TCP | payload; the SCE classifies the inner IP/TCP payload]
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
[Figure: Service Control Engine between subscribers and the network; Subscriber Manager integrating AAA, DHCP, RADIUS and billing; Collection Manager feeding the reporting tool and Engage console; policy server and service portal]
Management and Integrations

Function                       Description                                              Protocols and Tools          External Software Modules
Network Management             FCAPS                                                    SNMP, CLI, SSH               N/A
Policy/Service Configuration   Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML   Service Control Application Suite GUI
Subscriber Management          Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection                Collection of usage data for reporting and billing       NetFlow v9, RDR protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2)
  MIB-II
  Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  Traps: MIB-II traps, RDR link up/down, link status up/down
CLI
  Telnet/SSH
  Cisco look and feel
  CLI configuration wizard
Of the options listed, SNMPv2c and Telnet send the community string or password in cleartext; on a device that holds per-subscriber policy and can activate bypass, management should be limited to SSH on a dedicated management network, with SNMP restricted to read-only access from the management stations.
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites (SCE, CM, SM database)
Batch management of devices and sites
  Apply configuration
  Update signatures
  Update software
Common management operations
  View device status
  Retrieve log
  Activate bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bidirectional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View, load and edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
  Subscriber-ID: ID of the subscriber context
  Network-ID: IP addresses used to map traffic to the context
  Policy-ID: ID of the policy (package) defining the rules
  Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
  RADIUS AAA
  DHCP servers
  Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull modes:
  Push: login messages are sent directly to the relevant SCE device
  Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
[Figure: B-RAS, RADIUS server, Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller), SCE and subscribers. Message sequence:
  1. (RADIUS) Accounting Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
  2. (RADIUS relay) Accounting Start forwarded to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
  3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE]
Subscriber Manager: RADIUS Integration - Pull
[Figure: same components as the push case. Message sequence:
  1. (RADIUS) Accounting Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
  2. (RADIUS relay) Accounting Start forwarded to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
  3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
  4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE]
RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEG translates the AAA or DHCP event into SM operations:
  Login: subscriber ID, domain, mappings, lease time, policy
  Logout: subscriber ID, mappings
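The three preceding slides describe the same exchange from different angles: an Accounting-Start carrying User-Name, Framed-IP-Address and a package-id VSA becomes an IP-to-subscriber mapping, which is either pushed to the SCE or pulled by it. The code below is an added example for this page, not the Subscriber Manager or a Cisco LEG. It encodes and parses RFC 2866 Accounting-Requests, and its security point is the Request Authenticator check: a listener that skips it will accept a forged Accounting-Start from anyone who can reach it and attach any package to any IP. The vendor id and sub-type used for the SCE-VAS-PID attribute are assumptions, as is the B-RAS identifier.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
# The slide's SCE-VAS-PID (package id) is a VSA; vendor id 9 and sub-type 250 are assumptions
# for this example, not the real attribute numbers.
VSA_VENDOR, VSA_PID_TYPE = 9, 250
Attr = Tuple[int, bytes]


def build_accounting_request(secret: bytes, ident: int, attrs: List[Attr]) -> bytes:
    """Accounting-Request per RFC 2866: authenticator = MD5(header | 16 zero octets | attrs | secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    return struct.pack("!IBB", vendor, vtype, len(value) + 2) + value


def parse_attrs(body: bytes) -> Dict[object, bytes]:
    """Length-checked attribute walk; VSAs are keyed by (26, vendor, sub-type)."""
    attrs: Dict[object, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("attribute length outside packet")
        value = body[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed VSA")
            attrs[(VENDOR_SPECIFIC, struct.unpack("!I", value[:4])[0], value[4])] = value[6:]
        else:
            attrs[t] = value
        i += length
    return attrs


class SubscriberManager:
    """Push: a verified Accounting-Start/Stop creates or removes the IP-to-subscriber mapping.
    Pull: the SCE asks who_is_using(ip) when it sees traffic from an address it has no context for."""

    def __init__(self, shared_secret: bytes) -> None:
        self.secret = shared_secret
        self.by_ip: Dict[str, Tuple[str, int]] = {}

    def on_accounting(self, pkt: bytes) -> Optional[str]:
        if len(pkt) < 20:
            raise ValueError("short RADIUS packet")
        code, _ident, length = struct.unpack("!BBH", pkt[:4])
        if code != ACCT_REQUEST or length != len(pkt):
            raise ValueError("not an Accounting-Request of the declared length")
        body = pkt[20:]
        expected = hashlib.md5(pkt[:4] + bytes(16) + body + self.secret).digest()
        # Without this check anyone who can reach the listener can log in any user at any IP.
        if not hmac.compare_digest(pkt[4:20], expected):
            raise ValueError("Request Authenticator mismatch: not from a NAS holding the shared secret")
        a = parse_attrs(body)
        ip = str(ipaddress.IPv4Address(a[FRAMED_IP_ADDRESS]))
        status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
        if status == ACCT_START:
            raw_pid = a.get((VENDOR_SPECIFIC, VSA_VENDOR, VSA_PID_TYPE))
            pid = struct.unpack("!I", raw_pid)[0] if raw_pid else 0
            self.by_ip[ip] = (a[USER_NAME].decode(), pid)
            return "login"
        if status == ACCT_STOP:
            self.by_ip.pop(ip, None)
            return "logout"
        return None

    def who_is_using(self, ip: str) -> Optional[Tuple[str, int]]:
        return self.by_ip.get(ip)


def accounting_packet(secret: bytes, ident: int, user: str, ip: str, pid: int, status: int = ACCT_START) -> bytes:
    """Constructed B-RAS message in the shape of the slide: User-Name, Framed-IP-Address, SCE-VAS-PID."""
    return build_accounting_request(secret, ident, [
        (USER_NAME, user.encode()),
        (NAS_IDENTIFIER, b"bras-1"),
        (FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ACCT_STATUS_TYPE, struct.pack("!I", status)),
        (VENDOR_SPECIFIC, vsa(VSA_VENDOR, VSA_PID_TYPE, struct.pack("!I", pid))),
    ])


def accepted(sm: SubscriberManager, pkt: bytes) -> bool:
    """True if the SM accepted the packet, False if it was rejected as malformed or unauthenticated."""
    try:
        sm.on_accounting(pkt)
        return True
    except ValueError:
        return False
```

A sniffer-style LEG that only observes the RADIUS exchange cannot do this verification unless it too holds the shared secret; in that deployment the trust rests entirely on the network path between NAS and RADIUS server being closed to injection.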
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
  SCE API: allows direct subscriber management on the SCE (provided in Java)
  SM API: allows dynamic subscriber management (provided in C and Java)
  SCE MIB: allows integration for maintenance operations
  RDRs: allow integration for billing and quota provisioning
  NetFlow v9: allows integration for billing and quota provisioning
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: policy server - API - Subscriber Manager - API - SCE]
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF is through a standard Gx interface
The Gx interface is still under development and will be available in a future release
[Figure: GGSN, access aggregation and service control, converged packet core, SCE as PCEF, Internet; subscriber service control for video/VoIP applications and services; numbered steps 1 to 4]
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages. Attributes supported include:
  Called-Station-Id
  3GPP-SGSN-IP-Address
  3GPP-SGSN-MCC-MNC
  3GPP-GPRS-Negotiated-QoS-Profile
  3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
  Cisco-bundled Collection Manager
  Third-party database
Configurable data granularity
  Interval between RDRs
  Sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
  TCP, binary encoded
  Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms
[Figure: the SCE streams RDRs over TCP to a mediation/collection platform; each RDR is a header followed by field 0, field 1, ..., field n]
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
  Subscriber Usage (NUR)
  Package Usage (PUR)
  Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Figure: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow collector (NetFlow Reporter)]
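Because NetFlow v9 is template-based, a collector receiving SCE export must learn the template before it can read a single data record, and it must keep templates per exporter and source id so that two devices using the same template number do not corrupt each other's records. The decoder below is an added example for this page, not the SCMS Collection Manager or Cisco NFC; it implements the RFC 3954 layout with standard field types only (the SCE's L7 extension fields are not modelled), and the export packet it decodes is constructed inline.

```python
import struct
from typing import Dict, List, Tuple

# Standard NetFlow v9 field types (RFC 3954). The SCE's L7 extensions are not modelled here.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
Stream = Tuple[str, int]  # (exporter address, source id): templates are scoped to this pair


def build_v9_packet(seq: int, source_id: int, template_id: int,
                    fields: List[Tuple[int, int]], rows: List[List[bytes]]) -> bytes:
    """Constructed export packet: 20-byte header, one template flowset, one data flowset."""
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(b"".join(r) for r in rows)
    pad = (-len(data)) % 4
    data_fs = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + bytes(pad)
    header = struct.pack("!HHIIII", 9, 1 + len(rows), 1000, 1_250_000_000, seq, source_id)
    return header + tmpl_fs + data_fs


class NetFlowV9Decoder:
    def __init__(self) -> None:
        self.templates: Dict[Tuple[str, int, int], List[Tuple[int, int]]] = {}
        self.last_seq: Dict[Stream, int] = {}
        self.lost_packets = 0       # sequence gaps: lost export, or a second sender using this source id
        self.dropped_flowsets = 0   # data that arrived before its template and could not be decoded

    def decode(self, exporter: str, pkt: bytes) -> List[dict]:
        if len(pkt) < 20:
            raise ValueError("short NetFlow packet")
        version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError(f"unexpected NetFlow version {version}")
        stream: Stream = (exporter, source_id)
        if stream in self.last_seq and seq != self.last_seq[stream] + 1:
            self.lost_packets += (seq - self.last_seq[stream] - 1) % (1 << 32)
        self.last_seq[stream] = seq
        records: List[dict] = []
        off = 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("flowset length outside packet")
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(stream, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(stream, fs_id, body))
            off += fs_len  # ids 1..255 (options templates and reserved) are skipped here
        return records

    def _learn_templates(self, stream: Stream, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            template_id, n = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if off + 4 * n > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(n)]
            off += 4 * n
            self.templates[stream + (template_id,)] = fields

    def _decode_data(self, stream: Stream, template_id: int, body: bytes) -> List[dict]:
        fields = self.templates.get(stream + (template_id,))
        if fields is None:
            self.dropped_flowsets += 1
            return []
        rec_len = sum(l for _, l in fields)
        out: List[dict] = []
        off = 0
        while rec_len and off + rec_len <= len(body):  # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = ".".join(map(str, raw)) if name.endswith("_addr") and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


def decode_sample() -> Tuple[List[dict], NetFlowV9Decoder]:
    """Decode one constructed packet: a template (id 256) followed by a single HTTPS flow record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    rows = [[bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]), struct.pack("!H", 51234),
             struct.pack("!H", 443), b"\x06", struct.pack("!I", 84_211), struct.pack("!I", 97)]]
    dec = NetFlowV9Decoder()
    return dec.decode("sce-1", build_v9_packet(1, 7, 256, fields, rows)), dec
```

Export runs over UDP with no authentication, so the exporter address used to key templates is itself spoofable; in practice the collector should accept export only from the SCE management addresses and from the management network, since a forged template flowset would silently redefine how billing records are read.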
Collection Manager: Software Overview
CM software
  Unix (Solaris, Linux) Java software
  Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  Template-driven reporting tool (100+ report templates)
CM bundle
  Cisco provides the collection software pre-packaged with a DB (Sybase)
  Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  Per package
  Per service
  Per direction (upstream/downstream)
[Figure: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP are marked on the SCE]
ToS Classification
SCE provides traffic classification based on the ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Because the marking is taken at face value and overrides signature classification, the element that sets it has to be the only one able to reach the SCE with it: DSCP arriving from the subscriber side must be re-marked at the access edge, otherwise a subscriber can pick its own service level by setting the bits on its own packets.
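The two ToS slides together describe a classify-then-mark pipeline in which DSCP is an input on one side of the device and an output on the other. The code below is an added example written for this page, not SCE code: it treats downstream DSCP (set by the operator's own elements) as trusted and upstream DSCP (set by the subscriber) as untrusted, classifies accordingly, and then re-marks per package, service and direction, fixing the IPv4 header checksum. The marking table, the package and service names and the port-based stand-in for the signature engine are all assumptions; packets are constructed inline as a 20-byte IPv4 header plus the two L4 ports.

```python
import ipaddress
import struct
from typing import Callable, Dict, Tuple

CS0, CS1, AF41, EF = 0, 8, 34, 46

# Marking table in the shape the ToS Marking slide describes: (package, service, direction) -> DSCP.
# Packages, services and code points are assumptions for the example.
MARKING: Dict[Tuple[str, str, str], int] = {
    ("gold", "voip", "upstream"): EF,
    ("gold", "voip", "downstream"): EF,
    ("gold", "browsing", "downstream"): AF41,
    ("default", "p2p", "upstream"): CS1,
    ("default", "p2p", "downstream"): CS1,
}
# Code points the operator's own elements are known to set; drives DSCP-first classification.
TRUSTED_DSCP_SERVICE = {EF: "voip", AF41: "browsing"}


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, dscp: int, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum and 4 bytes of L4 payload declared."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 24, 0, 0, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr)


def make_packet(src: str, dst: str, proto: int, dscp: int, sport: int, dport: int) -> bytes:
    return ipv4_header(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       proto, dscp) + struct.pack("!HH", sport, dport)


def dscp_of(pkt: bytes) -> int:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return pkt[1] >> 2


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the ECN bits, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(hdr))
    return bytes(hdr) + pkt[ihl:]


def port_signature(pkt: bytes) -> str:
    """Stand-in for the signature engine: looks at protocol and the two ports only."""
    proto = pkt[9]
    ports = struct.unpack("!HH", pkt[20:24])
    if proto == 17 and 5060 in ports:
        return "voip"
    if proto == 6 and (80 in ports or 443 in ports):
        return "browsing"
    return "p2p"


def process(pkt: bytes, package: str, direction: str,
            signature: Callable[[bytes], str] = port_signature) -> Tuple[str, str, bytes]:
    """Classify, then mark. Returns (service, classification method, packet as forwarded)."""
    dscp = dscp_of(pkt)
    # DSCP takes precedence over signatures only for downstream packets, whose marking was set by
    # the operator's own elements. Upstream DSCP is under the subscriber's control and is ignored.
    if direction == "downstream" and dscp in TRUSTED_DSCP_SERVICE:
        service, method = TRUSTED_DSCP_SERVICE[dscp], "dscp"
    else:
        service, method = signature(pkt), "signature"
    # Re-mark per package/service/direction; without a rule the packet leaves as best effort, so a
    # subscriber-chosen code point never propagates into the core.
    out_dscp = MARKING.get((package, service, direction), CS0)
    return service, method, set_dscp(pkt, out_dscp)
```

The default of resetting to CS0 is the important line: a marking feature that leaves unknown traffic untouched would forward the subscriber's own DSCP into the core, where downstream devices that trust it (including the SCE's own DSCP-first classification on the return path) would act on it.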
Summary
Cisco SCE Sample Customers
[Figure: customer logos grouped by Mobile, DSL and Cable]
[Figure: partner and customer logos by use case. Use cases shown: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising. Partners shown: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local partners in China and Italy. Operators shown: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom]
[Figure: partner and customer logos by use case, continued. Use cases shown: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing. Partners shown: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle. Operators shown: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet]
Service Control Engine: Functional Examples
[Figure: functions arranged on an axis from cost management to revenue generation around the Service Control technology. Categories: Service Security; Traffic Optimization; Usage Analysis; Tiering & Access Control; Premium Service Enablement; Content Charging. Examples listed:
  Traffic anomaly detection and DDoS protection
  Anti-X (spam, worms)
  Safe harbor and quarantine services
  Traffic mix optimization
  Fair use policy enforcement
  QoS assurance
  Traffic analysis and reporting
  Quality of experience monitoring
  Usage demographics
  Service self-selection
  Volume- and time-based tiering of services
  Bandwidth on demand (turbo button)
  Over-the-top application partnership services
  Multimedia (voice/video) traffic prioritization
  Volume- and time-based billing services
  Parental control & content filtering]
Service Control Platforms

Category                                     SCE1000                 SCE2000                           SCE8000
Interfaces                                   2 GBE (fiber SX/LX)     4 GBE (fiber SX/LX)               2 x 10G, 4 x 10G, 8 GBE, 16 GBE (fiber SX/LX/ZX)
Management interface                         2 x 10/100/1000 Eth     2 x 10/100/1000 Eth               2 x 10/100/1000 Eth
Max concurrent unidirectional app flows      2M                      2M                                16M (can grow up to 32M)
Max subscriber contexts                      200,000                 200,000                           1M
Network configuration                        Out of line, inline     Out of line, inline, clustering   Out of line, inline, clustering
SCE Product Family and Milestones
[Figure: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps, with the SCE 1000, SCE 2000 and SCE 8000 placed along the curve]
SCE 8000: 2 x 10G, 4 x 10G, 8 x GBE and 16 x GBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of 2009); up to 1M concurrent subscribers; complete modularity, with FRU AC or DC power supplies, fans, cards, interfaces and optics
Cisco SCE in Mobile
Industry-leading deep packet inspection (DPI)
Rich set of IP services: content filtering, content charging, traffic optimization, usage analysis
3GPP compliant
The SCE Mobile Solution
[Figure: SGSN/GGSN - SCE - core - Internet, with AAA (RADIUS), policy server, portal/applications and billing & charging systems attached to the SCE]
The SCE Mobile Solution - 3GPP Compliance
[Figure: the same topology with the 3GPP roles: SCE as PCEF; policy server as PCRF over Gx; billing & charging as OCF SRP over Gy; portal/applications as AF]
What does an SCE solution look like? SCE sits at the access or aggregation layer
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
[Figure: Service Control Engine between subscribers and the network; Subscriber Manager with AAA, DHCP, RADIUS and billing; Collection Manager with the reporting tool and Engage console; policy server and service portal]
Service Control Engine Deployment Approaches
[Figure: three stages along an axis from usage analysis to service creation, supported by portal, DHCP, AAA, subscriber profile and policy systems]
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue-Generating Services: implement tiered services using volume- and time-based quotas; implement service self-selection; implement an over-the-top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
What Does a Service Provider Want From SCE? Profitability
URL blacklisting: restricting sites that are blacklisted by governments
Precision advertising: demographic information and per-subscriber redirection to an ad server
Copyright infringement blocking: blocking the distribution of pirated film and music
OTT revenue share proposition: application intercept for Internet content prioritisation
Enhanced tiered services: product tiers in addition to flat-rate all-you-can-eat
Usage/content-based billing: global migration from flat rate to usage based
Fair use policy: all HSDPA mobile operators
[Figure: flat-rate and restricted offerings evolving into the services above]
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
[Figure: a Measure - Analyze - Compare - Decide - Act cycle. Measure (Cisco Service Control): transaction information, network utilization, service QoE. Analyze: data aggregation, data mining, correlation, trend analysis. Compare: geographies comparison, histogram view, intersecting set. Decide: service offering, marketing review, engineering review, IT review. Act (Cisco Service Control): network tuning, cooperation. Side labels: strategic; part of business ops; customer; sales; category recognition]
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Figure: all HTTP requests versus only ClickStream requests]
Cumulative & Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued about once every 2.5 months
  Enhancements for existing clients, protocols and applications
  New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
  Signatures are more complex (encryption)
  Protocol signatures are evolving all the time (new application versions)
  Many geography-specific applications
  In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (behavioral P2P)
Cost-effective: behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market, zero-day response: behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level):
  Application: sessions or bandwidth
  Time based: peak/off-peak hours
  Congestion: selective prioritization
  Subscriber: per-subscriber limits
  Destination: on-net, peering, transit
Policy implementation impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Figure: a subscriber's bandwidth shared between the peer-to-peer service, web browsing and email; when the user launches video (mobile TV), the peer-to-peer share is reduced to make room for it]
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
[Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources]
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
  Apply equitable distribution of network resources
  Improve the quality of experience that the network delivers
  Minimize service abuse
FairUsage works only during congestion times
[Figure: no fairness (some subscribers not getting a fair share of the bandwidth) versus fair allocation of bandwidth with the SCE's FairShare]
RAN Optimization and Backhaul Optimization
Addresses the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Figure: UTRAN - SGSN/GGSN - SCE - Internet (GPRS), with a policy server attached to the SCE]
Tiered Services
Requirement: Flexible Billing Plans
Subscription (volume, time): bill by bandwidth usage over an always-on service
Subscription (time, volume, transaction, content type): bill differently for each type of application and content
Subscription (volume, transaction, content type, usage pattern, quality of service): bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance- or Quota-Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "pay as you go" option; after two hours the session can either be terminated or the user can purchase more usage
Quota Measurement Enforcement Solution
SCE capabilities:
  Stateful classification of the end application regardless of port number
  Subscriber-based classification for detailed demographics data
  No load added on the existing network infrastructure
  End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Figure: subscribers - Service Control Engine - network, with quota manager, billing/mediation and policy server attached]
Quota Measurement Flexibility
Content that has revenue other than access revenue can be exempted from quota counting:
  SP's content delivery store
  P2P technology can also be supported in the upload direction via DPI
  SP's gaming services
  SP's VoIP service
  Partnership content delivery services
The quota measurement rate can change with the time of day:
  Peak hour: 1 byte of transfer = 1 byte of quota
  Middle of the night: 10 bytes of transfer = 1 byte of quota
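The rules on this slide (service exemptions and a time-of-day rate) combine with the exhaustion behaviour described for the Telenet deployment later in the deck (redirect to a portal once, then reduced speed until the subscriber extends). The code below is an added example for this page, not the SCE or Subscriber Manager quota implementation: the plan values, the off-peak hours and the service names are assumptions, and usage is accounted from already classified byte counts.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class QuotaPlan:
    """Monthly volume allowance with the two flexibilities the slide lists (assumed values)."""
    monthly_bytes: int
    exempt_services: FrozenSet[str]            # revenue-bearing services that are not counted
    off_peak_hours: Tuple[int, ...] = (0, 1, 2, 3, 4, 5)
    off_peak_bytes_per_quota_byte: int = 10    # "10 bytes of transfer = 1 byte of quota"


@dataclass
class SubscriberQuota:
    plan: QuotaPlan
    used: int = 0
    purchased: int = 0          # top-ups bought through the portal this month
    redirected: bool = False    # the portal is shown once; afterwards the reduced-speed state applies

    def allowance(self) -> int:
        return self.plan.monthly_bytes + self.purchased

    def remaining(self) -> int:
        return max(self.allowance() - self.used, 0)

    def charge(self, service: str, nbytes: int, at: datetime) -> str:
        """Account one usage report and return the enforcement state to apply to the subscriber."""
        if nbytes < 0:
            raise ValueError("usage reports are non-negative")
        if service not in self.plan.exempt_services:
            divisor = self.plan.off_peak_bytes_per_quota_byte if at.hour in self.plan.off_peak_hours else 1
            self.used += -(-nbytes // divisor)   # round up so partial quota bytes still count
        return self.state()

    def state(self) -> str:
        if self.used < self.allowance():
            return "full_speed"
        if not self.redirected:
            self.redirected = True
            return "redirect_to_portal"   # once: extend, pay as you go, or stay on narrowband
        return "reduced_speed"

    def extend(self, nbytes: int) -> str:
        """Portal option 'extend subscription': more volume, and full speed resumes."""
        if nbytes <= 0:
            raise ValueError("extension must add volume")
        self.purchased += nbytes
        self.redirected = False
        return self.state()

    def new_month(self) -> None:
        self.used, self.purchased, self.redirected = 0, 0, False
```

Exemptions are decided on the classified service, so they inherit whatever the classifier gets wrong: if the SP's VoIP service is recognised by a signature that other traffic can imitate, that traffic rides free of quota, which is one reason to prefer exempting by destination (the SP's own address space) where that is possible.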
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the online charging server
The Gy interface is still under development and will be available in a future release
[Figure: GGSN, access aggregation and service control (SCE), converged packet core, Internet; subscriber service control for video/VoIP applications and services; numbered steps 1 to 3]
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
[Figure: SCE - Gy over Diameter - online charging server; SCE - Internet]
The Gy interface is still under development and will be available in a future release
Quota-Based Tiering: Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at the reduced speed till the end of the month
15% of the customers upgrade their quota every month
[Figure: Telenet subscriber self-care portal: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber:
  Extend the subscription (buy more)
  Pay as you go on broadband
  Continue for free on narrowband
Quota-Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer satisfaction
T-Mobile - Quota-Based With Application Control

Feature            Default     WnW   WnW Pro   WnW   WnW Plus   WnW Max   Post Pay Day Pass
Allowance          Unlimited   2GB   2GB       1GB   3GB        10GB
VoIP               √           ×     ×         ×     ×          √         ×
IM                 √           ×     ×         ×     √          √         ×
P2P                √           ×     √         ×     √          √         ×
FTP                √           ×     √         ×     √          √         ×
Media streaming    √           ×     √         ×     √          √         ×
Web browsing       √           √     √         √     √          √         √
Downloads          √           ×     √         √     √          √         √
Email              √           √     √         √     √          √         √
Handset as modem   √           ×     √         ×     √          √         ×
European Mobile BB: Web, 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
[Figure: Vodafone Spain consumer Internet offering (http://www.vodafone.es/particulares/internet), with the figure "> 40" called out]
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (IPTV/VoD, gaming, messaging, music, voice)
[Figure: broadband access with application awareness and a control bus linking the SCE to the applications]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
  Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
  Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
  Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
  Copyright infringement: validate that distributed content does not infringe copyrights
  Advertisement insertion: perform local advertisement insertions
  Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
  Application-based control on a per-subscriber basis
  Integrates with the AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalization per user, including self-subscription and account refresh, e.g. new consumer service activation
[Figure: personalization via self-selection portal screenshot]
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering

Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content-provider partnership
(Portal screenshot: "Content Blocked - Click here to unlock all Internet sites"; diagram label: Internet)

URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integrations are with Websense and Adaptive Mobile
On-device URL filtering with external database integration (flow): URL not in cache -> URL Query RDR -> 3rd-party URL database -> return URL classification -> cache lookup/update

Subscriber Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64 kbps
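The cache-in-front-of-external-database lookup and the package table above, as an added Python example (not Cisco's code and not the SCE's Java API): the external database contents, the cache size and TTL, the host names and the list ID used for the DEFAULT column are constructed for the example. It classifies by the parsed, normalized host name rather than the raw URL string, so that letter case, a trailing dot or a decoy user-info prefix cannot dodge the list, and it counts external transactions so the effect of the on-board cache is visible.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

DEFAULT_LIST = 0  # assumed ID for the "DEFAULT" column: hosts the external DB does not list

# Constructed stand-in for the 3rd-party URL database: normalized host -> list ID
EXTERNAL_URL_DB = {
    "casino.example.com": 2,
    "social.example.net": 1,
    "kids.example.org": DEFAULT_LIST,
}

# Package policy matrix from the slide: package -> {list ID: action}
PACKAGES = {
    "Block-none":     {DEFAULT_LIST: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


def normalize_host(url):
    """Classify by the real destination host, not by the URL text.
    urlsplit() lowercases the host and drops user-info and port; the trailing dot of an
    absolute DNS name is stripped so 'example.com.' and 'example.com' share one entry."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return host.rstrip(".")


class UrlClassifier:
    """On-device cache in front of the external database (TTL + LRU bounded)."""

    def __init__(self, external_db, max_entries=10000, ttl_seconds=300):
        self.external_db = external_db
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.cache = OrderedDict()   # host -> (list_id, inserted_at)
        self.external_queries = 0    # transactions sent to the external DB

    def classify(self, url, now):
        host = normalize_host(url)
        entry = self.cache.get(host)
        if entry is not None and now - entry[1] < self.ttl:
            self.cache.move_to_end(host)          # LRU: refresh position on a hit
            return entry[0]
        # Cache miss or expired entry: one transaction to the external database
        self.external_queries += 1
        list_id = self.external_db.get(host, DEFAULT_LIST)
        self.cache[host] = (list_id, now)
        self.cache.move_to_end(host)
        if len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)        # evict the least recently used host
        return list_id


class UrlFilter:
    def __init__(self, classifier, packages):
        self.classifier = classifier
        self.packages = packages

    def decide(self, package, url, now):
        """Return the action (ALLOW / BLOCK / RATE ...) for one HTTP request."""
        rules = self.packages[package]            # an unknown package is a config error, not a silent ALLOW
        list_id = self.classifier.classify(url, now)
        return rules.get(list_id, rules[DEFAULT_LIST])


if __name__ == "__main__":
    f = UrlFilter(UrlClassifier(EXTERNAL_URL_DB), PACKAGES)
    for pkg, url in [("Block-and-slow", "http://casino.example.com/"),
                     ("Block-all", "http://kids.example.org@casino.example.com/"),
                     ("Block-all", "http://unlisted.example/")]:
        print(pkg, url, "->", f.decide(pkg, url, now=0))
```

Note what the DEFAULT column means in practice: a host the external database does not know lands in DEFAULT and is allowed by every package, so a "Block-all" package is only as complete as the database behind it. Before relying on this as a parental control, check what the classification returns when the external lookup fails or times out, not only when it answers.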

Parental Control and Content Filtering: Example
Content Filtering
(Screenshot: "Page Blocked - Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
(Diagram: the ISP holds demographics, browsing habits and geo-location; BetterAds sits between advertiser, publisher and consumer)
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through opt-in / opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes OTT traffic and redirects it to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
(Diagram: SCE between subscribers and the Internet; OTT video, other OTT/P2P and VoIP flows pass through it. The SCE redirects OTT traffic to the OTT Video Cache; the cache delivers the requested files.)
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer-support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: threat identification using stateful traffic processing; alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: Service Control between the subscribers, the SP's email servers and the Internet; sample notification shown to a quarantined subscriber:)
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
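The identify / protect / notify loop above, as an added Python example (not Cisco's code): a stateful per-subscriber counter flags a host that opens outbound SMTP sessions to more than a threshold of distinct Internet hosts inside a sliding window (an anomaly check of the kind the slide describes); once quarantined, the subscriber keeps SMTP only to the SP's own mail servers and has web requests redirected to a notification page. The flow records, the SP relay address, the window, the threshold and the notification URL are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SMTP_PORT, HTTP_PORT = 25, 80
SP_MAIL_SERVERS = {"10.0.0.25"}                        # constructed: the SP's own outbound relay
WINDOW_SECONDS = 60                                    # sliding window for the anomaly check (assumed)
MAX_DISTINCT_SMTP_PEERS = 20                           # identification threshold (assumed)
NOTIFY_URL = "http://portal.example.net/quarantine"    # hypothetical notification page


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds
    subscriber: str    # subscriber context, not just the source IP
    dst_ip: str
    dst_port: int


class SpamZombieGuard:
    """Identify -> Protect -> Notify for a subscriber that turns into a spam zombie."""

    def __init__(self, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_SMTP_PEERS):
        self.window = window
        self.threshold = threshold
        self._smtp_peers = defaultdict(deque)   # subscriber -> deque of (ts, dst_ip), oldest first
        self.quarantined = {}                   # subscriber -> ts when identified
        self.alerts = []                        # (ts, subscriber, distinct peers) for SP operations

    def _prune(self, subscriber, now):
        peers = self._smtp_peers[subscriber]
        while peers and now - peers[0][0] > self.window:
            peers.popleft()

    def observe(self, flow):
        """Return the enforcement action for one new flow: 'allow', 'block' or 'redirect:<url>'."""
        if flow.subscriber in self.quarantined:
            # Protect: direct-to-MX mail is dropped; mail through the SP relay still works.
            if flow.dst_port == SMTP_PORT:
                return "allow" if flow.dst_ip in SP_MAIL_SERVERS else "block"
            # Notify: web traffic is redirected to the notification page.
            if flow.dst_port == HTTP_PORT:
                return "redirect:" + NOTIFY_URL
            return "allow"
        # Identify: count distinct direct-to-MX SMTP destinations inside the window.
        if flow.dst_port == SMTP_PORT and flow.dst_ip not in SP_MAIL_SERVERS:
            self._prune(flow.subscriber, flow.ts)
            self._smtp_peers[flow.subscriber].append((flow.ts, flow.dst_ip))
            distinct = len({ip for _, ip in self._smtp_peers[flow.subscriber]})
            if distinct > self.threshold:
                self.quarantined[flow.subscriber] = flow.ts
                self.alerts.append((flow.ts, flow.subscriber, distinct))
                return "block"
        return "allow"

    def release(self, subscriber):
        """Operator or portal clears the quarantine once the host has been cleaned."""
        self.quarantined.pop(subscriber, None)
        self._smtp_peers.pop(subscriber, None)


if __name__ == "__main__":
    guard = SpamZombieGuard()
    # Constructed flows: 'bob' sprays mail at 25 distinct hosts in TEST-NET-1 within a minute
    for i in range(1, 26):
        guard.observe(Flow(float(i), "bob", "192.0.2.%d" % i, SMTP_PORT))
    print("alerts:", guard.alerts)
    print("bob web:", guard.observe(Flow(30.0, "bob", "203.0.113.5", HTTP_PORT)))
```

A threshold of this kind produces false positives for legitimate mail relays and for many hosts behind one NAT address, which is why the quarantine is keyed on the subscriber context and is reversible, and why the alert records the evidence (count and window) that operations will need when the subscriber calls.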

Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - SCE on the Carrier Ethernet/MPLS/IP aggregation - Internet, with a VAS server attached to the SCE; inbound and outbound traffic pass through the SCE; X marks traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits a file which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header-rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: Analysis Engine with PDR = Police / Drop / Rewrite actions)

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
(Diagram: optical splitters between subscribers and network feeding the receive-only SCE)

High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, each on an active link)

Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail-open
1+1
Active/standby: SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass configuration: fail-open
(Diagram: active link and standby link for each scheme)

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules on its link ports; default bypass state (no power) vs. non-default bypass state)

MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability - provides N+1 device-level high availability addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
(Diagram: Internet - 7600 - N+1 SCEs; flows out, return flows back)

Network Architectures: SCE's Open and Extensible Architecture
(Diagram: SCEs deployed N+1, 1+1 HA and with bypass HA behind the GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber) aggregation, towards the Internet, with accounting/policy control alongside)

Packet Inspection: Tunneling Environment - SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
(Diagram: encapsulation stacks inspected through to the payload, e.g. MPLS / L2TP / IP / TCP / payload and PPP / IP / TCP / payload)

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
(Diagram: Service Control Engine between subscribers and the network; Subscriber Manager integrating with AAA, DHCP and RADIUS; Collection Manager feeding billing and the reporting tool; Engage console; service portal; policy server/portal)
Modular solution includes SCE devices, management tools and integration APIs

Management and Integrations

Function                      Description                                             Protocols and Tools         External Software Modules
Network Management            FCAPS                                                   SNMP, CLI, SSH              N/A
Policy/Service Configuration  Definition of policies and dissemination to SE devices  SCA-API, GUI, scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts               SM API, RADIUS              Subscriber Manager
Data Collection               Collection of usage data for reporting and billing      NetFlow v9, RDR-Protocol    Collection Manager

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH (Telnet and SNMPv2 carry credentials in cleartext; use SSH and keep management access on the management network)
Cisco look and feel
CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time report

Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration - Push
(Diagram: the B-RAS sends RADIUS accounting to the Cisco Subscriber Manager, whose Event Manager, internal SDB and SCE device controller push the login to the SCE in front of the subscribers)
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start relayed to the SM with the SCE policy attribute: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device

Subscriber Manager RADIUS Integration - Pull
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which has no mapping for the address and asks the SM: who is using IP 1.2.3.4?
4. (SM-API) SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
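The push and pull exchanges above, as an added Python example (not Cisco's Subscriber Manager or its SM-API): it builds the Acct-Start of the slides (User-Name Joe, Framed-IP-Address 1.2.3.4, an SCE-VAS-PID of 12 carried as a Vendor-Specific attribute), verifies the RFC 2866 Request Authenticator before binding the address to a subscriber context, learns the mapping (push) and answers who-is-using-this-IP queries (pull). The vendor ID and sub-type used for the VSA, the shared secret and the NAS identifier are assumptions; the slides do not give them. The authenticator check is the part worth keeping: an accounting record accepted without it lets anyone who can reach the SM's RADIUS port rebind an address to another subscriber's policy.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 / RFC 2866 code and attribute types
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 8, 26
ATTR_NAS_IDENTIFIER, ATTR_ACCT_STATUS_TYPE = 32, 40
ACCT_START, ACCT_STOP = 1, 2
# Assumed encoding of the slide's SCE-VAS-PID attribute (vendor ID and sub-type are placeholders)
VENDOR_ID, VSA_SCE_VAS_PID = 9, 1


def avp(attr_type, value):
    """One attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_acct_request(identifier, secret, attrs):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


def verify_acct_request(packet, secret):
    """True only if the record was produced with the shared secret and not altered in transit."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """[(type, value)]; a Vendor-Specific value becomes (vendor_id, vendor_type, data)."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + length]
        if attr_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("bad VSA")
            value = (struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]])
        attrs.append((attr_type, value))
        pos += length
    return attrs


class SubscriberManager:
    """Push: accounting records create/remove Network-ID -> (Subscriber-ID, Policy-ID) mappings.
    Pull: an SCE that sees traffic from an unknown address asks who_is()."""

    def __init__(self, secret):
        self.secret = secret
        self.by_ip = {}

    def handle_accounting(self, packet):
        if not verify_acct_request(packet, self.secret):
            return False                  # unauthenticated record: mappings stay untouched
        user = ip = status = pid = None
        for attr_type, value in parse_attributes(packet):
            if attr_type == ATTR_USER_NAME:
                user = value.decode("utf-8")
            elif attr_type == ATTR_FRAMED_IP_ADDRESS:
                ip = str(ipaddress.IPv4Address(value))
            elif attr_type == ATTR_ACCT_STATUS_TYPE:
                status = struct.unpack("!I", value)[0]
            elif attr_type == ATTR_VENDOR_SPECIFIC and value[:2] == (VENDOR_ID, VSA_SCE_VAS_PID):
                pid = int(value[2].decode("ascii"))
        if user is None or ip is None:
            return False
        if status == ACCT_START:
            self.by_ip[ip] = (user, pid)      # Set Subscriber (Joe, 1.2.3.4, 12)
        elif status == ACCT_STOP:
            self.by_ip.pop(ip, None)          # logout removes the mapping
        return True

    def who_is(self, ip):
        return self.by_ip.get(ip)


def sample_acct(secret, status, identifier=7):
    """The slide's record, constructed: Joe at 1.2.3.4, SCE-VAS-PID=12, from NAS 'bras-1' (assumed)."""
    return build_acct_request(identifier, secret, [
        avp(ATTR_USER_NAME, b"Joe"),
        avp(ATTR_NAS_IDENTIFIER, b"bras-1"),
        avp(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("1.2.3.4").packed),
        avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
        vsa(VENDOR_ID, VSA_SCE_VAS_PID, b"12"),
    ])


if __name__ == "__main__":
    secret = b"shared-secret"                 # constructed
    sm = SubscriberManager(secret)
    sm.handle_accounting(sample_acct(secret, ACCT_START))
    print("who is 1.2.3.4 ->", sm.who_is("1.2.3.4"))
```

The same structure applies to a sniffer LEG that learns mappings from accounting traffic it only observes: it cannot verify the authenticator on the NAS's behalf unless it also holds the secret, so its mappings are only as trustworthy as the path it sniffs on.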

RADIUS Integration: LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease-query LEG
The LEGs translate these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C and Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning
NetFlow v9 - allows integration for billing/quota provisioning

Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: Policy Server - API - Subscriber Manager - API - SCE)

PCEF - Subscriber Policy Enforcement
(Diagram: GGSN access aggregation and service control, with the SCE acting as PCEF towards the converged packet core and the Internet; video/VoIP applications and services; numbered steps between subscriber, SCE, PCRF and applications)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
(Diagram: RDR stream over TCP to the mediation/collection platform; each RDR = header, field 0, field 1, ... field n)

Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCE exporting to the SCMS Collection Manager / SCMS Reporter and to a NetFlow Collector / NetFlow Reporter)

Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- per package
- per service
- per direction (upstream / downstream)
(Diagram: browsing, P2P and VoIP flows marked upstream on the subscriber side and downstream on the network side)

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
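ToS classification and marking together, as an added Python example (not SCE code): a DSCP-to-service "flavor" table that takes precedence over whatever the signature engine said, and a per-package/service/direction marking table whose rewrite preserves the ECN bits and recomputes the IPv4 header checksum. The DSCP values are the standard RFC 2474/2597/3246 code points; the flavor table, the marking table, the package names and the sample packets are constructed.

```python
import ipaddress
import struct

# Standard DSCP code points (RFC 2474, RFC 2597, RFC 3246)
DSCP_BE, DSCP_CS1, DSCP_AF21, DSCP_AF41, DSCP_EF = 0, 8, 18, 34, 46

# Constructed ToS "flavor" table: a DSCP set by an upstream element -> service name
TOS_FLAVORS = {DSCP_EF: "VoIP", DSCP_AF41: "Video", DSCP_CS1: "P2P"}

# Constructed marking policy: (package, service, direction) -> DSCP to write; anything else is left alone
MARKING = {
    ("Gold", "VoIP", "upstream"): DSCP_EF,
    ("Gold", "Browsing", "downstream"): DSCP_AF21,
    ("Bronze", "P2P", "upstream"): DSCP_CS1,
    ("Bronze", "P2P", "downstream"): DSCP_CS1,
}


def ipv4_checksum(header):
    """Ones'-complement sum of the header in 16-bit words; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(dscp, ecn, src, dst, proto=6, payload=b""):
    """Minimal IPv4 packet (no options) with the given DSCP/ECN and a correct checksum."""
    tos = (dscp << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dscp_of(packet):
    return packet[1] >> 2


def classify_service(packet, signature_service):
    """DSCP-based classification wins over the signature result whenever the DSCP has a flavor."""
    return TOS_FLAVORS.get(dscp_of(packet), signature_service)


def remark(packet, dscp):
    """Rewrite the DSCP only: ECN bits kept, header checksum recomputed, payload untouched."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 packet")
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"                      # checksum field is zero while summing
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def process(packet, package, direction, signature_service):
    """Classify, then mark per package/service/direction. Returns (service, packet)."""
    service = classify_service(packet, signature_service)
    dscp = MARKING.get((package, service, direction))
    if dscp is None or dscp == dscp_of(packet):
        return service, packet
    return service, remark(packet, dscp)


if __name__ == "__main__":
    pkt = build_ipv4(DSCP_BE, 1, "10.2.2.2", "10.1.1.1", payload=b"GET /")   # constructed
    service, marked = process(pkt, "Gold", "downstream", "Browsing")
    print(service, "DSCP", dscp_of(pkt), "->", dscp_of(marked))
```

Because a DSCP flavor overrides the signature verdict, an SCE that classifies by ToS must sit behind an element that resets DSCP on subscriber-originated traffic; otherwise a subscriber who sets EF on their own packets is classified as VoIP by the SCE.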

Summary

Cisco SCE Sample Customers
(Logo slide: Mobile, DSL and Cable operators)

(Partner and customer matrix, first part)
Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partner technologies: Aladdin, Websense, Adaptive Mobile (security and content filtering); Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS (policy and billing); Websense and in-platform cache (URL black-listing); Phorm, Feeva, Adzilla, local China and local Italy partners (advertising)
Operator references: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom

(Partner and customer matrix, second part)
Categories: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Partner technologies: Oversi, CDS (caching/video); Audible Magic, Advestigo, Altnet (content infringement); Proxy, Business Objectives, Comability, Aqsacom, Info Vista (management/reporting); Business Objects, Oracle (data warehousing)
Operator references: various European and Asian operators; European legislators, content providers and initial POCs (content infringement); Telecom Italia, CYTA, Orange, T-Mobile, Telenet

Service Control Platforms

Category                                         SCE1000              SCE2000                          SCE8000
Interfaces                                       2-GBE (fiber SX/LX)  4-GBE (fiber SX/LX)              2-10G / 4-10G, or 8-GBE / 16-GBE (fiber SX/LX/ZX)
Mgmt interface                                   2 x 10/100/1000 Eth  2 x 10/100/1000 Eth              2 x 10/100/1000 Eth
Max concurrent unidirectional application flows  2M                   2M                               16M (can grow up to 32M)
Max subscriber contexts                          200,000              200,000                          1M
Network configuration                            Out of line, inline  Out of line, inline, clustering  Out of line, inline, clustering

SCE Product Family and Milestones
(Chart: capacity in concurrent subscribers from 200K to 1M against performance from 5 Gbps to 40 Gbps, for SCE 1000, SCE 2000 and SCE 8000)
SCE 8000: 2x10G / 4x10G and 8xGBE / 16xGBE Ethernet interfaces; classification of up to 32 million concurrent unidirectional application flows; total throughput of 15 Gbps (30+ Gbps by end of 2009); up to 1M concurrent subscribers; complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics

Cisco SCE in Mobile
3GPP compliance
Content filtering
Content charging
Traffic optimization
Usage analysis
DPI
Industry-leading deep packet inspection
Rich set of IP services
3GPP compliant

The SCE Mobile Solution
(Diagram: SGSN/GGSN - SCE - core - Internet, with AAA (RADIUS), policy server, portal/applications and billing & charging attached to the SCE)

The SCE Mobile Solution - 3GPP Compliance
(Diagram: the same topology with the 3GPP roles overlaid: SCE as PCEF; policy server as PCRF over Gx; billing & charging as OCF/SRP over Gy; portal/applications as AF)

What does an SCE solution look like? SCE sits at the access or aggregation layer
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
(Diagram: Service Control Engine between subscribers and the network; Subscriber Manager with AAA, DHCP and RADIUS; Collection Manager with billing and the reporting tool; Engage console; service portal; policy server/portal)

Service Control Engine Deployment Approaches
(Chart axis: from usage analysis to service creation; underlying elements: portal, DHCP, AAA, subscriber profile, policy)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet-flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue-Generating Services: implement tiered services using volume- and time-based quotas; implement service self-selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized app services, pay-as-you-go services

What does a Service Provider want from SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber re-direction to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content Based Billing: global migration from flat rate to usage based
Fair Use Policy: all HSDPA mobile operators
(Chart labels: flat rate vs. restricted)

Traffic Analysis and Business Intelligence

Business Intelligence Cycle
(Cycle diagram: Measure, Analyze, Compare, Decide, Act, with Cisco Service Control at the measure and act ends; labels: Transactions Information, Network Utilization, Service QoE, Data Aggregation, Data Mining, Correlation, Trend Analysis, Geographies Comparison, Histogram View, Service Offering, Marketing Review, Intersecting Set, Engineering Review, IT Review, Network Tuning, Cooperation; Strategic, Part of Business Ops, Customer, Sales, Category Recognition)

Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application

Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart: all HTTP requests vs. only ClickStream)

Cumulative and Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber would impact only the top 2%

Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies - HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing the application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market - zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures

Peer-to-Peer Management and Network Optimization

SCE's Flexible Control: Policy Implementation
Service Level / Policy Dimensions
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
(Chart: policy implementation vs. impact)

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: a subscriber's bandwidth shared between peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 42
Fair Usage: The Challenge

- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, longer-term violations of the subscription plan's acceptable usage policies must be monitored and acted on, to ensure a balanced community of subscribers

(Diagram: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)
Fair Usage: SCE Intelligent Traffic Management

- FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
  - apply equitable distribution of network resources
  - improve the Quality of Experience that the network delivers
  - minimize service abuse
- FairUsage works only during congestion times

(Diagram: "No fairness": some of the subscribers are not getting a fair share of the bandwidth, versus fair allocation of bandwidth with the SCE's FairShare.)
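A worked illustration of the fair-share idea on the two slides above, added here as an example and not part of the Cisco deck: two subscribers compete for a congested link and a weighted max-min (water-filling) allocation is computed, where a subscriber's weight shrinks with its short-term usage and is halved once it has exceeded its plan. The weighting rule, the `Subscriber` fields and the sample values are assumptions chosen to show both inputs the slide names; this is not Cisco's FairShare algorithm.

```python
"""Fair-share allocation under congestion (added example, constructed model).

Not Cisco's FairShare implementation: the weighting rule below is an
assumption chosen to show the two inputs the slide names, short-term usage
windows and longer-term violations of the plan's acceptable usage policy.
"""
from dataclasses import dataclass


@dataclass
class Subscriber:
    name: str
    demand_kbps: float   # what the subscriber is trying to send right now
    recent_mb: float     # usage in the short-term window (e.g. the last 15 minutes)
    plan_mb: float       # monthly allowance of the subscription plan
    month_mb: float      # usage so far this month


def weight(sub: Subscriber, window_ref_mb: float = 100.0) -> float:
    """Heavier recent usage earns a smaller share; plan violators are halved again."""
    w = 1.0 / (1.0 + sub.recent_mb / window_ref_mb)
    if sub.month_mb > sub.plan_mb:
        w *= 0.5
    return w


def weighted_max_min(subs, capacity_kbps):
    """Water-filling: subscribers whose demand fits their share get exactly their
    demand; the unused remainder is re-shared by weight among the rest."""
    alloc = {}
    remaining = capacity_kbps
    pending = list(subs)
    while pending:
        total_w = sum(weight(s) for s in pending)
        shares = {s.name: remaining * weight(s) / total_w for s in pending}
        satisfied = [s for s in pending if s.demand_kbps <= shares[s.name]]
        if not satisfied:          # everyone left is bottlenecked: take the weighted share
            alloc.update(shares)
            break
        for s in satisfied:
            alloc[s.name] = s.demand_kbps
            remaining -= s.demand_kbps
            pending.remove(s)
    return alloc


def allocate(subs, capacity_kbps):
    """FairUsage only acts during congestion: below capacity every demand is met."""
    if sum(s.demand_kbps for s in subs) <= capacity_kbps:
        return {s.name: s.demand_kbps for s in subs}
    return weighted_max_min(subs, capacity_kbps)


# Constructed sample: a light browser and a heavy P2P user on a 2 Mbps link
SAMPLE = [
    Subscriber("A", demand_kbps=1500, recent_mb=10, plan_mb=5000, month_mb=1000),
    Subscriber("B", demand_kbps=5000, recent_mb=900, plan_mb=5000, month_mb=6000),
]

if __name__ == "__main__":
    print(allocate(SAMPLE, 2000))   # A keeps its 1500 kbps; B gets the remaining 500
```

With an equal split, A would be capped at 1000 kbps while B, the heavy user, would also receive 1000 kbps; the weighted water-filling lets A's full demand through and gives B the remainder, which is the "fair share" outcome the slide argues for.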
RAN Optimization and Backhaul Optimization

- Addresses the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging (e.g., email only)
- Ability to provide SLA support or managed services for large enterprise users

(Diagram: UTRAN, SGSN/GGSN, SCE with policy server, Internet/GPRS.)
Tiered Services
Requirement: Flexible Billing Plans

Each plan builds on the subscription and adds billing parameters:
- Time, Volume: bill by bandwidth usage over an always-on service
- Time, Volume, Transaction, Content Type: bill differently for each type of application and content
- Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota-Based Services: Buy Time or Bandwidth as Needed

- Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
- Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution

SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools

(Diagram: subscribers, Service Control Engine, network; quota manager, billing/mediation, policy server.)
Quota Measurement Flexibility

- Content that has revenues other than access revenues can be exempted from quota counting:
  - SP's content delivery store
  - SP's gaming services
  - SP's VoIP service
  - partnership content delivery services
- P2P technology can also be supported in the upload direction via DPI
- The quota measurement rate can change with the time of day:
  - Peak hour: 1 byte of transfer = 1 byte of quota
  - Middle of the night: 10 bytes of transfer = 1 byte of quota
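The quota rules above (exempt services, the 10:1 night-time rate, and the slow-down-and-redirect that the quota-tiering slides later describe once 100% of the allowance is used) as a worked example. This is added code, not the SCE quota manager: the class layout, the night window of 00:00 to 05:59, the 56 kbps narrowband rate and the portal name are assumptions, and the sample traffic is constructed.

```python
"""Quota accounting with exempt services and time-of-day weighting (added example).

Constructed policy, not the SCE's quota manager: exempt services, the
night-time 10:1 rate and the enforcement action come from the slides; the
class layout, night window, narrowband rate and sample traffic are assumptions.
"""
from datetime import datetime

# Services whose revenue is something other than access revenue are not counted
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def quota_rate(ts: datetime) -> float:
    """Quota bytes charged per transferred byte: 1:1 at peak, 10:1 in the middle of the night.
    The night window (00:00-05:59) is an assumption; the slide only says 'middle of night'."""
    return 0.1 if ts.hour < 6 else 1.0


class QuotaBucket:
    def __init__(self, allowance_bytes: int):
        self.allowance = allowance_bytes
        self.used = 0.0

    def charge(self, service: str, nbytes: int, ts: datetime) -> float:
        """Account one transfer (either direction, P2P upload included); return the quota charged."""
        if service in EXEMPT_SERVICES:
            return 0.0
        charged = nbytes * quota_rate(ts)
        self.used += charged
        return charged

    def fraction_used(self) -> float:
        return self.used / self.allowance

    def enforcement(self) -> dict:
        """Action once 100% of the quota is reached: reduce to narrowband speed and
        redirect HTTP to the top-up portal (rate and portal name are placeholders)."""
        if self.used < self.allowance:
            return {"action": "allow"}
        return {"action": "rate_limit", "rate_kbps": 56, "http_redirect": "QUOTA_PORTAL_PLACEHOLDER"}


def run_sample() -> QuotaBucket:
    """Constructed month of traffic against a 1 GB allowance."""
    b = QuotaBucket(1_000_000_000)
    b.charge("browsing", 600_000_000, datetime(2009, 7, 1, 14, 0))     # peak: 600 MB of quota
    b.charge("sp_voip", 100_000_000, datetime(2009, 7, 2, 9, 0))       # exempt: 0
    b.charge("p2p_upload", 5_000_000_000, datetime(2009, 7, 3, 3, 0))  # night: 5 GB -> 500 MB
    return b


if __name__ == "__main__":
    bucket = run_sample()
    print(bucket.fraction_used(), bucket.enforcement())
```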
Application-Based Charging

- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to an Online Charging Server

(Diagram: subscriber, SCE (access aggregation and service control), converged packet core, GGSN, Internet, video/VoIP applications and services; steps 1-3.)

The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging

- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers

(Diagram: SCE, Online Charging Server over Gy/Diameter, Internet.)

The Gy interface is still under development and will be available in a future release.
Quota-Based Tiering: Telenet Cable Company in Belgium

httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799

- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month
(Telenet subscriber portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around.)

Redirect Page

(Screenshot: redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.)
Quota-Based Services: Results

- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
- Revenue increase
- 40% reduction in service support calls relating to this service
- Increased customer service satisfaction
T-Mobile: Quota-Based With Application Control

(✓ = allowed, × = not allowed)

Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | ✓ | × | × | × | × | ✓ | ×
IM               | ✓ | × | × | × | ✓ | ✓ | ×
P2P              | ✓ | × | ✓ | × | ✓ | ✓ | ×
FTP              | ✓ | × | ✓ | × | ✓ | ✓ | ×
Media Stream     | ✓ | × | ✓ | × | ✓ | ✓ | ×
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | × | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | × | ✓ | × | ✓ | ✓ | ×
European Mobile BB: Web 3G and Skype for Mobile

"Take your online world with you: TV, PC and the web on your mobile"

- Business issue: Skype taking mobile minutes away
- Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota

httpwwwvodafoneesparticularesinternet

> 40

Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience

Industry's first subscriber- and/or application-driven solution

- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": the enhanced experience is application-driven (application awareness, control bus)

(Diagram: IPTV/VoD, broadband access, gaming, messaging, music, voice.)
Service Creation: SCE's Rich Service Creation Environment

Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber

Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal

- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example

- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh (e.g., new consumer service activation)

(Screenshot: personalization via self selection.)
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand

Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self-Provisioned

- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self-Managed
Parental Controls: Getting Involved in Your Child's Experience

Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example: Content Tiering, "Kids Broadband"

- Application- and content-based access control with white-lists/blacklists
  - Limits access to pre-defined web-sites
  - Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change

Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership

(Screenshot: "Content Blocked. Click here to unlock all Internet sites.")
URL Filtering With External DB

- Enhance SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile

On-device URL filtering with external database integration (diagram): when a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated.

Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
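The cache-then-query flow and the package policy matrix above, as an added example that is not Cisco's implementation: an on-board cache answers repeat lookups, only cache misses cost a transaction to the external list database, and the per-package table decides allow, block or rate-limit. The policy matrix is the one on the slide; the external database contents, the cache TTL and host-based keying are assumptions, and the real SCE reaches Websense or Adaptive Mobile through a Java API that this code does not use.

```python
"""URL classification with an on-board cache, an external list database and
per-package enforcement (added example, not Cisco's implementation).

The policy matrix is the slide's table; the external database contents,
the cache TTL and the host-based keying are assumptions.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the 3rd-party URL database: host -> list ID
EXTERNAL_DB = {"gambling.example": 1, "adult.example": 2}
DEFAULT_LIST = 0  # "HTTP DEFAULT": URL is not in any list

# Subscriber package -> {list ID: (action, rate_kbps)}; straight from the slide's table
POLICY = {
    "Block-none":     {0: ("ALLOW", None), 1: ("ALLOW", None), 2: ("ALLOW", None)},
    "Block-all":      {0: ("ALLOW", None), 1: ("BLOCK", None), 2: ("BLOCK", None)},
    "Block-and-slow": {0: ("ALLOW", None), 1: ("BLOCK", None), 2: ("RATE", 64)},
}


class UrlClassifier:
    """Cache answers from the external DB so that only cache misses cost a transaction."""

    def __init__(self, ttl_s: float = 300.0):
        self.cache = {}       # host -> (list_id, expires_at)
        self.ttl_s = ttl_s
        self.db_queries = 0   # transactions sent to the external DB

    def classify(self, url: str, now: float) -> int:
        host = (urlsplit(url).hostname or "").lower()
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0]
        self.db_queries += 1                              # "URL not in cache": query the DB
        list_id = EXTERNAL_DB.get(host, DEFAULT_LIST)      # DB returns the classification
        self.cache[host] = (list_id, now + self.ttl_s)     # cache-lookup update
        return list_id


def decide(package: str, list_id: int):
    """Enforcement for one request: (action, rate_kbps or None)."""
    return POLICY[package].get(list_id, ("ALLOW", None))


def handle_request(clf: UrlClassifier, package: str, url: str, now: float):
    return decide(package, clf.classify(url, now))


if __name__ == "__main__":
    clf = UrlClassifier()
    print(handle_request(clf, "Block-and-slow", "http://adult.example/page", 0.0))
    print(handle_request(clf, "Block-all", "http://adult.example/other", 10.0), clf.db_queries)
```

Keying the cache on the host rather than the full URL is the assumption that gives the cache its hit rate; a deployment whose lists classify individual paths would key on the full URL and accept more external transactions.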
Parental Control and Content Filtering: Example

(Screenshot: "Page Blocked: Forbidden Content Detected".)

- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain

- ISPs leverage their intimacy with their customer base to enable enhanced targeting: demographics, browsing habits, geo-location

(Diagram: BetterAds between advertiser, publisher and consumer.)
BetterAds: Cisco SCE Targeted Advertising Solution

- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addresses privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds: Behavioral Targeted Advertising

Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi

Behavioral targeting through traffic mirroring (diagram):
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g., Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
P2P Identification: Infringing / Non-Infringing

(Diagram: subscriber, network, SCE, hash DB.)
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file

- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service

- The SCE analyzes OTT traffic and redirects it to the caching server
- The cache delivers more bandwidth to end users using existing network resources
- The cache relieves network peering load while improving QoE

Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user

(Diagram: SCE, OTT video cache, other OTT/P2P, VoIP; the SCE redirects OTT traffic and the cache delivers the requested files; increase in demand for OTT.)
Service Security Challenges

Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g., block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e., VoIP viruses, EPG hacking, etc.)

Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs

Ability to identify and mitigate attacks emanating from its own users
Service Security Protection

Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts

Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify of the security risk

(Diagram: Service Control between subscribers, email servers and the Internet. Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom")
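The identify / protect / notify tiers above, run over a few constructed flow records as an added example (not the SCE's detector): a subscriber that opens SMTP connections to many distinct mail servers inside a short window looks like the email zombie in the sample notification, whereas a normal user talks to a single provider mail server. The threshold, window and flow records are assumptions; the destination addresses are RFC 5737 documentation addresses.

```python
"""Anomaly detection for outbound spam-zombie behaviour on sample flow records (added example).

A constructed stand-in for the slide's identify / protect / notify tiers, not
the SCE's detector. Threshold, window length and sample flows are assumptions.
"""
from collections import defaultdict

SMTP_PORT = 25
THRESHOLD = 5      # distinct SMTP servers within one window (assumed)
WINDOW_S = 60      # sliding window length in seconds (assumed)

# Constructed sample flows: (time_s, subscriber, dst_ip, dst_port)
FLOWS = [
    (0, "sub-A", "198.51.100.10", 25), (1, "sub-A", "198.51.100.11", 25),
    (2, "sub-A", "198.51.100.12", 25), (3, "sub-A", "198.51.100.13", 25),
    (4, "sub-A", "198.51.100.14", 25), (5, "sub-A", "198.51.100.15", 25),
    (0, "sub-B", "203.0.113.5", 25), (30, "sub-B", "203.0.113.5", 25), (59, "sub-B", "203.0.113.5", 25),
    (2, "sub-C", "203.0.113.9", 443), (3, "sub-C", "203.0.113.10", 25),
]


def identify(flows, threshold=THRESHOLD, window_s=WINDOW_S):
    """Identify tier: {subscriber: most distinct SMTP destinations seen in any window}
    for subscribers over the threshold. Normal users reach their own provider's
    mail server, so they touch very few distinct destinations."""
    by_sub = defaultdict(list)
    for ts, sub, dst, port in flows:
        if port == SMTP_PORT:
            by_sub[sub].append((ts, dst))
    alerts = {}
    for sub, events in by_sub.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            distinct = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(distinct) >= threshold:
                alerts[sub] = max(alerts.get(sub, 0), len(distinct))
    return alerts


def protect(alerts):
    """Protect tier: policy to push to the enforcement point for each flagged subscriber."""
    return {sub: {"block_dst_ports": [SMTP_PORT], "quarantine": True} for sub in alerts}


def notify(alerts):
    """Notify tier: operator alert text; the subscriber-facing advisory is the one on the slide."""
    return {sub: f"{sub}: {n} distinct SMTP destinations within {WINDOW_S}s, possible email zombie"
            for sub, n in alerts.items()}


if __name__ == "__main__":
    found = identify(FLOWS)
    print(found, protect(found), notify(found))
```

Quarantining on port 25 alone keeps the subscriber's other services working while the notification is delivered, which is why the slide pairs "protect" with "notify" rather than cutting the line.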
Service Security Protection: Value to the Service Provider

- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity of security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users

(Diagram: User 1, SCE on Carrier Ethernet/MPLS/IP, VAS server, Internet; inbound and outbound traffic; X = traffic blocked.)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration
Network Insertion Point

- Typical insertion point: broadband edge/aggregation
  - Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations

Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"

- A stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g., rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa

(Diagram: analysis engine; PDR = police, drop, rewrite actions.)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy

- Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
- Inline configuration: engine installed in the data path; monitor and control traffic

(Diagram: subscribers, optical splitters, network.)
High Availability: Cascading Configurations

- Addresses split flows between the two links
- Provides 1+1 active/standby failover
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration

(Diagram: master and slave SCEs, one on each active link.)
Redundant Configurations: Active/Standby Schemes

1+0:
- Active/standby: SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open

1+1:
- Active/standby: SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configuration: fail open

(Diagram: active link and standby links.)
Optical Bypass

- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE software or hardware
  - Manually via CLI
  - On boot

(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state.)
MGSCP Cluster Insertion: N+1 SCEs

- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, to maintain flow & subscriber state

(Diagram: Internet, 7600, N+1 SCEs; flows and return flows.)
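The dispatching rule in the technical concept above, as an added example and not the 7600 / MGSCP implementation: every flow of a subscriber is hashed on the subscriber-side address to one slot, so both directions of all its flows reach the same SCE, and on failure the spare takes over the failed unit's slot so that only that unit's subscribers move. The hash function, the slot scheme and the sample addresses are assumptions.

```python
"""Subscriber-sticky flow dispatching across N active SCEs with a +1 spare (added example).

A constructed model of the slide's technical concept, not the 7600 / MGSCP
implementation. The multiplicative hash and the slot scheme are assumptions.
"""
import ipaddress


class Dispatcher:
    def __init__(self, active, spare):
        self.slots = list(active)   # slot index -> SCE name; the hash selects a slot, not a name
        self.spare = list(spare)

    def slot_for(self, subscriber_ip: str) -> int:
        key = int(ipaddress.ip_address(subscriber_ip))
        return (key * 2654435761) % len(self.slots)    # multiplicative hash (Knuth)

    def sce_for_flow(self, src_ip: str, dst_ip: str, subscriber_side_is_src: bool) -> str:
        """Both directions of a flow key on the subscriber address, never on the full 5-tuple,
        so the SCE that holds the subscriber's state sees every packet of every flow."""
        sub_ip = src_ip if subscriber_side_is_src else dst_ip
        return self.slots[self.slot_for(sub_ip)]

    def fail(self, sce: str) -> str:
        """N+1 failover: the spare takes the failed unit's slot; other slots are untouched."""
        if not self.spare:
            raise RuntimeError("no spare SCE left")
        i = self.slots.index(sce)
        self.slots[i] = self.spare.pop(0)
        return self.slots[i]


# Constructed subscriber pool: 252 private addresses
SAMPLE_SUBSCRIBERS = [f"10.1.{a}.{b}" for a in range(4) for b in range(1, 64)]


def subscribers_per_sce(d: Dispatcher) -> dict:
    """How many of the sample subscribers each SCE currently serves (upstream direction)."""
    counts = {}
    for ip in SAMPLE_SUBSCRIBERS:
        name = d.sce_for_flow(ip, "203.0.113.1", True)
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    d = Dispatcher(["sce1", "sce2", "sce3"], ["sce4"])
    print(subscribers_per_sce(d))
    d.fail("sce2")
    print(subscribers_per_sce(d))   # sce2's share moves to sce4; sce1 and sce3 unchanged
```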
Network Architectures: SCE's Open & Extensible Architecture

(Diagram: N+1, 1+1 HA and bypass HA insertion options; GGSN, BRAS/LAC/LNS; accounting/policy control; DSL/fiber, mobile, Internet.)
Tunneling Environment: SCE Supports Tunneled IP Traffic

Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009

(Diagram: encapsulated packet layouts: l2tp/mpls | IP | TCP | payload, and ppp | IP | TCP | payload.)

Management and Integration
What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer

Modular solution including SCE devices, management tools and integration APIs (diagram): subscribers, Service Control Engine, network; Subscriber Manager with AAA, DHCP and RADIUS; billing; reporting tool; Engage console; service portal; Collection Manager; policy server/portal.
Management and Integrations

Area                         | Description                                            | Protocols and tools        | External software modules
Network management           | FCAPS                                                  | SNMP, CLI, SSH             | NA
Policy/service configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management        | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data collection              | Collection of usage data for reporting and billing     | NetFlow v9, RDR protocol   | Collection Manager
Network Management (FCAPS)

- SNMP (v2)
  - MIB-II
  - Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  - Traps: MIB-II traps, RDR-link up/down, link status up/down
- CLI
  - Telnet/SSH
  - Cisco look and feel
  - CLI configuration wizard
Management: Network Navigator, Single Interface to Manage All Solution Components

- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor

- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter

- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard

- Integrated console to manage the service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management

- The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber quotas: set/add/read usage quota buckets
- Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager: Roles

- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push

(Diagram: B-RAS, network, Cisco Subscriber Manager with RADIUS event manager, internal SDB and SCE device controller; SCE; subscribers.)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager: RADIUS Integration, Pull

(Diagram as above.)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
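Both exchanges above (push and pull) modelled end to end, as an added example that is not Cisco's SM or LEG code: the RADIUS listener LEG parses the Accounting-Start attributes (RFC 2865 TLV layout; the Cisco vendor ID 9 is the real IANA number), the SM stores the mapping in its SDB and in push mode calls "Set Subscriber" on the SCE that owns the address, while in pull mode an SCE that sees traffic from an unknown address asks the SM who is using it. The vendor-type used for the SCE-VAS-PID attribute, the SCE's address ownership and the sample packet are assumptions.

```python
"""RADIUS accounting LEG feeding a Subscriber Manager in push and pull mode (added example).

Models the two slides above; it is not Cisco's SM or LEG code. The RADIUS
attribute layout is the RFC 2865 TLV format and the Cisco vendor ID is the real
IANA number 9, but the vendor type for the package-ID VSA (SCE-VAS-PID) and the
SCE's address ownership are assumptions.
"""
import ipaddress
import struct

USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 8, 26
CISCO_VENDOR_ID = 9
VSA_TYPE_PACKAGE_ID = 1      # ASSUMED vendor type for SCE-VAS-PID


def parse_avps(data: bytes) -> dict:
    """Parse a RADIUS attribute list: type(1) length(1, incl. header) value."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + ln]
        if t == USER_NAME:
            attrs["User-Name"] = v.decode("ascii")
        elif t == FRAMED_IP_ADDRESS:
            attrs["Framed-IP-Address"] = str(ipaddress.IPv4Address(v))
        elif t == VENDOR_SPECIFIC:
            vendor, vt, vl = struct.unpack("!IBB", v[:6])
            if vendor == CISCO_VENDOR_ID and vt == VSA_TYPE_PACKAGE_ID:
                attrs["SCE-VAS-PID"] = int(v[6:4 + vl].decode("ascii"))
        i += ln
    return attrs


def avp(t: int, value: bytes) -> bytes:
    return bytes([t, len(value) + 2]) + value


def cisco_vsa(vendor_type: int, value: bytes) -> bytes:
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, vendor_type, len(value) + 2) + value)


class SCE:
    """Holds the IP -> (subscriber, package) table used to map traffic to a context."""

    def __init__(self, name: str, prefix: str, sm=None):
        self.name, self.net, self.sm, self.table = name, ipaddress.ip_network(prefix), sm, {}

    def owns(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.net

    def set_subscriber(self, ip, subscriber_id, package_id):   # SM-API "Set Subscriber"
        self.table[ip] = (subscriber_id, package_id)

    def context_for(self, src_ip: str):
        """Pull mode: an unknown address triggers 'who is using IP?' towards the SM."""
        if src_ip not in self.table and self.sm is not None:
            answer = self.sm.lookup(src_ip)
            if answer:
                self.table[src_ip] = answer
        return self.table.get(src_ip)


class SubscriberManager:
    def __init__(self, sces):
        self.sdb = {}          # internal SDB: ip -> (subscriber_id, package_id)
        self.sces = list(sces)

    def on_acct_start(self, packet_attrs: bytes):
        """RADIUS listener LEG: translate Accounting-Start into a login (push to owning SCEs)."""
        a = parse_avps(packet_attrs)
        entry = (a["User-Name"], a.get("SCE-VAS-PID", 0))
        ip = a["Framed-IP-Address"]
        self.sdb[ip] = entry
        for sce in self.sces:
            if sce.owns(ip):
                sce.set_subscriber(ip, *entry)
        return ip, entry

    def lookup(self, ip: str):
        return self.sdb.get(ip)


# Constructed Accounting-Start for the slide's example: Joe, 1.2.3.4, package 12
ACCT_START = (avp(USER_NAME, b"Joe")
              + avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address("1.2.3.4").packed)
              + cisco_vsa(VSA_TYPE_PACKAGE_ID, b"12"))
```

The length checks in `parse_avps` matter in this position: the LEG consumes packets relayed from the access network, so a malformed attribute length must raise rather than slide the parser past the end of the buffer.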
RADIUS Integration: LEG Translation in Brief

- RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
- DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)

(Diagram: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate into SM login messages (subscriber ID, domain, mappings, lease time, policy) and logout messages (subscriber ID, mappings).)
Policy Server Integration: API Overview

SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C, Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing/quota provisioning issues
- NetFlow v9: allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example

- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID

(Diagram: SCE, Subscriber Manager and policy server connected via APIs.)
PCEF: Subscriber Policy Enforcement

- The SCE acts as a 3GPP PCEF, applying per-user policies (e.g., bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF is through a standard Gx interface

(Diagram: subscriber, SCE as PCEF (access aggregation and service control), GGSN, converged packet core, Internet, video/VoIP applications and services; steps 1-5.)

The Gx interface is still under development and will be available in a future release.
Gx Interface and RADIUS VSAs

- The SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics

The Gx interface is still under development and will be available in a future release.
Collection Manager

- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: Cisco bundled Collection Manager or third-party database
- Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol

- Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems

(Diagram: an RDR stream carried over TCP to the mediation/collection platform; each RDR consists of a header followed by field 0, field 1, ..., field n.)
Collection Manager: NetFlow v9 Export

- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- The SCE supports the new extensions
- Records equivalent to existing RDR groups: subscriber usage (NUR), package usage (PUR), link usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0

(Diagram: SCMS Collection Manager with SCMS Reporter; NetFlow Collector with NetFlow Reporter.)
Collection Manager: Software Overview

CM software:
- Unix (Solaris, Linux) Java software
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)

CM bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
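The precedence rule and the per-package marking above, as an added example (not SCE code): classify a packet by its DSCP value first and only fall back to payload signatures when no configured DSCP value matches, then re-mark the DSCP for a (package, service, direction) and recompute the IPv4 header checksum. The DSCP-to-service map, the marking table and the two payload signatures are constructed for the example. The caveat this makes visible for a defender: because DSCP classification wins over signatures, the marking has to come from a trusted element; a DSCP value written by a subscriber host would be honoured as-is unless the access edge re-marks it first.

```python
"""DSCP-first classification and ToS re-marking of IPv4 packets.
Added example for this page; the tables below are constructed, not SCE configuration."""
import struct
from typing import Dict, Tuple

# Constructed DSCP "flavor" table: DSCP value -> service (EF, AF41, AF11).
DSCP_SERVICES: Dict[int, str] = {46: "VoIP", 34: "Video", 10: "Browsing"}

# Constructed ToS-marking table: (package, service, direction) -> DSCP to write.
MARKING: Dict[Tuple[str, str, str], int] = {
    ("gold", "VoIP", "upstream"): 46,
    ("gold", "VoIP", "downstream"): 46,
    ("gold", "P2P", "downstream"): 8,        # CS1 "scavenger"
    ("silver", "Browsing", "downstream"): 0,
}

# Constructed payload signatures, consulted only when no DSCP rule matched.
SIGNATURES: Dict[bytes, str] = {
    b"GET ": "Browsing", b"POST ": "Browsing", b"\x13BitTorrent protocol": "P2P",
}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0   # a valid header (checksum included) sums to 0


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2                      # top 6 bits of the ToS byte; low 2 are ECN


def payload_of(packet: bytes) -> bytes:
    ihl = (packet[0] & 0x0F) * 4
    proto, l4 = packet[9], packet[ihl:]
    if proto == 6 and len(l4) >= 20:           # TCP: data offset in the upper nibble of byte 12
        return l4[(l4[12] >> 4) * 4:]
    if proto == 17:                            # UDP: fixed 8-byte header
        return l4[8:]
    return l4


def classify(packet: bytes) -> str:
    """A configured DSCP value decides; otherwise fall back to signature matching."""
    service = DSCP_SERVICES.get(dscp_of(packet))
    if service is not None:
        return service
    payload = payload_of(packet)
    for sig, name in SIGNATURES.items():
        if payload.startswith(sig):
            return name
    return "Default"


def mark(packet: bytes, package: str, service: str, direction: str) -> bytes:
    """Rewrite the DSCP bits per the marking table (ECN preserved) and fix the checksum."""
    dscp = MARKING.get((package, service, direction))
    if dscp is None:
        return packet                          # no marking rule: leave the packet untouched
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0) -> bytes:
    """Constructed packet builder for exercising the functions (20-byte header, no options)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload),
                                0, 0x4000, 64, proto, 0, addr(src), addr(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

Marking changes only the IPv4 header, so the TCP/UDP checksum (which does not cover the ToS byte) stays valid; only the IP header checksum has to be recomputed.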

Summary

Cisco SCE Sample Customers
[Customer logo montage grouped by access type: Mobile, DSL, Cable]

[Slide: customer and partner examples for Security & Content Filtering, Policy & Billing, URL Black-listing and Advertising; names listed as extracted]
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

[Slide: further examples for Flash Caching/Video, Content Infringement, Management/Reporting and Data Warehousing; names listed as extracted]
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

SCE Product Family and Milestones
[Chart: capacity (concurrent subscribers) from 200K to 1M against performance from 5 Gbps to 40 Gbps, for SCE 1000, SCE 2000 and SCE 8000]
SCE 8000:
2x10G, 4x10G & 8xGBE, 16xGBE Ethernet interfaces
Classification of up to 32 million concurrent unidirectional application flows
Total throughput of 15 Gbps (30+ Gbps by end '09)
Up to 1M concurrent subscribers
Complete modularity - FRU AC or DC power supplies, fans, cards, interfaces, optics

Cisco SCE in Mobile
[Diagram: 3GPP compliance, content filtering, content charging, traffic optimization and usage analysis built on DPI]
Industry-leading Deep Packet Inspection
Rich set of IP services
3GPP compliant

The SCE Mobile Solution
[Diagram: SCE between GGSN/SGSN and the Internet core, connected to AAA (RADIUS), a policy server, portal/applications, and billing & charging]

The SCE Mobile Solution - 3GPP Compliance
[Diagram: the same topology with 3GPP roles: the SCE as PCEF, Gy/Gx interfaces towards PCRF and OCF SRP, AF for the portal/applications]

What does an SCE solution look like? SCE sits at the access or aggregation layer
[Diagram: Service Control Engine between subscribers and the network; Subscriber Manager with AAA, DHCP and RADIUS/billing; Collection Manager feeding the reporting tool/Engage console; policy server/portal and service portal]
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Service Control Engine Deployment Approaches
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement service self-selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
[Diagram: usage analysis through service creation, with portal, DHCP, AAA, subscriber profile and policy components]

What does a Service Provider Want From SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information & per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content Based Billing: global migration from flat rate to usage based
Fair Use Policy: all HSDPA mobile operators
[Diagram: flat-rate vs. restricted service models]

Traffic Analysis and Business Intelligence

Business Intelligence Cycle
[Diagram: Measure - Analyze - Compare - Decide - Act cycle, with Cisco Service Control supplying the measure and act stages; labels around the cycle: transactions information, network utilization, service QoE, data aggregation, data mining, correlation, trend analysis, geographies comparison, histogram view, intersecting set, service offering, marketing review, engineering review, IT review, network tuning, cooperation; strategic, part of business ops, customer, sales, category recognition]

Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application

Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Chart: all HTTP requests vs. ClickStream only]

Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases such as traffic optimization, where there is no need to recognize the specific P2P application
Time to market - zero-day response: Behavioral P2P signatures use a heuristic approach, so a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions:
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net/peering/transit
Service level
[Diagram: policy implementation impact across these dimensions]

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Diagram: a subscriber's link shared by a peer-to-peer service, web browsing and email; when the user launches mobile TV/video, the allocation adapts to make room for it]

Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
[Chart] Two subscribers share network resources (and the network cannot fully satisfy both)
If at 0:40 the MSO divides bandwidth equally between them, would that be fair?
Clearly Sub A is not getting a fair share of the resources

Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
[Chart: no fairness - some subscribers not getting a fair share of the bandwidth, vs. fair allocation of bandwidth with the SCE's FairShare]

RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN and GGSN/SGSN with the SCE and policy server on the GPRS path to the Internet]

Tiered Services

Requirement: Flexible Billing Plans
Subscription based on volume and time: bill by bandwidth usage over an always-on service
Subscription based on time, volume, transaction and content type: bill differently for each type of application and content
Subscription based on volume, transaction, content type, usage pattern, quality of service and time: bill differently for the same content based on quality, priority, time of day and usage pattern

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers, they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage

Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Diagram: Service Control Engine between subscribers and the network, with quota manager, billing/mediation and policy server]

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
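The two rules on this slide, exempt services and a time-of-day measurement rate, as an added example (not SCE or Quota Manager code): usage records are charged against a subscriber's allowance, exempt services are counted separately for reporting, and the bytes-per-quota-byte divisor depends on the hour the usage was measured in. The service names, the hour bands, the record shape and the sample records are constructed; the 1:1 and 10:1 rates are the slide's.

```python
"""Quota accounting with exempt services and a time-of-day measurement rate.
Added example for this page; tables and record shape are constructed, not SCE configuration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed rate table: (start hour inclusive, end hour exclusive) -> bytes of transfer
# per byte of quota. Peak hours charge 1:1, the middle of the night charges 10:1.
RATE_TABLE: List[Tuple[Tuple[int, int], int]] = [((0, 6), 10), ((6, 24), 1)]

# Constructed services whose traffic is exempt from quota counting (SP content store,
# SP gaming, SP VoIP, partner content delivery).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_divisor(hour: int) -> int:
    for (start, end), divisor in RATE_TABLE:
        if start <= hour < end:
            return divisor
    raise ValueError(f"no measurement rate configured for hour {hour}")


@dataclass(frozen=True)
class UsageRecord:          # constructed record shape, not an SCE RDR
    subscriber: str
    service: str
    hour: int               # local hour in which the usage was measured (0-23)
    bytes_up: int
    bytes_down: int


@dataclass
class QuotaState:
    allowance: int          # quota bytes granted for the period
    consumed: int = 0       # quota bytes charged so far
    exempt_bytes: int = 0   # transfer that did not count (kept for reporting)

    def remaining(self) -> int:
        return max(0, self.allowance - self.consumed)

    def exhausted(self) -> bool:
        return self.consumed >= self.allowance


def charge(state: QuotaState, rec: UsageRecord) -> int:
    """Apply one record to the state; returns the quota bytes charged (0 for exempt traffic).
    Integer division floors the charge; a production meter would carry the remainder forward."""
    volume = rec.bytes_up + rec.bytes_down
    if rec.service in EXEMPT_SERVICES:
        state.exempt_bytes += volume
        return 0
    charged = volume // quota_divisor(rec.hour)
    state.consumed += charged
    return charged


def apply_records(allowance: int, records: List[UsageRecord]) -> Dict[str, QuotaState]:
    """Per-subscriber quota state after charging all records against a common allowance."""
    states: Dict[str, QuotaState] = {}
    for rec in records:
        charge(states.setdefault(rec.subscriber, QuotaState(allowance)), rec)
    return states


if __name__ == "__main__":
    demo = [UsageRecord("alice", "browsing", 12, 1_000, 9_000),
            UsageRecord("alice", "p2p", 2, 20_000, 30_000),
            UsageRecord("alice", "sp-voip", 12, 3_000, 0)]
    for sub, st in apply_records(12_000, demo).items():
        print(sub, st.consumed, st.exempt_bytes, st.exhausted())
```

Because the divisor is looked up per record, the record's timestamp decides the rate; a meter that aggregates usage across the peak/off-peak boundary before charging would misprice whichever side it lands on, which is why the hour travels with the record here.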

Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an online charging server
[Diagram: subscriber, SCE at the access aggregation and service control layer, GGSN in the converged packet core, Internet and video/VoIP applications and services, with steps 1-3 of the charging flow]
The Gy interface is still under development and will be available in a future release

Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
[Diagram: SCE to online charging server over Gy/Diameter, with the Internet behind the SCE]
The Gy interface is still under development and will be available in a future release

Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month

[Screenshot of the Telenet subscriber portal: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around]

Redirect Page
Redirect page in case 100% of the quota is reached. Three options presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband

Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction

T-Mobile - Quota-Based With Application Control
Plans (as extracted): Default | WnW | WnW Pro | WnW | WNW Plus | WnW Max | Post Pay | Day Pass
Allowance (as extracted): Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB
VoIP: ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM: ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads: ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
[Screenshot of Vodafone Spain consumer Internet plans; "> 40" as extracted]

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (IPTV/VoD, gaming, messaging, music, voice) via application awareness
[Diagram: broadband access with a control bus linking application awareness to the services]

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self-selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access

Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Screenshot: "Content Blocked - Click here to unlock all Internet sites" page in front of the Internet]

URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
[Diagram: on-device URL filtering with external database integration: when the URL is not in the cache, the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup table is updated]
Subscriber package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
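The cache-in-front-of-an-external-DB design and the package/list action table above, as an added example written for this page (not the SCE's Java API or the Websense/Adaptive Mobile integration): a bounded LRU cache with a TTL sits in front of a lookup function that stands in for the external database, and the action matrix reproduces the table on the slide. The hostnames, list IDs, cache size and TTL are constructed. Two choices a deployment has to make are explicit in the code: a URL on no list gets the package's HTTP DEFAULT action, and a failed external lookup is counted and, by default, treated as DEFAULT (fail open), which is the right choice for availability but not for a parental-control package; the `fail_closed_list` option flips it.

```python
"""URL classification cache in front of an external list database, plus per-package actions.
Added example for this page; not SCE code. Hosts, list IDs and limits are constructed."""
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the 3rd-party URL database: hostname -> list ID.
EXTERNAL_DB: Dict[str, int] = {"casino.example": 1, "adult.example": 2, "news.example": 0}

# Action matrix from the slide: package -> {list ID -> action}; list ID 0 is "HTTP DEFAULT".
ALLOW, BLOCK, RATE_64K = "ALLOW", "BLOCK", "RATE 64kbps"
ACTIONS: Dict[str, Dict[int, str]] = {
    "Block-none":     {0: ALLOW, 1: ALLOW, 2: ALLOW},
    "Block-all":      {0: ALLOW, 1: BLOCK, 2: BLOCK},
    "Block-and-slow": {0: ALLOW, 1: BLOCK, 2: RATE_64K},
}


def external_lookup(host: str) -> int:
    """Stand-in for the URL Query RDR round trip; unknown hosts are on no list (ID 0)."""
    return EXTERNAL_DB.get(host, 0)


class UrlClassifier:
    """Bounded LRU cache with a TTL in front of the external lookup (the on-board cache)."""

    def __init__(self, lookup: Callable[[str], int], capacity: int = 10_000,
                 ttl_s: float = 3600.0, clock: Callable[[], float] = time.time,
                 fail_closed_list: Optional[int] = None):
        self._lookup, self._capacity, self._ttl, self._clock = lookup, capacity, ttl_s, clock
        self._cache: "OrderedDict[str, Tuple[int, float]]" = OrderedDict()
        # List ID to assume when the external DB is unreachable; None means fail open (DEFAULT).
        self._fail_list = fail_closed_list
        self.external_queries = 0
        self.lookup_failures = 0

    @staticmethod
    def normalize(url: str) -> str:
        """Classification key: lower-cased hostname without port, path or trailing dot."""
        host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        return host.lower().rstrip(".")

    def classify(self, url: str) -> int:
        host = self.normalize(url)
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and now - hit[1] < self._ttl:
            self._cache.move_to_end(host)          # refresh LRU position
            return hit[0]
        self.external_queries += 1
        try:
            list_id = self._lookup(host)
        except Exception:
            self.lookup_failures += 1              # answer is not cached: retry next time
            return 0 if self._fail_list is None else self._fail_list
        self._cache[host] = (list_id, now)
        self._cache.move_to_end(host)
        if len(self._cache) > self._capacity:
            self._cache.popitem(last=False)        # evict the least recently used entry
        return list_id


def decide(package: str, list_id: int) -> str:
    """Action for a subscriber package; a URL on no configured list gets the DEFAULT action."""
    table = ACTIONS[package]
    return table.get(list_id, table[0])


if __name__ == "__main__":
    clf = UrlClassifier(external_lookup)
    for url in ("http://casino.example/play", "news.example", "http://casino.example/again"):
        lid = clf.classify(url)
        print(url, lid, decide("Block-and-slow", lid))
    print("external queries:", clf.external_queries)
```

The cache key is the hostname only, which matches a database that classifies by site; a database that classifies by path would need the path in the key and a correspondingly lower hit rate, which is the trade-off the slide's "on-board cache reduces transactions" claim rests on.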

Parental Control and Content Filtering: Example
[Screenshot: "Page Blocked - Forbidden Content Detected" page]
Content filtering:
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
[Diagram: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location to BetterAds]
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE in front of OTT, other OTT/P2P and VoIP traffic; the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files]
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify of the security risk
[Diagram: Service Control between subscribers, email servers and the Internet, with the subscriber notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]
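The identify / protect / notify tiers, as an added example (not the SCE's detection engine): one pass over constructed flow records applies three anomaly thresholds (distinct SMTP destinations for a spam zombie, distinct hosts probed on one port with tiny flows for a propagating worm, single-packet TCP flows to one host for a DoS source) and one payload signature, then maps each finding to a protect action and a subscriber notification. Thresholds, the record shape, the signature bytes and the sample records are all constructed. The thresholds have to be tuned against a baseline of the network's own traffic before anything is enforced on them: a legitimate mail relay or a vulnerability scan run by operations would trip them as written.

```python
"""Subscriber-originated threat detection over flow records (identify / protect / notify).
Added example for this page; thresholds, record shape and signature are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:                 # constructed flow-record shape, not an SCE RDR
    subscriber: str
    dst_ip: str
    dst_port: int
    proto: str              # "tcp" or "udp"
    packets: int            # packets seen from the subscriber in this flow
    payload_prefix: bytes = b""


# Constructed anomaly thresholds per observation window (not SCE defaults).
SMTP_DISTINCT_DST = 20      # distinct mail servers contacted -> spam zombie
SCAN_DISTINCT_DST = 50      # distinct hosts probed on one port with tiny flows -> worm scan
SYN_FLOOD_FLOWS = 200       # single-packet TCP flows to one host -> DoS source

# Constructed payload signature; a placeholder standing in for a real worm signature.
SIGNATURES: Dict[bytes, str] = {b"\x90\x90\x90\x90WORM-SAMPLE": "worm-sample"}


def identify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Subscriber -> threat labels, from anomaly counters plus signature matches."""
    smtp_dst: Dict[str, Set[str]] = defaultdict(set)
    scan_dst: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    syn_flows: Dict[Tuple[str, str], int] = defaultdict(int)
    sig_hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dst_port == 25:
            smtp_dst[f.subscriber].add(f.dst_ip)
        if f.packets <= 2:                       # probe-sized flows only
            scan_dst[(f.subscriber, f.dst_port)].add(f.dst_ip)
        if f.proto == "tcp" and f.packets == 1:
            syn_flows[(f.subscriber, f.dst_ip)] += 1
        for sig, name in SIGNATURES.items():
            if f.payload_prefix.startswith(sig):
                sig_hits[f.subscriber].add(name)
    threats: Dict[str, List[str]] = defaultdict(list)
    for sub, dsts in smtp_dst.items():
        if len(dsts) > SMTP_DISTINCT_DST:
            threats[sub].append(f"spam: {len(dsts)} distinct SMTP destinations")
    for (sub, port), hosts in scan_dst.items():
        if len(hosts) > SCAN_DISTINCT_DST:
            threats[sub].append(f"worm-scan: {len(hosts)} hosts probed on port {port}")
    for (sub, dst), n in syn_flows.items():
        if n > SYN_FLOOD_FLOWS:
            threats[sub].append(f"dos: {n} single-packet TCP flows to {dst}")
    for sub, names in sig_hits.items():
        threats[sub].append("signature: " + ", ".join(sorted(names)))
    return dict(threats)


def respond(threats: Dict[str, List[str]]) -> Dict[str, dict]:
    """Protect + notify: map each subscriber's findings to a configured policy action."""
    plan = {}
    for sub, labels in threats.items():
        kinds = {label.split(":")[0] for label in labels}
        action = {"alert_ops": labels, "notify_subscriber": True}
        if "spam" in kinds:
            action["block_outbound_ports"] = [25]      # stop the zombie, keep the rest up
        if "worm-scan" in kinds or "signature" in kinds:
            action["quarantine"] = "redirect HTTP to notification portal, drop other traffic"
        if "dos" in kinds:
            action["rate_limit_kbps"] = 64
        plan[sub] = action
    return plan


if __name__ == "__main__":
    demo = [Flow("sub-a", f"203.0.113.{i}", 25, "tcp", 30) for i in range(1, 26)]
    found = identify(demo)
    print(found)
    print(respond(found))
```

The actions are deliberately graded: blocking outbound port 25 stops the spam without cutting the subscriber off, quarantine is reserved for an infection that is actively spreading, and every case produces both an operations alert and the subscriber notification the slide shows.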

Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 behind the SCE on the carrier Ethernet/MPLS/IP network; inbound and outbound traffic pass through the VAS server on the way to the Internet; X marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point - broadband edge/aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flow
Network redundancy
IP tunneling environment
[Diagram: SCE insertion between subscribers and the network]

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: analysis engine applying PDR (police, drop, rewrite) actions on the wire]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters/port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
[Diagram: SCE between subscribers and the network, fed through optical splitters in the receive-only case]

High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each active link, cascaded]

Redundant Configurations: Active/Standby Schemes
1+0 (active/standby): SCE on the active link; on failure the network uses the alternate path; no service redundancy; bypass config: fail open
1+1 (active/standby): SCE on each link; on failure the network uses the alternate path; the standby SCE resumes service; bypass config: fail open
[Diagram: active link and standby links in the 1+0 and 1+1 arrangements]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
[Diagram: SCE8000 with optical bypass modules on each link; default bypass state (no power) vs. non-default bypass state]

MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30-Gbps SCE8000s
High availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber states
[Diagram: N+1 SCEs attached to the 7600, with flows dispatched out and returned]

Network Architectures: SCE's Open & Extensible Architecture
[Diagram: DSL/fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN, with accounting/policy control, and SCEs in 1+1 HA, bypass HA and N+1 arrangements in front of the Internet]
Slide 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
(diagram: packet inspection through encapsulation stacks such as Payload/TCP/IP over L2TP or MPLS, and Payload/TCP/IP over PPP)
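To inspect tunneled traffic a DPI engine must first walk the outer encapsulations to reach the inner IP and transport headers. The following is an added example, not Cisco's code or the SCE's implementation: it strips 802.1Q VLAN tags, IP-in-IP and GRE (two of the encapsulations listed above), refuses MPLS and L2TP explicitly rather than guessing, and bounds the nesting depth so a crafted chain of tunnels cannot drive unbounded work. The sample frame is constructed inline; all addresses and ports in it are made up.

```python
# Added example (not Cisco's code): reach the inner IP/TCP header beneath
# VLAN, IP-in-IP and GRE encapsulation, as a DPI engine must before it can
# classify tunneled traffic. MPLS and L2TP/PPP are reported as unsupported.
import struct

ETH_VLAN, ETH_IPV4, ETH_MPLS = 0x8100, 0x0800, 0x8847
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_GRE = 4, 6, 47


class DecapError(ValueError):
    """Malformed, truncated or unsupported encapsulation."""


def parse_ipv4(buf, off):
    """Return (src, dst, proto, header_len) for the IPv4 header at buf[off:]."""
    if len(buf) < off + 20:
        raise DecapError("truncated IPv4 header")
    first = buf[off]
    if first >> 4 != 4:
        raise DecapError("not IPv4")
    ihl = (first & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        raise DecapError("bad IHL")
    proto = buf[off + 9]
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return src, dst, proto, ihl


def decapsulate(frame, max_depth=4):
    """Walk Ethernet/VLAN/GRE/IP-in-IP layers; return the innermost IP packet's
    addresses, protocol and (for TCP) ports plus the list of layers crossed."""
    layers = []
    if len(frame) < 14:
        raise DecapError("truncated Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while ethertype == ETH_VLAN:                     # 802.1Q, possibly stacked
        if len(frame) < off + 4:
            raise DecapError("truncated VLAN tag")
        vid = struct.unpack_from("!H", frame, off)[0] & 0x0FFF
        layers.append(f"vlan:{vid}")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETH_MPLS:
        raise DecapError("MPLS label stack not handled in this example")
    if ethertype != ETH_IPV4:
        raise DecapError(f"unsupported ethertype 0x{ethertype:04x}")
    for _ in range(max_depth):                       # depth bound against nested tunnels
        src, dst, proto, ihl = parse_ipv4(frame, off)
        off += ihl
        if proto == IPPROTO_IPIP:
            layers.append(f"ipip:{src}->{dst}")
            continue
        if proto == IPPROTO_GRE:
            if len(frame) < off + 4:
                raise DecapError("truncated GRE header")
            flags, inner_type = struct.unpack_from("!HH", frame, off)
            # optional GRE fields: checksum (0x8000), key (0x2000), sequence (0x1000)
            gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            if inner_type != ETH_IPV4:
                raise DecapError("GRE payload is not IPv4")
            layers.append(f"gre:{src}->{dst}")
            off += gre_len
            continue
        result = {"layers": layers, "src": src, "dst": dst, "proto": proto}
        if proto == IPPROTO_TCP:
            if len(frame) < off + 4:
                raise DecapError("truncated TCP header")
            result["sport"], result["dport"] = struct.unpack_from("!HH", frame, off)
        return result
    raise DecapError("tunnel nesting deeper than max_depth")


def try_decapsulate(frame):
    """Classification front end: None instead of an exception for bad frames."""
    try:
        return decapsulate(frame)
    except DecapError:
        return None


def ipv4_header(src, dst, proto, payload_len):
    to_bytes = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))


def build_sample_frame():
    """Constructed sample: VLAN 100 -> GRE tunnel 10.0.0.1->10.0.0.2 ->
    TCP 192.168.1.10:40000 -> 203.0.113.5:443 (all values made up)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("192.168.1.10", "203.0.113.5", IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, ETH_IPV4) + inner
    outer = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_GRE, len(gre)) + gre
    eth = b"\x00" * 12 + struct.pack("!HHH", ETH_VLAN, 100, ETH_IPV4)
    return eth + outer
```

Every length check above is deliberate: an inspection engine that trusts the outer headers to describe the inner ones is the classic place for an out-of-bounds read, and GRE optional fields in particular shift the inner offset by a value taken from the packet.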
Slide 90
Management and Integration
Slide 91
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
(diagram: Service Control Engine between subscribers and the network; Subscriber Manager with AAA, DHCP and RADIUS/Billing; Collection Manager with Reporting Tool/Engage Console; Policy Server/Portal and Service Portal)
Slide 92
Management and Integrations
Network Management: FCAPS; protocols and tools: SNMP, CLI, SSH; external software module: N/A
Policy/Service Configuration: definition of policies and dissemination to SE devices; protocols and tools: SCA-API, GUI, scripts, XML; external software module: Service Control Application Suite GUI
Subscriber Management: dynamic management of subscriber contexts; protocols and tools: SM API, RADIUS; external software module: Subscriber Manager
Data Collection: collection of usage data for reporting and billing; protocols and tools: NetFlow v9, RDR-Protocol; external software module: Collection Manager
Slide 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Slide 94
Management: Network Navigator, a single interface to manage all solution components
Group devices into sites (SCE, CM, SM, database)
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate bypass
Slide 95
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Slide 96
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate that subscriber's real-time report
Slide 97
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Slide 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Slide 99
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100
Subscriber Manager RADIUS Integration: Push
(diagram: B-RAS, RADIUS server, Cisco Subscriber Manager with event manager, internal SDB and SCE device controller, SCE, subscribers and network)
1. RADIUS: the B-RAS sends Accounting Start with Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay: Accounting Start is forwarded to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM-API: the SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE
Slide 101
Subscriber Manager RADIUS Integration: Pull
(diagram: same components as in the push case)
1. RADIUS: the B-RAS sends Accounting Start with Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay: Accounting Start is forwarded to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. SM-API: the SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
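The two slides above show the same login in push and pull mode. The following is an added example, not Cisco's SM or SCE code, that models both modes end to end: the RADIUS accounting messages are constructed attribute dicts rather than real RADIUS packets, the attribute names (User-Name, Framed-IP-Address, SCE-VAS-PID) and the Set Subscriber call follow the slides, and the class and method names are assumptions. It also handles the Accounting Stop, because the IP-to-subscriber mapping has to be torn down on logout or the next subscriber assigned 1.2.3.4 would inherit Joe's package.

```python
# Added example (not Cisco's code): Subscriber Manager login flow in push and
# pull mode, with a RADIUS Accounting Start/Stop modelled as attribute dicts.
from dataclasses import dataclass

DEFAULT_PACKAGE = 0      # package applied to traffic from an unmapped IP


@dataclass
class Subscriber:
    subscriber_id: str
    ip: str
    package_id: int


class SCE:
    """Enforcement device: knows only the IP -> subscriber mappings it was given."""

    def __init__(self, name, sm=None):
        self.name = name
        self.sm = sm             # set only in pull mode
        self.mappings = {}       # ip -> Subscriber
        self.queries = 0         # pull-mode "who is using IP?" queries sent

    def set_subscriber(self, sub):
        self.mappings[sub.ip] = sub

    def remove_subscriber(self, ip):
        self.mappings.pop(ip, None)

    def classify(self, ip):
        """Package-ID that applies to traffic from ip (step 3 of the pull flow)."""
        sub = self.mappings.get(ip)
        if sub is None and self.sm is not None:
            self.queries += 1
            sub = self.sm.who_is_using(ip)
            if sub is not None:
                self.set_subscriber(sub)      # SM answers with Set Subscriber
        return sub.package_id if sub else DEFAULT_PACKAGE


class SubscriberManager:
    def __init__(self, push=True):
        self.sdb = {}            # internal SDB: ip -> Subscriber
        self.push = push
        self.sces = []

    def attach(self, sce):
        self.sces.append(sce)
        if not self.push:
            sce.sm = self

    def who_is_using(self, ip):
        return self.sdb.get(ip)

    def on_radius(self, msg):
        """Handle a relayed RADIUS accounting message (constructed attribute dict)."""
        ip = msg["Framed-IP-Address"]
        if msg["Acct-Status-Type"] == "Start":
            sub = Subscriber(msg["User-Name"], ip, int(msg["SCE-VAS-PID"]))
            self.sdb[ip] = sub
            if self.push:                        # push: login goes straight to the SCEs
                for sce in self.sces:
                    sce.set_subscriber(sub)
        elif msg["Acct-Status-Type"] == "Stop":
            # Logout must clear the mapping everywhere; a stale entry would let
            # whoever is assigned this IP next run under the previous package.
            self.sdb.pop(ip, None)
            for sce in self.sces:
                sce.remove_subscriber(ip)


def run_scenario(push):
    """Joe logs in, is classified, logs out, and is classified again.
    Returns (package before logout, package after logout, SM queries made)."""
    sm = SubscriberManager(push=push)
    sce = SCE("sce-1")
    sm.attach(sce)
    sm.on_radius({"Acct-Status-Type": "Start", "User-Name": "Joe",
                  "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"})
    before = sce.classify("1.2.3.4")
    sm.on_radius({"Acct-Status-Type": "Stop", "User-Name": "Joe",
                  "Framed-IP-Address": "1.2.3.4"})
    after = sce.classify("1.2.3.4")
    return before, after, sce.queries
```

In push mode the SCE never asks the SM anything; in pull mode it queries once on the first packet from 1.2.3.4 and once more after the logout, when the SM no longer knows the address and the SCE falls back to the default package.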
Slide 102
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login (sent to the SM): Subscriber ID, Domain, Mappings, Lease time, Policy
Logout (sent to the SM): Subscriber ID, Mappings
Slide 103
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning
NetFlow v9: allows integration for billing/quota provisioning
Slide 104
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(diagram: SCE, Subscriber Manager and Policy Server connected through APIs)
Slide 105
PCEF: Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
(diagram: GGSN, access aggregation and service control with the SCE as PCEF, converged packet core, Internet, video/VoIP applications and services; numbered steps not recoverable)
Slide 106
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Slide 107
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
Slide 108
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
(diagram: RDR stream over TCP from the SCE to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 ... Field n)
Slide 109
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
(diagram: SCE exporting to the SCMS Collection Manager with the SCMS Reporter, and to a NetFlow Collector with a NetFlow Reporter)
Slide 110
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
Slide 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (upstream/downstream)
(diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP)
Slide 112
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Slide 113
Summary
Slide 114
Cisco SCE Sample Customers
(logo panels: Mobile, DSL, Cable)
Slide 115
(customer and partner table; column layout lost in extraction)
Columns: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Slide 116
(customer and partner table, continued; column layout lost in extraction)
Columns: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, InfoVista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Slide 117 (no text content extracted)
Slide 24
Cisco SCE in Mobile
3GPP compliance
Content filtering
Content charging
Traffic optimization
Usage analysis
DPI
Industry-leading deep packet inspection
Rich set of IP services
3GPP compliant
Slide 25
The SCE Mobile Solution
(diagram: SGSN/GGSN, SCE, core and Internet; AAA (RADIUS), policy server, portal/applications, billing and charging)
Slide 26
The SCE Mobile Solution: 3GPP Compliance
(diagram: as on the previous slide, with the SCE labelled PCEF, Gy/Gx interfaces, the policy server labelled PCRF, billing and charging labelled OCF/SRP, and the applications labelled AF)
Slide 27
What does an SCE solution look like? SCE sits at the access or aggregation layer
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies
(diagram: Service Control Engine between subscribers and the network; Subscriber Manager with AAA, DHCP and RADIUS/Billing; Collection Manager with Reporting Tool/Engage Console; Policy Server/Portal and Service Portal)
Slide 28
Service Control Engine Deployment Approaches (from usage analysis to service creation)
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume- and time-based quotas; implement service self-selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services
(diagram: portal, DHCP, AAA, subscriber profile, policy)
Slide 29
What does a Service Provider want from SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate "all you can eat"
Usage/Content Based Billing: all HSDPA mobile operators; global migration from flat rate to usage based
Fair Use Policy
(diagram labels: flat rate, restricted)
Slide 30
Traffic Analysis and Business Intelligence
Slide 31
Business Intelligence Cycle
(diagram: Measure, Analyze, Compare, Decide, Act, with Cisco Service Control shown at the measure and act steps; side labels: strategic, part of business ops, customer, sales, category recognition)
Diagram labels, in order: transactions, information, network utilization, service QoE; data aggregation, data mining, correlation, trend analysis; geographies comparison, histogram view, intersecting set; service offering, marketing review, engineering review, IT review; network tuning, cooperation
Slide 32
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Slide 33
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Slide 34
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
(chart: all HTTP requests vs. ClickStream only)
Slide 35
Cumulative and Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Slide 36
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs. normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Slide 37
Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Slide 38
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
Time to market / zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Slide 39
Peer-to-Peer Management and Network Optimization
Slide 40
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level) and policy implementation impact:
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net/peering/transit
Slide 41
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(diagram: bandwidth shares over time for peer-to-peer service, web browsing, email and mobile TV, with a marker where the user launches video)
Slide 42
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
(chart: two subscribers share network resources, and the network cannot fully satisfy both; if at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources)
Slide 43
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
(charts: no fairness, where some subscribers are not getting a fair share of the bandwidth, vs. fair allocation of bandwidth with the SCE's FairShare)
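The slides above describe the goal (equitable sharing, active only under congestion) but not an algorithm. The following is an added example, not Cisco's FairShare implementation: it applies weighted max-min fair sharing, the standard way to give every subscriber an equal share while letting light users keep everything they ask for and redistributing what they leave. The capacity, demands and weights are constructed sample values in arbitrary units; the weight is the hook where a plan tier or a longer-term usage-policy violation would lower a subscriber's share.

```python
# Added example (not Cisco's code): weighted max-min fair sharing of a
# congested link among subscribers, applied only when demand exceeds capacity.
def fair_share(capacity, demands, weights=None):
    """Max-min fair allocation. A subscriber asking less than their weighted
    share receives exactly that demand; the unused remainder is shared again
    among the others until everyone left is capped at their share."""
    weights = weights or {s: 1.0 for s in demands}
    alloc = {}
    remaining = dict(demands)
    left = float(capacity)
    while remaining:
        total_w = sum(weights[s] for s in remaining)
        satisfied = {s: d for s, d in remaining.items()
                     if d <= left * weights[s] / total_w}
        if not satisfied:
            # everyone still in the pool wants more than their share: cap them
            for s in remaining:
                alloc[s] = left * weights[s] / total_w
            break
        for s, d in satisfied.items():
            alloc[s] = float(d)
            left -= d
            del remaining[s]
    return alloc


def allocate(capacity, demands, weights=None):
    """FairUsage acts only under congestion: if the link can satisfy every
    demand nobody is throttled, otherwise fall back to fair_share()."""
    if sum(demands.values()) <= capacity:
        return {s: float(d) for s, d in demands.items()}
    return fair_share(capacity, demands, weights)


def demo():
    """Constructed case: A asks for 1, B for 6, C for 9 on a link of 10.
    An equal split gives everyone 3.33 and wastes 2.33 of A's share while
    B and C starve; max-min gives A its 1 and splits the rest 4.5/4.5."""
    demands = {"A": 1, "B": 6, "C": 9}
    equal_split = {s: 10 / len(demands) for s in demands}
    return equal_split, allocate(10, demands)
```

The weighted variant lets the operator express policy in the same loop: with weights A=1, B=1, C=2 the same congested link yields A=1, B=3, C=6, and an uncongested link (capacity 20) returns every demand unchanged.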
Slide 44
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
(diagram: UTRAN, SGSN/GGSN, SCE, policy server, GPRS core and Internet)
Slide 45
Tiered Services
Slide 46
Requirement: Flexible Billing Plans
Subscription: bill by bandwidth usage over an always-on service (dimensions: volume, time)
Transaction and content type: bill differently for each type of application and content (dimensions: time, volume, transaction, content type)
Usage pattern and quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern (dimensions: volume, transaction, content type, usage pattern, quality of service)
Slide 47
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Slide 48
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(diagram: Service Control Engine between subscribers and the network, with Quota Manager, Billing/Mediation and Policy Server)
Slide 49
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change during the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
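The following is an added example, not Cisco's quota-manager code, showing how the two flexibilities on this slide combine in a per-subscriber volume bucket: exempt services cost no quota, and the transfer-to-quota ratio depends on the hour. The service names, the 01:00-06:00 "middle of the night" window, the bucket size and the usage records are constructed; the 1:1 peak and 10:1 night ratios are the slide's. The bucket also reports exhaustion, which is the condition that later slides redirect to a portal on.

```python
# Added example (not Cisco's code): quota accounting with exempt services and
# a time-of-day transfer-to-quota ratio, plus the exhaustion check that drives
# the portal redirect.

# Services whose revenue is not access revenue (slide's categories, names assumed)
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def transfer_per_quota_byte(hour):
    """Bytes of transfer that consume one byte of quota at the given hour
    (0-23). Night window 01:00-06:00 is an assumption; ratios are the slide's."""
    return 10 if 1 <= hour < 6 else 1


def quota_cost(usage_bytes, service, hour):
    if service in EXEMPT_SERVICES:
        return 0
    return usage_bytes // transfer_per_quota_byte(hour)


class QuotaBucket:
    """Per-subscriber volume bucket."""

    def __init__(self, limit_bytes):
        self.limit = limit_bytes
        self.used = 0

    def charge(self, usage_bytes, service, hour):
        self.used += quota_cost(usage_bytes, service, hour)

    def remaining(self):
        return max(self.limit - self.used, 0)

    @property
    def exhausted(self):
        return self.used >= self.limit


def action_for(bucket):
    """What the SCE does with the subscriber's next HTTP request."""
    return "redirect-to-portal" if bucket.exhausted else "pass"


def apply_usage(records, limit_bytes):
    """records: iterable of (hour, service, bytes). Returns the filled bucket."""
    bucket = QuotaBucket(limit_bytes)
    for hour, service, nbytes in records:
        bucket.charge(nbytes, service, hour)
    return bucket


# Constructed usage records for one subscriber on one day
SAMPLE_RECORDS = [
    (14, "browsing", 600_000_000),            # peak hour: counts 1:1
    (3, "p2p-download", 3_000_000_000),        # night: counts 10:1 -> 300 MB of quota
    (20, "sp-content-store", 5_000_000_000),   # exempt: counts 0
]
```

Run against a 1 GB bucket, the constructed records consume 900 MB of quota despite 8.6 GB of transfer; a further 200 MB of peak-hour browsing then tips the bucket into the redirect state. Note that the exemption is keyed on the classified service, so the accuracy of the quota depends entirely on the classification step that precedes it.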
Slide 50
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
The Gy interface is still under development and will be available in a future release
(diagram: GGSN, access aggregation and service control with the SCE, converged packet core, Internet, video/VoIP applications and services; numbered steps not recoverable)
Slide 51
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
(diagram: SCE to Online Charging Server over Gy over Diameter; Internet)
The Gy interface is still under development and will be available in a future release
Slide 52
Quota Based Tiering: Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
Slide 53
(portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around)
Slide 54
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband
Slide 55
Quota Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
Slide 56
T-Mobile: Quota-Based with Application Control
Packages: Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance: Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB (one cell lost in extraction)
VoIP: ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM: ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media streaming: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web browsing: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads: ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Email: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Slide 57
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
Slide 58
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
(chart fragment: > 40)
Slide 59
Advanced Services
Slide 60
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness, control bus)
(diagram: broadband access serving IPTV/VoD, gaming, messaging, music and voice)
Slide 61
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA/policy server to deliver a personalized broadband experience
Slide 62
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Slide 63
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(screenshot: personalization via self selection)
Slide 64
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Slide 65
Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring
Slide 66
Personalized Reporting: Self Managed
Slide 67
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Slide 68
Example Content Tiering: "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
(screenshot: "Content Blocked. Click here to unlock all Internet sites")
Slide 69
URL Filtering with External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
(diagram: on-device URL filtering with external database integration; when the URL is not in the cache the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification, and the cache is updated)
Policy per subscriber package:
Package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
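The following is an added example, not Cisco's URL-filtering code or the Websense/Adaptive Mobile integration, that puts the slide's lookup path together: normalise the request to its host, consult the on-box cache, query the external database on a miss, then apply the package's policy from the table above. The host-to-list mapping, the package names, the cache size and the fail-closed behaviour when the database is unreachable are assumptions; the policy table and the 64 kbps rate are the slide's.

```python
# Added example (not Cisco's code): cache-then-external-DB URL classification
# followed by the per-package policy table from the slide.
from collections import OrderedDict
from urllib.parse import urlsplit

DEFAULT = "DEFAULT"          # list ID for hosts the external DB does not classify

# Policy table from the slide: action per (package, HTTP list ID)
PACKAGE_POLICY = {
    "block-none":     {DEFAULT: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "block-all":      {DEFAULT: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "block-and-slow": {DEFAULT: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Stand-in for the 3rd-party URL database (constructed hosts and list IDs)
EXTERNAL_DB = {"gambling.example": 1, "violence.example": 2}


class DbUnavailable(Exception):
    """Raised when the external database cannot be reached."""


def query_external_db(host):
    """Models the URL Query RDR / classification reply round trip."""
    return EXTERNAL_DB.get(host, DEFAULT)


def unavailable_db(host):
    """Stand-in for an external database that is down."""
    raise DbUnavailable(host)


class LruCache:
    """Bounded cache: a burst of never-seen hosts evicts old entries instead
    of growing memory without limit."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = OrderedDict()

    def get(self, key):
        if key not in self.items:
            return None
        self.items.move_to_end(key)
        return self.items[key]

    def put(self, key, value):
        self.items[key] = value
        self.items.move_to_end(key)
        if len(self.items) > self.capacity:
            self.items.popitem(last=False)


class UrlFilter:
    def __init__(self, db=query_external_db, cache_size=1000, fail_closed=True):
        self.db = db
        self.cache = LruCache(cache_size)
        self.fail_closed = fail_closed
        self.db_queries = 0

    def classify(self, url):
        # Normalise to the host (lower-cased, port and path dropped) so
        # "HTTP://Violence.Example:8080/x" and "http://violence.example/" share
        # one cache entry and one policy decision.
        host = (urlsplit(url).hostname or "").rstrip(".")
        cached = self.cache.get(host)
        if cached is not None:
            return cached
        self.db_queries += 1
        list_id = self.db(host)            # cache miss: ask the external database
        self.cache.put(host, list_id)      # cache-lookup update
        return list_id

    def decide(self, package, url):
        """Action for this subscriber package and URL: ALLOW, BLOCK or RATE."""
        if package == "block-none":
            return "ALLOW"                 # unfiltered package: no lookup needed
        try:
            list_id = self.classify(url)
        except DbUnavailable:
            # Design choice (assumed): a filtering package fails closed while the
            # database is down, so an outage does not silently switch filtering off.
            return "BLOCK" if self.fail_closed else "ALLOW"
        return PACKAGE_POLICY[package][list_id]
```

Two points worth checking in any real deployment of this pattern: the cache key must be the normalised host, or trivial variations in case and port bypass both the cache and the classification it stores; and the behaviour on database outage has to be chosen deliberately, since the table above says nothing about it.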
Slide 70
Parental Control and Content Filtering: Example
Content filtering (screenshot: "Page Blocked: Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
Slide 71
SPs participating in the advertising value chain
(diagram: ISP between advertiser, publisher and consumer, contributing demographics, browsing habits and geo-location to BetterAds)
Leveraging their intimacy with their customer base to enable enhanced targeting
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in / Opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDRs
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)

P2P Identification: Infringing / Non-Infringing
(diagram: Subscriber - Network - SCE - HASH DB)
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification - lets the request pass for a legal file; block, redirect or rate-limit for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Best user experience - OTT content is delivered from within the network, as close as possible to the user
(diagram: SCE redirects OTT traffic (OTT, Other OTT / P2P, VoIP) to the OTT Video Cache; cache delivers requested files; increase in demand for OTT)

Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: threat using stateful traffic processing, and alert SP operations
Protect: block / mitigate threat based on configured policy
Notify: quarantine subscriber and notify of security risk
(diagram: Service Control between subscribers, Email Servers and the Internet; sample notification below)
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

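The three tiers described above (identify by stateful counting plus signature matching, protect per configured policy, notify and quarantine), as an added example run over constructed flow records. This is not Cisco SCE code: the thresholds, the signature pattern, the policy table and the sample flows are all assumptions chosen for the illustration.

```python
"""Added example (not Cisco SCE code): the Identify / Protect / Notify
tiers from the slide, run over constructed per-subscriber flow records.
The anomaly thresholds, the signature pattern and the policy table are
assumptions for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    subscriber: str
    dst_ip: str
    dst_port: int
    syn_only: bool          # connection attempt that never completed a handshake
    payload: bytes = b""


# Signature tier: byte pattern -> name (constructed, not a real signature set)
SIGNATURES = {b"EXAMPLE-WORM-MARKER": "example-worm"}

# Anomaly tier thresholds per observation window (assumed values)
SMTP_DEST_THRESHOLD = 20   # distinct mail servers contacted -> spam zombie
SCAN_DEST_THRESHOLD = 50   # distinct hosts probed SYN-only on one port -> worm

# Protect tier: configured mitigation per threat class (assumed policy)
POLICY = {"spam": "block-smtp", "worm": "block-port", "signature": "drop-flow"}

Finding = Tuple[str, str]   # (threat class, detail)


def identify(flows: List[Flow]) -> Dict[str, List[Finding]]:
    """Identify tier: stateful per-subscriber counting plus signature matching."""
    smtp_dests: Dict[str, set] = defaultdict(set)
    scan_dests: Dict[Tuple[str, int], set] = defaultdict(set)
    findings: Dict[str, List[Finding]] = defaultdict(list)
    for f in flows:
        if f.dst_port == 25:
            smtp_dests[f.subscriber].add(f.dst_ip)
        if f.syn_only:
            scan_dests[(f.subscriber, f.dst_port)].add(f.dst_ip)
        for pattern, name in SIGNATURES.items():
            if pattern in f.payload:
                findings[f.subscriber].append(("signature", name))
    for sub, dests in smtp_dests.items():
        if len(dests) >= SMTP_DEST_THRESHOLD:
            findings[sub].append(("spam", f"{len(dests)} distinct SMTP servers"))
    for (sub, port), dests in scan_dests.items():
        if len(dests) >= SCAN_DEST_THRESHOLD:
            findings[sub].append(("worm", f"SYN-only probes to {len(dests)} hosts on port {port}"))
    return dict(findings)


def respond(findings: Dict[str, List[Finding]]) -> Dict[str, dict]:
    """Protect + Notify tiers: mitigation from policy, quarantine, and a notice."""
    actions = {}
    for sub, threats in findings.items():
        actions[sub] = {
            "alert": [f"{cls}: {detail}" for cls, detail in threats],   # to SP operations
            "mitigations": sorted({POLICY[cls] for cls, _ in threats}),
            "quarantine": True,
            "notice": f"Dear subscriber {sub}, your PC may be infected; "
                      "please contact technical support.",
        }
    return actions


def build_sample_flows() -> List[Flow]:
    """Constructed sample: a spam zombie, a scanner, a signature hit, a clean user."""
    flows = [Flow("subA", f"198.51.100.{i}", 25, False) for i in range(25)]
    flows += [Flow("subB", f"203.0.113.{i}", 445, True) for i in range(60)]
    flows += [Flow("subC", "192.0.2.10", 80, False, b"GET / HTTP/1.1"),
              Flow("subC", "192.0.2.11", 80, False, b"...EXAMPLE-WORM-MARKER...")]
    flows += [Flow("subD", f"198.51.100.{100 + i}", 25, False) for i in range(3)]
    return flows
```

The anomaly counters are keyed per subscriber rather than per flow, which is what "stateful traffic processing" buys: a single SMTP connection is unremarkable, while 25 distinct mail servers from one access line in a window is the zombie pattern. Subscriber D, who talks to three mail servers, stays below the threshold and receives no action.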
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
(diagram: User 1 / Subscriber 1 - SCE - Carrier Ethernet / MPLS / IP - VAS Server - Internet; inbound and outbound traffic; X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a Website or Peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine

Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge / Aggregation
Directly after subscriber-aggregator (B-RAS / CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
(diagram: Analysis Engine with PDR - Police / Drop / Rewrite actions)

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using Optical Splitters / Port-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
(diagram: Subscribers - optical splitters - Network)

High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
(diagram: Master and Slave SCEs, one on each active link)

Redundant Configurations: Active / Standby Schemes
1+0
Active / Standby: SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: fail-open
1+1
Active / Standby: SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: fail-open
(diagram: active link and standby links)

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(diagram: SCE8000 with Optical Bypass modules - default bypass state (no power) and non-default bypass state)

MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability - Provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept
7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
(diagram: N+1 SCEs between the 7600 and the Internet; flows / return flows)

Network Architectures: SCE's Open & Extensible Architecture
(diagram: N+1, 1+1 HA and Bypass HA SCE deployments behind GGSN (Mobile) and BRAS / LAC / LNS (DSL / Fiber), with Accounting / Policy Control, towards the Internet)

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet Inspection supports various packet encapsulation or tunneling techniques including
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
(diagram: encapsulation stacks - Payload / TCP / IP / L2TP or MPLS, and Payload / TCP / IP / PPP)

Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
(diagram: Service Control Engine between Subscribers and Network; Subscriber Manager with AAA, DHCP, Radius / Billing; Collection Manager with Reporting Tool / Engage Console; Policy Server / Portal with Service Portal)

Management and Integrations

Area                          Description                                              Protocols and Tools          External Software Modules
Network Management            FCAPS                                                    SNMP, CLI, SSH               NA
Policy / Service Configuration  Definition of Policies and Dissemination to SE Devices  SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management         Dynamic Management of Subscriber Contexts                SM API, RADIUS               Subscriber Manager
Data Collection               Collection of Usage Data for Reporting and Billing       NetFlow v9, RDR-Protocol     Collection Manager

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up / down, link status up / down
CLI
Telnet / SSH
Cisco look and feel
CLI Configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices / sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate / bypass

Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, Bi-Directional Patterns, Binary Characters, String-Match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
(screenshot: interactive real-time report - click on Top Subscriber to activate the Subscriber Real-Time Report)

Service Security Dashboard
Integrated console to manage service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA
RADIUS AAA
DHCP servers
Policy Control Systems

Subscriber Manager - Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses

Subscriber Manager Radius Integration - Push
(diagram: B-RAS - NETWORK - Cisco Subscriber Manager (Radius listener, Event Manager, Internal SDB, SCE device Controller) - SCE - SUBSCRIBERS)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager Radius Integration - Pull
(diagram: B-RAS - NETWORK - Cisco Subscriber Manager (Radius listener, Event Manager, Internal SDB, SCE device Controller) - SCE - SUBSCRIBERS)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Radius Integration: LEGs translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
LEGs translate these into SM events:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings

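The push and pull message flows on the two Radius Integration slides and the LEG translation table above, as one added example in Python. This is not Cisco's SM API, LEG or SCE code: the `SceDevice` and `SubscriberManager` classes, the way policy persists across logins, and the field names used for the RADIUS and DHCP messages (modelled on the slides, including the SCE-VAS-PID vendor attribute) are assumptions for the illustration.

```python
"""Added example (not Cisco SM API / LEG code): a toy Subscriber Manager
that translates RADIUS accounting and DHCP events into subscriber-context
logins / logouts and serves SCE devices in push or pull mode. Message
fields follow the slides; the classes here are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Context:
    subscriber_id: str
    mappings: List[str]            # network IDs (IP addresses) of this context
    policy_id: Optional[int]       # package id; may be unknown until provisioned
    lease_time: Optional[int] = None


class SceDevice:
    """Stand-in for an SCE: holds the IP -> (subscriber, policy) table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.table: Dict[str, Tuple[str, Optional[int]]] = {}
        self.pull_queries = 0

    def set_subscriber(self, ip: str, sub_id: str, policy_id: Optional[int]) -> None:
        self.table[ip] = (sub_id, policy_id)          # SM-API "Set Subscriber"

    def remove_subscriber(self, ip: str) -> None:
        self.table.pop(ip, None)


class SubscriberManager:
    def __init__(self, devices: List[SceDevice], push: bool = True) -> None:
        self.sdb: Dict[str, Context] = {}             # internal subscriber DB
        self.devices = devices
        self.push = push
        self.persisted_policy: Dict[str, int] = {}    # survives logouts

    # LEG translation: RADIUS accounting -> login / logout
    def radius_accounting(self, attrs: Dict[str, str]) -> None:
        sub_id, ip = attrs["User-Name"], attrs["Framed-IP-Address"]
        vsa = attrs.get("SCE-VAS-PID")                # vendor-specific policy id
        policy = int(vsa) if vsa else self.persisted_policy.get(sub_id)
        if attrs["Acct-Status-Type"] == "Start":
            self.login(sub_id, ip, policy)
        elif attrs["Acct-Status-Type"] == "Stop":
            self.logout(sub_id, ip)

    # LEG translation: DHCP ack -> login (chaddr as subscriber id, lease kept)
    def dhcp_ack(self, yiaddr: str, chaddr: str, lease_time: int) -> None:
        self.login(chaddr, yiaddr, self.persisted_policy.get(chaddr), lease_time)

    def login(self, sub_id, ip, policy, lease_time=None) -> None:
        ctx = self.sdb.setdefault(sub_id, Context(sub_id, [], policy))
        if ip not in ctx.mappings:
            ctx.mappings.append(ip)
        if policy is not None:
            ctx.policy_id = policy
            self.persisted_policy[sub_id] = policy
        ctx.lease_time = lease_time
        if self.push:                                 # push mode: tell the SCEs now
            for dev in self.devices:
                dev.set_subscriber(ip, sub_id, ctx.policy_id)

    def logout(self, sub_id: str, ip: str) -> None:
        ctx = self.sdb.get(sub_id)
        if ctx and ip in ctx.mappings:
            ctx.mappings.remove(ip)
        for dev in self.devices:
            dev.remove_subscriber(ip)

    # Pull mode: the SCE asks "who is using IP x?" on first sight of traffic
    def who_is_using(self, ip: str) -> Optional[Tuple[str, Optional[int]]]:
        for ctx in self.sdb.values():
            if ip in ctx.mappings:
                return ctx.subscriber_id, ctx.policy_id
        return None


def resolve_on_sce(sm: SubscriberManager, dev: SceDevice, ip: str):
    """SCE-side lookup: local table hit, otherwise query the SM and cache the answer."""
    if ip in dev.table:
        return dev.table[ip]
    dev.pull_queries += 1
    answer = sm.who_is_using(ip)
    if answer:
        dev.set_subscriber(ip, *answer)
    return answer
```

The difference between the two modes is where the mapping lives before the first packet: in push mode the SCE table is populated at login time, so traffic from 1.2.3.4 is attributed immediately; in pull mode the SCE pays one query on first sight and then serves later packets from its own table.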
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing / quota provisioning issues
NetFlow v9 - allows integration for billing / quota provisioning cases

Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(diagram: SCE - API - Subscriber Manager - API - Policy Server)

PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
(diagram: Subscriber - GGSN (Access Aggregation and Service Control) - PCEF SCE - Converged Packet Core - Internet / Video / VoIP Applications and Services)

Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage Data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, home-grown customer systems
(diagram: RDR stream over TCP to a Mediation / Collection Platform; each RDR = Header, Field 0, Field 1 ... Field n)

Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
(diagram: SCE exporting to SCMS Collection Manager / SCMS Reporter and to a NetFlow Collector / NetFlow Reporter)

Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application is classified, the SCE ToS Marking capability provides the ability to mark traffic
- Per Package
- Per Service
- Per Direction (i.e. Upstream / Downstream)
(diagram: Subscriber Side - SCE - Network Side; upstream and downstream flows for Browsing, P2P, VoIP)

ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

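Both ToS slides, marking per package / service / direction and DSCP-first classification, as one added example in Python. This is not SCE code: the packages, the services, the particular seven DSCP values, the toy signature stage and the DSCP-to-service "flavor" table are assumptions; what it reproduces is the ordering the slide states (a DSCP match wins before any signature runs) and the ToS byte arithmetic (DSCP in the upper six bits, ECN in the lower two).

```python
"""Added example (not SCE code): DSCP marking per package / service /
direction and DSCP-first classification, as described on the ToS slides.
The packages, services, DSCP set and signature patterns are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Seven selectable DSCP code points (constructed choice; the names are the
# standard EF / AF / CS code points).
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "AF21": 18, "AF11": 10, "CS1": 8, "BE": 0}

# Marking table: (package, service, direction) -> DSCP name (constructed)
MARKING: Dict[Tuple[str, str, str], str] = {
    ("Gold",   "VoIP",     "upstream"):   "EF",
    ("Gold",   "VoIP",     "downstream"): "EF",
    ("Gold",   "Browsing", "downstream"): "AF21",
    ("Silver", "P2P",      "upstream"):   "CS1",
    ("Silver", "P2P",      "downstream"): "CS1",
}

# DSCP-based classification ("flavor"): pre-marked traffic maps straight to a
# service; this runs before any signature (constructed table).
DSCP_TO_SERVICE = {46: "VoIP", 8: "P2P"}


@dataclass
class Packet:
    package: str
    direction: str
    tos: int                # IPv4 ToS byte
    payload: bytes = b""


def dscp_of(tos: int) -> int:
    """DSCP is the upper six bits of the ToS byte."""
    return tos >> 2


def with_dscp(tos: int, dscp: int) -> int:
    """Rewrite the DSCP field but keep the two ECN bits untouched."""
    return (dscp << 2) | (tos & 0x3)


def classify_by_signature(payload: bytes) -> str:
    """Toy signature stage standing in for the SCE's signature engine."""
    if payload.startswith(b"GET ") or payload.startswith(b"POST "):
        return "Browsing"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "P2P"
    return "Generic"


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (service, method). DSCP classification takes precedence."""
    svc: Optional[str] = DSCP_TO_SERVICE.get(dscp_of(pkt.tos))
    if svc is not None:
        return svc, "dscp"
    return classify_by_signature(pkt.payload), "signature"


def mark(pkt: Packet) -> Packet:
    """Return a copy with the ToS byte rewritten if the marking table says so."""
    service, _ = classify(pkt)
    name = MARKING.get((pkt.package, service, pkt.direction))
    if name is None:
        return pkt                    # no rule for this package/service/direction
    return Packet(pkt.package, pkt.direction, with_dscp(pkt.tos, DSCP[name]), pkt.payload)
```

The precedence rule has an operational consequence worth keeping in mind: because a DSCP match short-circuits signature classification, the element upstream that sets the marking has to be trusted, and markings arriving from outside that trust boundary should be cleared before they reach the classifier.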
Summary
Cisco SCE Sample Customers
(logo slide: Mobile, DSL and Cable customers)

Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China, local Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Categories: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet

The SCE Mobile Solution
(diagram: GGSN / SGSN - SCE - Core - Internet; SCE integrates with AAA (Radius), Policy Server, Portal / Applications, Billing & Charging)

The SCE Mobile Solution - 3GPP Compliance
(diagram: GGSN / SGSN - SCE - Core - Internet; SCE acts as PCEF, with Gy / Gx towards PCRF and OCF / SRP, and AF on the Portal / Applications side; AAA (Radius), Policy Server, Billing & Charging)

What does an SCE solution look like? SCE sits at the access or aggregation layer
1. SCE Appliance to view and act on the packets
2. Collection Manager to collect data records for Reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies
(diagram: Service Control Engine between Subscribers and Network; Subscriber Manager with AAA, DHCP, Radius / Billing; Collection Manager with Reporting Tool / Engage Console; Policy Server / Portal with Service Portal)

Service Control Engine Deployment Approaches (from Usage Analysis to Service Creation)
1. Traffic Analysis & Business Intelligence: Implement traffic monitoring, analysis and reporting; Determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): Manage bandwidth-intensive applications through packet flow optimization techniques; Implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: Implement tiered services using volume and time-based quotas; Implement Service Self Selection; Implement Over-The-Top (OTT) Application Strategy and Blended Services; Implement Security Services (Anti-X, Quarantine, etc.); Innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
(diagram: Portal, DHCP, AAA, Subscriber Profile, Policy)

What does a Service Provider Want From SCE? Profitability
URL Blacklisting: Restricting sites that are blacklisted by governments
Precision Advertising: Demographic information & per-subscriber re-direction to Ad Server
Copyright Infringement Blocking: Blocking distribution of pirated film / music
OTT Revenue Share Proposition: Application intercept for Internet content prioritisation
Enhanced Tiered Services: Product tiers in addition to flat rate "all you can eat"
Usage / Content Based Billing: All HSDPA Mobile Operators
Fair Use Policy: Global migration from flat rate to usage based
(chart axis: Flat Rate ... Restricted)

Traffic Analysis and Business Intelligence
Business Intelligence Cycle
Cycle: Measure -> Analyze -> Compare -> Decide -> Act (Cisco Service Control at the Measure and Act steps)
Transactions Information, Network Utilization, Service QoE
Data Aggregation, Data Mining, Correlation, Trend Analysis
Geographies Comparison, Histogram View, Intersecting Set
Service Offering, Marketing Review, Engineering Review, IT Review
Network Tuning, Cooperation
(diagram labels: Strategic, Part of Business Ops, Customer, Sales, Category Recognition)

Video Reports
Which specific Video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on specific Video Application

Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google Hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
(chart: all HTTP requests vs. only ClickStream)

Cumulative & Average Usage Distribution
Top 1% => 15%+ of Traffic
Top 10% => 60%+ of Traffic
Top 20% => 80%+ of Traffic
Setting a 5G Daily Quota per Subscriber will impact the Top 2% only

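How the figures on the slide are derived from per-subscriber usage, as an added example (not SCE reporting code): the share of traffic produced by the top fraction of subscribers, the cumulative curve, and the fraction of subscribers a daily quota would touch. The usage numbers are constructed (a lognormal sample and a small hand-made set), not measurements from any network.

```python
"""Added example (not SCE reporting code): cumulative usage distribution and
quota impact computed from constructed per-subscriber daily usage."""
import math
import random
from typing import Dict, List


def top_share(usage: Dict[str, float], fraction: float) -> float:
    """Fraction of total traffic generated by the top `fraction` of subscribers."""
    volumes = sorted(usage.values(), reverse=True)
    total = sum(volumes)
    if not volumes or total == 0:
        return 0.0
    k = max(1, math.ceil(len(volumes) * fraction))   # at least one subscriber
    return sum(volumes[:k]) / total


def quota_impact(usage: Dict[str, float], quota: float) -> float:
    """Fraction of subscribers whose daily usage exceeds the quota."""
    if not usage:
        return 0.0
    return sum(1 for v in usage.values() if v > quota) / len(usage)


def cumulative_curve(usage: Dict[str, float], steps: int = 10) -> List[float]:
    """Traffic share of the top 10%, 20%, ... 100% of subscribers."""
    return [top_share(usage, i / steps) for i in range(1, steps + 1)]


def constructed_usage(n: int = 1000, seed: int = 7) -> Dict[str, float]:
    """Heavy-tailed daily usage in MB (lognormal sample; constructed, not measured)."""
    rng = random.Random(seed)
    return {f"sub{i}": rng.lognormvariate(5.0, 1.5) for i in range(n)}


# Small hand-made set used to check the arithmetic by inspection (MB/day).
SMALL = {f"s{i}": v for i, v in enumerate([100, 50, 20, 10, 5, 5, 4, 3, 2, 1])}
```

On the small set the top 10% (one subscriber) carries half of the 200 MB total and a quota of 8 MB would affect 4 of 10 subscribers; on the lognormal sample the curve shows the same shape as the slide, a steep rise over the first few percent of subscribers that flattens toward 100%.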
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients / protocols / applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll-your-own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 400206; Sky Player update
PP18 [Planned for Jul / Aug 09]: Ares 211; Cisco IPSec; YouTube Shows (RTMP based); Flavors for popular Video services; Google Phone; Gaming applications; Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification: Benefits
Scalability: The behavioral approach is capable of recognizing the application flows based only on a few signatures - one signature per application family instead of a signature per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some of the use cases, such as Traffic Optimization; in such a case there is no need to recognize the specific P2P application
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions and their implementation impact:
Application: sessions or bandwidth
Time Based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-sub limits
Destination: on-net / peering / transit
Service Level

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(diagram: a subscriber's bandwidth shared between peer-to-peer service and web browsing, then with email added, then with mobile TV after the user launches video)

Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real-time with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer term violation of the subscription plan's acceptable usage policies to ensure a balanced community of subscribers
(chart: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources)

Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service-abuse
FairUsage works only during congestion times
(charts: No Fairness - some of the subscribers not getting a fair share of the BW; Fair allocation of BW with the SCE's FairShare)

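The fairness question posed on the two slides above (an equal split at 0:40 is not fair once the preceding window is taken into account), as an added example. This is weighted max-min fair allocation, written for the illustration; it is not Cisco's FairShare algorithm, and the weight rule (weight falls with usage over the recent window) and all numbers are assumptions.

```python
"""Added example (not Cisco's FairShare): weighted max-min allocation of a
congested link where a subscriber's weight drops with its usage over the
recent window, so a heavy short-term user does not crowd out a light one.
All numbers are constructed."""
from typing import Dict


def weights_from_recent_usage(recent: Dict[str, float]) -> Dict[str, float]:
    """Weight = 1 / (1 + recent usage). `recent` is e.g. MB moved in the last window."""
    return {sub: 1.0 / (1.0 + used) for sub, used in recent.items()}


def weighted_max_min(demand: Dict[str, float], capacity: float,
                     weights: Dict[str, float]) -> Dict[str, float]:
    """Progressive filling: each unsatisfied subscriber gets capacity in
    proportion to its weight; subscribers whose demand is met drop out and
    their unused share is redistributed among the rest."""
    alloc = {s: 0.0 for s in demand}
    active = {s for s in demand if demand[s] > 0}
    remaining = capacity
    while active and remaining > 1e-12:
        wsum = sum(weights.get(s, 1.0) for s in active)
        share = {s: remaining * weights.get(s, 1.0) / wsum for s in active}
        satisfied = {s for s in active if demand[s] - alloc[s] <= share[s]}
        if not satisfied:                   # everyone still wants more: split and stop
            for s in active:
                alloc[s] += share[s]
            break
        for s in satisfied:                 # give the satisfied their full demand
            remaining -= demand[s] - alloc[s]
            alloc[s] = demand[s]
        active -= satisfied                 # and re-split what is left
    return alloc


def equal_split(demand: Dict[str, float], capacity: float) -> Dict[str, float]:
    """The naive 'divide equally at this instant' policy from the slide."""
    return weighted_max_min(demand, capacity, {s: 1.0 for s in demand})


def fair_split(demand: Dict[str, float], capacity: float,
               recent: Dict[str, float]) -> Dict[str, float]:
    """Split that accounts for the short-term usage window."""
    return weighted_max_min(demand, capacity, weights_from_recent_usage(recent))
```

With two subscribers both demanding the full 10 units of a congested link, the equal split gives 5 / 5 regardless of history; the weighted split, where B has already moved 3 units in the window and A none, gives A 8 and B 2. Because the scheme only redistributes what is actually contended, a subscriber whose demand is below its share is never throttled, which matches the slide's "works only during congestion times".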
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the booming of Mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email-only
Ability to provide SLA support or managed services for large enterprise users
(diagram: UTRAN - SGSN / GGSN - SCE - Internet; GPRS; Policy Server)

Tiered Services
Requirement: Flexible Billing Plans
Volume, Time: Bill by bandwidth usage over an always-on subscription service
Time, Volume, Transaction, Content Type: Bill differently for each type of application and content
Volume, Transaction, Content Type, Usage Pattern, Quality of Service, Time: Bill differently for the same content based on quality, priority, time of day and usage pattern

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage

Quota Measurement / Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy to use reporting tools
(diagram: Service Control Engine between Subscribers and Network; Quota Manager, Billing / Mediation, Policy Server)

Quota Measurement Flexibility
Content that has other than Access Revenues can be exempted from Quota counting
SP's Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during time of day
Peak Hour: 1 byte of transfer = 1 byte of quota
Middle of Night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
Granular Charging for advanced services based on volume length of usage and application events
Standard Gy interface to Online Charging Server
Subscriber Service Control
SCE
Access Aggregation
and Service Control
Converged
Packet
Core
bullInternet
VideoVoIP
Applications and Services
1
2
GGSN
3
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types:
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
(Diagram: SCE - Gy over Diameter - Online Charging Server; Internet)
The Gy interface is still under development and will be available in a future release
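The credit-control loop behind the Gy slide, as an added example (not SCE or Cisco code): an enforcement point in the SCE role opens a DCCA session, meters traffic against the granted units, reports usage and asks for more, and stops forwarding once the Online Charging Server answers CREDIT_LIMIT_REACHED. The message dicts are named after RFC 4006 AVPs; the grant size, balance and session ID are constructed, and no Diameter wire encoding, transport or OCS failover is modelled.

```python
"""Diameter Credit-Control (DCCA, RFC 4006) session between an enforcement
point in the SCE role and an Online Charging Server (OCS), reduced to its
quota-handling logic. Constructed example: messages are Python dicts named
after RFC 4006 AVPs; no Diameter wire encoding, transport or failover is modelled."""
from dataclasses import dataclass, field

INITIAL, UPDATE, TERMINATE = 1, 2, 3             # CC-Request-Type (RFC 4006)
SUCCESS, CREDIT_LIMIT_REACHED = 2001, 4012       # Result-Code values (RFC 4006)


@dataclass
class OnlineChargingServer:
    """Holds the prepaid volume balance per subscriber (constructed data)."""
    balance_octets: dict                         # subscriber -> remaining octets
    grant_octets: int = 1_000_000                # units handed out per answer (assumed policy)
    sessions: dict = field(default_factory=dict)

    def handle_ccr(self, ccr):
        sub, req_type = ccr["Subscription-Id"], ccr["CC-Request-Type"]
        # Deduct the usage reported since the previous answer
        used = ccr.get("Used-Service-Unit", {}).get("CC-Total-Octets", 0)
        self.balance_octets[sub] = max(0, self.balance_octets[sub] - used)
        cca = {"Session-Id": ccr["Session-Id"], "CC-Request-Type": req_type,
               "CC-Request-Number": ccr["CC-Request-Number"], "Result-Code": SUCCESS}
        if req_type == TERMINATE:
            self.sessions.pop(ccr["Session-Id"], None)
            return cca
        grant = min(self.grant_octets, self.balance_octets[sub])
        if grant == 0:                           # balance exhausted: no further credit
            cca["Result-Code"] = CREDIT_LIMIT_REACHED
            return cca
        self.sessions[ccr["Session-Id"]] = sub
        cca["Granted-Service-Unit"] = {"CC-Total-Octets": grant}
        return cca


class SceSession:
    """Enforcement side: requests credit, meters traffic against the grant and
    re-requests when the grant is used up; stops forwarding once credit is denied."""

    def __init__(self, ocs, session_id, subscriber):
        self.ocs, self.session_id, self.sub = ocs, session_id, subscriber
        self.request_number = 0
        self.granted = 0                         # octets left from the last grant
        self.used_since_report = 0
        self.blocked = False
        self.transcript = []                     # (CCR, CCA) pairs, in order
        self._send(INITIAL)

    def _send(self, req_type):
        ccr = {"Session-Id": self.session_id, "CC-Request-Type": req_type,
               "CC-Request-Number": self.request_number, "Subscription-Id": self.sub,
               "Used-Service-Unit": {"CC-Total-Octets": self.used_since_report}}
        if req_type != TERMINATE:
            ccr["Requested-Service-Unit"] = {}   # empty RSU: let the OCS choose the grant size
        self.request_number += 1
        self.used_since_report = 0
        cca = self.ocs.handle_ccr(ccr)
        self.transcript.append((ccr, cca))
        if "Granted-Service-Unit" in cca:
            self.granted += cca["Granted-Service-Unit"]["CC-Total-Octets"]
        elif req_type != TERMINATE:
            self.blocked = True                  # CREDIT_LIMIT_REACHED: enforce the block
        return cca

    def forward(self, octets):
        """Meter `octets` of subscriber traffic; return how many were allowed through."""
        allowed = 0
        while octets > 0 and not self.blocked:
            if self.granted == 0:
                self._send(UPDATE)               # report usage, ask for more credit
                continue
            chunk = min(octets, self.granted)
            self.granted -= chunk
            self.used_since_report += chunk
            allowed += chunk
            octets -= chunk
        return allowed

    def close(self):
        return self._send(TERMINATE)


def demo():
    """Constructed run: 2.5 MB balance, 1 MB grants, 2.8 MB of traffic offered."""
    ocs = OnlineChargingServer(balance_octets={"joe": 2_500_000})
    session = SceSession(ocs, "sce1;joe;1", "joe")
    first = session.forward(1_800_000)
    second = session.forward(1_000_000)
    session.close()
    return first, second, session.blocked, ocs.balance_octets["joe"], len(session.transcript)
```

The transcript shows the five exchanges a practitioner would expect to see on the Gy link: one Initial, three Updates (the last answered with CREDIT_LIMIT_REACHED) and one Terminate that reports the final usage; the exact point at which forwarding stops is the 2.5 MB balance, not the 2.8 MB offered.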
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
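The quota mechanics from the "Quota Measurement Flexibility" slide and this Telenet slide, combined in one added example (not Telenet's or Cisco's implementation): services with non-access revenue are not counted, the measurement rate depends on the time of day (1:1 at peak, 10:1 at night), and crossing 100% drops the subscriber to dial-up speed and redirects the next web request to a portal where more volume can be bought. The exempt service names, night window, speeds and portal URL are assumptions.

```python
"""Quota accounting as described on the two quota slides: services with other
revenue are exempt from counting, the measurement rate depends on the time of
day, and reaching 100% of the quota drops the subscriber to dial-up speed and
redirects the next web request to the portal. Constructed example: the exempt
service names, night window, speeds and portal URL are illustrative."""
from dataclasses import dataclass

# Services whose revenue is not access revenue and are therefore not counted (assumed set)
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}
NIGHT_HOURS = range(1, 6)          # assumed "middle of the night" window, 01:00-05:59


def measurement_rate(hour):
    """Bytes of transfer per byte of quota: 10:1 in the middle of the night, 1:1 otherwise."""
    return 10 if hour in NIGHT_HOURS else 1


@dataclass
class QuotaAccount:
    quota_bytes: int
    used_bytes: int = 0
    full_speed_kbps: int = 20_000   # product speed (illustrative)
    reduced_speed_kbps: int = 56    # dial-up speed applied once the quota is reached
    redirected: bool = False

    def exhausted(self):
        return self.used_bytes >= self.quota_bytes

    def current_speed_kbps(self):
        return self.reduced_speed_kbps if self.exhausted() else self.full_speed_kbps

    def account(self, service, transfer_bytes, hour):
        """Charge one transfer against the quota; returns the quota bytes consumed."""
        if service in EXEMPT_SERVICES:
            return 0
        charged = transfer_bytes // measurement_rate(hour)
        self.used_bytes += charged
        return charged

    def on_http_request(self, url):
        """First web request after reaching 100% is redirected to the portal, later ones pass."""
        if self.exhausted() and not self.redirected:
            self.redirected = True
            return "https://portal.example/quota?return=" + url   # assumed portal URL
        return None

    def upgrade(self, extra_bytes):
        """Subscriber buys more volume: full speed is restored and a later redirect re-armed."""
        self.quota_bytes += extra_bytes
        self.redirected = False


def demo():
    """Constructed day for a 1 MB quota (small numbers keep the arithmetic visible)."""
    acct = QuotaAccount(quota_bytes=1_000_000)
    acct.account("web", 600_000, hour=20)          # peak: 600 kB counted
    acct.account("sp_voip", 500_000, hour=20)      # exempt: nothing counted
    acct.account("p2p", 3_000_000, hour=3)         # night: 3 MB counts as 300 kB
    acct.account("web", 200_000, hour=9)           # crosses 100%
    speed_at_limit = acct.current_speed_kbps()
    redirect = acct.on_http_request("http://example.test/")
    second = acct.on_http_request("http://example.test/next")
    acct.upgrade(500_000)
    return acct.used_bytes, speed_at_limit, redirect is not None, second, acct.current_speed_kbps()
```

Charging in quota bytes rather than transfer bytes is what makes the night-time 10:1 rate and the exemptions composable: the enforcement decision only ever looks at used_bytes against quota_bytes.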
(Portal screenshot: View previous months; Current product and speed; Extend monthly subscription volume; Upgrade to other product; Button to go from pay-as-you-go broadband to free smallband or the other way around)
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: Extend subscription (buy more); Pay as you go on broadband; Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
                  Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
VoIP              √        ×    ×        ×         ×        √         ×
IM                √        ×    ×        ×         √        √         ×
P2P               √        ×    √        ×         √        √         ×
FTP               √        ×    √        ×         √        √         ×
Media Stream      √        ×    √        ×         √        √         ×
Web Browsing      √        √    √        √         √        √         √
Downloads         √        ×    √        √         √        √         √
Emails            √        √    √        √         √        √         √
Handset as modem  √        ×    √        ×         √        √         ×
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber- and/or Application-Driven Solution
"Pull": Enhanced experience is subscriber-driven
"Turbo Button", Self-Care, Parental Control
(Diagram: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
"Push": Enhanced experience is application-driven
Application Awareness
Control Bus
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that distributed content does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with the AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
(Block page: "Content Blocked - Click here to unlock all Internet sites"; Internet)
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
(Diagram: On-Device URL Filtering with External Database Integration: URL not in cache -> URL Query RDR -> 3rd Party URL Database -> Return URL Classification -> Cache-Lookup Update)
Subscriber Package   HTTP DEFAULT   HTTP - List ID 1   HTTP - List ID 2
Block-none           ALLOW          ALLOW              ALLOW
Block-all            ALLOW          BLOCK              BLOCK
Block-and-slow       ALLOW          BLOCK              RATE 64kbps
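The cache-in-front-of-external-database pattern and the package action table above, as an added example (not the SCE's Java API or a Websense/Adaptive Mobile integration): a bounded LRU cache answers repeat lookups locally, only misses generate a query to the external database, and the returned list ID selects the action for the subscriber's package. The external database is an in-memory dict and the hostnames are constructed; the list IDs and actions are the slide's.

```python
"""On-device URL classification cache in front of an external (third-party) URL
database, combined with the per-package HTTP action table on this slide.
Constructed example: the external database is an in-memory dict standing in for
the 3rd-party lookup, and the sample hostnames are made up; list IDs and actions
are the slide's."""
from collections import OrderedDict
from urllib.parse import urlsplit

# Stand-in for the 3rd-party URL database: hostname -> list ID (None = not listed)
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2, "news.example": None}

# Action per package, indexed by classification: None = HTTP DEFAULT, 1 = List ID 1, 2 = List ID 2
PACKAGE_POLICY = {
    "Block-none":     {None: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {None: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {None: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class UrlClassifier:
    """LRU cache of classifications; only misses generate a query to the external DB."""

    def __init__(self, external_db, cache_size=1000):
        self.db = external_db
        self.cache = OrderedDict()          # host -> list ID, bounded unlike the external DB
        self.cache_size = cache_size
        self.external_queries = 0

    def classify(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if host in self.cache:
            self.cache.move_to_end(host)    # cache hit: no round trip
            return self.cache[host]
        self.external_queries += 1          # "URL not in cache": query, then update the cache
        list_id = self.db.get(host)         # unknown hosts fall into HTTP DEFAULT
        self.cache[host] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)  # evict the least recently used entry
        return list_id


def enforce(classifier, package, url):
    """Action the SCE applies to an HTTP request from a subscriber in `package`."""
    return PACKAGE_POLICY[package][classifier.classify(url)]


def demo():
    c = UrlClassifier(EXTERNAL_DB)
    actions = [
        enforce(c, "Block-and-slow", "http://adult.example/index.html"),
        enforce(c, "Block-and-slow", "http://gambling.example/bet"),
        enforce(c, "Block-none", "http://gambling.example/other"),   # served from cache
        enforce(c, "Block-all", "http://news.example/"),
        enforce(c, "Block-all", "http://unlisted.example/"),
    ]
    return actions, c.external_queries
```

Note that a negative result (host not on any list) is cached too; otherwise every request to an unlisted site would cost an external round trip, which is exactly the load the on-board cache is there to remove.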
Parental Control and Content Filtering: Example
Content Filtering
Page Blocked: Forbidden Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
(Diagram: ISP with Demographics, Browsing habits, Geo-location -> BetterAds -> Advertiser, Publisher, Consumer)
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDRs
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification (infringing / legal)
4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
(Diagram: Subscriber - SCE - Network; HASH DB)
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
(Diagram: SCE; OTT; Other OTT, P2P, VoIP; OTT Video Cache; SCE redirects OTT traffic; Cache delivers requested files; Increase in demand for OTT)
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: Identify the threat using stateful traffic processing and alert SP operations
Protect: Block/mitigate the threat based on configured policy
Notify: Quarantine the subscriber and notify of the security risk
(Diagram: Service Control; Email Servers; Internet)
Sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
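The Identify / Protect / Notify chain for the e-mail zombie case on this slide, as an added example (not the SCE's detection engine): an anomaly check on outbound SMTP fan-out per subscriber flags the infected host while leaving an ordinary mail user alone, the per-flow policy drops further SMTP flows from the flagged subscriber, and the subscriber is quarantined and handed the notification text. The flow records and the fan-out threshold are constructed; the message wording follows the slide.

```python
"""Identify / Protect / Notify for the "e-mail zombie" case on this slide: an
anomaly check on outbound SMTP fan-out flags a subscriber, the policy drops that
subscriber's new SMTP flows, and the subscriber is quarantined and notified.
Constructed example: the flow records and thresholds are made up; the message
text follows the slide."""
from collections import defaultdict

# Constructed outbound flow sample: (subscriber, destination IP, destination port, packets)
FLOWS = [
    ("sub-001", "203.0.113.10", 25, 30),    # a normal mail user: two SMTP peers
    ("sub-001", "203.0.113.11", 25, 28),
    ("sub-002", "198.51.100.5", 443, 120),
    ("sub-002", "198.51.100.9", 80, 45),
] + [("sub-003", f"192.0.2.{i}", 25, 3) for i in range(1, 41)]   # 40 distinct SMTP peers

SMTP_PORTS = {25, 587}
MAX_SMTP_PEERS = 10        # distinct SMTP destinations per window (assumed threshold)


def identify(flows, max_peers=MAX_SMTP_PEERS):
    """Anomaly step: subscribers whose distinct SMTP destination count exceeds the threshold."""
    peers = defaultdict(set)
    for sub, dst, port, _ in flows:
        if port in SMTP_PORTS:
            peers[sub].add(dst)
    return {sub: len(p) for sub, p in peers.items() if len(p) > max_peers}


def protect(flow, suspects, policy="block-smtp"):
    """Per-flow decision: drop new SMTP flows from flagged subscribers, pass everything else."""
    sub, _, port, _ = flow
    if sub in suspects and port in SMTP_PORTS and policy == "block-smtp":
        return "DROP"
    return "PASS"


def notify(suspects, quarantine):
    """Quarantine flagged subscribers and build the notification shown to each one."""
    notices = {}
    for sub in suspects:
        quarantine.add(sub)
        notices[sub] = ("Dear Valued Subscriber, we are advising you that your PC may have "
                        "become infected with an email zombie generating spam mail. "
                        "Click here for technical assistance.")
    return notices


def demo(flows=FLOWS):
    suspects = identify(flows)
    quarantine = set()
    notices = notify(suspects, quarantine)
    decisions = [protect(f, suspects) for f in flows]
    return suspects, sorted(quarantine), decisions.count("DROP"), len(notices)
```

Fan-out (distinct destinations) is a better anomaly feature than raw SMTP volume here: a legitimate user relaying through one or two mail servers produces many flows to few peers, while a spam bot connects directly to many recipient MX hosts. The block is scoped to SMTP so the quarantined subscriber can still reach the support page named in the notification.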
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
(Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet; VAS Server; Inbound Traffic; Outbound Traffic; X = Traffic Blocked)
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
(Diagram: Network)
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: Analysis Engine; PDR = Police, Drop, Rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
(Diagram: Subscribers - optical splitter - Network)
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each Active Link)
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
(Diagram: Active Link, Standby Link)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(Diagram: SCE8000 with two Optical Bypass modules; default bypass state (no power) vs non-default bypass state; link labels 10, 30, 00, 20)
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
(Diagram: Internet; N+1 SCEs; Flows / Return Flows)
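The subscriber-sticky dispatch idea on this slide, as an added example (a simplified model, not the 7600's load-balancing implementation): hashing on the subscriber-side address alone sends every flow of a subscriber, upstream and downstream, to the same SCE, and the subscribers of a failed SCE are re-homed to the +1 spare while everyone else stays where they were. SCE names and IP addresses are constructed.

```python
"""Subscriber-sticky flow dispatch for an N+1 SCE cluster: every flow of one
subscriber, in both directions, is steered to the same SCE so that flow and
subscriber state live on one device, and the subscribers of a failed SCE are
re-homed to the spare. Constructed example: a simplified model of the dispatching
idea on this slide, not the 7600's actual load-balancing implementation."""
import hashlib


class Dispatcher:
    def __init__(self, active, spare):
        self.active = list(active)      # N working SCEs, e.g. ["sce1", "sce2", "sce3"]
        self.spare = spare              # the +1 device
        self.failed = set()

    @staticmethod
    def _slot_key(src_ip, dst_ip, subscriber_side):
        """Hash on the subscriber IP only, so upstream and downstream packets agree."""
        return src_ip if subscriber_side else dst_ip

    def select(self, src_ip, dst_ip, subscriber_side=True):
        key = self._slot_key(src_ip, dst_ip, subscriber_side).encode()
        slot = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(self.active)
        sce = self.active[slot]
        return self.spare if sce in self.failed else sce   # N+1: spare serves the failed slot

    def fail(self, sce):
        self.failed.add(sce)

    def recover(self, sce):
        self.failed.discard(sce)


def spread(dispatcher, n=1000):
    """How many of n synthetic subscriber IPs land on each SCE."""
    counts = {}
    for i in range(n):
        sce = dispatcher.select(f"10.{i // 256}.{i % 256}.1", "93.184.216.34")
        counts[sce] = counts.get(sce, 0) + 1
    return counts


def demo():
    d = Dispatcher(["sce1", "sce2", "sce3"], "spare")
    up = d.select("10.0.0.7", "93.184.216.34", subscriber_side=True)     # subscriber -> Internet
    down = d.select("93.184.216.34", "10.0.0.7", subscriber_side=False)  # Internet -> subscriber
    others_before = {f"10.0.1.{i}": d.select(f"10.0.1.{i}", "93.184.216.34") for i in range(50)}
    d.fail(up)
    after = d.select("10.0.0.7", "93.184.216.34")
    # Subscribers that were not on the failed SCE keep their device
    unchanged = all(d.select(ip, "93.184.216.34") == sce
                    for ip, sce in others_before.items() if sce != up)
    return up == down, after, unchanged
```

Because the slot is derived from the subscriber address and the failed slot is simply served by the spare, a single failure moves exactly one SCE's worth of subscribers and nobody else's state; a second concurrent failure would also land on the spare, which is the limit of what N+1 covers.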
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: N+1; 1+1 HA; Bypass HAs; GGSN; BRAS/LAC/LNS; Accounting/Policy Control; DSL/Fiber; Mobile; Internet)
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
(Diagram of inspected header stacks: Payload / TCP / IP / L2TP / MPLS; Payload / TCP / IP / L2TP / MPLS; Payload / TCP / IP / PPP)
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
(Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager; AAA, DHCP, Radius, Billing; Reporting Tool, Engage Console, Service Portal; Collection Manager; Policy Server, Portal)
Management and Integrations
Area                          Description                                             Protocols and Tools         External Software Modules
Network Management            FCAPS                                                   SNMP, CLI, SSH              NA
Policy/Service Configuration  Definition of policies and dissemination to SE devices  SCA-API, GUI, Scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts               SM API, RADIUS              Subscriber Manager
Data Collection               Collection of usage data for reporting and billing      NetFlow v9, RDR-Protocol    Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a Top Subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: Radius Integration - Push
(Diagram: Subscribers - B-RAS - Network; Cisco Subscriber Manager with Internal SDB, SCE device Controller, Event Manager)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: Radius Integration - Pull
(Diagram: Subscribers - B-RAS - Network; Cisco Subscriber Manager with Internal SDB, SCE device Controller, Event Manager)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
(Diagram: LEGs -> SM)
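The push and pull exchanges on the two preceding slides and the LEG login/logout translation on this one, in one added example (a model, not the Cisco SM or its API): the relayed Accounting-Start is translated into a login (subscriber ID, mapping, policy) and pushed to the serving SCE; in pull mode an SCE that sees traffic from an unknown IP asks the SM who is using it; a DHCP-derived context carries a lease time and stops resolving when it expires. The attributes are parsed from a simplified "name=value" rendering; SCE-VAS-PID and the values Joe / 1.2.3.4 / 12 are the slides', while the DHCP subscriber and SCE names are constructed.

```python
"""Subscriber Manager model covering the push and pull integrations and the LEG
login/logout translation: an Accounting-Start relayed to the SM creates a
subscriber context and is pushed to the serving SCE; in pull mode the SCE asks
the SM who is using an IP; DHCP-derived contexts carry a lease time and expire.
Constructed example: attributes are parsed from a simplified "name=value"
rendering; SCE-VAS-PID and the sample values are taken from the slides."""
import time


def parse_acct_start(text):
    """Turn the relayed Accounting-Start (constructed textual form) into an attribute dict."""
    attrs = {}
    for line in text.strip().splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs


class SubscriberManager:
    def __init__(self):
        self.by_ip = {}       # network-ID (IP) -> context {id, policy, domain, expires}
        self.pushed = []      # messages pushed to SCEs: (sce, op, subscriber_id, ip, policy_id)

    def login(self, subscriber_id, ip, policy_id, domain="default",
              lease_seconds=None, now=None, sce=None):
        """LEG 'login' translation: subscriber ID, mapping, lease time, policy."""
        now = time.time() if now is None else now
        expires = None if lease_seconds is None else now + lease_seconds
        self.by_ip[ip] = {"id": subscriber_id, "policy": policy_id,
                          "domain": domain, "expires": expires}
        if sce is not None:   # push mode: SetSubscriber goes straight to the serving SCE
            self.pushed.append((sce, "SetSubscriber", subscriber_id, ip, policy_id))

    def logout(self, ip, sce=None):
        """LEG 'logout' translation: remove the mapping for this IP."""
        ctx = self.by_ip.pop(ip, None)
        if ctx is not None and sce is not None:
            self.pushed.append((sce, "RemoveSubscriber", ctx["id"], ip, ctx["policy"]))
        return ctx

    def lookup(self, ip, now=None):
        """Pull mode: the SCE asks 'who is using IP x?'; expired DHCP leases are dropped."""
        now = time.time() if now is None else now
        ctx = self.by_ip.get(ip)
        if ctx is None:
            return None
        if ctx["expires"] is not None and ctx["expires"] <= now:
            del self.by_ip[ip]
            return None
        return ctx["id"], ctx["policy"]


# Constructed rendering of the relayed Accounting-Start from the push slide
RELAYED_ACCT_START = """
ACCT Start
Username=Joe
Framed-IP-Address=1.2.3.4
SCE-VAS-PID=12
"""


def demo():
    sm = SubscriberManager()
    attrs = parse_acct_start(RELAYED_ACCT_START)
    # Push: the RADIUS LEG translates the attributes and the SM sets the subscriber on sce1
    sm.login(attrs["Username"], attrs["Framed-IP-Address"], int(attrs["SCE-VAS-PID"]), sce="sce1")
    pushed = sm.pushed[-1]
    # Pull: traffic from 1.2.3.4 reaches an SCE that has no context and asks the SM
    pulled = sm.lookup("1.2.3.4")
    # DHCP LEG: a lease-bound context expires and stops resolving
    sm.login("bob", "1.2.3.5", 7, lease_seconds=3600, now=1_000)
    live = sm.lookup("1.2.3.5", now=2_000)
    expired = sm.lookup("1.2.3.5", now=5_000)
    sm.logout("1.2.3.4", sce="sce1")
    return pushed, pulled, live, expired, sm.lookup("1.2.3.4"), sm.pushed[-1][1]
```

Honouring the lease time matters for enforcement correctness: once a DHCP lease lapses the address may be handed to another subscriber, and a stale mapping would apply the previous subscriber's package (and quota) to the new one's traffic.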
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID, with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE - API - Subscriber Manager - API - Policy Server)
PCEF - Subscriber Policy Enforcement
(Diagram: GGSN; Access Aggregation and Service Control; Converged Packet Core; Internet; Subscriber Service Control; Video/VoIP, Applications and Services; PCEF SCE; steps 1, 2, 3, 4, 5)
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF / Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR Protocol integrated directly into 3rd party systems: policy control, mediation, home-grown customer systems
(Diagram: RDR stream over TCP to Mediation/Collection Platform; each RDR = Header, Field 0, Field 1, ..., Field n)
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCMS Collection Manager -> SCMS Reporter; NetFlow Collector -> NetFlow Reporter)
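How template-driven NetFlow v9 export carries L7 usage records and how a collector decodes them, as an added example (not SCE or Collection Manager code): one export packet holds a template FlowSet that describes the record layout and a data FlowSet of records in that layout; the collector learns the template, then decodes the data with it and skips FlowSets whose template it has not seen. The header and standard field types follow RFC 3954; the two L7 fields (application ID, subscriber ID) use constructed field-type IDs, not the Cisco pre-standard values, and the sample records are made up.

```python
"""NetFlow v9 (RFC 3954) export of L7 usage records and the collector-side
decode: a template FlowSet describing the record layout followed by a data
FlowSet in that layout; the collector learns the template first and then decodes
the data with it. Constructed example: standard field types use RFC 3954 IDs, the
two L7 fields use constructed IDs (not the Cisco pre-standard values)."""
import struct

IN_BYTES, IN_PKTS, IPV4_SRC_ADDR, IPV4_DST_ADDR = 1, 2, 8, 12   # RFC 3954 field types
L7_APP_ID, SUBSCRIBER_ID = 50001, 50002                         # constructed L7 field IDs
TEMPLATE_ID = 256                                               # data FlowSet IDs are > 255
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_PKTS, 4), (IN_BYTES, 8),
            (L7_APP_ID, 2), (SUBSCRIBER_ID, 4)]                 # (type, length): record layout
IP_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}


def _ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def encode(records, seq=0, source_id=1, uptime_ms=0, unix_secs=0):
    """Exporter side: header + template FlowSet + data FlowSet, all big-endian."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ftype, flen in TEMPLATE:
        tmpl += struct.pack("!HH", ftype, flen)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl    # FlowSet ID 0 = template

    data = b""
    for r in records:
        data += _ip_to_bytes(r["src"]) + _ip_to_bytes(r["dst"])
        data += struct.pack("!IQHI", r["pkts"], r["bytes"], r["app"], r["sub"])
    pad = (-len(data)) % 4                                       # FlowSets are 4-byte aligned
    data_fs = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad

    # Count = template records + data records in this packet
    header = struct.pack("!HHIIII", 9, 1 + len(records), uptime_ms, unix_secs, seq, source_id)
    return header + template_fs + data_fs


def decode(packet, templates=None):
    """Collector side: learn templates, then decode data FlowSets whose template is known."""
    templates = {} if templates is None else templates
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    pos, records = 20, []
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4:                                           # malformed length: stop
            break
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:                                           # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id in templates:                                 # data FlowSet with known layout
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while p + rec_len <= len(body):                      # trailing padding is skipped
                rec, q = {}, p
                for ftype, flen in fields:
                    raw = body[q:q + flen]
                    q += flen
                    rec[ftype] = ".".join(map(str, raw)) if ftype in IP_FIELDS \
                        else int.from_bytes(raw, "big")
                records.append(rec)
                p += rec_len
        pos += fs_len                                            # unknown template: FlowSet skipped
    return records, templates


# Constructed sample of two subscriber-usage records
SAMPLE = [{"src": "10.0.0.7", "dst": "93.184.216.34", "pkts": 120, "bytes": 150_000, "app": 7, "sub": 1001},
          {"src": "10.0.0.9", "dst": "198.51.100.5", "pkts": 40, "bytes": 9_000, "app": 3, "sub": 1002}]


def roundtrip(records=SAMPLE):
    """Encode, decode, and map field-type keys back to names for comparison."""
    decoded, _ = decode(encode(records))
    return [{"src": r[IPV4_SRC_ADDR], "dst": r[IPV4_DST_ADDR], "pkts": r[IN_PKTS],
             "bytes": r[IN_BYTES], "app": r[L7_APP_ID], "sub": r[SUBSCRIBER_ID]} for r in decoded]
```

The template mechanism is what lets an exporter add L7 fields without breaking collectors: a collector that does not understand field type 50001 still decodes the record by length, and one that has not yet received the template simply skips the data FlowSet (the `templates` dict is passed back in so it persists across packets).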
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application is classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (aka Upstream / Downstream)
(Diagram: Subscriber Side - Upstream Flows / Downstream Flows - Network Side; Browsing, P2P, VoIP)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
(Diagram: Mobile, DSL, Cable)
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
The SCE Mobile Solution - 3GPP Compliance
(Diagram: Internet; Core; GGSN/SGSN; SCE; AAA (Radius); Policy Server; Portal/Applications; Billing & Charging; PCEF; Gy/Gx; PCRF; OCF/SRP; AF)
What does an SCE solution look like? SCE sits at the access or aggregation layer
(Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager; AAA, DHCP, Radius, Billing; Reporting Tool, Engage Console, Service Portal; Collection Manager; Policy Server, Portal)
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting & external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control sub-level policies
4. Policy Manager to control multiple devices and sophisticated policies
Service Control Engine Deployment Approaches
(Diagram axes: Usage Analysis; Service Creation; Portal, DHCP, AAA, Subs Profile, Policy)
1. Traffic Analysis & Business Intelligence: Implement traffic monitoring, analysis and reporting; Determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): Manage bandwidth-intensive applications through packet flow optimization techniques; Implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: Implement tiered services using volume- and time-based quotas; Implement Service Self Selection; Implement Over-The-Top (OTT) Application Strategy and Blended Services; Implement Security Services (Anti-X, Quarantine etc.); Innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
What does a Service Provider want from SCE? Profitability
URL Blacklisting: Restricting sites that are blacklisted by governments
Precision Advertising
Copyright Infringement Blocking
OTT Revenue Share Proposition
Enhanced Tiered Services
Usage/Content Based Billing
Fair Use Policy
Demographic information & per-sub re-direction to ad server
Blocking distribution of pirated film/music
Application intercept for Internet content prioritisation
Product tiers in addition to flat rate all-you-can-eat
All HSDPA mobile operators
Global migration from flat rate to usage based
(Graphic labels: Flat Rate, Restricted)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 30
Traffic Analysis and Business Intelligence
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 31
Business Intelligence Cycle
Cycle stages: Measure, Analyze, Compare, Decide, Act (Cisco Service Control appears at two points of the cycle)
Stage items shown: Transactions Information, Network Utilization, Service QoE; Data Aggregation, Data Mining, Correlation, Trend Analysis; Geographies Comparison, Histogram View, Service Offering, Intersecting Set; Marketing Review, Engineering Review, IT Review; Network Tuning, Cooperation
Inputs shown: Strategic, Part of Business Ops, Customer, Sales, Category Recognition
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart label: Only ClickStream)
Cumulative & Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol-signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies (HD vs. normal); Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market / zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Policy dimensions and their implementation impact:
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Service level
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: four snapshots of a subscriber's bandwidth shared between a peer-to-peer service, web browsing, email and mobile TV, with the allocation changing when the user launches video)
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
No fairness: some of the subscribers are not getting a fair share of the BW
Fair allocation of BW with the SCE's FairShare
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging (e.g. email only)
Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN, SGSN/GGSN, SCE, Policy Server, Internet; GPRS)
Tiered Services
Requirement: Flexible Billing Plans
Volume, Time: bill by bandwidth usage over an always-on service
Time, Volume, Transaction, Content Type: bill differently for each type of application and content
Volume, Transaction, Content Type, Usage Pattern, Quality of Service, Time: bill differently for the same content based on quality, priority, time of day and usage pattern
(Diagram label: Subscription)
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-Based Subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: Subscribers - Service Control Engine - Network; Quota Manager, Billing/Mediation, Policy Server)
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
The quota measurement rate can change by time of day: at peak hours 1 byte of transfer = 1 byte of quota; in the middle of the night 10 bytes of transfer = 1 byte of quota
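The exemption and time-of-day counting rules above, as an added metering example (not SCE code): the exempt service names, the night window and the 80% warning threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable

# Added example, not SCE code: models the quota-counting rules described on the slide.
# Exempt service names, the night window and the thresholds below are constructed assumptions.
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}
NIGHT_HOURS = range(0, 6)          # assumption: "middle of the night" = 00:00-05:59 local time
NIGHT_BYTES_PER_QUOTA_BYTE = 10    # slide: 10 bytes of transfer = 1 byte of quota at night
PEAK_BYTES_PER_QUOTA_BYTE = 1      # slide: 1 byte of transfer = 1 byte of quota at peak


@dataclass(frozen=True)
class UsageRecord:
    """Constructed stand-in for one per-subscriber usage record from the SCE."""
    hour: int          # local hour of day the usage was counted in (0-23)
    service: str       # classified service name
    direction: str     # "down" or "up" (upload P2P is counted too, per the slide)
    transferred: int   # bytes on the wire


def quota_rate(hour: int) -> int:
    """Bytes of transfer that consume one byte of quota at the given hour."""
    if hour not in range(24):
        raise ValueError(f"bad hour {hour}")
    return NIGHT_BYTES_PER_QUOTA_BYTE if hour in NIGHT_HOURS else PEAK_BYTES_PER_QUOTA_BYTE


def quota_charge(rec: UsageRecord) -> int:
    """Quota bytes consumed by one record: zero for exempt SP/partner content, otherwise
    transferred bytes divided by the time-of-day rate (rounded down; an assumption)."""
    if rec.service in EXEMPT_SERVICES:
        return 0
    return rec.transferred // quota_rate(rec.hour)


def meter(records: Iterable[UsageRecord], quota_limit: int) -> dict:
    """Sum charges against a subscriber's quota and decide the resulting state.
    'exhausted' is where the portal redirect / reduced-speed package would apply;
    'warning' at 80% is a constructed threshold, not from the slide."""
    charged = 0
    transferred = 0
    per_service: dict = {}
    for rec in records:
        c = quota_charge(rec)
        charged += c
        transferred += rec.transferred
        per_service[rec.service] = per_service.get(rec.service, 0) + c
    if charged >= quota_limit:
        state = "exhausted"
    elif charged >= quota_limit * 0.8:
        state = "warning"
    else:
        state = "ok"
    return {
        "transferred": transferred,
        "charged": charged,
        "remaining": max(quota_limit - charged, 0),
        "per_service": per_service,
        "state": state,
    }


GB = 10**9
# Constructed day of usage for one subscriber.
SAMPLE_DAY = [
    UsageRecord(14, "web", "down", 1 * GB),               # peak: counts 1:1
    UsageRecord(2, "p2p", "down", 2 * GB),                # night: counts 10:1
    UsageRecord(20, "sp-content-store", "down", 3 * GB),  # exempt: SP's own store
    UsageRecord(21, "p2p", "up", 500_000_000),            # upload direction, counted via DPI
]

if __name__ == "__main__":
    print(meter(SAMPLE_DAY, 5 * GB))
```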
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
(Diagram: Subscriber Service Control; SCE at Access Aggregation and Service Control; GGSN; Converged Packet Core; Internet; Video/VoIP Applications and Services; steps 1-3)
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
(Diagram: SCE - Gy over Diameter - Online Charging Server; Internet)
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches his quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
(Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around)

Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer satisfaction
T-Mobile - Quota-Based With Application Control
Package:           Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
Allowance:         Unlimited  2GB  2GB  1GB  3GB  10GB
VoIP:              ✓  ✗  ✗  ✗  ✗  ✓  ✗
IM:                ✓  ✗  ✗  ✗  ✓  ✓  ✗
P2P:               ✓  ✗  ✓  ✗  ✓  ✓  ✗
FTP:               ✓  ✗  ✓  ✗  ✓  ✓  ✗
Media Stream:      ✓  ✗  ✓  ✗  ✓  ✓  ✗
Web Browsing:      ✓  ✓  ✓  ✓  ✓  ✓  ✓
Downloads:         ✓  ✗  ✓  ✓  ✓  ✓  ✓
Emails:            ✓  ✓  ✓  ✓  ✓  ✓  ✓
Handset as modem:  ✓  ✗  ✓  ✗  ✓  ✓  ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
(Chart label: > 40)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
"Push": enhanced experience is application-driven (IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice)
(Diagram: Application Awareness, Control Bus)
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self-selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content-provider partnership
(Portal screenshot: "Content Blocked - click here to unlock all Internet sites"; Internet)
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration (flow): URL not in cache -> URL Query RDR -> 3rd-party URL database returns the URL classification -> cache lookup/update
Subscriber package vs. HTTP list:
Package         DEFAULT  HTTP List ID 1  HTTP List ID 2
Block-none      ALLOW    ALLOW           ALLOW
Block-all       ALLOW    BLOCK           BLOCK
Block-and-slow  ALLOW    BLOCK           RATE 64kbps
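The cache-then-external-DB lookup and the package/list action table above, as an added example (not SCE or Websense code): the external DB, the host-based cache key, the LRU eviction and the sample host listing are constructed assumptions.

```python
from collections import OrderedDict

# Added example, not SCE code: the lookup flow (cache miss -> query external DB -> update cache)
# and the subscriber-package action table from the slide. List IDs: 0 = DEFAULT (not listed).
DEFAULT_LIST = 0

# Action per (package, list ID), copied from the slide's table.
PACKAGE_ACTIONS = {
    "Block-none":     {DEFAULT_LIST: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {DEFAULT_LIST: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Constructed stand-in for the 3rd-party URL classification database."""

    def __init__(self, listing):
        self._listing = listing     # host -> list ID
        self.queries = 0            # counts 'URL Query RDR' round trips

    def classify(self, host):
        self.queries += 1
        return self._listing.get(host, DEFAULT_LIST)


class UrlFilter:
    """On-device URL filter with a bounded LRU cache in front of the external DB."""

    def __init__(self, db, cache_size=1000):
        self._db = db
        self._cache = OrderedDict()
        self._cache_size = cache_size

    @staticmethod
    def host_of(url):
        """Normalise a request to its host part; the cache key is the host (assumption)."""
        url = url.strip().lower()
        for prefix in ("http://", "https://"):
            if url.startswith(prefix):
                url = url[len(prefix):]
        host = url.split("/", 1)[0].split(":", 1)[0]
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host

    def classify(self, url):
        host = self.host_of(url)
        if host in self._cache:                 # cache hit: no external transaction
            self._cache.move_to_end(host)
            return self._cache[host]
        list_id = self._db.classify(host)       # cache miss: query the external DB
        self._cache[host] = list_id             # cache-lookup update
        if len(self._cache) > self._cache_size:
            self._cache.popitem(last=False)     # evict the least recently used entry
        return list_id

    def decide(self, package, url):
        """Return the action for a subscriber in `package` requesting `url`."""
        if package not in PACKAGE_ACTIONS:
            raise KeyError(f"unknown package {package!r}")
        list_id = self.classify(url)
        return PACKAGE_ACTIONS[package].get(list_id, "ALLOW")  # unknown list IDs allowed (assumption)


# Constructed sample listing; hosts are documentation names, not real classifications.
SAMPLE_DB = ExternalUrlDb({"blocked.example": 1, "slow.example": 2})
```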
Parental Control and Content Filtering: Example
Content filtering (page blocked: forbidden content detected)
Subscriber-managed parental control
Basic web-site blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
(Diagram: the ISP holds demographics, browsing habits and geo-location; BetterAds links Advertiser, Publisher and Consumer)
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDRs
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
(Diagram: SCE in path; OTT, other OTT/P2P and VoIP traffic; OTT Video Cache; SCE redirects OTT traffic; cache delivers requested files; increase in demand for OTT)
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: the threat, using stateful traffic processing, and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify of the security risk
(Diagram: Service Control, Email Servers, Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet; VAS Server; inbound and outbound traffic; X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - broadband edge/aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flow
Network redundancy
IP tunneling environment
(Diagram: Network)
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
(Diagram: Analysis Engine; PDR = Police / Drop / Rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters / port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
(Diagram: Subscribers - optical splitter - SCE - optical splitter - Network)
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each active link)
Redundant Configurations: Active/Standby Schemes
1+0: active/standby; SCE on the active link; on failure the network uses the alternate path; no service redundancy; bypass config: fail open
1+1: active/standby; SCE on each link; on failure the network uses the alternate path; the standby SCE resumes service; bypass config: fail open
(Diagram: active link and standby links)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(Diagram: SCE8000 with two optical bypass modules; default bypass state (no power) vs. non-default bypass state)
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber states
(Diagram: N+1 SCEs, flows and return flows, Internet)
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: N+1, 1+1 HA and bypass HA SCE clusters; GGSN; BRAS/LAC/LNS; Accounting/Policy Control; DSL/Fiber and Mobile access; Internet)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
(Diagram: packet stacks Payload/TCP/IP over l2tp or mpls, and Payload/TCP/IP over ppp)
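Walking the encapsulations listed above down to the inner IPv4 header, as an added example (not SCE code): it handles 802.1q, an MPLS label stack, L2TPv2/PPP and IP-in-IP on constructed frames; GRE and GTP are left out as the slide says they are planned, and IPv4 directly under the MPLS stack is an assumption.

```python
import struct

# Added example, not SCE code: strip the encapsulations on the slide (802.1q, MPLS, L2TP/PPP,
# IP-in-IP) down to the inner IPv4 header, as a classifier must before matching the payload.
# GRE and GTP are not handled (the slide lists them as planned).
ETH_8021Q, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_UDP = 4, 17
L2TP_UDP_PORT = 1701
PPP_IPV4 = 0x0021


def parse_ipv4(buf, off):
    """Return (header_len, protocol, src, dst) for the IPv4 header at buf[off:]."""
    if off + 20 > len(buf):
        raise ValueError("truncated IPv4 header")
    if buf[off] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[off] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return ihl, buf[off + 9], src, dst


def skip_l2tp_ppp(buf, off):
    """Skip an L2TPv2 data header (RFC 2661 optional fields) and the PPP framing;
    return the offset of the PPP payload, which must be IPv4."""
    flags = struct.unpack_from("!H", buf, off)[0]
    if flags & 0x000F != 2:
        raise ValueError("only L2TPv2 handled")
    if flags & 0x8000:
        raise ValueError("L2TP control message, no payload")
    off += 2
    if flags & 0x4000:                       # Length field present
        off += 2
    off += 4                                 # Tunnel ID, Session ID
    if flags & 0x0800:                       # Ns, Nr present
        off += 4
    if flags & 0x0200:                       # Offset Size present, then padding
        off += 2 + struct.unpack_from("!H", buf, off)[0]
    if buf[off:off + 2] == b"\xff\x03":      # PPP address/control, unless compressed
        off += 2
    if buf[off] & 0x01:                      # odd first byte: protocol-field compression
        proto, off = buf[off], off + 1
    else:
        proto, off = struct.unpack_from("!H", buf, off)[0], off + 2
    if proto != PPP_IPV4:
        raise ValueError(f"PPP protocol 0x{proto:04x} is not IPv4")
    return off


def inner_ipv4(frame):
    """Strip tunnels from an Ethernet frame; return (layers removed, (src, dst, protocol))."""
    layers = []
    off = 14
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while ethertype == ETH_8021Q:            # one or more VLAN tags
        layers.append("802.1q")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETH_MPLS:
        while True:                          # label stack until the bottom-of-stack bit
            entry = struct.unpack_from("!I", frame, off)[0]
            layers.append(f"mpls:{entry >> 12}")
            off += 4
            if entry & 0x100:
                break
        ethertype = ETH_IPV4                 # assumption: IPv4 directly under the stack
    if ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    while True:
        ihl, proto, src, dst = parse_ipv4(frame, off)
        if proto == IPPROTO_IPIP:
            layers.append("ip-in-ip")
            off += ihl
            continue
        if proto == IPPROTO_UDP:
            sport, dport = struct.unpack_from("!HH", frame, off + ihl)
            if L2TP_UDP_PORT in (sport, dport):
                layers.append("l2tp/ppp")
                off = skip_l2tp_ppp(frame, off + ihl + 8)
                continue
        return layers, (src, dst, proto)


# Constructed frames for the three stacks on the slide (no checksums; none are validated).
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr + payload


ETH = b"\x02" * 6 + b"\x04" * 6              # constructed destination/source MACs
TCP_STUB = ipv4("10.1.1.1", "203.0.113.5", 6, b"\x00" * 20)   # inner IP + empty TCP header
MPLS_FRAME = (ETH + struct.pack("!HHH", ETH_8021Q, 100, ETH_MPLS)
              + struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64) + TCP_STUB)
L2TP_PAYLOAD = struct.pack("!HHH", 0x0002, 5, 7) + b"\xff\x03" + struct.pack("!H", PPP_IPV4) + TCP_STUB
L2TP_FRAME = (ETH + struct.pack("!H", ETH_IPV4)
              + ipv4("192.0.2.1", "192.0.2.2", IPPROTO_UDP,
                     struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(L2TP_PAYLOAD), 0)
                     + L2TP_PAYLOAD))
IPIP_FRAME = ETH + struct.pack("!H", ETH_IPV4) + ipv4("198.51.100.1", "198.51.100.2", IPPROTO_IPIP, TCP_STUB)
```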
Management and Integration
(Diagram: Subscriber Manager, AAA, DHCP, RADIUS/Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager, Policy Server/Portal, Service Control Engine, Subscribers, Network)
What does an SCE solution look like? The SCE sits at the access or aggregation layer.
Modular solution includes SCE devices, management tools and integration APIs
Management and Integrations
Area                          Description                                             Protocols and Tools          External Software Modules
Network Management            FCAPS                                                   SNMP, CLI, SSH               N/A
Policy/Service Configuration  Definition of policies and dissemination to SE devices  SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts               SM API, RADIUS               Subscriber Manager
Data Collection               Collection of usage data for reporting and billing      NetFlow v9, RDR protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB (link throughput, flow statistics, subscriber statistics, device performance, RDR statistics); traps: MIB-II traps, RDR link up/down, link status up/down
CLI: Telnet/SSH; Cisco look and feel; CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM back end
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality: view/load/edit signatures; configure identification thresholds; set up mitigation actions; view reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
(Diagram: B-RAS - Network; RADIUS server; Cisco Subscriber Manager with Event Manager, Internal SDB and SCE device controller; SCE; Subscribers)
1. (RADIUS) B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) sent to the SCE
Subscriber Manager RADIUS Integration - Pull
(Diagram: same components as the push case)
1. (RADIUS) B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
RADIUS Integration: LEG translation in brief
RADIUS attributes: User-Name, NAS-Ident�ifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translated to SM login: Subscriber ID, Domain, Mappings, Lease time, Policy
Translated to SM logout: Subscriber ID, Mappings

Policy Server Integration/API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C and Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning
NetFlow v9 – allows integration for billing/quota provisioning

Policy Servers Integration/Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID.
Diagram: SCE – (API) – Subscriber Manager – (API) – Policy Server

PCEF - Subscriber Policy Enforcement
Diagram: GGSN (access aggregation and service control) – SCE as PCEF (subscriber service control) – converged packet core – Internet; video/VoIP applications and services; PCRF policy server
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server.
Communication with the PCRF is through a standard Gx interface.
The Gx interface is still under development and will be available in a future release.

Gx Interface And RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow collector.
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager/RDR Protocol
Usage data is streamed from the device using the RDR protocol:
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: SCE – RDR stream (RDR, RDR, RDR, ...) over TCP – mediation/collection platform; each RDR is a header followed by Field 0, Field 1, ..., Field n

Collection Manager/NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE – SCMS Collection Manager – SCMS Reporter; SCE – NetFlow Collector – NetFlow Reporter

Collection Manager/Software Overview
CM software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle:
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
– per package
– per service
– per direction (i.e. upstream, downstream)
Diagram: subscriber side – SCE – network side, with upstream and downstream flows for browsing, P2P and VoIP

ToS Classification
The SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network.
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.

Summary

Cisco SCE Sample Customers
Diagram: customer logos grouped by access type (Mobile, DSL, Cable)

Diagram: partners and customers by solution area (Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising)
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Diagram: partners and customers by solution area (Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing)
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Diagram: Subscribers – Service Control Engine – Network; Subscriber Manager (AAA, DHCP, RADIUS); Collection Manager (billing, reporting tool, Engage console); Policy Server/Portal (service portal)
1. SCE appliance to view and act on the packets
2. Collection Manager to collect data records for reporting and external DBs
3. Subscriber Manager to coordinate subscriber info with AAA and control subscriber-level policies
4. Policy Manager to control multiple devices and sophisticated policies

Service Control Engine Deployment Approaches
Diagram: approaches ordered from usage analysis to service creation, supported by portal, DHCP, AAA, subscriber profile and policy systems
1. Traffic Analysis & Business Intelligence: implement traffic monitoring, analysis and reporting; determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): manage bandwidth-intensive applications through packet flow optimization techniques; implement fair usage policies for fair allocation of network resources
3. Revenue Generating Services: implement tiered services using volume and time-based quotas; implement service self-selection; implement an Over-The-Top (OTT) application strategy and blended services; implement security services (Anti-X, quarantine, etc.); innovate other differentiated services such as parental controls, content filtering, turbo buttons, allowance-based services, prioritized application services and pay-as-you-go services

What does a Service Provider want from SCE? Profitability
URL Blacklisting: restricting sites that are blacklisted by governments
Precision Advertising: demographic information and per-subscriber redirection to an ad server
Copyright Infringement Blocking: blocking distribution of pirated film/music
OTT Revenue Share Proposition: application intercept for Internet content prioritisation
Enhanced Tiered Services: product tiers in addition to flat-rate all-you-can-eat
Usage/Content Based Billing: all HSDPA mobile operators
Fair Use Policy: global migration from flat rate to usage based
Diagram: flat rate vs. restricted offerings

Traffic Analysis and Business Intelligence

Business Intelligence Cycle
Diagram: a cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control at both the Measure and the Act ends, feeding strategic decisions that are part of business ops (customer, sales, category, recognition)
Transactions information, network utilization, service QoE
Data aggregation, data mining, correlation, trend analysis
Geographies comparison, histogram view, service offering
Marketing review, intersecting set, engineering review, IT review
Network tuning, cooperation

Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application

Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts

Web Reports/ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
Diagram: all HTTP requests vs. only ClickStream events

Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only

Service Control Engine Protocol Support/Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs. Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM

Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge

Behavioral Classification/Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market – zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control/Policy Implementation
Service level policy dimensions:
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net/peering/transit
Diagram: policy implementation impact

Adaptive Subscriber Bandwidth Allocation/Improve User Experience
Diagram: a subscriber's bandwidth is shared between a peer-to-peer service, web browsing and email; when the user launches video (mobile TV) the allocation adapts so that the video is accommodated

Fair Usage/The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, monitoring and acting on longer-term violations of the subscription plan's acceptable usage policies ensures a balanced community of subscribers.
Diagram: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage/SCE – Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
– apply equitable distribution of network resources
– improve the Quality of Experience that the network delivers
– minimize service abuse
FairUsage works only during congestion times.
Diagram: no fairness (some subscribers not getting a fair share of the BW) vs. fair allocation of BW with the SCE's FairShare

RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN – SGSN/GGSN (GPRS) – SCE – Internet, with a policy server

Tiered Services

Requirement: Flexible Billing Plans
Diagram: the billing dimensions are time, volume, transaction, content type, usage pattern, quality of service and subscription
Bill by bandwidth usage over an always-on service (time, volume)
Bill differently for each type of application and content (volume, transaction, content type)
Bill differently for the same content based on quality, priority, time of day and usage pattern (volume, transaction, content type, usage pattern, quality of service)

Allowance or Quota Based Services/Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement/Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Subscribers – Service Control Engine – Network; Quota Manager, Billing/Mediation, Policy Server

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change with time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the Online Charging Server
Diagram: GGSN (access aggregation and service control) – SCE (subscriber service control) – converged packet core – Internet; video/VoIP applications and services
The Gy interface is still under development and will be available in a future release.

Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
Diagram: SCE – Gy over Diameter – Online Charging Server; Internet
The Gy interface is still under development and will be available in a future release.

Quota Based Tiering: Telenet Cable Company in Belgium
Source: http://www.billingworld.com/rev2/main/feature/Article.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at the reduced speed till the end of the month
15% of the customers upgrade their quota every month

Diagram: Telenet customer portal with options to view previous months, see the current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to go from pay-as-you-go broadband to free smallband or the other way around

Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.

Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer service satisfaction
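The quota accounting on the quota measurement flexibility slide and the Telenet tiering slides, as an added example (not Cisco's or Telenet's code): exempt services are not counted, the counting rate depends on the hour, and at 100% of the quota the subscriber drops to narrowband and is handed the three redirect options. The service names, the night-hour boundaries, the 56 kbps narrowband rate and the usage records are assumptions.

```python
from dataclasses import dataclass, field

GB = 1024 ** 3
# Services exempted from quota counting (the quota measurement flexibility slide);
# the service labels are our own.
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cds"}
NIGHT_HOURS = range(2, 5)     # ASSUMPTION: the slide gives the night rate but not the hour boundaries
NARROWBAND_KBPS = 56          # ASSUMPTION: a "dial-up speed" value for the reduced service
REDIRECT_OPTIONS = ("extend-subscription", "pay-as-you-go", "continue-narrowband")

def quota_rate(hour):
    """Bytes transferred per byte of quota consumed: 1:1 at peak, 10:1 in the middle of the night."""
    return 10 if hour in NIGHT_HOURS else 1

@dataclass
class SubscriberQuota:
    subscriber_id: str
    monthly_quota_bytes: int
    used_bytes: int = 0
    state: str = "broadband"              # broadband | narrowband | payg
    events: list = field(default_factory=list)

    def account(self, service, tx_bytes, hour):
        """Charge one usage record against the quota; returns the quota bytes consumed.
        Reaching 100% drops the service to narrowband and raises the redirect-page event once."""
        if tx_bytes < 0:
            raise ValueError("negative byte count")
        if service in EXEMPT_SERVICES or self.state == "payg":
            return 0                      # exempt content, or metered per MB instead of by quota
        consumed = tx_bytes // quota_rate(hour)
        self.used_bytes += consumed
        if self.used_bytes >= self.monthly_quota_bytes and self.state == "broadband":
            self.state = "narrowband"
            self.events.append(("redirect", self.subscriber_id, REDIRECT_OPTIONS))
        return consumed

    def choose(self, option, extra_bytes=0):
        """Apply the option the subscriber picks on the redirect page."""
        if option not in REDIRECT_OPTIONS:
            raise ValueError("unknown option %r" % option)
        if option == "extend-subscription":
            self.monthly_quota_bytes += extra_bytes
            self.state = "broadband"
        elif option == "pay-as-you-go":
            self.state = "payg"
        else:
            self.state = "narrowband"

    def rate_limit_kbps(self):
        """Rate limit the SCE should apply for this subscriber, or None for full speed."""
        return NARROWBAND_KBPS if self.state == "narrowband" else None

    def percent_used(self):
        return 100 * self.used_bytes // self.monthly_quota_bytes

# Constructed usage records: (service, bytes transferred, hour of day).
SAMPLE_RECORDS = [
    ("web", 2 * GB, 20),          # peak hour: counts in full
    ("sp-voip", 1 * GB, 21),      # SP's own VoIP service: exempt
    ("p2p", 10 * GB, 3),          # middle of the night: 10 bytes = 1 byte of quota
    ("video", 2 * GB, 19),        # reaches 100% of a 5 GB quota
    ("web", 1 * GB, 9),           # still counted while on narrowband
]

def run(records, quota_bytes=5 * GB, subscriber_id="joe"):
    q = SubscriberQuota(subscriber_id, quota_bytes)
    for service, nbytes, hour in records:
        q.account(service, nbytes, hour)
    return q
```

run(SAMPLE_RECORDS) ends with 6 GB counted against a 5 GB quota, the subscriber on narrowband at 56 kbps, and exactly one redirect event carrying the three options.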

T-Mobile – Quota-Based With Application Control
Columns: Default, WnW, WnW Pro, WnW Plus, WnW Max, Post Pay, Day Pass
Allowance: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
VoIP: ✓ ✗ ✗ ✗ ✗ ✓ ✗
IM: ✓ ✗ ✗ ✗ ✓ ✓ ✗
P2P: ✓ ✗ ✓ ✗ ✓ ✓ ✗
FTP: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Media Stream: ✓ ✗ ✓ ✗ ✓ ✓ ✗
Web Browsing: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Downloads: ✓ ✗ ✓ ✓ ✓ ✓ ✓
Emails: ✓ ✓ ✓ ✓ ✓ ✓ ✓
Handset as modem: ✓ ✗ ✓ ✗ ✓ ✓ ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
Diagram: screenshot of the offer page (> 40)

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness, control bus)
Diagram: broadband access carrying IPTV/VoD, gaming, messaging, music and voice

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service/Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management/Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Diagram: personalization via self-selection

Bandwidth-On-Demand/Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services/Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring

Personalized Reporting/Self Managed

Parental Controls/Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Diagram: "Content Blocked - click here to unlock all Internet sites" page between the subscriber and the Internet

URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
Diagram (on-device URL filtering with external database integration): when a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated
Subscriber package vs. HTTP list:
Package          HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none       ALLOW          ALLOW            ALLOW
Block-all        ALLOW          BLOCK            BLOCK
Block-and-slow   ALLOW          BLOCK            RATE 64kbps

Parental Control and Content Filtering/Example
Content filtering: "Page Blocked - forbidden content detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs participating in the advertising value chain
Diagram: ISP (demographics, browsing habits, geo-location) – BetterAds – advertiser, publisher, consumer
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect – additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)

P2P Identification: Infringing vs. Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing and non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
The SCE analyzes and redirects OTT traffic to the caching server
The cache delivers more bandwidth to end users using existing network resources
The cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files, while other OTT/P2P and VoIP traffic passes through; an increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify of the security risk
Diagram: subscriber – Service Control – Internet and email servers; sample notice: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
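The identify / protect / notify tiers above, as an added example that is not Cisco's implementation: simple per-subscriber anomaly counts over constructed flow summaries flag a spam zombie, a worm propagation attempt and a DoS source, and a configured policy turns the alerts into one action per subscriber. The thresholds, the threat-to-action policy and the flow records are assumptions.

```python
from collections import defaultdict

# Constructed flow summaries, as a stateful engine might report them:
# (timestamp_s, subscriber_id, dst_ip, dst_port, packets, handshake_completed)
def constructed_flows():
    flows = []
    # sub-a: spam zombie, mail to 25 distinct SMTP servers within one minute
    flows += [(10 + i, "sub-a", "203.0.113.%d" % (i + 1), 25, 8, True) for i in range(25)]
    # sub-b: worm propagation, 40 connection attempts on port 445, only 2 complete
    flows += [(20 + i % 30, "sub-b", "198.51.100.%d" % (i + 1), 445, 1, i < 2) for i in range(40)]
    # sub-c: DoS, 6000 packets to a single destination within 10 seconds
    flows += [(30, "sub-c", "192.0.2.7", 80, 3000, True), (33, "sub-c", "192.0.2.7", 80, 3000, True)]
    # sub-d: ordinary browsing plus one legitimate mail session
    flows += [(40, "sub-d", "192.0.2.10", 443, 120, True), (41, "sub-d", "203.0.113.1", 25, 15, True)]
    return flows

# ASSUMPTION: illustrative thresholds; a deployment tunes them from measured baselines.
THRESHOLDS = {
    "spam": {"port": 25, "distinct_dst": 20, "window_s": 60},
    "worm": {"port": 445, "distinct_dst": 30, "window_s": 60, "max_completed_ratio": 0.2},
    "dos": {"pkts_to_one_dst": 5000, "window_s": 10},
}
# ASSUMPTION: the configured action per threat type (the slide names the tiers, not a mapping).
POLICY = {"spam": "notify", "worm": "quarantine", "dos": "block"}
SEVERITY = {"notify": 1, "quarantine": 2, "block": 3}

def detect(flows, thresholds=THRESHOLDS):
    """Identify tier: anomaly counts per subscriber and fixed time window; returns alerts."""
    spam_dsts = defaultdict(set)                        # (sub, window) -> distinct SMTP servers
    worm_stats = defaultdict(lambda: [set(), 0, 0])     # (sub, window) -> [dsts, attempts, completed]
    dos_pkts = defaultdict(int)                         # (sub, dst, window) -> packets
    for ts, sub, dst, port, pkts, completed in flows:
        if port == thresholds["spam"]["port"]:
            spam_dsts[(sub, ts // thresholds["spam"]["window_s"])].add(dst)
        if port == thresholds["worm"]["port"]:
            w = worm_stats[(sub, ts // thresholds["worm"]["window_s"])]
            w[0].add(dst)
            w[1] += 1
            w[2] += int(completed)
        dos_pkts[(sub, dst, ts // thresholds["dos"]["window_s"])] += pkts
    alerts = []
    for (sub, _), dsts in spam_dsts.items():
        if len(dsts) >= thresholds["spam"]["distinct_dst"]:
            alerts.append((sub, "spam", "%d distinct SMTP servers in one window" % len(dsts)))
    for (sub, _), (dsts, attempts, completed) in worm_stats.items():
        if (len(dsts) >= thresholds["worm"]["distinct_dst"]
                and completed / attempts <= thresholds["worm"]["max_completed_ratio"]):
            alerts.append((sub, "worm", "%d hosts probed, %d handshakes completed" % (len(dsts), completed)))
    for (sub, dst, _), pkts in dos_pkts.items():
        if pkts >= thresholds["dos"]["pkts_to_one_dst"]:
            alerts.append((sub, "dos", "%d packets to %s in one window" % (pkts, dst)))
    return alerts

def respond(alerts, policy=POLICY):
    """Protect/Notify tiers: one action per subscriber, the most restrictive the policy configures."""
    actions = {}
    for sub, threat, _ in alerts:
        action = policy[threat]
        if SEVERITY[action] > SEVERITY.get(actions.get(sub), 0):
            actions[sub] = action
    return actions

def notice(subscriber_id, action):
    """Text for the quarantine/notification page, modelled on the slide's sample notice."""
    if action == "block":
        return None                 # traffic is dropped and operations alerted; no self-service page
    return ("Dear Valued Subscriber %s, we are advising you that your PC may have become infected "
            "and could potentially cause additional security issues for you. "
            "Click here for technical assistance." % subscriber_id)
```

With the constructed flows, detect() raises one alert each for sub-a (spam), sub-b (worm) and sub-c (DoS), sub-d's single mail session stays below threshold, and respond() maps them to notify, quarantine and block.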

Service Security Protection/Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth

Virus and Malware Protection/Remove Malware Destined to Users
Diagram: User 1 – SCE (carrier Ethernet/MPLS/IP) – Internet, with a VAS server attached to the SCE; inbound and outbound traffic, X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point - broadband edge/aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flow
Network redundancy
IP tunneling environment
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
(Diagram: Analysis Engine applying PDR = Police/Drop/Rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using Optical Splitters/Port-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
(Diagram: SCE between Subscribers and Network, fed by optical splitters in the receive-only case)
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each active link, cascaded)
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: fail open
(Diagram: active and standby links in each scheme)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state)
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240Gbps with eight 30Gbps SCE8000s
High Availability - Provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
(Diagram: N+1 SCEs attached to the 7600 towards the Internet; flows and return flows)
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: N+1, 1+1 HA and Bypass HA insertion options behind the GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber) towards the Internet, with Accounting/Policy Control)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
(Diagram: packet inspection through encapsulation stacks such as Payload/TCP/IP over L2TP or MPLS, and Payload/TCP/IP over PPP)
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
(Diagram: Service Control Engine between Subscribers and Network; Subscriber Manager with AAA, DHCP and Radius/Billing; Collection Manager with Reporting Tool/Engage Console; Policy Server/Portal and Service Portal)
Management and Integrations
Network Management - Description: FCAPS; Protocols and Tools: SNMP, CLI, SSH; External Software Modules: N/A
Policy/Service Configuration - Description: Definition of Policies and Dissemination to SE Devices; Protocols and Tools: SCA-API, GUI, Scripts, XML; External Software Modules: Service Control Application Suite GUI
Subscriber Management - Description: Dynamic Management of Subscriber Contexts; Protocols and Tools: SM API, RADIUS; External Software Modules: Subscriber Manager
Data Collection - Description: Collection of Usage Data for Reporting and Billing; Protocols and Tools: NetFlow v9, RDR-Protocol; External Software Modules: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: Link throughput, Flow statistics, Subscriber statistics, Device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, Link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI Configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language: Multi-packet, Bi-Directional Patterns, Binary Characters, String-Match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: Click on Top Subscriber to Activate Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "Subscriber-aware" solutions
Manages Subscriber-Contexts:
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
(Diagram: the B-RAS in the network sends RADIUS accounting to the Cisco Subscriber Manager, whose Event Manager, Internal SDB and SCE device Controller drive the SCE serving the subscribers)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: RADIUS Integration - Pull
(Diagram: same components as the push case; the SCE queries the SM when it first sees traffic from an unknown IP)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
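To make the push/pull difference concrete, here is an added Python model of the SM login flow from these two slides. It is constructed for this page, not Cisco's SM or SM-API code: the class names, the /24-prefix device-selection rule and the RADIUS message dictionaries are assumptions; only the attribute names (User-Name, Framed-IP-Address, SCE-VAS-PID) and the Joe/1.2.3.4/package 12 values come from the slides.

```python
"""Model of the Subscriber Manager (SM) push and pull flows from the slides.
Constructed example, not Cisco code: class names, the device-selection rule
and the RADIUS message dicts are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

VSA_PACKAGE = "SCE-VAS-PID"   # vendor-specific attribute carrying the package id


@dataclass
class SubscriberContext:
    subscriber_id: str   # Subscriber-ID
    network_id: str      # Network-ID (the IP mapped to this context)
    policy_id: int       # Policy-ID (package defining the rules)


class SceDevice:
    """One SCE. It only knows the mappings the SM has given it so far."""

    def __init__(self, name: str, sm: "SubscriberManager", prefixes: List[str]):
        self.name, self.sm, self.prefixes = name, sm, prefixes
        self.mappings: Dict[str, SubscriberContext] = {}
        self.pull_queries = 0   # how often this SCE had to ask the SM (pull mode)

    def serves(self, ip: str) -> bool:
        # Assumed device-selection rule: a device serves a set of /24 prefixes.
        return any(ip.startswith(p) for p in self.prefixes)

    def set_subscriber(self, ctx: SubscriberContext) -> None:
        """SM-API 'Set Subscriber (id, ip, package)' as on the slide."""
        self.mappings[ctx.network_id] = ctx

    def remove_subscriber(self, ip: str) -> None:
        self.mappings.pop(ip, None)

    def classify(self, src_ip: str) -> Optional[SubscriberContext]:
        """Called for traffic from src_ip. Unknown IP -> ask the SM (pull)."""
        if src_ip not in self.mappings:
            self.pull_queries += 1
            ctx = self.sm.who_is_using(src_ip)       # "Who is using IP x?"
            if ctx is None:
                return None                          # unknown: default policy applies
            self.set_subscriber(ctx)                 # SM answers via SM-API
        return self.mappings[src_ip]


class SubscriberManager:
    def __init__(self, push: bool) -> None:
        self.push = push
        self.sdb: Dict[str, SubscriberContext] = {}  # internal SDB keyed by IP
        self.devices: List[SceDevice] = []

    def add_device(self, name: str, prefixes: List[str]) -> SceDevice:
        dev = SceDevice(name, self, prefixes)
        self.devices.append(dev)
        return dev

    def device_for(self, ip: str) -> Optional[SceDevice]:
        return next((d for d in self.devices if d.serves(ip)), None)

    def who_is_using(self, ip: str) -> Optional[SubscriberContext]:
        return self.sdb.get(ip)

    def on_radius_accounting(self, msg: Dict[str, str]) -> Optional[SubscriberContext]:
        """RADIUS LEG translation: Acct-Start -> login, Acct-Stop -> logout."""
        ip, user = msg["Framed-IP-Address"], msg["User-Name"]
        dev = self.device_for(ip)
        status = msg["Acct-Status-Type"]
        if status == "Start":
            ctx = SubscriberContext(user, ip, int(msg[VSA_PACKAGE]))
            self.sdb[ip] = ctx          # rebinding an IP evicts its previous owner
            if self.push and dev is not None:
                dev.set_subscriber(ctx)  # push mode: login sent straight to the SCE
            return ctx
        if status == "Stop":
            current = self.sdb.get(ip)
            # A late Stop for a user who no longer owns the IP must not evict
            # the subscriber that has since reused that address.
            if current is not None and current.subscriber_id == user:
                del self.sdb[ip]
                if dev is not None:
                    dev.remove_subscriber(ip)
            return None
        raise ValueError("unsupported Acct-Status-Type %r" % status)


def acct_message(status: str, user: str, ip: str, package: int) -> Dict[str, str]:
    """Builds the (constructed) RADIUS accounting message the relay would deliver."""
    return {"Acct-Status-Type": status, "User-Name": user,
            "Framed-IP-Address": ip, VSA_PACKAGE: str(package)}


def run_scenario(push: bool) -> SceDevice:
    """Joe logs in with IP 1.2.3.4 / package 12, sends traffic, then a stale
    Stop for another user arrives for the same IP. Returns the SCE to inspect."""
    sm = SubscriberManager(push=push)
    sce = sm.add_device("sce-1", ["1.2.3."])
    sm.on_radius_accounting(acct_message("Start", "Joe", "1.2.3.4", 12))
    sce.classify("1.2.3.4")                          # traffic from Joe
    sm.on_radius_accounting(acct_message("Stop", "Ann", "1.2.3.4", 7))
    return sce
```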
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE connected by API to the Subscriber Manager, which connects by API to the Policy Server)
PCEF - Subscriber Policy Enforcement
(Diagram: Subscriber Service Control; GGSN in the Access Aggregation and Service Control layer, Converged Packet Core, Internet, Video/VoIP Applications and Services; PCEF = SCE)
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage Data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems: Policy-Control, Mediation, Home grown customer systems
(Diagram: the SCE streams RDRs over TCP to a Mediation/Collection Platform; each RDR carries a Header followed by Field 0, Field 1 ... Field n)
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
(Diagram: SCMS Collection Manager feeding the SCMS Reporter, and NetFlow Collector feeding a NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (aka Upstream/Downstream)
(Diagram: Browsing, P2P and VoIP flows marked upstream from the Subscriber Side and downstream from the Network Side)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
(Diagram: sample customers grouped by Mobile, DSL and Cable)
(Table: partner vendors and sample customers per solution area)
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching/Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management/Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Customers: Various European and Asian Operators; European Legislators; Content providers, Initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Service Control Engine Deployment Approaches
(Diagram: progression from Usage Analysis to Service Creation, supported by Portal, DHCP, AAA, Subscriber Profile and Policy)
1. Traffic Analysis & Business Intelligence: Implement traffic monitoring, analysis and reporting; Determine subscriber and application usage patterns
2. Capacity Control & Fair-Use Policies (FUPs): Manage bandwidth-intensive applications through packet flow optimization techniques; Implement Fair Usage Policies for fair allocation of network resources
3. Revenue Generating Services: Implement tiered services using volume and time-based quotas; Implement Service Self Selection; Implement Over-The-Top (OTT) Application Strategy and Blended Services; Implement Security Services (Anti-X, Quarantine, etc.); Innovate other Differentiated Services such as Parental Controls, Content Filtering, Turbo Buttons, Allowance Based Services, Prioritized App Services, Pay-as-you-go Services
What does a Service Provider Want From SCE? Profitability
URL Blacklisting: Restricting sites that are blacklisted by governments
Precision Advertising: Demographic Information & Per Sub Re-direction to Ad Server
Copyright Infringement Blocking: Blocking Distribution of Pirated Film/Music
OTT Revenue Share Proposition: Application Intercept for Internet Content Prioritisation
Enhanced Tiered Services: Product Tiers in addition to flat rate all you can eat
Usage/Content Based Billing: All HSDPA Mobile Operators
Fair Use Policy: Global Migration from Flat Rate to Usage Based
(Diagram labels: Flat Rate, Restricted)
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
(Diagram: Measure, Analyze, Compare, Decide, Act cycle around Cisco Service Control, with the items Transactions Information, Network Utilization, Service QoE, Data Aggregation, Data Mining, Correlation, Trend Analysis, Geographies Comparison, Histogram View, Service Offering, Marketing Review, Intersecting Set, Engineering Review, IT Review, Network Tuning, Cooperation; Strategic, Part of Business Ops, Customer, Sales, Category, Recognition)
Video Reports
Which specific Video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on specific Video Application
Web Reports
Insights into Web traffic: Top Domains, Top Hosts
Insights into all popular Google Hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
(Chart: all HTTP requests versus ClickStream only)
Cumulative & Average Usage Distribution
Top 1% => 15%+ of Traffic
Top 10% => 60%+ of Traffic
Top 20% => 80%+ of Traffic
Setting a 5G Daily Quota per Subscriber will impact the Top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll-your-own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; Updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); Flavors for popular Video services; Google Phone; Gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing the application flows based only on a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some of the use cases such as Traffic Optimization; in such cases there is no need to recognize the specific P2P application
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy Dimensions:
Application: Sessions or Bandwidth
Time Based: Peak/Off-Peak Hours
Congestion: Selective Prioritization
Subscriber: Per-Sub Limits
Destination: On-Net/Peering/Transit
Service Level
(Chart axis: Policy Implementation Impact)
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: as the user launches video / mobile TV, bandwidth is reallocated among the peer to peer service, web browsing and email)
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real-time with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
(Chart: two subscribers sharing network resources over time)
Two subscribers share network resources (and the network cannot fully satisfy both)
If at 0:40 the MSO divides bandwidth equally between them, would that be fair?
Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service-abuse
FairUsage works only during congestion times
(Chart: No Fairness - some of the subscribers not getting a fair share of the BW; Fair allocation of BW with the SCE's FairShare)
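As an added illustration of the allocation behaviour these two slides describe (not Cisco's FairShare implementation), the following Python function splits a congested link by weighted max-min fairness and leaves demands untouched when there is no congestion; the `fair_weights` rule that discounts subscribers who were heavy in the recent usage window is an assumption.

```python
"""Weighted max-min fair share during congestion. Added, constructed example
of the behaviour the FairUsage slides describe, not Cisco's FairShare code.
The recent-usage weighting rule in fair_weights() is an assumption."""
from typing import Dict


def fair_weights(recent_usage: Dict[str, float]) -> Dict[str, float]:
    """Assumed rule: a subscriber whose recent-window usage is k times the
    community mean gets weight 1/k (floored at 0.1); everyone else weight 1."""
    if not recent_usage:
        return {}
    mean = sum(recent_usage.values()) / len(recent_usage)
    weights = {}
    for sub, used in recent_usage.items():
        ratio = used / mean if mean > 0 else 0.0
        weights[sub] = max(0.1, 1.0 / ratio) if ratio > 1.0 else 1.0
    return weights


def allocate(capacity: float, demand: Dict[str, float],
             weight: Dict[str, float]) -> Dict[str, float]:
    """Split `capacity` among subscribers by weighted max-min fairness.
    FairUsage acts only during congestion: if the demands fit, they are
    returned unchanged. Units are arbitrary (e.g. Mbps on one link)."""
    if any(d < 0 for d in demand.values()):
        raise ValueError("negative demand")
    if sum(demand.values()) <= capacity:
        return dict(demand)
    alloc = {s: 0.0 for s in demand}
    pending = set(demand)          # subscribers whose demand is not met yet
    remaining = float(capacity)
    # Progressive filling: each round splits the remaining capacity by weight
    # among pending subscribers; anyone whose share covers their demand is
    # frozen at that demand and the surplus flows into the next round.
    while pending and remaining > 1e-9:
        total_w = sum(weight[s] for s in pending)
        share = {s: remaining * weight[s] / total_w for s in pending}
        met = {s for s in pending if share[s] >= demand[s] - alloc[s]}
        if not met:
            for s in pending:
                alloc[s] += share[s]
            break
        for s in met:
            remaining -= demand[s] - alloc[s]
            alloc[s] = demand[s]
        pending -= met
    return {s: round(v, 6) for s, v in alloc.items()}


def slide_scenario() -> Dict[str, float]:
    """The two-subscriber picture from the slide: Sub A wants a little, Sub B
    wants more than the link can give. Constructed numbers (link of 10 units,
    recent-window usage A=10, B=90)."""
    weights = fair_weights({"A": 10.0, "B": 90.0})
    return allocate(10.0, {"A": 2.0, "B": 20.0}, weights)
```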
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the boom of Mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging (e.g. email only)
Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN, SGSN/GGSN and SCE with a Policy Server on the path to the Internet/GPRS)
Tiered Services
Requirement: Flexible Billing Plans
Subscription (Time, Volume): Bill by bandwidth usage over always-on service
Subscription (Time, Volume, Transaction, Content Type): Bill differently for each type of application and content
Subscription (Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service): Bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a Web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy to use reporting tools
(Diagram: Service Control Engine between Subscribers and Network, with Quota Manager, Billing/Mediation and Policy Server)
Quota Measurement Flexibility
Content that has other than Access Revenues can be exempted from Quota counting:
SP's Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during time of day:
Peak Hour: 1 byte of transfer = 1 byte of quota
Middle of Night: 10 bytes of transfer = 1 byte of quota
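An added Python sketch (constructed for this page, not Cisco code) of a quota bucket that exempts the listed services and applies the time-of-day measurement rate; the 08:00-23:59 peak window, the service names and the redirect action on exhaustion are assumptions.

```python
"""Quota bucket with service exemptions and a time-of-day measurement rate.
Added, constructed example (not Cisco code): service names, the peak/night
schedule and the exhaustion action are assumptions based on the slide."""
from dataclasses import dataclass
from typing import Iterable, Tuple

# Traffic that carries revenue other than access fees is not counted (slide).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_rate(hour: int) -> int:
    """Bytes of transfer per byte of quota. Assumed schedule: 1:1 during the
    peak/day window (08:00-23:59), 10:1 in the middle of the night (00:00-07:59)."""
    if not 0 <= hour < 24:
        raise ValueError("hour out of range")
    return 10 if hour < 8 else 1


@dataclass
class QuotaBucket:
    limit: int          # quota size in bytes (e.g. a 5 GB daily allowance)
    used: int = 0       # quota consumed so far, in quota bytes
    carry: int = 0      # transfer bytes not yet worth a whole quota byte at 10:1

    def charge(self, service: str, nbytes: int, hour: int) -> int:
        """Account one transfer; returns the quota bytes actually charged."""
        if nbytes < 0:
            raise ValueError("negative transfer size")
        if service in EXEMPT_SERVICES:
            return 0
        rate = quota_rate(hour)
        if rate == 1:
            units = nbytes
        else:
            # Keep the remainder so that many small night transfers are not
            # rounded down to zero and effectively free.
            units, self.carry = divmod(nbytes + self.carry, rate)
        self.used += units
        return units

    def exhausted(self) -> bool:
        return self.used >= self.limit


def enforce(bucket: QuotaBucket) -> str:
    """Enforcement decision after measurement: 'pass' while quota remains,
    'redirect' to the portal once 100% of the quota is reached (assumed action)."""
    return "redirect" if bucket.exhausted() else "pass"


# Constructed daily transfer log: (hour, service, bytes transferred).
SAMPLE_DAY: Tuple[Tuple[int, str, int], ...] = (
    (20, "web",      3_000_000_000),   # peak: counts 1:1 -> 3 GB
    (2,  "p2p",     10_000_000_000),   # night: counts 10:1 -> 1 GB
    (21, "sp-voip",    500_000_000),   # SP's own VoIP: exempt
    (22, "video",    1_500_000_000),   # pushes the bucket past 5 GB
)


def run_day(limit: int, transfers: Iterable[Tuple[int, str, int]]) -> Tuple[int, str]:
    """Replays a transfer log; returns (quota used, final enforcement action)."""
    bucket = QuotaBucket(limit)
    for hour, service, nbytes in transfers:
        bucket.charge(service, nbytes, hour)
    return bucket.used, enforce(bucket)
```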
Application-Based Charging
Granular Charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
(Diagram: Subscriber Service Control with the SCE at Access Aggregation and Service Control, GGSN, Converged Packet Core, Internet, Video/VoIP Applications and Services)
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types: Volume, Time, Event driven
High availability and load-balancing between Online Charging Servers
(Diagram: SCE speaking Gy over Diameter to the Online Charging Server, on the path to the Internet)
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
Source: www.billingworld.com feature article, featureID=7799
Quota complements Speed as a Tiering parameter
When a User reaches Quota his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15% of the Customers upgrade their Quota every month
(Screenshot of the subscriber portal: View previous months; Current product and speed; Extend monthly subscription volume; Upgrade to other product; Button to go from pay as you go broadband to free smallband or the other way around)
Redirect Page
Re-direct page in case 100% of quota is reached. Three options presented to subscriber: Extend subscription - buy more; Pay as you go on broadband; Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% REDUCTION in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Service | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | (not shown)
VoIP | √ | × | × | × | × | √ | ×
IM | √ | × | × | × | √ | √ | ×
P2P | √ | × | √ | × | √ | √ | ×
FTP | √ | × | √ | × | √ | √ | ×
Media Stream | √ | × | √ | × | √ | √ | ×
Web Browsing | √ | √ | √ | √ | √ | √ | √
Downloads | √ | × | √ | √ | √ | √ | √
Emails | √ | √ | √ | √ | √ | √ | √
Handset as modem | √ | × | √ | × | √ | √ | ×
(√ = allowed, × = blocked)
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; Non IP capable phones can use Skype
European Mobile Volume Quota
Source: http://www.vodafone.es/particulares/internet
(Chart label: > 40)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven ("Turbo Button", Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (Application Awareness)
(Diagram: Broadband Access with IPTV/VoD, Gaming, Messaging, Music and Voice applications connected over a Control Bus)
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services: Choose volume or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
Self-Subscription Service: Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: Subscribers who may have a standard lower-speed Internet service may visit a Web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: Adults can access a Web portal and set Internet controls for children, including blocking access to certain types of Websites and imposing time limits on online access
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
(Portal mock-up: "Content Blocked" / "Click here to unlock all Internet sites")
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
(Diagram: On-Device URL Filtering with External Database Integration. On a cache miss ("URL Not in Cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the on-board cache is then updated via a Cache-Lookup Update.)
Action by subscriber package and HTTP list:
Subscriber Package   HTTP DEFAULT   HTTP - List ID 1   HTTP - List ID 2
Block-none           ALLOW          ALLOW              ALLOW
Block-all            ALLOW          BLOCK              BLOCK
Block-and-slow       ALLOW          BLOCK              RATE 64kbps
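The cache-in-front-of-external-database pattern and the package/list action table above, worked through as an added example. This is illustration code written for this page, not SCE or Websense/Adaptive Mobile code: the external database contents, the URL strings and the cache implementation are constructed, and only the package names and actions come from the slide.

```python
"""Added example: URL filtering decision with an on-device cache in front of an
external classification database, modelled on the package/list action table
in the slide. The cache, the lookup function and the sample database are all
constructed for illustration; they are not SCE code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the 3rd-party URL database (Websense / Adaptive
# Mobile in the slide). Maps a URL to the HTTP list it belongs to, or None.
EXTERNAL_DB: Dict[str, Optional[int]] = {
    "news.example.test/": None,        # not on any list -> DEFAULT column
    "adult.example.test/": 1,          # HTTP list ID 1
    "games.example.test/": 2,          # HTTP list ID 2
}

# Package -> (DEFAULT action, list-1 action, list-2 action), from the slide.
PACKAGE_ACTIONS: Dict[str, Tuple[str, str, str]] = {
    "Block-none":     ("ALLOW", "ALLOW", "ALLOW"),
    "Block-all":      ("ALLOW", "BLOCK", "BLOCK"),
    "Block-and-slow": ("ALLOW", "BLOCK", "RATE 64kbps"),
}


@dataclass
class UrlClassifier:
    """Caches classifications so that repeated URLs cost no external query."""
    query_external: Callable[[str], Optional[int]]
    cache: Dict[str, Optional[int]] = field(default_factory=dict)
    external_queries: int = 0

    def classify(self, url: str) -> Optional[int]:
        # Cache hit: no URL Query RDR is needed.
        if url in self.cache:
            return self.cache[url]
        # Cache miss: ask the external DB (URL Query RDR) and update the cache.
        self.external_queries += 1
        list_id = self.query_external(url)
        self.cache[url] = list_id
        return list_id


def decide(package: str, list_id: Optional[int]) -> str:
    """Look up the action for a package and the list the URL was classified into."""
    default_action, list1_action, list2_action = PACKAGE_ACTIONS[package]
    if list_id == 1:
        return list1_action
    if list_id == 2:
        return list2_action
    return default_action


def filter_request(classifier: UrlClassifier, package: str, url: str) -> str:
    return decide(package, classifier.classify(url))


def demo() -> Tuple[Dict[str, str], int]:
    """Run a few constructed requests; report the actions and the DB query count."""
    clf = UrlClassifier(query_external=lambda u: EXTERNAL_DB.get(u))
    results = {
        "kids-adult": filter_request(clf, "Block-all", "adult.example.test/"),
        "kids-games": filter_request(clf, "Block-and-slow", "games.example.test/"),
        "kids-news": filter_request(clf, "Block-all", "news.example.test/"),
        "adult-adult": filter_request(clf, "Block-none", "adult.example.test/"),  # cache hit
    }
    return results, clf.external_queries


if __name__ == "__main__":
    print(demo())
```

The fourth request reuses a URL already classified for another subscriber, so it is served from the cache and the external database sees only three queries; the classification is per URL, while the action is per package, which is what lets one cache entry serve every package.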
Parental Control and Content Filtering: Example
(Screenshot: "Content Filtering - Page Blocked / Forbidden - Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
(Diagram: Advertiser - Publisher - Consumer, with the ISP contributing demographics, browsing habits and geo-location to "BetterAds")
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDRs
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
(Diagram: Behavioral Targeting through Traffic Mirroring)
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles
   Alice: automotive, stock trading, PDAs
   Bob: cookware, online gaming, baby outfits...
P2P Identification: Infringing / Non-Infringing
(Diagram: Subscriber Network - SCE - Hash DB)
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
(Diagram: SCE between subscribers and the Internet with an OTT Video Cache; the SCE redirects OTT traffic and the cache delivers the requested files, while other traffic such as P2P and VoIP passes through)
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: Service Control between subscribers, the Internet and e-mail servers; sample subscriber notification:)
Dear Valued Subscriber,
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com
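The Identify / Protect / Notify tiers above, applied to spam-zombie detection as an added example (not SCE code, and not its actual detection logic). The flow summary format, the threshold of distinct SMTP destinations per minute, the mitigation policy and the support URL are assumptions made for the illustration; the sample flow records are constructed.

```python
"""Added example: the Identify / Protect / Notify tiers from the slide applied
to constructed per-subscriber flow summaries. The flow format, thresholds,
actions and support URL are assumptions for illustration, not SCE
configuration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    subscriber: str      # subscriber ID (from the subscriber context)
    dst_port: int        # destination port of the outbound TCP connections
    dst_hosts: int       # distinct destination hosts seen in the window
    window_s: int        # observation window in seconds


# Constructed flow summaries (one per subscriber, port and window). A home
# user rarely opens outbound SMTP (TCP/25) sessions to many distinct hosts;
# a spam zombie does.
SAMPLE_FLOWS: List[Flow] = [
    Flow("sub-1001", 25, 2, 60),     # normal: two mail servers
    Flow("sub-1001", 80, 40, 60),    # web browsing, irrelevant to the SMTP rule
    Flow("sub-2002", 25, 180, 60),   # anomaly: 180 SMTP destinations per minute
    Flow("sub-3003", 25, 60, 60),    # just above the threshold
]

# Assumed anomaly threshold: distinct SMTP destinations per minute.
SMTP_DEST_PER_MIN_THRESHOLD = 50


def identify(flows: List[Flow]) -> Dict[str, float]:
    """Tier 1: aggregate SMTP fan-out per subscriber; return those above threshold."""
    rate_by_sub: Dict[str, float] = defaultdict(float)
    for f in flows:
        if f.dst_port == 25:
            rate_by_sub[f.subscriber] += f.dst_hosts * 60.0 / f.window_s
    return {s: r for s, r in rate_by_sub.items() if r > SMTP_DEST_PER_MIN_THRESHOLD}


def protect(flagged: Dict[str, float]) -> Dict[str, str]:
    """Tier 2: pick the mitigation per an assumed policy: block outbound SMTP
    above 3x the threshold, otherwise rate-limit it."""
    actions: Dict[str, str] = {}
    for sub, rate in flagged.items():
        actions[sub] = ("block-smtp" if rate > 3 * SMTP_DEST_PER_MIN_THRESHOLD
                        else "rate-limit-smtp")
    return actions


def notify(sub: str, action: str) -> str:
    """Tier 3: text of the quarantine page shown to the subscriber (placeholder URL)."""
    return (f"Dear Valued Subscriber ({sub}), your PC may be generating spam mail; "
            f"outbound mail is now {action}. See https://support.example.test/ for help.")


def run(flows: List[Flow]) -> Dict[str, str]:
    """Full pipeline: returns the notification text per mitigated subscriber."""
    flagged = identify(flows)
    return {sub: notify(sub, act) for sub, act in protect(flagged).items()}


if __name__ == "__main__":
    for line in run(SAMPLE_FLOWS).values():
        print(line)
```

Keying the rule on distinct destinations rather than on bytes is what separates a zombie from a subscriber who legitimately sends large mail through one or two relays; the second flow record for sub-1001 shows that ports other than 25 never feed the rule.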
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity for Security Add-on Services
Saving on Network Bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS Server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows; they match the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS/CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: Analysis Engine with PDR - Police / Drop / Rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
(Diagram: optical splitters between the subscriber side and the network side)
High Availability Cascading Configurations
Addressing split flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each active link)
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby: SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
(Diagram: active and standby links)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules on ports 0/0, 1/0, 2/0 and 3/0; default bypass state (no power) vs. non-default bypass state)
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
(Diagram: N+1 SCEs attached to a 7600 towards the Internet; flows out, return flows back)
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: SCEs deployed with 1+1 HA and bypass HA behind a GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber), integrated with accounting / policy control, towards the Internet)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet Inspection
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
(Diagram: inspected packet stacks such as l2tp / mpls / IP / TCP / Payload and ppp / IP / TCP / Payload)
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
(Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager integrating AAA, DHCP, Radius/Billing and Policy Server/Portal; Collection Manager feeding the Reporting Tool, Engage Console and Service Portal)
Management and Integrations
Area                          | Description                                             | Protocols and Tools       | External Software Modules
Network Management            | FCAPS                                                   | SNMP, CLI, SSH            | NA
Policy/Service Configuration  | Definition of policies and dissemination to SE devices  | SCA-API, GUI, Scripts     | Service Control Application Suite GUI
Subscriber Management         | Dynamic management of subscriber contexts               | XML, SM API, RADIUS       | Subscriber Manager
Data Collection               | Collection of usage data for reporting and billing      | NetFlow v9, RDR-Protocol  | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: click on a Top Subscriber to activate a subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: Radius Integration - Push
(Diagram: B-RAS - Network - Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller) - SCE - Subscribers; RADIUS accounting relayed from the B-RAS)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), pushed to the SCE
Subscriber Manager: Radius Integration - Pull
(Diagram: same components as in the push case)
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEG translates these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
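The push and pull flows and the LEG translation on the three slides above, modelled end to end as an added example. This is a toy written for this page, not the Cisco Subscriber Manager, its LEGs or the SM-API; the attribute dictionary format, the Acct-Status-Type handling and the policy number are constructed, and the VSA name SCE-VAS-PID and the values Joe / 1.2.3.4 / 12 are taken from the slides.

```python
"""Added example: a toy Subscriber Manager that turns RADIUS accounting
events into subscriber contexts (push) and answers an SCE's "who is using
IP x?" query (pull), following the slides above. The record format, the
VSA name SCE-VAS-PID (taken from the slide) and the policy numbers are
constructed; this is not the Cisco SM or SM-API."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SubscriberContext:
    subscriber_id: str   # from User-Name
    network_id: str      # from Framed-IP-Address
    policy_id: int       # package, from the SCE-VAS-PID VSA relayed by the B-RAS


class SubscriberManager:
    def __init__(self) -> None:
        self._by_ip: Dict[str, SubscriberContext] = {}
        self._by_id: Dict[str, SubscriberContext] = {}
        # Login/logout messages pushed to the SCE (push mode).
        self.pushed: List[Tuple[str, SubscriberContext]] = []

    def on_accounting(self, attrs: Dict[str, str]) -> Optional[SubscriberContext]:
        """LEG translation: Acct-Start -> login, Acct-Stop -> logout."""
        status = attrs["Acct-Status-Type"]
        name, ip = attrs["User-Name"], attrs["Framed-IP-Address"]
        if status == "Start":
            ctx = SubscriberContext(name, ip, int(attrs.get("SCE-VAS-PID", "1")))
            # If the address was reused, the stale mapping must go first, or
            # the previous subscriber's policy would be applied to Joe's traffic.
            stale = self._by_ip.pop(ip, None)
            if stale:
                self._by_id.pop(stale.subscriber_id, None)
            self._by_ip[ip] = ctx
            self._by_id[name] = ctx
            self.pushed.append(("login", ctx))
            return ctx
        if status == "Stop":
            ctx = self._by_id.pop(name, None)
            if ctx:
                self._by_ip.pop(ctx.network_id, None)
                self.pushed.append(("logout", ctx))
            return ctx
        return None

    def who_is_using(self, ip: str) -> Optional[SubscriberContext]:
        """Pull mode: the SCE saw traffic from an unmapped IP and asks the SM."""
        return self._by_ip.get(ip)


# Constructed RADIUS accounting records, as the B-RAS would relay them.
ACCT_START = {"Acct-Status-Type": "Start", "User-Name": "Joe",
              "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"}
ACCT_STOP = {"Acct-Status-Type": "Stop", "User-Name": "Joe",
             "Framed-IP-Address": "1.2.3.4"}


if __name__ == "__main__":
    sm = SubscriberManager()
    sm.on_accounting(ACCT_START)
    print(sm.who_is_using("1.2.3.4"))
```

The logout path matters as much as the login path: an address handed to a new subscriber while the old mapping lingers would carry the old policy and quota, which is why the LEG's Logout carries the mappings to remove.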
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: Policy Server - API - Subscriber Manager - API - SCE)
PCEF - Subscriber Policy Enforcement
(Diagram: Subscriber Service Control - GGSN - Access Aggregation and Service Control (SCE as PCEF) - Converged Packet Core - Internet; Video/VoIP applications and services; numbered steps)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd-party systems:
Policy control, mediation, home-grown customer systems
(Diagram: SCE - RDR Protocol over TCP - Mediation/Collection Platform; an RDR stream is a sequence of RDRs, each consisting of a Header followed by Field 0, Field 1, ... Field n)
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCE exporting to the SCMS Collection Manager / SCMS Reporter and to a NetFlow Collector / NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (i.e. Upstream / Downstream)
(Diagram: subscriber side / network side, with upstream and downstream flows for Browsing, P2P and VoIP)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
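The two ToS slides above (DSCP classification taking precedence over signatures; re-marking per package, service and direction) worked through on raw IPv4 headers, as an added example written for this page. It is not SCE code: the DSCP-to-service "Flavor" table, the payload signatures, the marking table and the packets are all constructed, and the toy header builder leaves the IP checksum at zero.

```python
"""Added example: ToS/DSCP handling as the two slides describe: DSCP-based
classification takes precedence over signature matching, and once classified
the traffic is re-marked per package, service and direction. Packet
construction, the signature table and the marking table are constructed for
illustration; they are not SCE configuration."""
import struct
from typing import Dict, Optional, Tuple


def build_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left 0) plus payload. DSCP is
    the top 6 bits of the ToS byte; ECN is the bottom 2."""
    tos = (dscp & 0x3F) << 2
    total_len = 20 + len(payload)

    def ip2int(a: str) -> int:
        return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

    hdr = struct.pack("!BBHHHBBHII", 0x45, tos, total_len, 0, 0, 64, proto, 0,
                      ip2int(src), ip2int(dst))
    return hdr + payload


def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2


# Constructed "Flavor"-style mapping: DSCP value -> service name.
DSCP_FLAVORS: Dict[int, str] = {46: "VoIP", 34: "Video"}
# Constructed payload signatures, the fallback when DSCP says nothing.
SIGNATURES: Dict[bytes, str] = {b"GET ": "Browsing", b"\x13BitTorrent": "P2P"}


def classify(pkt: bytes) -> str:
    """DSCP classification first; signature matching only if DSCP is unmapped."""
    svc = DSCP_FLAVORS.get(dscp_of(pkt))
    if svc:
        return svc
    payload = pkt[20:]
    for sig, name in SIGNATURES.items():
        if payload.startswith(sig):
            return name
    return "Default"


# Constructed marking table: (package, service, direction) -> DSCP to write.
MARKING: Dict[Tuple[str, str, str], int] = {
    ("Gold", "VoIP", "upstream"): 46,
    ("Gold", "VoIP", "downstream"): 46,
    ("Gold", "Browsing", "downstream"): 18,
    ("Silver", "P2P", "upstream"): 8,
}


def mark(pkt: bytes, package: str, direction: str) -> Tuple[bytes, str, Optional[int]]:
    """Return the (possibly re-marked) packet, its service and the DSCP applied."""
    svc = classify(pkt)
    new_dscp = MARKING.get((package, svc, direction))
    if new_dscp is None:
        return pkt, svc, None
    tos = (new_dscp << 2) | (pkt[1] & 0x03)    # keep the ECN bits untouched
    return pkt[:1] + bytes([tos]) + pkt[2:], svc, new_dscp


if __name__ == "__main__":
    p = build_ipv4("10.0.0.1", "198.51.100.5", 6, 0, b"GET / HTTP/1.1\r\n")
    print(mark(p, "Gold", "downstream")[1:])
```

The second test packet below carries a BitTorrent handshake but arrives with DSCP 46: because the slide makes DSCP take precedence, it is classified as VoIP, which is exactly why the upstream marking element must be trusted before ToS classification is enabled.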
Summary
Cisco SCE Sample Customers
(Logo slide: Mobile, DSL and Cable operators)
Cisco SCE Sample Customers and Partners (1)
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Customers named on the slide: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Cisco SCE Sample Customers and Partners (2)
Flash Caching / Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Customers named on the slide: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
What does a Service Provider Want From SCE? Profitability
URL Blacklisting: Restricting sites that are blacklisted by governments
Precision Advertising: Demographic information & per-subscriber redirection to an ad server
Copyright Infringement Blocking: Blocking distribution of pirated film/music
OTT Revenue Share Proposition: Application intercept for Internet content prioritisation
Enhanced Tiered Services: Product tiers in addition to flat-rate "all you can eat"
Usage/Content Based Billing and Fair Use Policy (flat rate vs. restricted): All HSDPA mobile operators; global migration from flat rate to usage based
Traffic Analysis and Business Intelligence
Business Intelligence Cycle
(Diagram: a cycle of Measure - Analyze - Compare - Decide - Act, with Cisco Service Control feeding both the Measure and the Act stages. Labels, in the order they appear on the slide: Transactions Information, Network Utilization, Service QoE; Data Aggregation, Data Mining, Correlation, Trend Analysis; Geographies Comparison, Histogram View, Service Offering; Marketing Review, Intersecting Set, Engineering Review, IT Review; Network Tuning, Cooperation; Strategic, Part of Business Ops, Customer / Sales / Category Recognition.)
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: Top Domains, Top Hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
(Chart: all HTTP requests vs. ClickStream only)
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs. Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: The behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time To Market - Zero-Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level) and their policy implementation impact:
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-sub limits
Destination: on-net / peering / transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: a subscriber's bandwidth shared between a peer-to-peer service, web browsing and e-mail; when the user launches video / mobile TV, the peer-to-peer service is squeezed so that web browsing and video keep their share)
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
(Chart: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
(Chart: "No Fairness" - some of the subscribers not getting a fair share of the BW, vs. fair allocation of BW with the SCE's FairShare)
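The two Fair Usage slides describe the goal (equitable distribution during congestion, taking short-term usage into account) but not the algorithm. As an added example written for this page, and not the SCE's FairShare implementation, the block below uses weighted max-min fairness ("water-filling") and lowers a subscriber's weight when its recent usage exceeds a short-term allowance, so that a heavy user like Sub B yields before a light user like Sub A. The demand figures, the allowance and the usage-to-weight rule are constructed.

```python
"""Added example: a weighted max-min fair share ("water-filling") allocation
in the spirit of the FairUsage slides, where a subscriber's recent usage
lowers its weight so heavy short-term users yield first. Demands, weights
and the usage-to-weight rule are constructed for illustration; this is not
the SCE's FairShare algorithm."""
from typing import Dict


def usage_weight(recent_mb: float, plan_mb: float) -> float:
    """Weight 1.0 while under the short-term allowance, decaying to 0.25 above it."""
    if recent_mb <= plan_mb:
        return 1.0
    return max(0.25, plan_mb / recent_mb)


def fair_share(demand_kbps: Dict[str, float], weights: Dict[str, float],
               capacity_kbps: float) -> Dict[str, float]:
    """Weighted max-min fairness: nobody gets more than they demand; whatever
    a saturated subscriber leaves over is redistributed by weight until the
    link is full."""
    alloc = {s: 0.0 for s in demand_kbps}
    remaining = capacity_kbps
    active = set(demand_kbps)
    while active and remaining > 1e-9:
        total_w = sum(weights[s] for s in active)
        # Smallest fill level at which some active subscriber is fully served.
        level = min((demand_kbps[s] - alloc[s]) / weights[s] for s in active)
        level = min(level, remaining / total_w)
        for s in list(active):
            share = level * weights[s]
            alloc[s] += share
            remaining -= share
            if alloc[s] >= demand_kbps[s] - 1e-9:
                active.discard(s)
    return alloc


def allocate(demand_kbps: Dict[str, float], recent_mb: Dict[str, float],
             plan_mb: float, capacity_kbps: float, congested: bool) -> Dict[str, float]:
    """FairUsage acts only during congestion; otherwise demand is served as-is."""
    if not congested:
        return dict(demand_kbps)
    weights = {s: usage_weight(recent_mb[s], plan_mb) for s in demand_kbps}
    return fair_share(demand_kbps, weights, capacity_kbps)


if __name__ == "__main__":
    # Constructed scenario: a 5 Mbps link, Sub A wants 3 Mbps and is within
    # its allowance, Sub B wants 8 Mbps and has used four times the allowance.
    print(allocate({"A": 3000.0, "B": 8000.0}, {"A": 100.0, "B": 2000.0},
                   plan_mb=500.0, capacity_kbps=5000.0, congested=True))
```

With equal weights the same link splits 2500/2500 and Sub A, who only asked for 3000, is still short; with the usage-derived weights A is served in full (3000) and B gets the remaining 2000, which is the "fair allocation" picture the slide contrasts with "No Fairness".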
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN - SGSN/GGSN - SCE - Internet, with a Policy Server attached to the SCE; GPRS)
Tiered Services
Requirement: Flexible Billing Plans
Subscription: bill by time
Always-on service: bill by bandwidth usage (volume, time)
Per application and content: bill differently for each type of application and content (volume, time, transaction, content type)
Per quality and usage pattern: bill differently for the same content based on quality, priority, time of day and usage pattern (volume, transaction, content type, usage pattern, quality of service)
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement / Enforcement Solution
SCE Capabilities
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on the existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: Subscribers - Service Control Engine - Network; Quota Manager, Billing/Mediation, Policy Server)
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change during the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging

Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the Online Charging Server

(Diagram: subscriber - GGSN (access aggregation and service control) - SCE (subscriber service control) - converged packet core - Internet and video/VoIP applications and services; steps 1-3 mark the charging flow.)

Note: the Gy interface is still under development and will be available in a future release.
Gy Interface For Online Charging

Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load-balancing between Online Charging Servers

(Diagram: SCE - Gy over Diameter - Online Charging Server; SCE - Internet.)

Note: the Gy interface is still under development and will be available in a future release.
Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799

Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month
15% of customers upgrade their quota every month
(Screenshot: Telenet subscriber portal. Functions shown: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; a button to switch from pay-as-you-go broadband to free smallband, or the other way around.)

Redirect page: shown when 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband.
Quota Based Services - Results

15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
40% reduction in service support calls relating to this service: increased customer satisfaction
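The quota mechanics described on the last few slides (exempting on-net services from the count, weighting bytes by time of day, and the Telenet-style redirect-then-slow-down at 100% of the allowance) fit in one small accounting model. The following is an added example written for this page, not Cisco SCE or Telenet code; the service labels, the night window (01:00-05:59), the 1 MB allowance and the action names are assumptions.

```python
"""Quota accounting as sketched on the slides: exempt on-net services from
the allowance, weight transferred bytes by time of day, and decide what to
do when 100% of the monthly allowance is reached. Added illustration; the
service names, night window and actions are assumptions, not SCE code."""
from dataclasses import dataclass
from datetime import datetime

# Assumed service labels for content the SP exempts from quota counting.
QUOTA_EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def transfer_bytes_per_quota_byte(at: datetime) -> int:
    """Peak hour: 1 transferred byte = 1 byte of quota. Middle of the night
    (assumed 01:00-05:59): 10 transferred bytes = 1 byte of quota."""
    return 10 if 1 <= at.hour < 6 else 1


@dataclass
class SubscriberQuota:
    subscriber_id: str
    allowance_bytes: int          # monthly allowance of the package
    used_bytes: float = 0.0
    extra_bytes: int = 0          # volume bought through the redirect portal

    def account(self, service: str, transferred_bytes: int, at: datetime) -> float:
        """Charge one transfer against the quota; returns quota bytes consumed.
        Exemption is keyed on the classified service, so an "exempt" verdict is
        worth real money: classification must not be steerable by the subscriber."""
        if service in QUOTA_EXEMPT_SERVICES:
            return 0.0
        charged = transferred_bytes / transfer_bytes_per_quota_byte(at)
        self.used_bytes += charged
        return charged

    def remaining(self) -> float:
        return self.allowance_bytes + self.extra_bytes - self.used_bytes

    def enforcement(self) -> str:
        """Action for the subscriber's next flow. At 100% of quota the policy
        redirects to the portal and then keeps the subscriber at a reduced
        ("dial-up") rate until more volume is bought or the month ends."""
        return "ALLOW" if self.remaining() > 0 else "REDIRECT_PORTAL_THEN_RATE_LIMIT"

    def extend(self, extra_bytes: int) -> None:
        """Subscriber chose 'extend subscription' on the redirect page."""
        self.extra_bytes += extra_bytes


def walk_through() -> dict:
    """Constructed month for one subscriber with a 1 MB allowance."""
    q = SubscriberQuota("joe", allowance_bytes=1_000_000)
    peak, night = datetime(2009, 7, 1, 20, 0), datetime(2009, 7, 2, 3, 0)
    voip = q.account("sp-voip", 500_000, peak)      # exempt: 0 quota bytes
    web = q.account("web", 600_000, peak)           # 600 000 quota bytes
    p2p = q.account("p2p", 4_000_000, night)        # 4 MB at night = 400 000
    at_limit = q.enforcement()                      # allowance now exhausted
    q.extend(500_000)                               # bought more on the portal
    return {"voip": voip, "web": web, "p2p": p2p, "used": q.used_bytes,
            "at_limit": at_limit, "after_extend": q.enforcement(),
            "remaining": q.remaining()}
```

The walk-through shows the two places where the model interacts with security: the exemption set turns a classification mistake (or a deliberate attempt to make traffic look like the SP's own VoIP) into unmetered volume, and the night-time discount makes the clock a policy input, so the SCE's time source needs the same protection as its policy configuration.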
T-Mobile - Quota-Based With Application Control

Package:           Default    WnW    WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
Allowance:         Unlimited  2GB    2GB      1GB       3GB      10GB      (not shown)
VoIP:              yes        no     no       no        no       yes       no
IM:                yes        no     no       no        yes      yes       no
P2P:               yes        no     yes      no        yes      yes       no
FTP:               yes        no     yes      no        yes      yes       no
Media Stream:      yes        no     yes      no        yes      yes       no
Web Browsing:      yes        yes    yes      yes       yes      yes       yes
Downloads:         yes        no     yes      yes       yes      yes       yes
Emails:            yes        yes    yes      yes       yes      yes       yes
Handset as modem:  yes        no     yes      no        yes      yes       no
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
(Chart: only the value "> 40" is recoverable.)
Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness, control bus)
(Diagram: broadband access carrying IPTV/VoD, gaming, messaging, music and voice services.)
Service Creation: SCE's Rich Service Creation Environment

Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber

Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring

Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to a portal ("Content blocked. Click here to unlock all Internet sites")
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content provider partnership
URL Filtering With External DB
On-device URL filtering with external database integration:
Enhance SCE URL classification with external party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integrations are with Websense and Adaptive Mobile

(Diagram: for a URL not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated.)

Package policy by HTTP list (example):
Subscriber package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps
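The cache-in-front-of-external-database flow and the package policy matrix above can be exercised end to end with a few lines of code. This is an added example for this page, not Cisco SCE or Websense code: the database contents and hostnames are constructed, and the list IDs and package names are taken from the table.

```python
"""URL classification with an on-device cache in front of an external list
database, then the package policy matrix from the slide (Block-none,
Block-all, Block-and-slow). Added illustration; the database contents and
hostnames are constructed, and this is not Cisco or Websense code."""
from urllib.parse import urlsplit

DEFAULT_LIST = 0   # hosts unknown to the external DB fall into "HTTP DEFAULT"

# Stand-in for the 3rd-party URL database: hostname -> list ID (constructed).
EXTERNAL_DB = {
    "casino.example": 1,      # List ID 1
    "videos.example": 2,      # List ID 2
}

# Policy matrix from the slide, indexed by package and then by list ID.
POLICY = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class UrlFilter:
    def __init__(self, external_db):
        self.external_db = external_db
        self.cache = {}            # hostname -> list ID, filled on each miss
        self.db_queries = 0        # "URL query RDR" round trips to the external DB

    @staticmethod
    def normalize_host(url: str) -> str:
        """Canonical host key so 'CASINO.example.' and 'casino.example' share a
        cache entry and a verdict; without this a subscriber evades the list
        with letter case or a trailing dot."""
        host = urlsplit(url).hostname or ""
        return host.lower().rstrip(".")

    def classify(self, url: str) -> int:
        host = self.normalize_host(url)
        if host in self.cache:                 # cache hit: no external transaction
            return self.cache[host]
        self.db_queries += 1                   # cache miss: ask the external DB
        list_id = self.external_db.get(host, DEFAULT_LIST)
        self.cache[host] = list_id             # cache-lookup update
        return list_id

    def action(self, package: str, url: str) -> str:
        """Apply the package's policy to the URL's list ID."""
        return POLICY[package][self.classify(url)]
```

Two things the table implies are worth checking in a real deployment. Every package allows the DEFAULT column, so a host the database does not know (an IP-literal URL, a freshly registered domain) is allowed: the matrix fails open, which is the wrong default for a "Kids Broadband" package that should be whitelist-only. And because the cache is keyed on the host, the first lookup for a host decides the verdict for every later subscriber until the entry expires, so cache lifetime is a policy setting, not just a performance one.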
Parental Control and Content Filtering: Example
(Screenshot: content filtering block page, "Page Blocked: Forbidden Content Detected".)
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs Participating in the Advertising Value Chain
(Diagram: the ISP sits between advertiser, publisher and consumer and contributes demographics, browsing habits and geo-location.)
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a 3rd-party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDR records
Enhanced HTTP redirect: additional parameters in the redirect message for inserting interstitials in WiFi

Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to the profiling servers
3. The profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
Copyright Infringement: P2P Identification (Infringing / Non-Infringing)
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file

Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end-users using existing network resources
The cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
(Diagram: the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic passes through.)
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
What is needed: the ability to identify and mitigate attacks emanating from the SP's own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: subscribers - Service Control - Internet / email servers. Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom")
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; "X" marks blocked traffic on the inbound path.)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: the SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: analysis engine applying PDR - police / drop / rewrite - actions to each direction.)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
(Diagram: subscribers - optical splitter - SCE - optical splitter - network.)
High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
The Slave forwards all traffic to the Master for processing
The Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, each on an active link.)
Redundant Configurations: Active/Standby Schemes
1+0: Active/Standby with an SCE on the active link only. On failure the network uses the alternate path; no service redundancy. Bypass configuration: fail open.
1+1: Active/Standby with an SCE on each link. On failure the network uses the alternate path and the standby SCE resumes service. Bypass configuration: fail open.
(Diagram: active link and standby link in each scheme.)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules on its link pairs; the default bypass state applies when there is no power.)
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
(Diagram: 7600 - N+1 SCEs - Internet; flows out to the SCEs and return flows back.)
Network Architectures: SCE's Open and Extensible Architecture
(Diagram: DSL/fiber via BRAS/LAC/LNS and mobile via GGSN feed SCEs deployed as an N+1 cluster, as 1+1 HA pairs and with bypass HA, all integrated with accounting / policy control, toward the Internet.)
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
(Diagram: example encapsulation stacks, e.g. L2TP / MPLS / PPP around IP / TCP / payload.)
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer.
Modular solution including SCE devices, management tools and integration APIs.
(Diagram: Subscribers - Service Control Engine - Network; the Subscriber Manager integrates with AAA, DHCP, RADIUS and billing; the Collection Manager feeds the reporting tool; also the Engage console, a service portal and a policy server / portal.)
Management and Integrations

Area                          | Description                                            | Protocols and tools        | External software modules
Network Management            | FCAPS                                                  | SNMP, CLI, SSH             | N/A
Policy / Service Configuration| Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management         | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data Collection               | Collection of usage data for reporting and billing     | NetFlow v9, RDR protocol   | Collection Manager
Network Management (FCAPS)
SNMP (v2):
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Both SNMPv2 community strings and Telnet sessions travel in cleartext; for a device that holds subscriber-to-IP mappings and policy, use SSH and a dedicated management network.
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites (SCE, CM, SM, database)
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
(Diagram: B-RAS - RADIUS server - Cisco Subscriber Manager (event manager, internal SDB, SCE device controller) - SCE - subscribers.)
1. The B-RAS sends a RADIUS Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS relay forwards the Acct-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. The SM calls Set Subscriber (Joe, 1.2.3.4, 12) on the SCE over the SM-API

Subscriber Manager: RADIUS Integration - Pull
1. The B-RAS sends a RADIUS Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS relay forwards the Acct-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4. The SM answers with Set Subscriber (Joe, 1.2.3.4, 12) over the SM-API
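The push and pull sequences above turn a RADIUS Accounting-Start into a network-ID to subscriber-ID and policy-ID binding. The example below, added for this page and not Cisco SM, LEG or SCE code, builds a constructed Acct-Start, parses it the way a RADIUS LEG would (including the RFC 2866 Request Authenticator check, which is what stops a spoofed Acct-Start from rebinding an IP to someone else's package), and then drives a toy Subscriber Manager in both push and pull mode. The vendor-type number used for the "SCE-VAS-PID" VSA and the package used for unmapped IPs are assumptions; the slides do not give them.

```python
"""RADIUS Acct-Start parsing as a RADIUS LEG would do it, feeding a toy
Subscriber Manager in push and pull mode. Added illustration; not Cisco
SM/LEG/SCE code. Packet layout per RFC 2865/2866."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4                                   # RADIUS code (RFC 2866)
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER = 1, 8, 26, 32
CISCO_VENDOR_ID = 9                                      # IANA enterprise number
VSA_PACKAGE_ID = 250     # ASSUMED vendor-type for "SCE-VAS-PID"; not from the slides
ANONYMOUS_PACKAGE = 0    # ASSUMED package applied to IPs the SM cannot map


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _request_authenticator(pkt_id, length, attrs, secret):
    # RFC 2866 s.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_acct_start(secret, pkt_id, user, ip, package_id=None, nas="bras-1"):
    """Constructed Acct-Start as the B-RAS (or the RADIUS relay) would send it."""
    attrs = (_avp(USER_NAME, user.encode())
             + _avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
             + _avp(NAS_IDENTIFIER, nas.encode()))
    if package_id is not None:
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + _avp(VSA_PACKAGE_ID, str(package_id).encode())
        attrs += _avp(VENDOR_SPECIFIC, vsa)
    length = 20 + len(attrs)
    auth = _request_authenticator(pkt_id, length, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, length) + auth + attrs


def parse_acct_start(pkt, secret):
    """Verify the authenticator, then extract subscriber ID, network ID and
    policy ID. Anything that does not authenticate is rejected, so a forged
    Acct-Start cannot rebind an IP to another subscriber's package."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    auth, attrs = pkt[4:20], pkt[20:]
    if not hmac.compare_digest(auth, _request_authenticator(pkt_id, length, attrs, secret)):
        raise ValueError("bad Request Authenticator (wrong shared secret or forged)")
    rec, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated AVP")
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed AVP length")
        value = attrs[i + 2:i + attr_len]
        if attr_type == USER_NAME:
            rec["subscriber_id"] = value.decode()
        elif attr_type == FRAMED_IP_ADDRESS and len(value) == 4:
            rec["network_id"] = str(ipaddress.IPv4Address(value))
        elif attr_type == NAS_IDENTIFIER:
            rec["nas"] = value.decode()
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == VSA_PACKAGE_ID and 2 < vlen <= len(value) - 4:
                rec["policy_id"] = int(value[6:4 + vlen])
        i += attr_len
    if "subscriber_id" not in rec or "network_id" not in rec:
        raise ValueError("Acct-Start without User-Name / Framed-IP-Address")
    return rec


class SubscriberManager:
    """Subscriber database: network ID -> (subscriber ID, policy ID)."""
    def __init__(self):
        self.sdb = {}
        self.sces = []                      # SCEs that receive logins in push mode

    def login(self, rec, push=True):
        entry = (rec["subscriber_id"], rec.get("policy_id", ANONYMOUS_PACKAGE))
        self.sdb[rec["network_id"]] = entry
        if push:                            # push mode: Set Subscriber on each SCE
            for sce in self.sces:
                sce.set_subscriber(rec["network_id"], *entry)

    def lookup(self, ip):                   # pull mode: "who is using IP x?"
        return self.sdb.get(ip)


class SCE:
    def __init__(self, sm):
        self.sm, self.mappings = sm, {}
        sm.sces.append(self)

    def set_subscriber(self, ip, subscriber_id, policy_id):
        self.mappings[ip] = (subscriber_id, policy_id)

    def subscriber_for_flow(self, src_ip):
        """Resolve the subscriber context for a flow, querying the SM on a miss."""
        if src_ip not in self.mappings:
            found = self.sm.lookup(src_ip)
            if found is None:
                return ("anonymous", ANONYMOUS_PACKAGE)
            self.mappings[src_ip] = found
        return self.mappings[src_ip]
```

The authenticator check is the part that matters operationally: the binding the SM learns here decides which package (and quota) every packet from that IP is charged to, so a LEG that accepts accounting messages without verifying them against the NAS shared secret lets anyone who can reach it impersonate the B-RAS. A sniffer-style LEG that only observes accounting traffic cannot make that check itself and inherits whatever the RADIUS server accepted.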
RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEG translates these into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning
NetFlow v9: allows integration for billing / quota provisioning

Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE - API - Subscriber Manager - API - Policy Server.)
PCEF - Subscriber Policy Enforcement
(Diagram: subscriber - GGSN (access aggregation and service control) - SCE as PCEF (subscriber service control) - converged packet core - Internet and video/VoIP applications and services.)
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
Note: the Gx interface is still under development and will be available in a future release.

Gx Interface And RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in outgoing SCE Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
Note: the Gx interface is still under development and will be available in a future release.
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol is integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms
(Diagram: SCE - RDR stream over TCP - mediation / collection platform; each RDR is a header followed by fields 0..n.)

Collection Manager: NetFlow v9 Export
NetFlow export v9 extended to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: the SCE exports to both the SCMS Collection Manager / SCMS Reporter and a NetFlow Collector / NetFlow Reporter.)

Collection Manager: Software Overview
CM software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates)
CM bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic per package, per service and per direction (upstream / downstream)
(Diagram: subscriber side - SCE - network side; upstream and downstream flows for browsing, P2P and VoIP.)

ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because it overrides the signature result, the element that sets the marking must sit on the trusted side of the SCE; DSCP values arriving from subscriber devices should be re-marked at the access edge rather than honoured.
Summary

Cisco SCE Sample Customers
(Logo slide: mobile, DSL and cable operators.)

Partner ecosystem by area:
Security and content filtering: Aladdin, Websense, Adaptive Mobile
Policy and billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Flash caching / video: Oversi, CDS
Content infringement: Audible Magic, Advestigo, Altnet
Management / reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data warehousing: Business Objects, Oracle

Customers named on the slides: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom, various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, Telenet
Traffic Analysis and Business Intelligence

Business Intelligence Cycle
(Diagram: a Measure - Analyze - Compare - Decide - Act loop, with Cisco Service Control feeding the Measure stage and implementing the Act stage.)
Measure: transactions information, network utilization, service QoE
Analyze: data aggregation, data mining, correlation, trend analysis
Compare: geographies comparison, histogram view
Decide: service offering, marketing review, engineering review, IT review (intersecting set)
Act: network tuning, cooperation
Also shown: strategic; part of business ops; customer, sales and category recognition
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application

Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts

Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
(Chart: all HTTP requests vs. ClickStream only.)
Cumulative and Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients / protocols / applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies (HD vs normal); Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures has become a difficult task:
Signatures are more complex (encryption)
Protocol signatures evolve all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It is both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach recognizes application flows based on only a few signatures; one signature per application family instead of one per application (Behavioral P2P).
Cost-effective: Behavioral P2P may be enough for some use cases, such as traffic optimization, where there is no need to recognize the specific P2P application.
Time to market / zero-day response: the Behavioral P2P signature uses a heuristic approach; a new P2P client version does not necessarily require development of new signatures.
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (service level) and implementation impact:
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Diagram: share of a subscriber's bandwidth across peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video.)
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, longer-term violation of the subscription plan's acceptable usage policy must be monitored and acted on to ensure a balanced community of subscribers.
Example: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the quality of experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
(Chart: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly.)
RAN Optimization and Backhaul Optimization
Addresses the inherent congestion at RAN and backhaul level that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
(Topology: UTRAN -> SGSN/GGSN -> SCE -> Internet, with a policy server attached to the SCE; GPRS shown alongside.)
Tiered Services
Requirement: Flexible Billing Plans
Subscription / time: bill by bandwidth usage over an always-on service
Volume / transaction / content type: bill differently for each type of application and content
Volume / transaction / content type / usage pattern / quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session can either be terminated or the user can purchase more usage.
Quota Measurement / Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographic data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Topology: subscribers -> Service Control Engine -> network, with Quota Manager, billing/mediation and policy server attached.)
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
The quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
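The quota rules above (exempt services, a time-of-day weighting, redirect at 100% of the allowance) and the "a 5 GB daily quota affects only the top 2%" check from the usage-distribution slide, as an added example in Python. This is not Cisco SCE code: the service names, the 00:00-05:59 night window, the 80% warning threshold and the sample flows are assumptions constructed for the example; the 1:1 peak and 10:1 night rates and the portal redirect are what the slides describe.

```python
"""Quota accounting with revenue-exempt services and time-of-day weighting.

Added example, not Cisco SCE code.  Service names, the night window and the
80% warning threshold are assumptions; the 1:1 peak and 10:1 night rates
and the quota-portal redirect come from the slides.
"""
from dataclasses import dataclass
from datetime import datetime

# Services whose traffic does not count against the access quota (assumed names).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}

NIGHT_HOURS = range(0, 6)   # assumed "middle of the night" window, 00:00-05:59
NIGHT_DIVISOR = 10          # 10 bytes of transfer = 1 byte of quota
PEAK_DIVISOR = 1            # 1 byte of transfer = 1 byte of quota
NOTIFY_AT = 0.8             # assumed: warn the subscriber at 80% of the allowance


@dataclass
class Flow:
    subscriber: str
    service: str      # SCE service classification of the flow
    nbytes: int       # bytes transferred
    ts: datetime      # time the flow was accounted


def quota_divisor(ts: datetime) -> int:
    """Transfer bytes per quota byte at the given time of day."""
    return NIGHT_DIVISOR if ts.hour in NIGHT_HOURS else PEAK_DIVISOR


def quota_cost(flow: Flow) -> int:
    """Bytes charged against the subscriber's quota for one flow."""
    if flow.service in EXEMPT_SERVICES:
        return 0
    return flow.nbytes // quota_divisor(flow.ts)


@dataclass
class QuotaBucket:
    allowance: int
    used: int = 0

    def remaining(self) -> int:
        return max(self.allowance - self.used, 0)

    def consume(self, flow: Flow) -> str:
        """Charge the flow; return the action for the subscriber's next traffic."""
        self.used += quota_cost(flow)
        if self.used >= self.allowance:
            return "redirect"   # 100% reached: HTTP redirect to the quota portal
        if self.used >= NOTIFY_AT * self.allowance:
            return "notify"
        return "allow"


def apply_flows(flows, allowance):
    """Run a batch of flows through per-subscriber buckets.

    Returns (buckets, last_action), both keyed by subscriber.
    """
    buckets, actions = {}, {}
    for f in flows:
        bucket = buckets.setdefault(f.subscriber, QuotaBucket(allowance))
        actions[f.subscriber] = bucket.consume(f)
    return buckets, actions


def share_over_quota(daily_usage, quota):
    """Fraction of subscribers whose daily usage exceeds the quota.

    This is the check behind the "a 5 GB daily quota affects only the top 2%"
    claim: run it over a day of per-subscriber usage before choosing the cap.
    """
    if not daily_usage:
        return 0.0
    return sum(1 for u in daily_usage.values() if u > quota) / len(daily_usage)


GB = 1_000_000_000

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("alice", "web", 900_000_000, datetime(2009, 7, 1, 20, 0)),        # peak: 900 MB
    Flow("alice", "sp-voip", 300_000_000, datetime(2009, 7, 1, 20, 30)),   # exempt: 0
    Flow("alice", "p2p", 2 * GB, datetime(2009, 7, 2, 3, 0)),              # night: 200 MB
    Flow("bob", "p2p", 500_000_000, datetime(2009, 7, 1, 21, 0)),          # peak: 500 MB
]

if __name__ == "__main__":
    buckets, actions = apply_flows(SAMPLE_FLOWS, allowance=1 * GB)
    for sub, b in buckets.items():
        print(f"{sub}: used {b.used / GB:.2f} GB, remaining {b.remaining() / GB:.2f} GB, "
              f"next action {actions[sub]}")
```

With a 1 GB allowance, alice's 900 MB peak-hour browsing already trips the warning, her VoIP flow costs nothing, and the 2 GB night-time P2P transfer is charged as 200 MB, which still pushes her to 1.1 GB and the redirect; bob stays well under. Integer division rounds the charge in the subscriber's favour; a billing system would normally carry the remainder forward rather than drop it.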
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an online charging server
(Topology: subscriber -> GGSN (access aggregation and service control, converged packet core) -> SCE (subscriber service control) -> Internet / video / VoIP applications and services.)
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
(Topology: SCE <-- Gy over Diameter --> Online Charging Server; SCE -> Internet.)
The Gy interface is still under development and will be available in a future release.
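The prepaid volume-quota exchange that DCCA (RFC 4006) defines over Gy, as an added example written for this page rather than taken from the SCE or from a Diameter stack: the PCEF sends CCR-Initial at session start, receives a Granted-Service-Unit slice, reports Used-Service-Unit in CCR-Update when the slice runs out, and enforces the Final-Unit-Indication locally once the OCS has handed out the last slice. Messages are plain Python dicts keyed by AVP name; the 10 MB grant size, a single rating group, volume-only quota and the subscriber balances are assumptions.

```python
"""Diameter Credit-Control (Gy) exchange between a PCEF and an online charging server.

Added example: a toy model of the RFC 4006 message flow (CCR-Initial / Update /
Terminate, Granted-Service-Unit, Used-Service-Unit, Final-Unit-Indication) in
plain Python dicts.  Not a Diameter stack and not Cisco code; the 10 MB grant
size, a single rating group and volume-only quota are assumptions.
"""
INITIAL, UPDATE, TERMINATE = 1, 2, 3         # CC-Request-Type values (RFC 4006)
DIAMETER_SUCCESS = 2001
DIAMETER_CREDIT_LIMIT_REACHED = 4012
GRANT_SIZE = 10_000_000                      # assumed: OCS reserves 10 MB per grant


class OnlineChargingServer:
    """Toy OCS: one prepaid volume balance per subscriber, granted in slices."""

    def __init__(self, balances):
        self.balances = dict(balances)       # subscriber -> remaining bytes

    def handle(self, ccr):
        sub = ccr["Subscription-Id"]
        # Reconcile what the PCEF reports as consumed since the previous grant.
        self.balances[sub] -= ccr.get("Used-Service-Unit", 0)
        cca = {"Session-Id": ccr["Session-Id"],
               "CC-Request-Type": ccr["CC-Request-Type"],
               "Result-Code": DIAMETER_SUCCESS}
        if ccr["CC-Request-Type"] == TERMINATE:
            return cca
        remaining = self.balances[sub]
        if remaining <= 0:
            cca["Result-Code"] = DIAMETER_CREDIT_LIMIT_REACHED
            return cca
        cca["Granted-Service-Unit"] = min(GRANT_SIZE, remaining)
        if remaining <= GRANT_SIZE:
            # Last slice: tell the PCEF what to do when it runs out, so that
            # exhaustion is enforced without another round trip.
            cca["Final-Unit-Indication"] = "REDIRECT"
        return cca


class PolicyEnforcer:
    """Toy PCEF (the SCE's role): meters each session against granted units."""

    def __init__(self, ocs):
        self.ocs = ocs
        self.sessions = {}

    def _request(self, session_id, rtype, used=0):
        sess = self.sessions[session_id]
        ccr = {"Session-Id": session_id, "CC-Request-Type": rtype,
               "Subscription-Id": sess["subscriber"],
               "Requested-Service-Unit": GRANT_SIZE}
        if used:
            ccr["Used-Service-Unit"] = used
        cca = self.ocs.handle(ccr)
        sess["used"] = 0
        if cca["Result-Code"] != DIAMETER_SUCCESS:
            sess["granted"], sess["blocked"] = 0, True
            return
        sess["granted"] = cca["Granted-Service-Unit"]
        sess["final"] = "Final-Unit-Indication" in cca

    def start(self, session_id, subscriber):
        """CCR-Initial at session setup; returns the initial action."""
        self.sessions[session_id] = {"subscriber": subscriber, "granted": 0,
                                     "used": 0, "final": False, "blocked": False}
        self._request(session_id, INITIAL)
        return "redirect" if self.sessions[session_id]["blocked"] else "allow"

    def forward(self, session_id, nbytes):
        """Account nbytes of traffic; returns the action for the session."""
        sess = self.sessions[session_id]
        if sess["blocked"]:
            return "redirect"
        sess["used"] += nbytes
        if sess["used"] < sess["granted"]:
            return "allow"
        if sess["final"]:
            # Final grant exhausted: apply the FUI action locally.  The overshoot
            # of the last packet is reported at termination.
            sess["blocked"] = True
            return "redirect"
        # Grant exhausted mid-session: CCR-Update reports usage and asks for more.
        self._request(session_id, UPDATE, used=sess["used"])
        return "redirect" if sess["blocked"] else "allow"

    def stop(self, session_id):
        """CCR-Terminate: report the unreported remainder and release the session."""
        sess = self.sessions.pop(session_id)
        self.ocs.handle({"Session-Id": session_id, "CC-Request-Type": TERMINATE,
                         "Subscription-Id": sess["subscriber"],
                         "Used-Service-Unit": sess["used"]})


if __name__ == "__main__":
    ocs = OnlineChargingServer({"alice": 25_000_000})   # constructed balance
    pcef = PolicyEnforcer(ocs)
    print("start:", pcef.start("s1", "alice"))
    for n in (6_000_000, 6_000_000, 10_000_000, 2_000_000, 2_000_000):
        print(n, pcef.forward("s1", n), "balance", ocs.balances["alice"])
    pcef.stop("s1")
    print("final balance", ocs.balances["alice"])
```

Two details matter operationally. The PCEF can only learn that a slice is exhausted after the bytes have passed, so the balance can go slightly negative at termination; the Final-Unit-Indication on the last slice bounds that overshoot to one slice and lets the SCE redirect without waiting for the OCS. And a session started with no credit gets DIAMETER_CREDIT_LIMIT_REACHED up front and is redirected from its first packet.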
Quota Based Tiering: Telenet, Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month
15% of the customers upgrade their quota every month
(Telenet self-service portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to switch from pay-as-you-go broadband to free smallband or the other way around.)
Redirect page: when 100% of the quota is reached, three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.
Quota Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer satisfaction
T-Mobile: Quota-Based With Application Control

Service          | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | yes       | no  | no      | no       | no      | yes      | no
IM               | yes       | no  | no      | no       | yes     | yes      | no
P2P              | yes       | no  | yes     | no       | yes     | yes      | no
FTP              | yes       | no  | yes     | no       | yes     | yes      | no
Media Stream     | yes       | no  | yes     | no       | yes     | yes      | no
Web Browsing     | yes       | yes | yes     | yes      | yes     | yes      | yes
Downloads        | yes       | no  | yes     | yes      | yes     | yes      | yes
Emails           | yes       | yes | yes     | yes      | yes     | yes      | yes
Handset as modem | yes       | no  | yes     | no       | yes     | yes      | no
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota
(Screenshot of the Vodafone Spain consumer Internet offer, httpwwwvodafoneesparticularesinternet; annotation: > 40)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (application awareness, control bus)
Services shown: IPTV / VoD, broadband access, gaming, messaging, music, voice
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Screenshot: personalization via self-selection)
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
(Screenshot: turbo button)
Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self-Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example: Content Tiering, "Kids Broadband"
Application- and content-based access control with white lists and black lists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnerships
(Portal page shown: "Content Blocked. Click here to unlock all Internet sites.")
URL Filtering With External DB
On-device URL filtering with external database integration:
Enhance SCE URL classification with external-party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
(Flow: on a cache miss the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the SCE updates its cache.)

Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
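The lookup path in the slide (cache in front of the external database, then the package/list-ID action table), as an added example that is not SCE code. The package names, list IDs and actions are the slide's; the category database contents, the longest-suffix matching, the cache TTL and the injectable clock are assumptions. The host is taken from the URL the way the filter must take it from the request, so a URL such as http://news.example@adult.example/ is classified by adult.example, not by the userinfo in front of the '@'.

```python
"""URL classification through an external category database with an on-box
cache, followed by the per-package HTTP action table.

Added example, not SCE code.  The list IDs (0 = DEFAULT, 1, 2), package names
and action strings mirror the slide's table; the category database contents,
the cache TTL and the clock are assumptions.
"""
import time
from urllib.parse import urlsplit

DEFAULT_LIST = 0   # "HTTP DEFAULT": host not in any list

# Action per (subscriber package, HTTP list ID), as in the slide.
PACKAGE_ACTIONS = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDatabase:
    """Stand-in for the 3rd-party URL database (Websense / Adaptive Mobile)."""

    def __init__(self, table):
        self.table = table        # domain -> list ID (constructed below)
        self.queries = 0          # how many lookups reached the external DB

    def classify(self, host):
        self.queries += 1
        # Longest-suffix match: a host inherits the classification of its
        # registered domain (www.adult.example -> adult.example).
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.table:
                return self.table[candidate]
        return DEFAULT_LIST


class UrlFilter:
    """On-device URL filter: cache in front of the external DB, then policy."""

    def __init__(self, db, ttl=300, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, ttl, clock
        self.cache = {}           # host -> (list ID, expiry)

    @staticmethod
    def canonical_host(url):
        # Use the host the request really goes to, not whatever precedes an
        # '@' or appears in the path; normalise case and a trailing dot.
        host = urlsplit(url).hostname or ""
        return host.lower().rstrip(".")

    def list_id(self, host):
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        lid = self.db.classify(host)
        self.cache[host] = (lid, now + self.ttl)
        return lid

    def decide(self, package, url):
        """Return the HTTP action for a subscriber in `package` fetching `url`."""
        lid = self.list_id(self.canonical_host(url))
        return PACKAGE_ACTIONS[package].get(lid, "ALLOW")


# Constructed category table (not real data): list 1 = adult, list 2 = games.
SAMPLE_DB = {"adult.example": 1, "games.example": 2}

if __name__ == "__main__":
    f = UrlFilter(ExternalUrlDatabase(SAMPLE_DB))
    for pkg, url in [("Block-all", "http://www.adult.example/pics"),
                     ("Block-and-slow", "http://games.example/play"),
                     ("Block-none", "http://adult.example/")]:
        print(pkg, url, "->", f.decide(pkg, url))
```

The cache is keyed by the canonical host, so the second request for a host within the TTL never reaches the external database, which is the transaction saving the slide refers to; an expired entry is refreshed on the next request. Anything not in a list falls into HTTP DEFAULT and is allowed in every package, so the safety of the filter is only as good as the category database.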
Parental Control and Content Filtering: Example
Content filtering: "Page Blocked: Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs Participating in the Advertising Value Chain
Advertiser -> Publisher -> Consumer, with the ISP contributing demographics, browsing habits and geo-location
SPs leverage their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end users using existing network resources
The cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Diagram: the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic passes through; increase in demand for OTT.)
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: Service Control between subscribers and the Internet / email servers; sample quarantine notification:)
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
A notification of this form asks the subscriber to follow a link, which is the same pattern phishing relies on; the quarantine page and any link in it should be served from the SP's own domain so subscribers can tell the two apart.
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Topology: User 1 -> carrier Ethernet / MPLS / IP -> SCE -> Internet, with a VAS server hanging off the SCE; inbound and outbound traffic shown, X = traffic blocked.)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump on a Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
(Diagram: analysis engine with PDR: police / drop / rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
(Diagram: optical splitters between subscribers and network feeding the receive-only SCE)
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have identical configuration
(Diagram: master and slave SCEs, one on each active link)
Redundant Configurations: Active/Standby Schemes
1+0: SCE on the active link only; on failure the network uses the alternate path; no service redundancy; bypass configured to fail open
1+1: SCE on each link (active and standby); on failure the network uses the alternate path and the standby SCE resumes service; bypass configured to fail open
Fail-open bypass keeps the link up when an SCE fails, but traffic through a bypassed SCE passes with no policy enforcement, so in 1+0 control (including security mitigation) is lost for the duration of the failure.
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
(Diagram: SCE8000 with optical bypass modules; default bypass state (no power) vs. non-default bypass state)
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: DSL / fiber subscribers via BRAS / LAC / LNS and mobile subscribers via GGSN, with SCEs inserted in N+1, 1+1 HA and bypass HA configurations before the Internet; accounting and policy control attached.)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
(Diagram: payload / TCP / IP stacks carried over L2TP, MPLS and PPP headers)
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer.
Modular solution includes SCE devices, management tools and integration APIs.
(Diagram: Service Control Engine between subscribers and network; Subscriber Manager integrated with AAA, DHCP and RADIUS; Collection Manager feeding billing and the reporting tool; Engage console; service portal; policy server / portal.)
Management and Integrations

Area                           | Description                                            | Protocols and tools        | External software modules
Network management             | FCAPS                                                  | SNMP, CLI, SSH             | N/A
Policy / service configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management          | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data collection                | Collection of usage data for reporting and billing     | NetFlow v9, RDR protocol   | Collection Manager
Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB covering link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps; RDR link up/down; link status up/down
CLI: Telnet / SSH; Cisco look and feel; CLI configuration wizard
Telnet and SNMP v2 send credentials and community strings in cleartext; management access should be restricted to the SSH CLI on an isolated management network.
Management: Network Navigator, Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate a real-time report for that subscriber
Service Security Dashboard
Integrated console to manage the service security functionality:
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back office / AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push
(Diagram: B-RAS -> RADIUS -> Cisco Subscriber Manager (event manager, internal SDB, SCE device controller) -> SCE -> subscribers / network)
1. RADIUS Accounting-Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to the SM: Accounting-Start with User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM-API to the SCE: Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: RADIUS Integration, Pull
(Same topology as the push case)
1. RADIUS Accounting-Start from the B-RAS: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to the SM: Accounting-Start with User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4. SM-API answer to the SCE: Set Subscriber (Joe, 1.2.3.4, 12)
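The push and pull exchanges above, as an added example that is not Cisco Subscriber Manager code. It turns constructed RADIUS accounting records carrying the attributes the slides name (User-Name, Framed-IP-Address, the SCE-VAS-PID vendor attribute) into login and logout events, pushes them to a stand-in SCE, answers the pull-mode "who is using IP x" query, and persists a subscriber's package across logins. The default package ID for unmapped traffic and the stand-in SCE's method names are assumptions. The case worth getting right is address reuse: if the B-RAS hands 1.2.3.4 to a new user before the old user's Accounting-Stop has been processed, the old mapping must be evicted at the new Start, and the late Stop must be ignored rather than logging out the new holder, otherwise quota, policy and security actions are applied to the wrong subscriber.

```python
"""Subscriber Manager mapping driven by RADIUS accounting (push and pull).

Added example, not Cisco SM code.  The accounting records are constructed
dicts of the attributes the slides name (User-Name, Framed-IP-Address,
SCE-VAS-PID); the default package ID and the stand-in SCE API are assumptions.
"""
from ipaddress import ip_address

DEFAULT_PACKAGE = 0      # assumed: package applied to unmapped (anonymous) traffic
ANONYMOUS = "anonymous"


class SubscriberManager:
    def __init__(self, sce=None):
        self.by_ip = {}        # network ID (IP) -> (subscriber ID, package ID)
        self.policy = {}       # subscriber ID -> package ID, persisted across logins
        self.sce = sce         # push target; None means pull-only operation
        self.events = []

    def on_accounting(self, rec):
        """RADIUS LEG: translate one accounting record into login / logout."""
        ip = ip_address(rec["Framed-IP-Address"])
        sub = rec["User-Name"]
        status = rec["Acct-Status-Type"]
        if status in ("Start", "Interim-Update"):
            pkg = int(rec.get("SCE-VAS-PID", self.policy.get(sub, DEFAULT_PACKAGE)))
            prev = self.by_ip.get(ip)
            if prev is not None and prev[0] != sub:
                # Address reused before the old session's Stop arrived: evict
                # the stale mapping now, or the new user is metered and policed
                # as the old one.
                self._logout(prev[0], ip)
            self.by_ip[ip] = (sub, pkg)
            self.policy[sub] = pkg
            self.events.append(("login", sub, str(ip), pkg))
            if self.sce is not None:
                self.sce.set_subscriber(sub, str(ip), pkg)       # push mode
            return ("login", sub, str(ip), pkg)
        if status == "Stop":
            cur = self.by_ip.get(ip)
            if cur is None or cur[0] != sub:
                # A late Stop for an address someone else now holds must not
                # log out the current holder.
                self.events.append(("ignored-stop", sub, str(ip)))
                return ("ignored-stop", sub, str(ip))
            self._logout(sub, ip)
            return ("logout", sub, str(ip))
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")

    def _logout(self, sub, ip):
        del self.by_ip[ip]
        self.events.append(("logout", sub, str(ip)))
        if self.sce is not None:
            self.sce.remove_subscriber(str(ip))

    def lookup(self, ip):
        """Pull mode: the SCE asks "who is using IP x" on a subscriber's first flow."""
        return self.by_ip.get(ip_address(ip), (ANONYMOUS, DEFAULT_PACKAGE))


class RecordingSce:
    """Stand-in for the SCE's SM-API endpoint; records push calls."""

    def __init__(self):
        self.calls = []

    def set_subscriber(self, sub, ip, pkg):
        self.calls.append(("set", sub, ip, pkg))

    def remove_subscriber(self, ip):
        self.calls.append(("remove", ip))


# Constructed accounting stream: Joe logs in, the B-RAS reassigns 1.2.3.4 to
# Ann, and Joe's Stop arrives late.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "joe", "Framed-IP-Address": "1.2.3.4",
     "SCE-VAS-PID": "12"},
    {"Acct-Status-Type": "Start", "User-Name": "ann", "Framed-IP-Address": "1.2.3.4",
     "SCE-VAS-PID": "7"},
    {"Acct-Status-Type": "Stop", "User-Name": "joe", "Framed-IP-Address": "1.2.3.4"},
]


def replay(records, sce=None):
    """Feed a stream of accounting records to a fresh SM and return it."""
    sm = SubscriberManager(sce)
    for rec in records:
        sm.on_accounting(rec)
    return sm


if __name__ == "__main__":
    sm = replay(SAMPLE_RECORDS, RecordingSce())
    for e in sm.events:
        print(e)
    print("1.2.3.4 ->", sm.lookup("1.2.3.4"))
```

In pull mode the first packets of a new session can arrive at the SCE before the accounting record reaches the SM, and `lookup` then returns the anonymous default package; that window is why the push mode sends the mapping to the SCE as soon as the Start is relayed.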
RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning
NetFlow v9: allows integration for billing / quota provisioning cases
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE <-API-> Subscriber Manager <-API-> Policy Server)
PCEF: Subscriber Policy Enforcement
(Topology: subscriber -> GGSN (access aggregation and service control, converged packet core) -> SCE acting as PCEF (subscriber service control) -> Internet / video / VoIP applications and services, with the PCRF policy server attached to the SCE)
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server. Communication with the PCRF is through a standard Gx interface.
The Gx interface is still under development and will be available in a future release.
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: either the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems:
Policy-control, mediation, home-grown customer systems
[Diagram: SCE -> RDR Protocol over TCP -> Mediation/Collection Platform; RDR stream = RDR, RDR, RDR, ...; each RDR = Header, Field 0, Field 1, ..., Field n]
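As an added illustration (not Cisco's RDR wire format, which the slide does not specify), the following Python parser shows the structural point of the diagram: a binary record stream over TCP in which each record is a header followed by typed fields, so the receiver must cope with records that straddle TCP segment boundaries and must bound what a corrupt header can make it allocate. The framing used here (type/count header, tag-length-value fields) and the sample records are assumptions of this example.

```python
import struct
from dataclasses import dataclass, field

# Field type tags of this constructed framing (an assumption of the example,
# not the SCE's real RDR encoding).
FT_UINT32 = 0x01
FT_STRING = 0x02


@dataclass
class Rdr:
    rdr_type: int
    fields: list = field(default_factory=list)


def encode_rdr(rdr_type, values):
    """Build one record: header (type, field count) followed by TLV fields."""
    out = struct.pack(">HH", rdr_type, len(values))
    for v in values:
        if isinstance(v, int):
            out += struct.pack(">BHI", FT_UINT32, 4, v)
        else:
            raw = v.encode("utf-8")
            out += struct.pack(">BH", FT_STRING, len(raw)) + raw
    return out


class RdrStreamParser:
    """Incremental decoder: feed() arbitrary TCP chunks, get back complete records."""

    MAX_FIELDS = 64          # sanity bounds: a corrupt header must not drive
    MAX_FIELD_LEN = 4096     # unbounded buffering on the collector

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        records = []
        while True:
            rec, used = self._parse_one(bytes(self._buf))
            if rec is None:
                return records
            records.append(rec)
            del self._buf[:used]

    def _parse_one(self, data):
        """Return (record, bytes consumed) or (None, 0) if the record is incomplete."""
        if len(data) < 4:
            return None, 0
        rdr_type, nfields = struct.unpack_from(">HH", data, 0)
        if nfields > self.MAX_FIELDS:
            raise ValueError(f"implausible field count {nfields}")
        off, values = 4, []
        for _ in range(nfields):
            if len(data) < off + 3:
                return None, 0                      # wait for the rest of the segment
            ftype, flen = struct.unpack_from(">BH", data, off)
            off += 3
            if flen > self.MAX_FIELD_LEN:
                raise ValueError(f"implausible field length {flen}")
            if len(data) < off + flen:
                return None, 0
            raw = data[off:off + flen]
            off += flen
            if ftype == FT_UINT32 and flen == 4:
                values.append(struct.unpack(">I", raw)[0])
            elif ftype == FT_STRING:
                values.append(raw.decode("utf-8", errors="replace"))
            else:
                raise ValueError(f"bad field type {ftype:#x} / length {flen}")
        return Rdr(rdr_type, values), off


# Constructed sample stream: two usage records (subscriber id, package id,
# upstream bytes, downstream bytes); the field meanings are illustrative only.
REC_A = encode_rdr(1, ["sub-0001", 10, 120000, 45000])
REC_B = encode_rdr(1, ["sub-0002", 20, 5000, 9000])
STREAM = REC_A + REC_B


def demo_split_delivery(split_at=len(REC_A) + 5):
    """Deliver the stream in two TCP segments whose boundary falls inside REC_B."""
    parser = RdrStreamParser()
    first = parser.feed(STREAM[:split_at])
    second = parser.feed(STREAM[split_at:])
    return first, second


if __name__ == "__main__":
    a, b = demo_split_delivery()
    print([r.fields for r in a], [r.fields for r in b])
```

The two sanity bounds are the part worth copying into a real collector: a record stream from a device is trusted for its content, but a length field is still input, and a collector that allocates whatever a header asks for can be knocked over by one corrupted segment.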
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE -> SCMS Collection Manager -> SCMS Reporter; SCE -> NetFlow Collector -> NetFlow Reporter]
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selected DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (i.e. upstream / downstream)
[Diagram: Subscriber side <-> SCE <-> Network side; upstream flows and downstream flows for Browsing, P2P, VoIP]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
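An added Python example (not SCE code) of the two mechanics the ToS slides describe: reading the DSCP value out of an IPv4 header so that DSCP-based classification can take precedence over the signature result, and rewriting the DSCP per package, service and direction. The DSCP-to-flavor map and the marking table are constructed for the example; the ECN bits are preserved and the header checksum is recomputed, which any inline device that touches the ToS byte must do.

```python
import struct

# Constructed DSCP flavors: DSCP value -> service assigned when the bits were
# already set by another network element (assumption of the example).
DSCP_FLAVORS = {46: "voip", 34: "video"}

# Constructed marking table: (package, service, direction) -> DSCP to write.
MARKING_TABLE = {
    ("gold", "voip", "upstream"): 46,
    ("gold", "browsing", "downstream"): 10,
    ("bronze", "p2p", "upstream"): 8,
}


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, tos=0, proto=6, payload_len=20):
    """Constructed 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def read_dscp(header):
    """Split the ToS byte: the upper six bits are DSCP, the lower two are ECN."""
    return header[1] >> 2, header[1] & 0x3


def classify(header, signature_result):
    """DSCP classification takes precedence over the signature-based result."""
    dscp, _ = read_dscp(header)
    return DSCP_FLAVORS.get(dscp, signature_result)


def mark(header, package, service, direction):
    """Rewrite the DSCP per package/service/direction, keep ECN, fix the checksum."""
    dscp = MARKING_TABLE.get((package, service, direction))
    if dscp is None:
        return header                        # no marking rule: leave the packet alone
    _, ecn = read_dscp(header)
    new = bytearray(header)
    new[1] = (dscp << 2) | ecn
    new[10:12] = b"\x00\x00"                 # zero the field before recomputing
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new)))
    return bytes(new)


def checksum_ok(header):
    """A header whose checksum is correct sums to zero in one's complement."""
    return ipv4_checksum(header) == 0
```

Because the ToS classification trusts bits set elsewhere, the caveat the slide states matters in practice: it is only as good as the element that set them, so the marking must be applied (or re-applied) at a trust boundary before the SCE relies on it.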
Summary
Cisco SCE Sample Customers
[Figure: customer logos grouped by Mobile, DSL and Cable]
[Figure: partner and customer matrix. Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising. Names shown: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS, Aladdin, Websense, Adaptive Mobile, In-platform Cache, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, Phorm, Feeva, Adzilla, Local China, Local Italy, UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom]
[Figure: partner and customer matrix, continued. Categories: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing. Names shown: Oversi, CDS, Audible Magic, Advestigo, Altnet, Proxy, Business Objectives, Comability, Aqsacom, Info Vista, Business Objects, Oracle, various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet]
Business Intelligence Cycle
[Diagram: cycle of Measure, Analyze, Compare, Decide and Act, with Cisco Service Control feeding the cycle]
Cycle elements: Transactions Information, Network Utilization, Service QoE, Data Aggregation, Data Mining, Correlation, Trend Analysis, Geographies Comparison, Histogram View, Service Offering, Marketing Review, Intersecting Set, Engineering Review, IT Review, Network Tuning, Cooperation
Labels: Strategic, Part of Business Ops, Customer, Sales, Category, Recognition
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic:
Top domains
Top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Chart: all HTTP requests vs. ClickStream only]
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP, Skype 4.0.0.206, Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
Time to market - zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Service Level / Policy Dimensions:
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-sub limits
Destination: on-net / peering / transit
Policy Implementation Impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Diagram: per-subscriber bandwidth allocation between peer-to-peer service, web browsing, email and mobile TV, shown before and after the user launches video]
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both)
If at 0:40 the MSO divides bandwidth equally between them, would that be fair?
Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
[Chart: No fairness - some of the subscribers not getting a fair share of the BW; Fair allocation of BW with the SCE's FairShare]
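Added example (Python; an illustration of the fairness idea on these two slides, not Cisco's FairShare algorithm): a weighted max-min allocation that is only applied when demand exceeds capacity, where a subscriber whose longer-term usage has exceeded the plan's acceptable-use threshold gets a reduced weight during congestion, so the short-term split and the longer-term policy are combined in one step. Capacity, demands, usage figures and the weight rule are constructed.

```python
def congestion(capacity, demands):
    """FairUsage only acts during congestion: total demand above link capacity."""
    return sum(demands.values()) > capacity


def fairness_weight(recent_usage_gb, acceptable_gb, floor=0.5):
    """Weight 1.0 for subscribers within the acceptable usage policy; it decays
    towards `floor` as longer-term usage exceeds the threshold (constructed rule)."""
    if recent_usage_gb <= acceptable_gb:
        return 1.0
    excess = recent_usage_gb / acceptable_gb - 1.0      # 2x the threshold -> 1.0
    return max(floor, 1.0 - 0.5 * excess)


def weighted_max_min(capacity, demands, weights):
    """Water-filling: give every active subscriber capacity in proportion to its
    weight; whoever's demand is met drops out and frees the rest for the others."""
    alloc, remaining, active = {}, float(capacity), set(demands)
    while active:
        total_w = sum(weights[s] for s in active)
        unit = remaining / total_w
        satisfied = [s for s in active if demands[s] <= unit * weights[s]]
        if not satisfied:                      # everyone left is bottlenecked here
            for s in active:
                alloc[s] = unit * weights[s]
            break
        for s in satisfied:
            alloc[s] = demands[s]
            remaining -= demands[s]
            active.remove(s)
    return alloc


def allocate(capacity, demands, recent_usage, acceptable_gb):
    """Per-subscriber bandwidth: demands are met outright when there is no
    congestion, otherwise shared by weighted max-min."""
    if not congestion(capacity, demands):
        return dict(demands)
    weights = {s: fairness_weight(recent_usage.get(s, 0.0), acceptable_gb)
               for s in demands}
    return weighted_max_min(capacity, demands, weights)


# Constructed scenario: 10 Mbps link; A browses, B and C run bulk P2P; C has
# already used twice the plan's monthly acceptable-usage volume.
CAPACITY_MBPS = 10.0
DEMANDS = {"A": 2.0, "B": 9.0, "C": 9.0}
RECENT_USAGE_GB = {"A": 5.0, "B": 20.0, "C": 80.0}
ACCEPTABLE_GB = 40.0

if __name__ == "__main__":
    print(allocate(CAPACITY_MBPS, DEMANDS, RECENT_USAGE_GB, ACCEPTABLE_GB))
```

With equal weights the link splits 2 / 4 / 4 (A's small demand is met in full, the two bulk users share the rest); with C's weight halved it becomes 2 / 5.33 / 2.67, while outside congestion everyone simply gets their demand.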
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN -> SGSN/GGSN -> SCE -> Internet, with a GPRS policy server attached to the SCE]
Tiered Services
Requirement: Flexible Billing Plans
Subscription (Time): bill by bandwidth usage over an always-on service; dimensions: Volume, Time
Bill differently for each type of application and content; dimensions: Time, Volume, Transaction, Content Type
Bill differently for the same content based on quality, priority, time of day and usage pattern; dimensions: Volume, Transaction, Content Type, Usage Pattern, Quality of Service
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers, they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
[Diagram: Subscribers <-> Service Control Engine <-> Network; SCE connected to Quota Manager, Billing/Mediation and Policy Server]
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's Content Delivery Store
P2P technology can also be supported in the upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
[Diagram: Subscriber Service Control; SCE in Access Aggregation and Service Control; GGSN; Converged Packet Core; Internet; Video/VoIP Applications and Services; numbered steps 1-3]
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types:
Volume
Time
Event driven
High availability and load balancing between Online Charging Servers
[Diagram: SCE <-Gy over Diameter-> Online Charging Server; SCE <-> Internet]
The Gy interface is still under development and will be available in a future release
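The Gy exchange this slide describes, as an added Python model (not Cisco's or any OCS vendor's code): a credit-control client holding one volume-quota session on behalf of a subscriber, and an online charging server granting service units a slice at a time and flagging the last slice. The AVP names and values (CC-Request-Type, Granted/Used-Service-Unit, Final-Unit-Indication, Result-Code 2001 and 4012) follow RFC 4006; the single-rating-group simplification, the grant size, the session id and the balances are assumptions of the example.

```python
# RFC 4006 values (real); everything about balances and grants is constructed.
INITIAL_REQUEST, UPDATE_REQUEST, TERMINATION_REQUEST = 1, 2, 3
DIAMETER_SUCCESS = 2001
DIAMETER_CREDIT_LIMIT_REACHED = 4012
FUA_TERMINATE, FUA_REDIRECT = 0, 1          # Final-Unit-Action values


class OnlineChargingServer:
    """Minimal OCS: prepaid octet balances, one rating group, fixed grant size."""

    def __init__(self, balances, grant_size):
        self.balances = dict(balances)
        self.grant_size = grant_size

    def handle_ccr(self, ccr):
        sub = ccr["Subscription-Id"]
        # Settle the usage reported since the previous grant before issuing a new one.
        self.balances[sub] -= ccr.get("Used-Service-Unit", 0)
        cca = {"Session-Id": ccr["Session-Id"],
               "CC-Request-Number": ccr["CC-Request-Number"],
               "Result-Code": DIAMETER_SUCCESS}
        if ccr["CC-Request-Type"] == TERMINATION_REQUEST:
            return cca
        grant = min(self.grant_size, self.balances[sub])
        if grant <= 0:
            cca["Result-Code"] = DIAMETER_CREDIT_LIMIT_REACHED
            cca["Final-Unit-Action"] = FUA_REDIRECT   # send the user to the top-up portal
            return cca
        cca["Granted-Service-Unit"] = grant
        if grant == self.balances[sub]:               # this is the last slice of credit
            cca["Final-Unit-Indication"] = True
            cca["Final-Unit-Action"] = FUA_REDIRECT
        return cca


class GySession:
    """Credit-control client: the enforcement point's view of one session."""

    def __init__(self, ocs, subscriber, session_id):
        self.ocs, self.subscriber, self.session_id = ocs, subscriber, session_id
        self.request_number = 0
        self.granted = 0              # octets left in the current grant
        self.used_since_grant = 0
        self.final_action = None      # set once the OCS signals the last grant
        self.transcript = []          # (CCR, CCA) pairs, for inspection

    def _send(self, request_type):
        ccr = {"Session-Id": self.session_id, "Subscription-Id": self.subscriber,
               "CC-Request-Type": request_type,
               "CC-Request-Number": self.request_number,
               "Used-Service-Unit": self.used_since_grant}
        if request_type != TERMINATION_REQUEST:
            ccr["Requested-Service-Unit"] = {}    # "more, please"; the OCS picks the amount
        self.request_number += 1
        self.used_since_grant = 0
        cca = self.ocs.handle_ccr(ccr)
        self.transcript.append((ccr, cca))
        self.granted = cca.get("Granted-Service-Unit", 0)
        self.final_action = cca.get("Final-Unit-Action")
        return cca

    def start(self):
        return self._send(INITIAL_REQUEST)

    def transfer(self, octets):
        """Account traffic against the grant, re-authorising when it runs out.
        Returns (octets allowed through, Final-Unit-Action or None)."""
        delivered = 0
        while octets > 0:
            if self.granted == 0:
                if self.final_action is not None:      # credit exhausted: enforce
                    return delivered, self.final_action
                self._send(UPDATE_REQUEST)
                if self.granted == 0:                   # OCS refused (4012)
                    return delivered, self.final_action
            take = min(octets, self.granted)
            self.granted -= take
            self.used_since_grant += take
            delivered += take
            octets -= take
        return delivered, None

    def stop(self):
        return self._send(TERMINATION_REQUEST)


def demo():
    """Constructed run: 5000 prepaid octets, 2000-octet grants, 5500 octets offered."""
    ocs = OnlineChargingServer({"sub-0001": 5000}, grant_size=2000)
    sess = GySession(ocs, "sub-0001", "sce1;1;1")
    sess.start()
    first = sess.transfer(4500)      # two re-authorisations; the third grant is final
    second = sess.transfer(1000)     # 500 octets allowed, then redirect
    sess.stop()
    return first, second, ocs.balances["sub-0001"], len(sess.transcript)
```

The point of the final-unit handling is that the enforcement point stops traffic on its own once the last grant is used up; it does not depend on a further round trip to the OCS, which is also why the slide's high-availability requirement between charging servers matters only for grants, not for the cut-off itself.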
Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
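An added Python example (an illustration, not Telenet's or Cisco's implementation) tying together the quota rules of the "Quota Measurement Flexibility" slide and the Telenet tiering described here: exempted SP-owned services, a time-of-day conversion ratio, and the drop to a reduced speed with a one-time portal redirect once 100% of the quota is consumed, with the option to extend the volume. The tariff values, the night window, the service names and the usage records are constructed.

```python
from datetime import datetime, time

# Constructed tariff (assumption of the example): conversion ratio by time of day.
PEAK_RATIO = 1             # peak hour: 1 byte of transfer = 1 byte of quota
NIGHT_RATIO = 10           # middle of the night: 10 bytes of transfer = 1 byte of quota
NIGHT_START, NIGHT_END = time(1, 0), time(6, 0)

# Services not counted against the quota (constructed names standing in for the
# slide's categories: SP content store, gaming, VoIP, partner content delivery).
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}

REDUCED_SPEED_KBPS = 56    # "dial-up speed" once the quota is exhausted


def quota_ratio(ts):
    return NIGHT_RATIO if NIGHT_START <= ts.time() < NIGHT_END else PEAK_RATIO


def quota_cost(ts, service, octets):
    """Quota consumed by one usage record (upload and download count alike)."""
    if service in EXEMPT_SERVICES:
        return 0.0
    return octets / quota_ratio(ts)


class QuotaAccount:
    def __init__(self, subscriber, monthly_quota, plan_speed_kbps):
        self.subscriber = subscriber
        self.quota = monthly_quota
        self.plan_speed_kbps = plan_speed_kbps
        self.used = 0.0
        self.exhausted = False

    def record(self, ts, service, octets):
        """Charge a usage record. Returns "REDIRECT" the first time 100% is reached
        (portal: extend, pay as you go, or continue on narrowband), "THROTTLE"
        while the account stays exhausted, otherwise None."""
        self.used += quota_cost(ts, service, octets)
        if self.used >= self.quota:
            if not self.exhausted:
                self.exhausted = True
                return "REDIRECT"
            return "THROTTLE"
        return None

    def current_speed_kbps(self):
        return REDUCED_SPEED_KBPS if self.exhausted else self.plan_speed_kbps

    def extend(self, extra_octets):
        """Subscriber buys more volume through the portal."""
        self.quota += extra_octets
        self.exhausted = self.used >= self.quota

    def percent_used(self):
        return 100.0 * self.used / self.quota


# Constructed usage records: (timestamp, service, octets).
SAMPLE_RECORDS = [
    (datetime(2009, 7, 1, 14, 0), "web", 600_000),
    (datetime(2009, 7, 2, 3, 0), "p2p", 2_000_000),       # night: counts as 200_000
    (datetime(2009, 7, 2, 15, 0), "sp_voip", 5_000_000),  # exempt service
    (datetime(2009, 7, 3, 20, 0), "video", 300_000),      # pushes the account over 100%
    (datetime(2009, 7, 3, 21, 0), "web", 10_000),
]


def run_sample(monthly_quota=1_000_000):
    acct = QuotaAccount("sub-0001", monthly_quota, plan_speed_kbps=20_000)
    actions = [acct.record(ts, svc, n) for ts, svc, n in SAMPLE_RECORDS]
    speed_before_extend = acct.current_speed_kbps()
    acct.extend(500_000)
    return actions, speed_before_extend, acct.current_speed_kbps(), acct.used
```

Two details carry over to a real deployment: exempting a service by classification means the classification itself is now revenue-relevant (a flow mis-classified as the SP's VoIP is free volume), and the redirect must fire exactly once, or the portal page becomes the throttle.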
[Screenshot: Telenet customer portal. Options shown: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
(✓ = allowed, ✗ = blocked)
Feature           Default    WnW    WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
Allowance         Unlimited  2GB    2GB      1GB       3GB      10GB
VoIP              ✓          ✗      ✗        ✗         ✗        ✓         ✗
IM                ✓          ✗      ✗        ✗         ✓        ✓         ✗
P2P               ✓          ✗      ✓        ✗         ✓        ✓         ✗
FTP               ✓          ✗      ✓        ✗         ✓        ✓         ✗
Media Stream      ✓          ✗      ✓        ✗         ✓        ✓         ✗
Web Browsing      ✓          ✓      ✓        ✓         ✓        ✓         ✓
Downloads         ✓          ✗      ✓        ✓         ✓        ✓         ✓
Emails            ✓          ✓      ✓        ✓         ✓        ✓         ✓
Handset as modem  ✓          ✗      ✓        ✗         ✓        ✓         ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota
http://www.vodafone.es/particulares/internet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven ("Turbo Button", self-care, parental control)
"Push": enhanced experience is application-driven (IPTV/VoD, gaming, messaging, music, voice), based on application awareness and a control bus
[Diagram: Broadband Access with the SCE; subscriber-driven pull services and application-driven push services connected over the control bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that content distributed does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
[Screenshot: personalization via self selection]
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists / blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Screenshot: "Content Blocked - Click here to unlock all Internet sites" page; Internet]
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
[Diagram: On-device URL filtering with external database integration: HTTP request -> SCE cache lookup; if the URL is not in the cache, a URL Query RDR is sent to the 3rd-party URL database, which returns the URL classification and updates the cache]
Policy table (subscriber package vs. HTTP list membership):
Subscriber package   DEFAULT   HTTP list ID 1   HTTP list ID 2
Block-none           ALLOW     ALLOW            ALLOW
Block-all            ALLOW     BLOCK            BLOCK
Block-and-slow       ALLOW     BLOCK            RATE 64kbps
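The cache-then-database lookup and the policy table from this slide, as an added Python example (not the SCE's Java API and not Websense or Adaptive Mobile code). The external database is stood in by a constructed dictionary keyed by hostname, the on-board cache is a bounded LRU, and the table maps subscriber package and list membership to ALLOW, BLOCK or a rate limit exactly as printed above. Host normalization is included because a lookup keyed on the raw request string would treat a differently cased host or a trailing dot as a different, unlisted site.

```python
from collections import OrderedDict
from urllib.parse import urlsplit

ALLOW, BLOCK = "ALLOW", "BLOCK"
DEFAULT_LIST = 0                     # URL found in no list

# Policy table from the slide: package -> {list id -> action}.
POLICY = {
    "Block-none":     {DEFAULT_LIST: ALLOW, 1: ALLOW, 2: ALLOW},
    "Block-all":      {DEFAULT_LIST: ALLOW, 1: BLOCK, 2: BLOCK},
    "Block-and-slow": {DEFAULT_LIST: ALLOW, 1: BLOCK, 2: ("RATE", 64)},   # kbps
}

# Constructed stand-in for the 3rd-party URL database: host -> list id.
EXTERNAL_DB = {"gambling.example": 1, "video-portal.example": 2}


def normalize_host(url):
    """Lookup key: lowercase host with any trailing dot removed. Returns None
    when the request carries no usable host (the caller decides the action)."""
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower().rstrip(".")


class UrlClassifier:
    """SCE-side view: bounded on-board cache in front of the external database."""

    def __init__(self, database, cache_size=1000):
        self.database = database
        self.cache = OrderedDict()
        self.cache_size = cache_size
        self.db_queries = 0           # how many "URL Query RDRs" left the box

    def classify(self, url):
        host = normalize_host(url)
        if host is None:
            return DEFAULT_LIST
        if host in self.cache:
            self.cache.move_to_end(host)          # LRU hit: refresh recency
            return self.cache[host]
        self.db_queries += 1                      # cache miss: ask the external DB
        list_id = self.database.get(host, DEFAULT_LIST)
        self.cache[host] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)        # evict the least recently used host
        return list_id


def enforce(package, list_id):
    """Action for a subscriber package and the list the URL belongs to."""
    return POLICY[package][list_id]


def handle_requests(package, urls, classifier):
    return [enforce(package, classifier.classify(u)) for u in urls]


# Constructed sample: the same listed host in three spellings, a second listed
# host, then an unlisted one.
SAMPLE_URLS = [
    "http://gambling.example/login",
    "http://GAMBLING.example./promo",
    "http://gambling.example:8080/x",
    "http://video-portal.example/clip?id=1",
    "http://news.example/",
]
```

Classifying at host granularity keeps the cache small and the database traffic low, at the cost of not distinguishing paths on one host; a database that classifies full URLs would need the cache key to follow suit.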
Parental Control and Content Filtering: Example
[Screenshot: content filtering "Page Blocked - Forbidden Content Detected" page]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
[Diagram: Advertiser, Publisher, Consumer, with the ISP contributing demographics, browsing habits and geo-location to "BetterAds"]
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs to participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit, ...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Best user experience - OTT content is delivered from within the network, as close as possible to the user
[Diagram: SCE in front of the OTT Video Cache; SCE redirects OTT traffic, cache delivers the requested files; other OTT, P2P and VoIP traffic passes through; increase in demand for OTT]
Service Security Challenges
Key challenges:
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: threat using stateful traffic processing, and alert SP operations
Protect: block/mitigate threat based on configured policy
Notify: quarantine subscriber and notify of security risk
[Diagram: Subscriber -> Service Control -> Internet / Email Servers; example notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"]
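As an added example of the "Identify" tier (Python; a constructed anomaly rule, not Cisco's detection logic), the following counts a subscriber's outbound SMTP connections to distinct mail servers in a sliding window and flags the pattern of an email zombie: many connections to many different servers in a short time, which a normal mail client talking to its provider's relay never produces. The flow records and thresholds are constructed; thresholds would be tuned per network, and the mitigation step only names the actions the slide lists.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "subscriber ts dst_ip dst_port octets")

SMTP_PORTS = {25}          # direct-to-MX delivery; submission (587) to the SP's own
                           # relay is deliberately left out of the rule (assumption)


def detect_spam_zombies(flows, window=timedelta(minutes=5),
                        min_connections=20, min_distinct_servers=10):
    """Return {subscriber: finding} for subscribers whose outbound SMTP activity
    inside any `window` exceeds both thresholds."""
    per_sub = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst_port in SMTP_PORTS:
            per_sub[f.subscriber].append(f)

    findings = {}
    for sub, fl in per_sub.items():
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1                             # slide the window forward
            in_window = fl[start:end + 1]
            servers = {f.dst_ip for f in in_window}
            if len(in_window) >= min_connections and len(servers) >= min_distinct_servers:
                findings[sub] = {"connections": len(in_window),
                                 "distinct_servers": len(servers),
                                 "first": fl[start].ts, "last": fl[end].ts}
                break                                  # one finding per subscriber
    return findings


def mitigation(finding):
    """Protect and Notify tiers from the slide, driven by the finding."""
    return {"protect": "block outbound SMTP except the SP relay",
            "notify": "quarantine subscriber and send infection notice "
                      f"({finding['distinct_servers']} mail servers contacted)"}


def build_sample_flows():
    """Constructed traffic: sub-0001 sends three mails through the SP relay over
    an hour; sub-0002 opens 40 SMTP connections to 40 hosts within two minutes."""
    t0 = datetime(2009, 7, 1, 10, 0)
    flows = [Flow("sub-0001", t0 + timedelta(minutes=20 * i), "198.51.100.25", 25, 4000)
             for i in range(3)]
    flows += [Flow("sub-0002", t0 + timedelta(seconds=3 * i), f"203.0.113.{i + 1}", 25, 1500)
              for i in range(40)]
    flows += [Flow("sub-0002", t0 + timedelta(seconds=50), "203.0.113.200", 80, 90000)]
    return flows


if __name__ == "__main__":
    for sub, finding in detect_spam_zombies(build_sample_flows()).items():
        print(sub, finding, mitigation(finding))
```

Requiring both a connection count and a distinct-server count is what keeps a burst of legitimate mail to one relay from tripping the rule; the window keeps a slow trickle from accumulating into a finding.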
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 <-> SCE (Carrier Ethernet/MPLS/IP) <-> Internet, with a VAS server attached to the SCE; inbound and outbound traffic; X = traffic blocked; steps 1-4]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - broadband edge/aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
[Diagram: SCE insertion point between subscriber aggregation and the network]
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: Analysis Engine with PDR (Police, Drop, Rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration:
Engine installed in the data path
Monitor and control traffic
[Diagram: Subscribers <-> optical splitters <-> Network, with the SCE attached to the splitters]
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each active link, cascaded]
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail-open
1+1
Active/Standby: SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail-open
[Diagram: active link and standby link for each scheme]
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
[Diagram: SCE8000 with optical bypass modules; default bypass state (no power) vs. non-default bypass state; port labels shown: 10, 30, 00, 20]
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 x 30Gbps SCE8000s
High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE for maintaining flow & subscriber states
[Diagram: 7600 with N+1 SCEs; flows dispatched to the SCEs and returned to the data path; Internet]
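An added Python model (not the 7600's MGSCP implementation) of the dispatch property the slide states: every flow of a subscriber, in both directions, must reach the same SCE so flow and subscriber state stay on one box, and a failed unit's load must move to the spare without remapping everyone else. The dispatcher therefore hashes on the subscriber-side address rather than the whole 5-tuple, and on failure the spare takes the failed unit's slot. Unit names, the subscriber prefix and the addresses are constructed.

```python
import hashlib
from ipaddress import ip_address, ip_network


class ClusterDispatcher:
    """N active SCEs plus one spare; the mapping is stable under a single failure."""

    def __init__(self, active_units, spare_unit, subscriber_net):
        self.slots = list(active_units)        # slot i -> unit currently serving it
        self.spare = spare_unit
        self.subscriber_net = ip_network(subscriber_net)

    def subscriber_side(self, src_ip, dst_ip):
        """Pick the subscriber address from a packet regardless of direction."""
        for ip in (src_ip, dst_ip):
            if ip_address(ip) in self.subscriber_net:
                return ip
        raise ValueError("packet has no subscriber-side address")

    def unit_for_packet(self, src_ip, dst_ip):
        return self.unit_for_subscriber(self.subscriber_side(src_ip, dst_ip))

    def unit_for_subscriber(self, subscriber_ip):
        # SHA-256 rather than Python's per-process randomized hash(): the slot
        # choice must be identical on every run and on every dispatching box.
        digest = hashlib.sha256(subscriber_ip.encode()).digest()
        slot = int.from_bytes(digest[:8], "big") % len(self.slots)
        return self.slots[slot]

    def fail_unit(self, unit):
        """The spare takes over the failed unit's slot; other slots are untouched,
        so only the failed unit's subscribers lose state."""
        if self.spare is None:
            raise RuntimeError("no spare left: a second failure needs a new unit")
        self.slots[self.slots.index(unit)] = self.spare
        self.spare = None


def mapping(dispatcher, subscribers):
    return {ip: dispatcher.unit_for_subscriber(ip) for ip in subscribers}


def demo_failover():
    """Constructed: 4 active SCEs + 1 spare, 200 subscriber addresses in 10.1.0.0/16."""
    d = ClusterDispatcher(["sce-1", "sce-2", "sce-3", "sce-4"], "sce-spare", "10.1.0.0/16")
    subs = [f"10.1.{i // 256}.{i % 256}" for i in range(200)]
    before = mapping(d, subs)
    d.fail_unit("sce-2")
    after = mapping(d, subs)
    moved = [ip for ip in subs if before[ip] != after[ip]]
    return before, after, moved


if __name__ == "__main__":
    before, after, moved = demo_failover()
    print(len(moved), "subscribers moved to", {after[ip] for ip in moved})
```

The slot substitution is the detail that makes N+1 cheaper than re-hashing across N units: a plain modulo over the surviving units would reshuffle most subscribers on every failure and throw away their flow state on the boxes that did not fail.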
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: deployment options N+1 cluster, 1+1 HA and bypass HA; SCE between GGSN / BRAS / LAC / LNS and the Internet for DSL, fiber and mobile access, with accounting and policy control attached]
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
[Diagram: example encapsulation stacks: payload/TCP/IP over L2TP and MPLS, and payload/TCP/IP over PPP]
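An added Python example (not SCE code) of what "supports tunneled IP traffic" demands of the inspection path: walking past 802.1q tags, an MPLS label stack and nested IP-in-IP headers to reach the inner IP and transport headers that classification and subscriber mapping work on. The frame is constructed inline by the builder functions; L2TP/PPP, GRE and GTP from the slide's list are not covered here.

```python
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
PROTO_IPIP, PROTO_TCP, PROTO_UDP = 4, 6, 17


# --- constructed frame builders -------------------------------------------
def ip_bytes(addr):
    return bytes(int(p) for p in addr.split("."))


def ethernet(etype):
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", etype)


def vlan_tag(vid, inner_etype):
    return struct.pack("!HH", vid & 0x0FFF, inner_etype)


def mpls_entry(label, bottom):
    return struct.pack("!I", (label << 12) | (0x100 if bottom else 0) | 64)


def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                       64, proto, 0, ip_bytes(src), ip_bytes(dst)) + payload


def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


# --- decapsulation ---------------------------------------------------------
def decapsulate(frame):
    """Return (list of encapsulation layers, offset of the innermost IPv4 header)."""
    layers = []
    etype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    while etype == ETH_VLAN:                         # one or more 802.1q tags
        tci, etype = struct.unpack_from("!HH", frame, off)
        layers.append(f"vlan:{tci & 0x0FFF}")
        off += 4
    if etype == ETH_MPLS:
        while True:                                  # label stack ends at bottom-of-stack bit
            entry = struct.unpack_from("!I", frame, off)[0]
            layers.append(f"mpls:{entry >> 12}")
            off += 4
            if entry & 0x100:
                break
        if frame[off] >> 4 != 4:                     # no ethertype after MPLS: peek the version
            raise ValueError("non-IPv4 payload under MPLS")
    elif etype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype {etype:#06x}")
    while True:                                      # IP-in-IP may nest
        ihl = (frame[off] & 0x0F) * 4
        if ihl < 20 or off + ihl > len(frame):
            raise ValueError("bad IPv4 header length")
        if frame[off + 9] != PROTO_IPIP:
            return layers, off
        layers.append("ipip")
        off += ihl


def inner_flow(frame):
    """Inner 5-tuple that classification and subscriber mapping work on."""
    layers, off = decapsulate(frame)
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    return {"layers": layers, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport}


# Constructed sample: 802.1q (VID 100) + two MPLS labels + an IPv4 tunnel carrying
# a subscriber's HTTP SYN inside IP-in-IP; plus a plain untagged UDP frame.
INNER = ipv4("10.1.0.7", "198.51.100.10", PROTO_TCP, tcp(40000, 80))
SAMPLE_FRAME = (ethernet(ETH_VLAN) + vlan_tag(100, ETH_MPLS)
                + mpls_entry(16, False) + mpls_entry(17, True)
                + ipv4("192.0.2.1", "192.0.2.2", PROTO_IPIP, INNER))
PLAIN_FRAME = ethernet(ETH_IPV4) + ipv4("10.1.0.8", "198.51.100.10", PROTO_UDP,
                                        struct.pack("!HHHH", 5060, 5060, 8, 0))
```

The security-relevant point is the one the slide's "traffic visibility" item makes elsewhere: a policy keyed on the outer tunnel endpoints would see one address pair for every subscriber in the tunnel, so a device that cannot reach the inner header cannot map traffic to a subscriber at all, let alone enforce per-subscriber policy.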
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Diagram: Subscribers <-> Service Control Engine <-> Network; surrounding components: Subscriber Manager, AAA (DHCP, RADIUS), Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager, Policy Server / Portal]
Management and Integrations
Function                      Description                                              Protocols and Tools          External Software Modules
Network Management            FCAPS                                                    SNMP, CLI, SSH               N/A
Policy/Service Configuration  Definition of policies and dissemination to SE devices   SCA-API, GUI, Scripts, XML   Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection               Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate a subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality: view/load/edit signatures, configure identification thresholds, set up mitigation actions, view reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of subscriber context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager - Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
[Diagram: B-RAS and RADIUS server in the network; Cisco Subscriber Manager with Event Manager, internal SDB and SCE device controller; SCE; subscribers]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager RADIUS Integration - Pull
[Diagram: B-RAS and RADIUS server in the network; Cisco Subscriber Manager with Event Manager, internal SDB and SCE device controller; SCE; subscribers]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
[Diagram: LEGs translate RADIUS and DHCP events into login/logout calls towards the SM]
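Slides 99 through 102 describe the same mechanism from three angles: an accounting event carries User-Name, Framed-IP-Address and a vendor-specific policy attribute, the SM turns it into a subscriber context, and the mapping reaches the SCE either by push or on demand. The added example below reproduces the Joe / 1.2.3.4 / SCE-VAS-PID=12 exchange from the slides end to end, including policy persistence across logins. It is constructed code, not the Cisco SM or its SM-API: the RADIUS packet is built inline (authenticator zeroed), the Cisco enterprise number is the real IANA value, but the sub-attribute number used for SCE-VAS-PID is a placeholder, and the SCE is a stub object.

```python
"""RADIUS Accounting-Start/Stop handling by a subscriber manager in push and
pull mode. Constructed example; not the Cisco SM, SM-API or SCE code."""
import struct

CODE_ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_ACCT_STATUS = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9          # Cisco's IANA enterprise number
VSA_SCE_VAS_PID = 250     # PLACEHOLDER sub-attribute number (assumption, not from the page)


def parse_radius(pkt):
    """Return (code, attrs); VSAs keyed (vendor, sub-type), others by type."""
    code, _ident, length = struct.unpack('!BBH', pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError('bad RADIUS length')
    attrs, off = {}, 20
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:           # reject truncated/overlong TLVs
            raise ValueError('bad attribute length')
        value = pkt[off + 2:off + alen]
        if atype == ATTR_VSA:
            vendor, vtype, vlen = struct.unpack('!IBB', value[:6])
            attrs[(vendor, vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        off += alen
    return code, attrs


def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def build_acct_request(status, user, ip, pid=None):
    """Constructed Accounting-Request (authenticator zeroed; a real NAS fills it)."""
    body = _attr(ATTR_ACCT_STATUS, struct.pack('!I', status))
    body += _attr(ATTR_USER_NAME, user.encode())
    body += _attr(ATTR_FRAMED_IP, bytes(int(o) for o in ip.split('.')))
    if pid is not None:                                # SCE-VAS-PID added by the relay
        raw = str(pid).encode()
        body += _attr(ATTR_VSA, struct.pack('!IBB', VENDOR_CISCO, VSA_SCE_VAS_PID, 2 + len(raw)) + raw)
    return struct.pack('!BBH', CODE_ACCT_REQUEST, 1, 20 + len(body)) + bytes(16) + body


class SceStub:
    """Stand-in for an SCE: holds IP -> (subscriber-id, policy-id) mappings."""
    def __init__(self, sm=None):
        self.mappings, self.sm = {}, sm

    def set_subscriber(self, sid, ip, policy):         # push mode entry point
        self.mappings[ip] = (sid, policy)

    def subscriber_for(self, ip):
        """Pull mode: an unknown address triggers 'who is using IP?' to the SM."""
        if ip not in self.mappings and self.sm is not None:
            found = self.sm.lookup_ip(ip)
            if found:
                self.mappings[ip] = found
        return self.mappings.get(ip)


class SubscriberManager:
    def __init__(self, sces, push=True):
        self.sdb = {}        # subscriber-id -> {'ips', 'policy'}; survives logout
        self.by_ip = {}      # network-id -> subscriber-id
        self.sces, self.push = sces, push

    def handle(self, pkt):
        code, attrs = parse_radius(pkt)
        if code != CODE_ACCT_REQUEST:
            return None
        status = struct.unpack('!I', attrs[ATTR_ACCT_STATUS])[0]
        sid = attrs[ATTR_USER_NAME].decode()
        ip = '.'.join(str(b) for b in attrs[ATTR_FRAMED_IP])
        if status == ACCT_START:
            raw = attrs.get((VENDOR_CISCO, VSA_SCE_VAS_PID))
            policy = int(raw) if raw else self.sdb.get(sid, {}).get('policy', 0)
            return self.login(sid, ip, policy)
        if status == ACCT_STOP:
            return self.logout(sid, ip)
        return None

    def login(self, sid, ip, policy):
        ctx = self.sdb.setdefault(sid, {'ips': set(), 'policy': 0})
        ctx['ips'].add(ip)
        ctx['policy'] = policy
        self.by_ip[ip] = sid
        if self.push:
            for sce in self.sces:
                sce.set_subscriber(sid, ip, policy)
        return ('login', sid, ip, policy)

    def logout(self, sid, ip):
        if sid in self.sdb:
            self.sdb[sid]['ips'].discard(ip)           # policy kept for the next login
        self.by_ip.pop(ip, None)
        for sce in self.sces:
            sce.mappings.pop(ip, None)
        return ('logout', sid, ip)

    def lookup_ip(self, ip):
        sid = self.by_ip.get(ip)
        return None if sid is None else (sid, self.sdb[sid]['policy'])


def demo_push():
    sce = SceStub()
    sm = SubscriberManager([sce], push=True)
    sm.handle(build_acct_request(ACCT_START, 'Joe', '1.2.3.4', pid=12))
    return sce.mappings.get('1.2.3.4')


def demo_pull():
    sm = SubscriberManager([], push=False)
    sce = SceStub(sm)
    sm.handle(build_acct_request(ACCT_START, 'Joe', '1.2.3.4', pid=12))
    return sce.subscriber_for('1.2.3.4')        # resolved on first packet seen


def demo_policy_persists():
    sce = SceStub()
    sm = SubscriberManager([sce])
    sm.handle(build_acct_request(ACCT_START, 'Joe', '1.2.3.4', pid=12))
    sm.handle(build_acct_request(ACCT_STOP, 'Joe', '1.2.3.4'))
    sm.handle(build_acct_request(ACCT_START, 'Joe', '5.6.7.8'))   # relay sends no PID
    return sce.mappings.get('5.6.7.8')
```

The parser checks every attribute length against the packet length before slicing; an accounting relay that trusts RADIUS from the access network is parsing untrusted input, and a malformed TLV must fail the packet rather than desynchronize the attribute walk. The policy-ID fallback in `handle` is what "persists subscriber policies across logins" on slide 99 amounts to: a later Accounting-Start without the VSA reuses the stored package.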
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: Policy Server - API - Subscriber Manager - API - SCE]
PCEF - Subscriber Policy Enforcement
[Diagram: GGSN; access aggregation and service control with the SCE acting as PCEF; converged packet core; Internet; video/VoIP applications and services; PCRF policy server]
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: Cisco bundled Collection Manager, or third party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
Usage data streamed from device using RDR Protocol: TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems: policy-control, mediation, home grown (customer)
[Diagram: RDR stream over TCP to a mediation/collection platform; each RDR is Header, Field 0, Field 1 ... Field n]
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager / SCMS Reporter and to a NetFlow Collector / NetFlow Reporter]
Collection Manager: Software Overview
CM-Software: Unix (Solaris, Linux) Java software; collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates)
CM-Bundle: Cisco provides collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- per package
- per service
- per direction (i.e. upstream/downstream)
[Diagram: upstream and downstream flows (browsing, P2P, VoIP) between subscriber side and network side]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
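The two ToS slides describe a marker (per package, service and direction) and a classifier in which a DSCP flavour outranks signature results. The added example below implements both on a raw IPv4 header. It is constructed code, not SCE configuration: the package/service table, the flavour names and the code points chosen are assumptions; what is not an assumption is that a header rewrite must leave the two ECN bits alone and must recompute the IPv4 header checksum.

```python
"""DSCP marking with checksum repair, and DSCP-first classification.
Constructed example; the marking table and flavour names are assumptions."""
import struct

DSCP_EF, DSCP_AF41, DSCP_AF21, DSCP_CS1, DSCP_DEFAULT = 46, 34, 18, 8, 0

# (package, service, direction) -> DSCP. Assumed table; the SCE GUI exposes
# 7 selectable values, these are common standard code points.
MARKING = {
    ('gold', 'voip', 'upstream'): DSCP_EF, ('gold', 'voip', 'downstream'): DSCP_EF,
    ('gold', 'browsing', 'downstream'): DSCP_AF21,
    ('silver', 'browsing', 'downstream'): DSCP_AF21,
    ('silver', 'p2p', 'upstream'): DSCP_CS1, ('silver', 'p2p', 'downstream'): DSCP_CS1,
}
# Flavours keyed on a DSCP that another network element already set (assumed names).
DSCP_FLAVORS = {DSCP_EF: 'voip-premarked', DSCP_AF41: 'video-premarked'}


def dscp_for(package, service, direction):
    return MARKING.get((package, service, direction), DSCP_DEFAULT)


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words; returns 0 for a valid header."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_dscp(pkt, dscp):
    """Copy of an IPv4 packet with the DSCP field rewritten. Keeps the ECN
    bits and fixes the header checksum (the next hop drops it otherwise)."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b'\x00\x00'
    hdr[10:12] = struct.pack('!H', ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def classify(pkt, signature_result):
    """A DSCP flavour match wins; otherwise the signature engine's verdict stands."""
    return DSCP_FLAVORS.get(pkt[1] >> 2, signature_result)


def sample_packet(tos=0x01):
    """Constructed 20-byte IPv4 header + 8 bytes payload; ECN bit set so the
    test can check it survives marking."""
    hdr = bytearray(struct.pack('!BBHHHBBH4s4s', 0x45, tos, 28, 0, 0, 64, 17, 0,
                                bytes([10, 1, 2, 3]), bytes([198, 51, 100, 7])))
    hdr[10:12] = struct.pack('!H', ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + bytes(8)


def demo():
    """Mark a gold/voip downstream packet, then classify it the way the
    precedence rule says: the DSCP flavour overrides the signature result."""
    pkt = rewrite_dscp(sample_packet(), dscp_for('gold', 'voip', 'downstream'))
    return pkt[1], ipv4_checksum(pkt[:20]), classify(pkt, 'browsing-by-signature')
```

The classifier also shows the trust boundary the second slide states as an assumption: DSCP-first classification is only as good as the element that set the bits, so a deployment that lets subscriber-set DSCP reach the SCE unchanged lets the subscriber pick the flavour. Remarking at the access edge, or restricting flavours to the downstream direction, is the usual mitigation.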
Summary
Cisco SCE Sample Customers
[Customer logos grouped by access type: Mobile, DSL, Cable]
Partners and customers by use case (flattened logo matrix):
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: partners Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local (China), local (Italy)
Customers shown: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Partners and customers by use case, continued (flattened logo matrix):
Flash Caching/Video: partners Oversi, CDS
Content Infringement: partners Audible Magic, Advestigo, Altnet
Management/Reporting: partners Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: partners Business Objects, Oracle
Customers shown: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
Video Reports
Which specific video applications are consuming bandwidth?
How do usage patterns vary by time of day?
Who are the top video consumers?
Focus on a specific video application
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
[Chart: all HTTP requests versus ClickStream only]
Cumulative & Average Usage Distribution
Top 1% => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing the application flows based only on a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
Time to market - zero day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Service level policy dimensions and their policy implementation impact:
Application: sessions or bandwidth
Time based: peak/off-peak hours
Congestion: selective prioritization
Subscriber: per-sub limits
Destination: on-net/peering/transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
[Diagram: a subscriber's bandwidth over time shared between peer-to-peer service, web browsing and email; mobile TV is added when the user launches video]
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies to ensure a balanced community of subscribers
[Chart: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources]
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
[Chart: no fairness - some of the subscribers not getting a fair share of the BW; fair allocation of BW with the SCE's FairShare]
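The two Fair Usage slides state three requirements: equitable real-time distribution, acting only under congestion, and weighing longer-term violations of the plan's acceptable-usage policy. The added example below is one algorithm that meets all three, weighted max-min (water-filling) allocation with a weight penalty for subscribers over their allowance. It is constructed illustration code, not Cisco's FairShare implementation; the capacity, demands, allowance and penalty factor are assumptions.

```python
"""Weighted max-min (water-filling) share of a congested link, with a weight
penalty for subscribers over their longer-term usage allowance.
Constructed example; not the SCE FairShare implementation."""


def fair_share(capacity, demands, weights=None):
    """demands: {subscriber: requested rate}. Returns {subscriber: granted rate}.
    Each round offers every unsatisfied subscriber its weighted share of what
    is left; those needing less are granted their demand and removed, and the
    capacity they did not use is redistributed in the next round. When the
    link is not congested every demand is met unchanged."""
    weights = dict(weights or {})
    active = {s: d for s, d in demands.items() if d > 0}
    grant = {s: 0.0 for s in demands}
    remaining = float(capacity)
    while active:
        total_w = sum(weights.get(s, 1.0) for s in active)
        share = {s: remaining * weights.get(s, 1.0) / total_w for s in active}
        satisfied = [s for s in active if active[s] <= share[s]]
        if not satisfied:
            grant.update(share)              # all remaining are bottlenecked: split by weight
            break
        for s in satisfied:
            grant[s] = float(active.pop(s))
            remaining -= grant[s]
    return grant


def long_term_weights(monthly_usage, allowance, penalty=0.5):
    """Subscribers over the plan's acceptable-usage allowance get a reduced
    weight, so they yield first under congestion; with no congestion the
    weight never matters (assumed penalty factor)."""
    return {s: (penalty if used > allowance else 1.0) for s, used in monthly_usage.items()}


# constructed scenario: 10 units of capacity, three subscribers
DEMANDS = {'A': 2, 'B': 8, 'C': 8}


def demo_congested():
    return fair_share(10, DEMANDS)                       # A gets 2, B and C 4 each


def demo_uncongested():
    return fair_share(100, DEMANDS)                      # demands met unchanged


def demo_penalised():
    w = long_term_weights({'A': 1, 'B': 9, 'C': 1}, allowance=5)   # B is over allowance
    return fair_share(10, DEMANDS, w)                    # B yields to C
```

The first demo is the situation on the "challenge" slide: an equal split of 10 between B and C after A's small demand is met leaves each at 4, rather than the 3.33 a naive one-round equal division would give A as well. The penalised run keeps A untouched (short-term fairness) and only shifts capacity between the two heavy users.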
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the booming of mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN - SGSN/GGSN - SCE - Internet, with a policy server; GPRS]
Tiered Services
Requirement: Flexible Billing Plans
Time, volume: bill by bandwidth usage over always-on service
Time, volume, transaction, content type: bill differently for each type of application and content
Time, volume, transaction, content type, usage pattern, quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
[Chart: billing dimensions growing from subscription and time towards volume, transaction, content type, usage pattern and quality of service]
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement: Enforcement Solution
SCE capabilities:
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy to use reporting tools
[Diagram: Service Control Engine between subscribers and network, with Quota Manager, Billing/Mediation and Policy Server]
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
Quota measurement rate can change during time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
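The quota slides (enforcement solution, measurement flexibility, and the Telenet redirect/extend flow later in the deck) describe a bucket that charges some services at full rate, some at a reduced night rate, exempts the SP's own services, and hands the next request to a portal once the limit is hit. The added example below implements that bucket. It is constructed code, not the SCE quota manager or its Gy/quota-bucket API; the service names, the night hours, the 80% notification threshold and the sample usage records are assumptions.

```python
"""Quota bucket with exempted services, a time-of-day measurement divisor
(peak: 1 byte transferred = 1 byte of quota; night: 10 bytes = 1 byte) and the
portal actions taken as the bucket fills. Constructed example; names, hours
and thresholds are assumptions."""
from dataclasses import dataclass, field

# Services whose revenue is not access revenue and are exempt from counting (assumed names)
EXEMPT_SERVICES = {'sp-content-store', 'sp-gaming', 'sp-voip', 'partner-cdn'}


def quota_divisor(hour):
    """Bytes transferred per byte of quota charged. Night hours are an assumption."""
    return 10 if 1 <= hour < 6 else 1


@dataclass
class QuotaBucket:
    limit: int                       # bytes of quota for the period
    used: int = 0
    log: list = field(default_factory=list)   # (service, bytes, charged) for the usage report

    def charge(self, service, nbytes, hour):
        """Account one usage record; returns the quota bytes actually charged."""
        charged = 0 if service in EXEMPT_SERVICES else nbytes // quota_divisor(hour)
        self.used += charged
        self.log.append((service, nbytes, charged))
        return charged

    def remaining(self):
        return max(self.limit - self.used, 0)

    def action(self):
        """Policy decision for the subscriber's next HTTP request."""
        if self.used >= self.limit:
            return 'redirect-to-portal'      # offer: extend, pay-as-you-go, or narrowband
        if self.used >= 0.8 * self.limit:
            return 'notify-80-percent'
        return 'allow'

    def extend(self, extra_bytes):
        """Subscriber bought more volume on the portal; usage so far is kept."""
        self.limit += extra_bytes
        return self.action()


# constructed usage records: (service, bytes transferred, hour of day)
SAMPLE_USAGE = [
    ('p2p', 600, 14),          # peak: counted in full
    ('sp-voip', 500, 14),      # SP's own VoIP: exempt
    ('p2p', 3000, 3),          # night: 10 bytes transferred = 1 byte of quota
    ('browsing', 250, 20),     # pushes the bucket over its limit
]


def run(limit=1000, records=SAMPLE_USAGE):
    """Replay the records; return final usage and the action after each record."""
    bucket = QuotaBucket(limit)
    actions = [(bucket.charge(s, n, h), bucket.action())[1] for s, n, h in records]
    return bucket.used, actions


def run_with_extension(limit=1000, records=SAMPLE_USAGE, extra=500):
    bucket = QuotaBucket(limit)
    for s, n, h in records:
        bucket.charge(s, n, h)
    return bucket.extend(extra), bucket.remaining()
```

Charging with an integer divisor rather than a floating-point rate keeps billing arithmetic exact and reproducible across the SCE, the collection manager and the mediation system that reconcile it; a subscriber disputing a bill should not be met with rounding drift between two systems that saw the same RDRs.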
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
[Diagram: GGSN; access aggregation and service control (SCE); converged packet core; Internet; video/VoIP applications and services; subscriber service control]
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load-balancing between Online Charging Servers
[Diagram: SCE - Gy over Diameter - Online Charging Server; SCE - Internet]
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
[Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Redirect page in case 100% of quota is reached. Three options presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | yes | no  | no  | no  | no  | yes | no
IM               | yes | no  | no  | no  | yes | yes | no
P2P              | yes | no  | yes | no  | yes | yes | no
FTP              | yes | no  | yes | no  | yes | yes | no
Media Stream     | yes | no  | yes | no  | yes | yes | no
Web Browsing     | yes | yes | yes | yes | yes | yes | yes
Downloads        | yes | no  | yes | yes | yes | yes | yes
Emails           | yes | yes | yes | yes | yes | yes | yes
Handset as modem | yes | no  | yes | no  | yes | yes | no
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
[Screenshot: Vodafone Spain consumer internet offer; > 40]
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, self-care, parental control)
"Push": enhanced experience is application-driven (IPTV/VoD, gaming, messaging, music, voice, broadband access) via application awareness and a control bus
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that content distributed does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service: Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
Quota management; Turbo (bandwidth on demand); application prioritization; reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example: Content Tiering - "Kids Broadband"
Application and content based access control with white-lists/blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content provider partnership
[Diagram: blocked content page ("Content Blocked - Click here to unlock all Internet sites") in front of the Internet]
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transactions to the external DB
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache the SCE sends a URL query RDR to the 3rd party URL database, which returns the URL classification; the cache is updated on lookup
Subscriber package versus HTTP list:
Package        | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none     | ALLOW        | ALLOW          | ALLOW
Block-all      | ALLOW        | BLOCK          | BLOCK
Block-and-slow | ALLOW        | BLOCK          | RATE 64kbps
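The slide gives the shape of the mechanism (cache in front of an external list database, then a package-by-list action table) without code. The added example below implements it as a lookup-through cache with the slide's three packages and list IDs. It is constructed illustration code, not the SCE's Java API or the Websense/Adaptive Mobile integration; the external database is a dictionary standing in for the 3rd-party service, the host names are constructed, and the failure behaviour when the database is unreachable is an assumption stated in the code.

```python
"""URL classification through an on-box cache in front of an external list
database, and the package x list-ID action table from the slide.
Constructed example; the external DB is a dict standing in for the service."""
from collections import OrderedDict
from urllib.parse import urlsplit

# package -> {list id: action}; 'DEFAULT' covers hosts that are on no list (from the slide)
POLICY = {
    'Block-none':     {'DEFAULT': 'ALLOW', 1: 'ALLOW', 2: 'ALLOW'},
    'Block-all':      {'DEFAULT': 'ALLOW', 1: 'BLOCK', 2: 'BLOCK'},
    'Block-and-slow': {'DEFAULT': 'ALLOW', 1: 'BLOCK', 2: 'RATE 64kbps'},
}

EXTERNAL_DB = {'adult.example': 1, 'warez.example': 2}   # constructed 3rd-party data


class UrlFilter:
    def __init__(self, lookup, cache_size=1000, fail_open=True):
        self.lookup = lookup            # callable host -> list id or None (the external query)
        self.cache = OrderedDict()      # LRU: host -> list id (negative results cached too)
        self.cache_size = cache_size
        self.fail_open = fail_open      # DB unreachable: ALLOW (True) or BLOCK (False); assumption
        self.external_queries = 0

    @staticmethod
    def host_of(url):
        """Normalise to the host: lower-case, port and trailing dot dropped."""
        return (urlsplit(url).hostname or '').rstrip('.')

    def classify(self, url):
        """Return the list id for the URL's host, or None; 'unavailable' on DB failure."""
        host = self.host_of(url)
        if host in self.cache:
            self.cache.move_to_end(host)
            return self.cache[host]
        self.external_queries += 1
        try:
            list_id = self.lookup(host)
        except Exception:               # do not cache a failed lookup
            return 'unavailable'
        self.cache[host] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return list_id

    def decide(self, package, url):
        list_id = self.classify(url)
        table = POLICY[package]
        if list_id == 'unavailable':
            return table['DEFAULT'] if self.fail_open else 'BLOCK'
        return table.get(list_id, table['DEFAULT'])


def demo():
    """Four requests against the constructed DB; returns (actions, external queries)."""
    f = UrlFilter(EXTERNAL_DB.get)
    actions = (
        f.decide('Block-all', 'http://adult.example/x'),
        f.decide('Block-and-slow', 'http://WAREZ.example:8080/y'),
        f.decide('Block-and-slow', 'http://adult.example/z'),      # served from cache
        f.decide('Block-none', 'http://www.example.org/'),
    )
    return actions, f.external_queries


def demo_db_down():
    def broken(_host):
        raise ConnectionError('external database unreachable')
    return (UrlFilter(broken, fail_open=True).decide('Block-all', 'http://adult.example/'),
            UrlFilter(broken, fail_open=False).decide('Block-all', 'http://adult.example/'))
```

Two choices in this code are policy decisions a deployment has to make explicitly. Caching negative results is what keeps external transactions low for the bulk of hosts that are on no list, but it also means a newly listed host stays allowed until its cache entry ages out. Fail-open keeps subscribers online when the classification service is down, at the price of the filter silently doing nothing for a parental-control package that the subscriber is paying for; the example exposes that as a constructor flag so it is a visible decision.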
Parental Control and Content Filtering: Example
Content filtering: "Page Blocked - Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs participating in the advertising value chain
[Diagram: the ISP holds demographics, browsing habits and geo-location; value chain advertiser - publisher - consumer]
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain; increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults the hash DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification: lets the request pass for a legal file; block, redirect or rate-limit for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
[Diagram: SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT/P2P and VoIP traffic passes through]
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: threat using stateful traffic processing, and alert SP operations
Protect: block/mitigate threat based on configured policy
Notify: quarantine subscriber and notify of security risk
[Diagram: Service Control between subscribers, email servers and the Internet; notification example: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"]
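The identify / protect / notify tiers are stated on the slide without showing what the anomaly side looks like. The added example below runs two simple stateful detectors (distinct outbound SMTP peers per subscriber, and half-open connection fan-out) over a constructed one-minute window of flow records, then maps each finding to a protect action and a notification, which is the decision flow the slide describes. It is constructed illustration code, not SCE detection logic; the flow tuples, the thresholds and the action names are assumptions.

```python
"""Per-subscriber anomaly detection for outbound spam and worm propagation
over constructed flow records, with the protect / notify decision a policy
would take. Constructed example, not SCE logic; thresholds are assumptions."""
from collections import defaultdict

THRESHOLDS = {'smtp_peers_per_min': 20, 'syn_fanout_per_min': 50}   # assumed

# threat -> (protect action, notify action); assumed names
POLICY = {
    'spam': ('block-outbound-smtp', 'email-notice'),
    'worm': ('quarantine-http-redirect', 'portal-notice'),
}


def sample_flows():
    """Constructed one-minute window: (subscriber_ip, dst_ip, dst_port, syn_only)."""
    flows = [('10.0.0.5', '203.0.113.%d' % i, 25, False) for i in range(1, 61)]    # 60 mail peers
    flows += [('10.0.0.9', '198.51.100.%d' % i, 445, True) for i in range(1, 121)]  # half-open fan-out
    flows += [('10.0.0.7', '203.0.113.1', 25, False)] * 5                           # normal mail
    flows += [('10.0.0.7', '198.51.100.20', 80, False)] * 40                        # browsing
    return flows


def analyse(flows):
    """Identify tier: count distinct peers, not packets, so a busy but normal
    subscriber talking to one mail server does not trip the detector."""
    smtp_peers = defaultdict(set)
    syn_targets = defaultdict(set)
    for sub, dst, port, syn_only in flows:
        if port == 25:
            smtp_peers[sub].add(dst)            # many distinct MTAs: mail zombie pattern
        if syn_only:
            syn_targets[sub].add((dst, port))   # SYNs never completed: scanning/propagation
    alerts = []
    for sub, peers in smtp_peers.items():
        if len(peers) >= THRESHOLDS['smtp_peers_per_min']:
            alerts.append({'subscriber': sub, 'threat': 'spam', 'evidence': len(peers)})
    for sub, targets in syn_targets.items():
        if len(targets) >= THRESHOLDS['syn_fanout_per_min']:
            alerts.append({'subscriber': sub, 'threat': 'worm', 'evidence': len(targets)})
    return sorted(alerts, key=lambda a: (a['subscriber'], a['threat']))


def respond(alerts):
    """Protect and notify tiers: one (subscriber, threat, protect, notify) per alert."""
    return [(a['subscriber'], a['threat']) + POLICY[a['threat']] for a in alerts]


def demo():
    return respond(analyse(sample_flows()))
```

Keying on distinct peers and on half-open connections is what separates the two infected hosts from the normal subscriber in the sample, whose 45 flows all go to two destinations. The block/quarantine actions are per subscriber and reversible from the notification page, which is why the slide pairs "protect" with "notify": a subscriber who is cut off without being told generates the support call the next slide counts as a cost.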
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server; inbound and outbound traffic; X marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all the traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environments
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions.
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions).
Packets are not routed or switched: packets arriving on a subscriber interface always go to the corresponding network interface and vice versa.
Figure: Analysis Engine applying PDR (Police / Drop / Rewrite) actions.
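The bump-on-a-wire forwarding rule and the per-subscriber rate-policing action, as an added example (not SCE code): every packet that arrives on one side is handed to the other side unchanged, unless the subscriber's token-bucket policer denies it, in which case it is dropped. Rates, burst sizes and the traffic sample are constructed; integer millisecond timestamps keep the arithmetic exact.

```python
"""Per-subscriber rate policer for a bump-on-a-wire: police / drop.

Added illustration, not SCE code.  Packets arriving on the subscriber
side are checked against that subscriber's token bucket and either
forwarded unchanged to the network side or dropped.  Rates are assumed.
"""
from dataclasses import dataclass


@dataclass
class TokenBucket:
    rate_bytes_per_sec: float   # sustained rate
    burst_bytes: float          # bucket depth
    tokens: float = None
    last_ms: int = 0

    def __post_init__(self):
        if self.tokens is None:
            self.tokens = self.burst_bytes   # start full

    def allow(self, size, now_ms):
        """Refill for the elapsed time, then spend `size` tokens if available."""
        elapsed_ms = max(0, now_ms - self.last_ms)
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed_ms * self.rate_bytes_per_sec / 1000)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


class BumpOnAWire:
    def __init__(self):
        self.buckets = {}     # subscriber IP -> TokenBucket
        self.forwarded = []   # (side_out, subscriber IP, size)
        self.dropped = 0

    def set_policy(self, sub_ip, rate_bytes_per_sec, burst_bytes):
        self.buckets[sub_ip] = TokenBucket(rate_bytes_per_sec, burst_bytes)

    def packet_in(self, side_in, sub_ip, size, now_ms):
        """Subscriber-side packets go to the network side and vice versa;
        nothing is routed.  Only policed subscribers can be dropped."""
        side_out = "network" if side_in == "subscriber" else "subscriber"
        bucket = self.buckets.get(sub_ip)
        if bucket is not None and not bucket.allow(size, now_ms):
            self.dropped += 1
            return None
        self.forwarded.append((side_out, sub_ip, size))
        return side_out


def simulate():
    """Constructed traffic: 1500-byte packets every 1 ms (12 Mbit/s) from a
    subscriber policed to 1 Mbit/s (125,000 B/s) with a 3000-byte burst."""
    wire = BumpOnAWire()
    wire.set_policy("10.0.0.5", rate_bytes_per_sec=125_000, burst_bytes=3000)
    for ms in range(100):
        wire.packet_in("subscriber", "10.0.0.5", 1500, now_ms=ms)
    # An unpoliced subscriber is always forwarded, in either direction.
    wire.packet_in("network", "10.0.0.6", 1500, now_ms=0)
    return wire
```

With a 3000-byte bucket and 125 bytes refilled per millisecond, the first two packets pass on the burst allowance and thereafter one 1500-byte packet passes every 12 ms, so 10 of the 100 policed packets are forwarded and 90 are dropped.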
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only: the SCE can classify and report but cannot police, drop or redirect
Inline configuration
Engine installed in the data path
Monitor and control traffic
Figure: subscribers, optical splitters, network.
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active / standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have an identical configuration
Figure: Master and Slave SCEs, one on each active link.
Redundant Configurations: Active / Standby Schemes
1+0
Active / standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1
Active / standby SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
Figure: active link and standby links.
"Fail open" means traffic keeps flowing while the SCE is bypassed, but without inspection or policy enforcement; in the 1+0 scheme that gap lasts until the SCE is restored.
Optical Bypass
The SCE can be inserted through optical bypass modules.
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Figure: SCE8000 with an optical bypass module on each link; the default bypass state (no power) is shown next to the non-default state.
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: "buy as you grow" approach (add an SCE as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability, addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE so that flow and subscriber state is maintained
Figure: N+1 SCEs attached to the 7600; flows out to the SCEs, return flows back into the data path, Internet.
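The dispatch rule that matters for a stateful cluster, as an added example (not the 7600 or MGSCP implementation): key the choice of SCE on the subscriber address, never on the full 5-tuple, so that both directions of every flow of a subscriber reach the same device, and let the standby inherit a failed device's slot in place so nobody else is remapped. The hash, the slot table and the subscriber pool are assumptions.

```python
"""Subscriber-affinity dispatch for an N+1 SCE cluster.

Added illustration, not the 7600/MGSCP implementation.  The dispatcher
keys on the subscriber address so both directions of a flow land on one
SCE; on failure the standby takes over the failed slot and all other
subscribers keep their SCE.  Hash function and slot table are assumed.
"""
import hashlib
import ipaddress

SUB_PREFIX = ipaddress.ip_network("10.1.0.0/16")          # constructed subscriber pool
SAMPLE_SUBS = [f"10.1.{i // 256}.{i % 256}" for i in range(1, 201)]


class Dispatcher:
    def __init__(self, active, standby):
        self.slots = list(active)      # slot index -> SCE name
        self.standby = list(standby)
        self.failed = []

    def slot_for(self, sub_ip):
        """Stable hash of the subscriber address into a slot."""
        h = hashlib.sha256(ipaddress.ip_address(sub_ip).packed).digest()
        return int.from_bytes(h[:4], "big") % len(self.slots)

    def sce_for_packet(self, src, dst, sub_side_is_src, sub_prefix=SUB_PREFIX):
        """Both directions of a flow are keyed on the subscriber address."""
        sub_ip = src if sub_side_is_src else dst
        if ipaddress.ip_address(sub_ip) not in sub_prefix:
            raise ValueError(f"{sub_ip} is not a subscriber address")
        return self.slots[self.slot_for(sub_ip)]

    def fail(self, sce):
        """N+1: the standby inherits the failed device's slot in place."""
        if sce not in self.slots:
            raise ValueError(f"{sce} not active")
        if not self.standby:
            raise RuntimeError("no standby left")
        self.slots[self.slots.index(sce)] = self.standby.pop(0)
        self.failed.append(sce)


def affinity_holds(d, sub_ip, peer_ip):
    """Upstream and downstream packets of the same flow land on one SCE."""
    up = d.sce_for_packet(sub_ip, peer_ip, True)
    down = d.sce_for_packet(peer_ip, sub_ip, False)
    return up == down


def mapping(d, subs=SAMPLE_SUBS):
    """Subscriber -> SCE table for the current cluster state."""
    return {s: d.sce_for_packet(s, "198.51.100.1", True) for s in subs}


if __name__ == "__main__":
    d = Dispatcher(["sce-1", "sce-2", "sce-3"], ["sce-4"])
    before = mapping(d)
    d.fail("sce-2")
    after = mapping(d)
    print(sum(before[s] != after[s] for s in SAMPLE_SUBS), "subscribers moved, all to sce-4")
```

Hashing the 5-tuple instead would send the upstream (subscriber as source) and downstream (subscriber as destination) halves of a flow to different SCEs and break the stateful classification the cluster exists for; the `sub_side_is_src` flag is how the dispatcher knows which address is the subscriber's.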
Network Architectures: SCE's Open and Extensible Architecture
Figure: N+1 cluster, 1+1 HA and bypass HA insertion options in front of a GGSN (mobile) and BRAS / LAC / LNS (DSL and fiber), with accounting and policy control systems, towards the Internet.
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP (planned for end of 2009)
Figure: the inspected payload / TCP / IP headers carried under L2TP, MPLS and PPP encapsulations.
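What "supporting tunneled traffic" means for a DPI engine is walking the outer headers down to the inner IP 5-tuple before classifying. The following added example (not SCE code) does that for 802.1Q / 802.1ad tags, an MPLS label stack, IP-in-IP, GRE and GTP-U; L2TP over PPP is left out. The two sample frames are built in-line, not captured.

```python
"""Walk encapsulation headers down to the inner IPv4 5-tuple.

Added illustration (not SCE code) of the decapsulation a DPI engine must
do before classifying tunneled traffic: 802.1Q / 802.1ad tags, an MPLS
label stack, IP-in-IP, GRE and GTP-U (L2TP/PPP is left out).  Sample
frames are constructed in-line; they are not captures.
"""
import struct

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
PROTO_IPIP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 4, 6, 17, 47
GTPU_PORT = 2152


def parse_frame(frame):
    """Ethernet -> optional VLAN tags -> optional MPLS stack -> IPv4."""
    path = []
    ethertype, = struct.unpack_from("!H", frame, 12)
    off = 14
    while ethertype in (ETH_VLAN, ETH_QINQ):
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        path.append(f"vlan{tci & 0x0FFF}")
        off += 4
    if ethertype == ETH_MPLS:
        while True:
            entry, = struct.unpack_from("!I", frame, off)
            path.append(f"mpls{entry >> 12}")
            off += 4
            if entry & 0x100:                    # bottom-of-stack bit
                break
        if frame[off] >> 4 != 4:                 # no ethertype after MPLS: use version nibble
            raise ValueError("non-IPv4 payload under MPLS")
    elif ethertype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype {ethertype:#x}")
    return parse_ipv4(frame, off, path)


def parse_ipv4(buf, off, path):
    ihl = (buf[off] & 0x0F) * 4
    proto = buf[off + 9]
    src = ".".join(map(str, buf[off + 12:off + 16]))
    dst = ".".join(map(str, buf[off + 16:off + 20]))
    nxt = off + ihl
    if proto == PROTO_IPIP:
        path.append(f"ipip {src}->{dst}")
        return parse_ipv4(buf, nxt, path)
    if proto == PROTO_GRE:
        flags, gre_proto = struct.unpack_from("!HH", buf, nxt)
        # Optional words: checksum/offset (C or R), key (K), sequence (S).
        nxt += 4 + 4 * bool(flags & 0xC000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        if gre_proto != ETH_IPV4:
            raise ValueError("non-IPv4 GRE payload")
        path.append(f"gre {src}->{dst}")
        return parse_ipv4(buf, nxt, path)
    if proto == PROTO_UDP:
        sport, dport = struct.unpack_from("!HH", buf, nxt)
        if dport == GTPU_PORT:
            gflags, msg_type, _length, teid = struct.unpack_from("!BBHI", buf, nxt + 8)
            hdr = 8 + (4 if gflags & 0x07 else 0)      # E, S or PN set: 4 more bytes
            if msg_type == 0xFF:                       # G-PDU carries the user's IP packet
                path.append(f"gtpu teid={teid:#x}")
                return parse_ipv4(buf, nxt + 8 + hdr, path)
        return {"proto": "udp", "src": src, "dst": dst, "sport": sport, "dport": dport, "path": path}
    if proto == PROTO_TCP:
        sport, dport = struct.unpack_from("!HH", buf, nxt)
        return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport, "path": path}
    return {"proto": proto, "src": src, "dst": dst, "path": path}


def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


def _eth(ethertype, payload):
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ethertype) + payload


INNER = _ipv4("10.7.1.2", "198.51.100.10", PROTO_TCP, struct.pack("!HH", 51234, 443) + bytes(16))
# VLAN 100 -> MPLS label 16 (bottom of stack) -> IPv4 -> GRE with key -> inner IPv4/TCP
SAMPLE_GRE_FRAME = _eth(ETH_VLAN, struct.pack("!HH", 100, ETH_MPLS)
                        + struct.pack("!I", (16 << 12) | 0x100 | 64)
                        + _ipv4("192.0.2.1", "192.0.2.2", PROTO_GRE,
                                struct.pack("!HHI", 0x2000, ETH_IPV4, 0xABCD) + INNER))
# IPv4 -> UDP/2152 -> GTP-U G-PDU (TEID 0x1234) -> inner IPv4/TCP
_GTP = struct.pack("!BBHI", 0x30, 0xFF, len(INNER), 0x1234) + INNER
SAMPLE_GTPU_FRAME = _eth(ETH_IPV4, _ipv4("10.200.0.1", "10.200.0.2", PROTO_UDP,
                                         struct.pack("!HHHH", 2152, GTPU_PORT, 8 + len(_GTP), 0) + _GTP))
```

Every header field here is attacker-controlled in the data path, which is why each step re-derives its offset from the previous header and `struct.unpack_from` is allowed to fail on a short buffer rather than indexing blindly.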
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer.
Modular solution including SCE devices, management tools and integration APIs.
Figure: subscribers, network and Service Control Engine; Subscriber Manager with AAA, DHCP and RADIUS; Collection Manager with billing and reporting tools; Engage console, policy server and service portal.
Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy / Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up / down, link status up / down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Telnet and SNMPv2 carry their credentials in cleartext; use SSH for the CLI and restrict SNMP to the management network.
Management: Network Navigator, a Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time reports
Service Security Dashboard
Integrated console to manage the service security functionality:
View, load and edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions.
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push
Figure: B-RAS, network, Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller), SCE and subscribers.
1. (RADIUS) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM API) Set Subscriber (Joe, 1.2.3.4, 12), pushed to the SCE
Subscriber Manager: RADIUS Integration, Pull
Figure: the same components as in the push case.
1. (RADIUS) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM API) Set Subscriber (Joe, 1.2.3.4, 12), returned to the SCE
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS Integration: LEG Translation in Brief
LEGs (Login Event Generators) translate network events into SM login and logout calls:
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login carries: subscriber ID, domain, mappings, lease time, policy
Logout carries: subscriber ID, mappings
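The push and pull exchanges on the previous slides and the LEG translation above, as an added example (not the Cisco SM or its LEGs): a RADIUS Accounting-Request is encoded per RFC 2866, its Request Authenticator is verified against the shared secret (so a spoofed Accounting-Start cannot remap an address to another subscriber's policy), and the Start / Stop is applied to a Network-ID to Subscriber-ID table that serves both push (login calls) and pull ("who is using IP") lookups. The vendor-ID 9 / vendor-type 250 VSA standing in for SCE-VAS-PID is an assumption, as are the secret and the sample packets.

```python
"""RADIUS Accounting-Request -> Subscriber Manager login/logout.

Added illustration, not the Cisco SM or its LEGs.  Encodes a RADIUS
Accounting-Request (RFC 2866), verifies the Request Authenticator with the
shared secret so a spoofed accounting packet cannot remap an address, and
applies Start/Stop to a Network-ID -> Subscriber-ID table.  The vendor-ID
9 / vendor-type 250 VSA standing in for SCE-VAS-PID is an assumption.
"""
import hashlib
import struct

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_ID, ACCT_STATUS = 1, 8, 26, 32, 40
START, STOP = 1, 2
VENDOR_ID, VT_PACKAGE_ID = 9, 250      # assumed VSA carrying the package (policy) ID


def _attrs_blob(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_acct_request(ident, attrs, secret):
    body = _attrs_blob(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + attributes + secret)
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def parse_acct_request(pkt, secret):
    """Return {attr: value} or raise ValueError if the authenticator fails."""
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("bad Request Authenticator (wrong secret or forged)")
    attrs, off = {}, 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("malformed attribute")
        v = pkt[off + 2:off + l]
        if t == VENDOR_SPECIFIC:
            vid, vt, vl = struct.unpack_from("!IBB", v, 0)
            if vid == VENDOR_ID and vt == VT_PACKAGE_ID:
                attrs["package_id"] = int.from_bytes(v[6:vl + 4], "big")
        elif t == USER_NAME:
            attrs["user_name"] = v.decode()
        elif t == FRAMED_IP:
            attrs["framed_ip"] = ".".join(map(str, v))
        elif t == ACCT_STATUS:
            attrs["status"] = struct.unpack("!I", v)[0]
        elif t == NAS_ID:
            attrs["nas_id"] = v.decode()
        off += l
    return attrs


def verifies(pkt, secret):
    try:
        parse_acct_request(pkt, secret)
        return True
    except ValueError:
        return False


class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID) mapping, push and pull."""
    def __init__(self):
        self.by_ip = {}
        self.pushed = []         # what the SM would push to the SCE

    def handle(self, attrs):
        ip, sub = attrs["framed_ip"], attrs["user_name"]
        if attrs["status"] == START:
            self.by_ip[ip] = (sub, attrs.get("package_id"))
            self.pushed.append(("login", sub, ip, attrs.get("package_id")))
        elif attrs["status"] == STOP and self.by_ip.get(ip, (None,))[0] == sub:
            del self.by_ip[ip]                   # only the owner's Stop releases the address
            self.pushed.append(("logout", sub, ip))

    def who_is(self, ip):
        """Pull mode: the SCE asks for the owner of an address."""
        return self.by_ip.get(ip)


def vsa(vendor_type, value):
    return struct.pack("!I", VENDOR_ID) + struct.pack("!BB", vendor_type, 2 + len(value)) + value


SECRET = b"constructed-secret"
JOE_START = build_acct_request(7, [
    (USER_NAME, b"Joe"), (FRAMED_IP, bytes([1, 2, 3, 4])), (ACCT_STATUS, struct.pack("!I", START)),
    (VENDOR_SPECIFIC, vsa(VT_PACKAGE_ID, struct.pack("!I", 12)))], SECRET)
JOE_STOP = build_acct_request(8, [
    (USER_NAME, b"Joe"), (FRAMED_IP, bytes([1, 2, 3, 4])), (ACCT_STATUS, struct.pack("!I", STOP))], SECRET)
```

A sniffer-style LEG that only observes accounting traffic cannot perform the authenticator check unless it also holds the NAS's shared secret; a listener LEG that terminates RADIUS can, and should, before it changes a mapping.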
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing and quota provisioning
NetFlow v9: allows integration for billing and quota provisioning
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID.
Figure: SCE, Subscriber Manager and Policy Server connected through the APIs.
PCEF: Subscriber Policy Enforcement
Figure: subscriber, GGSN (access aggregation and service control), converged packet core, SCE acting as PCEF, PCRF policy server, video / VoIP applications and services, Internet.
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server.
Communication with the PCRF through a standard Gx interface.
The Gx interface is still under development and will be available in a future release.
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter.
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link.
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx / Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow collector.
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database.
Configurable data granularity: interval between RDRs, sample rates.
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Figure: RDR stream over TCP to the mediation / collection platform; each RDR consists of a header followed by fields 0..n.
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCMS Collection Manager with the SCMS Reporter alongside a NetFlow Collector with a NetFlow reporter.
Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selectable DSCP values.
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
per package
per service
per direction (upstream / downstream)
Figure: browsing, P2P and VoIP flows between the subscriber side and the network side, marked on upstream and downstream flows.
ToS Classification
The SCE provides traffic classification based on the ToS bits.
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network.
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.
Because DSCP overrides signature-based classification, the element that sets it must be trusted: DSCP chosen by the subscriber should be re-marked at the access edge, otherwise a subscriber can select their own service level.
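DSCP marking and DSCP-first classification on an IPv4 header, as an added example (not SCE code). `set_dscp()` rewrites the six DSCP bits while keeping the ECN bits and recomputes the header checksum; `classify()` applies the precedence rule from the slide, a DSCP value that maps to a flavor wins over the signature result, but only when the marking is trusted; `ingress_from_subscriber()` is the edge re-marking that makes that trust safe. The DSCP-to-service table and the sample header are assumptions.

```python
"""DSCP marking and DSCP-based classification on IPv4 headers.

Added illustration, not SCE code.  set_dscp() rewrites the six DSCP bits
(keeping ECN) and fixes the header checksum; classify() shows the slide's
precedence rule: a DSCP value that maps to a flavor wins over the
signature result, so subscriber-set DSCP must be re-marked at the edge
before it is trusted.  The DSCP-to-service table is an assumption.
"""
import struct

# Assumed marking table: 7 selectable DSCP values, as on the slide.
DSCP_TABLE = {46: "voip", 34: "video", 26: "business", 18: "browsing",
              10: "email", 8: "p2p", 0: None}


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto=6, dscp=0, ecn=0):
    """Constructed 20-byte header with a valid checksum."""
    tos = (dscp << 2) | ecn
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000, 64, proto, 0,
                                bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def dscp_of(hdr):
    return hdr[1] >> 2


def set_dscp(hdr, dscp):
    """Return a copy with the new DSCP and a valid header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    out = bytearray(hdr)
    out[1] = (dscp << 2) | (out[1] & 0x03)      # keep the ECN bits
    struct.pack_into("!H", out, 10, 0)
    ihl = (out[0] & 0x0F) * 4
    struct.pack_into("!H", out, 10, ipv4_checksum(bytes(out[:ihl])))
    return bytes(out)


def checksum_ok(hdr):
    ihl = (hdr[0] & 0x0F) * 4
    return ipv4_checksum(hdr[:ihl]) == 0


def classify(hdr, signature_result, trust_dscp):
    """DSCP flavor takes precedence over the signature result, but only
    when the marking comes from a trusted network element."""
    flavor = DSCP_TABLE.get(dscp_of(hdr)) if trust_dscp else None
    return flavor or signature_result


def ingress_from_subscriber(hdr):
    """Edge re-marking: strip whatever DSCP the subscriber chose."""
    return set_dscp(hdr, 0)
```

The test scenario is the one the caveat above describes: a subscriber sends P2P traffic pre-marked EF (46); with DSCP trusted and no edge re-marking it is classified as VoIP, after re-marking the signature result stands.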
Summary
Cisco SCE Sample Customers
Figure: sample customer logos grouped by access type: Mobile, DSL, Cable.
Ecosystem partners and deployments by use case (the original is a logo grid; the column each operator belongs to is not recoverable from the extraction):
Security and content filtering: partners Aladdin, Websense, Adaptive Mobile
Policy and billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL black-listing: partners Websense, in-platform cache
Operators shown across these three use cases: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, Camp W
Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy; operators a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash caching / video: partners Oversi, CDS
Content infringement: partners Audible Magic, Advestigo, Altnet
Management / reporting and data warehousing: partners Proxy, Business Objectives, Comability, Aqsacom, Info Vista, Business Objects, Oracle
Operators shown across these four use cases: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
Web Reports
Insights into web traffic: top domains, top hosts
Insights into all popular Google hosts
Web Reports: ClickStream
The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits.
ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed.
Figure: all HTTP requests versus only the ClickStream.
Cumulative and Average Usage Distribution
Top 1% of subscribers => 15%+ of traffic
Top 10% => 60%+ of traffic
Top 20% => 80%+ of traffic
Setting a 5 GB daily quota per subscriber would impact only the top 2%.
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game:
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients, protocols and applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube movies, HD vs normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul / Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task:
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of "anti-shaping")
It is both a scalability and a feasibility challenge.
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures, one signature per application family instead of one per application (behavioral P2P).
Cost-effective: behavioral P2P may be enough for some use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application.
Time to market / zero-day response: behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures.
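The two classification styles side by side, as an added example that serves both the Signature Editor slide (multi-packet bi-directional patterns, HTTP User-Agent and X-Header matches) and the behavioral P2P slides above. It is illustration code, not the SCE signature language or engine: a signature is a client-side pattern plus an optional server-side pattern on the first payloads of a flow, while the behavioral classifier looks only at per-subscriber statistics, so it still fires when a new client version changes every byte pattern. Signatures, thresholds and the flow sample are constructed.

```python
"""Signature matching versus behavioral P2P classification.

Added illustration, not the SCE signature language or its behavioral
engine.  A signature is a set of bi-directional first-packet patterns
(including HTTP User-Agent / X-header matches); the behavioral classifier
uses per-subscriber flow statistics only, so it keeps working when a new
client version changes the byte patterns.  Signatures, thresholds and the
flow sample are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    sub_ip: str
    peer_ip: str
    peer_port: int
    proto: str                 # "tcp" | "udp"
    up: bytes = b""            # first client payload
    down: bytes = b""          # first server payload
    bytes_up: int = 0
    bytes_down: int = 0


# Assumed signatures: (name, client-side regex, server-side regex or None).
SIGNATURES = [
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol"), re.compile(rb"^\x13BitTorrent protocol")),
    ("http-legacy-client", re.compile(rb"^GET .*\r\nUser-Agent: OldDownloader/1\.", re.S), None),
    ("http-x-header", re.compile(rb"\r\nX-Constructed-App: .*\r\n"), None),
]


def signature_classify(flow):
    """Multi-packet, bi-directional: both directions must match when given."""
    for name, client_re, server_re in SIGNATURES:
        if client_re.search(flow.up) and (server_re is None or server_re.search(flow.down)):
            return name
    return None


# Assumed behavioral thresholds for one observation window.
MIN_PEERS = 15              # distinct remote hosts
MIN_HIGH_PORT_SHARE = 0.8   # share of flows to ports >= 1024
MIN_SYMMETRY = 0.3          # min(up, down) / max(up, down) per subscriber


def behavioral_p2p(flows):
    """Return the set of subscriber IPs whose traffic looks like P2P."""
    peers, high, total, up, down = (defaultdict(set), defaultdict(int),
                                    defaultdict(int), defaultdict(int), defaultdict(int))
    for f in flows:
        peers[f.sub_ip].add(f.peer_ip)
        total[f.sub_ip] += 1
        high[f.sub_ip] += f.peer_port >= 1024
        up[f.sub_ip] += f.bytes_up
        down[f.sub_ip] += f.bytes_down
    result = set()
    for s in total:
        big, small = max(up[s], down[s]), min(up[s], down[s])
        symmetry = small / big if big else 0.0
        if (len(peers[s]) >= MIN_PEERS and high[s] / total[s] >= MIN_HIGH_PORT_SHARE
                and symmetry >= MIN_SYMMETRY):
            result.add(s)
    return result


def classify_all(flows):
    """Per-flow signature result, with the behavioral family as fallback."""
    p2p_subs = behavioral_p2p(flows)
    out = []
    for f in flows:
        name = signature_classify(f)
        if name is None and f.sub_ip in p2p_subs:
            name = "p2p-behavioral"
        out.append(name or "unknown")
    return out


# Constructed window: a swarm user whose client speaks an unknown handshake,
# a web user with a signature-matching client, and one known BitTorrent flow.
SAMPLE = (
    [Flow("10.0.0.3", f"203.0.113.{i}", 40000 + i, "tcp", b"\x00NEWP2P\x01", b"\x00NEWP2P\x01",
          50_000, 48_000) for i in range(20)]
    + [Flow("10.0.0.4", "198.51.100.7", 80, "tcp",
            b"GET /x HTTP/1.1\r\nHost: a\r\nUser-Agent: OldDownloader/1.2\r\n\r\n",
            b"HTTP/1.1 200 OK\r\n", 300, 900_000)]
    + [Flow("10.0.0.5", "203.0.113.99", 51413, "tcp",
            b"\x13BitTorrent protocol", b"\x13BitTorrent protocol", 10, 10)]
)
```

The swarm user's twenty flows carry no known signature, yet the peer count, high-port share and up/down symmetry classify the subscriber as P2P without any per-client signature work; that is the "one signature per family" and "zero-day" benefit the slide claims. The single known BitTorrent flow is caught by its signature but, on its own, never by behavior.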
Peer-to-Peer Management amp Network Optimization
SCE's Flexible Control: Policy Implementation
Service level / policy dimensions and their implementation impact:
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: a subscriber's bandwidth split over time between a peer-to-peer service, web browsing, e-mail and mobile TV; when the user launches video the allocation adapts.
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources.
Short-term windows of usage also need to be taken into account.
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers.
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides the bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.
Fair Usage: SCE, Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
apply equitable distribution of network resources
improve the quality of experience that the network delivers
minimize service abuse
FairUsage works only during congestion times.
Figure: without fairness some of the subscribers do not get a fair share of the bandwidth; with the SCE's FairShare the bandwidth is allocated fairly.
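One way to make the allocation on the previous two slides concrete, as an added example (not the SCE FairUsage implementation): outside congestion every subscriber gets its demand; during congestion the link is divided by progressive filling (weighted max-min fairness), and the weights shrink for subscribers who consumed more in the recent window, which is what the plain equal split at 0:40 ignores. The weight formula, capacities and usage figures are constructed.

```python
"""Fair share under congestion, weighted by recent usage.

Added illustration, not the SCE FairUsage implementation.  Outside
congestion every subscriber gets its demand; during congestion the link
is divided by progressive filling (weighted max-min fairness) with
weights that shrink for subscribers who consumed more in the recent
window.  The weight formula and all numbers are constructed.
"""


def weights_from_recent(recent):
    """w = 1 / (1 + recent / mean): heavy recent users weigh less."""
    mean = sum(recent.values()) / len(recent)
    if mean == 0:
        return {s: 1.0 for s in recent}
    return {s: 1.0 / (1.0 + r / mean) for s, r in recent.items()}


def weighted_max_min(capacity, demands, weights):
    """Progressive filling: satisfy small demands fully, then redistribute
    what they did not use among the still-unsatisfied subscribers."""
    alloc = {s: 0.0 for s in demands}
    active, remaining = set(demands), float(capacity)
    while active and remaining > 1e-12:
        wsum = sum(weights[s] for s in active)
        share = {s: remaining * weights[s] / wsum for s in active}
        saturated = {s for s in active if share[s] >= demands[s] - alloc[s]}
        if not saturated:                      # nobody is capped: hand out the shares
            for s in active:
                alloc[s] += share[s]
            break
        for s in saturated:                    # capped at demand, leftover goes round again
            remaining -= demands[s] - alloc[s]
            alloc[s] = demands[s]
        active -= saturated
    return alloc


def allocate(capacity, demands, recent):
    """FairUsage acts only during congestion."""
    if sum(demands.values()) <= capacity:
        return dict(demands)
    return weighted_max_min(capacity, demands, weights_from_recent(recent))


def equal_split(capacity, demands):
    """The naive equal split from the slide, for comparison."""
    return {s: min(d, capacity / len(demands)) for s, d in demands.items()}


if __name__ == "__main__":
    demands, recent = {"A": 10, "B": 10}, {"A": 200, "B": 600}   # Mbit/s and recent MB
    print("equal :", equal_split(10, demands))
    print("fair  :", allocate(10, demands, recent))
```

With A having used 200 MB and B 600 MB in the window, both demanding 10 Mbit/s on a 10 Mbit/s link, A receives 6.25 and B 3.75 instead of 5 each; when A only wants 4, it gets exactly 4 and B receives the remaining 6, which a fixed proportional split would have wasted.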
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul level that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. e-mail only
Ability to provide SLA support or managed services for large enterprise users
Figure: UTRAN, SGSN / GGSN, SCE with policy server, GPRS towards the Internet.
Tiered Services
Requirement: Flexible Billing Plans
Figure: three billing models, each with its dimensions:
Subscription / time: bill by bandwidth usage over an always-on service (dimensions: volume, time)
Transaction / content type: bill differently for each type of application and content (dimensions: volume, transaction, content type)
Quality of service / usage pattern: bill differently for the same content based on quality, priority, time of day and usage pattern (dimensions: volume, transaction, content type, usage pattern, quality of service)
Allowance- or Quota-Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "pay as you go" option. After two hours the session could either be terminated or the user could purchase more usage.
Quota Measurement / Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographic data
No load added on the existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Figure: subscribers, Service Control Engine, network; quota manager, billing / mediation and policy server.
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
The quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
Figure: subscriber, GGSN (access aggregation and service control), converged packet core, SCE, video / VoIP applications and services, Internet.
The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
Figure: SCE, Gy over Diameter to the Online Charging Server, Internet.
The Gy interface is still under development and will be available in a future release.
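The credit-control loop behind a Gy integration, with both sides' messages, as an added example that also folds in the quota-measurement rules from the Quota Measurement Flexibility slide (zero-rated on-net services, 10 transferred bytes per byte of quota off-peak). It is illustration code, not the SCE's Gy implementation: messages are Python dicts carrying DCCA AVP names (CC-Request-Type 1 = INITIAL, 2 = UPDATE, 3 = TERMINATION, Granted-Service-Unit, Used-Service-Unit, Final-Unit-Indication) rather than Diameter wire encoding. Balances, the grant size, the exempt services and the traffic sample are constructed.

```python
"""Gy-style online charging loop: SCE as credit-control client, OCS server.

Added illustration, not the SCE's Gy implementation; messages are dicts
with DCCA AVP names (CC-Request-Type 1=INITIAL, 2=UPDATE, 3=TERMINATION)
rather than Diameter wire encoding.  Also applies the quota-measurement
rules: zero-rated on-net services and a 10:1 off-peak rate.  Balances,
services and traffic are constructed.
"""
INITIAL, UPDATE, TERMINATION = 1, 2, 3
ZERO_RATED = {"sp-voip", "sp-store"}          # assumed exempt services


def quota_cost(nbytes, service, hour):
    """Bytes of quota charged for nbytes of transfer."""
    if service in ZERO_RATED:
        return 0
    return nbytes if 8 <= hour < 24 else nbytes // 10   # off-peak 00:00-08:00, 10:1


class OnlineChargingServer:
    def __init__(self, balances, grant=1_000_000):
        self.balances = dict(balances)     # subscriber -> remaining quota bytes
        self.grant = grant                 # size of one granted slice
        self.log = []                      # every CCR received

    def credit_control(self, ccr):
        sub = ccr["Subscription-Id"]
        self.log.append(ccr)
        self.balances[sub] = max(0, self.balances[sub] - ccr.get("Used-Service-Unit", 0))
        cca = {"Session-Id": ccr["Session-Id"], "CC-Request-Type": ccr["CC-Request-Type"],
               "CC-Request-Number": ccr["CC-Request-Number"], "Result-Code": 2001}
        if ccr["CC-Request-Type"] == TERMINATION:
            return cca
        granted = min(self.grant, self.balances[sub])
        cca["Granted-Service-Unit"] = granted
        if granted == self.balances[sub]:      # last slice: say what to do when it runs out
            cca["Final-Unit-Indication"] = {"Final-Unit-Action": "REDIRECT",
                                            "Redirect-Server": "http://portal.example/topup"}
        return cca


class CreditControlClient:
    """The SCE side: meters traffic against the granted slice."""
    def __init__(self, ocs, sub, session_id):
        self.ocs, self.sub, self.session = ocs, sub, session_id
        self.reqno, self.granted, self.used, self.final = 0, 0, 0, None

    def _ccr(self, rtype):
        self.reqno += 1
        ccr = {"Session-Id": self.session, "Subscription-Id": self.sub,
               "CC-Request-Type": rtype, "CC-Request-Number": self.reqno,
               "Requested-Service-Unit": True}
        if self.used:
            ccr["Used-Service-Unit"] = self.used        # report what the last slice consumed
        cca = self.ocs.credit_control(ccr)
        self.used, self.granted = 0, cca.get("Granted-Service-Unit", 0)
        self.final = cca.get("Final-Unit-Indication")
        return cca

    def start(self):
        return self._ccr(INITIAL)

    def transfer(self, nbytes, service, hour):
        cost = quota_cost(nbytes, service, hour)
        if cost > self.granted - self.used and self.final is None:
            self._ccr(UPDATE)                   # slice exhausted: report usage, ask for the next
        if cost > self.granted - self.used:
            return "redirect"                   # final slice gone: apply Final-Unit-Action
        self.used += cost
        return "pass"

    def stop(self):
        return self._ccr(TERMINATION)


def run_scenario():
    """Constructed session: 2.5 MB prepaid balance, 1 MB slices."""
    ocs = OnlineChargingServer({"joe": 2_500_000}, grant=1_000_000)
    sce = CreditControlClient(ocs, "joe", "sce1;1;joe")
    sce.start()
    traffic = [(600_000, "web", 12), (300_000, "sp-voip", 12), (600_000, "web", 12),
               (2_000_000, "web", 3), (500_000, "web", 12), (600_000, "web", 12), (1_000, "web", 12)]
    results = [sce.transfer(n, svc, h) for n, svc, h in traffic]
    sce.stop()
    return results, ocs
```

Two points worth noticing in the run: the 2 MB off-peak download costs only 200 kB of quota and the zero-rated VoIP costs nothing, and once the OCS has handed out the final slice the client does not send another update when it runs out but applies the Final-Unit-Action (redirect to the top-up portal) locally, so the exchange is INITIAL, three UPDATEs and a TERMINATION that settles the last slice.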
Quota-Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter.
When a user reaches their quota, their Internet service is reduced to dial-up speed.
The user then has the option to upgrade their quota level or continue at the reduced speed until the end of the month.
15% of the customers upgrade their quota every month.
Figure: Telenet self-service portal: view previous months, current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to go from pay-as-you-go broadband to free smallband or the other way around.
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.
Quota-Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile: Quota-Based with Application Control
Plan | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | not shown
VoIP | yes | no | no | no | no | yes | no
IM | yes | no | no | no | yes | yes | no
P2P | yes | no | yes | no | yes | yes | no
FTP | yes | no | yes | no | yes | yes | no
Media Stream | yes | no | yes | no | yes | yes | no
Web Browsing | yes | yes | yes | yes | yes | yes | yes
Downloads | yes | no | yes | yes | yes | yes | yes
Emails | yes | yes | yes | yes | yes | yes | yes
Handset as modem | yes | no | yes | no | yes | yes | no
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
Figure: volume quota plans; key figure shown: > 40%
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness)
Figure: broadband access and control bus serving IPTV / VoD, gaming, messaging, music and voice.
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks, or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Figure: personalization via self-selection.
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self-Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example: Content Tiering, "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to a portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Figure: "Content Blocked. Click here to unlock all Internet sites" page, Internet.
URL Filtering with External DB
Enhances SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
Figure: on-device URL filtering with external database integration. URL not in cache -> URL query RDR to the 3rd-party URL database -> return URL classification -> cache lookup / update.
Policy matrix (subscriber package x HTTP list):
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
The cache key has to be a canonical form of the URL; otherwise a trivially different spelling of a listed host is a cache miss at best and a bypass at worst.
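The cache-in-front-of-an-external-database flow and the policy matrix above, as an added example (not the SCE or the Websense / Adaptive Mobile integration): the cache is keyed on a canonicalized host (lower case, default port and trailing dot removed) so spelling variants of a listed site resolve to one entry, entries carry a TTL so category changes in the external database propagate, and the package x list-ID matrix from the slide picks the action. The stub database, the list IDs, the TTL and the clock are constructed.

```python
"""URL classification with an on-device cache in front of an external DB.

Added illustration, not the SCE / Websense integration.  The cache is
keyed on a canonicalized host so spelling variants cannot dodge a
category decision, entries expire after a TTL, and the package x list-ID
matrix from the slide selects the action.  Database contents, list IDs,
TTL and the controllable clock are constructed.
"""
import time
from urllib.parse import urlsplit, unquote

# Assumed external database: host -> list ID (None = not listed, i.e. DEFAULT).
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2}

# Policy matrix from the slide: package -> {list ID: action}.
POLICY = {
    "Block-none":     {None: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {None: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {None: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


def canonical_host(url):
    """Lower-case host without userinfo, default port or trailing dot."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return unquote(parts.hostname or "").lower().rstrip(".")


class UrlClassifier:
    def __init__(self, lookup, ttl_seconds=300, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl_seconds, clock
        self.cache = {}                 # host -> (list_id, expires_at)
        self.db_queries = 0             # how many "URL query RDRs" went out

    def list_id(self, url):
        host = canonical_host(url)
        entry = self.cache.get(host)
        now = self.clock()
        if entry is None or entry[1] <= now:       # miss or expired: ask the external DB
            self.db_queries += 1
            entry = (self.lookup(host), now + self.ttl)
            self.cache[host] = entry
        return entry[0]

    def decide(self, package, url):
        return POLICY[package][self.list_id(url)]


def demo():
    """Constructed run with a controllable clock; returns (decisions, DB queries)."""
    t = [0.0]
    c = UrlClassifier(EXTERNAL_DB.get, ttl_seconds=60, clock=lambda: t[0])
    d1 = c.decide("Block-and-slow", "http://ADULT.example:80/x")
    d2 = c.decide("Block-and-slow", "http://adult.example./y?q=1")    # same host: cache hit
    d3 = c.decide("Block-and-slow", "https://gambling.example/")
    d4 = c.decide("Block-none", "https://gambling.example/")          # cache hit, other package
    d5 = c.decide("Block-all", "news.example/")                       # unlisted: DEFAULT
    t[0] = 61.0                                                       # past the TTL
    d6 = c.decide("Block-all", "http://adult.example/")               # expired: re-query
    return [d1, d2, d3, d4, d5, d6], c.db_queries
```

Six decisions cost four external lookups: the upper-case and trailing-dot spellings of the adult host share one cache entry, the second package reuses the gambling entry, and the last lookup is the TTL expiry forcing a refresh. Note that the classification is by host; if the external database classifies by full path the canonical form (and the cache key) must include it.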
Parental Control and Content Filtering: Example
Figure: content filtering, "Page Blocked: Forbidden Content Detected".
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
Slide 72
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participating in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms
Slide 73
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring (figure):
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
Slide 74
P2P Identification: Infringing / Non-Infringing
(Figure: subscriber network - SCE - hash DB)
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Slide 75
Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
(Figure: the SCE separates OTT traffic from other OTT/P2P and VoIP traffic and redirects it to the OTT video cache, which delivers the requested files; demand for OTT increases)
- Best user experience - OTT content is delivered from within the network, as close as possible to the user
Slide 76
Service Security Challenges
Key challenges
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Slide 77
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block / mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Figure: Service Control between the subscribers, the email servers and the Internet. Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
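The Identify / Protect / Notify tiers above applied to the "email zombie" case, as an added example (not Cisco's code): a sliding-window anomaly detector keyed on how many distinct outbound SMTP servers a subscriber contacts. The window, thresholds, action names and flow records are constructed for illustration.

```python
"""Added example (not Cisco's code): an Identify / Protect / Notify anomaly
detector for the "email zombie" case of the slide, keyed on how many distinct
outbound SMTP servers a subscriber contacts within a short window. Window,
thresholds, action names and the flow records are constructed for illustration."""
from collections import defaultdict, deque


class SmtpZombieDetector:
    WINDOW = 60     # seconds of outbound SMTP history kept per subscriber
    ALERT_AT = 5    # distinct SMTP servers in the window -> Identify (alert SP ops)
    BLOCK_AT = 20   # distinct SMTP servers in the window -> Protect + Notify

    def __init__(self):
        self.history = defaultdict(deque)   # subscriber -> deque of (ts, dst_ip)
        self.state = {}                     # subscriber -> "alerted" | "quarantined"
        self.events = []                    # (subscriber, action) for SP operations

    def observe(self, ts, sub, dst_port, dst_ip):
        """Per-flow verdict: 'allow', 'drop' or 'redirect-portal'."""
        if self.state.get(sub) == "quarantined":
            # Protect/Notify: SMTP is dropped, web requests go to the notification
            # page ("your PC may have become infected..."), the rest passes.
            if dst_port == 25:
                return "drop"
            return "redirect-portal" if dst_port == 80 else "allow"
        if dst_port != 25:
            return "allow"
        q = self.history[sub]
        q.append((ts, dst_ip))
        while q and ts - q[0][0] > self.WINDOW:     # slide the window forward
            q.popleft()
        distinct = len({ip for _, ip in q})
        if distinct >= self.BLOCK_AT:
            self.state[sub] = "quarantined"
            self.events.append((sub, "quarantine+notify"))
            return "drop"
        if distinct >= self.ALERT_AT:
            if self.state.get(sub) != "alerted":
                self.state[sub] = "alerted"
                self.events.append((sub, "alert-ops"))
        elif self.state.get(sub) == "alerted":
            self.state.pop(sub)                      # fan-out subsided, clear the alert
        return "allow"


def constructed_flows():
    """(timestamp_s, subscriber, dst_port, dst_ip) records made up for this example."""
    flows = []
    for t in range(0, 120, 20):                       # normal client, one mail server
        flows.append((t, "sub-A", 25, "198.51.100.10"))
    for i in range(25):                               # zombie fanning out to 25 servers
        flows.append((30 + i, "sub-B", 25, "203.0.113.%d" % (i + 1)))
    flows.append((60, "sub-B", 80, "192.0.2.7"))      # later web request -> portal
    flows.sort(key=lambda f: f[0])
    return flows


def run(flows):
    """Feeds the flows through one detector; returns it and the per-flow verdicts."""
    det = SmtpZombieDetector()
    verdicts = [(sub, det.observe(ts, sub, port, ip)) for ts, sub, port, ip in flows]
    return det, verdicts
```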
Slide 78
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Slide 79
Virus and Malware Protection: Remove Malware Destined to Users
(Figure: User 1 - SCE - Carrier Ethernet / MPLS / IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Slide 80
Network Insertion and Configuration
Slide 81
Network Insertion Point
- Typical insertion point - Broadband Edge / Aggregation
  - Directly after the subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
- Traffic visibility (the engine must see all the traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment
Slide 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via a dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice-versa
(Figure: analysis engine applying PDR - Police / Drop / Rewrite - actions)
Slide 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
- Using optical splitters / port-span
- Traffic monitoring only
Inline configuration
- Engine installed in the data-path
- Monitor and control traffic
(Figure: subscribers - optical splitters - network)
Slide 84
High Availability Cascading Configurations
- Addressing split-flows between the two links
- Providing 1+1 Active-Standby failover
- Slave forwards all traffic to the Master for processing
- Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
(Figure: Master and Slave SCEs, one on each active link)
Slide 85
Redundant Configurations: Active/Standby Schemes
1+0
- Active/Standby: SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: fail opened
1+1
- Active/Standby: SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail opened
(Figure: active and standby links)
Slide 86
Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
(Figure: SCE8000 with optical bypass modules, showing the default bypass state (no power) and the non-default bypass state)
Slide 87
MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
- High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber states
(Figure: N+1 SCEs attached to the 7600 towards the Internet; flows out, flows return)
Slide 88
Network Architectures: SCE's Open & Extensible Architecture
(Figure: SCE deployment options - N+1 cluster, 1+1 HA, bypass HA - between the access side (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN) and the Internet, with accounting / policy control)
Slide 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
(Figure: packet inspection reaches the IP / TCP / payload inside l2tp, mpls and ppp encapsulations)
Slide 90
Management and Integration
Slide 91
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
(Figure: Service Control Engine between the subscribers and the network; Subscriber Manager integrated with AAA, DHCP and Radius / Billing; Collection Manager with reporting tool; Engage console, service portal and policy server / portal)
Slide 92
Management and Integrations
Area                          Description                                             Protocols and Tools         External Software Modules
Network Management            FCAPS                                                   SNMP, CLI, SSH              NA
Policy/Service Configuration  Definition of policies and dissemination to SE devices  SCA-API, GUI, Scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts               SM API, RADIUS              Subscriber Manager
Data Collection               Collection of usage data for reporting and billing      NetFlow v9, RDR-Protocol    Collection Manager
Slide 93
Network Management (FCAPS)
SNMP (v2)
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
- Telnet / SSH
- Cisco look and feel
- CLI configuration wizard
Slide 94
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites
  - SCE, CM, SM, database
- Batch management of devices / sites
  - Apply configuration
  - Update signatures
  - Update software
- Common management operations
  - View device status
  - Retrieve log
  - Activate / bypass
Slide 95
Signature Editor
- Customer defined signatures
- GUI based
- Rich signature language
  - Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Slide 96
Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
(Figure: real-time report; interactive - click on a top subscriber to activate the subscriber)
Slide 97
Service Security Dashboard
- Integrated console to manage the service security functionality
  - View / load / edit signatures
  - Configure identification thresholds
  - Set up mitigation actions
  - View reports
Slide 98
Subscriber Management
- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber-contexts
  - Subscriber-ID: ID of the subscriber-context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber-Quotas: set / add / read usage quota buckets
- Integration into back-office / AAA
  - RADIUS AAA
  - DHCP servers
  - Policy control systems
Slide 99
Subscriber Manager - Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100
Subscriber Manager Radius Integration - Push
(Figure: B-RAS on the network side; Cisco Subscriber Manager with RADIUS listener, event manager, internal SDB and SCE device controller; SCE facing the subscribers)
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) The ACCT Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE
Slide 101
Subscriber Manager Radius Integration - Pull
(Figure: same components as in the push case)
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) The ACCT Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12; the SM stores the mapping in its internal SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
Slide 102
Radius Integration: LEGs Translation in Brief
(Figure: the LEGs feed login / logout operations into the SM)
Sources
- RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
- DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation into SM operations
- Login: Subscriber ID, domain, mappings, lease time, policy
- Logout: Subscriber ID, mappings
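The push and pull sequences of the two preceding slides and the LEG translation above, as one added example (not Cisco's code): a toy RADIUS listener LEG translating accounting packets into SM login / logout, an SM that persists policy across logins, and the SCE-side lookup for both modes. The attribute names are the slides' own; the classes, the domain-to-SCE mapping, DEFAULT_PACKAGE and the sample packets are constructed for illustration.

```python
"""Added example (not Cisco's code): a toy RADIUS accounting LEG feeding a
Subscriber Manager that works in both the push and the pull mode of the slides
above. Attribute names are the ones on the slides; the classes, the domain ->
SCE mapping and the sample packets are constructed for illustration."""

PACKAGE_VSA = "SCE-VAS-PID"   # vendor-specific attribute carrying the package ID
DEFAULT_PACKAGE = 1           # assumed policy for subscribers with no stored policy


class SceDevice:
    """Stand-in for an SCE: the IP -> (subscriber ID, package) table it enforces with."""

    def __init__(self, name):
        self.name = name
        self.table = {}

    def set_subscriber(self, sub_id, ip, package):   # SM-API "Set Subscriber"
        self.table[ip] = (sub_id, package)

    def remove_subscriber(self, ip):
        self.table.pop(ip, None)


class SubscriberManager:
    """Internal SDB plus the push/pull behaviour; persists policy across logins."""

    def __init__(self, domain_to_sce, mode="push"):
        self.domain_to_sce = domain_to_sce   # assumed: subscriber domain -> SceDevice
        self.mode = mode                     # "push" or "pull"
        self.sdb = {}        # sub_id -> {"ip", "package", "domain"} for logged-in subs
        self.by_ip = {}      # reverse index used to answer "who is using IP x?"
        self.policies = {}   # sub_id -> package, kept after logout

    def _sce(self, domain):
        return self.domain_to_sce.get(domain) or self.domain_to_sce["default"]

    def login(self, sub_id, domain, ip, package=None):
        if package is None:                      # no VSA: reuse the persisted policy
            package = self.policies.get(sub_id, DEFAULT_PACKAGE)
        self.policies[sub_id] = package
        old = self.sdb.get(sub_id)
        if old and old["ip"] != ip:              # re-login from a new address: drop stale mapping
            self.by_ip.pop(old["ip"], None)
            self._sce(old["domain"]).remove_subscriber(old["ip"])
        self.sdb[sub_id] = {"ip": ip, "package": package, "domain": domain}
        self.by_ip[ip] = sub_id
        if self.mode == "push":                  # push: send the login straight to the SCE
            self._sce(domain).set_subscriber(sub_id, ip, package)

    def logout(self, sub_id):
        entry = self.sdb.pop(sub_id, None)
        if entry:
            self.by_ip.pop(entry["ip"], None)
            self._sce(entry["domain"]).remove_subscriber(entry["ip"])

    def who_is(self, ip):
        """Pull-mode query from the SCE; returns (sub_id, package) or None."""
        sub_id = self.by_ip.get(ip)
        if sub_id is None:
            return None
        return (sub_id, self.sdb[sub_id]["package"])


class RadiusListenerLeg:
    """Translates RADIUS Accounting-Request attributes into SM login/logout calls."""

    def __init__(self, sm):
        self.sm = sm

    def handle(self, attrs):
        ip = attrs.get("Framed-IP-Address")
        if ip is None:                 # nothing to map without an address
            return
        status = attrs.get("Acct-Status-Type")
        if status == "Start":
            vsa = attrs.get(PACKAGE_VSA)
            self.sm.login(attrs["User-Name"], attrs.get("NAS-Identifier", "default"),
                          ip, int(vsa) if vsa is not None else None)
        elif status == "Stop":
            self.sm.logout(attrs["User-Name"])


def classify_traffic(sce, sm, src_ip):
    """SCE data path: local table first; in pull mode ask the SM on a miss."""
    if src_ip in sce.table:
        return sce.table[src_ip]
    if sm.mode == "pull":
        hit = sm.who_is(src_ip)
        if hit:
            sce.set_subscriber(hit[0], src_ip, hit[1])   # SM replies with Set Subscriber
            return hit
    return ("anonymous", DEFAULT_PACKAGE)      # unknown address: default package


# Constructed packets (attribute values from the slides; "bras-1" is assumed).
ACCT_START = {"Acct-Status-Type": "Start", "User-Name": "Joe", "NAS-Identifier": "bras-1",
              "Framed-IP-Address": "1.2.3.4", PACKAGE_VSA: "12"}
ACCT_STOP = {"Acct-Status-Type": "Stop", "User-Name": "Joe", "Framed-IP-Address": "1.2.3.4"}
```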
Slide 103
Policy Server Integration: API Overview
- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API - allows direct subscriber management with the SCE (provided in Java)
  - SM API - allows dynamic subscriber management (provided in C, Java)
  - SCE MIB - allows integration for maintenance operations
  - RDRs - allow integration for billing / quota provisioning issues
  - NetFlow v9 - allows integration for billing / quota provisioning cases
Slide 104
Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Figure: SCE - API - Subscriber Manager - API - Policy Server)
Slide 105
PCEF - Subscriber Policy Enforcement
(Figure: subscriber service control via the GGSN, access aggregation and service control, converged packet core, Internet; video / VoIP applications and services; the SCE acting as PCEF)
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release.
Slide 106
Gx Interface And Radius VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
- Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.
Slide 107
Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
  - NetFlow v9 records are sent to an external NetFlow collector
  - RDRs are sent to the "Collection Manager" for processing
    - Cisco bundled Collection Manager
    - Third party database
- Configurable data granularity
  - Interval between RDRs
  - Sample rates
Slide 108
Collection Manager: RDR Protocol
- Usage data streamed from the device using the RDR Protocol
  - TCP, binary encoded
  - Support for multiple destinations, failover, subscriptions
- RDR-Protocol integrated directly into 3rd party systems
  - Policy-control, mediation, home grown (customer)
(Figure: RDR stream over TCP from the SCE to a mediation / collection platform; each RDR consists of a header followed by field 0, field 1, ..., field n)
Slide 109
Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
  - Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  - SCE supports the new extensions
- Records equivalent to the existing RDR groups
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Figure: the SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter))
Slide 110
Collection Manager: Software Overview
CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111
ToS Marking
- ToS marking decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application is classified, the SCE ToS marking capability provides the ability to mark traffic
  - Per package
  - Per service
  - Per direction (aka upstream / downstream)
(Figure: browsing, P2P and VoIP flows between the subscriber side and the network side, upstream and downstream)
Slide 112
ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS based classification assumes that DSCP or IP-Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Slide 113
Summary
Slide 114
Cisco SCE Sample Customers
(Figure: customer logos grouped by Mobile, DSL and Cable)
Slide 115
Use cases: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners and customers listed:
- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, in-platform cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
- Phorm, Feeva, Adzilla, local China, local Italy
- UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Slide 116
Use cases: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Partners and customers listed:
- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet
Slide 34
Web Reports: ClickStream
- The ability to classify HTTP requests as belonging to a user's ClickStream allows effective extraction of information about a user's browsing habits
- ClickStream events constitute only 1-5% of the total amount of HTTP requests, which allows an immense reduction in the amount of data to be analyzed
(Figure: web report showing only ClickStream requests)
Slide 35
Cumulative & Average Usage Distribution
- Top 1% => 15%+ of traffic
- Top 10% => 60%+ of traffic
- Top 20% => 80%+ of traffic
- Setting a 5G daily quota per subscriber will impact the top 2% only
Slide 36
Service Control Engine Protocol Support: Protocol Pack Updates
- Cisco's SCE keeps customers on top of the game
- Updated protocol packs issued once every 2.5 months
- Enhancements for existing clients / protocols / applications
- New protocol or application signatures
- Extensible protocol signature development toolkit to roll your own
- Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [planned for Jul / Aug 09]: Ares 2.1.1; Cisco IPSec; YouTube Shows (RTMP based); flavors for popular video services; Google Phone; gaming applications; Facebook IM
Slide 37
Behavioral Signatures
- Finding new signatures becomes a difficult task
  - Signatures are more complex (encryption)
  - Protocol signatures are evolving all the time (new application versions)
  - Many geography specific applications
  - In some cases almost impossible (new trend of 'anti-shaping')
- It's both a scalability and a feasibility challenge
Slide 38
Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing the application flows based only on a few signatures; one signature per application family instead of one signature per application (Behavioral P2P)
- Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application
- Time to market - zero day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures
Slide 39
Peer-to-Peer Management & Network Optimization
Slide 40
SCE's Flexible Control: Policy Implementation
Service level / policy dimensions (figure):
- Application: sessions or bandwidth
- Time based: peak / off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net / peering / transit
Policy implementation impact
Slide 41
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Figure: a subscriber's bandwidth split between peer-to-peer service, web browsing and email, before and after the user launches video (mobile TV))
Slide 42
Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real-time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies, to ensure a balanced community of subscribers
(Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides the bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.)
Slide 43
Fair Usage: SCE - Intelligent Traffic Management
- FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
- Enabling SPs to:
  - Apply equitable distribution of network resources
  - Improve the quality of experience that the network delivers
  - Minimize service abuse
- FairUsage works only during congestion times
(Figure: no fairness - some of the subscribers not getting a fair share of the BW - versus fair allocation of BW with the SCE's FairShare)
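The fair-share idea of this slide and the previous one, as an added example (not Cisco's code): a weighted max-min (water-filling) allocation of a congested link in which each subscriber's weight is discounted by its usage in the recent short-term window, so the equal split that shortchanges Sub A is replaced by one that gives light users their demand first. The capacity, demands, WINDOW_MB and the weight formula are constructed for illustration; the block also generalises to any number of subscribers and plan weights.

```python
"""Added example (not Cisco's code): weighted max-min fair allocation of a
congested link, where each subscriber's weight is scaled down by its usage in
the recent short-term window, in the spirit of the FairUsage scheme above.
Capacity, demands, window size and the weight formula are constructed."""

WINDOW_MB = 1000.0   # assumed short-term usage window: usage equal to this halves the weight


def effective_weight(sub):
    """Plan weight discounted by recent usage: heavy recent users yield first."""
    return sub["plan_weight"] / (1.0 + sub["recent_mb"] / WINDOW_MB)


def fair_share(capacity_bps, subscribers):
    """subscribers: {id: {"demand_bps", "plan_weight", "recent_mb"}} -> {id: bps}.
    Weighted water-filling: nobody gets more than it demands, and capacity left
    over by satisfied subscribers is redistributed to the rest by weight."""
    demands = {i: float(s["demand_bps"]) for i, s in subscribers.items()}
    if sum(demands.values()) <= capacity_bps:
        return demands                      # no congestion: FairUsage stays idle
    weights = {i: effective_weight(s) for i, s in subscribers.items()}
    alloc = {i: 0.0 for i in subscribers}
    active = set(subscribers)
    cap_left = float(capacity_bps)
    while active:
        wsum = sum(weights[i] for i in active)
        shares = {i: cap_left * weights[i] / wsum for i in active}
        satisfied = [i for i in active if demands[i] <= shares[i]]
        if not satisfied:                   # everyone left is bottlenecked: final split
            alloc.update(shares)
            break
        for i in satisfied:                 # give them their demand, recycle the rest
            alloc[i] = demands[i]
            cap_left -= demands[i]
            active.remove(i)
    return alloc


def equal_split(capacity_bps, subscribers):
    """The naive "divide equally at 0:40" split from the slide, for comparison."""
    return {i: float(capacity_bps) / len(subscribers) for i in subscribers}


# Constructed congestion scenario: a 10 Mbps link shared by three subscribers.
SAMPLE = {
    "A": {"demand_bps": 6_000_000, "plan_weight": 1.0, "recent_mb": 0},     # light user
    "B": {"demand_bps": 8_000_000, "plan_weight": 1.0, "recent_mb": 2000},  # heavy last window
    "C": {"demand_bps": 1_000_000, "plan_weight": 1.0, "recent_mb": 0},
}
```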
Slide 44
RAN Optimization And Backhaul Optimization
- Addressing the inherent congestion at the RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
(Figure: UTRAN - SGSN / GGSN - SCE - Internet, with a policy server; GPRS)
Slide 45
Tiered Services
Slide 46
Requirement: Flexible Billing Plans
(Figure: three stages of billing dimensions)
- Volume, Time: bill by bandwidth usage over an always-on service
- Time, Volume, Transaction, Content Type: bill differently for each type of application and content
- Volume, Transaction, Content Type, Usage Pattern, Quality of Service, Subscription: bill differently for the same content based on quality, priority, time of day and usage pattern
Slide 47
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance based subscription
- This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service
- This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.
Slide 48
Quota Measurement / Enforcement Solution
SCE capabilities
- Stateful classification of the end-application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy to use reporting tools
(Figure: Service Control Engine between the subscribers and the network, integrated with quota manager, billing / mediation and policy server)
Slide 49
Quota Measurement Flexibility
- Content that has revenues other than access revenues can be exempted from quota counting:
  - SP's content delivery store
    - P2P technology can also be supported in the upload direction via DPI
  - SP's gaming services
  - SP's VoIP service
  - Partnership content delivery services
- The quota measurement rate can change during the time of day:
  - Peak hour: 1 byte of transfer = 1 byte of quota
  - Middle of the night: 10 bytes of transfer = 1 byte of quota
Slide 50
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to an Online Charging Server
(Figure: subscriber service control - SCE - GGSN - converged packet core - Internet; video / VoIP applications and services)
The Gy interface is still under development and will be available in a future release.
Slide 51
Gy Interface For Online Charging
- Comprehensive implementation of Gy over Diameter
  - The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types
  - Volume
  - Time
  - Event driven
- High availability and load-balancing between Online Charging Servers
(Figure: SCE - Gy over Diameter - Online Charging Server; SCE - Internet)
The Gy interface is still under development and will be available in a future release.
Slide 52
Quota Based Tiering: Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at the reduced speed till the end of the month
- 15% of the customers upgrade their quota every month
Slide 53
(Figure: Telenet self-care portal - view previous months; current product and speed; extend the monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband, or the other way around)
Slide 54
Redirect Page
Re-direct page in case 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription - buy more
- Pay as you go on broadband
- Continue for free on narrowband
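The measurement rules of the Quota Measurement Flexibility slide (exempted SP services, time-of-day quota rate) together with the Telenet-style behaviour at 100% (reduced speed plus the redirect page with its three options), as one added example (not Cisco's or Telenet's code). The service names, the night hours, NARROWBAND_BPS and the sample flows are constructed for illustration.

```python
"""Added example (not Cisco's code): a monthly quota bucket implementing the
measurement rules above (exempted SP services, time-of-day quota rate) and the
Telenet-style behaviour at 100%: narrowband speed plus a portal redirect with
the three options. Service names, the night hours and NARROWBAND_BPS are
constructed for illustration."""
from datetime import datetime

MB = 1_000_000
# Content with revenue other than access revenue is not counted against the quota.
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}
NARROWBAND_BPS = 56_000   # assumed "dial-up speed" applied once the quota is gone


def quota_rate(ts):
    """Bytes of transfer per byte of quota: 10:1 in the middle of the night
    (assumed 00:00-06:00), 1:1 otherwise, as on the measurement slide."""
    return 10 if ts.hour < 6 else 1


class QuotaBucket:
    def __init__(self, quota_bytes):
        self.base_quota = quota_bytes
        self.new_month()

    def new_month(self):
        """Monthly reset: quota back to the plan value, counters and choice cleared."""
        self.quota = self.base_quota
        self.used = 0        # quota bytes consumed
        self.raw = 0         # raw bytes transferred (for reporting)
        self.choice = None   # option picked on the redirect page, if any

    def account(self, ts, service, nbytes):
        """Charge one flow's bytes; returns the quota bytes actually consumed."""
        self.raw += nbytes
        if service in EXEMPT_SERVICES:
            return 0
        charged = nbytes // quota_rate(ts)
        self.used += charged
        return charged

    def exhausted(self):
        return self.used >= self.quota

    def enforce(self, flow_kind):
        """Per-flow verdict: 'allow', 'redirect-portal' or ('rate', bps)."""
        if not self.exhausted() or self.choice == "payg":
            return "allow"                       # pay-as-you-go: full speed, billed per MB
        if self.choice is None and flow_kind == "http":
            return "redirect-portal"             # show the three options
        return ("rate", NARROWBAND_BPS)          # narrowband until a choice (or month end)

    def portal_choice(self, choice, extra_bytes=0):
        """The subscriber's answer on the redirect page."""
        if choice == "extend":
            self.quota += extra_bytes            # buy more; redirected again when used up
        elif choice in ("payg", "narrowband"):
            self.choice = choice
        else:
            raise ValueError("unknown option: %s" % choice)
```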
Slide 55
Quota Based Services - Results
- 15% of the subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
  - Revenue increase
- 40% REDUCTION in service support calls relating to this service
  - Increased customer service satisfaction
Slide 56
T-Mobile - Quota-Based With Application Control
Plan              Default    WnW    WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
Allowance         Unlimited  2GB    2GB      1GB       3GB      10GB
VoIP              √          ×      ×        ×         ×        √         ×
IM                √          ×      ×        ×         √        √         ×
P2P               √          ×      √        ×         √        √         ×
FTP               √          ×      √        ×         √        √         ×
Media Stream      √          ×      √        ×         √        √         ×
Web Browsing      √          √      √        √         √        √         √
Downloads         √          ×      √        √         √        √         √
Emails            √          √      √        √         √        √         √
Handset as modem  √          ×      √        ×         √        √         ×
Slide 57
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP capable phones can use Skype
Slide 58
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
(Figure: Vodafone Spain mobile Internet plans; "> 40")
Slide 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Turbo Button
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
Example: Content Tiering - "Kids Broadband"
Application and content based access control with white-lists/blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Portal page shown to the subscriber: "Content Blocked" / "Click here to unlock all Internet sites"
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transactions to external DB
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On Device URL Filtering with External Database Integration (flow): URL not in cache -> URL Query RDR to 3rd party URL database -> return URL classification -> cache-lookup update

Subscriber-Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps
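Added illustration of the cache-then-policy flow on this slide, written for this page and not Cisco's implementation: the external database lookup is a constructed in-memory dict, the host names are made up, and the on_error_list fallback is an addition that shows the fail-open / fail-closed choice when the external database is unreachable.

```python
"""URL classification cache in front of an external URL database, with the
per-package HTTP-list policy from the slide (Block-none / Block-all /
Block-and-slow)."""
import time
from urllib.parse import urlsplit

# Constructed stand-in for the 3rd-party URL database: hostname -> HTTP list ID.
# Hosts not in any list classify as the DEFAULT list (ID 0).
EXTERNAL_URL_DB = {
    "news.example": 1,    # constructed: member of HTTP list 1
    "games.example": 2,   # constructed: member of HTTP list 2
}
DEFAULT_LIST = 0

# Policy table from the slide: subscriber package -> {HTTP list ID: action}
POLICY = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


def external_lookup(host):
    """Stands in for the 'URL Query RDR' round trip to the external database."""
    return EXTERNAL_URL_DB.get(host, DEFAULT_LIST)


class UrlClassifier:
    """On-board cache: only hosts not in the cache trigger an external query.

    on_error_list is the classification used when the external database
    cannot be reached. DEFAULT_LIST means fail-open (traffic allowed even in
    Block-all); a deployment that must not leak blocked content can pass a
    list ID whose action is BLOCK to fail closed."""

    def __init__(self, lookup=external_lookup, ttl_seconds=300,
                 on_error_list=DEFAULT_LIST, clock=time.monotonic):
        self._lookup = lookup
        self._ttl = ttl_seconds
        self._on_error = on_error_list
        self._clock = clock
        self._cache = {}           # host -> (list_id, expires_at)
        self.external_queries = 0  # how many times we went to the external DB

    def classify(self, url):
        host = (urlsplit(url).hostname or "").lower()
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]                      # cache hit, no external query
        self.external_queries += 1
        try:
            list_id = self._lookup(host)
        except Exception:                      # external DB down or timing out
            return self._on_error              # not cached: retried next time
        self._cache[host] = (list_id, now + self._ttl)
        return list_id


def decide(classifier, package, url):
    """Action the SCE applies to an HTTP request for this package and URL."""
    list_id = classifier.classify(url)
    actions = POLICY[package]
    return actions.get(list_id, actions[DEFAULT_LIST])
```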
Parental Control and Content Filtering: Example
Content Filtering
Page Blocked: Forbidden Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
ISP: Demographics, Browsing habits, Geo-location
BetterAds: Advertiser, Publisher, Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPs participating in the advertising value chain
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in / Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising:
Traffic mirroring - sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
Alice: automotive, stock trading, PDAs
Bob: cookware, online gaming, baby outfit...
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults the hash DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE between subscribers and the Internet; OTT traffic is redirected to the OTT Video Cache while other OTT/P2P and VoIP pass through; SCE redirects OTT traffic, cache delivers requested files
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: Threat using stateful traffic processing, and alert SP operations
Protect: Block/mitigate threat based on configured policy
Notify: Quarantine subscriber and notify of security risk
Diagram: Email Servers, Internet, Service Control
Sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with the VAS Server beside the SCE; inbound and outbound traffic, X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
Diagram: Analysis Engine with PDR (Police/Drop/Rewrite) actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port-span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
Diagram: optical splitters between Subscribers and Network
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCE, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config: Fail opened
1+1
Active/Standby: SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config: Fail opened
Diagram: active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 with Optical Bypass modules on each link; default bypass state (no power) vs non-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability - Provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
Diagram: N+1 SCEs between the 7600 and the Internet; flows out, return flows back
Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1, 1+1 HA and Bypass HA insertion options behind the GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber), with Accounting/Policy Control, towards the Internet
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Encapsulation stacks inspected (diagram): Payload / TCP / IP / L2TP, MPLS and Payload / TCP / IP / PPP
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
Diagram components: Subscribers - Service Control Engine - Network; Subscriber Manager (AAA, DHCP, Radius/Billing); Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal
Management and Integrations

Area                          Description                                               Protocols and Tools         External Software Modules
Network Management            FCAPS                                                     SNMP, CLI, SSH              N/A
Policy/Service Configuration  Definition of Policies and Dissemination to SE Devices    SCA-API, GUI, Scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic Management of Subscriber Contexts                 SM API, RADIUS              Subscriber Manager
Data Collection               Collection of Usage Data for Reporting and Billing        NetFlow v9, RDR-Protocol    Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI Configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: Click on Top Subscriber to Activate Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts SCE device network layout - single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager: Radius Integration - Push
Components: B-RAS (Radius) - Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller) - SCE - Subscribers - Network
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: Radius Integration - Pull
Components: B-RAS (Radius) - Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller) - SCE - Subscribers - Network
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEGs' translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
LEGs translate these into SM Login (Subscriber ID, Domain, Mappings, Lease time, Policy) and Logout (Subscriber ID, Mappings)
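Added example (not Cisco's SM code) of the push and pull flows on the two Radius integration slides and the LEG login/logout translation above: the attribute names User-Name, Framed-IP-Address and SCE-VAS-PID are from the slides, Acct-Status-Type is the standard RADIUS accounting attribute, and the dict-shaped packets and the Sce class are constructed for this illustration.

```python
"""Subscriber Manager (SM) mapping logic from the push/pull slides: a RADIUS
LEG turns accounting Start/Stop into SM login/logout, the SM keeps the
Network-ID (IP) -> Subscriber-ID -> Policy-ID (package) context, pushes it to
push-mode SCEs and answers "who is using IP x" for pull-mode SCEs."""
from dataclasses import dataclass, field

SCE_VAS_PID = "SCE-VAS-PID"   # VSA carrying the package ID (from the slide)


@dataclass
class SubscriberContext:
    subscriber_id: str
    policy_id: int                       # package; persists across logins
    network_ids: set = field(default_factory=set)


class Sce:
    """Minimal model of one SCE's IP -> (subscriber, package) table."""

    def __init__(self, mode="push"):
        assert mode in ("push", "pull")
        self.mode = mode
        self.sm = None                   # attached by SubscriberManager
        self.table = {}                  # ip -> (subscriber_id, policy_id)

    def set_subscriber(self, sid, ip, pid):
        self.table[ip] = (sid, pid)

    def remove_subscriber(self, ip):
        self.table.pop(ip, None)

    def classify_flow(self, src_ip):
        """Context for a packet; pull-mode devices ask the SM on a miss."""
        entry = self.table.get(src_ip)
        if entry is None and self.mode == "pull" and self.sm is not None:
            entry = self.sm.who_is_using(src_ip)
            if entry is not None:
                self.table[src_ip] = entry   # cache the answer locally
        return entry


class SubscriberManager:
    def __init__(self, default_policy=1):
        self.sdb = {}                    # subscriber_id -> SubscriberContext
        self.by_ip = {}                  # network id -> subscriber_id
        self.sces = []
        self.default_policy = default_policy

    def attach(self, sce):
        sce.sm = self
        self.sces.append(sce)

    def radius_accounting(self, packet):
        """RADIUS LEG: Accounting-Request attributes (dict) -> login/logout.
        Acct-Status-Type is the standard RFC 2866 attribute (assumed here)."""
        sid = packet["User-Name"]
        ip = packet["Framed-IP-Address"]
        status = packet.get("Acct-Status-Type")
        if status == "Start":
            pid = packet.get(SCE_VAS_PID)
            return self.login(sid, ip, int(pid) if pid is not None else None)
        if status == "Stop":
            return self.logout(sid, ip)
        raise ValueError("unsupported Acct-Status-Type: %r" % status)

    def login(self, sid, ip, pid=None):
        # A reused address must not stay attributed to its previous owner.
        previous = self.by_ip.get(ip)
        if previous is not None and previous != sid:
            self.logout(previous, ip)
        ctx = self.sdb.get(sid)
        if ctx is None:
            ctx = SubscriberContext(sid, pid if pid is not None else self.default_policy)
            self.sdb[sid] = ctx
        elif pid is not None:
            ctx.policy_id = pid          # otherwise keep the persisted policy
        ctx.network_ids.add(ip)
        self.by_ip[ip] = sid
        for sce in self.sces:
            if sce.mode == "push":       # push mode: login sent to the device
                sce.set_subscriber(sid, ip, ctx.policy_id)
        return ctx

    def logout(self, sid, ip):
        ctx = self.sdb.get(sid)
        if ctx is not None:
            ctx.network_ids.discard(ip)  # context (and its policy) is kept
        self.by_ip.pop(ip, None)
        for sce in self.sces:            # also invalidates pull-mode caches
            sce.remove_subscriber(ip)
        return ctx

    def who_is_using(self, ip):
        """Pull-mode query from an SCE."""
        sid = self.by_ip.get(ip)
        return None if sid is None else (sid, self.sdb[sid].policy_id)
```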
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
Diagram: Subscriber Service Control - GGSN - Access Aggregation and Service Control (PCEF SCE) - Converged Packet Core - Internet; Video/VoIP Applications and Services; numbered message steps
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, Home grown (customer)
Diagram: SCE -> RDR Protocol over TCP -> Mediation/Collection Platform; the RDR stream is a sequence of RDRs, each RDR = Header, Field 0, Field 1, ..., Field n
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (aka Upstream / Downstream)
Diagram: Subscriber Side - SCE - Network Side; upstream flows and downstream flows for Browsing, P2P, VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
Mobile, DSL, Cable (customer logos)
Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Categories: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Cumulative & Average Usage Distribution
Top 1% => 15%+ of Traffic
Top 10% => 60%+ of Traffic
Top 20% => 80%+ of Traffic
Setting a 5G daily quota per subscriber will impact the top 2% only
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 2.5 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll-your-own
Rapid time to market
PP17 [May 09]: Joost (Web-based), YouTube and Yahoo Flash new flavors; updated Gnutella signatures; YouTube Movies - HD vs Normal; Yahoo SIP; Skype 4.0.0.206; Sky Player update
PP18 [Planned for Jul/Aug 09]: Ares 2.1.1, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral Classification: Benefits
Scalability: the behavioral approach is capable of recognizing the application flows based only on a few signatures; one signature per application family instead of per application signature (Behavioral P2P)
Cost-Effective: Behavioral P2P may be enough for some of the use cases such as Traffic Optimization; in such cases there is no need to recognize the specific P2P application
Time To Market - Zero Day Response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy Dimensions: Application (sessions or bandwidth), Time Based (peak/off-peak hours), Congestion (selective prioritization), Subscriber (per-sub limits), Destination (on-net/peering/transit), Service Level
Policy Implementation Impact
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Diagram: panels show a subscriber's bandwidth shared between peer-to-peer service, web browsing, email and mobile TV, before and after the user launches video
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real-time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer term violation of the subscription plan's acceptable usage policies to ensure a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service-abuse
FairUsage works only during congestion times
No Fairness - some of the subscribers not getting a fair share of the BW
Fair allocation of BW with the SCE's FairShare
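The two fair-usage slides above as an added example that is not Cisco's FairShare implementation: weighted max-min fairness that only kicks in under congestion, where the weighting by recent short-window usage is an assumption of this example.

```python
"""Fair-usage allocation on a congested link: the link is shared only when the
demand exceeds capacity, and a subscriber's usage in the recent short-term
window lowers its share instead of splitting the link equally at that instant."""


def fair_share(capacity, demands, recent_usage, window_weight=1.0):
    """capacity in Mbps; demands: subscriber -> Mbps wanted now;
    recent_usage: subscriber -> bytes moved in the short-term window.
    Returns subscriber -> Mbps granted.

    Not congested: everybody gets its demand (FairUsage does nothing).
    Congested: weighted max-min fairness by progressive filling. The weight
    of a subscriber falls as its recent usage rises above the window average
    (assumed weighting rule), so the one that has been consuming the most
    gets the smaller share."""
    if sum(demands.values()) <= capacity:
        return dict(demands)
    avg = sum(recent_usage.get(s, 0) for s in demands) / len(demands)
    weights = {}
    for s in demands:
        ratio = recent_usage.get(s, 0) / avg if avg > 0 else 1.0
        weights[s] = 1.0 / (1.0 + window_weight * ratio)

    alloc = {s: 0.0 for s in demands}
    unsatisfied = set(demands)
    remaining = float(capacity)
    while unsatisfied and remaining > 1e-9:
        wsum = sum(weights[s] for s in unsatisfied)
        # Anyone whose weighted slice covers its demand is capped at the
        # demand; the leftover is redistributed in the next round.
        capped = [s for s in unsatisfied
                  if remaining * weights[s] / wsum >= demands[s] - alloc[s]]
        if capped:
            for s in capped:
                remaining -= demands[s] - alloc[s]
                alloc[s] = demands[s]
                unsatisfied.discard(s)
            continue
        for s in unsatisfied:
            alloc[s] += remaining * weights[s] / wsum
        remaining = 0.0
    return alloc
```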
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the booming of Mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN - SGSN/GGSN - SCE - Internet, with a Policy Server (GPRS)
Tiered Services
Requirement: Flexible Billing Plans
Subscription: bill by bandwidth usage over an always-on service (Volume, Time)
Time / Volume / Transaction / Content Type: bill differently for each type of application and content
Volume / Transaction / Content Type / Usage Pattern / Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement / Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy to use reporting tools
Diagram: Subscribers - Service Control Engine - Network; Quota Manager, Billing/Mediation, Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
Quota measurement rate can change with time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of night: 10 bytes of transfer = 1 byte of quota
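The quota rules above (exempt services, a measurement rate that depends on the time of day, and a tiering decision once the allowance is used up) as an added worked example. This is not SCE code: the service names, the night window, the allowance and the flow records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example, not SCE code: quota accounting with revenue-bearing services exempted
# and a measurement rate that depends on the time of day. Service names, the night
# window, allowances and the flow records are all constructed for illustration.

EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}


def quota_rate(hour: int) -> int:
    """Bytes of transfer that consume one byte of quota.

    Peak hour: 1 byte of transfer = 1 byte of quota; middle of the night:
    10 bytes of transfer = 1 byte of quota. The night window (00:00-06:59)
    is an assumption of this example.
    """
    return 10 if 0 <= hour < 7 else 1


@dataclass
class SubscriberQuota:
    subscriber_id: str
    allowance_bytes: int
    consumed_bytes: int = 0

    def charge(self, service: str, transferred: int, at: datetime) -> int:
        """Charge one flow against the quota and return the quota bytes consumed."""
        if service in EXEMPT_SERVICES:
            return 0  # SP content, gaming, VoIP and partner CDN traffic is not counted
        charged = transferred // quota_rate(at.hour)
        self.consumed_bytes += charged
        return charged

    def remaining(self) -> int:
        return max(self.allowance_bytes - self.consumed_bytes, 0)

    def policy(self) -> str:
        """Tiering decision once the allowance is used up (reduced speed, as in the
        Telenet case described on the page)."""
        return "reduced_speed" if self.consumed_bytes >= self.allowance_bytes else "full_speed"


# Constructed flow records: (service, bytes transferred, time the flow was observed)
SAMPLE_FLOWS = [
    ("web", 1_000, datetime(2009, 7, 1, 14, 0)),       # peak: counted 1:1
    ("p2p", 5_000, datetime(2009, 7, 1, 3, 0)),        # night: counted 10:1
    ("sp_voip", 20_000, datetime(2009, 7, 1, 14, 0)),  # exempt: not counted
    ("web", 800, datetime(2009, 7, 1, 10, 0)),         # peak: pushes the subscriber over
]


def run_sample(allowance: int = 2_000):
    """Apply the sample flows and return (per-flow charges, total consumed, policy)."""
    quota = SubscriberQuota("sub-1", allowance)
    charges = [quota.charge(svc, nbytes, at) for svc, nbytes, at in SAMPLE_FLOWS]
    return charges, quota.consumed_bytes, quota.policy()


if __name__ == "__main__":
    print(run_sample())
```

With the default 2,000-byte allowance the four flows charge 1,000, 500, 0 and 800 bytes of quota, so the subscriber crosses the allowance on the last flow and drops to the reduced-speed tier; the 20,000-byte VoIP flow costs nothing because the service is exempt.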
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
Diagram: subscriber service control (SCE) at access aggregation and service control, GGSN, converged packet core, Internet, video/VoIP applications and services (steps 1-3)
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types:
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
Diagram: SCE connected to the Online Charging Server over Gy (Diameter) and to the Internet
The Gy interface is still under development and will be available in a future release
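The credit-control loop that Gy carries between a PCEF such as the SCE and an Online Charging Server, as an added example. This is not Cisco code and does no Diameter encoding: it models only the DCCA (RFC 4006) reservation logic, with an in-memory OCS stub, a constructed balance and a constructed chunk size, so that the INITIAL / UPDATE / TERMINATION requests, the Granted-Service-Unit and the Final-Unit-Indication can be traced.

```python
from dataclasses import dataclass

# Added example, not Cisco code: a simplified model of the Diameter Credit-Control
# Application (DCCA, RFC 4006) quota loop that Gy carries between a PCEF such as the
# SCE and an Online Charging Server. Only the reservation logic is modelled: there is
# no Diameter encoding, and the OCS is an in-memory stub with constructed balances.

INITIAL, UPDATE, TERMINATION = "INITIAL", "UPDATE", "TERMINATION"


@dataclass
class CreditControlAnswer:
    granted_units: int          # Granted-Service-Unit, in octets
    final_unit: bool = False    # Final-Unit-Indication: nothing more after this grant


class OnlineChargingServer:
    """Stub OCS holding prepaid volume balances in octets."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def ccr(self, sub: str, request_type: str, requested: int = 0, used: int = 0):
        """Handle a Credit-Control-Request and return the answer."""
        self.balances[sub] -= used                       # Used-Service-Unit settles usage
        if request_type == TERMINATION:
            return CreditControlAnswer(0, final_unit=True)
        grant = min(requested, self.balances[sub])       # never grant beyond the balance
        return CreditControlAnswer(grant, final_unit=(grant == self.balances[sub]))


class PolicyEnforcement:
    """PCEF side: reserves quota in chunks, meters traffic and reports what was used."""

    def __init__(self, ocs: OnlineChargingServer, sub: str, chunk: int = 1_000):
        self.ocs, self.sub, self.chunk = ocs, sub, chunk
        self.granted = 0             # octets left from the current grant
        self.used_since_report = 0   # octets to report in the next CCR
        self.final = False
        self.log = []                # (request type, granted units, final flag)

    def _apply(self, kind: str, cca: CreditControlAnswer) -> None:
        self.granted, self.final = cca.granted_units, cca.final_unit
        self.log.append((kind, cca.granted_units, cca.final_unit))

    def start(self) -> None:
        self._apply(INITIAL, self.ocs.ccr(self.sub, INITIAL, requested=self.chunk))

    def forward(self, nbytes: int) -> int:
        """Meter nbytes of subscriber traffic; returns how many bytes were forwarded.
        Traffic beyond the final grant is not forwarded (quota exhausted)."""
        sent = 0
        while nbytes > 0:
            if self.granted == 0:
                if self.final:
                    break
                self._apply(UPDATE, self.ocs.ccr(self.sub, UPDATE, requested=self.chunk,
                                                 used=self.used_since_report))
                self.used_since_report = 0
                continue
            take = min(nbytes, self.granted)
            self.granted -= take
            self.used_since_report += take
            sent += take
            nbytes -= take
        return sent

    def stop(self) -> None:
        self.ocs.ccr(self.sub, TERMINATION, used=self.used_since_report)
        self.used_since_report = 0


def run_sample():
    """Constructed session: 2,500 octets of balance, quota reserved 1,000 at a time."""
    ocs = OnlineChargingServer({"sub-1": 2_500})
    pcef = PolicyEnforcement(ocs, "sub-1")
    pcef.start()
    first = pcef.forward(1_800)   # fully forwarded, one UPDATE in between
    second = pcef.forward(1_000)  # only 700 forwarded: the balance runs out
    pcef.stop()
    return first, second, ocs.balances["sub-1"], pcef.log


if __name__ == "__main__":
    print(run_sample())
```

The trace shows the property that matters for prepaid: the OCS never grants more than the remaining balance, so the last UPDATE returns a 500-octet grant flagged final, and the PCEF stops forwarding once that grant is consumed.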
Quota-Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
Subscriber portal (screenshot): view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around
Redirect Page
Redirect page in case 100% of quota is reached. Three options are presented to the subscriber:
Extend subscription (buy more)
Pay as you go on broadband
Continue for free on narrowband
Quota-Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
Plan: Default | WnW | WnW Pro | WnW | WNW Plus | WnW Max | Post Pay Day Pass
Allowance: Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB
VoIP: ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM: ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads: ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails: ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem: ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, Self-Care, Parental Control)
"Push": enhanced experience is application-driven (Application Awareness)
Diagram: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice connected over a Control Bus
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that content distributed does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks, or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Turbo Button
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Portal page shown: "Content Blocked" / "Click here to unlock all Internet sites"
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-Device URL Filtering with External Database Integration (flow): URL not in cache -> URL Query RDR -> 3rd party URL database -> return URL classification -> cache lookup/update
Policy matrix (subscriber package vs. HTTP classification):
Subscriber Package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
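The on-device cache in front of an external URL database, with the result applied through the package / list policy matrix above and a blocked page redirected to a portal as in the "Kids Broadband" example, as an added worked example. This is not SCE code: the database contents, list ids, cache size, portal URL and request log are constructed.

```python
from collections import OrderedDict

# Added example, not SCE code: URL classification through an on-device cache in front
# of an external category database, with the result applied through the package /
# list policy matrix shown above. The database contents, list ids, cache size and the
# portal URL are constructed for illustration.

# Stand-in for the 3rd-party URL database: hostname -> list id (None means unlisted)
EXTERNAL_DB = {
    "news.example": None,
    "games.example": 1,
    "adult.example": 2,
}

# Subscriber package -> action per HTTP classification (DEFAULT, List ID 1, List ID 2)
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}
PORTAL = "http://portal.example/blocked"   # constructed HTTP-redirect target


class UrlFilter:
    def __init__(self, db, cache_size=1_000):
        self.db = db
        self.cache = OrderedDict()    # LRU: hostname -> list id
        self.cache_size = cache_size
        self.external_queries = 0     # URL query RDRs sent to the external DB

    def classify(self, host):
        """Return the list id for host, consulting the external DB only on a cache miss."""
        if host in self.cache:
            self.cache.move_to_end(host)
            return self.cache[host]
        self.external_queries += 1
        list_id = self.db.get(host)   # hosts unknown to the DB fall into DEFAULT
        self.cache[host] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return list_id

    def decide(self, package, host):
        """Map (package, classification) to the enforcement action for the request."""
        list_id = self.classify(host)
        action = POLICY[package]["DEFAULT" if list_id is None else list_id]
        if action == "BLOCK":
            return ("REDIRECT", PORTAL)          # blocked page is redirected to the portal
        if action.startswith("RATE"):
            return ("RATE", action.split()[1])   # e.g. 64kbps
        return ("ALLOW", None)


# Constructed request log: (subscriber package, requested host)
SAMPLE_REQUESTS = [
    ("Block-and-slow", "games.example"),
    ("Block-and-slow", "adult.example"),
    ("Block-none", "adult.example"),
    ("Block-all", "games.example"),
    ("Block-and-slow", "news.example"),
    ("Block-all", "unknown.example"),
]


def run_sample():
    """Return the decision per request and the number of external DB queries."""
    f = UrlFilter(EXTERNAL_DB)
    decisions = [f.decide(pkg, host) for pkg, host in SAMPLE_REQUESTS]
    return decisions, f.external_queries


if __name__ == "__main__":
    print(run_sample())
```

Six requests produce only four external lookups because the two repeated hosts are served from the cache, which is the transaction reduction the slide refers to; the policy decision is still taken per package, so the same host yields a redirect, a rate limit or an allow depending on the subscriber.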
Parental Control and Content Filtering: Example
Content Filtering
Page Blocked: Forbidden Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
Diagram: ISP between Advertiser, Publisher and Consumer, contributing demographics, browsing habits and geo-location to BetterAds
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit…)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults the hash DB
3. DB responds with file classification (infringing / legal)
4. SCE acts based on file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic continues to the Internet
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify of the security risk
Diagram: Service Control between subscribers, email servers and the Internet; sample subscriber notification:
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
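The three tiers above (identify by anomaly counters and signature matches, protect per policy, notify and quarantine) run over a constructed set of per-flow records, as an added example. This is not Cisco code; the thresholds, the signature id, the flow records, the mitigation strings and the notification URL are all assumptions made for the example.

```python
from collections import defaultdict

# Added example, not Cisco code: a small identify / protect / notify pipeline run over
# constructed per-flow records, following the three-tier scheme above. The thresholds,
# the signature id, the flow records and the notification URL are assumptions.

SMTP_DEST_THRESHOLD = 20     # distinct mail servers per subscriber in a window: spam zombie
NOREPLY_DEST_THRESHOLD = 50  # distinct hosts contacted without any reply: DoS / scan
WORM_SIGNATURES = {"sig-worm-1"}
NOTIFY_URL = "http://support.example/infected"

PROTECT = {   # mitigation per threat class, standing in for the configured policy
    "spam": "block tcp/25 from subscriber",
    "worm": "drop flows matching signature",
    "dos": "rate-limit new flows from subscriber",
}


def constructed_flows():
    """Flow records: (subscriber, destination ip, destination port, signature id, replied)."""
    flows = [("sub-A", f"10.0.{i}.1", 25, None, True) for i in range(25)]    # 25 mail servers
    flows.append(("sub-B", "10.1.0.1", 80, None, True))                      # normal browsing
    flows.append(("sub-C", "10.2.0.1", 445, "sig-worm-1", True))             # signature hit
    flows += [("sub-D", f"10.3.{i}.1", 80, None, False) for i in range(60)]  # no replies
    return flows


def identify(flows):
    """Tier 1: per-subscriber anomaly counters plus signature matches -> {sub: threat}."""
    smtp_dests, noreply_dests, threats = defaultdict(set), defaultdict(set), {}
    for sub, dst, port, sig, replied in flows:
        if sig in WORM_SIGNATURES:
            threats[sub] = "worm"
        if port == 25:
            smtp_dests[sub].add(dst)
        if not replied:
            noreply_dests[sub].add(dst)
    for sub, dests in smtp_dests.items():
        if len(dests) > SMTP_DEST_THRESHOLD:
            threats.setdefault(sub, "spam")
    for sub, dests in noreply_dests.items():
        if len(dests) > NOREPLY_DEST_THRESHOLD:
            threats.setdefault(sub, "dos")
    return threats


def respond(threats):
    """Tiers 2 and 3: mitigation per policy, then quarantine and notification."""
    return {
        sub: {"alert": kind, "protect": PROTECT[kind], "notify": ("quarantine", NOTIFY_URL)}
        for sub, kind in threats.items()
    }


def run_sample():
    return respond(identify(constructed_flows()))


if __name__ == "__main__":
    for sub, action in run_sample().items():
        print(sub, action)
```

The counters are per subscriber and count distinct destinations rather than packets, which is what keeps a single busy mail client or a legitimate download from tripping the spam or DoS rule; sub-B, with one ordinary browsing flow, produces no alert.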
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; X marks traffic blocked on the inbound path
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS/CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Diagram: Analysis Engine; PDR (police, drop, rewrite) actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: optical splitters between Subscribers and Network
High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby: SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
Diagram: active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 with optical bypass modules; default bypass state (no power) vs. non-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with eight 30Gbps SCE8000s
High Availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE for maintaining flow & subscriber states
Diagram: N+1 SCEs attached to the 7600; flows dispatched out and returned
Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1, 1+1 HA and bypass HA insertion options; GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber) access; accounting and policy control; Internet
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Diagram of the encapsulation stacks inspected: Payload / TCP / IP / L2TP / MPLS; Payload / TCP / IP / PPP
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Service Control Engine between Subscribers and Network; Subscriber Manager (AAA, DHCP, RADIUS, Billing); Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal
Management and Integrations
Function | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | NA
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Diagram: the B-RAS on the network side sends RADIUS accounting to the Cis1co Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller), which pushes the context to the SCE serving the subscribers
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: RADIUS Integration - Pull
Diagram: as in the push case, but the SCE queries the Subscriber Manager when it sees traffic from an IP address it does not know
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
LEG translation into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
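The RADIUS LEG translation (accounting attributes into login / logout with subscriber ID, domain, mappings and policy) together with the push and pull modes from the two preceding slides, as one added example. This is not Cisco Subscriber Manager code: the attribute names follow the page, but the domain table, the handling of SCE-VAS-PID as a plain attribute, the stub SCE and all sample values (Joe, 1.2.3.4, package 12, NAS bras-1) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco Subscriber Manager code: a minimal model of the RADIUS LEG
# translation (accounting attributes -> login / logout) and of the push and pull modes
# from the preceding slides. Attribute names follow the page; the domain table, the
# VSA name SCE-VAS-PID as a plain attribute and all sample values are constructed.


@dataclass
class Login:
    subscriber_id: str
    domain: str
    mappings: List[str]       # network IDs (IP addresses) mapped to the context
    policy: Optional[int]     # package id carried in the vendor-specific attribute


class SceDevice:
    """Stub SCE: holds pushed subscriber contexts and, in pull mode, asks the SM."""

    def __init__(self, name: str):
        self.name = name
        self.sm: Optional["SubscriberManager"] = None
        self.contexts: Dict[str, Login] = {}   # ip -> login
        self.pull_queries = 0

    def set_subscriber(self, login: Login) -> None:
        for ip in login.mappings:
            self.contexts[ip] = login

    def remove_subscriber(self, ip: str) -> None:
        self.contexts.pop(ip, None)

    def classify_packet(self, src_ip: str) -> Tuple[Optional[str], Optional[int]]:
        """Return (subscriber id, policy) for a packet; unknown IPs are pulled from the SM."""
        if src_ip not in self.contexts and self.sm is not None:
            self.pull_queries += 1
            login = self.sm.who_is(src_ip)
            if login is not None:
                self.set_subscriber(login)
        login = self.contexts.get(src_ip)
        return (login.subscriber_id, login.policy) if login else (None, None)


class SubscriberManager:
    def __init__(self, domains: Dict[str, Tuple[str, SceDevice]], push: bool = True):
        self.domains = domains            # NAS-Identifier -> (domain, SCE serving it)
        self.push = push
        self.sdb: Dict[str, Login] = {}   # internal SDB: ip -> login

    def radius_leg(self, attrs: dict):
        """Translate one RADIUS accounting packet into an SM login or logout."""
        domain, sce = self.domains[attrs["NAS-Identifier"]]
        ip = attrs["Framed-IP-Address"]
        if attrs["Acct-Status-Type"] == "Start":
            login = Login(attrs["User-Name"], domain, [ip], attrs.get("SCE-VAS-PID"))
            self.sdb[ip] = login
            if self.push:                 # push mode: the login goes straight to the SCE
                sce.set_subscriber(login)
            return ("login", login)
        self.sdb.pop(ip, None)            # Stop: drop the mapping everywhere
        sce.remove_subscriber(ip)
        return ("logout", attrs["User-Name"])

    def who_is(self, ip: str) -> Optional[Login]:
        """Pull mode: answer the SCE's 'who is using IP x' query from the SDB."""
        return self.sdb.get(ip)


def run_sample(push: bool):
    """Constructed Acct-Start for Joe at 1.2.3.4 with package 12, then an Acct-Stop."""
    sce = SceDevice("sce-1")
    sm = SubscriberManager({"bras-1": ("dsl", sce)}, push=push)
    sce.sm = sm
    acct_start = {"Acct-Status-Type": "Start", "User-Name": "Joe", "NAS-Identifier": "bras-1",
                  "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": 12}
    sm.radius_leg(acct_start)
    first_packet = sce.classify_packet("1.2.3.4")
    queries_after_first = sce.pull_queries
    sm.radius_leg({**acct_start, "Acct-Status-Type": "Stop"})
    after_logout = sce.classify_packet("1.2.3.4")
    return first_packet, queries_after_first, after_logout


if __name__ == "__main__":
    print("push:", run_sample(push=True))
    print("pull:", run_sample(push=False))
```

Both modes classify Joe's first packet to package 12; the difference is where the mapping comes from: in push mode the SCE already holds it and makes no query, in pull mode the first packet costs one query to the SM. After the Acct-Stop the mapping is gone from both the SDB and the SCE, so traffic from 1.2.3.4 is no longer attributed to Joe.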
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C, Java)
SCE MIB: allows integration for maintenance operation
RDRs: allow integration for billing/quota provisioning issues
NetFlow v9: allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
Diagram: PCEF (SCE) at access aggregation and service control, GGSN, converged packet core, Internet, video/VoIP applications and services (steps 1-5)
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms
Diagram: the SCE streams RDRs over TCP to the mediation/collection platform; each RDR carries a header followed by Field 0, Field 1, …, Field n
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 60
Diagram: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow Collector (NetFlow Reporter)
Collection Manager: Software Overview
CM Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (aka upstream / downstream)
Diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
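The two ToS functions described on the last two slides, marking per package / service / direction and DSCP-based classification that wins over the signature result, as an added example. This is not SCE code: the seven DSCP values, the marking table, the DSCP-to-flavor table and the package and service names are constructed; only the bit layout of the ToS byte (DSCP in the upper six bits, ECN in the lower two, RFC 2474) is standard.

```python
# Added example, not SCE code: DSCP marking chosen per package, service and direction,
# and ToS-based classification taking precedence over the signature result. The seven
# DSCP values, the marking table and the DSCP-to-flavor table are constructed.

DSCP_VALUES = {"BE": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46}


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper six bits of the IPv4 ToS byte; ECN the lower two (RFC 2474)."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_of(tos: int) -> int:
    return (tos & 0xFF) >> 2


# package -> service -> direction -> DSCP name (constructed marking policy)
MARKING = {
    "gold": {
        "voip": {"upstream": "EF", "downstream": "EF"},
        "browsing": {"upstream": "AF21", "downstream": "AF21"},
        "p2p": {"upstream": "CS1", "downstream": "CS1"},
    },
    "bronze": {
        "voip": {"upstream": "AF31", "downstream": "AF31"},
        "browsing": {"upstream": "BE", "downstream": "BE"},
        "p2p": {"upstream": "CS1", "downstream": "CS1"},
    },
}


def mark(package: str, service: str, direction: str, tos: int) -> int:
    """Rewrite the DSCP bits of a classified flow's ToS byte, preserving the ECN bits."""
    name = MARKING[package][service][direction]
    return tos_byte(DSCP_VALUES[name], ecn=tos & 0b11)


# DSCP value -> service flavor for ToS-based classification (constructed)
TOS_FLAVORS = {46: "voip", 8: "p2p"}


def classify(tos: int, signature_result: str) -> str:
    """DSCP classification wins when a flavor matches; otherwise use the signature result."""
    flavor = TOS_FLAVORS.get(dscp_of(tos))
    return flavor if flavor is not None else signature_result


if __name__ == "__main__":
    marked = mark("gold", "voip", "upstream", tos=0b01)
    print(hex(marked), classify(marked, signature_result="browsing"))
```

The two points worth noticing are that marking must not clobber the ECN bits an endpoint may be using, and that ToS-based classification only overrides the signature result when the DSCP value actually maps to a flavor; a packet with DSCP 0 still gets whatever the signature engine decided.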
Summary
Cisco SCE Sample Customers
Diagram: customer logos grouped by access type: Mobile, DSL, Cable
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Service Control Engine Protocol Support: Protocol Pack Updates
Cisco's SCE keeps customers on top of the game
Updated protocol packs issued once every 25 months
Enhancements for existing clients/protocols/applications
New protocol or application signatures
Extensible protocol signature development toolkit to roll your own
Rapid time to market
PP17 [May 09]: Joost (web-based), YouTube and Yahoo Flash new flavors, updated Gnutella signatures, YouTube movies - HD vs normal, Yahoo SIP, Skype 400206, Sky Player update
PP18 [planned for Jul/Aug 09]: Ares 211, Cisco IPSec, YouTube Shows (RTMP based), flavors for popular video services, Google Phone, gaming applications, Facebook IM
Behavioral Signatures
Finding new signatures becomes a difficult task
Signatures are more complex (encryption)
Protocol signatures are evolving all the time (new application versions)
Many geography-specific applications
In some cases almost impossible (new trend of 'anti-shaping')
It's both a scalability and a feasibility challenge
Behavioral ClassificationBenefits
Beh
avio
ral
Cla
ssif
icati
on
Scalability Behavioral approach is capable of recognizing the application flows based only on few signaturesOne signature per application family instead of per application signature (Behavioral P2P)
Cost-EffectiveBehavioral P2P maybe enough for some of the use cases such as Traffic Optimization In such case there is no need to recognize the specific P2P application
Time To Market ndash Zero Day ResponseBehavioral P2P signature use heuristic approach New P2P client version not necessarily requires development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control: Policy Implementation
Policy dimensions (chart axis: policy implementation impact):
Application: sessions or bandwidth
Time based: peak / off-peak hours
Congestion: selective prioritization
Subscriber: per-subscriber limits
Destination: on-net / peering / transit
Service level
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(chart: a subscriber's bandwidth is shared among peer-to-peer service, web browsing and email; when the user launches video / mobile TV, the allocation shifts toward it)
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources
Fair Usage: SCE, Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
(chart: no fairness, some subscribers not getting a fair share of the bandwidth, versus fair allocation of bandwidth with the SCE's FairShare)
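The two slides above describe the behaviour, not the algorithm. The following is an added illustration, not Cisco code, of one way to get it: a weighted max-min fair share that is only applied when demand exceeds link capacity, with each subscriber's weight lowered by their recent short-term usage. The capacity, demands, usage figures and the 100 MB baseline are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Sub:
    name: str
    demand: float            # kbit/s the subscriber is currently trying to use
    recent_usage_mb: float   # MB moved in the short-term window (constructed figure)


def weight(sub: Sub, baseline_mb: float = 100.0) -> float:
    """Heavy recent users get a smaller weight; floor of 0.1 so nobody starves."""
    return max(0.1, min(1.0, baseline_mb / max(sub.recent_usage_mb, 1.0)))


def allocate(capacity: float, subs: list[Sub]) -> dict[str, float]:
    """Weighted max-min fair share in kbit/s, applied only while the link is congested."""
    if sum(s.demand for s in subs) <= capacity:
        return {s.name: s.demand for s in subs}      # no congestion: FairUsage is inactive
    alloc: dict[str, float] = {}
    remaining, pending = capacity, list(subs)
    while pending:
        wsum = sum(weight(s) for s in pending)
        share = {s.name: remaining * weight(s) / wsum for s in pending}
        satisfied = [s for s in pending if s.demand <= share[s.name]]
        if not satisfied:                  # everyone left wants more than their share
            alloc.update(share)
            break
        for s in satisfied:                # give them what they asked, redistribute the rest
            alloc[s.name] = s.demand
            remaining -= s.demand
            pending.remove(s)
    return {k: round(v, 1) for k, v in alloc.items()}


def equal_split(capacity: float, subs: list[Sub]) -> dict[str, float]:
    """The naive 'divide equally' policy the slide calls unfair to Sub A."""
    return {s.name: min(s.demand, capacity / len(subs)) for s in subs}
```

With three subscribers on a 1000 kbit/s link (A wants 600 and has used little, B wants 2000 and has been heavy all window, C wants 200), the equal split caps A at 333 although B is the one exceeding the plan; the weighted allocation satisfies A and C and gives B the remainder.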
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
(diagram: UTRAN, SGSN/GGSN, SCE, policy server, GPRS, Internet)
Tiered Services
Requirement: Flexible Billing Plans
Bill by bandwidth usage over an always-on service: Volume, Time
Bill differently for each type of application and content: Volume, Time, Transaction, Content Type
Bill differently for the same content based on quality, priority, time of day and usage pattern: Volume, Time, Transaction, Content Type, Usage Pattern, Quality of Service
(each tier builds on a base Subscription)
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session can either be terminated or the user can purchase more usage
Quota Measurement: Enforcement Solution
SCE capabilities:
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(diagram: Subscribers, Service Control Engine, Network, with Quota Manager, Billing/Mediation and Policy Server)
Quota Measurement Flexibility
Content that generates revenue other than access revenue can be exempted from quota counting:
SP's content delivery store
SP's gaming services
SP's VoIP service
Partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
Quota measurement rate can change with time of day: peak hour, 1 byte of transfer = 1 byte of quota; middle of night, 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
(diagram: Subscriber Service Control (SCE), Access Aggregation and Service Control (GGSN), Converged Packet Core, Internet, Video/VoIP Applications and Services; steps 1-3)
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between Online Charging Servers
(diagram: SCE, Gy over Diameter, Online Charging Server, Internet)
The Gy interface is still under development and will be available in a future release
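The quota-measurement rules (exempt services, time-of-day rate) and the Gy credit-control loop above are easier to reason about together. The following added example, not Cisco code and not the SCE's Gy implementation (which the slide says is still under development), follows the Diameter Credit-Control pattern of RFC 4006: CCR Initial / Update / Terminate, granted and used service units, and a final-unit indication that turns into a redirect once the balance is spent. Messages are plain dicts rather than Diameter encoding; the OCS, the 50 MB grant size, the exempt-service names and the 00-06h off-peak window are constructed for the example.

```python
from __future__ import annotations

MB = 1_000_000
EXEMPT = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}   # non-access revenue


def rate_bytes(service: str, nbytes: int, hour: int) -> int:
    """Transfer bytes -> quota bytes: exempt services cost nothing; in the middle of
    the night (00-06h, chosen here) 10 bytes of transfer count as 1; otherwise 1:1."""
    if service in EXEMPT:
        return 0
    return nbytes // 10 if 0 <= hour < 6 else nbytes


class OCS:
    """Online charging server: owns the balance and hands out quota in grants."""
    def __init__(self, balance: int, grant: int = 50 * MB):
        self.balance, self.grant = balance, grant

    def credit_control(self, ccr: dict) -> dict:
        """Answer a CCR (Initial / Update / Terminate) with a CCA."""
        self.balance = max(0, self.balance - ccr.get("Used-Service-Unit", 0))
        if ccr["CC-Request-Type"] == "TERMINATE":
            return {"Result-Code": 2001}
        granted = min(self.grant, self.balance)
        cca = {"Result-Code": 2001, "Granted-Service-Unit": granted}
        if granted < self.grant:                 # this grant exhausts the balance
            cca["Final-Unit-Indication"] = "REDIRECT"
        return cca


class QuotaSession:
    """Enforcement side of the Gy dialogue for one subscriber session."""
    def __init__(self, ocs: OCS):
        self.ocs, self.granted, self.used, self.final = ocs, 0, 0, False
        self.log: list[str] = []
        self._request("INITIAL")

    def _request(self, kind: str) -> None:
        cca = self.ocs.credit_control({"CC-Request-Type": kind, "Used-Service-Unit": self.used})
        self.granted = cca.get("Granted-Service-Unit", 0)
        self.final = "Final-Unit-Indication" in cca
        self.log.append(f"CCR-{kind} used={self.used // MB}MB -> "
                        f"granted={self.granted // MB}MB final={self.final}")
        self.used = 0

    def transfer(self, service: str, nbytes: int, hour: int) -> str:
        """Account for one transfer; 'pass', or 'redirect' once the quota is gone."""
        cost = rate_bytes(service, nbytes, hour)
        while cost > 0:
            room = self.granted - self.used
            if room <= 0:
                if self.final:                   # last grant spent: send to the portal
                    return "redirect"
                self._request("UPDATE")          # report usage, ask for more
                continue
            step = min(cost, room)
            self.used += step
            cost -= step
        return "pass"

    def terminate(self) -> None:
        self._request("TERMINATE")
```

Note that the OCS only learns about consumption when the SCE side reports it in a CCR-Update, so the granted chunk bounds how far a subscriber can overrun a balance between reports; a smaller grant tightens enforcement at the price of more Gy traffic.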
Quota Based Tiering: Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/feature/Article.cfm?featureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at reduced speed until the end of the month
15% of the customers upgrade their quota every month
(Telenet subscriber portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to switch from pay-as-you-go broadband to free smallband, or the other way around)
Redirect Page
Redirect page shown when 100% of the quota is reached; three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband
Quota Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile: Quota-Based With Application Control
                   Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance          Unlimited  2GB   2GB       1GB        3GB       10GB
VoIP               ✓          ✗     ✗         ✗          ✗         ✓          ✗
IM                 ✓          ✗     ✗         ✗          ✓         ✓          ✗
P2P                ✓          ✗     ✓         ✗          ✓         ✓          ✗
FTP                ✓          ✗     ✓         ✗          ✓         ✓          ✗
Media Stream       ✓          ✗     ✓         ✗          ✓         ✓          ✗
Web Browsing       ✓          ✓     ✓         ✓          ✓         ✓          ✓
Downloads          ✓          ✗     ✓         ✓          ✓         ✓          ✓
Emails             ✓          ✓     ✓         ✓          ✓         ✓          ✓
Handset as modem   ✓          ✗     ✓         ✗          ✓         ✓          ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota
http://www.vodafone.es/particulares/internet
(screenshot of the tariff page; the only legible figure is "> 40")
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (Turbo Button, self-care, parental control)
"Push": enhanced experience is application-driven (application awareness, control bus)
(diagram: broadband access with IPTV/VoD, gaming, messaging, music and voice)
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self-selection
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self-Managed (portal screenshot)
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example: Content Tiering, "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content-provider partnership
(portal mock-up: "Content Blocked. Click here to unlock all Internet sites")
URL Filtering With External DB
On-device URL filtering with external database integration
Enhances SCE URL classification with third-party databases
External database size is not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
(flow: URL not in cache -> URL Query RDR to the 3rd-party URL database -> return URL classification -> cache-lookup update)
Subscriber package    HTTP DEFAULT    HTTP List ID 1    HTTP List ID 2
Block-none            ALLOW           ALLOW             ALLOW
Block-all             ALLOW           BLOCK             BLOCK
Block-and-slow        ALLOW           BLOCK             RATE 64kbps
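The cache-then-query flow and the package table above, as an added example that is not Cisco code: a classifier that serves repeat lookups for a host from an on-device cache with a TTL, falls back to the external database on a miss, and then applies the package's action for the returned list ID. Host names are normalised before the lookup so that case, an explicit port or a trailing dot cannot produce a second cache entry that bypasses the first verdict. The external database contents, the 300 s TTL and the injectable clock are constructed for the example.

```python
from __future__ import annotations
import time
from urllib.parse import urlsplit

# Policy table from the slide: package -> action per list ID (None = DEFAULT, unlisted)
POLICY = {
    "Block-none":     {None: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {None: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {None: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDB:
    """Stand-in for the 3rd-party database; answers per host from constructed data."""
    def __init__(self, table: dict[str, int]):
        self.table, self.queries = table, 0

    def classify(self, host: str) -> int | None:
        self.queries += 1                          # one transaction per miss
        return self.table.get(host)


class UrlClassifier:
    def __init__(self, db: ExternalUrlDB, ttl: float = 300.0, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, ttl, clock
        self.cache: dict[str, tuple[int | None, float]] = {}

    @staticmethod
    def host_of(url: str) -> str:
        # 'HTTP://Example.COM:80/x', 'http://example.com./' and 'http://example.com/' share one entry
        return (urlsplit(url).hostname or "").lower().rstrip(".")

    def list_id(self, url: str) -> int | None:
        host, now = self.host_of(url), self.clock()
        hit = self.cache.get(host)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                          # served from the on-board cache
        lid = self.db.classify(host)               # URL Query RDR to the external DB
        self.cache[host] = (lid, now)              # cache-lookup update
        return lid


def decide(classifier: UrlClassifier, package: str, url: str) -> str:
    """Action for one HTTP request under the subscriber's package."""
    return POLICY[package][classifier.list_id(url)]
```

Negative results (host not in any list) are cached too; otherwise every request to an unlisted site would cost a database transaction, which is most of the traffic.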
Parental Control and Content Filtering: Example
Content filtering (block page: "Page Blocked, forbidden content detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs Participating in the Advertising Value Chain
ISPs leverage their intimacy with their customer base (demographics, browsing habits, geo-location) to enable enhanced targeting across advertiser, publisher and consumer
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
(diagram: SCE redirects OTT traffic; the OTT video cache delivers the requested files; other OTT, P2P and VoIP traffic passes through)
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Ability to identify and mitigate attacks emanating from the SP's own users
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block or mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
(diagram: Service Control between subscribers, email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
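The identify / protect / notify tiers above, as an added illustration over constructed upstream flow records; this is not SCE detection logic or SCE output. The two anomaly rules (a subscriber contacting too many distinct mail servers within a minute, and too many half-open connections at one target) and the thresholds, window and response table are chosen for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int            # epoch seconds, flow start
    sub: str           # subscriber IP (upstream direction: subscriber -> network)
    dst: str
    dport: int
    syn_only: bool     # SYN seen, handshake never completed
    nbytes: int


WINDOW = 60           # seconds of history examined
SMTP_PEERS = 20       # distinct mail servers per window; home users stay far below this
SYN_FLOOD = 100       # half-open attempts at one target per window
# Mitigation per threat: the 'protect' and 'notify' tiers (constructed policy)
RESPONSE = {
    "spam-zombie": ("drop upstream tcp/25 except to the SP mail relay",
                    "quarantine and redirect the next HTTP request to a notice page"),
    "dos-source": ("rate-limit upstream SYNs from the subscriber",
                   "alert SP operations; notify the subscriber"),
}


def detect(flows: list[Flow], now: int) -> dict[str, list[tuple[str, str, str]]]:
    """Identify tier: per-subscriber anomaly counts over the last WINDOW seconds.
    Returns subscriber -> [(threat, protect action, notification), ...]."""
    smtp_peers: dict[str, set[str]] = defaultdict(set)
    syn_attempts: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if now - f.ts > WINDOW:
            continue                              # stale record, outside the window
        if f.dport == 25:
            smtp_peers[f.sub].add(f.dst)
        if f.syn_only:
            syn_attempts[(f.sub, f.dst)] += 1
    verdicts: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for sub, peers in smtp_peers.items():
        if len(peers) > SMTP_PEERS:
            verdicts[sub].append(("spam-zombie",) + RESPONSE["spam-zombie"])
    for (sub, _dst), n in syn_attempts.items():
        if n > SYN_FLOOD:
            verdicts[sub].append(("dos-source",) + RESPONSE["dos-source"])
    return dict(verdicts)


def sample_flows() -> list[Flow]:
    """Constructed upstream flow records: one spam zombie, one SYN flooder, one normal user."""
    flows: list[Flow] = []
    for i in range(30):      # zombie talks to 30 different mail servers within a minute
        flows.append(Flow(1000 + i, "10.0.0.5", f"203.0.113.{i}", 25, False, 4000))
    for i in range(150):     # flooder: 150 half-open connections to one web server
        flows.append(Flow(1000 + i // 3, "10.0.0.9", "198.51.100.7", 80, True, 60))
    for i in range(3):       # normal user: mail via the SP relay plus some browsing
        flows.append(Flow(1010 + i, "10.0.0.7", "192.0.2.25", 25, False, 9000))
        flows.append(Flow(1020 + i, "10.0.0.7", f"198.51.100.{i}", 443, False, 50000))
    flows.append(Flow(100, "10.0.0.7", "203.0.113.99", 25, False, 100))   # stale record
    return flows
```

Counting distinct mail-server peers rather than raw message volume is what separates a zombie from a legitimate user who sends a lot of mail through the SP relay; the same shape of rule (distinct destinations per window on one port) also catches worm scanning.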
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(diagram: User 1, SCE on Carrier Ethernet / MPLS / IP, VAS server, Internet; inbound and outbound traffic, X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE Is a "Bump on a Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(diagram: analysis engine with PDR = police / drop / rewrite actions)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
(diagram: optical splitters between subscribers and network)
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(diagram: Master and Slave SCEs, one on each active link)
Redundant Configurations: Active/Standby Schemes
1+0: active/standby SCE on the active link; on failure the network uses the alternate path; no service redundancy; bypass config: fail open
1+1: active/standby SCE on each link; on failure the network uses the alternate path; the standby SCE resumes service; bypass config: fail open
(diagram: active link and standby links)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
(diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state; ports 0/0, 1/0, 2/0, 3/0)
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: "buy as you grow" approach (add an SCE as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber states
(diagram: N+1 SCEs between the 7600 and the Internet; flows out, return flows back)
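The dispatch property in the technical concept above (every flow of a subscriber, in both directions, lands on the same SCE, and a failed SCE is replaced by the standby without reshuffling everyone else) is shown by the following added example; it is not the 7600's load-balancing implementation. The hash, the slot model and the addresses are chosen for the example.

```python
from __future__ import annotations
import ipaddress
import zlib


class MgscpDispatcher:
    """N active SCE slots plus one standby. The dispatch key is the subscriber-side
    address whichever direction the packet travels, so both halves of every flow and
    all flows of one subscriber reach the same SCE and its state stays consistent."""
    def __init__(self, active: list[str], standby: str, subscriber_net: str):
        self.slots = list(active)                 # slot index -> SCE serving it
        self.standby: str | None = standby
        self.sub_net = ipaddress.ip_network(subscriber_net)

    def subscriber_of(self, src: str, dst: str) -> str:
        if ipaddress.ip_address(src) in self.sub_net:
            return src                            # upstream packet
        if ipaddress.ip_address(dst) in self.sub_net:
            return dst                            # downstream (return) packet
        raise ValueError("neither address is a subscriber")

    def slot_of(self, subscriber: str) -> int:
        return zlib.crc32(ipaddress.ip_address(subscriber).packed) % len(self.slots)

    def dispatch(self, src: str, dst: str) -> str:
        return self.slots[self.slot_of(self.subscriber_of(src, dst))]

    def fail(self, sce: str) -> None:
        """Device failure: the standby takes over the failed slot; the other slots keep
        their SCE, so subscribers on healthy devices are not reshuffled."""
        if self.standby is None:
            raise RuntimeError("standby already in use")
        self.slots[self.slots.index(sce)], self.standby = self.standby, None
```

Hashing on the subscriber address rather than on the 5-tuple is the whole point: a per-flow hash would split a subscriber across devices and the per-subscriber quota, fair-usage and security state would no longer add up.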
Network Architectures: SCE's Open and Extensible Architecture
(diagram: N+1 cluster, 1+1 HA and bypass HA insertion options; GGSN for mobile, BRAS / LAC / LNS for DSL and fiber; accounting and policy control; Internet)
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
(diagram: encapsulation stacks, e.g. L2TP or MPLS / IP / TCP / payload, and PPP / IP / TCP / payload)
Management and Integration
What Does an SCE Solution Look Like? SCE Sits at the Access or Aggregation Layer
Modular solution includes SCE devices, management tools and integration APIs
(diagram: Subscribers, Service Control Engine, Network; Subscriber Manager with AAA, DHCP, RADIUS and billing; Collection Manager with reporting tool; Engage console; service portal; policy server / portal)
Management and Integrations
Area                            Description                                              Protocols and tools           External software module
Network management              FCAPS                                                    SNMP, CLI, SSH                N/A
Policy / service configuration  Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML    Service Control Application Suite GUI
Subscriber management           Dynamic management of subscriber contexts                SM API, RADIUS                Subscriber Manager
Data collection                 Collection of usage data for reporting and billing       NetFlow v9, RDR protocol      Collection Manager
Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI: Telnet / SSH; Cisco look and feel; CLI configuration wizard
Management: Network Navigator, Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate a real-time report on that subscriber
Service Security Dashboard
Integrated console to manage the service security functionality: view, load and edit signatures; configure identification thresholds; set up mitigation actions; view reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back office / AAA: RADIUS AAA, DHCP servers, policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push
(diagram: subscribers, B-RAS, network; Cisco Subscriber Manager with RADIUS listener, internal SDB, event manager and SCE device controller)
1. B-RAS sends RADIUS Accounting-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay forwards the Accounting-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM-API: Set Subscriber (Joe, 1.2.3.4, 12) is pushed to the SCE device
Subscriber Manager: RADIUS Integration, Pull
(diagram: subscribers, B-RAS, network; Cisco Subscriber Manager with RADIUS listener, internal SDB, event manager and SCE device controller)
1. B-RAS sends RADIUS Accounting-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay forwards the Accounting-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12 (stored in the internal SDB)
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "who is using IP 1.2.3.4?"
4. SM-API: Set Subscriber (Joe, 1.2.3.4, 12) answers the query
RADIUS Integration: LEG Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease-query LEG
The LEGs translate these into SM login (subscriber ID, domain, mappings, lease time, policy) and logout (subscriber ID, mappings) operations
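The push and pull flows and the attribute list above, as an added example (not Cisco's LEG or SM code): a minimal RADIUS Accounting-Request encoder and decoder (RFC 2866 framing, attributes 1, 8, 26, 32, 40) feeding a subscriber table that is updated on Start/Stop (push) and answered on an IP query (pull). The check a practitioner wants here is the Request Authenticator: an accounting listener that skips it will accept a spoofed Accounting-Start and re-map an address onto another subscriber's policy, so the parser refuses the packet before reading any attribute. The shared secret, the sample records and the choice to carry SCE-VAS-PID as a Cisco (vendor 9) VSA with sub-type 250 are assumptions for the example, not the real attribute encoding.

```python
from __future__ import annotations
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_ID, ACCT_STATUS = 1, 8, 26, 32, 40
START, STOP = 1, 2
CISCO, VSA_SCE_PID = 9, 250    # assumed: SCE-VAS-PID as a Cisco VSA, sub-type 250


def framed_ip(ip: str) -> bytes:
    return socket.inet_aton(ip)


def acct_status(kind: int) -> bytes:
    return struct.pack("!I", kind)


def pid_vsa(pid: int) -> bytes:
    val = str(pid).encode()
    return struct.pack("!IBB", CISCO, VSA_SCE_PID, 2 + len(val)) + val


def build_acct_request(secret: bytes, ident: int, attrs: list[tuple[int, bytes]]) -> bytes:
    """Encode an Accounting-Request; Request Authenticator per RFC 2866 section 3."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def parse_acct_request(pkt: bytes, secret: bytes) -> dict:
    """Verify the authenticator before trusting any attribute, then decode."""
    if len(pkt) < 20 or pkt[0] != ACCT_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expect = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expect, pkt[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or forged packet")
    rec: dict = {"vsa": {}}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        t, v = body[pos], body[pos + 2:pos + body[pos + 1]]
        if t == USER_NAME:
            rec["User-Name"] = v.decode()
        elif t == NAS_ID:
            rec["NAS-Identifier"] = v.decode()
        elif t == FRAMED_IP:
            rec["Framed-IP-Address"] = socket.inet_ntoa(v)
        elif t == ACCT_STATUS:
            rec["Acct-Status-Type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor, sub_t, sub_l = struct.unpack("!IBB", v[:6])
            rec["vsa"][(vendor, sub_t)] = v[6:4 + sub_l]
        pos += body[pos + 1]
    return rec


class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID). Push: RADIUS Start/Stop update
    the table (and would be sent to the SCE); pull: the SCE asks who_is(ip)."""
    def __init__(self, secret: bytes, default_policy: int = 1):
        self.secret, self.default_policy = secret, default_policy
        self.by_ip: dict[str, tuple[str, int]] = {}

    def on_radius(self, pkt: bytes) -> str | None:
        rec = parse_acct_request(pkt, self.secret)        # raises on forgery
        ip = rec["Framed-IP-Address"]
        if rec.get("Acct-Status-Type") == STOP:
            self.by_ip.pop(ip, None)                        # logout removes the mapping
            return None
        raw = rec["vsa"].get((CISCO, VSA_SCE_PID))
        pid = int(raw.decode()) if raw else self.default_policy
        self.by_ip[ip] = (rec["User-Name"], pid)            # login (push to the SCE)
        return rec["User-Name"]

    def who_is(self, ip: str) -> tuple[str, int] | None:
        return self.by_ip.get(ip)                           # pull query from the SCE
```

A sniffer-style LEG that only observes RADIUS on the wire cannot perform this check without the shared secret, which is one reason to prefer the listener (relay) deployment on an untrusted segment.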
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning
NetFlow v9: allows integration for billing / quota provisioning
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(diagram: Policy Server <-API-> Subscriber Manager <-API-> SCE)
PCEF: Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
(diagram: Subscriber Service Control (PCEF SCE), Access Aggregation and Service Control (GGSN), Converged Packet Core, Internet, Video/VoIP Applications and Services; steps 1-5)
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages; attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
Configurable data granularity: interval between RDRs; sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms
(diagram: an RDR stream over TCP to the mediation / collection platform; each RDR is a header followed by field 0, field 1, ..., field n)
Collection Manager: NetFlow v9 Export
- NetFlow Export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to existing RDR groups:
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow Collector (NetFlow Reporter)]
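The slide says the SCE emits standard NetFlow v9 with extra L7 fields. The template-driven v9 format (RFC 3954) is what makes that possible: a collector learns the record layout from a template FlowSet and can carry fields it has never seen. The parser below is an added example, not Cisco code and not the SCE's actual export; the field-type number 60001 is a placeholder standing in for a non-standard L7 field, and the sample packet is constructed inline. Two behaviours matter for a collector in a billing path: a data FlowSet whose template has not arrived yet is skipped rather than guessed at, and every length that comes from the wire is bounds-checked before use.

```python
import struct
import ipaddress
from typing import Any, Dict, List, Tuple

# Standard NetFlow v9 field types (RFC 3954). Types not listed here, such as the
# L7 fields of a pre-standard export, are kept as raw bytes keyed by their numeric
# type so the collector does not silently drop them.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
IPV4_FIELDS = {8, 12}
HEADER_FMT = "!HHIIII"  # version, count, sysUptime, unixSecs, sequence, sourceId


def decode_field(ftype: int, raw: bytes) -> Any:
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if ftype in FIELD_NAMES:
        return int.from_bytes(raw, "big")
    return raw  # unknown / enterprise field: keep the bytes for the analyst


def parse_v9(packet: bytes, templates: Dict[int, List[Tuple[int, int]]]):
    """Parse one v9 export packet. `templates` is caller-owned so template
    definitions survive across packets (data may arrive before its template;
    such records are skipped). Returns (header, records)."""
    if len(packet) < 20:
        raise ValueError("short v9 header")
    version, count, uptime, secs, seq, source_id = struct.unpack(HEADER_FMT, packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": source_id}
    records = []
    off = 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")  # never trust lengths from the wire
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:  # template FlowSet, may hold several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256:  # data FlowSet, identified by its template id
            fields = templates.get(fs_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            p = 0
            while fields and rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"TYPE_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)  # bytes left after the last full record are padding
        off += fs_len
    return header, records


def bytes_per_source(records) -> Dict[str, int]:
    """Usage per subscriber IP, the kind of aggregate a NUR-style record carries."""
    usage: Dict[str, int] = {}
    for r in records:
        usage[r["IPV4_SRC_ADDR"]] = usage.get(r["IPV4_SRC_ADDR"], 0) + r["IN_BYTES"]
    return usage


# --- constructed sample export (not a capture from an SCE) ---------------------
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (60001, 2)]
# 60001 is a placeholder type standing in for a non-standard L7 field.


def sample_record(src, dst, sport, dport, proto, nbytes, npkts, l7) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHBIIH", sport, dport, proto, nbytes, npkts, l7))


def build_sample_packet(with_template: bool = True) -> bytes:
    tmpl = struct.pack("!HH", 256, len(SAMPLE_FIELDS)) + b"".join(
        struct.pack("!HH", t, l) for t, l in SAMPLE_FIELDS)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = (sample_record("10.0.0.5", "203.0.113.7", 51234, 443, 6, 120000, 90, 7)
            + sample_record("10.0.0.9", "198.51.100.2", 6881, 6881, 6, 5000000, 4000, 42))
    data += b"\x00" * ((-len(data)) % 4)  # pad the FlowSet to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = struct.pack(HEADER_FMT, 9, 3, 123456, 1246406400, 1, 7)
    return header + (template_fs if with_template else b"") + data_fs


if __name__ == "__main__":
    templates = {}
    hdr, recs = parse_v9(build_sample_packet(), templates)
    print(hdr)
    for r in recs:
        print(r)
    print(bytes_per_source(recs))
```

Because templates are kept per exporter source, a real collector keys `templates` by (source address, source_id); the single dict here is enough to show the template-before-data ordering problem.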
Collection Manager: Software Overview
- CM software
  - Unix (Solaris, Linux) Java software
  - Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  - Template-driven reporting tool (100+ report templates)
- CM bundle
  - Cisco provides collection software pre-packaged with a DB (Sybase)
  - Template-driven reporting tool (100+ report templates)
ToS Marking
- ToS marking is decoupled from the queuing mechanism.
- Provides a simplified GUI configuration based on 7 selectable DSCP values.
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  - Per package
  - Per service
  - Per direction (upstream / downstream)
[Diagram: subscriber side and network side of the SCE; upstream and downstream flows for browsing, P2P and VoIP]
ToS Classification
- SCE provides traffic classification based on ToS bits.
- ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network.
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism.
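The two slides above describe two sides of one mechanism: reading the DSCP field to pick a service level, and rewriting it per package, service and direction. The example below is added here and is not SCE code; the marking table, the DSCP "flavor" mapping and the `trusted_directions` parameter are assumptions (the slide says the GUI offers 7 DSCP values but does not list them). Because ToS classification takes precedence over signatures and trusts that some other element set the bits, the classifier only honours DSCP on the direction the operator trusts; a mark carried in from the subscriber side falls back to the signature result. Rewriting the DS byte also requires recomputing the IPv4 header checksum, which the example does.

```python
import struct

# DSCP codepoints used by the example marking table (assumption for the example).
EF, AF21, CS1 = 46, 18, 8

# (package, service, direction) -> DSCP to write. Constructed policy.
MARK_TABLE = {
    ("gold", "voip", "upstream"): EF, ("gold", "voip", "downstream"): EF,
    ("gold", "browsing", "upstream"): AF21, ("gold", "browsing", "downstream"): AF21,
    ("silver", "p2p", "upstream"): CS1, ("silver", "p2p", "downstream"): CS1,
}

# DSCP "flavor" -> service, for ToS-based classification. Constructed.
DSCP_FLAVORS = {EF: "voip", CS1: "p2p"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, tos: int, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header with a valid checksum (no options)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(header: bytes) -> int:
    return header[1] >> 2  # top six bits of the ToS / DS byte


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP field, keep the two ECN bits, recompute the checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    ihl = (header[0] & 0x0F) * 4
    hdr = bytearray(header[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + header[ihl:]


def checksum_ok(header: bytes) -> bool:
    ihl = (header[0] & 0x0F) * 4
    return ipv4_checksum(header[:ihl]) == 0  # the sum including the stored checksum folds to zero


def classify(header: bytes, direction: str, signature_service: str,
             trusted_directions=("downstream",)) -> tuple:
    """ToS classification wins over the signature result, as the slide states,
    but only for packets arriving from a direction whose marking is trusted
    (assumption: the network side). Marks set by the subscriber side are ignored."""
    dscp = dscp_of(header)
    if direction in trusted_directions and dscp in DSCP_FLAVORS:
        return DSCP_FLAVORS[dscp], "dscp"
    return signature_service, "signature"


def mark(header: bytes, package: str, service: str, direction: str) -> bytes:
    """Apply the per-package / per-service / per-direction marking rule, if any."""
    dscp = MARK_TABLE.get((package, service, direction))
    return header if dscp is None else set_dscp(header, dscp)


if __name__ == "__main__":
    h = build_ipv4_header("10.0.0.5", "203.0.113.7", 17, tos=0x02)  # ECN bits set, DSCP 0
    marked = mark(h, "gold", "voip", "upstream")
    print(dscp_of(marked), checksum_ok(marked), marked[1] & 0x03)
    print(classify(marked, "downstream", "p2p"))  # DSCP flavor wins on the trusted side
    print(classify(marked, "upstream", "p2p"))    # subscriber-side mark ignored
```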
Summary
Cisco SCE Sample Customers
[Diagram: customer logos grouped by access type: Mobile, DSL, Cable]
[Diagram: solution areas with partners and customers; the table layout is not recoverable from the extracted text]
- Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising; Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
- Partners named: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; Phorm, Feeva, Adzilla, Local China, Local Italy; Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
- Customers named: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom; various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Behavioral Signatures
- Finding new signatures becomes a difficult task:
  - Signatures are more complex (encryption)
  - Protocol signatures are evolving all the time (new application versions)
  - Many geography-specific applications
  - In some cases almost impossible (new trend of 'anti-shaping')
- It's both a scalability and a feasibility challenge.
Behavioral Classification: Benefits
- Scalability: the behavioral approach is capable of recognizing the application flows based only on a few signatures; one signature per application family instead of one signature per application (Behavioral P2P).
- Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such a case there is no need to recognize the specific P2P application.
- Time to market (zero-day response): the Behavioral P2P signature uses a heuristic approach; a new P2P client version does not necessarily require development of new signatures.
Peer-to-Peer Management amp Network Optimization
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 40
ApplicationSessions or Bandwidth
Time BasedPeakOff-Peak Hours
CongestionSelective Prioritization
SubscriberPer-Sub Limits
DestinationOn-NetPeeringTransit
Service LevelPolicy Dimensions
Policy Implementation Impact
SCErsquos Flexible ControlPolicy Implementation
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 41
Adaptive Subscriber Bandwidth AllocationImprove User Experience
peer to peerservice
webbrowsing
peer to peerservice
emailwebbrowsing
mobile tv
peer to peerservice
webbrowsing
User launches videopeer to peer
service
webbrowsing
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 42
Fair UsageThe Challenge
Bandwidth needs to be fairly distributed in real-time with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition monitoring and acting on longer term violation of the subscription planlsquos acceptable usage policies to ensure a balanced community of subscribers
Two subscribers share network resources
(and the network cannot fully satisfy both)
If at 040 the MSO divides bandwidth
equally between them would that be fair
Clearly Sub A is not getting a fair share of
the resources
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 43
Fair UsageSCE ndash Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Ciscorsquos SCE DPI gear
Enabling SPs to
ndash Apply equitable distribution of network resources
ndash Improve the Quality of Experience that the network delivers
ndash Minimize service-abuse
FairUsage works only during congestion times
No Fairness ndash Some of the subscribers not getting a fair share of the BW
Fair allocation of BW with the SCErsquos FairShare
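The slides above make three points: an equal split of bandwidth is not the same as a fair one, short-term and longer-term usage should both weigh in, and the scheme acts only under congestion. The example below is added here to show one concrete way those points combine: a weighted max-min (water-filling) allocation in which a subscriber's weight drops when it exceeds a short-term window or its plan's monthly envelope. It is not Cisco's FairShare algorithm; the thresholds, the halving of the weight and the sample subscribers are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SubscriberDemand:
    name: str
    demand_mbps: float     # what the subscriber is trying to use right now
    window_mb: float       # volume moved in the short-term window (e.g. last 5 min)
    month_gb: float        # longer-term usage against the plan's acceptable-use level
    plan_month_gb: float   # the plan's acceptable-use threshold


def fairness_weight(sub: SubscriberDemand, window_cap_mb: float = 500.0) -> float:
    """Weight 1.0 for a subscriber inside both the short-term and the monthly
    envelope; halved for each envelope exceeded. Thresholds and the halving
    are assumptions for the example, not the SCE's own algorithm."""
    w = 1.0
    if sub.window_mb > window_cap_mb:
        w *= 0.5
    if sub.month_gb > sub.plan_month_gb:
        w *= 0.5
    return w


def weighted_max_min(capacity: float, demands: Dict[str, float],
                     weights: Dict[str, float]) -> Dict[str, float]:
    """Weighted max-min fair share (water-filling): a subscriber whose demand
    fits under its weighted share gets it in full; the remainder is split
    among the others in proportion to their weights."""
    alloc = {s: 0.0 for s in demands}
    active = set(demands)
    remaining = capacity
    while active:
        wsum = sum(weights[s] for s in active)
        share = remaining / wsum                     # capacity per unit of weight
        fits = [s for s in active if demands[s] <= weights[s] * share + 1e-9]
        if not fits:                                 # everyone left is bottlenecked
            for s in active:
                alloc[s] = weights[s] * share
            break
        for s in fits:
            alloc[s] = demands[s]
            remaining -= demands[s]
            active.discard(s)
    return alloc


def allocate(capacity_mbps: float, subs: List[SubscriberDemand]) -> Dict[str, float]:
    """Fair usage acts only under congestion: when total demand fits, everyone gets what they ask."""
    demands = {s.name: s.demand_mbps for s in subs}
    if sum(demands.values()) <= capacity_mbps:
        return demands
    weights = {s.name: fairness_weight(s) for s in subs}
    return weighted_max_min(capacity_mbps, demands, weights)


SAMPLE = [  # constructed subscribers
    SubscriberDemand("A", 2.0, 40.0, 3.0, 50.0),     # light user, web browsing
    SubscriberDemand("B", 20.0, 900.0, 80.0, 50.0),  # sustained P2P, over both envelopes
    SubscriberDemand("C", 6.0, 120.0, 20.0, 50.0),   # video, inside the envelope
]

if __name__ == "__main__":
    print(allocate(10.0, SAMPLE))   # congested: A 2.0, B 2.0, C 6.0
    print(allocate(40.0, SAMPLE))   # no congestion: demands returned as-is
```

With equal weights the same 10 Mbps link gives A 2, B 4 and C 4: the heavy user and the video user are treated alike. With the usage-derived weights, C is fully served and B absorbs the shortfall, which is the slide's "fair share" in concrete terms.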
RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at the RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging (e.g. email only)
- Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN, SGSN/GGSN, SCE, Internet (GPRS), with a policy server attached to the SCE]
Tiered Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 46
Requirement Flexible Billing Plans
Volume
Time
Bill by bandwidth
usage over always on service
Time
Volume
Transaction
Content Type
Bill differently for each type of
application and content
Volume
Transaction
Content Type
Usage Pattern
Quality of Service
Bill differently for the same content
based on quality priority time of day and usage
pattern
SubscriptionSubscription
Time
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 47
Allowance or Quota Based ServicesBuy Time or Bandwidth as Needed
This Feature Allows Subscribers to Choose Volume Quota-Based or Time-Based Bandwidth for a Set Period of Time for Example on a Monthly Basis
Allowance Based Subscription
This Option Is Ideal for Subscribers Who Use the Internet Intermittently and Only Want to Buy Time or Bandwidth as Needed When Users Launch Their Browsers They Are Redirected to a Web Portal Where They Select the Two-hour ―Pay As You Go Option After Two Hours the Session Could Either Be Terminated or the User Could Purchase More Usage
Pay-as-You-Go Subscription Service
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 48
Quota Measurement Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine collection server and easy to use reporting tools
Service Control
EngineSubscribers
bullNetwork
Quota Manager BillingMediation Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that has other than Access Revenues can be exempted from Quota counting
SPlsquos Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SPlsquos Gaming Services
SPlsquos VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during time of dayPeak Hour 1 byte of transfer = 1 byte of quota
Middle of Night 10 byte of transfer = 1 byte of quota
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the Online Charging Server
[Diagram: subscriber, SCE (access aggregation and service control), GGSN, converged packet core, Internet; video / VoIP applications and services; numbered steps 1 to 3]
- The Gy interface is still under development and will be available in a future release.
Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types:
  - Volume
  - Time
  - Event driven
- High availability and load balancing between Online Charging Servers
[Diagram: SCE connected to the Online Charging Server over Gy over Diameter, and to the Internet]
- The Gy interface is still under development and will be available in a future release.
Quota-Based Tiering: Telenet, Cable Company in Belgium
- http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter.
- When a user reaches the quota, his Internet service is reduced to dial-up speed.
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month.
- 15% of the customers upgrade their quota every month.
[Screenshot: Telenet self-care portal. Callouts: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
[Screenshot: redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend subscription (buy more); pay as you go on broadband; continue for free on narrowband]
Quota Based Services: Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan; revenue increase
- 40% reduction in service support calls relating to this service; increased customer service satisfaction
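The quota slides earlier in this section (exempt content, time-of-day weighting of 1:1 at peak and 10:1 at night) and the Telenet slides above (redirect at 100% of quota with three options, reduced speed until month end) describe one accounting-and-enforcement loop. The example below is added here to put that loop in code; it is not Cisco's quota manager. The 56 kbps "dial-up" rate, the 1 GB top-up size, the exempt service names and the off-peak hours are assumptions for the example. Note that the plan object is shared between subscribers, so a top-up must replace the subscriber's plan rather than mutate the shared one.

```python
from dataclasses import dataclass, replace
from datetime import datetime
from typing import Dict, Set

MB = 1024 * 1024


@dataclass(frozen=True)
class QuotaPlan:
    monthly_quota: int              # bytes of quota per month
    exempt_services: frozenset      # traffic not counted against quota
    offpeak_hours: frozenset        # hours (0-23) counted at the reduced rate
    offpeak_divisor: int = 10       # 10 bytes of transfer = 1 byte of quota
    narrowband_kbps: int = 56       # "dial-up speed"; the exact figure is an assumption
    topup_bytes: int = 1024 * MB    # size of an "extend subscription" purchase (assumption)


def quota_cost(plan: QuotaPlan, service: str, nbytes: int, when: datetime) -> int:
    """Bytes of quota consumed by `nbytes` of `service` transferred at `when`."""
    if service in plan.exempt_services:
        return 0
    if when.hour in plan.offpeak_hours:
        return nbytes // plan.offpeak_divisor
    return nbytes


@dataclass
class SubscriberQuota:
    name: str
    plan: QuotaPlan
    used: int = 0
    state: str = "normal"   # normal | reached | payg | narrowband

    def account(self, service: str, nbytes: int, when: datetime) -> str:
        self.used += quota_cost(self.plan, service, nbytes, when)
        if self.state == "normal" and self.used >= self.plan.monthly_quota:
            self.state = "reached"   # the next browser request is redirected to the portal
        return self.state

    def http_action(self) -> Dict:
        """What the enforcement point does with the subscriber's next HTTP request."""
        if self.state == "reached":
            return {"action": "redirect", "options": ["extend", "payg", "narrowband"]}
        if self.state == "narrowband":
            return {"action": "rate-limit", "kbps": self.plan.narrowband_kbps}
        return {"action": "pass"}

    def choose(self, option: str) -> str:
        """Apply the option picked on the redirect page."""
        if self.state != "reached":
            raise ValueError("no choice pending")
        if option == "extend":
            # replace() gives this subscriber a bigger plan without touching the shared one
            self.plan = replace(self.plan, monthly_quota=self.plan.monthly_quota + self.plan.topup_bytes)
            self.state = "normal"
        elif option in ("payg", "narrowband"):
            self.state = option
        else:
            raise ValueError(f"unknown option {option!r}")
        return self.state

    def remaining(self) -> int:
        return max(self.plan.monthly_quota - self.used, 0)


# Constructed plan: 2 GB per month, SP-owned services exempt, 00:00-05:59 at 10:1.
PLAN = QuotaPlan(
    monthly_quota=2 * 1024 * MB,
    exempt_services=frozenset({"sp-content-store", "sp-voip", "sp-gaming"}),
    offpeak_hours=frozenset(range(0, 6)),
)

if __name__ == "__main__":
    peak, night = datetime(2009, 7, 1, 20, 0), datetime(2009, 7, 1, 3, 0)
    s = SubscriberQuota("joe", PLAN)
    print(s.account("p2p", 1500 * MB, peak), s.remaining() // MB)      # normal 548
    print(s.account("p2p", 6000 * MB, night), s.remaining() // MB)     # reached 0
    print(s.http_action())
    print(s.choose("narrowband"), s.http_action())
```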
T-Mobile: Quota-Based With Application Control
Allowances as extracted: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB (six values for the seven plans below; which plan lacks a value is not recoverable from the extracted text)
Feature           Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
VoIP              ✓        ✗    ✗        ✗         ✗        ✓         ✗
IM                ✓        ✗    ✗        ✗         ✓        ✓         ✗
P2P               ✓        ✗    ✓        ✗         ✓        ✓         ✗
FTP               ✓        ✗    ✓        ✗         ✓        ✓         ✗
Media stream      ✓        ✗    ✓        ✗         ✓        ✓         ✗
Web browsing      ✓        ✓    ✓        ✓         ✓        ✓         ✓
Downloads         ✓        ✗    ✓        ✓         ✓        ✓         ✓
Emails            ✓        ✓    ✓        ✓         ✓        ✓         ✓
Handset as modem  ✓        ✗    ✓        ✗         ✓        ✓         ✗
European Mobile BB: Web 3G and Skype for Mobile
- "Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile: Volume Quota
- http://www.vodafone.es/particulares/internet
[Chart residue: > 40]
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
- Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": enhanced experience is application-driven (application awareness, control bus)
[Diagram: broadband access with IPTV / VoD, gaming, messaging and music / voice services connected over a control bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
[Screenshot: personalization via self-selection]
Bandwidth on Demand: Meeting Subscriber Needs on Demand
- Turbo button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting / monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
- Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example: Content Tiering, "Kids Broadband"
- Application- and content-based access control with white-lists / blacklists
  - Limits access to pre-defined web sites
  - Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Diagram: a "Content Blocked: click here to unlock all Internet sites" page presented between the subscriber and the Internet]
URL Filtering with External DB
- Enhance SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
[Diagram: on-device URL filtering with external database integration. If the URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache is then updated (cache lookup / update).]
Policy per subscriber package (HTTP action by URL list):
Subscriber package   DEFAULT   HTTP, list ID 1   HTTP, list ID 2
Block-none           ALLOW     ALLOW             ALLOW
Block-all            ALLOW     BLOCK             BLOCK
Block-and-slow       ALLOW     BLOCK             RATE 64kbps
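The slide's policy table and its cache-in-front-of-an-external-database diagram fit in a few dozen lines, which is a useful way to see where such a filter is weak. The example below is added here and is not the SCE's URL filtering code or its Java API; the external database, its contents and the LRU cache size are constructed. The detail worth attention is canonicalization: if `Streaming.Example.NET.` and `streaming.example.net` were cached and looked up as different keys, each spelling would cost a database transaction and a category lookup could be dodged by case, a trailing dot or userinfo in the URL.

```python
from collections import OrderedDict
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Actions from the slide's policy table: package -> URL list id -> action.
# List id 0 is DEFAULT (the URL is in no list).
POLICY = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


def canonical_host(url: str) -> Optional[str]:
    """Normalize the host so lookalike spellings hit the same cache entry and
    DB record: lowercase, strip a trailing dot, ignore userinfo and port."""
    try:
        host = urlsplit(url if "://" in url else "http://" + url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip(".")


class UrlClassifier:
    """On-device cache in front of an external URL database (a callable that
    takes a host and returns a list id). Cache and DB are constructed stand-ins."""

    def __init__(self, external_db: Callable[[str], int], cache_size: int = 4):
        self.db = external_db
        self.cache: "OrderedDict[str, int]" = OrderedDict()
        self.cache_size = cache_size
        self.db_queries = 0

    def list_id(self, url: str) -> int:
        host = canonical_host(url)
        if host is None:
            return 0  # unparsable request falls to DEFAULT; the package decides
        if host in self.cache:
            self.cache.move_to_end(host)      # LRU hit
            return self.cache[host]
        self.db_queries += 1                  # cache miss: "URL query" to the 3rd-party DB
        lid = self.db(host)
        self.cache[host] = lid
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)    # evict the least recently used entry
        return lid

    def action(self, package: str, url: str) -> str:
        table = POLICY.get(package)
        if table is None:
            raise KeyError(f"unknown package {package!r}")
        return table.get(self.list_id(url), table[0])


# --- constructed external database -------------------------------------------
EXTERNAL_DB: Dict[str, int] = {
    "adult.example.org": 1,        # list 1: categories to block
    "streaming.example.net": 2,    # list 2: categories to block or slow down
}


def lookup_external(host: str) -> int:
    """Match the host or any parent domain, most specific first."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        lid = EXTERNAL_DB.get(".".join(labels[i:]))
        if lid is not None:
            return lid
    return 0


if __name__ == "__main__":
    c = UrlClassifier(lookup_external)
    for pkg, url in [("Block-and-slow", "http://user@Streaming.Example.NET.:8080/video?x#y"),
                     ("Block-all", "streaming.example.net/other"),
                     ("Block-none", "http://adult.example.org/"),
                     ("Block-all", "http://cdn.adult.example.org/")]:
        print(pkg, url, "->", c.action(pkg, url))
    print("external DB queries:", c.db_queries)
```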
Parental Control and Content Filtering: Example
[Screenshot: content filtering; "Page Blocked: Forbidden Content Detected"]
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
- Leveraging their intimacy with their customer base for enabling enhanced targeting
[Diagram: advertiser, publisher, consumer; the ISP contributes demographics, browsing habits and geo-location to "BetterAds"]
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit, ...)
P2P Identification: Infringing / Non-Infringing
[Diagram: subscriber, SCE, network, with a hash DB attached to the SCE]
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
[Diagram: SCE between subscribers (OTT, other OTT / P2P and VoIP traffic) and the Internet; the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; increase in demand for OTT]
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
- Mitigates security threats in the open broadband network:
  - DoS: DoS attacks from subscribers
  - Spam: spam activity from botnets or malicious users
  - Worms: worm infections and propagation attempts
- Three-tier solution uses a combination of anomaly detection and signature matching to:
  - Identify: the threat is identified using stateful traffic processing, and SP operations are alerted
  - Protect: block / mitigate the threat based on the configured policy
  - Notify: quarantine the subscriber and notify them of the security risk
[Diagram: Service Control between subscribers and the Internet / email servers. Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]
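The identify / protect / notify loop above rests on per-subscriber anomaly detection over stateful traffic. The example below is added here to show what that looks like for the two outbound cases the slide names, a spam zombie and a propagating worm, using the fan-out of a subscriber's connections inside a sliding window; it is not Cisco's detection engine and the thresholds, window length and sample flows are constructed for the example (the SCE's thresholds are configured on its dashboard). The flow records are a simplified five-field shape assumed for the example, not the SCE's RDR layout.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    sub_ip: str      # subscriber-side address
    dst_ip: str
    dst_port: int
    syn_only: bool   # connection attempt with no completed handshake


# Thresholds and window are assumptions for the example.
WINDOW_S = 60.0
SMTP_FANOUT = 20   # distinct mail servers contacted per window -> spam zombie
SCAN_FANOUT = 30   # distinct hosts probed on one port per window -> worm scan


class SubscriberSecurityMonitor:
    """Per-subscriber anomaly detection over a sliding window, feeding the
    identify -> protect -> notify steps described on the slide."""

    def __init__(self):
        self.smtp: Dict[str, deque] = defaultdict(deque)   # (ts, dst_ip)
        self.syns: Dict[str, deque] = defaultdict(deque)   # (ts, dst_port, dst_ip)
        self.state: Dict[str, str] = {}                    # sub_ip -> quarantine reason
        self.events: List[dict] = []

    @staticmethod
    def expire(q: deque, now: float):
        while q and q[0][0] < now - WINDOW_S:
            q.popleft()

    def observe(self, f: Flow):
        if f.sub_ip in self.state:
            return  # already quarantined; the enforcement point applies the policy
        reason = None
        if f.dst_port == 25:
            q = self.smtp[f.sub_ip]
            q.append((f.ts, f.dst_ip))
            self.expire(q, f.ts)
            if len({d for _, d in q}) >= SMTP_FANOUT:
                reason = "spam-zombie"
        if f.syn_only:
            q = self.syns[f.sub_ip]
            q.append((f.ts, f.dst_port, f.dst_ip))
            self.expire(q, f.ts)
            per_port = defaultdict(set)
            for _, port, dst in q:
                per_port[port].add(dst)
            if any(len(hosts) >= SCAN_FANOUT for hosts in per_port.values()):
                reason = reason or "worm-scan"
        if reason:
            self.respond(f.sub_ip, reason, f.ts)

    def respond(self, sub_ip: str, reason: str, ts: float):
        self.state[sub_ip] = reason
        self.events.append({"step": "identify", "sub": sub_ip, "reason": reason, "ts": ts})
        self.events.append({"step": "protect", "sub": sub_ip, "policy": "quarantine-package"})
        self.events.append({"step": "notify", "sub": sub_ip, "channel": "portal-redirect"})


def sample_flows() -> List[Flow]:
    """Constructed traffic: one host mailing 25 servers in 25 s, one host using
    its ISP relay normally, one host SYN-probing 40 neighbours on port 445."""
    flows = []
    for i in range(25):
        flows.append(Flow(100 + i, "10.1.1.7", f"198.51.100.{i + 1}", 25, False))
    for i in range(3):
        flows.append(Flow(110 + i, "10.1.1.8", "203.0.113.25", 25, False))
    for i in range(40):
        flows.append(Flow(200 + i * 0.5, "10.1.1.9", f"10.1.2.{i + 1}", 445, True))
    return flows


def run(flows: List[Flow]) -> Dict[str, str]:
    mon = SubscriberSecurityMonitor()
    for f in sorted(flows, key=lambda x: x.ts):
        mon.observe(f)
    return dict(mon.state)


if __name__ == "__main__":
    print(run(sample_flows()))   # {'10.1.1.7': 'spam-zombie', '10.1.1.9': 'worm-scan'}
```

The same 25 mail servers contacted over four hours would not trip the detector, which is the point of counting fan-out within a window rather than a lifetime total: a subscriber's normal mail pattern is low fan-out, an infected host's is not.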
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1, SCE, carrier Ethernet / MPLS / IP, Internet, with a VAS server attached to the SCE; inbound and outbound traffic; X marks traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application.
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package.
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server.
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine.
Network Insertion and Configuration
Network Insertion Point
- Typical insertion point: broadband edge / aggregation
  - Directly after the subscriber aggregator (B-RAS / CMTS / retail LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
- Issues to consider:
  - Traffic visibility (the engine must see all traffic it needs to control)
  - Network interfaces
  - Split flow
  - Network redundancy
  - IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions.
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions).
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa.
[Diagram: analysis engine applying PDR (police / drop / rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
- Receive-only configuration
  - Using optical splitters / port span
  - Traffic monitoring only
- Inline configuration
  - Engine installed in the data path
  - Monitor and control traffic
[Diagram: subscribers and network connected through optical splitters to a receive-only SCE, or directly through an inline SCE]
High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active / standby failover
- Slave forwards all traffic to the Master for processing
- Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, each on an active link]
Redundant Configurations: Active / Standby Schemes
- 1+0
  - Active / standby: SCE on the active link
  - On failure, the network uses the alternate path
  - No service redundancy
  - Bypass config: fail opened
- 1+1
  - Active / standby: SCE on each link
  - On failure, the network uses the alternate path
  - Standby SCE resumes service
  - Bypass config: fail opened
[Diagram: active and standby links]
Optical Bypass
- The SCE can be inserted through optical bypass modules.
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
[Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state; port labels omitted]
MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, for maintaining flow & subscriber states
[Diagram: 7600 with N+1 SCEs; flows out and return flows; Internet]
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: DSL / fiber subscribers via BRAS / LAC / LNS and mobile subscribers via GGSN, through SCEs deployed as 1+1 HA, bypass HA or N+1 clusters, to the Internet; accounting and policy control systems attached]
Tunneling Environment: SCE Supports Tunneled IP Traffic
- Packet inspection supports various packet encapsulation or tunneling techniques, including:
  - VLAN 802.1q tagging
  - MPLS traffic engineering
  - L2TP tunneling
  - IP-in-IP tunneling
  - GRE & GTP planned for end of 2009
[Diagram: encapsulation stacks, e.g. payload / TCP / IP / L2TP or MPLS, and payload / TCP / IP / PPP]
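A bump-on-a-wire engine only classifies what it can see, so every encapsulation on the slide is a layer it must strip before the inner IP header and ports are available. The walker below is added as an example and is not the SCE's packet parser; it handles 802.1Q (including stacked tags), an MPLS label stack and IP-in-IP, and reports GRE, IPv6 and other stacks as unsupported rather than guessing, which mirrors the slide's note that GRE and GTP were still planned. The sample frame is constructed inline; its IP checksums are left at zero because the walker does not validate them.

```python
import struct
from typing import Dict

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47


def decapsulate(frame: bytes) -> Dict:
    """Walk the encapsulation chain of an Ethernet frame down to the inner IPv4
    header and transport ports. Returns the chain seen and the inner 5-tuple,
    or the chain plus an `unsupported` marker for stacks this example does not parse."""
    out: Dict = {"chain": [], "inner": None, "unsupported": None}
    if len(frame) < 14:
        out["unsupported"] = "short frame"
        return out
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype == ETH_VLAN:                          # 802.1Q, possibly QinQ
        if off + 4 > len(frame):
            out["unsupported"] = "truncated VLAN tag"
            return out
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        out["chain"].append(f"802.1Q vid {tci & 0x0FFF}")
        off += 4
    if ethertype == ETH_MPLS:
        while True:                                       # label stack until the bottom-of-stack bit
            if off + 4 > len(frame):
                out["unsupported"] = "truncated MPLS stack"
                return out
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            out["chain"].append(f"MPLS label {entry >> 12}")
            off += 4
            if (entry >> 8) & 1:
                break
        if off >= len(frame) or frame[off] >> 4 != 4:     # no control word; expect IPv4 next
            out["unsupported"] = "non-IPv4 after MPLS"
            return out
    elif ethertype != ETH_IPV4:
        out["unsupported"] = f"ethertype 0x{ethertype:04x}"
        return out
    return parse_ipv4(frame, off, out)


def parse_ipv4(frame: bytes, off: int, out: Dict) -> Dict:
    if off + 20 > len(frame) or frame[off] >> 4 != 4:
        out["unsupported"] = "truncated or non-IPv4 header"
        return out
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(frame):
        out["unsupported"] = "bad IHL"
        return out
    proto = frame[off + 9]
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    if proto == IPPROTO_IPIP:                             # IP-in-IP: recurse into the inner header
        out["chain"].append(f"IPv4-in-IPv4 {src}->{dst}")
        return parse_ipv4(frame, off + ihl, out)
    inner = {"src": src, "dst": dst, "proto": proto}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and off + ihl + 4 <= len(frame):
        inner["sport"], inner["dport"] = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    elif proto == IPPROTO_GRE:
        out["unsupported"] = "GRE"                        # not parsed by this example
    out["inner"] = inner
    return out


# --- constructed frames -------------------------------------------------------
def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header, checksum left at zero (not validated by the walker)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src_b, dst_b)


def build_sample_frame() -> bytes:
    """Ethernet / 802.1Q vid 100 / MPLS 1000, 2000 / IPv4 / IPv4 / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
    inner_ip = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_TCP, len(tcp)) + tcp
    outer_ip = ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, len(inner_ip)) + inner_ip
    mpls = struct.pack("!II", (1000 << 12), (2000 << 12) | 0x100)   # S bit on the last label
    vlan = struct.pack("!HH", 100, ETH_MPLS)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_VLAN)
    return eth + vlan + mpls + outer_ip


def build_plain_frame(proto: int) -> bytes:
    """Untagged Ethernet / IPv4 with the given protocol number and no payload."""
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4_header("10.0.0.1", "10.0.0.2", proto, 0)


if __name__ == "__main__":
    print(decapsulate(build_sample_frame()))
    print(decapsulate(build_plain_frame(IPPROTO_GRE)))
```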
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer.
- Modular solution includes SCE devices, management tools and integration APIs
[Diagram: Service Control Engine between subscribers and the network; Subscriber Manager integrated with AAA, DHCP and RADIUS; billing; reporting tool; Engage console; service portal; Collection Manager; policy server / portal]
Management and Integrations
- Network Management
  - Description: FCAPS
  - Protocols and tools: SNMP, CLI, SSH
  - External software modules: N/A
- Policy / Service Configuration
  - Description: definition of policies and dissemination to SE devices
  - Protocols and tools: SCA-API, GUI, scripts, XML
  - External software modules: Service Control Application Suite GUI
- Subscriber Management
  - Description: dynamic management of subscriber contexts
  - Protocols and tools: SM API, RADIUS
  - External software modules: Subscriber Manager
- Data Collection
  - Description: collection of usage data for reporting and billing
  - Protocols and tools: NetFlow v9, RDR-Protocol
  - External software modules: Collection Manager
Network Management (FCAPS)
- SNMP (v2)
  - MIB-II
  - Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  - Traps: MIB-II traps, RDR link up / down, link status up / down
- CLI
  - Telnet / SSH
  - Cisco look and feel
  - CLI configuration wizard
Management: Network Navigator, a Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices / sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate / bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a subscriber real-time report
Service Security Dashboard
- Integrated console to manage the service security functionality:
  - View / load / edit signatures
  - Configure identification thresholds
  - Set up mitigation actions
  - View reports
Subscriber Management
- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber quotas: set / add / read usage quota buckets
- Integration into back-office / AAA:
  - RADIUS AAA
  - DHCP servers
  - Policy control systems
Subscriber Manager: Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push
[Diagram: B-RAS in the network; Cisco Subscriber Manager with RADIUS listener, event manager, internal SDB and SCE device controller; SCE; subscribers]
1. (RADIUS) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE
Subscriber Manager: RADIUS Integration, Pull
[Diagram: same components as the push case]
1. (RADIUS) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration / LEGs Translation in Brief
RADIUS attributes:
  User-Name
  NAS-Identifier
  Framed-IP-Address
  Vendor-Specific
DHCP:
  yiaddr, chaddr, ciaddr
  Options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
Login Event Generators (LEGs) feeding the SM:
  RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
  DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation into SM operations:
  Login: Subscriber ID, Domain, Mappings, Lease time, Policy
  Logout: Subscriber ID, Mappings
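As an added illustration of the push and pull modes and the LEG translation above (example code written for this page, not Cisco's SM API, which the deck says is provided in C and Java): a RADIUS accounting LEG turns Acct-Start/Acct-Stop into SM login/logout, the SM keeps the IP-to-subscriber SDB, and the SCE is either fed by push or asks the SM on first-seen traffic. The attribute names follow the slides; the vendor-specific attribute carrying the package ID is modelled as a plain "SCE-VAS-PID" key, and the default package ID of 0 is an assumption.

```python
# Added example: Subscriber Manager push/pull model (not Cisco's SM API, which is C/Java).
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_POLICY_ID = 0  # assumption: package applied to traffic from an unknown IP


@dataclass
class SubscriberContext:
    subscriber_id: str  # Subscriber-ID
    network_id: str     # Network-ID: IP address that maps traffic to this context
    policy_id: int      # Policy-ID: package defining the rules


class SCE:
    def __init__(self) -> None:
        self.mappings: Dict[str, SubscriberContext] = {}  # only what the SCE has been told
        self.sm: Optional["SubscriberManager"] = None
        self.pull_queries = 0

    def set_subscriber(self, ctx: SubscriberContext) -> None:
        self.mappings[ctx.network_id] = ctx

    def remove_subscriber(self, ip: str) -> None:
        self.mappings.pop(ip, None)

    def classify(self, src_ip: str) -> Tuple[str, int]:
        """(subscriber_id, policy_id) for a packet from src_ip."""
        ctx = self.mappings.get(src_ip)
        if ctx is None and self.sm is not None and self.sm.mode == "pull":
            self.pull_queries += 1            # pull: "who is using IP src_ip?"
            ctx = self.sm.lookup(src_ip)
            if ctx is not None:
                self.mappings[src_ip] = ctx   # remember the answer locally
        return (ctx.subscriber_id, ctx.policy_id) if ctx else ("anonymous", DEFAULT_POLICY_ID)


class SubscriberManager:
    """Holds the internal SDB; in push mode every login is forwarded to the SCE at once."""

    def __init__(self, mode: str, sce: SCE) -> None:
        if mode not in ("push", "pull"):
            raise ValueError("mode must be 'push' or 'pull'")
        self.mode, self.sce = mode, sce
        sce.sm = self
        self.sdb: Dict[str, SubscriberContext] = {}  # keyed by Network-ID
        self.persisted_policy: Dict[str, int] = {}   # policies survive logout/login

    def login(self, subscriber_id: str, ip: str, policy_id: Optional[int] = None) -> SubscriberContext:
        if policy_id is None:  # login carried no package attribute: reuse the persisted policy
            policy_id = self.persisted_policy.get(subscriber_id, DEFAULT_POLICY_ID)
        self.persisted_policy[subscriber_id] = policy_id
        old = self.sdb.get(ip)
        if old is not None and old.subscriber_id != subscriber_id:
            self.sce.remove_subscriber(ip)   # IP reuse: previous owner must stop matching
        ctx = SubscriberContext(subscriber_id, ip, policy_id)
        self.sdb[ip] = ctx
        if self.mode == "push":
            self.sce.set_subscriber(ctx)
        return ctx

    def logout(self, subscriber_id: str, ip: str) -> bool:
        ctx = self.sdb.get(ip)
        if ctx is None or ctx.subscriber_id != subscriber_id:
            return False
        del self.sdb[ip]
        self.sce.remove_subscriber(ip)   # both modes: the SCE must not keep a stale mapping
        return True

    def lookup(self, ip: str) -> Optional[SubscriberContext]:
        return self.sdb.get(ip)


def radius_accounting_leg(sm: SubscriberManager, attrs: Dict[str, object]):
    """RADIUS LEG: translate an Acct-Start / Acct-Stop into an SM login / logout."""
    user, ip = str(attrs["User-Name"]), str(attrs["Framed-IP-Address"])
    status = attrs.get("Acct-Status-Type")
    if status == "Start":
        pid = attrs.get("SCE-VAS-PID")   # vendor-specific attribute carrying the package ID
        return sm.login(user, ip, None if pid is None else int(pid))
    if status == "Stop":
        return sm.logout(user, ip)
    raise ValueError(f"unsupported Acct-Status-Type: {status!r}")


def run_scenario(mode: str) -> dict:
    """Replay the slides' Joe / 1.2.3.4 / package 12 sequence with constructed messages."""
    sce = SCE()
    sm = SubscriberManager(mode, sce)
    radius_accounting_leg(sm, {"Acct-Status-Type": "Start", "User-Name": "Joe",
                               "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": 12})
    out = {"mapped_before_traffic": "1.2.3.4" in sce.mappings}
    out["first"] = sce.classify("1.2.3.4")
    out["queries"] = sce.pull_queries
    radius_accounting_leg(sm, {"Acct-Status-Type": "Stop", "User-Name": "Joe",
                               "Framed-IP-Address": "1.2.3.4"})
    out["after_logout"] = sce.classify("1.2.3.4")
    # Re-login from a new IP without a package attribute: persisted policy is reapplied
    radius_accounting_leg(sm, {"Acct-Status-Type": "Start", "User-Name": "Joe",
                               "Framed-IP-Address": "5.6.7.8"})
    out["relogin"] = sce.classify("5.6.7.8")
    return out
```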
Policy Server Integration / API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
  SCE API – allows direct subscriber management with the SCE (provided in Java)
  SM API – allows dynamic subscriber management (provided in C and Java)
  SCE MIB – allows integration for maintenance operations
  RDRs – allow integration for billing/quota provisioning cases
  NetFlow v9 – allows integration for billing/quota provisioning cases
Policy Servers Integration / Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID, together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE – Subscriber Manager – Policy Server, connected through the APIs)
PCEF – Subscriber Policy Enforcement
(Diagram: GGSN, access aggregation and service control with the PCEF SCE, converged packet core, Internet, video/VoIP applications and services, with numbered steps on the figure)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
  Called-Station-Id
  3GPP-SGSN-IP-Address
  3GPP-SGSN-MCC-MNC
  3GPP-GPRS-Negotiated-QoS-Profile
  3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
  Cisco bundled Collection Manager
  Third-party database
Configurable data granularity:
  Interval between RDRs
  Sample rates
Collection Manager / RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
(Diagram: RDR stream over TCP from the SCE to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, …, Field n)
Collection Manager / NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
  Subscriber Usage (NUR)
  Package Usage (PUR)
  Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCE exporting to the SCMS Collection Manager with the SCMS Reporter, and to a NetFlow Collector with a NetFlow Reporter)
Collection Manager / Software Overview
CM software:
  Unix (Solaris, Linux) Java software
  Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  Template-driven reporting tool (100+ report templates)
CM bundle:
  Cisco provides the collection software pre-packaged with a DB (Sybase)
  Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  – per package
  – per service
  – per direction (upstream / downstream)
(Diagram: subscriber side and network side, upstream flows and downstream flows, example services Browsing, P2P, VoIP)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
(Figure: customers grouped by access type: Mobile, DSL, Cable)
(Customer and partner reference grid; the column each name belongs to is not recoverable from the extraction)
Areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, local (China), local (Italy)
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
(Second customer and partner reference grid; the column each name belongs to is not recoverable from the extraction)
Areas: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Behavioral Classification / Benefits
Scalability: the behavioral approach is capable of recognizing application flows based on only a few signatures; one signature per application family instead of a signature per application (Behavioral P2P)
Cost-effective: Behavioral P2P may be enough for some of the use cases, such as traffic optimization; in such cases there is no need to recognize the specific P2P application
Time to market – zero-day response: Behavioral P2P signatures use a heuristic approach; a new P2P client version does not necessarily require the development of new signatures
Peer-to-Peer Management & Network Optimization
SCE's Flexible Control / Policy Implementation
Service level / policy dimensions and their policy implementation impact:
  Application: sessions or bandwidth
  Time based: peak / off-peak hours
  Congestion: selective prioritization
  Subscriber: per-subscriber limits
  Destination: on-net / peering / transit
Adaptive Subscriber Bandwidth Allocation / Improve User Experience
(Figure: bandwidth share among peer-to-peer service, web browsing, e-mail and mobile TV over time; the allocation changes when the user launches video)
Fair Usage / The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, longer-term violation of the subscription plan's acceptable usage policies must be monitored and acted on, to ensure a balanced community of subscribers
(Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources)
Fair Usage / SCE – Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
  – apply equitable distribution of network resources
  – improve the Quality of Experience that the network delivers
  – minimize service abuse
FairUsage works only during congestion times
(Figure: without fairness, some subscribers do not get a fair share of the bandwidth; with the SCE's FairShare, bandwidth is allocated fairly)
RAN Optimization and Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email-only
Ability to provide SLA support or managed services for large enterprise users
(Diagram: UTRAN – SGSN – GGSN – SCE – Internet, GPRS, with a policy server attached to the SCE)
Tiered Services
Requirement: Flexible Billing Plans
(Figure: subscription plans billed along an increasing number of dimensions)
  Volume, Time: bill by bandwidth usage over an always-on service
  Volume, Transaction, Content Type: bill differently for each type of application and content
  Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services / Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session could either be terminated or the user could purchase more usage
Quota Measurement Enforcement Solution
SCE capabilities:
  Stateful classification of the end application regardless of port number
  Subscriber-based classification for detailed demographics data
  No load added on the existing network infrastructure
  End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Diagram: subscribers – Service Control Engine – network; Quota Manager, Billing/Mediation and Policy Server attached to the SCE)
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
  SP's content delivery store
  P2P technology can also be supported in the upload direction via DPI
  SP's gaming services
  SP's VoIP service
  Partnership content delivery services
Quota measurement rate can change with the time of day:
  Peak hour: 1 byte of transfer = 1 byte of quota
  Middle of the night: 10 bytes of transfer = 1 byte of quota
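An added example (written for this page, not SCE code) of the quota accounting just described, also carrying the Telenet behaviour from the later slides (reduce to dial-up speed at 100% of quota, redirect page, extend by buying more): exempt services are not counted, transfer in the middle of the night is counted at 10:1, and the bucket reports the action the enforcement point should take. The service names, the night window (01:00 to 05:00) and 56 kbps for "dial-up speed" are assumptions.

```python
# Added example: quota bucket with exempt services, time-of-day rate and reached-quota actions.
from dataclasses import dataclass, field
from datetime import datetime
from fractions import Fraction

GB = 1_000_000_000
# Services whose revenue is not access revenue and are exempt from quota (names constructed)
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}
NIGHT_HOURS = range(1, 5)            # assumed "middle of the night" window
NIGHT_TRANSFER_PER_QUOTA_BYTE = 10   # slide: 10 bytes of transfer = 1 byte of quota
REDUCED_SPEED_KBPS = 56              # assumption for "dial-up speed"


def quota_bytes_for(service: str, transferred: int, when: datetime) -> Fraction:
    """Bucket consumption for a transfer, as an exact fraction (no rounding drift)."""
    if service in EXEMPT_SERVICES:
        return Fraction(0)
    if when.hour in NIGHT_HOURS:
        return Fraction(transferred, NIGHT_TRANSFER_PER_QUOTA_BYTE)
    return Fraction(transferred)     # peak: 1 byte of transfer = 1 byte of quota


@dataclass
class QuotaBucket:
    subscriber_id: str
    limit: int                       # allowance in bytes for the period
    full_speed_kbps: int
    used: Fraction = field(default_factory=lambda: Fraction(0))
    reduced: bool = False            # True once 100% of the quota has been reached

    def charge(self, service: str, transferred: int, when: datetime) -> str:
        """Account a transfer and return the action for the enforcement point."""
        cost = quota_bytes_for(service, transferred, when)
        if cost == 0:
            return "exempt"
        self.used += cost
        if not self.reduced and self.used >= self.limit:
            self.reduced = True
            return "redirect"        # first crossing: show the three-option portal page
        return "reduced" if self.reduced else "counted"

    def percent_used(self) -> float:
        return float(100 * self.used / self.limit)

    def shaping_kbps(self) -> int:
        return REDUCED_SPEED_KBPS if self.reduced else self.full_speed_kbps

    def extend(self, extra_bytes: int) -> None:
        """'Extend subscription - buy more': raise the allowance and lift the reduction."""
        self.limit += extra_bytes
        if self.used < self.limit:
            self.reduced = False

    def monthly_reset(self) -> None:
        self.used = Fraction(0)
        self.reduced = False


def demo() -> dict:
    """Constructed month for one subscriber on a 2 GB plan."""
    b = QuotaBucket("sub-42", 2 * GB, full_speed_kbps=20_000)
    out = {}
    out["peak"] = b.charge("web", int(1.5 * GB), datetime(2009, 7, 1, 14, 0))
    out["voip"] = b.charge("sp-voip", 1 * GB, datetime(2009, 7, 2, 9, 0))      # exempt
    out["night"] = b.charge("p2p", 5 * GB, datetime(2009, 7, 3, 3, 0))         # counts 0.5 GB
    out["percent"] = b.percent_used()
    out["speed_reduced"] = b.shaping_kbps()
    out["after"] = b.charge("web", 10_000, datetime(2009, 7, 4, 12, 0))
    b.extend(1 * GB)
    out["speed_extended"] = b.shaping_kbps()
    out["after_extend"] = b.charge("web", 10_000, datetime(2009, 7, 5, 12, 0))
    out["night_rate"] = quota_bytes_for("web", 100, datetime(2009, 7, 1, 2, 0))
    out["exempt_rate"] = quota_bytes_for("sp-gaming", 100, datetime(2009, 7, 1, 2, 0))
    b.monthly_reset()
    out["after_reset"] = b.percent_used()
    return out
```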
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to an Online Charging Server
(Diagram: subscriber service control with the SCE at the access aggregation and service control point, GGSN, converged packet core, Internet, video/VoIP applications and services, with numbered steps on the figure)
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types:
  Volume
  Time
  Event driven
High availability and load balancing between Online Charging Servers
(Diagram: SCE – Gy over Diameter – Online Charging Server; SCE – Internet)
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
(Screenshot of the Telenet subscriber portal: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around)
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber:
  Extend subscription – buy more
  Pay as you go on broadband
  Continue for free on narrowband
Quota Based Services – Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile – Quota-Based with Application Control
(Table; the Allowance row has one value fewer than there are columns in the extraction and is shown in the order extracted)
                 | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | √         | ×   | ×       | ×        | ×       | √        | ×
IM               | √         | ×   | ×       | ×        | √       | √        | ×
P2P              | √         | ×   | √       | ×        | √       | √        | ×
FTP              | √         | ×   | √       | ×        | √       | √        | ×
Media Stream     | √         | ×   | √       | ×        | √       | √        | ×
Web Browsing     | √         | √   | √       | √        | √       | √        | √
Downloads        | √         | ×   | √       | √        | √       | √        | √
Emails           | √         | √   | √       | √        | √       | √        | √
Handset as modem | √         | ×   | √       | ×        | √       | √        | ×
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
(Screenshot; the figure shows "> 40")
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (IPTV/VoD, broadband access, gaming, messaging, music, voice), through application awareness and a control bus
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
  Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
  Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
  Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
  Copyright infringement: validate that distributed content does not infringe copyrights
  Advertisement insertion: perform local advertisement insertions
  Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
  Application-based control on a per-subscriber basis
  Integrates with the AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management / Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Screenshot: personalization via self-selection)
Bandwidth-On-Demand / Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services / Self-Provisioned
  Quota management
  Turbo (bandwidth on demand)
  Application prioritization
  Reporting / monitoring
Personalized Reporting / Self-Managed
Parental Controls / Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example Content Tiering – "Kids Broadband"
Application- and content-based access control with white-lists and blacklists:
  Limits access to pre-defined web sites
  Limits access to pre-approved applications
  HTTP redirect to portal
  Real-time policy change
Benefits:
  Customer loyalty and stickiness
  Revenue opportunity through content provider partnership
(Figure: block page reading "Content Blocked – Click here to unlock all Internet sites"; Internet)
URL Filtering with External DB
Enhance SCE URL classification with external-party databases
External database size is not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
(Diagram: on-device URL filtering with external database integration. When a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache is then updated)
Action by subscriber package and HTTP list:
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
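An added example (written for this page, not SCE or Websense/Adaptive Mobile code) of the cache-in-front-of-external-database design above, with the package/list action table reproduced as data. It also shows two points the slide leaves implicit: the policy is matched on the canonical host (lower-cased, without userinfo or port) rather than on the raw URL string, and the filter needs a defined behaviour when the external database is unreachable. The database contents, cache size and fail-open default are assumptions.

```python
# Added example: cached URL classification against an external database, plus the action table.
from collections import OrderedDict
from typing import Dict, Optional, Union
from urllib.parse import urlsplit

ListId = Union[str, int]   # "DEFAULT" or a numeric HTTP list ID

# Action by subscriber package and HTTP list, exactly as on the slide
POLICY: Dict[str, Dict[ListId, str]] = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDatabase:
    """Stand-in for the 3rd-party URL database; answers "URL query" lookups by host."""

    def __init__(self, entries: Dict[str, int], available: bool = True) -> None:
        self.entries = entries
        self.available = available
        self.queries = 0

    def classify(self, host: str) -> ListId:
        self.queries += 1
        if not self.available:
            raise ConnectionError("external URL database unreachable")
        return self.entries.get(host, "DEFAULT")


def canonical_host(url: str) -> Optional[str]:
    """Host the policy is matched on: lower-case, no userinfo, no port, no trailing dot."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname            # urlsplit strips userinfo and port, lower-cases
    return host.rstrip(".") if host else None


class UrlFilter:
    def __init__(self, db: ExternalUrlDatabase, cache_size: int = 1024, fail_open: bool = True) -> None:
        self.db = db
        self.cache = OrderedDict()   # LRU of host -> list ID (the on-board cache)
        self.cache_size = cache_size
        self.fail_open = fail_open

    def classify(self, url: str) -> ListId:
        host = canonical_host(url)
        if host is None:
            return "DEFAULT"
        if host in self.cache:
            self.cache.move_to_end(host)
            return self.cache[host]
        try:
            list_id = self.db.classify(host)   # cache miss: URL query to the external DB
        except ConnectionError:
            # Not cached, so the DB is retried on the next request for this host
            return "DEFAULT" if self.fail_open else 1   # fail closed = most restrictive list (assumption)
        self.cache[host] = list_id
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return list_id

    def decide(self, package: str, url: str) -> str:
        return POLICY[package][self.classify(url)]


def demo() -> dict:
    db = ExternalUrlDatabase({"adult.example": 1, "gambling.example": 2})   # constructed entries
    f = UrlFilter(db)
    out = {}
    out["slow"] = f.decide("Block-and-slow", "http://Gambling.Example/play?x=1")
    out["slow_again"] = f.decide("Block-and-slow", "https://gambling.example.:8443/other")
    out["queries_after_two"] = db.queries        # second request is a cache hit
    out["none"] = f.decide("Block-none", "http://adult.example/")
    out["all_unknown"] = f.decide("Block-all", "http://news.example/")
    # Userinfo in the URL: the host actually contacted is the one after "@"
    out["userinfo"] = f.decide("Block-all", "http://news.example@adult.example/")
    db.available = False
    out["outage_unknown"] = f.decide("Block-all", "http://other.example/")
    out["outage_cached"] = f.decide("Block-all", "http://adult.example/x")
    return out
```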
Parental Control and Content Filtering / Example
(Screenshot: content filtering, "Page Blocked – Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
(Figure: the ISP between advertiser, publisher and consumer, contributing demographics, browsing habits and geo-location to BetterAds)
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
Enables SPs to participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds – Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
  Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
  Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
  Enhanced HTTP redirect – additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring (figure):
  1. Subscribers browse the web
  2. SCE mirrors relevant traffic to profiling servers
  3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles, e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits…
P2P Identification: Infringing / Non-Infringing
(Figure: subscriber – SCE – network – hash DB)
  1. Subscriber initiates a P2P file request
  2. SCE extracts the file hash and consults the DB
  3. DB responds with the file classification: infringing / legal
  4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
  Saves on peering bandwidth
  Clears network congestion
  Increases user satisfaction
(Diagram: SCE classifies OTT, other OTT/P2P and VoIP traffic; SCE redirects OTT traffic to the OTT video cache, which delivers the requested files)
Increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
  Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
  No mandatory security tools: end users may not have any security protection
  End users are not educated on security best practices
  New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
  Increased cost for the carrier from network management and downtime
  Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
  DoS: D/DoS attacks from subscribers
  Spam: spam activity from botnets or malicious users
  Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
  Identify: threat identified using stateful traffic processing; SP operations alerted
  Protect: block/mitigate the threat based on the configured policy
  Notify: quarantine the subscriber and notify of the security risk
(Diagram: subscribers – Service Control – Internet, e-mail servers; sample notification to the subscriber:)
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: wwwtechnicalsupportcom"
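To make the identify / protect / notify chain concrete, an added example (not SCE code) that applies one simple anomaly rule, "too many distinct destinations on a threat port within a sliding window", to constructed flow records and derives the configured protect and notify actions per subscriber; the thresholds, the window, the flow record layout and the policy table are assumptions.

```python
# Added example: per-subscriber anomaly detection driving identify / protect / notify.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds
    src: str         # subscriber IP
    dst: str
    dport: int


@dataclass(frozen=True)
class Threat:
    name: str
    dport: int
    max_distinct_dst: int   # distinct destinations tolerated per window (assumed)
    window_s: float


# Assumed thresholds: SMTP sessions to many distinct mail servers in a short window look
# like a spam zombie; many distinct hosts contacted on 445 look like worm propagation.
THREATS = [
    Threat("spam", 25, max_distinct_dst=20, window_s=60),
    Threat("worm", 445, max_distinct_dst=30, window_s=60),
]

# Configured mitigation policy per threat (assumed): the protect and notify tiers
POLICY = {
    "spam": {"protect": "block dport 25", "notify": "quarantine+email"},
    "worm": {"protect": "block dport 445", "notify": "quarantine+portal"},
}


def identify(flows: List[Flow], threats=THREATS) -> Dict[Tuple[str, str], int]:
    """Sliding-window count of distinct destinations per (subscriber, threat).
    Returns the peak distinct count for every pair that crossed its threshold."""
    alerts: Dict[Tuple[str, str], int] = {}
    by_port = {t.dport: t for t in threats}
    windows = defaultdict(deque)                      # key -> deque of (ts, dst)
    counts = defaultdict(lambda: defaultdict(int))    # key -> dst -> hits in window
    for f in sorted(flows, key=lambda x: x.ts):
        t = by_port.get(f.dport)
        if t is None:
            continue                                  # port not covered by a threat rule
        key = (f.src, t.name)
        win, cnt = windows[key], counts[key]
        win.append((f.ts, f.dst))
        cnt[f.dst] += 1
        while win and f.ts - win[0][0] > t.window_s:  # expire entries older than the window
            old_ts, old_dst = win.popleft()
            cnt[old_dst] -= 1
            if cnt[old_dst] == 0:
                del cnt[old_dst]
        distinct = len(cnt)
        if distinct > t.max_distinct_dst:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def respond(alerts: Dict[Tuple[str, str], int]) -> List[dict]:
    """Turn alerts into the three tiers: identify (alert ops), protect, notify."""
    actions = []
    for (src, threat), peak in sorted(alerts.items()):
        p = POLICY[threat]
        actions.append({"subscriber": src, "threat": threat, "peak_distinct_dst": peak,
                        "identify": f"alert SP operations: {threat} from {src}",
                        "protect": p["protect"], "notify": p["notify"]})
    return actions


def sample_flows() -> List[Flow]:
    """Constructed traffic: 10.0.0.5 is a spam zombie, 10.0.0.7 sweeps port 445,
    10.0.0.9 sends a few normal e-mails, 10.0.0.8 browses, 10.0.0.6 mails slowly."""
    flows = []
    flows += [Flow(t * 1.0, "10.0.0.5", f"198.51.100.{t}", 25) for t in range(1, 26)]
    flows += [Flow(100 + t * 0.5, "10.0.0.7", f"192.0.2.{t}", 445) for t in range(1, 41)]
    flows += [Flow(200 + t * 10.0, "10.0.0.9", "198.51.100.1", 25) for t in range(1, 5)]
    flows += [Flow(300 + t * 1.0, "10.0.0.8", f"203.0.113.{t}", 80) for t in range(1, 61)]
    # 25 distinct SMTP servers, but one per minute: never more than 2 inside a 60 s window
    flows += [Flow(1000 + t * 60.0, "10.0.0.6", f"198.51.100.{t}", 25) for t in range(1, 26)]
    return flows
```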
Service Security Protection / Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection / Remove Malware Destined to Users
(Diagram: User 1 – SCE – Carrier Ethernet/MPLS/IP – Internet, with a VAS server attached to the SCE; inbound and outbound traffic, "X" marks traffic blocked)
  1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
  2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
  3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
  4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point – broadband edge/aggregation:
  Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
  Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
  Traffic visibility (the engine must see all traffic it needs to control)
  Network interfaces
  Split flow
  Network redundancy
  IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: analysis engine with PDR – police, drop, rewrite – actions)
Inline and Receive-Only Configurations / Non-Intrusive and Stealthy
Receive-only configuration:
  Using optical splitters / port SPAN
  Traffic monitoring only
Inline configuration:
  Engine installed in the data path
  Monitor and control traffic
(Diagram: subscribers – optical splitter – SCE – optical splitter – network)
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, each on an active link)
Redundant Configurations / Active/Standby Schemes
1+0:
  Active/standby: SCE on the active link
  On failure the network uses the alternate path
  No service redundancy
  Bypass config: fail open
1+1:
  Active/standby: SCE on each link
  On failure the network uses the alternate path
  Standby SCE resumes service
  Bypass config: fail open
(Diagram: active link and standby link in each scheme)
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
  In case of a major failure in the SCE SW or HW
  Manually via CLI
  On boot
(Diagram: SCE8000 with optical bypass modules, showing the default bypass state (no power) and the non-default bypass state, with the interface numbering of the figure)
MGSCP Cluster Insertion – N+1 SCEs
  Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
  Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
  High availability – provides N+1 device-level high availability, addressing ALL failure scenarios
  Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
    The SCE performs the DPI functionality and returns the packets to the original data path
    All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
(Diagram: 7600 with N+1 SCEs; flows dispatched and returned; Internet)
Network Architectures: SCE's Open & Extensible Architecture
(Diagram: DSL/fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN to the Internet, with SCEs inserted in 1+1 HA, bypass HA and N+1 configurations, and accounting/policy control attached)
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
  VLAN 802.1q tagging
  MPLS traffic engineering
  L2TP tunneling
  IP-in-IP tunneling
  GRE & GTP planned for end of 2009
(Figure: header stacks inspected, e.g. L2TP or MPLS | IP | TCP | payload, and PPP | IP | TCP | payload)
Management and Integration
What does an SCE solution look like?
SCE sits at the access or aggregation layer
Modular solution including SCE devices, management tools and integration APIs
(Diagram: subscribers – Service Control Engine – network; Subscriber Manager with AAA, DHCP and RADIUS/billing; Collection Manager with reporting tool; Engage console; service portal; policy server/portal)
Management and Integrations
Area                         | Description                                             | Protocols and tools        | External software modules
Network Management           | FCAPS                                                   | SNMP, CLI, SSH             | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices  | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts               | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing      | NetFlow v9, RDR-Protocol   | Collection Manager
Network Management (FCAPS)
SNMP (v2):
  MIB-II
  Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  Traps: MIB-II traps, RDR link up/down, link status up/down
CLI:
  Telnet/SSH
  Cisco look and feel
  CLI configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a subscriber real-time report

Service Security Dashboard
Integrated console to manage service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber quotas: set/add/read usage quota buckets
- Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager / RADIUS Integration - Push
Figure: B-RAS, RADIUS server and Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), with the SCE and the subscribers below.
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The accounting message is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device

Subscriber Manager / RADIUS Integration - Pull
Figure: same components as in the push case.
1. (RADIUS) The B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The accounting message is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEGs translation in brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates the network event into SM calls:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings

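The push and pull exchanges above, and the Login/Logout translation a RADIUS LEG performs, as an added example (not Cisco's RADIUS LEG or SM API): an RFC 2866 accounting parser drives an in-memory stand-in for the SM, which also answers the pull-mode "who is using IP" query. The vendor-specific encoding of SCE-VAS-PID, the default package id and the constructed packets are assumptions.

```python
"""RADIUS accounting LEG feeding a Subscriber Manager stand-in.

Added example, not Cisco's RADIUS LEG or SM API: parses RFC 2866
Accounting-Request packets, translates Acct-Start/Stop into Login/Logout
calls on an in-memory subscriber database, and answers the pull-mode
"who is using IP" query. The vendor-specific encoding of SCE-VAS-PID, the
default package id and the packets built by build_acct() are assumptions.
"""
import socket
import struct

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
VSA_SCE_VAS_PID = 250     # placeholder vendor sub-type (assumption)
DEFAULT_PACKAGE = 0       # assumption: package used when no VSA and no history


def parse_radius(packet):
    """Return (code, attrs) with the attributes the LEG cares about decoded."""
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = {}, 20
    while off + 2 <= length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")   # never trust peer-supplied lengths
        value = packet[off + 2:off + alen]
        if atype == USER_NAME:
            attrs["User-Name"] = value.decode("utf-8", "replace")
        elif atype == NAS_IDENTIFIER:
            attrs["NAS-Identifier"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(value) == 4:
            attrs["Framed-IP-Address"] = socket.inet_ntoa(value)
        elif atype == ACCT_STATUS and len(value) == 4:
            attrs["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 10:
            vendor, vtype, vlen = struct.unpack_from("!IBB", value, 0)
            if vendor == CISCO_VENDOR_ID and vtype == VSA_SCE_VAS_PID and vlen == 6:
                attrs["SCE-VAS-PID"] = struct.unpack_from("!I", value, 6)[0]
        off += alen
    return code, attrs


class SubscriberManager:
    """In-memory stand-in for the SM subscriber database (SDB)."""

    def __init__(self):
        self.subscribers = {}   # subscriber id -> {"mappings": set of IPs, "policy": id}
        self.by_ip = {}         # network id (IP) -> subscriber id
        self.pushed = []        # SM-API calls that push mode sends to the SCE

    def login(self, sub_id, ip, policy=None):
        old = self.by_ip.get(ip)
        if old is not None and old != sub_id:       # IP reassigned: old mapping is stale
            self.subscribers[old]["mappings"].discard(ip)
        entry = self.subscribers.setdefault(sub_id, {"mappings": set(), "policy": DEFAULT_PACKAGE})
        if policy is not None:                       # otherwise the policy persists across logins
            entry["policy"] = policy
        entry["mappings"].add(ip)
        self.by_ip[ip] = sub_id
        self.pushed.append(("set_subscriber", sub_id, ip, entry["policy"]))

    def logout(self, sub_id, ip):
        entry = self.subscribers.get(sub_id)
        if entry is not None and ip in entry["mappings"]:
            entry["mappings"].discard(ip)
            self.by_ip.pop(ip, None)
            self.pushed.append(("remove_mapping", sub_id, ip))

    def who_is_using(self, ip):
        """Pull mode: the SCE asks which subscriber and policy an IP belongs to."""
        sub_id = self.by_ip.get(ip)
        return None if sub_id is None else (sub_id, self.subscribers[sub_id]["policy"])


def radius_leg(sm, packet):
    """Translate one Accounting-Request into an SM call; returns the call made."""
    code, a = parse_radius(packet)
    if code != ACCT_REQUEST or "User-Name" not in a or "Framed-IP-Address" not in a:
        return None
    status = a.get("Acct-Status-Type")
    if status == ACCT_START:
        sm.login(a["User-Name"], a["Framed-IP-Address"], a.get("SCE-VAS-PID"))
        return "login"
    if status == ACCT_STOP:
        sm.logout(a["User-Name"], a["Framed-IP-Address"])
        return "logout"
    return None                                      # e.g. Interim-Update: nothing to do


def build_acct(status, user, ip, pid=None, ident=1):
    """Constructed Accounting-Request (authenticator zeroed; test input only)."""
    user_b = user.encode()
    attrs = struct.pack("!BB", USER_NAME, 2 + len(user_b)) + user_b
    attrs += struct.pack("!BB", FRAMED_IP, 6) + socket.inet_aton(ip)
    attrs += struct.pack("!BBI", ACCT_STATUS, 6, status)
    if pid is not None:
        vsa = struct.pack("!IBBI", CISCO_VENDOR_ID, VSA_SCE_VAS_PID, 6, pid)
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(vsa)) + vsa
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs
```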
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing and quota provisioning
- NetFlow v9: allows integration for billing and quota provisioning

Policy Server Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - (API) - Subscriber Manager - (API) - Policy Server

PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF:
- Applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release.
Figure: GGSN, access aggregation and service control (SCE as PCEF), converged packet core, Internet; subscriber service control and video/VoIP applications and services, with numbered steps 1 to 5.

Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages; attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release.

Collection Manager
- Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- RDR protocol integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Figure: an RDR stream (RDR, RDR, ...) over TCP to the mediation/collection platform; each RDR is a header followed by field 0, field 1, ... field n.

Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCMS Collection Manager feeding the SCMS Reporter; NetFlow Collector feeding the NetFlow Reporter.

Collection Manager: Software Overview
CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)

ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application is classified, the SCE ToS marking capability provides the ability to mark traffic:
  - Per package
  - Per service
  - Per direction (upstream / downstream)
Figure: subscriber side and network side, with upstream and downstream flows for browsing, P2P and VoIP.

ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
Figure: customer logos grouped by access type (Mobile, DSL, Cable).

Sample partners by use case, and operators named on the same slides:
- Security and content filtering: Aladdin, Websense, Adaptive Mobile
- Policy and billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- URL black-listing: Websense, in-platform cache
- Advertising: Phorm, Feeva, Adzilla, local partners in China and Italy
- Operators named: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, CampW, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom

- Flash caching / video: Oversi, CDS
- Content infringement: Audible Magic, Advestigo, Altnet
- Management / reporting: Proxy, Business Objectives, Comability, Aqsacom, InfoVista
- Data warehousing: Business Objects, Oracle
- Operators named: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet

Peer-to-Peer Management & Network Optimization

SCE's Flexible Control: Policy Implementation
Service level / policy dimensions and their implementation impact:
- Application: sessions or bandwidth
- Time based: peak / off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net / peering / transit

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Figure: a subscriber's bandwidth shared between a peer-to-peer service, web browsing, email and mobile TV, shown before and after the user launches video.

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violations of the subscription plan's acceptable usage policies ensures a balanced community of subscribers
Figure: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times.
Figure: no fairness (some subscribers not getting a fair share of the bandwidth) versus fair allocation of bandwidth with the SCE's FairShare.

RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. email only
- Ability to provide SLA support or managed services for large enterprise users
Figure: UTRAN - SGSN/GGSN - SCE - Internet, with the policy server attached to the SCE (GPRS core).

Tiered Services

Requirement: Flexible Billing Plans
Billing dimensions grow over time, starting from a plain subscription:
- Subscription
- Bill by bandwidth usage over an always-on service: volume, time
- Bill differently for each type of application and content: volume, time, transaction, content type
- Bill differently for the same content based on quality, priority, time of day and usage pattern: volume, transaction, content type, usage pattern, quality of service

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographic data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Figure: Service Control Engine between subscribers and the network, integrated with quota manager, billing/mediation and policy server.

Quota Measurement Flexibility
- Content that has revenues other than access revenues can be exempted from quota counting:
  - SP's content delivery store (P2P technology can also be supported in the upload direction via DPI)
  - SP's gaming services
  - SP's VoIP service
  - Partnership content delivery services
- The quota measurement rate can change during the time of day:
  - Peak hour: 1 byte of transfer = 1 byte of quota
  - Middle of the night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the Online Charging Server
The Gy interface is still under development and will be available in a future release.
Figure: GGSN, access aggregation and service control (SCE), converged packet core, Internet; subscriber service control and video/VoIP applications and services, with numbered steps 1 to 3.

Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter: the SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
The Gy interface is still under development and will be available in a future release.
Figure: SCE connected to the Online Charging Server over Gy (Diameter), with the Internet beyond the SCE.

Quota Based Tiering: Telenet, Cable Company in Belgium
Source: www.billingworld.com (feature article, featureID=7799)
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month

Figure: Telenet subscriber portal with options to view previous months, see the current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to switch from pay-as-you-go broadband to free smallband or the other way around.

Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription (buy more)
- Pay as you go on broadband
- Continue for free on narrowband

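The quota rules from the Quota Measurement Flexibility slide and the Telenet behaviour at 100% of quota, as an added example that is not Cisco's or Telenet's code: exempt services, the time-of-day measurement rate, the switch to reduced speed and the portal redirect with its three options. The night hours, dial-up rate and plan size are assumptions.

```python
"""Quota metering with exempt services, a time-of-day measurement rate and
the actions taken at 100% of quota.

Added example, not Cisco's quota manager: it encodes the rules on the slides
(SP-owned content store, gaming and VoIP exempt from counting; peak hour 1 byte
of transfer = 1 byte of quota, middle of the night 10 bytes = 1 byte; at 100%
the subscriber is slowed to dial-up speed and browser requests are redirected
to a portal offering three options). Night hours, dial-up rate and plan size
are assumptions.
"""

EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-content"}
NIGHT_HOURS = range(1, 6)          # assumption: 01:00-05:59 counts 10:1
DIALUP_KBPS = 56                   # assumption: "dial-up speed" after the limit
PORTAL_OPTIONS = ("extend-subscription", "pay-as-you-go-broadband", "free-narrowband")


def measurement_rate(hour):
    """Bytes of transfer that consume one byte of quota at this hour (0-23)."""
    return 10 if hour in NIGHT_HOURS else 1    # peak and all other hours count 1:1


class QuotaBucket:
    """Monthly volume bucket for one subscriber."""

    def __init__(self, subscriber_id, monthly_bytes):
        self.subscriber_id = subscriber_id
        self.limit = monthly_bytes
        self.used = 0
        self.state = "normal"      # "normal" or "reduced" (dial-up speed + redirect)

    def account(self, service, transferred, hour):
        """Charge a flow's bytes against the bucket and return the enforcement
        decision for the flow: ("forward", None) or ("rate-limit", kbps)."""
        if service not in EXEMPT_SERVICES:
            self.used += transferred // measurement_rate(hour)
            if self.used >= self.limit:
                self.state = "reduced"
        return ("rate-limit", DIALUP_KBPS) if self.state == "reduced" else ("forward", None)

    def http_request(self):
        """Browser request: redirect to the portal once the quota is reached."""
        if self.state == "reduced":
            return {"action": "redirect", "options": PORTAL_OPTIONS}
        return {"action": "allow"}

    def extend(self, extra_bytes):
        """Portal option 1: the subscriber bought more volume for this month."""
        self.limit += extra_bytes
        if self.used < self.limit:
            self.state = "normal"

    def percent_used(self):
        return 100.0 * self.used / self.limit

    def monthly_reset(self):
        self.used, self.state = 0, "normal"
```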
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer satisfaction

T-Mobile - Quota-Based With Application Control
Package:          Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance:        Unlimited  2GB   2GB       1GB        3GB       10GB       (not listed)
VoIP              yes        no    no        no         no        yes        no
IM                yes        no    no        no         yes       yes        no
P2P               yes        no    yes       no         yes       yes        no
FTP               yes        no    yes       no         yes       yes        no
Media stream      yes        no    yes       no         yes       yes        no
Web browsing      yes        yes   yes       yes        yes       yes        yes
Downloads         yes        no    yes       yes        yes       yes        yes
Emails            yes        yes   yes       yes        yes       yes        yes
Handset as modem  yes        no    yes       no         yes       yes        no

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: www.vodafone.es (particulares / internet)
Figure: screenshot of the operator's volume-quota offer (callout "> 40").

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": enhanced experience is application-driven (application awareness, control bus)
Figure: services such as IPTV/VoD, broadband access, gaming, messaging, music and voice attached to the SCE control bus.

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Figure: personalization via self-selection in the portal.

Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self-Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example: Content Tiering - "Kids Broadband"
- Application- and content-based access control with white-lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
Figure: blocked page reading "Content Blocked - Click here to unlock all Internet sites", with the Internet beyond the SCE.

URL Filtering with External DB
On-device URL filtering with external database integration:
- Enhance SCE URL classification with external party databases
- External database size is not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
Figure: when a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache is then looked up and updated.
Action per subscriber package and HTTP list:
Subscriber package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps

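The cache-then-query path and the action table above, as an added example rather than the SCE's own code: an LRU cache with a TTL in front of a constructed stand-in for the external database, and the package/list lookup that yields ALLOW, BLOCK or RATE 64kbps. Hosts, TTL and cache size are assumptions.

```python
"""URL classification with an on-box cache in front of an external database,
applying the per-package action table from the slide.

Added example, not the SCE's URL filtering code: the 3rd-party database is a
constructed stub, the cache is a small LRU with a TTL, and classification is
by host name. Packages, list ids and actions are the ones in the slide's table.
"""
from collections import OrderedDict
from urllib.parse import urlsplit

# Slide table: package -> {list id: action}; list id 0 is HTTP DEFAULT
ACTIONS = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}
# Constructed stand-in for the external URL database: host -> list id
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2, "news.example": 0}


def external_lookup(host):
    """Stub for the 3rd-party database; unknown hosts fall into DEFAULT."""
    return EXTERNAL_DB.get(host, 0)


def host_of(url):
    """Normalise a URL or bare host to a lower-case host name."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class UrlClassifier:
    def __init__(self, lookup, capacity=1024, ttl=3600):
        self.lookup = lookup            # the "URL query RDR" to the external DB
        self.cache = OrderedDict()      # host -> (list id, expiry time)
        self.capacity, self.ttl = capacity, ttl
        self.external_queries = 0

    def classify(self, url, now):
        host = host_of(url)
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            self.cache.move_to_end(host)      # cache hit: refresh LRU order
            return hit[0]
        self.external_queries += 1            # miss or expired: ask the DB
        list_id = self.lookup(host)
        self.cache[host] = (list_id, now + self.ttl)
        self.cache.move_to_end(host)
        while len(self.cache) > self.capacity:
            self.cache.popitem(last=False)    # evict the least recently used host
        return list_id

    def decide(self, package, url, now):
        """ALLOW / BLOCK / RATE ... for this subscriber package and URL."""
        return ACTIONS[package][self.classify(url, now)]
```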
Parental Control and Content Filtering: Example
Content filtering: the page is blocked when forbidden content is detected.
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Leveraging their intimacy with their customer base to enable enhanced targeting.
Figure: the ISP (demographics, browsing habits, geo-location) feeding BetterAds between advertiser, publisher and consumer.

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)

P2P Identification: Infringing / Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
- The SCE analyzes and redirects OTT traffic to the caching server
- The cache delivers more bandwidth to end users using existing network resources
- The cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
Figure: the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic continue on the normal path; demand for OTT keeps increasing.

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify of the security risk
Figure: service control between subscribers, email servers and the Internet; sample notification page: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows matching the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user machine
Figure: User 1 - SCE - carrier Ethernet/MPLS/IP - VAS server - Internet, with inbound and outbound traffic and an X marking the blocked traffic.

Network Insertion and Configuration

Network Insertion Point
- Typical insertion point: broadband edge/aggregation
  - Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flow
- Network redundancy
- IP/tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Figure: analysis engine applying PDR (police, drop, rewrite) actions on the wire.

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
Figure: optical splitters between subscribers and network feeding the receive-only SCE.

High Availability: Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active/standby failover
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
Figure: master and slave SCEs cascaded, each on an active link.

Redundant Configurations: Active/Standby Schemes
1+0
- Active/standby: SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1
- Active/standby: SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass config: fail open
Figure: active and standby links.

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE software or hardware
  - Manually via CLI
  - On boot
Figure: SCE8000 with optical bypass modules on its four link ports; default bypass state (no power) versus non-default bypass state.

MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Figure: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows out to the SCEs and return flows back to the data path.

Network Architectures: SCE's Open & Extensible Architecture
(Figure: N+1, 1+1 HA and bypass HA deployments between access networks (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN) and the Internet, with accounting and policy control systems attached)
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
(Figure: encapsulation stacks seen by the SCE, e.g. Payload/TCP/IP over L2TP or MPLS, and Payload/TCP/IP over PPP)
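An inline engine can only apply subscriber policy to the inner flow if it strips every encapsulation first; stopping at the outer header would attribute all traffic to the tunnel endpoint instead of the subscriber. The following is an added example, not code from the slides or from Cisco, showing how the encapsulations listed above (802.1Q, MPLS, IP-in-IP, GRE) are walked down to the innermost IPv4/L4 header. Sample frames are constructed inline; the assumption that IPv4 follows the last MPLS label is marked in a comment.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_MPLS, ETHERTYPE_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47


def parse_ipv4(buf, off):
    """Return (protocol, src, dst, header_length) for the IPv4 header at buf[off:]."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header at offset %d" % off)
    return proto, ".".join(map(str, src)), ".".join(map(str, dst)), (ver_ihl & 0x0F) * 4


def inner_flow(frame):
    """Strip 802.1Q tags, an MPLS label stack, IP-in-IP and GRE from an Ethernet frame
    and return (encapsulations, protocol, src, dst, sport, dport) of the innermost flow."""
    layers = []
    off = 12                                            # past destination and source MAC
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while ethertype == ETHERTYPE_VLAN:                  # one tag, or stacked QinQ tags
        layers.append("vlan")
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype == ETHERTYPE_MPLS:
        while True:                                     # pop labels until the bottom-of-stack bit
            layers.append("mpls")
            entry = struct.unpack_from("!I", frame, off)[0]
            off += 4
            if entry & 0x100:
                break
        # MPLS carries no payload-type field; IPv4 after the last label is an assumption
    elif ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    while True:
        proto, src, dst, hlen = parse_ipv4(frame, off)
        off += hlen
        if proto == IPPROTO_IPIP:
            layers.append("ipip")
            continue
        if proto == IPPROTO_GRE:
            layers.append("gre")
            flags, gre_proto = struct.unpack_from("!HH", frame, off)
            off += 4
            off += 4 if flags & 0xC000 else 0           # checksum/offset present (C or R bit)
            off += 4 if flags & 0x2000 else 0           # key present
            off += 4 if flags & 0x1000 else 0           # sequence number present
            if gre_proto != ETHERTYPE_IPV4:
                raise ValueError("non-IPv4 GRE payload 0x%04x" % gre_proto)
            continue
        break
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack_from("!HH", frame, off)
    return layers, proto, src, dst, sport, dport


# --- constructed sample frames (not captures from any deployment) ---------------
def _ipv4(proto, src, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

_ETH = bytes(12)                                        # MAC addresses are irrelevant here
_TCP = struct.pack("!HH", 51234, 80)                    # only the port fields of a TCP header
_INNER = _ipv4(IPPROTO_TCP, "10.0.0.5", "203.0.113.9") + _TCP

SAMPLE_FRAMES = {
    "vlan": _ETH + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4) + _INNER,
    "mpls": _ETH + struct.pack("!HII", ETHERTYPE_MPLS, (2000 << 12) | 64,
                               (1000 << 12) | 0x100 | 64) + _INNER,
    "ipip": _ETH + struct.pack("!H", ETHERTYPE_IPV4)
            + _ipv4(IPPROTO_IPIP, "192.0.2.1", "192.0.2.2") + _INNER,
    "gre":  _ETH + struct.pack("!H", ETHERTYPE_IPV4)
            + _ipv4(IPPROTO_GRE, "192.0.2.1", "192.0.2.2")
            + struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 42) + _INNER,
}


def classify_all():
    """Map each sample encapsulation to the 5-tuple an inline engine must act on."""
    return {name: inner_flow(frame) for name, frame in SAMPLE_FRAMES.items()}
```

Every sample resolves to the same subscriber flow (10.0.0.5:51234 to 203.0.113.9:80), which is the point: policy keyed on the outer 192.0.2.x tunnel addresses would miss the subscriber entirely.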
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
(Figure: Service Control Engine between Subscribers and Network; Subscriber Manager integrating with AAA, DHCP and RADIUS; billing, reporting tool, Engage console, service portal, Collection Manager and policy server/portal around it)
Management and Integrations

Function | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Note that Telnet and SNMPv2c carry credentials and community strings in cleartext; management access should be limited to SSH from a dedicated management network.
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a real-time report for that subscriber
Service Security Dashboard
Integrated console to manage the service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems
Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  Push: login messages sent directly to the relevant SCE device
  Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
(Figure: B-RAS and RADIUS server on the network side; Cisco Subscriber Manager with RADIUS listener, Event Manager, internal SDB and SCE device controller; subscribers behind the SCE)
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM with the package attribute added: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device
Subscriber Manager: RADIUS Integration - Pull
(Figure: same components as the push case)
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEG translates these into SM operations:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
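The push and pull exchanges above both hinge on the SM trusting a RADIUS Accounting Start to bind an IP address to a subscriber and a package. The following is an added example, not code from the slides or from Cisco's SM or LEG software: it builds a constructed Accounting-Request with the attributes the LEG slide names (User-Name, NAS-Identifier, Framed-IP-Address, Acct-Status-Type, a Cisco Vendor-Specific attribute), verifies the RFC 2866 Request Authenticator before accepting the login, and models push delivery to an SCE and pull lookup by IP. The vendor-type number used for SCE-VAS-PID and the shared secret are placeholders, not values from the page.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_NAS_ID, ATTR_ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
SCE_VAS_PID_VSA_TYPE = 250          # placeholder: the real vendor-type for SCE-VAS-PID is not on the slide
SHARED_SECRET = b"constructed-secret"


def vsa(vendor_type, data):
    """Vendor-Specific attribute value: vendor-id, vendor-type, vendor-length, data."""
    return struct.pack("!IBB", CISCO_VENDOR_ID, vendor_type, len(data) + 2) + data


def build_acct_request(ident, attrs):
    """attrs: list of (type, value_bytes). Request Authenticator per RFC 2866:
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + SHARED_SECRET).digest()
    return header + auth + body


def parse_acct_request(pkt):
    """Verify the Request Authenticator, then return the attributes the LEG needs."""
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if code != ACCT_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    auth, body = pkt[4:20], pkt[20:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + SHARED_SECRET).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Request Authenticator: not from a NAS holding the shared secret")
    rec, off = {}, 0
    while off < len(body):
        t, l = body[off], body[off + 1]
        if l < 2 or off + l > len(body):
            raise ValueError("malformed attribute")
        v = body[off + 2:off + l]
        off += l
        if t == ATTR_USER_NAME:
            rec["user"] = v.decode()
        elif t == ATTR_FRAMED_IP:
            rec["ip"] = ".".join(map(str, v))
        elif t == ATTR_NAS_ID:
            rec["nas"] = v.decode()
        elif t == ATTR_ACCT_STATUS:
            rec["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VSA:
            vendor, vt, vl = struct.unpack_from("!IBB", v, 0)
            if vendor == CISCO_VENDOR_ID and vt == SCE_VAS_PID_VSA_TYPE:
                rec["package"] = int(v[6:4 + vl].decode())   # package-ID carried as text
    return rec


def accepted(pkt):
    """True when the packet passes the authenticator and format checks."""
    try:
        parse_acct_request(pkt)
        return True
    except ValueError:
        return False


class SubscriberManager:
    """Minimal model of the SM: a network-ID database plus push and pull delivery."""

    def __init__(self):
        self.by_ip = {}        # network-ID -> (subscriber-ID, package-ID)
        self.pushed = []       # (sce, op, subscriber, ip, package) sent to SCE device controllers

    def on_accounting(self, pkt, sce="sce-1"):
        rec = parse_acct_request(pkt)
        if rec.get("status") == ACCT_START:
            self.by_ip[rec["ip"]] = (rec["user"], rec.get("package"))
            self.pushed.append((sce, "set", rec["user"], rec["ip"], rec.get("package")))  # push mode
        elif rec.get("status") == ACCT_STOP:
            sub = self.by_ip.pop(rec["ip"], None)
            if sub:
                self.pushed.append((sce, "remove", sub[0], rec["ip"], None))
        return rec

    def who_is_using(self, ip):
        """Pull mode: the SCE saw traffic from an unmapped IP and asks the SM."""
        return self.by_ip.get(ip)


# Constructed login, the slide's Joe / 1.2.3.4 / package 12 case, and a tampered copy
LOGIN = build_acct_request(7, [
    (ATTR_USER_NAME, b"Joe"),
    (ATTR_NAS_ID, b"bras-1"),
    (ATTR_FRAMED_IP, bytes([1, 2, 3, 4])),
    (ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START)),
    (ATTR_VSA, vsa(SCE_VAS_PID_VSA_TYPE, b"12")),
])
TAMPERED = LOGIN[:-1] + bytes([LOGIN[-1] ^ 1])          # package "12" altered in flight
```

The authenticator check is what keeps a forged Accounting Start on the management network from re-pointing a subscriber's traffic at another package; an SM that skipped it would accept `TAMPERED` as a valid login for package 13.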
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management with the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C, Java)
- SCE MIB - allows integration for maintenance operations
- RDRs - allow integration for billing and quota provisioning
- NetFlow v9 - allows integration for billing and quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Figure: SCE - API - Subscriber Manager - API - Policy Server)
PCEF - Subscriber Policy Enforcement
(Figure: subscriber service control with the SCE as PCEF between the GGSN (access aggregation and service control), the converged packet core and the Internet; video/VoIP applications and services; numbered steps 1-5)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
- Called-Station-Id
- 3GPP-SGSN-IP-Address
- 3GPP-SGSN-MCC-MNC
- 3GPP-GPRS-Negotiated-QoS-Profile
- 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: Cisco bundled Collection Manager or third-party database
Configurable data granularity:
- Interval between RDRs
- Sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
- TCP, binary encoded
- Support for multiple destinations, failover, subscriptions
- RDR protocol integrated directly into third-party systems: policy control, mediation, home-grown customer systems
(Figure: RDR stream over TCP from the SCE to a mediation/collection platform; each RDR carries a header followed by Field 0, Field 1, ..., Field n)
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
Records equivalent to existing RDR groups:
- Subscriber Usage (NUR)
- Package Usage (PUR)
- Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Figure: SCE exporting to the SCMS Collection Manager with the SCMS Reporter, and to a NetFlow Collector with a NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  - per package
  - per service
  - per direction (i.e. upstream, downstream)
(Figure: subscriber side and network side of the SCE; upstream and downstream flows for browsing, P2P and VoIP)
ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
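Two details matter when a box both marks and trusts ToS bits: a DSCP rewrite changes the IPv4 header, so the header checksum has to be recomputed, and DSCP-based classification only deserves its precedence over signatures when the marking was set by an element the operator trusts. The following is an added example, not code from the slides or from the SCE, showing a per-package/service/direction marking table, the rewrite with checksum recomputation, and classification in which a configured DSCP flavor wins over the signature result. The DSCP values in the table and the IP addresses are constructed.

```python
import struct

# Constructed marking table: (package, service, direction) -> DSCP. None / absent = leave untouched.
MARKING = {
    ("gold", "voip", "upstream"): 46,        # EF
    ("gold", "voip", "downstream"): 46,
    ("gold", "browsing", "upstream"): 26,    # AF31
    ("default", "p2p", "upstream"): 8,       # CS1
    ("default", "p2p", "downstream"): 8,
}


def ipv4_checksum(hdr):
    """RFC 1071 ones-complement checksum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_checksum(hdr):
    return ipv4_checksum(hdr) == 0           # a correct header sums to zero


def dscp_of(ip_hdr):
    return ip_hdr[1] >> 2                    # upper six bits of the ToS byte


def mark_dscp(ip_hdr, dscp):
    """Rewrite the DSCP field, keep the two ECN bits, recompute the header checksum."""
    hdr = bytearray(ip_hdr)
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def mark_packet(ip_hdr, package, service, direction):
    """Apply the marking table; packets with no matching rule pass unchanged."""
    dscp = MARKING.get((package, service, direction))
    return ip_hdr if dscp is None else mark_dscp(ip_hdr, dscp)


def classify(ip_hdr, signature_service, dscp_flavors):
    """DSCP classification takes precedence over the signature result when the
    packet's DSCP matches a configured flavor; otherwise the signature result stands."""
    dscp = dscp_of(ip_hdr)
    if dscp in dscp_flavors:
        return dscp_flavors[dscp], "dscp"
    return signature_service, "signature"


def build_ipv4(dscp, proto=6, src=(10, 0, 0, 5), dst=(203, 0, 113, 9)):
    """Constructed 20-byte IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40, 0, 0, 64, proto, 0,
                                bytes(src), bytes(dst)))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)
```

Because `classify` lets a matching DSCP override the signature verdict, any edge that forwards subscriber-settable ToS bytes unchanged lets a subscriber choose their own service class; the usual mitigation is to remark (with `mark_packet`, or at the access device) before classification trusts the field.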
Summary
Cisco SCE Sample Customers
(Figure: customer logos grouped by Mobile, DSL and Cable)
(Figure: partner ecosystem and sample customers by area; names as extracted)
Areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; Phorm, Feeva, Adzilla, local partners in China and Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
(Figure, continued: partner ecosystem and sample customers by area; names as extracted)
Areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, InfoVista; Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
SCE's Flexible Control: Policy Implementation
Service level policy dimensions and their implementation impact:
- Application: sessions or bandwidth
- Time based: peak/off-peak hours
- Congestion: selective prioritization
- Subscriber: per-subscriber limits
- Destination: on-net, peering, transit
Adaptive Subscriber Bandwidth Allocation: Improve User Experience
(Figure: a subscriber's bandwidth shared between peer-to-peer service and web browsing; when the user launches video or mobile TV, e-mail and web browsing keep their share while peer-to-peer is squeezed)
Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, monitoring and acting on longer-term violation of the subscription plan's acceptable usage policies, to ensure a balanced community of subscribers
(Figure: two subscribers share network resources, and the network cannot fully satisfy both. If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources)
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service abuse
FairUsage works only during congestion times
(Figure: without fairness, some subscribers do not get a fair share of the bandwidth; fair allocation of bandwidth with the SCE's FairShare)
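The two slides above argue that an equal split at the moment of congestion is not fair once short-term history is taken into account. The following is an added example, not code from the slides or from the SCE's FairShare implementation, that makes this concrete: a weighted max-min (progressive filling) allocation in which a subscriber's weight is reduced when their usage over the recent window exceeds the group average. The weighting rule, the capacities and the usage figures are constructed assumptions; the allocation algorithm itself is the standard one.

```python
def usage_weight(recent_bytes, window_avg, floor=0.25):
    """Assumed heuristic: a subscriber whose recent-window usage exceeds the group
    average is de-weighted in proportion, never below `floor`; light users keep 1.0."""
    if recent_bytes <= window_avg or recent_bytes == 0:
        return 1.0
    return max(floor, window_avg / recent_bytes)


def fair_share(capacity, demands, weights=None):
    """Weighted max-min fair allocation of `capacity` among subscribers.
    demands: sub -> bandwidth wanted now; weights: sub -> share weight (default 1.0).
    A subscriber asking for less than its share keeps only what it asks for and the
    remainder is redistributed to the others (progressive filling)."""
    weights = weights or {s: 1.0 for s in demands}
    alloc = {s: 0.0 for s in demands}
    active = {s for s, d in demands.items() if d > 0}
    remaining = float(capacity)
    while active and remaining > 1e-9:
        total_w = sum(weights[s] for s in active)
        # the round is limited either by the capacity left or by the subscriber
        # whose remaining (weight-normalised) demand is smallest
        step = min(remaining / total_w,
                   min((demands[s] - alloc[s]) / weights[s] for s in active))
        for s in list(active):
            give = step * weights[s]
            alloc[s] += give
            remaining -= give
            if demands[s] - alloc[s] <= 1e-9:
                active.discard(s)
    return alloc


def scenario():
    """The slide's two-subscriber case: both want more than half the link at 0:40,
    but B has moved far more data than A over the recent window (constructed figures)."""
    demands = {"A": 8.0, "B": 8.0}          # Mbps wanted now
    recent = {"A": 100.0, "B": 700.0}       # MB moved in the short-term window
    avg = sum(recent.values()) / len(recent)
    weights = {s: usage_weight(recent[s], avg) for s in demands}
    return fair_share(10.0, demands), fair_share(10.0, demands, weights)
```

`scenario()` returns the equal split the slide calls unfair (5 Mbps each) next to the history-aware split, in which A gets roughly 6.4 Mbps and B about 3.6 Mbps; no subscriber is ever starved because the weight has a floor.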
RAN Optimization and Backhaul Optimization
- Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. e-mail only
- Ability to provide SLA support or managed services for large enterprise users
(Figure: UTRAN - SGSN/GGSN - SCE - Internet, with a policy server attached to the SCE; GPRS)
Tiered Services
Requirement: Flexible Billing Plans
(Figure: three billing models of increasing granularity)
- Subscription by volume or time: bill by bandwidth usage over an always-on service
- By time, volume, transaction and content type: bill differently for each type of application and content
- By volume, transaction, content type, usage pattern and quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume (quota-based) or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage
Quota Measurement: Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
(Figure: Service Control Engine between Subscribers and Network, integrated with Quota Manager, Billing/Mediation and Policy Server)
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store
- P2P technology can also be supported in the upload direction via DPI
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
The quota measurement rate can change by time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of the night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to an Online Charging Server
(Figure: subscriber service control with the SCE between the GGSN (access aggregation and service control), the converged packet core and the Internet; video/VoIP applications and services; numbered steps 1-3)
The Gy interface is still under development and will be available in a future release
Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between Online Charging Servers
(Figure: SCE - Gy over Diameter - Online Charging Server; SCE - Internet)
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet, Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, their Internet service is reduced to dial-up speed
- The user then has the option to upgrade their quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month
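The quota measurement slide above gives the counting rules (exempt on-net services, 1:1 at peak, 10:1 in the middle of the night) and the Telenet case gives the enforcement behaviour (drop to dial-up speed at the quota, redirect to a portal offering extend, pay-as-you-go or free narrowband). The following is an added example, not code from the slides or from the SCE's quota manager, that joins the two into one bucket model. Quota sizes, the night-time window, the dial-up speed figure and the service names are constructed assumptions.

```python
from datetime import datetime

# Services whose revenue is not access revenue and which are therefore not counted (constructed names)
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_rate(ts):
    """Bytes of transfer per byte of quota: 1:1 at peak, 10:1 in the middle of the night.
    Treating 01:00-05:59 as 'middle of the night' is an assumption."""
    return 10 if 1 <= ts.hour < 6 else 1


class QuotaBucket:
    """One subscriber's monthly volume quota and the enforcement state around it."""

    def __init__(self, quota_bytes, topup_bytes):
        self.quota, self.topup, self.used, self.overage = quota_bytes, topup_bytes, 0, 0
        self.mode = "full-speed"        # full-speed | reduced-speed | pay-per-mb
        self.redirected = False

    def account(self, ts, service, nbytes):
        """Count a flow's bytes against the bucket and return the resulting mode."""
        if service in EXEMPT_SERVICES:
            return self.mode
        counted = nbytes // quota_rate(ts)
        if self.mode == "pay-per-mb":
            self.overage += counted     # billed per MB, not against the bucket
        else:
            self.used += counted
            if self.used >= self.quota and self.mode == "full-speed":
                self.mode = "reduced-speed"   # quota reached: dial-up speed until the user chooses
        return self.mode

    def http_action(self):
        """What to do with the subscriber's next web request: one redirect to the
        quota portal when the quota is first reached, pass-through otherwise."""
        if self.mode == "reduced-speed" and not self.redirected:
            self.redirected = True
            return "redirect:quota-portal"
        return "pass"

    def choose(self, option):
        """The three portal options from the Telenet redirect page."""
        if option == "extend":
            self.quota += self.topup
            self.mode, self.redirected = "full-speed", False
        elif option == "pay-as-you-go":
            self.mode = "pay-per-mb"
        elif option == "narrowband":
            self.mode = "reduced-speed"
        else:
            raise ValueError("unknown option %r" % option)
        return self.mode

    def remaining(self):
        return max(0, self.quota - self.used)

    def speed_kbps(self):
        """None means the plan's normal speed; 56 kbps for dial-up is an assumed figure."""
        return 56 if self.mode == "reduced-speed" else None
```

The night-time discount is applied at counting time, so a subscriber who moves 3 GB between 01:00 and 06:00 burns 300 MB of quota; exempt services never touch the bucket, which is how the SP's own content store stays "free" without a second accounting path.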
(Figure: Telenet subscriber portal; callouts: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around)
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber:
- Extend subscription - buy more
- Pay as you go on broadband
- Continue for free on narrowband
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
- 40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile - Quota-Based With Application Control

Application | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Allowance row as extracted (six values for the seven plans): Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
(Figure: Vodafone Spain volume quota offering; label "> 40")
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": enhanced experience is application-driven (application awareness)
(Figure: broadband access with IPTV/VoD, gaming, messaging, music and voice services connected over a control bus)
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services to protect subscribers from attacks, or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Figure: personalization via self-selection)
Bandwidth on Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists:
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
(Figure: blocked-content page reading "Content blocked - click here to unlock all Internet sites", with the SCE between the subscriber and the Internet)
URL Filtering With External DB
On-device URL filtering with external database integration:
- Enhances SCE URL classification with external party databases
- External database size is not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
(Figure: on a cache miss the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache is updated on lookup)

Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64 kbps
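The slide describes two mechanisms: an on-board cache in front of the external URL database, and a per-package action matrix keyed on the list the URL falls into. The following is an added example, not code from the slides or from the SCE's Websense/Adaptive Mobile integration, showing both together with the host normalisation a filter needs so that case or a trailing dot cannot sidestep a list entry. The external database is a constructed stand-in with a suffix (parent-domain) match; the list membership, cache TTL and sizes are assumptions.

```python
import time
from collections import OrderedDict
from urllib.parse import urlsplit

# Action matrix from the slide: package -> {list id -> action}; "DEFAULT" = URL in no list
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the third-party URL database: domain -> list id
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2}


def external_lookup(host):
    """Simulated DB query: match the host or any parent domain (but never a bare TLD)."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        hit = EXTERNAL_DB.get(".".join(parts[i:]))
        if hit is not None:
            return hit
    return None


def normalise_host(url):
    """Lower-case the host and drop a trailing dot so variants map to one cache key."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().rstrip(".")


class UrlClassifier:
    """LRU cache with TTL in front of the external database, plus the action matrix."""

    def __init__(self, lookup, ttl=300, max_entries=1000):
        self.lookup, self.ttl, self.max_entries = lookup, ttl, max_entries
        self.cache = OrderedDict()          # host -> (list id or None, expiry)
        self.external_queries = 0

    def classify(self, url, now=None):
        now = time.time() if now is None else now
        host = normalise_host(url)
        entry = self.cache.get(host)
        if entry is not None and entry[1] > now:
            self.cache.move_to_end(host)    # cache hit: no transaction to the external DB
            return entry[0]
        list_id = self.lookup(host)         # miss or expired: query the external DB
        self.external_queries += 1
        self.cache[host] = (list_id, now + self.ttl)
        self.cache.move_to_end(host)
        if len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)  # evict least recently used
        return list_id

    def decide(self, package, url, now=None):
        """Action for one HTTP request given the subscriber's package."""
        list_id = self.classify(url, now)
        key = "DEFAULT" if list_id is None else list_id
        return POLICY[package].get(key, "ALLOW")
```

Negative results (host in no list) are cached too, which is what keeps the bulk of ordinary browsing from generating a query per request; the TTL bounds how long a stale verdict survives after the external database changes.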
Parental Control and Content Filtering: Example
(Figure: content filtering page, "Page blocked - forbidden content detected")
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
Leveraging their intimacy with their customer base to enable enhanced targeting
(Figure: the ISP contributes demographics, browsing habits and geo-location to a BetterAds chain of advertiser, publisher and consumer)
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain and increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a third-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
P2P Identification: Infringing vs. Non-Infringing
(Figure: subscriber, SCE, hash DB and network)
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing and non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
(Figure: SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; other OTT, P2P and VoIP traffic passes through; increase in demand for OTT)
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end users may not have any security protection
- End users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Figure: Service Control between subscribers, e-mail servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an e-mail zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
(Figure: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic; X marks where traffic is blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - broadband edge/aggregation:
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split flow
- Network redundancy
- IP tunneling environment
(Figure: SCE placed between subscribers and the network)
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
- Receive-only configuration
  - Uses optical splitters or port SPAN
  - Traffic monitoring only
- Inline configuration
  - Engine installed in the data path
  - Monitor and control traffic
Diagram: SCE fed by optical splitters between Subscribers and Network (receive-only) versus SCE placed directly in the link (inline).

High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active-standby failover
- The Slave forwards all traffic to the Master for processing
- The Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
Diagram: Master and Slave SCE, each inserted on one of two active links.

Redundant Configurations: Active/Standby Schemes
- 1+0
  - Active/standby: SCE on the active link only
  - On failure, the network uses the alternate path
  - No service redundancy
  - Bypass configuration: fail open
- 1+1
  - Active/standby: SCE on each link
  - On failure, the network uses the alternate path
  - The standby SCE resumes service
  - Bypass configuration: fail open
Diagram: active link and standby link for each scheme.

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000, the optical bypass modules are activated in the following cases:
  - A major failure in the SCE software or hardware
  - Manually via the CLI
  - On boot
Diagram: SCE8000 with optical bypass modules on its link ports; the default bypass state (no power) and the non-default bypass state are shown.

MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with eight 30-Gbps SCE8000s
- High availability: N+1 device-level high availability addressing all failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Diagram: Cisco 7600 distributing flows to N+1 SCEs, which return the flows to the data path towards the Internet.

Network Architectures: SCE's Open and Extensible Architecture
Diagram: SCE deployment options (N+1 cluster, 1+1 HA, bypass HA) behind a GGSN for Mobile and behind a BRAS/LAC/LNS for DSL/Fiber, with accounting and policy control attached, towards the Internet.

Tunneling Environment: SCE Supports Tunneled IP Traffic
- Supports various packet encapsulation and tunneling techniques, including:
  - VLAN 802.1q tagging
  - MPLS traffic engineering
  - L2TP tunneling
  - IP-in-IP tunneling
  - GRE and GTP (planned for end of 2009)
Diagram: packet inspection across encapsulated stacks (Payload/TCP/IP over L2TP or MPLS, and Payload/TCP/IP over PPP).

Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
- Modular solution including SCE devices, management tools and integration APIs
Diagram: Service Control Engine between Subscribers and Network; Subscriber Manager integrating with AAA, DHCP and RADIUS/Billing; Collection Manager feeding the Reporting Tool; Engage Console, Service Portal and Policy Server/Portal around the SCE.

Management and Integrations
- Network Management
  - Description: FCAPS
  - Protocols and tools: SNMP, CLI, SSH
  - External software modules: N/A
- Policy/Service Configuration
  - Description: definition of policies and dissemination to SE devices
  - Protocols and tools: SCA-API, GUI, scripts, XML
  - External software modules: Service Control Application Suite GUI
- Subscriber Management
  - Description: dynamic management of subscriber contexts
  - Protocols and tools: SM API, RADIUS
  - External software modules: Subscriber Manager
- Data Collection
  - Description: collection of usage data for reporting and billing
  - Protocols and tools: NetFlow v9, RDR protocol
  - External software modules: Collection Manager

Network Management (FCAPS)
- SNMP (v2)
  - MIB-II
  - Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  - Traps: MIB-II traps, RDR link up/down, link status up/down
- CLI
  - Telnet/SSH
  - Cisco look and feel
  - CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a real-time subscriber report

Service Security Dashboard
- Integrated console to manage the service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
- The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber quotas: set/add/read usage quota buckets
- Integration into back-office/AAA:
  - RADIUS AAA
  - DHCP servers
  - Policy control systems

Subscriber Manager: Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration - Push
Diagram: the B-RAS sends RADIUS accounting to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller), which pushes the subscriber to the SCE device in the network.
1. (RADIUS) Acct-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE device

Subscriber Manager: RADIUS Integration - Pull
Diagram: same components as the push case; the SCE device queries the SM when it sees traffic from an IP it does not know.
1. (RADIUS) Acct-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE device

RADIUS Integration: LEG Translation in Brief
- RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
- DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
- Translation to SM operations:
  - Login: Subscriber ID, Domain, Mappings, Lease time, Policy
  - Logout: Subscriber ID, Mappings
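The push and pull flows and the LEG translation on the preceding slides, as an added Python illustration (not Cisco code and not the SM API): a minimal Subscriber Manager fed by a RADIUS LEG from Accounting-Request attributes, with a DHCP-style lease expiry checked on pull lookups. Class and method names, the injectable clock, the default package ID 1 and the lease handling are assumptions; User-Name, Framed-IP-Address and Acct-Status-Type are standard RADIUS attributes and SCE-VAS-PID is the vendor-specific package ID from the slides.

```python
"""Subscriber Manager (SM) login/logout driven by RADIUS accounting, in the push
and pull modes of the slides. Added illustration, not Cisco code."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class Subscriber:
    subscriber_id: str                      # Subscriber-ID of the context
    mappings: Set[str]                      # Network-IDs (IP addresses) mapped to it
    policy_id: int                          # Policy-ID (package) the SCE applies
    lease_expires: Optional[float] = None   # DHCP lease expiry; None for RADIUS logins


class SubscriberManager:
    """Subscriber database plus the two ways mappings reach the SCE."""

    def __init__(self, push_mode: bool = True, now: Callable[[], float] = time.time):
        self.sdb: Dict[str, Subscriber] = {}   # subscriber_id -> Subscriber
        self.ip_index: Dict[str, str] = {}     # Network-ID -> subscriber_id
        self.push_mode = push_mode
        self.sce_calls = []                    # what would be sent to the SCE device
        self.now = now                         # injectable clock (assumption, for testing)

    def login(self, subscriber_id, mappings, policy_id, lease_time=None):
        """LEG 'Login': subscriber ID, mappings, lease time and policy."""
        self.logout(subscriber_id)             # a re-login replaces the old mappings
        expires = self.now() + lease_time if lease_time else None
        sub = Subscriber(subscriber_id, set(mappings), policy_id, expires)
        self.sdb[subscriber_id] = sub
        for ip in sub.mappings:
            self.ip_index[ip] = subscriber_id
        if self.push_mode:
            # Push: Set Subscriber goes to the relevant SCE immediately.
            self.sce_calls.append(("set_subscriber", subscriber_id,
                                   tuple(sorted(sub.mappings)), policy_id))
        return sub

    def logout(self, subscriber_id):
        """LEG 'Logout': drop the context and its mappings."""
        sub = self.sdb.pop(subscriber_id, None)
        if sub is not None:
            for ip in sub.mappings:
                self.ip_index.pop(ip, None)
            self.sce_calls.append(("remove_subscriber", subscriber_id))
        return sub

    def who_is_using(self, ip):
        """Pull: the SCE asks the SM when it sees traffic from an unknown IP."""
        sid = self.ip_index.get(ip)
        if sid is None:
            return None
        sub = self.sdb[sid]
        if sub.lease_expires is not None and self.now() > sub.lease_expires:
            self.logout(sid)                   # expired DHCP lease: the mapping is stale
            return None
        if not self.push_mode:
            self.sce_calls.append(("set_subscriber", sid,
                                   tuple(sorted(sub.mappings)), sub.policy_id))
        return sub


def radius_leg(sm, acct_request):
    """Translate one RADIUS Accounting-Request (attribute dict) into an SM call."""
    status = acct_request["Acct-Status-Type"]
    user = acct_request["User-Name"]
    if status == "Start":
        ip = acct_request["Framed-IP-Address"]
        vsa = acct_request.get("Vendor-Specific", {})
        policy = vsa.get("SCE-VAS-PID", 1)     # assumption: package 1 is the default
        return sm.login(user, {ip}, policy)
    if status == "Stop":
        return sm.logout(user)
    raise ValueError("unsupported Acct-Status-Type: %r" % status)
```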

Policy Server Integration: API Overview
- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API: direct subscriber management with the SCE (provided in Java)
  - SM API: dynamic subscriber management (provided in C and Java)
  - SCE MIB: integration for maintenance operations
  - RDRs: integration for billing and quota provisioning
  - NetFlow v9: integration for billing and quota provisioning

Policy Server Integration: Topology Example
- The SCMS SM is responsible for mapping the Network ID to the Subscriber ID together with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE -- API -- Subscriber Manager -- API -- Policy Server.

PCEF - Subscriber Policy Enforcement
Diagram: subscriber traffic passes the GGSN (access aggregation and service control) and the SCE acting as PCEF into the converged packet core, towards the Internet and video/VoIP applications and services; numbered steps show the policy exchange.
- SCE acting as a 3GPP PCEF
- Applies per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
- The SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages; attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release

Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing
  - Cisco bundled Collection Manager
  - Third-party database
- Configurable data granularity
  - Interval between RDRs
  - Sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol
  - TCP, binary encoded
  - Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Diagram: RDR stream over TCP from the SCE to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n.

Collection Manager: NetFlow v9 Export
- NetFlow v9 export extended to support L7 report records
  - Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  - The SCE supports the new extensions
- Records equivalent to existing RDR groups:
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter).

Collection Manager: Software Overview
- CM software
  - Unix (Solaris, Linux) Java software
  - The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  - Template-driven reporting tool (100+ report templates)
- CM bundle
  - Cisco provides the collection software pre-packaged with a database (Sybase)
  - Template-driven reporting tool (100+ report templates)

ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application has been classified, the SCE ToS marking capability can mark traffic:
  - Per package
  - Per service
  - Per direction (upstream or downstream)
Diagram: upstream and downstream flows (browsing, P2P, VoIP) between the subscriber side and the network side of the SCE.

ToS Classification
- The SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
- The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
Diagram: customer logos grouped by access type (Mobile, DSL, Cable).

Diagram: partner and customer logos by solution area. Solution areas: Security & Content Filtering, Policy & Billing, URL Black-listing, Advertising. Names shown: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Aladdin, Websense, Adaptive Mobile; Websense, in-platform cache; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W. Advertising: Phorm, Feeva, Adzilla, Local China, Local Italy; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom.

Diagram: partner and customer logos by solution area. Solution areas: Flash Caching/Video, Content Infringement, Management/Reporting, Data Warehousing. Names shown: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle; various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet.

Adaptive Subscriber Bandwidth Allocation: Improve User Experience
Diagram: per-application bandwidth allocation (peer-to-peer service, web browsing, e-mail, mobile TV) changing over time as the user launches a video.

Fair Usage: The Challenge
- Bandwidth needs to be fairly distributed in real time, with equal access to network resources
- Short-term windows of usage also need to be taken into account
- In addition, longer-term violation of the subscription plan's acceptable usage policies must be monitored and acted on, to ensure a balanced community of subscribers
Diagram: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides the bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources.

Fair Usage: SCE - Intelligent Traffic Management
- FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear, enabling SPs to:
  - Apply equitable distribution of network resources
  - Improve the quality of experience that the network delivers
  - Minimize service abuse
- FairUsage works only during congestion times
Diagram: no fairness (some subscribers not getting a fair share of the bandwidth) versus fair allocation of bandwidth with the SCE's FairShare.

RAN Optimization and Backhaul Optimization
- Addresses the inherent congestion at the RAN and backhaul levels that the boom in mobile data is imposing
- Higher and more consistent performance and a much improved end-user experience
- Flexibility to generate revenue through differential billing and charging, e.g. e-mail only
- Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN -- SGSN/GGSN -- SCE -- Internet (GPRS), with a policy server attached to the SCE.

Tiered Services

Requirement: Flexible Billing Plans
- Subscription based on volume and time: bill by bandwidth usage over an always-on service
- Subscription based on time, volume, transaction and content type: bill differently for each type of application and content
- Subscription based on volume, transaction, content type, usage pattern and quality of service: bill differently for the same content based on quality, priority, time of day and usage pattern

Allowance- or Quota-Based Services: Buy Time or Bandwidth as Needed
- Allowance-based subscription: this feature allows subscribers to choose volume-quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
- Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session can either be terminated or the user can purchase more usage

Quota Measurement/Enforcement Solution
- SCE capabilities:
  - Stateful classification of the end application regardless of port number
  - Subscriber-based classification for detailed demographic data
  - No load added on the existing network infrastructure
  - End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Service Control Engine between Subscribers and Network, integrated with a Quota Manager, Billing/Mediation and a Policy Server.

Quota Measurement Flexibility
- Content that earns revenue other than access revenue can be exempted from quota counting:
  - SP's content delivery store
  - P2P technology can also be supported in the upload direction via DPI
  - SP's gaming services
  - SP's VoIP service
  - Partnership content delivery services
- The quota measurement rate can change with the time of day:
  - Peak hour: 1 byte of transfer = 1 byte of quota
  - Middle of the night: 10 bytes of transfer = 1 byte of quota

Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the online charging server
- The Gy interface is still under development and will be available in a future release
Diagram: subscriber service control with the SCE behind the GGSN (access aggregation and service control) into the converged packet core, towards the Internet and video/VoIP applications and services; numbered steps show the charging exchange.

Gy Interface for Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with online charging servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load balancing between online charging servers
- The Gy interface is still under development and will be available in a future release
Diagram: SCE between subscribers and the Internet, talking Gy over Diameter to the Online Charging Server.

Quota-Based Tiering: Telenet Cable Company in Belgium
- Source: http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at the reduced speed until the end of the month
- 15% of the customers upgrade their quota every month
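The quota rules of the "Quota Measurement Flexibility" slide (exempt services, time-of-day weighting) together with the quota-reached behaviour of the Telenet example (speed reduced to dial-up, portal options, upgrade restores full speed), as one added Python example; it is not Cisco code. The 08:00-23:59 peak window, the service names and the 56 kbps dial-up figure are assumptions.

```python
"""Quota accounting per the 'Quota Measurement Flexibility' slide and the
quota-reached behaviour of the Telenet example. Added example, not Cisco code."""

# Assumptions: peak is 08:00-23:59 and everything else is "middle of the night";
# service names are constructed; 56 kbps stands in for "dial-up speed".
PEAK_HOURS = range(8, 24)
EXEMPT_SERVICES = {"sp_content_store", "sp_gaming", "sp_voip", "partner_cdn"}
PORTAL_OPTIONS = ["extend subscription", "pay as you go on broadband",
                  "continue for free on narrowband"]


def quota_bytes_for(transfer_bytes, service, hour):
    """Bytes of quota consumed by a transfer of transfer_bytes at the given hour."""
    if service in EXEMPT_SERVICES:
        return 0                          # content with non-access revenue is not counted
    if hour in PEAK_HOURS:
        return transfer_bytes             # peak: 1 byte of transfer = 1 byte of quota
    return transfer_bytes // 10           # night: 10 bytes of transfer = 1 byte of quota


class SubscriberQuota:
    """Monthly volume quota for one subscriber; service drops to dial-up at 100 %."""

    def __init__(self, monthly_quota_bytes, full_speed_kbps, reduced_speed_kbps=56):
        self.quota = monthly_quota_bytes
        self.used = 0
        self.full_speed = full_speed_kbps
        self.reduced_speed = reduced_speed_kbps
        self.redirected = False           # the redirect page is shown once per quota breach

    def record(self, transfer_bytes, service, hour):
        """Account one transfer and return the enforcement decision for the subscriber."""
        self.used += quota_bytes_for(transfer_bytes, service, hour)
        if self.used < self.quota:
            return {"speed_kbps": self.full_speed, "redirect": False, "options": []}
        first_time = not self.redirected  # redirect to the portal only on the transition
        self.redirected = True
        return {"speed_kbps": self.reduced_speed, "redirect": first_time,
                "options": PORTAL_OPTIONS if first_time else []}

    def extend(self, extra_bytes):
        """Subscriber buys more volume: the quota grows and full speed is restored."""
        self.quota += extra_bytes
        self.redirected = False
        return self.record(0, "web", 12)

    def new_month(self):
        """Monthly reset; a subscriber who stayed on narrowband gets full speed back."""
        self.used = 0
        self.redirected = False
        return self.record(0, "web", 12)
```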

Screenshot: Telenet subscriber portal showing previous months' usage, the current product and speed, an option to extend the monthly subscription volume, an option to upgrade to another product, and a button to switch from pay-as-you-go broadband to free smallband or the other way around.

Redirect Page
Screenshot: redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more), pay as you go on broadband, or continue for free on narrowband.

Quota-Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan, increasing revenue
- 40% reduction in service support calls relating to this service, increasing customer service satisfaction

T-Mobile: Quota-Based with Application Control
Package          | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | √ | × | × | × | × | √ | ×
IM               | √ | × | × | × | √ | √ | ×
P2P              | √ | × | √ | × | √ | √ | ×
FTP              | √ | × | √ | × | √ | √ | ×
Media Stream     | √ | × | √ | × | √ | √ | ×
Web Browsing     | √ | √ | √ | √ | √ | √ | √
Downloads        | √ | × | √ | √ | √ | √ | √
Emails           | √ | √ | √ | √ | √ | √ | √
Handset as modem | √ | × | √ | × | √ | √ | ×

European Mobile BB: Web 3G and Skype for Mobile
- "Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Screenshot: Vodafone Spain consumer Internet offer page (http://www.vodafone.es/particulares/internet); label "> 40".

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
- Industry's first subscriber- and/or application-driven solution
- "Pull": the enhanced experience is subscriber-driven ("Turbo Button", self-care, parental control)
- "Push": the enhanced experience is application-driven (application awareness)
Diagram: control bus linking broadband access with IPTV/VoD, gaming, messaging, music and voice services.

Service Creation: SCE's Rich Service Creation Environment
- Personalized subscription service examples:
  - Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
  - Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
  - Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
  - Copyright infringement: validate that distributed content does not infringe copyrights
  - Advertisement insertion: perform local advertisement insertions
  - Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
- Rich service-creation environment:
  - Application-based control on a per-subscriber basis
  - Integrates with the AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Screenshot: personalization via self selection.

Bandwidth on Demand: Meeting Subscriber Needs on Demand
- Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Screenshot: turbo button.

Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
- Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Screenshot: parental controls and content filtering.

Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white lists and blacklists
  - Limits access to pre-defined websites
  - Limits access to pre-approved applications
  - HTTP redirect to portal
  - Real-time policy change
- Benefits
  - Customer loyalty and stickiness
  - Revenue opportunity through content provider partnership
Screenshot: "Content Blocked - Click here to unlock all Internet sites" page, with the Internet behind the SCE.

URL Filtering with External DB
- Enhances SCE URL classification with external-party databases
- The external database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external database
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
Diagram: on-device URL filtering with external database integration. For a URL not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache is looked up and updated.
Subscriber package policy by HTTP list:
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64 kbps
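The cache-then-external-database lookup and the package/list decision table above, as an added Python example; it is not Cisco code and not the Java API the slide mentions. The external database stand-in (answering per host), its sample list contents, the FIFO cache eviction and the RDR counter are assumptions.

```python
"""On-device URL filtering with an external database and the subscriber-package
decision table from the slide. Added example, not Cisco code."""
from urllib.parse import urlsplit

# Decision table from the slide: subscriber package x HTTP list ID -> action
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the third-party URL database (assumption: it answers per host)."""

    def __init__(self, host_lists):
        self.host_lists = host_lists      # host -> list ID; constructed sample data
        self.queries = 0                  # counts URL query RDRs received

    def classify(self, host):
        self.queries += 1
        return self.host_lists.get(host, "DEFAULT")


class UrlFilter:
    """SCE-side on-board cache in front of the external database, plus policy lookup."""

    def __init__(self, external_db, cache_size=1000):
        self.db = external_db
        self.cache = {}                   # host -> list ID (on-board cache)
        self.cache_size = cache_size

    def list_id_for(self, url):
        host = (urlsplit(url).hostname or "").lower()
        if host in self.cache:
            return self.cache[host]       # cache hit: no transaction to the external DB
        list_id = self.db.classify(host)  # cache miss: URL query RDR to the external DB
        if len(self.cache) >= self.cache_size:
            self.cache.pop(next(iter(self.cache)))   # simple FIFO eviction (assumption)
        self.cache[host] = list_id
        return list_id

    def decide(self, package, url):
        """Action for an HTTP request from a subscriber in the given package."""
        if package not in POLICY:
            raise ValueError("unknown subscriber package: %r" % package)
        return POLICY[package][self.list_id_for(url)]
```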

Parental Control and Content Filtering: Example
Screenshot: content filtering block page reading "Page Blocked: Forbidden Content Detected".
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Diagram: the ISP contributes demographics, browsing habits and geo-location to BetterAds, linking advertiser, publisher and consumer.
- Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain
- Increase ARPU through a revenue-sharing model
- Addresses privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
- Arsenal of tools for behavioral targeted advertising:
  - Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server using VLAN marking
  - Reporting HTTP click-stream information in RDRs and anonymizing the subscriber details in the RDRs
  - Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Diagram: behavioral targeting through traffic mirroring. 1. Subscribers browse the web. 2. The SCE mirrors relevant traffic to profiling servers. 3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...).

P2P Identification: Infringing vs. Non-Infringing
Diagram: subscriber, SCE and hash DB. 1. The subscriber initiates a P2P file request. 2. The SCE extracts the file hash and consults the DB. 3. The DB responds with the file classification (infringing or legal). 4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file.
- Classifying P2P content into infringing and non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
- The SCE analyzes and redirects OTT traffic to the caching server
- The cache delivers more bandwidth to end users using existing network resources
- The cache relieves the network peering load while improving QoE
- Benefits:
  - Saves on peering bandwidth
  - Clears network congestion
  - Increases user satisfaction
- Increase in demand for OTT
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
Diagram: SCE classifying traffic (OTT, other OTT/P2P, VoIP); the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files.

Service Security Challenges
- Key challenges:
  - Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
  - No mandatory security tools: end users may not have any security protection
  - End users are not educated on security best practices
  - New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
- Effect on the SP's business:
  - Increased cost for the carrier from network management and downtime
  - Subscriber churn and customer support costs
- Ability to identify and mitigate attacks emanating from its own users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
Diagram: Service Control between the subscribers and the Internet / Email Servers; example notification sent to a quarantined subscriber:
Dear Valued Subscriber,
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com
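The identify / protect / notify tiers above, as an added example over constructed per-subscriber flow records (not Cisco's code): the flow format, thresholds, policy table and notice text are assumptions chosen for the illustration.

```python
"""Identify / protect / notify over per-subscriber flow records.
Added example, not Cisco's code: the flow format, thresholds, policy table
and notice text are assumptions chosen for the illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    sub: str    # subscriber id, as mapped by the Subscriber Manager
    dst: str    # destination IP
    dport: int  # destination port
    ts: int     # flow start time, seconds


WINDOW = 60              # fixed detection window, seconds
SPAM_SMTP_DESTS = 20     # distinct mail servers per window -> spam zombie
WORM_SCAN_DESTS = 50     # distinct hosts on one non-SMTP port -> propagation
DOS_FLOWS_ONE_DST = 500  # flows to one destination per window -> DoS

# Tier 2 policy: threat -> configured mitigation (assumed)
POLICY = {"spam": "block-port-25", "worm": "block-scanned-port", "dos": "rate-limit"}

NOTICE = ("Dear Valued Subscriber, your PC may be infected ({threat}). "
          "Your access has been restricted ({action}); please contact support.")


def identify(flows):
    """Tier 1: anomaly detection per subscriber within each window.
    Returns {subscriber: sorted list of threat names}."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.sub, f.ts // WINDOW)].append(f)
    found = defaultdict(set)
    for (sub, _), fl in buckets.items():
        dests_by_port = defaultdict(set)
        flows_by_dst = defaultdict(int)
        for f in fl:
            dests_by_port[f.dport].add(f.dst)
            flows_by_dst[f.dst] += 1
        if len(dests_by_port[25]) >= SPAM_SMTP_DESTS:
            found[sub].add("spam")
        if any(len(d) >= WORM_SCAN_DESTS
               for port, d in dests_by_port.items() if port != 25):
            found[sub].add("worm")
        if max(flows_by_dst.values()) >= DOS_FLOWS_ONE_DST:
            found[sub].add("dos")
    return {s: sorted(t) for s, t in found.items()}


def protect(threats):
    """Tier 2: map each detected threat to the configured action."""
    return {s: [POLICY[t] for t in ts] for s, ts in threats.items()}


def notify(threats, actions):
    """Tier 3: quarantine the subscriber and build the notification."""
    return {s: {"quarantined": True,
                "message": NOTICE.format(threat=", ".join(threats[s]),
                                         action=", ".join(actions[s]))}
            for s in threats}


def run(flows):
    threats = identify(flows)
    actions = protect(threats)
    return threats, actions, notify(threats, actions)


# Constructed sample: joe contacts 25 mail servers within one minute (spam
# zombie), ann probes 60 hosts on TCP/445 (worm propagation), bob browses.
SAMPLE = (
    [Flow("joe", f"198.51.100.{i}", 25, 10 + i) for i in range(25)]
    + [Flow("ann", f"10.0.0.{i}", 445, 5 + i % 30) for i in range(60)]
    + [Flow("bob", "203.0.113.7", 443, 12), Flow("bob", "203.0.113.8", 80, 20)]
)

if __name__ == "__main__":
    for sub, info in run(SAMPLE)[2].items():
        print(sub, info["message"])
```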
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security Protection: Value to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1, SCE on the Carrier Ethernet/MPLS/IP path, VAS Server, Internet; inbound and outbound traffic, X marks traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point: Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Diagram: Analysis Engine with PDR (Police / Drop / Rewrite) actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: Subscribers, optical splitters, Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
Diagram: active link and standby links
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 with an optical bypass module on each link; default bypass state (no power) vs. non-default bypass state
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber states
Diagram: N+1 SCEs attached to the 7600; flows and return flows toward the Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
Network Architectures: SCE's Open and Extensible Architecture
Diagram: deployment options (N+1 cluster, 1+1 HA, bypass HAs) behind a GGSN (Mobile) or BRAS/LAC/LNS (DSL/Fiber), with Accounting/Policy Control integration, toward the Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Tunneling Environment: SCE Supports Tunneled IP Traffic (Packet Inspection)
Supports various packet encapsulation or tunneling techniques, including
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Diagram: encapsulated packet stacks (Payload / TCP / IP over L2TP, MPLS or PPP headers)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Subscribers, Service Control Engine, Network; Subscriber Manager (AAA, DHCP, Radius, Billing), Collection Manager (Reporting Tool, Engage Console, Service Portal), Policy Server / Portal
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations

| Function | Description | Protocols and Tools | External Software Modules |
| Network Management | FCAPS | SNMP, CLI, SSH | N/A |
| Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI |
| Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager |
| Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR Protocol | Collection Manager |
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: click on a top subscriber to activate that subscriber's real-time report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office / AAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Subscriber Manager: Radius Integration - Push
Diagram: B-RAS on the network side, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller), SCE, Subscribers
1. (RADIUS) ACCT Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Subscriber Manager: Radius Integration - Pull
Diagram: same components as in the push case
1. (RADIUS) ACCT Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
Radius Integration: LEG translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP fields: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translated into an SM Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Translated into an SM Logout: Subscriber ID, Mappings
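The push and pull exchanges and the LEG translation above, as an added example (not Cisco's SM, SM-API or LEG code): the RADIUS message layout, the placement of SCE-VAS-PID inside Vendor-Specific, the default package and the class interfaces are assumptions.

```python
"""RADIUS LEG -> Subscriber Manager -> SCE mapping, in push and pull mode.
Added example, not Cisco's SM or SM-API code: the message layout, the
SCE-VAS-PID attribute placement and the class interfaces are assumptions."""
from dataclasses import dataclass, field

DEFAULT_PACKAGE = 1  # package used when no SCE-VAS-PID VSA is present (assumed)


@dataclass
class SubscriberContext:
    subscriber_id: str
    policy_id: int
    network_ids: set = field(default_factory=set)  # IPs mapped to this context


class SCE:
    """Enforcement point: holds IP -> (subscriber, package) mappings."""
    def __init__(self):
        self.mappings = {}
        self.sm = None  # set in pull mode so the SCE can query the SM

    def set_subscriber(self, sid, ip, pid):
        self.mappings[ip] = (sid, pid)

    def remove_mapping(self, ip):
        self.mappings.pop(ip, None)

    def classify(self, src_ip):
        """Subscriber context for a packet; unknown IPs are queried (pull) or anonymous."""
        if src_ip not in self.mappings and self.sm is not None:
            answer = self.sm.lookup(src_ip)         # "who is using IP ...?"
            if answer is not None:
                self.mappings[src_ip] = answer
        return self.mappings.get(src_ip, ("anonymous", 0))


class SubscriberManager:
    def __init__(self, sces, mode="push"):
        self.db = {}          # internal SDB: subscriber id -> context
        self.by_ip = {}       # network id -> subscriber id
        self.sces, self.mode = sces, mode
        if mode == "pull":
            for sce in sces:
                sce.sm = self

    def login(self, sid, ip, pid=None):
        ctx = self.db.get(sid)
        if ctx is None:
            ctx = self.db[sid] = SubscriberContext(sid, DEFAULT_PACKAGE)
        if pid is not None:
            ctx.policy_id = pid       # otherwise the persisted policy is kept
        ctx.network_ids.add(ip)
        self.by_ip[ip] = sid
        if self.mode == "push":
            for sce in self.sces:     # login sent directly to the SCE
                sce.set_subscriber(sid, ip, ctx.policy_id)

    def logout(self, sid, ip):
        if sid in self.db:
            self.db[sid].network_ids.discard(ip)
        self.by_ip.pop(ip, None)
        for sce in self.sces:
            sce.remove_mapping(ip)

    def lookup(self, ip):
        sid = self.by_ip.get(ip)
        return None if sid is None else (sid, self.db[sid].policy_id)


class RadiusLeg:
    """Translates RADIUS accounting messages into SM login / logout."""
    def __init__(self, sm):
        self.sm = sm

    def handle(self, msg):
        sid, ip = msg["User-Name"], msg["Framed-IP-Address"]
        if msg["Acct-Status-Type"] == "Start":
            pid = msg.get("Vendor-Specific", {}).get("SCE-VAS-PID")
            self.sm.login(sid, ip, pid)
        elif msg["Acct-Status-Type"] == "Stop":
            self.sm.logout(sid, ip)


# Constructed RADIUS accounting messages (attribute names as on the slide).
ACCT_START = {"Acct-Status-Type": "Start", "User-Name": "Joe",
              "Framed-IP-Address": "1.2.3.4", "Vendor-Specific": {"SCE-VAS-PID": 12}}
ACCT_STOP = {"Acct-Status-Type": "Stop", "User-Name": "Joe",
             "Framed-IP-Address": "1.2.3.4"}
RELOGIN_NO_VSA = {"Acct-Status-Type": "Start", "User-Name": "Joe",
                  "Framed-IP-Address": "1.2.3.5"}


def demo(mode):
    """Return (mapping known before traffic, classification, after logout, after re-login)."""
    sce = SCE()
    leg = RadiusLeg(SubscriberManager([sce], mode))
    leg.handle(ACCT_START)
    known_early = "1.2.3.4" in sce.mappings     # True only in push mode
    cls = sce.classify("1.2.3.4")              # traffic from Joe arrives
    leg.handle(ACCT_STOP)
    after_logout = sce.classify("1.2.3.4")
    leg.handle(RELOGIN_NO_VSA)                 # policy persists across logins
    return known_early, cls, after_logout, sce.classify("1.2.3.5")
```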
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C, Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning issues
NetFlow v9: allows integration for billing/quota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE - API - Subscriber Manager - API - Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
Diagram: GGSN, Access Aggregation and Service Control (SCE acting as PCEF), Converged Packet Core, Internet; Video/VoIP applications and services; Subscriber Service Control
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR Protocol integrated directly into 3rd-party systems
Policy control, mediation, home-grown customer systems
Diagram: the SCE streams RDRs over TCP to a Mediation/Collection Platform; each RDR consists of a Header followed by Field 0, Field 1, ..., Field n
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Diagram: SCMS Collection Manager with the SCMS Reporter; NetFlow Collector with the NetFlow Reporter
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
Per Package
Per Service
Per Direction (i.e. Upstream / Downstream)
Diagram: Subscriber side and Network side; upstream and downstream flows for Browsing, P2P and VoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
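ToS marking per package / service / direction and DSCP-based classification overriding a signature verdict, as an added example (not Cisco's code): the marking table, the flavor table, the service names and the constructed IPv4 header are assumptions.

```python
"""DSCP marking per package / service / direction, and DSCP-based (flavor)
classification taking precedence over signature results. Added example, not
Cisco's code: marking table, flavor table and header builder are assumptions."""
import struct

# Package -> (service, direction) -> DSCP. Values chosen for the example.
MARKING = {
    "gold":   {("voip", "up"): 46, ("voip", "down"): 46,
               ("browsing", "up"): 18, ("browsing", "down"): 18,
               ("p2p", "up"): 8, ("p2p", "down"): 8},
    "silver": {("voip", "up"): 34, ("voip", "down"): 34,
               ("browsing", "up"): 10, ("browsing", "down"): 10},  # p2p unmarked
}
# Flavor table: DSCP already set by another network element -> service.
DSCP_FLAVORS = {46: "voip", 34: "video", 8: "bulk"}


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum(int.from_bytes(hdr[i:i + 2].ljust(2, b"\0"), "big")
                for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_header(src, dst, tos=0, proto=17):
    """Constructed minimal 20-byte IPv4 header with a valid checksum."""
    def ip(s):
        return bytes(int(x) for x in s.split("."))
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64,
                              proto, 0, ip(src), ip(dst)))
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def get_dscp(hdr):
    return hdr[1] >> 2


def set_dscp(hdr, dscp):
    """Rewrite the 6 DSCP bits, keep the 2 ECN bits, recompute the header checksum."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    h = bytearray(hdr)
    h[1] = (dscp << 2) | (h[1] & 0x03)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def mark(hdr, package, service, direction):
    """ToS marking: rewrite only when the package marks this service/direction."""
    dscp = MARKING.get(package, {}).get((service, direction))
    return hdr if dscp is None else set_dscp(hdr, dscp)


def classify(hdr, signature_result):
    """ToS classification: a DSCP flavor match wins over the signature verdict."""
    return DSCP_FLAVORS.get(get_dscp(hdr), signature_result)
```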
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Cisco SCE Sample Customers (customer logos by segment: Mobile, DSL, Cable)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security & Content Filtering | Policy & Billing | URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash Caching / Video | Content Infringement | Management / Reporting | Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 42
Fair Usage: The Challenge
Bandwidth needs to be fairly distributed in real time, with equal access to network resources
Short-term windows of usage also need to be taken into account
In addition, monitoring and acting on longer-term violations of the subscription plan's acceptable usage policies to ensure a balanced community of subscribers
Diagram: two subscribers share network resources (and the network cannot fully satisfy both). If at 0:40 the MSO divides bandwidth equally between them, would that be fair? Clearly Sub A is not getting a fair share of the resources
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 43
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to
Apply equitable distribution of network resources
Improve the Quality of Experience that the network delivers
Minimize service abuse
FairUsage works only during congestion times
Diagram: no fairness (some of the subscribers not getting a fair share of the BW) vs. fair allocation of BW with the SCE's FairShare
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 44
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
Diagram: UTRAN, SGSN/GGSN, SCE, Policy Server, GPRS, Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 45
Tiered Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 46
Requirement: Flexible Billing Plans
Subscription: bill by bandwidth usage over an always-on service (Time, Volume)
Subscription: bill differently for each type of application and content (Time, Volume, Transaction, Content Type)
Subscription: bill differently for the same content based on quality, priority, time of day and usage pattern (Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 47
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-You-Go Subscription Service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session could either be terminated or the user could purchase more usage
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 48
Quota Measurement Enforcement Solution
SCE Capabilities
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographic data
No load added on the existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Subscribers, Service Control Engine, Network; Quota Manager, Billing/Mediation, Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting
SP's Content Delivery Store
P2P technology can also be supported in the upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
The quota measurement rate can change with the time of day
Peak Hour: 1 byte of transfer = 1 byte of quota
Middle of Night: 10 bytes of transfer = 1 byte of quota
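Quota counting with exempt services and the time-of-day measurement rate above, carried through to the quota-reached redirect options described later for the Telenet case, as an added example (not Cisco's Quota Manager): the service names, the night-time hours, the redirect options and the extension size are assumptions.

```python
"""Quota counting with exempt services, time-of-day measurement rate and
the quota-reached redirect options. Added example, not Cisco's Quota
Manager: service names, night-time hours and the options are assumptions."""

# Content with revenues other than access revenues is exempt from counting.
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}
NIGHT_HOURS = range(0, 6)    # assumed "middle of the night"

# Options offered on the redirect page once 100% of the quota is used.
QUOTA_REACHED_OPTIONS = ("extend-subscription", "pay-as-you-go-broadband",
                         "continue-free-narrowband")


def quota_rate(hour):
    """Bytes of transfer per byte of quota: 1:1 at peak, 10:1 at night."""
    return 10 if hour in NIGHT_HOURS else 1


class QuotaBucket:
    def __init__(self, allowance_bytes):
        self.allowance = allowance_bytes
        self.used = 0.0
        self.plan = "broadband"   # or "pay-as-you-go-broadband" / "narrowband"

    def charge(self, service, direction, nbytes, hour):
        """Count a transfer against the bucket and return the quota consumed.
        Both directions count (e.g. P2P upload identified via DPI)."""
        if service in EXEMPT_SERVICES or self.plan != "broadband":
            return 0.0            # exempt content, or no longer quota-metered
        consumed = nbytes / quota_rate(hour)
        self.used += consumed
        return consumed

    def remaining(self):
        return max(self.allowance - self.used, 0.0)

    def enforce(self):
        """Service level after the charge: normal service, or the redirect
        page with its three options once the allowance is used up."""
        if self.plan != "broadband" or self.used < self.allowance:
            return {"speed": self.plan, "redirect": None}
        return {"speed": "narrowband", "redirect": QUOTA_REACHED_OPTIONS}

    def choose(self, option):
        """Apply the subscriber's choice on the redirect page."""
        if option == "extend-subscription":
            self.allowance += self.allowance   # assumed: buy the same volume again
        elif option in ("pay-as-you-go-broadband", "continue-free-narrowband"):
            self.plan = option.replace("continue-free-", "")
        else:
            raise ValueError(option)
        return self.enforce()


def walkthrough():
    """Constructed month for one subscriber with a 1 GB allowance."""
    bucket = QuotaBucket(1_000_000_000)
    bucket.charge("sp-voip", "down", 200_000_000, 20)          # exempt: 0
    night = bucket.charge("p2p", "up", 500_000_000, 3)         # 50 MB of quota
    peak = bucket.charge("browsing", "down", 900_000_000, 14)  # 900 MB of quota
    before = bucket.enforce()                                  # 950 MB used: ok
    bucket.charge("video", "down", 100_000_000, 18)            # crosses 1 GB
    reached = bucket.enforce()
    chosen = bucket.choose("continue-free-narrowband")
    return (night, peak, before["redirect"], reached["speed"],
            reached["redirect"], chosen["speed"])
```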
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 50
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
Diagram: Subscriber Service Control, SCE (Access Aggregation and Service Control), GGSN, Converged Packet Core, Internet; Video/VoIP applications and services
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 51
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load balancing between Online Charging Servers
Diagram: SCE, Gy over Diameter, Online Charging Server, Internet
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 52
Quota Based Tiering: Telenet Cable Company in Belgium
httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches their quota, their Internet service is reduced to dial-up speed
The user then has the option to upgrade their quota level or continue at reduced speed till the end of the month
15% of the customers upgrade their quota every month
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 53
Diagram: subscriber portal screenshot with: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 54
Redirect Page
Redirect page in case 100% of the quota is reached; three options presented to the subscriber:
Extend subscription - buy more
Pay as you go on broadband
Continue for free on narrowband
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 55
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 56
T-Mobile: Quota-Based With Application Control

| | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass |
| Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | |
| VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ |
| IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ |
| P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| Media Stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| Web Browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 57
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 58
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven ("Turbo Button", self-care, parental control)
"Push": enhanced experience is application-driven (application awareness, control bus)
Diagram: IPTV/VoD, Broadband Access, Gaming, Messaging, Music, Voice
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription Service: Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized Reporting: Self Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Diagram: redirect page reading "Content Blocked - Click here to unlock all Internet sites", Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
Diagram: On-device URL filtering with external database integration: on a cache miss ("URL not in cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is updated

| Subscriber-Package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2 |
| Block-none | ALLOW | ALLOW | ALLOW |
| Block-all | ALLOW | BLOCK | BLOCK |
| Block-and-slow | ALLOW | BLOCK | RATE 64kbps |
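The cache-then-external-database lookup and the per-package action table above, as an added example (not Cisco's or any vendor's code): the database interface, the cache TTL and the list contents are assumptions.

```python
"""URL filtering with an external classification database, an on-device
cache and the per-package action table from the slide. Added example, not
Cisco's or a database vendor's code: the database interface, cache TTL
and list contents are assumptions."""
import time
from urllib.parse import urlsplit

# Package -> list ID -> action, as in the table above (rate in kbps).
ACTIONS = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: ("RATE", 64)},
}


class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database; answers by host name."""
    def __init__(self, table):
        self.table = table      # host -> list ID
        self.queries = 0        # transactions the on-board cache should save

    def classify(self, host):
        self.queries += 1
        return self.table.get(host, "DEFAULT")


class UrlFilter:
    def __init__(self, db, cache_ttl=300, clock=time.monotonic):
        self.db, self.ttl, self.clock = db, cache_ttl, clock
        self.cache = {}         # host -> (list ID, expiry time)

    @staticmethod
    def host_of(url):
        """Normalised host: urlsplit lowercases it and drops any port."""
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host:
            raise ValueError(f"no host in {url!r}")
        return host

    def classify(self, url):
        """List ID for the URL's host; a fresh cache entry avoids the query."""
        host = self.host_of(url)
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        list_id = self.db.classify(host)       # URL Query RDR on a cache miss
        self.cache[host] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package, url):
        """Action for this subscriber package and URL."""
        return ACTIONS[package][self.classify(url)]


if __name__ == "__main__":
    # Constructed list contents: reserved example names, not real sites.
    db = ExternalUrlDb({"gambling.example": 1, "videosite.example": 2})
    f = UrlFilter(db)
    for pkg in ACTIONS:
        print(pkg, f.decide(pkg, "http://videosite.example/clip"), db.queries)
```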
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content Filtering: Example
Content Filtering
Diagram: block page reading "Page Blocked: Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
SPs participating in the advertising value chain
Leveraging their intimacy with their customer base to enable enhanced targeting
Diagram: ISP (demographics, browsing habits, geo-location) feeding BetterAds between Advertiser, Publisher and Consumer
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDRs
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
P2P Identification: Infringing / Non-Infringing
Diagram: Subscriber, SCE, Network, HASH DB
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes OTT traffic and redirects it to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE classifies traffic as OTT, Other OTT/P2P and VoIP; SCE redirects OTT traffic to the OTT Video Cache, which delivers the requested files; demand for OTT increases]
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: Threat detection using stateful traffic processing; alert SP operations
Protect: Block/mitigate the threat based on configured policy
Notify: Quarantine the subscriber and notify them of the security risk
[Diagram: Subscribers - Service Control - Internet / Email Servers; sample notification below]
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
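The three tiers above, as an added example that is not from the original deck or from Cisco: anomaly detection over constructed per-subscriber flow records, mapped through an assumed policy table to protect and notify actions. The record layout, thresholds and action names are assumptions.

```python
"""Three-tier service-security check (Identify / Protect / Notify) over
constructed per-subscriber flow records. Added example, not Cisco code;
the record layout, thresholds and action names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    subscriber: str   # subscriber-context ID (as mapped by the SM)
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    packets: int


# Assumed thresholds per analysis interval (constructed values).
SPAM_DISTINCT_SMTP = 20     # distinct 25/tcp destinations -> spam zombie
WORM_DISTINCT_SMB = 50      # distinct 445/tcp destinations -> worm propagation
DOS_PACKETS_ONE_DST = 5000  # packets to a single destination -> flooding

# Assumed policy: threat -> (protect action, notify action).
POLICY = {
    "spam": ("block-port-25", "quarantine+notify"),
    "worm": ("block-port-445", "quarantine+notify"),
    "dos": ("rate-limit", "alert-soc"),
}


def identify(flows):
    """Anomaly detection: aggregate per subscriber and flag threshold
    breaches. Returns {subscriber: set(threat_names)} for flagged ones."""
    smtp_dsts = defaultdict(set)
    smb_dsts = defaultdict(set)
    pkts_per_dst = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dst_port == 25:
            smtp_dsts[f.subscriber].add(f.dst_ip)
        elif f.proto == "tcp" and f.dst_port == 445:
            smb_dsts[f.subscriber].add(f.dst_ip)
        pkts_per_dst[(f.subscriber, f.dst_ip)] += f.packets
    threats = defaultdict(set)
    for sub, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_DISTINCT_SMTP:
            threats[sub].add("spam")
    for sub, dsts in smb_dsts.items():
        if len(dsts) >= WORM_DISTINCT_SMB:
            threats[sub].add("worm")
    for (sub, _dst), n in pkts_per_dst.items():
        if n >= DOS_PACKETS_ONE_DST:
            threats[sub].add("dos")
    return dict(threats)


def respond(threats):
    """Protect + Notify: map each detected threat to its configured actions.
    Returns a sorted list of (subscriber, threat, protect, notify)."""
    actions = []
    for sub, names in threats.items():
        for threat in sorted(names):
            protect, notify = POLICY[threat]
            actions.append((sub, threat, protect, notify))
    return sorted(actions)


def run(flows):
    return respond(identify(flows))


# Constructed sample interval: joe's PC sprays SMTP at 25 mail servers,
# ann's PC probes 60 hosts on 445, bob just browses.
SAMPLE_FLOWS = (
    [Flow("joe", f"203.0.113.{i}", 25, "tcp", 3) for i in range(1, 26)]
    + [Flow("ann", f"198.51.100.{i}", 445, "tcp", 2) for i in range(1, 61)]
    + [Flow("bob", "192.0.2.10", 443, "tcp", 120),
       Flow("bob", "192.0.2.11", 80, "tcp", 40)]
)

if __name__ == "__main__":
    for sub, threat, protect, notify in run(SAMPLE_FLOWS):
        print(f"{sub}: {threat} -> {protect}, {notify}")
```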
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - Carrier Ethernet/MPLS/IP - SCE - Internet, with a VAS Server attached to the SCE; inbound and outbound traffic, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice-versa
[Diagram: Analysis Engine with PDR (Police / Drop / Rewrite) actions between the subscriber and network interfaces]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using Optical Splitters / Port-Span
Traffic monitoring only
Inline configuration
Engine installed in the data-path
Monitor and control traffic
[Diagram: optical splitters between Subscribers and Network feeding the receive-only SCE; the inline SCE sits directly on the link]
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs cascaded, each on an Active Link]
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active/Standby SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
[Diagram: Active Link and Standby Link for each scheme]
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
[Diagram: SCE8000 with Optical Bypass modules on each link pair; default bypass state (no power) vs. non-default bypass state]
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed), scaling up to 240Gbps with 8 x 30Gbps SCE8000s
High Availability - provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow & subscriber state
[Diagram: N+1 SCEs attached to a 7600 between the access network and the Internet; flows out to the SCEs, return flows back to the data path]
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: DSL/Fiber access via BRAS/LAC/LNS and Mobile access via GGSN, with SCEs deployed as N+1 clusters, 1+1 HA pairs and bypass HA, connected to the Internet and to Accounting/Policy Control]
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Packet Inspection
[Diagram: packet stacks showing Payload / TCP / IP inside l2tp, mpls and ppp encapsulations, all inspected by the SCE]
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
[Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager integrated with AAA, DHCP and Radius/Billing; Collection Manager feeding the Reporting Tool; Engage Console, Service Portal and Policy Server/Portal]
Management and Integrations
Network Management
Description: FCAPS
Protocols and Tools: SNMP, CLI, SSH
External Software Modules: N/A
Policy/Service Configuration
Description: Definition of Policies and Dissemination to SE Devices
Protocols and Tools: SCA-API, GUI, Scripts, XML
External Software Modules: Service Control Application Suite GUI
Subscriber Management
Description: Dynamic Management of Subscriber Contexts
Protocols and Tools: SM API, RADIUS
External Software Modules: Subscriber Manager
Data Collection
Description: Collection of Usage Data for Reporting and Billing
Protocols and Tools: NetFlow v9, RDR-Protocol
External Software Modules: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, Bi-Directional Patterns, Binary Characters, String-Match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a Top Subscriber to activate a Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "Subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of the subscriber-context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager Radius Integration - Push
[Diagram: B-RAS sends RADIUS to the Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller), which pushes the mapping to the SCE in the network]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager Radius Integration - Pull
[Diagram: B-RAS sends RADIUS to the Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller); the SCE queries the SM when traffic from an unmapped IP arrives]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Radius Integration: LEG translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login (to the SM): Subscriber ID, Domain, Mappings, Lease time, Policy
Logout (to the SM): Subscriber ID, Mappings
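The push/pull flows and the LEG translation above, as an added example that is not from the deck or from Cisco: a RADIUS Accounting-Request parser (standard RFC 2865/2866 attribute layout) feeding a minimal Subscriber Manager that installs the mapping on Acct Start, removes it on Acct Stop, and answers the SCE's "who is using IP" pull query. The vendor-id and sub-type used to carry the SCE-VAS-PID value are placeholders, and the authenticator is left zeroed.

```python
"""RADIUS accounting -> subscriber-context mapping, as in the RADIUS LEG /
Subscriber Manager path on the slides. Added example, not Cisco code.
Real: RADIUS header and attribute layout (RFC 2865/2866). Assumed: the
vendor-id/sub-type carrying the package ID (constructed placeholders)."""
import ipaddress
import struct

ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA = 1, 8, 26
ATTR_NAS_ID, ATTR_ACCT_STATUS = 32, 40
STATUS_START, STATUS_STOP = 1, 2
VSA_VENDOR = 9        # placeholder vendor-id for the relay's VSA (assumption)
VSA_PACKAGE_ID = 1    # placeholder sub-type for the SCE-VAS-PID value (assumption)


def encode_packet(pkt_id, attrs):
    """Build an Accounting-Request; attrs is a list of (type, value_bytes).
    The 16-byte authenticator is zeroed here; a real LEG must verify it
    (shared secret) before trusting the mapping it installs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCT_REQUEST, pkt_id, 20 + len(body)) + bytes(16) + body


def vsa(vendor, sub_type, value):
    """Vendor-Specific attribute value: vendor-id, then one sub-attribute."""
    return struct.pack("!I", vendor) + struct.pack("!BB", sub_type, len(value) + 2) + value


def parse_packet(data):
    """Return (code, attrs); plain attributes keyed by type, VSAs by (vendor, sub_type)."""
    code, _pid, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + l]
        if t == ATTR_VSA:
            vendor = struct.unpack("!I", value[:4])[0]
            sub_t, sub_l = value[4], value[5]
            attrs[(vendor, sub_t)] = value[6:4 + sub_l]
        else:
            attrs[t] = value
        pos += l
    return code, attrs


class SubscriberManager:
    """Holds Network-ID (IP) -> (Subscriber-ID, Policy-ID) mappings."""

    def __init__(self):
        self.by_ip = {}

    def handle_accounting(self, data):
        """LEG translation: Acct Start -> login (push), Acct Stop -> logout."""
        code, a = parse_packet(data)
        if code != ACCT_REQUEST:
            return None
        ip = str(ipaddress.IPv4Address(a[ATTR_FRAMED_IP]))
        status = struct.unpack("!I", a[ATTR_ACCT_STATUS])[0]
        if status == STATUS_START:
            name = a[ATTR_USER_NAME].decode()
            pid = int(a[(VSA_VENDOR, VSA_PACKAGE_ID)].decode())
            self.by_ip[ip] = (name, pid)
            return ("set_subscriber", name, ip, pid)
        if status == STATUS_STOP:
            # Remove on logout: a stale mapping would bill and police the
            # next holder of this IP under the previous subscriber's context.
            return ("logout", ip, self.by_ip.pop(ip, None))
        return None

    def who_is_using(self, ip):
        """Pull mode: the SCE asks the SM for the context behind a source IP."""
        return self.by_ip.get(ip)


def joe_start():
    """Constructed Acct Start as relayed to the SM: Joe, 1.2.3.4, package 12."""
    return encode_packet(7, [
        (ATTR_USER_NAME, b"Joe"),
        (ATTR_NAS_ID, b"bras-1"),
        (ATTR_FRAMED_IP, ipaddress.IPv4Address("1.2.3.4").packed),
        (ATTR_ACCT_STATUS, struct.pack("!I", STATUS_START)),
        (ATTR_VSA, vsa(VSA_VENDOR, VSA_PACKAGE_ID, b"12")),
    ])


def joe_stop():
    """Constructed Acct Stop for the same session."""
    return encode_packet(8, [
        (ATTR_USER_NAME, b"Joe"),
        (ATTR_FRAMED_IP, ipaddress.IPv4Address("1.2.3.4").packed),
        (ATTR_ACCT_STATUS, struct.pack("!I", STATUS_STOP)),
    ])


if __name__ == "__main__":
    sm = SubscriberManager()
    print(sm.handle_accounting(joe_start()))
    print(sm.who_is_using("1.2.3.4"))
    print(sm.handle_accounting(joe_stop()))
```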
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE - API - Subscriber Manager - API - Policy Server]
PCEF - Subscriber Policy Enforcement
[Diagram: Subscriber Service Control: GGSN with the SCE as PCEF in the Access Aggregation and Service Control layer, Converged Packet Core, Internet, and Video/VoIP Applications and Services]
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage Data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, home-grown customer systems
[Diagram: SCE streams RDRs over TCP to a Mediation/Collection Platform; each RDR = Header, Field 0, Field 1 ... Field n]
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (aka Upstream / Downstream)
[Diagram: Subscriber Side - SCE - Network Side; upstream and downstream flows for Browsing, P2P and VoIP marked separately]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
[Customer logos grouped by access type: Mobile, DSL, Cable]
[Table continued: partners and operators per solution area]
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile; operators NTT, Cable & Wireless, Tiscali
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; operators Vodacom, Cable & Wireless, Watanya, NTT
URL Black-listing: partners Websense, in-platform cache; operators ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, CampW
Advertising: partners Phorm, Feeva, Adzilla, local China and local Italy partners; operators UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video: partners Oversi, CDS; operators Various European and Asian Operators
Content Infringement: partners Audible Magic, Advestigo, Altnet; European Legislators, Content providers, initial POCs
Management / Reporting: partners Proxy, Business Objectives, Comability, Aqsacom, Info Vista; operators Telecom Italia, CYTA
Data Warehousing: partners Business Objects, Oracle; operators Orange, T-Mobile, Telenet
Fair Usage: SCE - Intelligent Traffic Management
FairUsage is a traffic management scheme implemented with Cisco's SCE DPI gear
Enabling SPs to:
- Apply equitable distribution of network resources
- Improve the Quality of Experience that the network delivers
- Minimize service-abuse
FairUsage works only during congestion times
[Charts: "No Fairness" - some of the subscribers are not getting a fair share of the BW; "Fair allocation of BW with the SCE's FairShare"]
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the boom in mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging, e.g. email only
Ability to provide SLA support or managed services for large enterprise users
[Diagram: UTRAN - SGSN/GGSN - SCE - Internet (GPRS), with a Policy Server attached to the SCE]
Tiered Services
Requirement: Flexible Billing Plans
Time, Volume: Bill by bandwidth usage over an always-on service
Time, Volume, Transaction, Content Type: Bill differently for each type of application and content
Time, Volume, Transaction, Content Type, Usage Pattern, Quality of Service: Bill differently for the same content based on quality, priority, time of day and usage pattern
[Diagram: the three models shown as increasingly detailed subscription tiers]
Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance Based Subscription: This feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-You-Go Subscription Service: This option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers, they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours, the session could either be terminated or the user could purchase more usage.
Quota Measurement / Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine, collection server and easy to use reporting tools
[Diagram: Subscribers - Service Control Engine - Network; SCE integrated with Quota Manager, Billing/Mediation and Policy Server]
Quota Measurement Flexibility
Content that has revenues other than Access Revenues can be exempted from Quota counting:
SP's Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SP's Gaming Services
SP's VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change with the time of day:
Peak Hour: 1 byte of transfer = 1 byte of quota
Middle of Night: 10 bytes of transfer = 1 byte of quota
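The exemption list and the time-of-day rate above, as an added example that is not from the deck or from Cisco: a quota bucket that skips exempt services and charges at the slide's peak and night rates. The service names, the night window and the bucket size are assumptions.

```python
"""Quota accounting with exempt services and a time-of-day measurement rate,
as on the 'Quota Measurement Flexibility' slide. Added example, not Cisco
code; service names, the night window and bucket sizes are constructed."""
from dataclasses import dataclass

# Services whose bytes do not count against the access quota (assumed names).
QUOTA_EXEMPT = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_rate(hour):
    """Bytes transferred per byte of quota charged. Peak hours: 1 byte of
    transfer = 1 byte of quota; middle of the night: 10 bytes = 1 byte of
    quota (slide values; the 00:00-06:00 night window is an assumption)."""
    return 10 if 0 <= hour < 6 else 1


@dataclass
class QuotaBucket:
    limit: int      # quota bytes granted for the period
    used: int = 0   # quota bytes consumed (not raw bytes)

    def charge(self, service, raw_bytes, hour):
        """Debit one usage record. Returns the quota bytes charged (0 if exempt)."""
        if service in QUOTA_EXEMPT:
            return 0
        rate = quota_rate(hour)
        charged = (raw_bytes + rate - 1) // rate   # round up so small flows are never free
        self.used += charged
        return charged

    def remaining(self):
        return max(self.limit - self.used, 0)

    def breached(self):
        """True once usage reaches the limit (redirect-to-portal trigger)."""
        return self.used >= self.limit


def apply_usage(bucket, records):
    """records: iterable of (hour, service, raw_bytes). Returns per-record charges."""
    return [bucket.charge(service, n, hour) for hour, service, n in records]


# Constructed usage: daytime browsing, night-time P2P, exempt SP VoIP, evening video.
SAMPLE = [
    (9, "browsing", 500_000),
    (2, "p2p", 5_000_000),
    (21, "sp-voip", 800_000),
    (20, "video", 600_000),
]

if __name__ == "__main__":
    bucket = QuotaBucket(limit=1_000_000)
    print(apply_usage(bucket, SAMPLE), bucket.remaining(), bucket.breached())
```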
Application-Based Charging
Granular Charging for advanced services based on volume, length of usage and application events
Standard Gy interface to Online Charging Server
[Diagram: Subscriber Service Control: GGSN and SCE in the Access Aggregation and Service Control layer, Converged Packet Core, Internet, Video/VoIP Applications and Services]
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types:
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
[Diagram: SCE - Gy over Diameter - Online Charging Server; SCE - Internet]
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
Quota complements Speed as a Tiering parameter
When a User reaches the Quota, his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15% of the Customers upgrade their Quota every month
[Screenshot: Telenet customer portal with options to view previous months, see the current product and speed, extend the monthly subscription volume, upgrade to another product, and a button to go from pay-as-you-go broadband to free smallband or the other way around]
Redirect Page
Re-direct page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% REDUCTION in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control
| | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass |
| Allowance | Unlimited | 2GB | 2GB | 1GB | 3GB | 10GB | |
| VoIP | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗ |
| IM | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗ |
| P2P | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| FTP | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| Media Stream | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
| Web Browsing | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Downloads | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Emails | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗ |
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
[Chart callout: > 40]
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven ("Turbo Button", Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (Application Awareness)
[Diagram: Broadband Access with IPTV/VoD, Gaming, Messaging, Music and Voice connected over a Control Bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA / policy-server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Example Content Tiering - "Kids Broadband"
Application and Content based access control with white-lists / blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Diagram: Internet access via the SCE; blocked page reads "Content Blocked - Click here to unlock all Internet sites"]
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-Device URL Filtering with External Database Integration
[Diagram: on a cache miss ("URL Not in Cache") the SCE sends a URL Query RDR to the 3rd Party URL Database, which returns the URL classification; the SCE updates its cache with the result]
Subscriber-Package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64kbps
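The cache-then-external-DB lookup and the package policy matrix above, as an added example that is not from the deck or from Cisco: a URL classifier with an expiring on-box cache in front of a stand-in external database, mapping the returned list ID to the per-package action. The DB contents, the cache TTL and the lookup transport are constructed.

```python
"""On-device URL filtering with an on-box cache in front of an external URL
database, plus the per-package policy matrix from the slide. Added example,
not Cisco code; DB contents, cache TTL and the lookup transport are constructed."""
import time
from urllib.parse import urlsplit

# Policy matrix from the slide: package -> action per list ID ("DEFAULT" = unlisted).
POLICY = {
    "block-none": {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "block-all": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the 3rd-party URL database: host -> list ID.
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2}


class UrlClassifier:
    """Answers 'which list is this URL on?' from the cache when possible, else
    by querying the external DB (the slide's URL Query RDR) and caching the result."""

    def __init__(self, db_lookup, ttl=300.0, clock=time.monotonic):
        self.db_lookup = db_lookup   # callable host -> list ID or None
        self.ttl = ttl               # seconds a cached verdict stays valid
        self.clock = clock
        self.cache = {}              # host -> (list_id, expiry)
        self.db_queries = 0          # off-box transactions actually sent

    def classify(self, url):
        # Normalise the host so cache keys and DB keys agree (case, trailing dot).
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.db_queries += 1
        list_id = self.db_lookup(host)
        # Negative results are cached too, so unlisted hosts do not hammer the DB.
        self.cache[host] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package, url):
        """Map the list ID to the action for the subscriber's package."""
        table = POLICY[package]
        list_id = self.classify(url)
        return table[list_id] if list_id in table else table["DEFAULT"]


def demo():
    """Constructed run with a manual clock so cache expiry is deterministic."""
    now = [0.0]
    clf = UrlClassifier(EXTERNAL_DB.get, ttl=60.0, clock=lambda: now[0])
    verdicts = [
        clf.decide("block-all", "http://ADULT.example/path"),       # BLOCK
        clf.decide("block-and-slow", "http://gambling.example/"),   # RATE 64kbps
        clf.decide("block-none", "http://gambling.example/"),       # ALLOW (cache hit)
        clf.decide("block-all", "http://news.example/"),            # ALLOW (unlisted)
    ]
    queries_before_expiry = clf.db_queries
    now[0] = 61.0                                                   # cache expired
    verdicts.append(clf.decide("block-all", "http://adult.example/"))  # re-queried
    return verdicts, queries_before_expiry, clf.db_queries


if __name__ == "__main__":
    print(demo())
```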
Parental Control and Content Filtering: Example
Content Filtering
[Screenshot: "Page Blocked - Forbidden Content Detected"]
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs participating in the advertising value chain
Leveraging their intimacy with their customer base for enabling enhanced targeting
[Diagram: the ISP between Advertiser, Publisher and Consumer, contributing Demographics, Browsing habits and Geo-location]
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertising

Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi

[Diagram: Behavioral Targeting through Traffic Mirroring]
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
   - Alice: automotive, stock trading, PDAs
   - Bob: cookware, online gaming, baby outfit...
Infringing / Non-Infringing P2P Identification

[Diagram: Subscriber - SCE - Network - HASH DB]
1. Subscriber initiates P2P file request
2. SCE extracts file hash and consults DB
3. DB responds with file classification: infringing / legal
4. SCE acts based on file classification:
   - Lets request pass for legal file
   - Block, redirect, rate-limit for infringing file

- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service

- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE

Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience - OTT content is delivered from within the network, as close as possible to the user

[Diagram: SCE redirects OTT traffic (OTT, other OTT/P2P, VoIP) to the OTT Video Cache; the cache delivers the requested files; increase in demand for OTT]
Service Security Challenges

Key challenges:
- Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)

Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs

Ability to identify and mitigate attacks emanating from its own users
Service Security Protection

Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts

Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify of the security risk

[Diagram: subscribers - Service Control - Internet / email servers; sample notification sent to the subscriber:]
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
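The identify / protect / notify tiers above as a small per-subscriber anomaly detector, added here as an example and not Cisco SCE code; the detection window, the thresholds, the flow-record fields and the action table are assumptions chosen for illustration, not SCE defaults.

```python
# Added example (not Cisco SCE code): the identify / protect / notify tiers
# from the slide as a small anomaly detector over constructed per-subscriber
# flow records. The window size, thresholds and policy table are assumptions.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

WINDOW = 60                  # seconds per detection window (assumption)
SPAM_SMTP_SERVERS = 20       # distinct SMTP servers contacted in one window
WORM_SCAN_HOSTS = 50         # distinct hosts probed on one port, half-open
DOS_SYNS_ONE_HOST = 200      # half-open SYNs to a single destination

# Configured policy for the Protect tier (assumed values).
POLICY: Dict[str, str] = {"spam": "block-smtp", "worm": "quarantine", "dos": "block"}


@dataclass(frozen=True)
class Flow:
    ts: int            # seconds
    sub_ip: str        # subscriber-side (source) address
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    half_open: bool    # TCP SYN that never completed the handshake


def identify(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Identify tier: per-subscriber threat types seen in any one window."""
    windows: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        windows[(f.sub_ip, f.ts // WINDOW)].append(f)
    found: Dict[str, Set[str]] = defaultdict(set)
    for (sub, _), fl in windows.items():
        smtp_servers = {f.dst_ip for f in fl if f.proto == "tcp" and f.dst_port == 25}
        if len(smtp_servers) >= SPAM_SMTP_SERVERS:
            found[sub].add("spam")               # likely spam zombie
        hosts_per_port: Dict[int, Set[str]] = defaultdict(set)
        syns_per_host: Dict[str, int] = defaultdict(int)
        for f in fl:
            if f.proto == "tcp" and f.half_open:
                hosts_per_port[f.dst_port].add(f.dst_ip)
                syns_per_host[f.dst_ip] += 1
        if any(len(h) >= WORM_SCAN_HOSTS for h in hosts_per_port.values()):
            found[sub].add("worm")               # propagation scan on one port
        if any(n >= DOS_SYNS_ONE_HOST for n in syns_per_host.values()):
            found[sub].add("dos")                # SYN flood at one target
    return dict(found)


def respond(found: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Protect tier: (subscriber, threat, configured action) in a stable order."""
    return [(sub, t, POLICY[t]) for sub in sorted(found) for t in sorted(found[sub])]


def notice(sub_ip: str, threat: str) -> str:
    """Notify tier: text for the quarantined subscriber (wording assumed)."""
    return (f"Subscriber {sub_ip}: your PC may be generating {threat} traffic; "
            f"access is limited to the support portal until it is cleaned.")


def sample_flows() -> List[Flow]:
    """Constructed traffic: one clean subscriber and three misbehaving ones."""
    fl = [Flow(i, "10.0.0.2", f"198.51.100.{i}", 443, "tcp", False) for i in range(5)]
    fl += [Flow(10, "10.0.0.5", f"203.0.113.{i}", 25, "tcp", False) for i in range(25)]
    fl += [Flow(20, "10.0.0.9", f"192.0.2.{i}", 445, "tcp", True) for i in range(60)]
    fl += [Flow(30, "10.0.0.7", "203.0.113.250", 80, "tcp", True) for _ in range(250)]
    return fl


if __name__ == "__main__":
    for sub, threat, action in respond(identify(sample_flows())):
        print(sub, threat, action, "|", notice(sub, threat))
```

Counting is per window, so the same activity spread across two windows stays below threshold; a production detector would also track counts across window boundaries.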
Service Security Protection: Value to the Service Provider

- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity of security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users

[Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with the VAS server attached to the SCE; inbound traffic, outbound traffic, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point

- Typical insertion point - Broadband Edge/Aggregation
  - Directly after the subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
  - Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations

Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"

- Stateful Analysis Engine with application awareness sees all packets in both directions
- The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa

[Diagram: Analysis Engine in the data path with PDR (Police / Drop / Rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy

Receive-only configuration:
- Using optical splitters / port-span
- Traffic monitoring only

Inline configuration:
- Engine installed in the data path
- Monitor and control traffic

[Diagram: Subscribers - (optical splitter) - SCE - (optical splitter) - Network]
High Availability: Cascading Configurations

- Addressing split-flows between the two links
- Providing 1+1 active-standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration

[Diagram: Master and Slave SCEs cascaded, one on each active link]
Redundant Configurations: Active/Standby Schemes

1+0:
- Active/standby SCE on the active link
- On failure, the network uses the alternate path
- No service redundancy
- Bypass configuration: fail-open

1+1:
- Active/standby SCE on each link
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass configuration: fail-open

[Diagram: active link and standby links through the SCEs]
Optical Bypass

- The SCE can be inserted through optical bypass modules
- For the SCE8000, the Optical Bypass Modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot

[Diagram: SCE8000 with an optical bypass module on each link; default bypass state (no power) vs. non-default bypass state]
MGSCP Cluster Insertion - N+1 SCEs

- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240Gbps with 8 x 30Gbps SCE8000s
- High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber states

[Diagram: N+1 SCEs attached to a 7600; flows dispatched to the SCEs and returned to the Internet path]
Network Architectures: SCE's Open & Extensible Architecture

[Diagram: DSL/Fiber access (BRAS/LAC/LNS) and Mobile access (GGSN) feeding SCEs in 1+1 HA, bypass HA and N+1 configurations, with accounting/policy control, toward the Internet]
Tunneling Environment: SCE Supports Tunneled IP Traffic

Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009

[Diagram: packet inspection through the encapsulation stack, e.g. l2tp/mpls | IP | TCP | payload and ppp | IP | TCP | payload]
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer

[Diagram: Subscribers - Service Control Engine - Network, with the Subscriber Manager (AAA, DHCP, Radius/Billing), the Collection Manager (Reporting Tool, Engage Console) and the Policy Server/Portal (Service Portal)]

- Modular solution includes SCE devices, management tools and integration APIs
Management and Integrations

Area                         | Description                                            | Protocols and Tools        | External Software Modules
Network Management           | FCAPS                                                  | SNMP, CLI, SSH             | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing     | NetFlow v9, RDR-Protocol   | Collection Manager
Network Management (FCAPS)

SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down

CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components

- Group devices into sites (SCE, CM, SM database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor

- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter

- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber
- Real-time report
Service Security Dashboard

- Integrated console to manage service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management

- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber-context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber-Quotas: set/add/read usage quota buckets
- Integration into back-office/AAA:
  - RADIUS AAA
  - DHCP servers
  - Policy control systems
Subscriber Manager - Roles

- Abstracts the SCE device network layout - single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages sent directly to the relevant SCE device
  - Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: Radius Integration - Push

[Diagram: the B-RAS in the network sends RADIUS accounting to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller), which pushes the mapping to the SCE serving the subscribers]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: Radius Integration - Pull

[Diagram: same components as the push case; the SCE queries the SM when it sees traffic from an IP it has no mapping for]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
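The push and pull sequences above, as an added example that is not Cisco's Subscriber Manager or SM-API code; the accounting-record dict shape, the default policy ID used when SCE-VAS-PID is absent, and the rule for ignoring a late Accounting-Stop from a previous holder of the address are assumptions.

```python
# Added example (not Cisco's Subscriber Manager or SM-API code): a minimal
# subscriber manager that turns relayed RADIUS accounting records into SCE
# mappings in push and pull mode, following the two diagrams above. The
# attribute dict shape, DEFAULT_POLICY_ID and the stale-Stop rule are assumptions.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_POLICY_ID = 0  # assumption: package used when SCE-VAS-PID is absent


@dataclass(frozen=True)
class SubscriberContext:
    subscriber_id: str  # User-Name
    network_id: str     # Framed-IP-Address
    policy_id: int      # SCE-VAS-PID (package ID)


@dataclass
class Sce:
    """Stand-in for one SCE device and its IP -> subscriber table."""
    name: str
    sm: Optional[SubscriberManager] = None  # set only in pull mode
    table: Dict[str, SubscriberContext] = field(default_factory=dict)

    def set_subscriber(self, ctx: SubscriberContext) -> None:
        """SM-API 'Set Subscriber (id, ip, pid)'."""
        self.table[ctx.network_id] = ctx

    def remove_subscriber(self, ip: str) -> None:
        self.table.pop(ip, None)

    def lookup(self, ip: str) -> Optional[SubscriberContext]:
        """Map traffic to a context; in pull mode ask the SM 'who is using IP'."""
        ctx = self.table.get(ip)
        if ctx is None and self.sm is not None:
            ctx = self.sm.who_is_using(ip)
            if ctx is not None:
                self.set_subscriber(ctx)  # step 4 of the pull diagram
        return ctx


@dataclass
class SubscriberManager:
    push: bool = True
    sces: List[Sce] = field(default_factory=list)
    sdb: Dict[str, SubscriberContext] = field(default_factory=dict)  # internal SDB by IP

    def on_accounting(self, attrs: Dict[str, str]) -> str:
        """Handle one relayed Accounting-Request; returns what was done."""
        status, user = attrs.get("Acct-Status-Type"), attrs.get("User-Name", "")
        if status not in ("Start", "Stop") or not user:
            raise ValueError("need Acct-Status-Type Start/Stop and User-Name")
        ip = str(ipaddress.ip_address(attrs.get("Framed-IP-Address", "")))  # rejects malformed
        if status == "Stop":
            current = self.sdb.get(ip)
            # A late Stop from a previous user must not log out whoever holds
            # the address now (IP reuse after a short lease).
            if current is None or current.subscriber_id != user:
                return "ignored-stale-stop"
            del self.sdb[ip]
            for sce in self.sces:
                sce.remove_subscriber(ip)
            return "logout"
        ctx = SubscriberContext(user, ip, int(attrs.get("SCE-VAS-PID", DEFAULT_POLICY_ID)))
        self.sdb[ip] = ctx  # replaces any stale mapping for this IP
        if self.push:       # step 3 of the push diagram
            for sce in self.sces:
                sce.set_subscriber(ctx)
        return "login"

    def who_is_using(self, ip: str) -> Optional[SubscriberContext]:
        return self.sdb.get(ip)


# Constructed accounting record (the relay has already added SCE-VAS-PID).
ACCT_START_JOE = {"Acct-Status-Type": "Start", "User-Name": "Joe",
                  "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"}


def demo_pull() -> Optional[SubscriberContext]:
    """Pull mode: nothing is pushed; the first packet from 1.2.3.4 triggers the query."""
    sm = SubscriberManager(push=False)
    sce = Sce("sce-2", sm=sm)
    sm.sces.append(sce)
    sm.on_accounting(ACCT_START_JOE)
    assert "1.2.3.4" not in sce.table
    return sce.lookup("1.2.3.4")
```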
Radius Integration: LEGs translation in Brief

RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific

DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)

[Diagram: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate these into SM Login events (Subscriber ID, Domain, Mappings, Lease time, Policy) and Logout events (Subscriber ID, Mappings)]
Policy Server Integration: API Overview

- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API - allows direct subscriber management with the SCE (provided in Java)
  - SM API - allows dynamic subscriber management (provided in C, Java)
  - SCE MIB - allows integration for maintenance operation
  - RDRs - allow integration for billing/quota provisioning issues
  - NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example

- SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID

[Diagram: Policy Server -(API)- Subscriber Manager -(API)- SCE]
PCEF - Subscriber Policy Enforcement

[Diagram: subscriber service control: GGSN (access aggregation and service control) - PCEF SCE - converged packet core - Internet / video, VoIP, applications and services; steps 1-5]

- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs

- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Collection Manager

- Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
  - NetFlow v9 records are sent to an external NetFlow collector
  - RDRs are sent to the "Collection Manager" for processing
- Cisco bundled Collection Manager
- Third-party database
- Configurable data granularity:
  - Interval between RDRs
  - Sample rates
Collection Manager: RDR Protocol

- Usage data streamed from the device using the RDR Protocol
  - TCP, binary encoded
  - Support for multiple destinations, failover, subscriptions
- RDR-Protocol integrated directly into 3rd-party systems
  - Policy-control, mediation, home-grown customer systems

[Diagram: the SCE streams RDRs (Header | Field 0 | Field 1 | ... | Field n) over TCP to the mediation/collection platform]
Collection Manager: NetFlow v9 Export

- NetFlow export v9 to support L7 report records
  - Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  - SCE supports the new extensions
- Records equivalent to existing RDR groups:
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0

[Diagram: the SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]
Collection Manager: Software Overview

CM-Software:
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)

CM-Bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking

- ToS marking decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  - Per package
  - Per service
  - Per direction (aka upstream / downstream)

[Diagram: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP]
ToS Classification

- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers

[Logo collage: Mobile, DSL and Cable customers]
Security & Content Filtering / Policy & Billing / URL Black-listing

- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, in-platform cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W

Advertising

- Phorm, Feeva, Adzilla, local China, local Italy
- UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video, Content Infringement, Management / Reporting, Data Warehousing

- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 44
RAN Optimization And Backhaul Optimization
Addressing the inherent congestion at RAN and Backhaul levels that the booming of Mobile data is imposing
Higher and more consistent performance and a much improved end-user experience
Flexibility to generate revenue through differential billing and charging eg email only
Ability to provide SLA support or managed services for large enterprise users
InternetbullGPRS
Policy
Server
UTRAN
SCE
GGSNSGSN
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 45
Tiered Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 46
Requirement Flexible Billing Plans
Volume
Time
Bill by bandwidth
usage over always on service
Time
Volume
Transaction
Content Type
Bill differently for each type of
application and content
Volume
Transaction
Content Type
Usage Pattern
Quality of Service
Bill differently for the same content
based on quality priority time of day and usage
pattern
SubscriptionSubscription
Time
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 47
Allowance or Quota Based ServicesBuy Time or Bandwidth as Needed
This Feature Allows Subscribers to Choose Volume Quota-Based or Time-Based Bandwidth for a Set Period of Time for Example on a Monthly Basis
Allowance Based Subscription
This Option Is Ideal for Subscribers Who Use the Internet Intermittently and Only Want to Buy Time or Bandwidth as Needed When Users Launch Their Browsers They Are Redirected to a Web Portal Where They Select the Two-hour ―Pay As You Go Option After Two Hours the Session Could Either Be Terminated or the User Could Purchase More Usage
Pay-as-You-Go Subscription Service
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 48
Quota Measurement Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine collection server and easy to use reporting tools
Service Control
EngineSubscribers
bullNetwork
Quota Manager BillingMediation Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that has other than Access Revenues can be exempted from Quota counting
SPlsquos Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SPlsquos Gaming Services
SPlsquos VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during time of dayPeak Hour 1 byte of transfer = 1 byte of quota
Middle of Night 10 byte of transfer = 1 byte of quota
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 50
Application-Based Charging
Granular Charging for advanced services based on volume length of usage and application events
Standard Gy interface to Online Charging Server
Subscriber Service Control
SCE
Access Aggregation
and Service Control
Converged
Packet
Core
bullInternet
VideoVoIP
Applications and Services
1
2
GGSN
3
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 51
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
SCE
Online Charging Server
Internet
Gy Over Diameter
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 52
Quota Based Tiering Telenet Cable Company in Belgium
bullhttpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota compliments Speed as a Tiering parameter
When a User reaches Quota his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15 of the Customers upgrade their Quota every month
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 53
View previous months
Current product and speed
Extend monthly
subscription volume
Upgrade to other product
Button to go from
pay as you go broadband
to free smallband or
the other way around
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 54
Re-direct page in case 100 of quota is reached Three options presented to subscriber Extend subscription - buy
more Pay as you go on
broadband Continue for free on
narrowband
Redirect Page
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 55
Quota Based Services - Results
15 of subscribers reaching their quota limit electing every month to move to a charge by the MBlsquo plan
Revenue increase
40 REDUCTION in service support calls relating to this service
Increased customer service satisfaction
bull15
bull40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 56
T-Mobile ndash Quota-Based With Application Control
Default WnW WnW Pro WnW WNW Plus WnW Max Post Pay Day Pass
Allowance Unlimited 2GB 2GB 1GB 3GB 10GB
VoIP radic times times times times radic times
IM radic times times times radic radic times
P2P radic times radic times radic radic times
FTP radic times radic times radic radic times
Media Stream radic times radic times radic radic times
Web Browsing radic radic radic radic radic radic radic
Downloads radic times radic radic radic radic radic
Emails radic radic radic radic radic radic radic
Handset as modem
radic times radic times radic radic times
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 57
European MobileBB Web 3G and Skype for Mobile
Take your online world with you TV PC and the web on your mobile
Business issueSkype taking mobile minutes away
Use case descriptionSCE amp PGW 2200 allows to route Skype users to mobile phones over PLMN
Business benefits Skype becomes chargeable minutes againNon IP capable phones can use Skype
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 58
European Mobile Volume Quota
bullhttpwwwvodafoneesparticularesinternet
gt 40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs participating in the advertising value chain
Leveraging their intimacy with their customer base to enable enhanced targeting
Diagram (BetterAds): the ISP contributes demographics, browsing habits and geo-location to the Advertiser -> Publisher -> Consumer chain

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participating in the advertising value chain
- Increase ARPU through a revenue-sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi

Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
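The second tool above, anonymizing subscriber details in click-stream RDRs before they leave the operator, as an added example written for this page (not Cisco code). The record layout, field names and the sample records are constructed; the design point it shows is that a keyed pseudonym (HMAC) rather than a plain hash must be used, because a plain hash of an IP address or account name is reversed simply by hashing guesses, and that mixing in an epoch (here a billing month) keeps profiles from being linked across periods.

```python
import hmac
import hashlib
import json

# Constructed sample click-stream RDRs (not real subscriber data).
SAMPLE_RDRS = [
    {"subscriber_id": "alice@isp.example", "subscriber_ip": "10.0.0.5",
     "host": "cars.example", "path": "/reviews", "ts": 1246406400},
    {"subscriber_id": "alice@isp.example", "subscriber_ip": "10.0.0.5",
     "host": "stocks.example", "path": "/quotes", "ts": 1246406460},
    {"subscriber_id": "bob@isp.example", "subscriber_ip": "10.0.0.9",
     "host": "cookware.example", "path": "/pans", "ts": 1246406520},
]

# Fields that identify the subscriber and must not leave the operator as-is.
IDENTIFYING_FIELDS = ("subscriber_id", "subscriber_ip")

def pseudonym(value: str, key: bytes, context: str) -> str:
    """Keyed pseudonym: without the operator-held key the token cannot be
    reversed by hashing candidate identifiers (unlike plain SHA-256)."""
    mac = hmac.new(key, f"{context}\x00{value}".encode(), hashlib.sha256).digest()
    return mac[:12].hex()   # 96 bits is ample for linking records within one epoch

def anonymize_rdr(record: dict, key: bytes, epoch: str) -> dict:
    """Replace identifying fields; the epoch is mixed into the HMAC input so the
    same subscriber receives a different token once the epoch changes."""
    out = dict(record)
    for name in IDENTIFYING_FIELDS:
        if name in out:
            out[name] = pseudonym(str(out[name]), key, f"{epoch}:{name}")
    return out

def anonymize_stream(records, key: bytes, epoch: str) -> list:
    """Apply anonymize_rdr to every record of an RDR stream."""
    return [anonymize_rdr(r, key, epoch) for r in records]

if __name__ == "__main__":
    demo_key = b"constructed-demo-key-rotate-in-production"
    print(json.dumps(anonymize_stream(SAMPLE_RDRS, demo_key, "2009-07"), indent=1))
```

The key stays with the operator; the profiling server receives only the tokens, so it can build "Alice likes cars and stocks" as a profile keyed by a token, but the mapping from token back to account or IP exists only on the operator side.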

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification (infringing / legal)
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
- The SCE analyzes and redirects OTT traffic to the caching server
- The cache delivers more bandwidth to end-users using existing network resources
- The cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience - OTT content is delivered from within the network, as close as possible to the user
Diagram: the SCE redirects OTT traffic (OTT, other OTT/P2P, VoIP) to the OTT Video Cache, which delivers the requested files; increase in demand for OTT

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: identify the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify of the security risk
Diagram: Service Control between the subscribers, the email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
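The identify / protect / notify chain above for the spam case, as an added example written for this page (not Cisco code): a sliding-window anomaly detector that counts distinct outbound SMTP destinations per subscriber and, when a subscriber fans out to too many mail hosts, emits a verdict carrying the operator alert, the blocking action and the quarantine-and-notify action. The flow records are constructed, and the 60-second window and 20-destination threshold are hypothetical operator settings.

```python
from collections import defaultdict, deque

SMTP_PORT = 25
WINDOW_SECONDS = 60             # hypothetical window
DISTINCT_DEST_THRESHOLD = 20    # hypothetical threshold of distinct mail hosts

def make_sample_flows():
    """Constructed flow records: (timestamp_s, subscriber, dst_ip, dst_port)."""
    # normal subscriber: two messages through the ISP relay
    flows = [(5, "sub-1001", "192.0.2.25", SMTP_PORT), (40, "sub-1001", "192.0.2.25", SMTP_PORT)]
    # constructed zombie: fans out to 30 distinct mail hosts within 30 s
    flows += [(10 + i, "sub-2002", f"198.51.100.{i + 1}", SMTP_PORT) for i in range(30)]
    # web browsing to many hosts must never count as SMTP fan-out
    flows += [(12, "sub-3003", f"203.0.113.{i + 1}", 80) for i in range(50)]
    return flows

class OutboundSmtpDetector:
    """Identify: distinct SMTP destinations per subscriber in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_DEST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # subscriber -> deque of (ts, dst_ip)
        self.alerts = {}                    # subscriber -> verdict

    def observe(self, ts, subscriber, dst_ip, dst_port):
        """Feed one flow record in time order; returns a verdict when one fires."""
        if dst_port != SMTP_PORT:
            return None
        q = self.recent[subscriber]
        q.append((ts, dst_ip))
        while q and ts - q[0][0] > self.window:     # expire old entries
            q.popleft()
        distinct = len({ip for _, ip in q})
        if distinct >= self.threshold and subscriber not in self.alerts:
            # Protect + Notify: the verdict lists the policy actions to apply
            self.alerts[subscriber] = {
                "ts": ts,
                "distinct_dst": distinct,
                "actions": ["alert-operations", "block-outbound-smtp", "quarantine-and-notify"],
            }
            return self.alerts[subscriber]
        return None

def run_detector(flows):
    """Replay a batch of flow records and return the verdicts per subscriber."""
    det = OutboundSmtpDetector()
    for flow in sorted(flows):          # process in timestamp order
        det.observe(*flow)
    return det.alerts

if __name__ == "__main__":
    for sub, verdict in run_detector(make_sample_flows()).items():
        print(sub, verdict)
```

Counting distinct destinations rather than message volume is what separates a zombie from a subscriber who legitimately sends a burst through the provider's own relay; a production threshold would be tuned per access type, and the verdict feeds the policy engine rather than dropping packets itself.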

Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 - Carrier Ethernet/MPLS/IP - SCE - VAS Server - Internet, with inbound and outbound traffic (X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation:
- Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful Analysis Engine with application awareness sees all packets in both directions
- The SCE Analysis Engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Diagram: Analysis Engine applying PDR (Police, Drop, Rewrite) actions

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
Diagram: optical splitters feeding the SCE between Subscribers and Network

High Availability Cascading Configurations
- Addressing split-flows between the two links
- Providing 1+1 Active-Standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link

Redundant Configurations: Active/Standby Schemes
1+0:
- Active/Standby: SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1:
- Active/Standby: SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open
Diagram: active link and standby link(s)

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
Diagram: SCE8000 with optical bypass modules; default bypass state (no power) vs. non-default bypass state

MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
- High Availability - provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber states
Diagram: N+1 SCEs attached to the 7600 toward the Internet (flows / return flows)

Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1, 1+1 HA and bypass HA SCE deployments behind the GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber) toward the Internet, with Accounting/Policy Control

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
Diagram: packet inspection of encapsulated packets (payload / TCP / IP / L2TP / MPLS, and payload / TCP / IP / PPP)

Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Subscribers - Service Control Engine - Network; the Subscriber Manager integrates with AAA, DHCP, RADIUS and billing; the Collection Manager feeds the Reporting Tool and Engage Console; Policy Server/Portal and Service Portal

Management and Integrations

Area                         | Description                                            | Protocols and Tools        | External Software Modules
Network Management           | FCAPS                                                  | SNMP, CLI, SSH             | NA
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing     | NetFlow v9, RDR-Protocol   | Collection Manager

Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber
- Real-time report

Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration - Push
Diagram: Subscribers - B-RAS - Network; the Cisco Subscriber Manager holds the RADIUS listener, the internal SDB, the event manager and the SCE device controller
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE

Subscriber Manager RADIUS Integration - Pull
Diagram: same components as in the push case
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE

RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate these into SM operations:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings
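The push and pull flows of the two preceding slides and the LEG translation above, as one added example written for this page (not Cisco SM or SCE code). The classes, the RADIUS attribute dictionary and the IP ranges are constructed; SCE-VAS-PID is used as the policy attribute because the slides show it, and the rule that a logout removes the mapping from every SCE in both modes is a design point of this example (it prevents the next subscriber to receive the same IP from inheriting the previous subscriber's policy).

```python
import ipaddress

class Sce:
    """Minimal stand-in for an SCE's subscriber mapping table (hypothetical)."""

    def __init__(self, name, subnet):
        self.name = name
        self.subnet = ipaddress.ip_network(subnet)   # subscriber range this SCE serves
        self.mappings = {}   # ip -> (subscriber_id, policy_id)
        self.sm = None       # set by the SM in pull mode

    def set_subscriber(self, subscriber_id, ip, policy_id):
        self.mappings[ip] = (subscriber_id, policy_id)

    def remove_subscriber(self, ip):
        self.mappings.pop(ip, None)

    def classify(self, src_ip):
        """Map a packet's source IP to a subscriber context. In pull mode an
        unknown IP triggers the "who is using IP?" query to the SM."""
        if src_ip not in self.mappings and self.sm is not None:
            answer = self.sm.who_is(src_ip)
            if answer is not None:
                self.mappings[src_ip] = answer
        return self.mappings.get(src_ip, ("anonymous", "default"))

class SubscriberManager:
    def __init__(self, mode="push"):
        assert mode in ("push", "pull")
        self.mode = mode
        self.sdb = {}        # internal SDB: ip -> (subscriber_id, policy_id)
        self.sces = []

    def attach(self, sce):
        self.sces.append(sce)
        if self.mode == "pull":
            sce.sm = self

    def relevant_sces(self, ip):
        """Only the SCE(s) serving this address range receive a push."""
        addr = ipaddress.ip_address(ip)
        return [s for s in self.sces if addr in s.subnet]

    def login(self, subscriber_id, ip, policy_id):
        self.sdb[ip] = (subscriber_id, policy_id)
        if self.mode == "push":
            for sce in self.relevant_sces(ip):
                sce.set_subscriber(subscriber_id, ip, policy_id)

    def logout(self, ip):
        self.sdb.pop(ip, None)
        # Removal must reach every SCE in both modes (see lead-in).
        for sce in self.sces:
            sce.remove_subscriber(ip)

    def who_is(self, ip):
        return self.sdb.get(ip)

def radius_leg(sm, attrs):
    """LEG translation: RADIUS accounting attributes -> SM login/logout."""
    ip = attrs["Framed-IP-Address"]
    status = attrs["Acct-Status-Type"]
    if status == "Start":
        sm.login(attrs["User-Name"], ip, attrs.get("SCE-VAS-PID", "default"))
    elif status == "Stop":
        sm.logout(ip)
    else:
        raise ValueError(f"unhandled Acct-Status-Type {status!r}")

if __name__ == "__main__":
    sm = SubscriberManager(mode="push")
    sce = Sce("sce-a", "10.1.0.0/16")
    sm.attach(sce)
    radius_leg(sm, {"Acct-Status-Type": "Start", "User-Name": "Joe",
                    "Framed-IP-Address": "10.1.2.3", "SCE-VAS-PID": "12"})
    print(sce.classify("10.1.2.3"))   # ('Joe', '12')
```

In push mode the mapping is present on the SCE before the first packet arrives; in pull mode the first packet from a new address costs one SM round-trip and is classified as anonymous until the answer is cached, which is the trade-off the two slides illustrate.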

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management with the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C, Java)
- SCE MIB - allows integration for maintenance operations
- RDRs - allow integration for billing/quota provisioning issues
- NetFlow v9 - allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE - (API) - Subscriber Manager - (API) - Policy Server

PCEF - Subscriber Policy Enforcement
Diagram: Converged Packet Core with the GGSN (access aggregation and service control), the SCE acting as PCEF, the PCRF policy server, the Internet and video/VoIP applications and services
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface And RADIUS VSAs
- The SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data streamed from the device using the RDR Protocol
- TCP, binary encoded
- Support for multiple destinations, failover, subscriptions
- RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n

Collection Manager: NetFlow v9 Export
- NetFlow Export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- The SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors including Cisco NFC 6.0
Diagram: the SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)

Collection Manager: Software Overview
CM-Software:
- Unix (Solaris, Linux) Java software
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle:
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)

ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic per package, per service and per direction (upstream / downstream)
Diagram: upstream and downstream flows (browsing, P2P, VoIP) between the subscriber side and the network side

ToS Classification
- The SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
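The precedence rule above, as an added example written for this page (not SCE code): extract the DSCP from the ToS byte of an IPv4 header and let a matching DSCP flavor override the signature result. The DSCP-to-flavor table and the packet builder are constructed, and the `dscp_trusted` switch is a design point of this example rather than a documented SCE setting: because the slide's classification trusts marks set by another network element, a deployment has to decide which side of the SCE is allowed to set them, otherwise a subscriber marking its own packets could claim a better service level.

```python
import socket
import struct

def build_ipv4(dscp, ecn=0, proto=6, src="10.0.0.1", dst="192.0.2.1", payload=b""):
    """Constructed IPv4 header (no options, checksum left zero) for the demo."""
    tos = (dscp << 2) | ecn
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def dscp_of(packet: bytes) -> int:
    """DSCP is the upper 6 bits of the ToS byte (the low 2 bits are ECN)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[1] >> 2

# Hypothetical DSCP-to-flavor table standing in for the slide's Flavor mechanism.
DSCP_FLAVORS = {46: "voip-ef", 34: "video-af41", 26: "business-af31"}

def classify(packet, signature_result, dscp_trusted=True):
    """Return (service, method). A DSCP flavor wins over the signature result;
    marks from an untrusted side are ignored so the signature engine decides."""
    if dscp_trusted:
        flavor = DSCP_FLAVORS.get(dscp_of(packet))
        if flavor is not None:
            return flavor, "dscp"
    return signature_result, "signature"

if __name__ == "__main__":
    pkt = build_ipv4(46, payload=b"rtp...")
    print(dscp_of(pkt), classify(pkt, "p2p"), classify(pkt, "p2p", dscp_trusted=False))
```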

Summary

Cisco SCE Sample Customers (grouped by access type: Mobile, DSL, Cable)

Sample customers and partners: Security & Content Filtering, Policy & Billing, URL Black-listing, Advertising
(Names as listed on the slide; the original layout placed them in the Mobile / DSL / Cable rows)
- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, in-platform cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
- Advertising: Phorm, Feeva, Adzilla, Local China, Local Italy
- UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom

Sample customers and partners: Flash Caching/Video, Content Infringement, Management/Reporting, Data Warehousing
- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet

Tiered Services

Requirement: Flexible Billing Plans
- Time, Volume: bill by bandwidth usage over an always-on service
- Time, Volume, Transaction, Content Type: bill differently for each type of application and content
- Volume, Transaction, Content Type, Usage Pattern, Quality of Service: bill differently for the same content based on quality, priority, time of day and usage pattern
- Subscription

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis.
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option. After two hours the session could either be terminated or the user could purchase more usage.

Quota Measurement / Enforcement Solution
SCE capabilities:
- Stateful classification of the end application regardless of port number
- Subscriber-based classification for detailed demographics data
- No load added on the existing network infrastructure
- End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: Subscribers - Service Control Engine - Network, with the Quota Manager, Billing/Mediation and Policy Server

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
- SP's content delivery store
- P2P technology can also be supported in the upload direction via DPI
- SP's gaming services
- SP's VoIP service
- Partnership content delivery services
The quota measurement rate can change during the time of day:
- Peak hour: 1 byte of transfer = 1 byte of quota
- Middle of night: 10 bytes of transfer = 1 byte of quota
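Quota accounting with service exemptions and the time-of-day weighting above, carried through to the enforcement decision described in the Telenet case later in this section, as an added example written for this page (not SCE or Quota Manager code). The exempt service names, the sample usage records and the 00:00-06:00 "middle of night" window are constructed; the slide gives the 1:1 and 10:1 rates but no hour boundaries. Integer arithmetic is used so that quota bookkeeping never accumulates rounding drift.

```python
from datetime import datetime

# Services whose traffic is exempt from quota (revenue other than access revenue).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}

def quota_cost(ts: datetime, nbytes: int) -> int:
    """Quota consumed for nbytes transferred at time ts.
    Peak hour: 1 byte = 1 byte of quota; middle of night: 10 bytes = 1 byte.
    The 00:00-06:00 night window is an assumption of this example."""
    if 0 <= ts.hour < 6:
        return nbytes // 10
    return nbytes

class QuotaBucket:
    def __init__(self, limit_bytes: int):
        self.limit = limit_bytes
        self.used = 0

    def charge(self, ts: datetime, service: str, nbytes: int) -> int:
        """Charge one usage record; returns the quota actually consumed."""
        if service in EXEMPT_SERVICES:
            return 0
        cost = quota_cost(ts, nbytes)
        self.used += cost
        return cost

    def exhausted(self) -> bool:
        return self.used >= self.limit

    def remaining(self) -> int:
        return max(0, self.limit - self.used)

def enforcement_action(bucket: QuotaBucket) -> str:
    """At 100% of quota the subscriber is redirected to the portal and
    continues at reduced speed until an upgrade (the Telenet model)."""
    return "redirect-to-portal-and-narrowband" if bucket.exhausted() else "full-speed"

def account(bucket: QuotaBucket, usage_records) -> QuotaBucket:
    """usage_records: iterable of (datetime, service, bytes)."""
    for ts, service, nbytes in usage_records:
        bucket.charge(ts, service, nbytes)
    return bucket

# Constructed usage for one subscriber with a 1 MB demo quota.
SAMPLE_USAGE = [
    (datetime(2009, 7, 1, 20, 0), "p2p", 300_000),        # peak: counts in full
    (datetime(2009, 7, 2, 3, 0), "browsing", 500_000),    # night: counts 1/10
    (datetime(2009, 7, 2, 12, 0), "sp-voip", 900_000),    # exempt: counts 0
]
SAMPLE_OVERAGE = [(datetime(2009, 7, 3, 19, 0), "video", 700_000)]

if __name__ == "__main__":
    bucket = account(QuotaBucket(1_000_000), SAMPLE_USAGE)
    print(bucket.used, bucket.remaining(), enforcement_action(bucket))
```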

Application-Based Charging
- Granular charging for advanced services based on volume, length of usage and application events
- Standard Gy interface to the Online Charging Server
Diagram: Converged Packet Core with the GGSN (access aggregation and service control), the SCE (subscriber service control), the Internet and video/VoIP applications and services
The Gy interface is still under development and will be available in a future release

Gy Interface For Online Charging
- Comprehensive implementation of Gy over Diameter
- The SCE supports the Diameter Credit Control Application (DCCA)
- Integration with Online Charging Servers for mobile prepaid and quota use cases
- Multiple quota types: volume, time, event driven
- High availability and load-balancing between Online Charging Servers
Diagram: SCE - Gy over Diameter - Online Charging Server; SCE - Internet
The Gy interface is still under development and will be available in a future release

Quota Based Tiering: Telenet Cable Company in Belgium
http://www.billingworld.com/rev2/main/featureArticle.cfm?featureID=7799
- Quota complements speed as a tiering parameter
- When a user reaches the quota, his Internet service is reduced to dial-up speed
- The user then has the option to upgrade his quota level or continue at reduced speed till the end of the month
- 15% of the customers upgrade their quota every month

(Screenshot of the self-service portal: view previous months; current product and speed; extend monthly subscription volume; upgrade to other product; button to go from pay-as-you-go broadband to free smallband or the other way around)

Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband

Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan: revenue increase
- 40% REDUCTION in service support calls relating to this service: increased customer service satisfaction

T-Mobile - Quota-Based With Application Control
(✓ = allowed, ✗ = blocked; the Day Pass allowance is not given on the slide)

Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | ✓         | ✗   | ✗       | ✗        | ✗       | ✓        | ✗
IM               | ✓         | ✗   | ✗       | ✗        | ✓       | ✓        | ✗
P2P              | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
FTP              | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
Media Stream     | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗
Web Browsing     | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Downloads        | ✓         | ✗   | ✓       | ✓        | ✓       | ✓        | ✓
Emails           | ✓         | ✓   | ✓       | ✓        | ✓       | ✓        | ✓
Handset as modem | ✓         | ✗   | ✓       | ✗        | ✓       | ✓        | ✗

European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
> 40

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
- "Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": enhanced experience is application-driven (application awareness, control bus)
Diagram: IPTV/VoD, gaming, messaging, music and voice over broadband access

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
- Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright Infringement: validate that distributed content does not infringe copyrights
- Advertisement Insertion: perform local advertisement insertions
- Security Services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
(Screenshot: personalization via self selection)

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo Button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental Controls and Content Filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
BetterAds: SPs participating in the advertising value chain
Value chain: advertiser, publisher, consumer, and the ISP, which contributes demographics, browsing habits and geo-location
Leveraging their intimacy with their customer base for enabling enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participating in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in those RDRs
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
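The "anonymizing the subscriber details" step above, as an added example (not Cisco's code; the record fields are assumptions, not the real RDR layout). It uses a keyed HMAC rather than a plain hash, because a plain SHA-256 of a username or IP address can be reversed by enumerating the small space of possible values, while the key never leaves the operator:

```python
"""Added example (not Cisco's code): pseudonymizing subscriber identity in
HTTP click-stream records before they are handed to a profiling server."""
import hashlib
import hmac

# Constructed click-stream records (field names are assumptions, not the RDR layout).
RAW_CLICKSTREAM = [
    {"subscriber_id": "joe@example.net", "ip": "10.1.2.3", "host": "cars.example", "path": "/suv"},
    {"subscriber_id": "joe@example.net", "ip": "10.1.2.3", "host": "stocks.example", "path": "/quote?sym=X"},
    {"subscriber_id": "ann@example.net", "ip": "10.1.2.9", "host": "cookware.example", "path": "/pans"},
]


def pseudonym(value, key):
    """Keyed pseudonym: the profiler can correlate one subscriber's clicks but
    cannot recover the identity without the operator's key. Rotating the key
    (e.g. per campaign period) breaks long-term linkability."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def anonymize_record(record, key):
    """Replace the direct identifier with a pseudonym, drop the IP address
    entirely, and strip the URL query string, which often carries identifiers."""
    return {
        "subscriber_pseudonym": pseudonym(record["subscriber_id"], key),
        "host": record["host"],
        "path": record["path"].split("?", 1)[0],
    }


def anonymize_stream(records, key):
    return [anonymize_record(r, key) for r in records]
```

What leaves the network is a pseudonym, a host and a path; the key, the username and the IP stay with the SP, which is the property the opt-in/opt-out discussion on the previous slide depends on.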
Infringing / Non-Infringing P2P Identification
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
The SCE analyzes and redirects OTT traffic to the caching server
The cache delivers more bandwidth to end-users using existing network resources
The cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: the SCE classifies OTT, other OTT/P2P and VoIP traffic; it redirects OTT traffic to the OTT video cache and the cache delivers the requested files
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Diagram: Service Control between the subscribers, the e-mail servers and the Internet. Example notification sent to the quarantined subscriber:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
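The identify / protect / notify tiers for the spam case, as an added example (not Cisco's code or its detection logic). The flow records, the relay address and the thresholds are constructed; the anomaly rule is the classic one for spam zombies, a single client talking SMTP to many distinct mail servers in a short window, which a normal mail client that only uses its provider's relay never does:

```python
"""Added example (not Cisco's code): identify / protect / notify pipeline for
spam zombies, run over constructed per-subscriber flow records."""
from collections import defaultdict

SP_MAIL_RELAY = "198.51.100.25"   # constructed: the SP's own outbound mail relay


def build_sample_flows():
    """Constructed flow records: (time_s, subscriber, dst_ip, dst_port, packets)."""
    flows = [(t, "sub-A", SP_MAIL_RELAY, 25, 8) for t in range(0, 90, 30)]      # ordinary mail client
    flows += [(t, "sub-B", f"203.0.113.{t}", 25, 3) for t in range(1, 41)]      # 40 distinct MTAs in 40 s
    flows += [(t, "sub-C", "192.0.2.7", 80, 50) for t in range(0, 40)]          # web browsing, not SMTP
    return flows


def identify(flows, window_s=60, max_distinct_mtas=20):
    """Tier 1, anomaly detection: a host that opens SMTP sessions to many distinct
    mail servers inside one window behaves like a spam zombie. Returns
    subscriber -> evidence, which is what the alert to SP operations carries."""
    smtp_events = defaultdict(list)
    for ts, sub, dst, port, _packets in flows:
        if port == 25 and dst != SP_MAIL_RELAY:
            smtp_events[sub].append((ts, dst))
    findings = {}
    for sub, events in smtp_events.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {dst for ts, dst in events[i:] if ts - t0 <= window_s}
            if len(in_window) >= max_distinct_mtas:
                findings[sub] = {"distinct_mtas": len(in_window), "window_start": t0}
                break
    return findings


def protect(findings, policy="block-direct-smtp"):
    """Tier 2, mitigation per configured policy. Mail to the SP relay stays open so
    the subscriber's legitimate e-mail keeps working while the bot is contained."""
    actions = []
    for sub in findings:
        if policy == "block-direct-smtp":
            actions.append((sub, "drop", f"dst_port 25 except {SP_MAIL_RELAY}"))
        elif policy == "rate-limit":
            actions.append((sub, "rate", "dst_port 25 limited to 1 session/min"))
    return actions


def notify(findings):
    """Tier 3, quarantine: redirect the subscriber's web sessions to a notice page."""
    return [(sub, "quarantine", "redirect HTTP to security notice portal") for sub in findings]


def run_pipeline(flows):
    found = identify(flows)
    return {"alerts": found, "actions": protect(found), "notifications": notify(found)}
```

The threshold is the tuning knob: too low and a user of several webmail providers' SMTP submission ports trips it, too high and a slow-sending bot stays under it; the evidence dictionary is kept so an operator can see why a subscriber was flagged before the notification goes out.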
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Savings on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1, the SCE on the Carrier Ethernet / MPLS / IP network, the VAS server and the Internet; inbound and outbound traffic shown, X marks traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows that match the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: the SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Diagram: the analysis engine applies PDR (police / drop / rewrite) actions to the packets passing through

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: subscribers, optical splitter, SCE, optical splitter, network
High Availability Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active-standby failover
The Slave forwards all traffic to the Master for processing
The Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCE, one on each active link

Redundant Configurations: Active / Standby Schemes
1+0
Active / standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass config: fail open (traffic on the bypassed link passes without inspection or control)
1+1
Active / standby: SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass config: fail open
Diagram: one active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Diagram: SCE8000 with an optical bypass module on each link pair; default bypass state (no power) versus non-default bypass state
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
High Availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Diagram: N+1 SCEs attached to the 7600; flows go out to an SCE and return to the data path towards the Internet
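The dispatch rule above (all flows of one subscriber to the same engine, with a standby taking over on failure), as an added example that models the concept in Python; it is not Cisco's code and not how the 7600 load-balances. Engine names, the hashing scheme and the sample flows are constructed:

```python
"""Added example (not Cisco's code): subscriber-affinity dispatch of flows to an
N+1 pool of inspection engines, modelled on the MGSCP concept above."""
import hashlib
import ipaddress


class FlowDispatcher:
    """Maps every flow of one subscriber to the same engine; a standby engine
    takes over a failed engine's slot so that other subscribers are not re-mapped."""

    def __init__(self, active_engines, standby_engines):
        self.active = list(active_engines)     # the N engines in service
        self.standby = list(standby_engines)   # the +1 (or more)
        self.failed = []

    @staticmethod
    def _bucket(subscriber_ip):
        # Hash only the subscriber address (never the full 5-tuple), so both
        # directions and all flows of a subscriber land on one engine. A fixed
        # digest is used because Python's hash() is randomised per process.
        packed = ipaddress.ip_address(subscriber_ip).packed
        return int.from_bytes(hashlib.sha256(packed).digest()[:4], "big")

    def engine_for(self, subscriber_ip):
        return self.active[self._bucket(subscriber_ip) % len(self.active)]

    def dispatch(self, flows):
        """flows: iterable of (subscriber_ip, peer_ip, peer_port).
        Returns [(flow, engine)], i.e. the port each flow would be sent to."""
        return [(flow, self.engine_for(flow[0])) for flow in flows]

    def fail(self, engine):
        """Device-level failure: the standby inherits the dead engine's slot, so the
        modulo mapping of every other subscriber is unchanged."""
        if engine not in self.active:
            raise ValueError(f"{engine} is not an active engine")
        if not self.standby:
            raise RuntimeError("no standby engine left; traffic would have to bypass")
        slot = self.active.index(engine)
        self.active[slot] = self.standby.pop(0)
        self.failed.append(engine)
        return self.active[slot]


def build_sample_flows():
    """Constructed flows: three subscribers with several flows each."""
    return [
        ("10.0.0.1", "192.0.2.10", 443), ("10.0.0.1", "192.0.2.11", 80),
        ("10.0.0.2", "192.0.2.10", 443), ("10.0.0.2", "198.51.100.5", 6881),
        ("10.0.0.3", "192.0.2.12", 80),  ("10.0.0.3", "192.0.2.10", 443),
    ]
```

Slot replacement rather than re-hashing over N-1 engines is the point of the +1: only the subscribers that were on the dead engine move, and their flow state is rebuilt on the standby, while everyone else's state stays where it was.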
Network Architectures: the SCE's Open & Extensible Architecture
Diagram: SCEs deployed in 1+1 HA, bypass HA and N+1 configurations behind a GGSN (mobile) and a BRAS / LAC / LNS (DSL, fiber), integrated with accounting and policy control, towards the Internet
Tunneling Environment: the SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Diagram (packet inspection): the engine looks past the outer encapsulation (L2TP, MPLS, PPP) to the inner IP and TCP headers and the payload
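What "looking past the encapsulation" means in practice, as an added example (not Cisco's code): a parser that walks 802.1q tags, an MPLS label stack and IP-in-IP to reach the inner TCP 5-tuple, run on a frame constructed in the same file. L2TP/PPP and GRE/GTP are not handled here; the MPLS case relies on the usual trick of sniffing the IP version nibble, since no ethertype follows the label stack:

```python
"""Added example (not Cisco's code): walking 802.1q, MPLS and IP-in-IP
encapsulation to reach the inner IP/TCP headers, on a constructed frame."""
import ipaddress
import struct

ETH_P_8021Q, ETH_P_MPLS, ETH_P_IP = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP = 4, 6


def parse_frame(frame):
    """Return (encapsulation_layers, (src, dst, sport, dport)) for the innermost TCP segment."""
    layers = []
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    while ethertype == ETH_P_8021Q:                  # one or more VLAN tags
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        layers.append(f"vlan:{tci & 0x0FFF}")
        off += 4
    if ethertype == ETH_P_MPLS:                      # MPLS label stack
        while True:
            (entry,) = struct.unpack_from("!I", frame, off)
            layers.append(f"mpls:{entry >> 12}")
            off += 4
            if entry & 0x100:                        # bottom-of-stack bit
                break
        if frame[off] >> 4 != 4:                     # no ethertype after MPLS: sniff the IP version
            raise ValueError("non-IPv4 payload after MPLS stack")
        ethertype = ETH_P_IP
    if ethertype != ETH_P_IP:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    while True:                                      # IPv4, possibly IP-in-IP
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src, dst = frame[off + 12:off + 16], frame[off + 16:off + 20]
        off += ihl
        if proto == IPPROTO_IPIP:
            layers.append("ipip")
            continue
        break
    if proto != IPPROTO_TCP:
        raise ValueError(f"unsupported IP protocol {proto}")
    sport, dport = struct.unpack_from("!HH", frame, off)
    return layers, (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), sport, dport)


def ipv4_header(src, dst, proto, payload_len):
    # Checksum left as 0: enough for parsing, not for transmission.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def build_sample_frame():
    """Constructed frame: Ethernet / 802.1q VLAN 100 / MPLS 1001,2002 / IP-in-IP / IPv4 / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.1.2.3", "192.0.2.10", IPPROTO_TCP, len(tcp)) + tcp
    outer = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!II", (1001 << 12) | 64, (2002 << 12) | 0x100 | 64)
    vlan = struct.pack("!HH", 100, ETH_P_MPLS)
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETH_P_8021Q)
    return eth + vlan + mpls + outer
```

A classifier that stopped at the outer header would attribute this flow to the tunnel endpoints 172.16.0.1 and 172.16.0.2 rather than to the subscriber at 10.1.2.3, which is exactly why the insertion-point slide lists the tunneling environment among the issues to consider.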
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution including SCE devices, management tools and integration APIs
Diagram: the Service Control Engine sits between the subscribers and the network; the Subscriber Manager integrates with AAA (DHCP, RADIUS, billing) and with the policy server / portal; the Collection Manager feeds the reporting tool, the Engage console and the service portal
Management and Integrations
Network Management: FCAPS; protocols and tools: SNMP, CLI (SSH); external software module: N/A
Policy / Service Configuration: definition of policies and dissemination to SE devices; protocols and tools: SCA-API, GUI, scripts, XML; external software module: Service Control Application Suite GUI
Subscriber Management: dynamic management of subscriber contexts; protocols and tools: SM API, RADIUS; external software module: Subscriber Manager
Data Collection: collection of usage data for reporting and billing; protocols and tools: NetFlow v9, RDR protocol; external software module: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH (Telnet and SNMPv2c carry credentials and community strings in cleartext; restrict them to the management network or use SSH)
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites (SCE, CM, SM, database)
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
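What a multi-packet, bi-directional signature with binary and HTTP-header steps amounts to when evaluated, as an added example (not Cisco's signature language or engine). The two signatures and the three flows are constructed; "ToyP2P" and "ToyClient" are made-up protocol names:

```python
"""Added example (not Cisco's code): a small stateful matcher for multi-packet,
bi-directional signatures with binary and HTTP-header steps."""
import re

# A signature is an ordered list of steps; each step must match one packet in the
# given direction ("up" = subscriber->network, "down" = network->subscriber).
# Step kinds: ("prefix", bytes), ("contains", bytes), ("http_header", (name, regex)).
SIGNATURES = {                                           # constructed signatures
    "toy-p2p-handshake": [
        ("up",   "prefix",   b"\x13ToyP2P"),
        ("down", "prefix",   b"\x13ToyP2P"),
        ("up",   "contains", b"\x00\x00\x00\x0dinterested"),
    ],
    "toy-app-over-http": [
        ("up",   "http_header", ("User-Agent", r"^ToyClient/\d+\.\d+")),
        ("down", "http_header", ("X-Toy-Session", r"^[0-9a-f]{8}$")),
    ],
}


def _http_header(payload, name):
    """Return the value of one header in an HTTP request/response head, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def _step_matches(step, direction, payload):
    want_dir, kind, arg = step
    if direction != want_dir:
        return False
    if kind == "prefix":
        return payload.startswith(arg)
    if kind == "contains":
        return arg in payload
    if kind == "http_header":
        value = _http_header(payload, arg[0])
        return value is not None and re.search(arg[1], value) is not None
    raise ValueError(f"unknown step kind {kind}")


def classify_flow(packets, signatures=SIGNATURES, max_packets=8):
    """packets: [(direction, payload_bytes)] in arrival order. Steps must be met in
    order; packets that match nothing are skipped. Only the first max_packets are
    examined, the way a DPI engine bounds per-flow work. Returns matched names."""
    progress = {name: 0 for name in signatures}
    matched = []
    for direction, payload in packets[:max_packets]:
        for name, steps in signatures.items():
            if name in matched:
                continue
            if _step_matches(steps[progress[name]], direction, payload):
                progress[name] += 1
                if progress[name] == len(steps):
                    matched.append(name)
    return matched


def build_sample_flows():
    """Constructed flows keyed by a label."""
    return {
        "p2p": [
            ("up",   b"\x13ToyP2P" + bytes(8)),
            ("down", b"\x13ToyP2P" + bytes(8)),
            ("up",   b"\x00\x00\x00\x0dinterested"),
        ],
        "http-toy": [
            ("up",   b"GET /api HTTP/1.1\r\nHost: toy.example\r\nUser-Agent: ToyClient/2.1\r\n\r\n"),
            ("down", b"HTTP/1.1 200 OK\r\nX-Toy-Session: deadbeef\r\nContent-Length: 0\r\n\r\n"),
        ],
        "plain-web": [
            ("up",   b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
            ("down", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        ],
    }
```

Requiring a step from the server side (the "down" packets) is what makes a bi-directional signature more robust than a client-only pattern: a client can send any bytes it likes, but it cannot make an arbitrary server answer in the protocol's own handshake.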
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber in a real-time report

Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
Components: B-RAS, RADIUS server, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE devices, subscribers
1. B-RAS to RADIUS: Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to SM: Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM to SCE (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager RADIUS Integration - Pull
Components: B-RAS, RADIUS server, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE devices, subscribers
1. B-RAS to RADIUS: Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to SM: Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. SM to SCE (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEG translation in brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate AAA events into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
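The push and pull flows from the two RADIUS slides and the LEG translation above, as an added example (not Cisco's SM or its SM-API). The in-memory subscriber manager, the attribute dictionaries standing in for RADIUS and DHCP packets, the default policy ID and the use of the DHCP remote-ID as subscriber ID are all assumptions:

```python
"""Added example (not Cisco's code): a minimal subscriber manager with push and
pull modes, fed by RADIUS and DHCP login event generators (LEGs)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DEFAULT_POLICY_ID = 1      # assumption: package used when AAA provides none


@dataclass
class SubscriberContext:
    subscriber_id: str
    policy_id: int
    mappings: Set[str] = field(default_factory=set)   # network IDs (IP addresses)
    expires_at: Optional[float] = None                # DHCP lease end; None = until logout


class SubscriberManager:
    def __init__(self, push_to_sce=None):
        self.sdb: Dict[str, SubscriberContext] = {}     # the internal SDB
        self.ip_index: Dict[str, str] = {}              # network ID -> subscriber ID
        self.push_to_sce = push_to_sce                  # push-mode callback, None for pull only

    def login(self, subscriber_id, ip, policy_id, lease_time=None, now=0.0):
        # A network ID belongs to exactly one subscriber: drop any stale owner first,
        # otherwise a re-used address would inherit the previous user's package.
        old = self.ip_index.get(ip)
        if old and old != subscriber_id:
            self.logout(old, ip)
        ctx = self.sdb.setdefault(subscriber_id, SubscriberContext(subscriber_id, policy_id))
        ctx.policy_id = policy_id
        ctx.mappings.add(ip)
        ctx.expires_at = now + lease_time if lease_time else None
        self.ip_index[ip] = subscriber_id
        if self.push_to_sce:                            # push: "Set Subscriber (Joe, 1.2.3.4, 12)"
            self.push_to_sce(subscriber_id, ip, policy_id)

    def logout(self, subscriber_id, ip=None):
        ctx = self.sdb.get(subscriber_id)
        if not ctx:
            return
        for addr in (list(ctx.mappings) if ip is None else [ip]):
            ctx.mappings.discard(addr)
            self.ip_index.pop(addr, None)
        if not ctx.mappings:
            del self.sdb[subscriber_id]

    def lookup(self, ip, now=0.0):
        """Pull mode: the SCE asks "who is using IP x?" when it sees unknown traffic."""
        sub = self.ip_index.get(ip)
        if sub is None:
            return None
        ctx = self.sdb[sub]
        if ctx.expires_at is not None and now >= ctx.expires_at:
            self.logout(sub, ip)                        # expired lease: treat as logged out
            return None
        return (sub, ctx.policy_id)


def radius_leg(sm, acct):
    """Translate a RADIUS accounting packet (dict of attributes) into SM operations."""
    vsa = acct.get("Vendor-Specific", {})
    if acct["Acct-Status-Type"] == "Start":
        sm.login(acct["User-Name"], acct["Framed-IP-Address"], vsa.get("SCE-VAS-PID", DEFAULT_POLICY_ID))
    elif acct["Acct-Status-Type"] == "Stop":
        sm.logout(acct["User-Name"], acct.get("Framed-IP-Address"))


def dhcp_leg(sm, msg, now):
    """Translate a DHCP message into SM operations; the relay-agent remote-ID
    (option 82.2) identifies the access line and is used as the subscriber ID."""
    if msg["message-type"] == "ACK":
        sm.login(msg["remote-id"], msg["yiaddr"], DEFAULT_POLICY_ID, lease_time=msg["lease-time"], now=now)
    elif msg["message-type"] == "RELEASE":
        sm.logout(msg["remote-id"], msg["ciaddr"])
```

The two checks worth noticing are the ones the slides leave implicit: an address reassigned by the B-RAS or DHCP server must evict the previous owner's mapping, and a DHCP-learned mapping must stop answering pull queries once its lease has expired, or the engine keeps enforcing one subscriber's package on another subscriber's traffic.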
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C, Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning
NetFlow v9: allows integration for billing / quota provisioning cases

Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE, API, Subscriber Manager, API, Policy Server
PCEF - Subscriber Policy Enforcement
Diagram: subscriber, access aggregation and service control (GGSN, SCE acting as PCEF), converged packet core, Internet and video / VoIP applications and services; steps 1 to 5 show the subscriber service control exchange with the PCRF policy server
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface And RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: RDR stream over TCP from the SCE to the mediation / collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
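A binary, length-prefixed record stream over TCP with multiple-destination failover, as an added example (not Cisco's code). The framing below, header plus tagged fields, is an assumption made for illustration and is not the real RDR wire format; the record type number and field values are constructed:

```python
"""Added example (not Cisco's code): a binary, length-prefixed record stream
over TCP with stream reassembly and collector failover. The framing is an
assumption for illustration, not the real RDR wire format."""
import struct

MAGIC = 0x52445231                     # constructed marker, "RDR1"
HEADER = struct.Struct("!IHHI")        # magic, rdr_type, field_count, payload_len
T_INT, T_STR = 1, 2                    # field type tags


def encode_rdr(rdr_type, fields):
    """Serialise one record: header followed by (tag, length, value) fields."""
    body = bytearray()
    for value in fields:
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise TypeError(f"unsupported field {value!r}")
        raw = struct.pack("!q", value) if isinstance(value, int) else value.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for 16-bit length")
        tag = T_INT if isinstance(value, int) else T_STR
        body += struct.pack("!BH", tag, len(raw)) + raw
    return HEADER.pack(MAGIC, rdr_type, len(fields), len(body)) + bytes(body)


def decode_rdrs(buf):
    """Parse complete records from a TCP buffer; returns (records, unconsumed_tail).
    A partial record at the end stays in the tail until more bytes arrive, which
    is the case every TCP reader has to handle."""
    records, off = [], 0
    while len(buf) - off >= HEADER.size:
        magic, rdr_type, count, plen = HEADER.unpack_from(buf, off)
        if magic != MAGIC:
            raise ValueError("stream desynchronised: bad magic")
        if len(buf) - off - HEADER.size < plen:
            break                                       # wait for the rest of this record
        pos, end, fields = off + HEADER.size, off + HEADER.size + plen, []
        for _ in range(count):
            tag, length = struct.unpack_from("!BH", buf, pos)
            pos += 3
            raw = buf[pos:pos + length]
            pos += length
            if pos > end:
                raise ValueError("field runs past the record payload")
            fields.append(struct.unpack("!q", raw)[0] if tag == T_INT else raw.decode("utf-8"))
        if pos != end:
            raise ValueError("field lengths do not add up to the payload length")
        records.append((rdr_type, fields))
        off = end
    return records, buf[off:]


class RdrSender:
    """Sends each record to the active collector and fails over to the next one
    (the deck's multiple-destination / failover support) on connection errors."""

    def __init__(self, collectors):
        self.collectors = list(collectors)   # callables standing in for TCP connections
        self.active = 0

    def send(self, record_bytes):
        for _ in range(len(self.collectors)):
            try:
                self.collectors[self.active](record_bytes)
                return self.active
            except ConnectionError:
                self.active = (self.active + 1) % len(self.collectors)
        raise ConnectionError("all collectors unreachable")


def unreachable_collector(_record):
    """Constructed stand-in for a collector whose TCP connection is down."""
    raise ConnectionError("collector down")
```

The length checks inside `decode_rdrs` are not pedantry: a collector that trusts the field lengths in a usage record from the network is a parser that can be desynchronised or made to over-read by one malformed record, and these records carry per-subscriber usage, so the collector belongs on the management network rather than on a path subscribers can reach.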
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
The SCE supports the new extensions
Records equivalent to the existing RDR groups: subscriber usage (NUR), package usage (PUR), link usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: the SCE exports RDRs to the SCMS Collection Manager (SCMS Reporter) and NetFlow v9 to a NetFlow collector (NetFlow reporter)

Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (i.e. upstream / downstream)
Diagram: browsing, P2P and VoIP flows marked on the subscriber side (upstream flows) and on the network side (downstream flows)

ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network (the marks are only as trustworthy as the element that set them; a mark that a subscriber host can set itself should be reset at the access edge before it is used for classification)
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
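The precedence rule (DSCP flavour before signatures) and the per-package / service / direction marking, as an added example (not Cisco's code or its Flavor mechanism). The DSCP-to-service mapping, the marking table, the package names and the decision to trust only marks arriving from the network side are all assumptions:

```python
"""Added example (not Cisco's code): DSCP-flavour classification taking precedence
over signature matching, followed by per-package/service/direction marking."""

# DSCP values treated as pre-classified flavours (constructed mapping).
DSCP_FLAVORS = {46: "VoIP", 34: "Video", 10: "Browsing"}
# Assumption: only marks arriving from the network side are trusted; a subscriber
# host can set any DSCP it likes, so upstream marks are not used for classification.
TRUSTED_SIDES = {"network"}

# Marking table: (package, service, direction) -> DSCP. Flows without an entry keep
# their existing mark. The deck limits the GUI to 7 selectable DSCP values.
MARKING = {
    ("Gold", "VoIP", "upstream"): 46,     ("Gold", "VoIP", "downstream"): 46,
    ("Gold", "P2P", "upstream"): 8,       ("Gold", "P2P", "downstream"): 8,
    ("Bronze", "P2P", "upstream"): 8,     ("Bronze", "P2P", "downstream"): 8,
    ("Bronze", "Browsing", "upstream"): 0,
}


def toy_signature_classifier(payload):
    """Stand-in for the signature engine (constructed patterns)."""
    if payload.startswith(b"\x13ToyP2P"):
        return "P2P"
    if payload.startswith(b"GET ") or payload.startswith(b"POST "):
        return "Browsing"
    return "Other"


def classify(packet, signature_classifier=toy_signature_classifier):
    """DSCP flavour first, when the mark is trusted; signatures otherwise."""
    if packet["side"] in TRUSTED_SIDES and packet["dscp"] in DSCP_FLAVORS:
        return DSCP_FLAVORS[packet["dscp"]]
    return signature_classifier(packet["payload"])


def process(packet, package):
    """Return (service, dscp_to_write) for a packet of the given package.
    packet: {"side": "subscriber" | "network", "dscp": int, "payload": bytes}."""
    service = classify(packet)
    direction = "upstream" if packet["side"] == "subscriber" else "downstream"
    return service, MARKING.get((package, service, direction), packet["dscp"])
```

The second test case is the one that matters operationally: a P2P client that sets DSCP 46 on its own packets would be classified as VoIP if upstream marks were honoured, which is why the trust check sits in front of the precedence rule.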
Summary

Cisco SCE Sample Customers (customer logos grouped by access type: Mobile, DSL, Cable)

Solution areas, partners and customers
Security & Content Filtering partners: Aladdin, Websense, Adaptive Mobile
Policy & Billing partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL black-listing: Websense, in-platform cache
Customers (security / content filtering and policy / billing): NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT
URL black-listing customers: ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Advertising partners: Phorm, Feeva, Adzilla, local (China), local (Italy)
Advertising customers: UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Flash Caching / Video partners: Oversi, CDS; customers: various European and Asian operators
Content Infringement partners: Audible Magic, Advestigo, Altnet; customers: European legislators, content providers, initial POCs
Management / Reporting partners: Proxy, Business Objectives, Comability, Aqsacom, Info Vista; customers: Telecom Italia, CYTA
Data Warehousing partners: Business Objects, Oracle; customers: Orange, T-Mobile, Telenet
Requirement: Flexible Billing Plans
Bill by bandwidth usage over an always-on service: volume, time
Bill differently for each type of application and content: time, volume, transaction, content type
Bill differently for the same content based on quality, priority, time of day and usage pattern: volume, transaction, content type, usage pattern, quality of service
Subscription: time

Allowance or Quota Based Services: Buy Time or Bandwidth as Needed
Allowance-based subscription: this feature allows subscribers to choose volume quota-based or time-based bandwidth for a set period of time, for example on a monthly basis
Pay-as-you-go subscription service: this option is ideal for subscribers who use the Internet intermittently and only want to buy time or bandwidth as needed. When users launch their browsers they are redirected to a web portal where they select the two-hour "Pay As You Go" option; after two hours the session could either be terminated or the user could purchase more usage
Quota Measurement / Enforcement Solution
SCE capabilities
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographic data
No load added on the existing network infrastructure
End-to-end solution including analysis engine, collection server and easy-to-use reporting tools
Diagram: the Service Control Engine between the subscribers and the network, integrated with the quota manager, billing / mediation and the policy server

Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
The quota measurement rate can change with the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
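Quota accounting with exempt services and the time-of-day rates above, together with the quota-reached behaviour the Telenet case later in the deck describes (narrowband speed plus a redirect page with three options), as an added example (not Cisco's quota manager). The service names, the hour boundaries for "peak" and "middle of the night", the rounding-down and the sample usage records are assumptions:

```python
"""Added example (not Cisco's code): quota accounting with exempt services,
time-of-day weighting and the quota-reached enforcement described in the deck."""
from dataclasses import dataclass

MB = 1024 * 1024
# Services whose revenue is not access revenue and are therefore not counted (constructed names).
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def transfer_bytes_per_quota_byte(hour):
    """Peak hour: 1 byte of transfer = 1 byte of quota; middle of the night:
    10 bytes of transfer = 1 byte of quota. The hour boundaries are an assumption."""
    return 10 if 1 <= hour < 6 else 1


@dataclass
class QuotaBucket:
    subscriber_id: str
    allowance: int          # bytes per billing period
    used: int = 0

    def charge(self, nbytes, service, hour):
        """Count usage against the bucket; returns the quota bytes consumed (rounded down)."""
        if service in EXEMPT_SERVICES:
            return 0
        quota_bytes = nbytes // transfer_bytes_per_quota_byte(hour)
        self.used += quota_bytes
        return quota_bytes

    def remaining(self):
        return max(0, self.allowance - self.used)

    def enforcement(self):
        """At 100% the deck drops the line to narrowband speed and redirects the
        subscriber to a page offering three options."""
        if self.used < self.allowance:
            return {"state": "normal"}
        return {
            "state": "quota-reached",
            "speed": "narrowband",
            "redirect_options": ["extend subscription (buy more)",
                                 "pay as you go on broadband",
                                 "continue for free on narrowband"],
        }


def apply_usage(records, buckets):
    """records: constructed usage records (subscriber_id, service, bytes, hour).
    Returns {subscriber_id: enforcement dict} after all records are applied."""
    for subscriber_id, service, nbytes, hour in records:
        buckets[subscriber_id].charge(nbytes, service, hour)
    return {sid: bucket.enforcement() for sid, bucket in buckets.items()}


def build_sample_records():
    """Constructed usage: joe reaches exactly his 1000 MB allowance, ann does not."""
    return [
        ("joe", "p2p", 500 * MB, 20),            # peak: full rate
        ("joe", "p2p", 2000 * MB, 3),            # night: 2000 MB costs 200 MB of quota
        ("joe", "sp-voip", 5000 * MB, 12),       # exempt: not counted
        ("joe", "browsing", 300 * MB, 9),        # brings joe to 1000 MB
        ("ann", "browsing", 100 * MB, 9),
    ]
```

The exemption set is the part to review carefully when such a policy is deployed: the classification that decides whether a flow is "the SP's VoIP service" or ordinary P2P is the same DPI decision the earlier slides describe, so a misclassified service is both a revenue leak and a way for traffic to escape the quota.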
Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the online charging server
Diagram: subscriber, access aggregation and service control (SCE, GGSN), converged packet core, Internet and video / VoIP applications and services; steps 1 to 3 show the subscriber service control exchange
The Gy interface is still under development and will be available in a future release

Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
Diagram: SCE, Gy over Diameter, Online Charging Server; SCE towards the Internet
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at the reduced speed till the end of the month
15% of the customers upgrade their quota every month

Self-care portal (screenshot): view previous months; current product and speed; extend the monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around

Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband

Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
40% reduction in service support calls relating to this service: increased customer service satisfaction
T-Mobile: Quota-Based With Application Control
Plans: Default, WnW, WnW Pro, WnW Plus, WnW Max, Post Pay, Day Pass
Allowances as listed on the slide: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB

Application        Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
VoIP               ✓        ✗    ✗        ✗         ✗        ✓         ✗
IM                 ✓        ✗    ✗        ✗         ✓        ✓         ✗
P2P                ✓        ✗    ✓        ✗         ✓        ✓         ✗
FTP                ✓        ✗    ✓        ✗         ✓        ✓         ✗
Media Stream       ✓        ✗    ✓        ✗         ✓        ✓         ✗
Web Browsing       ✓        ✓    ✓        ✓         ✓        ✓         ✓
Downloads          ✓        ✗    ✓        ✓         ✓        ✓         ✓
Emails             ✓        ✓    ✓        ✓         ✓        ✓         ✓
Handset as modem   ✓        ✗    ✓        ✗         ✓        ✓         ✗
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet
Chart (value shown: > 40)

Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (application awareness over a control bus)
Services shown: IPTV / VoD, broadband access, gaming, messaging, music, voice

Service Creation: the SCE's Rich Service Creation Environment
Personalized subscription service examples
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment
Application-based control on a per-subscriber basis
Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self-selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Turbo button: subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Parental controls and content filtering: adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access

Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists / black-lists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDRs
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi

Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to the profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
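
The slide says the subscriber details in click-stream RDRs are anonymized before they reach a third party. The following added Python example (not Cisco code; the record layout, the sample events and the key handling are assumptions) shows why the choice of pseudonym function matters: an unkeyed hash of a subscriber identifier drawn from a small space such as a number range is reversible by enumeration, whereas an HMAC under a key the SP keeps to itself is stable per subscriber, so profiles can still be built, but cannot be inverted or joined by the receiving party.

```python
"""Anonymizing subscriber details in click-stream RDRs.

Added example, not Cisco code. The RDR field layout, the sample events
and the key-rotation policy are assumptions; the point is the pseudonym
function.
"""
import hashlib
import hmac
import secrets
from itertools import product

# Constructed click-stream events as reported before anonymization:
# (subscriber id, host, path)
EVENTS = [
    ("447700900123", "cars.example", "/suv/reviews"),
    ("447700900123", "broker.example", "/quotes"),
    ("447700900456", "kitchen.example", "/pans"),
]


def naive_pseudonym(subscriber_id: str) -> str:
    """Unkeyed hash: looks anonymous, but the input space (a number range)
    is small enough to enumerate, so the mapping is reversible."""
    return hashlib.sha256(subscriber_id.encode()).hexdigest()


def keyed_pseudonym(subscriber_id: str, key: bytes) -> str:
    """HMAC under a secret held only by the SP. Stable per subscriber, so a
    profile can be built, but not invertible without the key. Rotating the
    key unlinks records written before and after the rotation."""
    return hmac.new(key, subscriber_id.encode(), hashlib.sha256).hexdigest()


def anonymize(events, key):
    """Rewrite the subscriber field of each record with its pseudonym."""
    return [(keyed_pseudonym(sub, key), host, path) for sub, host, path in events]


def reverse_naive(target_digest, prefix="4477009001", width=2):
    """Dictionary attack on the unkeyed hash: enumerate the last `width`
    digits under a known prefix. Returns the identifier or None."""
    for digits in product("0123456789", repeat=width):
        candidate = prefix + "".join(digits)
        if naive_pseudonym(candidate) == target_digest:
            return candidate
    return None


def profile(records):
    """Group hosts by pseudonym: what the profiling server gets to see."""
    out = {}
    for pid, host, _ in records:
        out.setdefault(pid, set()).add(host)
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated once, kept by the SP
    print(profile(anonymize(EVENTS, key)))
    print(reverse_naive(naive_pseudonym("447700900123")))
```

The enumeration in `reverse_naive` is the check to run against any "hashed" identifier before calling it anonymous: if the input space can be listed, an unkeyed hash is only an encoding.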

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Diagram: SCE between subscribers and the Internet classifies OTT, other OTT/P2P and VoIP traffic; SCE redirects OTT traffic to the OTT video cache; cache delivers the requested files]
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: threat identified using stateful traffic processing; SP operations alerted
Protect: block/mitigate the threat based on configured policy
Notify: quarantine the subscriber and notify them of the security risk
[Diagram: Service Control between subscribers, email servers and the Internet; example notification page:]
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic shown, X marks where the inbound traffic is blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Diagram: Analysis Engine with PDR (Police / Drop / Rewrite) actions applied in both directions]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
[Diagram: subscribers - optical splitter - SCE - optical splitter - network]

High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each active link, cascaded]

Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: SCE on the active link only
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail open (traffic keeps flowing, uninspected and without policy enforcement)
1+1
Active/standby: SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open (traffic keeps flowing, unenforced, until the standby SCE resumes service)
[Diagram: active link and standby link in each scheme]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
[Diagram: SCE8000 with optical bypass modules on its link pairs (ports 0/0, 1/0, 2/0, 3/0); default bypass state (no power) versus non-default bypass state]

MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add an SCE as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability - provides N+1 device-level high availability, addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
[Diagram: 7600 dispatching flows to N+1 SCEs and receiving the returned flows, toward the Internet]

Network Architectures: SCE's Open and Extensible Architecture
[Diagram: access networks (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN) feeding SCEs in 1+1 HA, bypass HA and N+1 arrangements, with accounting/policy control, toward the Internet]

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Packet inspection: the engine looks past the outer encapsulation (MPLS, L2TP, PPP headers) to the inner IP header, TCP header and payload

Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
[Diagram: Subscribers - Service Control Engine - Network, surrounded by the Subscriber Manager (AAA, DHCP, RADIUS), Reporting Tool / Engage Console, Service Portal, Collection Manager (Billing) and Policy Server / Portal]

Management and Integrations
Function                       Description                                              Protocols and tools           External software modules
Network management             FCAPS                                                    SNMP, CLI, SSH                N/A
Policy/service configuration   Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML    Service Control Application Suite GUI
Subscriber management          Dynamic management of subscriber contexts                SM API, RADIUS                Subscriber Manager
Data collection                Collection of usage data for reporting and billing       NetFlow v9, RDR protocol      Collection Manager

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH (Telnet and SNMPv2 carry credentials in cleartext; management access belongs on SSH over a dedicated management network)
Cisco look and feel
CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
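
What a multi-packet, bi-directional signature looks like when evaluated over a flow, as an added Python example. This is not the SCE signature language or its engine: the rule format, the two sample signatures and the constructed packets are assumptions; the signature concepts (ordered steps, direction, binary and string patterns, HTTP User-Agent and X-header matches) are the ones listed on the slide.

```python
"""Multi-packet, bi-directional signature matching over one flow.

Added example of the signature concepts on the slide. It is not the SCE
signature language: the rule format, the signatures and the sample
packets below are assumptions.
"""
import re

# A signature is an ordered list of steps. Each step names a direction
# and a pattern kind: "bytes" = binary pattern anywhere in the payload,
# "regex" = text regex over the payload, "http_header" = (name, regex)
# applied to a header of an HTTP request.
SIGNATURES = {
    "legacy-p2p-client": [
        ("up",   "http_header", ("User-Agent", r"^P2PClient/1\.")),
        ("down", "bytes", b"\x13BitTorrent protocol"),
    ],
    "tethered-handset": [
        ("up", "http_header", ("X-Wap-Profile", r".")),
        ("up", "http_header", ("User-Agent", r"Windows NT")),
    ],
}

# Constructed flows: list of (direction, payload)
P2P_FLOW = [
    ("up", b"GET /announce HTTP/1.1\r\nHost: t.example\r\nUser-Agent: P2PClient/1.2\r\n\r\n"),
    ("down", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("down", b"\x13BitTorrent protocol\x00\x00\x00\x00"),
]
BROWSE_FLOW = [
    ("up", b"GET / HTTP/1.1\r\nHost: w.example\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
]
TETHER_FLOW = [
    ("up", b"GET / HTTP/1.1\r\nHost: w.example\r\nX-Wap-Profile: http://uaprof.example/x.xml\r\n"
           b"User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"),
]


def http_headers(payload: bytes) -> dict:
    """Header block of an HTTP request as {lowercase name: value}; {} if
    the payload does not start with a request line."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return {}
    hdrs = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def step_matches(step, direction, payload) -> bool:
    want_dir, kind, pat = step
    if want_dir != direction:
        return False
    if kind == "bytes":
        return pat in payload
    if kind == "regex":
        return re.search(pat, payload.decode("latin-1", "replace")) is not None
    if kind == "http_header":
        name, rx = pat
        value = http_headers(payload).get(name.lower())
        return value is not None and re.search(rx, value) is not None
    raise ValueError(kind)


def classify_flow(packets, signatures=SIGNATURES):
    """Return the first signature whose steps all match, in order, across
    the packets of the flow; None otherwise. A step may match on the same
    packet as the previous one or on a later packet, never an earlier one,
    so the engine has to keep per-flow state: no single packet decides."""
    for name, steps in signatures.items():
        i = 0
        for direction, payload in packets:
            while i < len(steps) and step_matches(steps[i], direction, payload):
                i += 1
        if i == len(steps):
            return name
    return None
```

Ordering is part of the signature: the same packets delivered in the reverse order do not match, which is what distinguishes a stateful multi-packet signature from a bag of single-packet patterns.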

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time reports

Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager - Roles
Abstracts the SCE device network layout - single point of integration
Persists subscriber policies across logins
Push and pull modes
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration - Push
[Diagram: subscribers - B-RAS - network; the B-RAS sends RADIUS to the Cisco Subscriber Manager, which contains a RADIUS listener, an event manager, an internal SDB and the SCE device controller]
1. (RADIUS) Accounting-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE device

Subscriber Manager: RADIUS Integration - Pull
[Diagram: as in the push case]
1. (RADIUS) Accounting-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
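
The push and pull exchanges on the two slides above, carried through in an added Python example (not the Cisco SM, its LEGs or their code). The Accounting-Request is constructed inline following RFC 2866; the shared secret, the use of Cisco's enterprise number 9 as the vendor ID, the vendor-type number given to the SCE-VAS-PID attribute and the SM's internal table are assumptions. The check a practitioner wants is the one in `parse_acct`: an accounting packet whose Request Authenticator does not verify under the shared secret is rejected, because otherwise anyone who can reach the listener can map any IP to any subscriber and package.

```python
"""RADIUS Accounting-Request -> Subscriber Manager mapping (push and pull).

Added example of the exchange on the slides; not Cisco SM or LEG code.
The packet is constructed inline (RFC 2866 layout), the shared secret and
the vendor-type number used for "SCE-VAS-PID" are assumptions.
"""
import hashlib
import ipaddress
import struct

SHARED_SECRET = b"example-secret"    # assumed NAS <-> SM secret
ACCT_REQUEST = 4
ATTR = {"User-Name": 1, "Framed-IP-Address": 8, "Vendor-Specific": 26,
        "Acct-Status-Type": 40}
ACCT_START, ACCT_STOP = 1, 2
VENDOR_ID, VSA_PACKAGE = 9, 1        # vendor-type 1 for SCE-VAS-PID is assumed


def build_acct(user, ip, package, status=ACCT_START, ident=7):
    """Constructed Accounting-Request as a B-RAS (or relay) would send it."""
    attrs = b"".join([
        bytes([ATTR["User-Name"], 2 + len(user)]) + user.encode(),
        bytes([ATTR["Framed-IP-Address"], 6]) + ipaddress.IPv4Address(ip).packed,
        bytes([ATTR["Acct-Status-Type"], 6]) + struct.pack("!I", status),
        bytes([ATTR["Vendor-Specific"], 12]) + struct.pack("!I", VENDOR_ID)
        + bytes([VSA_PACKAGE, 6]) + struct.pack("!I", package),
    ])
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(head + bytes(16) + attrs + SHARED_SECRET).digest()
    return head + auth + attrs


def parse_acct(packet, secret=SHARED_SECRET):
    """Verify the Request Authenticator, then extract the mapping fields.
    A bad authenticator is rejected outright, not merely logged."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs = packet[4:20], packet[20:length]
    expect = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if code != ACCT_REQUEST or expect != auth:
        raise ValueError("bad code or Request-Authenticator")
    out = {}
    while attrs:
        t, l = attrs[0], attrs[1]
        if l < 2 or l > len(attrs):
            raise ValueError("malformed attribute")
        v = attrs[2:l]
        if t == ATTR["User-Name"]:
            out["user"] = v.decode()
        elif t == ATTR["Framed-IP-Address"]:
            out["ip"] = str(ipaddress.IPv4Address(v))
        elif t == ATTR["Acct-Status-Type"]:
            out["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR["Vendor-Specific"] and len(v) >= 10 \
                and struct.unpack("!I", v[:4])[0] == VENDOR_ID and v[4] == VSA_PACKAGE:
            out["package"] = struct.unpack("!I", v[6:6 + v[5] - 2])[0]
        attrs = attrs[l:]
    return out


class SubscriberManager:
    """Internal SDB: ip -> (subscriber id, package id), plus the push log."""

    def __init__(self):
        self.sdb, self.pushed = {}, []

    def on_accounting(self, packet):
        f = parse_acct(packet)
        if f.get("status") == ACCT_START:             # login -> push to SCE
            self.sdb[f["ip"]] = (f["user"], f.get("package"))
            self.pushed.append(("set_subscriber", f["user"], f["ip"], f.get("package")))
        elif f.get("status") == ACCT_STOP:            # logout -> drop mapping
            self.sdb.pop(f["ip"], None)

    def who_is(self, ip):
        """Pull mode: the SCE asks for the mapping of an IP it saw traffic from."""
        return self.sdb.get(ip)
```

In push mode the SM emits `set_subscriber` as soon as the Accounting-Start verifies; in pull mode the same table is consulted when the SCE asks "who is using 1.2.3.4". Accounting-Stop removes the mapping so a re-assigned address is not attributed to the previous subscriber.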

RADIUS Integration: LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates its source events into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management on the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C and Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing / quota provisioning
NetFlow v9 - allows integration for billing / quota provisioning

Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE - API - Subscriber Manager - API - Policy Server]

PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
[Diagram: access aggregation and service control (GGSN, SCE as PCEF), converged packet core, Internet; subscriber service control, video/VoIP applications and services; steps 1-5]

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Diagram: SCE streams RDRs over TCP to a mediation/collection platform; each RDR = Header, Field 0, Field 1, ..., Field n]

Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE exporting to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow collector (NetFlow Reporter)]

Collection Manager: Software Overview
CM software
Unix (Solaris, Linux), Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (upstream / downstream)
[Diagram: subscriber side - SCE - network side; upstream and downstream flows for browsing, P2P and VoIP]

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because DSCP wins over signature classification, the trust boundary matters: the upstream element must re-mark DSCP values set by subscribers themselves, otherwise a subscriber can choose its own service level

Summary

Cisco SCE Sample Customers
[Map: customers by access type - Mobile, DSL, Cable]

Sample customers and partners by solution area
Security & Content Filtering - partners: Aladdin, Websense, Adaptive Mobile
Policy & Billing - partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing - partners: Websense, in-platform cache
Advertising - partners: Phorm, Feeva, Adzilla, local partners in China and Italy; customers: a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Customers across the security, policy/billing and URL black-listing areas: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W

Flash Caching / Video - partners: Oversi, CDS; customers: various European and Asian operators
Content Infringement - partners: Audible Magic, Advestigo, Altnet; customers: European legislators, content providers (initial POCs)
Management / Reporting - partners: Proxy, Business Objectives, Comability, Aqsacom, InfoVista; customers: Telecom Italia, CYTA
Data Warehousing - partners: Business Objects, Oracle; customers: Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 47
Allowance or Quota Based ServicesBuy Time or Bandwidth as Needed
This Feature Allows Subscribers to Choose Volume Quota-Based or Time-Based Bandwidth for a Set Period of Time for Example on a Monthly Basis
Allowance Based Subscription
This Option Is Ideal for Subscribers Who Use the Internet Intermittently and Only Want to Buy Time or Bandwidth as Needed When Users Launch Their Browsers They Are Redirected to a Web Portal Where They Select the Two-hour ―Pay As You Go Option After Two Hours the Session Could Either Be Terminated or the User Could Purchase More Usage
Pay-as-You-Go Subscription Service
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 48
Quota Measurement Enforcement Solution
SCE Capabilities
Stateful classification of end-application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on existing network infrastructure
End-to-end solution including analysis engine collection server and easy to use reporting tools
Service Control
EngineSubscribers
bullNetwork
Quota Manager BillingMediation Policy Server
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 49
Quota Measurement Flexibility
Content that has other than Access Revenues can be exempted from Quota counting
SPlsquos Content Delivery Store
P2P Technology can also be supported in the Upload direction via DPI
SPlsquos Gaming Services
SPlsquos VoIP Service
Partnership Content Delivery Services
Quota measurement rate can change during time of dayPeak Hour 1 byte of transfer = 1 byte of quota
Middle of Night 10 byte of transfer = 1 byte of quota
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 50
Application-Based Charging
Granular Charging for advanced services based on volume length of usage and application events
Standard Gy interface to Online Charging Server
Subscriber Service Control
SCE
Access Aggregation
and Service Control
Converged
Packet
Core
bullInternet
VideoVoIP
Applications and Services
1
2
GGSN
3
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 51
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
SCE
Online Charging Server
Internet
Gy Over Diameter
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 52
Quota Based Tiering Telenet Cable Company in Belgium
bullhttpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota compliments Speed as a Tiering parameter
When a User reaches Quota his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15 of the Customers upgrade their Quota every month
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 53
View previous months
Current product and speed
Extend monthly
subscription volume
Upgrade to other product
Button to go from
pay as you go broadband
to free smallband or
the other way around
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 54
Re-direct page in case 100 of quota is reached Three options presented to subscriber Extend subscription - buy
more Pay as you go on
broadband Continue for free on
narrowband
Redirect Page
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 55
Quota Based Services - Results
15 of subscribers reaching their quota limit electing every month to move to a charge by the MBlsquo plan
Revenue increase
40 REDUCTION in service support calls relating to this service
Increased customer service satisfaction
bull15
bull40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 56
T-Mobile ndash Quota-Based With Application Control
Default WnW WnW Pro WnW WNW Plus WnW Max Post Pay Day Pass
Allowance Unlimited 2GB 2GB 1GB 3GB 10GB
VoIP radic times times times times radic times
IM radic times times times radic radic times
P2P radic times radic times radic radic times
FTP radic times radic times radic radic times
Media Stream radic times radic times radic radic times
Web Browsing radic radic radic radic radic radic radic
Downloads radic times radic radic radic radic radic
Emails radic radic radic radic radic radic radic
Handset as modem
radic times radic times radic radic times
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 57
European MobileBB Web 3G and Skype for Mobile
Take your online world with you TV PC and the web on your mobile
Business issueSkype taking mobile minutes away
Use case descriptionSCE amp PGW 2200 allows to route Skype users to mobile phones over PLMN
Business benefits Skype becomes chargeable minutes againNon IP capable phones can use Skype
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 58
European Mobile Volume Quota
bullhttpwwwvodafoneesparticularesinternet
gt 40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to the profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles
   Alice: automotive, stock trading, PDAs
   Bob: cookware, online gaming, baby outfit...
P2P Identification: Infringing / Non-Infringing
Diagram: subscriber, SCE, network, hash DB
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE classifies OTT video, other OTT / P2P, and VoIP; SCE redirects OTT traffic to the OTT video cache; the cache delivers the requested files
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: the threat, using stateful traffic processing, and alert SP operations
Protect: block / mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify of the security risk
Diagram: Service Control between the subscribers and the Internet / e-mail servers
Example notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
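An illustration of the three tiers above, added here as example code and not Cisco's or the SCE's implementation: a fan-out anomaly detector for the spam-zombie case (many distinct SMTP peers per subscriber in a short window), the policy mapping that selects the mitigation, and the quarantine notification. The flow records, thresholds and action names are constructed for the example.

```python
from collections import defaultdict

# Constructed flow summaries: (subscriber, destination IP, destination port, timestamp).
# sub-A fans out SMTP connections to 30 different hosts inside half a minute;
# sub-B talks to one mail server, which is normal client behaviour.
FLOWS = [("sub-A", f"198.51.100.{i}", 25, 1000 + i) for i in range(30)] + [
    ("sub-B", "203.0.113.10", 25, 1005),
    ("sub-B", "203.0.113.10", 25, 1010),
    ("sub-B", "203.0.113.40", 443, 1012),
]

THRESHOLDS = {"distinct_smtp_peers": 20, "window_s": 60}
# Configured policy: mitigation actions per identified threat (names are constructed)
POLICY = {"spam": ["block_outbound_port_25", "quarantine", "notify"]}


def identify(flows, thresholds=THRESHOLDS):
    """Tier 1, identify: flag a subscriber whose outbound SMTP connections reach more
    than N distinct peers inside the window (the spam-zombie fan-out pattern)."""
    peers, window_start, alerts = defaultdict(set), {}, {}
    for sub, dst, port, ts in sorted(flows, key=lambda f: f[3]):
        if port != 25:
            continue
        window_start.setdefault(sub, ts)
        if ts - window_start[sub] > thresholds["window_s"]:
            window_start[sub], peers[sub] = ts, set()     # start a new window
        peers[sub].add(dst)
        if len(peers[sub]) > thresholds["distinct_smtp_peers"]:
            alerts[sub] = {"threat": "spam", "distinct_peers": len(peers[sub])}
    return alerts


def protect(alerts, policy=POLICY):
    """Tier 2, protect: map each identified threat to the configured mitigation."""
    return {sub: list(policy[a["threat"]]) for sub, a in alerts.items()}


def notify(actions):
    """Tier 3, notify: quarantined subscribers receive the advisory text."""
    text = ("Your PC may have become infected with an email zombie generating spam mail; "
            "please contact technical support.")
    return {sub: text for sub, acts in actions.items() if "notify" in acts}


def run(flows=FLOWS):
    alerts = identify(flows)
    actions = protect(alerts)
    return alerts, actions, notify(actions)


if __name__ == "__main__":
    for stage in run():
        print(stage)
```

The threshold is a distinct-peer count rather than a connection count so that a subscriber retrying one legitimate mail server is not flagged; in practice the threshold would be tuned against the SP's own baseline per package.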
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 (subscriber side), SCE, carrier Ethernet / MPLS / IP, VAS server, Internet; inbound and outbound traffic, with X marking the blocked traffic
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: subscriber interface -> analysis engine (PDR: police / drop / rewrite actions) -> network interface
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: subscribers - (optical splitter) - SCE - (optical splitter) - network
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass config: fail-open
1+1
Active/standby: SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass config: fail-open
Diagram: active link and standby link
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Diagram: SCE8000 with optical bypass modules on its links; default bypass state (no power) versus non-default bypass state
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, maintaining flow and subscriber states
Diagram: N+1 SCEs attached to the 7600; flows out, return flows back, toward the Internet
Network Architectures: SCE's Open and Extensible Architecture
Diagram: deployment options (N+1 cluster, 1+1 HA, bypass HA) behind a GGSN (mobile) and BRAS / LAC / LNS (DSL / fiber), toward the Internet, with accounting and policy control systems
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1Q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Packet inspection: the engine looks past the outer encapsulation (l2tp, mpls, ppp) to the inner IP / TCP headers and the payload
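As an added example that is not Cisco's or the SCE's code, a decapsulation walker that peels the layers listed above to reach the inner IP / TCP headers, which is what a DPI engine has to do before it can classify a tunneled flow. It goes slightly beyond the slide's list: it handles 802.1Q tags, an MPLS label stack, IP-in-IP and GRE (the slide lists GRE as planned), and rejects anything else; L2TP / PPP and GTP are not handled. The sample frame is constructed inline.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_MPLS, ETHERTYPE_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47


def parse_inner_flow(frame: bytes) -> dict:
    """Walk an Ethernet frame through 802.1Q tags, an MPLS label stack, IP-in-IP and
    GRE down to the innermost IPv4 + TCP/UDP headers; return that 5-tuple and the
    list of layers seen on the way in."""
    layers = ["eth"]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    # 802.1Q: 2-byte TCI followed by the EtherType of the encapsulated frame
    while ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        layers.append(f"vlan:{tci & 0x0FFF}")
        off += 4
    if ethertype == ETHERTYPE_MPLS:
        # 4-byte label entries; bit 8 (S) marks the bottom of the stack
        while True:
            (entry,) = struct.unpack_from("!I", frame, off)
            off += 4
            layers.append(f"mpls:{entry >> 12}")
            if entry & 0x100:
                break
        # MPLS carries no next-protocol field: infer IPv4 from the version nibble
        if frame[off] >> 4 != 4:
            raise ValueError("non-IPv4 payload under MPLS label stack")
    elif ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    # IP layer(s): peel IP-in-IP and GRE tunnels until a transport header is reached
    while True:
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = ".".join(map(str, frame[off + 12:off + 16]))
        dst = ".".join(map(str, frame[off + 16:off + 20]))
        layers.append("ipv4")
        off += ihl
        if proto == IPPROTO_IPIP:
            continue
        if proto == IPPROTO_GRE:
            flags, gre_type = struct.unpack_from("!HH", frame, off)
            if gre_type != ETHERTYPE_IPV4:
                raise ValueError("GRE payload is not IPv4")
            off += 4
            if flags & 0x8000:
                off += 4          # checksum + reserved
            if flags & 0x2000:
                off += 4          # key
            if flags & 0x1000:
                off += 4          # sequence number
            layers.append("gre")
            continue
        break
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        raise ValueError(f"unsupported transport protocol {proto}")
    sport, dport = struct.unpack_from("!HH", frame, off)
    return {"layers": layers, "src": src, "dst": dst,
            "proto": proto, "sport": sport, "dport": dport}


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header, no options; checksum left zero (constructed test input)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet / 802.1Q (VLAN 100) / MPLS 16,17 / IPv4 / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40512, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = ipv4_header("10.0.0.5", "192.0.2.80", IPPROTO_TCP, len(tcp)) + tcp
    mpls = struct.pack("!II", 16 << 12, (17 << 12) | 0x100)   # S bit set on label 17
    vlan = struct.pack("!HH", 100, ETHERTYPE_MPLS)
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_VLAN))
    return eth + vlan + mpls + ip


if __name__ == "__main__":
    print(parse_inner_flow(build_sample_frame()))
```

The MPLS case shows the practical difficulty with tunneled traffic: the label stack says nothing about what it carries, so the engine has to sniff the version nibble and fail closed on anything it does not recognise rather than classify garbage.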
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Components: Service Control Engine (between the subscribers and the network); Subscriber Manager; AAA (DHCP, RADIUS, billing); Collection Manager; reporting tool / Engage console; policy server / service portal
Management and Integrations
Area | Description | Protocols and tools | External software modules
Network management | FCAPS | SNMP, CLI, SSH | N/A
Policy / service configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Management: Network Navigator, Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices / sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration: Push
Components: B-RAS, network, subscribers; Cisco Subscriber Manager with event manager, internal SDB and SCE device controller; RADIUS server
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12): pushed to the SCE
Subscriber Manager RADIUS Integration: Pull
Components: as in the push case
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates these into SM events:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
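The push and pull flows of the two RADIUS slides, and the login / logout translation above, as an added example that is not the Subscriber Manager's own code: a RADIUS Accounting-Request parser (RFC 2866 packet layout, RFC 2865 attribute encoding) that extracts User-Name, Framed-IP-Address and a vendor-specific package attribute, a mapping table keyed by IP, and the difference between push (a set-subscriber call emitted at login) and pull (the SCE asks "who is using IP"). The sub-attribute number used for SCE-VAS-PID and the zeroed authenticator are assumptions made for the example; a real listener would verify the Request Authenticator against the shared secret before trusting a record, since an unauthenticated Accounting-Start would otherwise let anyone rebind an IP to another subscriber's policy.

```python
import socket
import struct

ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC = 1, 8, 26
ATTR_NAS_ID, ATTR_ACCT_STATUS = 32, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9          # Cisco's IANA enterprise number
VSA_SCE_VAS_PID = 1       # ASSUMED sub-attribute number for SCE-VAS-PID (example only)


def avp(t, value):
    return struct.pack("!BB", t, 2 + len(value)) + value


def build_acct_packet(status, username, framed_ip, package_id=None, ident=1):
    """Constructs an Accounting-Request for the example; the 16-byte authenticator is
    zeroed because nothing here verifies it."""
    attrs = (avp(ATTR_ACCT_STATUS, struct.pack("!I", status))
             + avp(ATTR_USER_NAME, username.encode())
             + avp(ATTR_FRAMED_IP, socket.inet_aton(framed_ip))
             + avp(ATTR_NAS_ID, b"bras-1"))
    if package_id is not None:
        sub = avp(VSA_SCE_VAS_PID, struct.pack("!I", package_id))
        attrs += avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + sub)
    return struct.pack("!BBH16s", ACCT_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs


def parse_avps(data):
    """Yield (type, value) pairs, checking every length field against the buffer."""
    off = 0
    while off < len(data):
        t, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute length")
        yield t, data[off + 2:off + length]
        off += length


def parse_acct_packet(pkt):
    code, ident, length, _auth = struct.unpack_from("!BBH16s", pkt, 0)
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    rec = {}
    for t, v in parse_avps(pkt[20:]):
        if t == ATTR_USER_NAME:
            rec["user"] = v.decode()
        elif t == ATTR_FRAMED_IP:
            rec["ip"] = socket.inet_ntoa(v)
        elif t == ATTR_ACCT_STATUS:
            rec["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and struct.unpack_from("!I", v)[0] == VENDOR_CISCO:
            for st, sv in parse_avps(v[4:]):          # vendor sub-attributes
                if st == VSA_SCE_VAS_PID:
                    rec["package"] = struct.unpack("!I", sv)[0]
    return rec


class SubscriberManager:
    """Push: every login is forwarded to the SCE at once. Pull: the SCE asks by IP."""

    def __init__(self, mode="push"):
        self.mode, self.sdb, self.pushed = mode, {}, []   # sdb: ip -> (user, package)

    def on_radius(self, pkt):
        rec = parse_acct_packet(pkt)
        if rec["status"] == ACCT_START:                   # LEG "login" event
            self.sdb[rec["ip"]] = (rec["user"], rec.get("package"))
            if self.mode == "push":
                self.pushed.append(("set_subscriber", rec["user"], rec["ip"], rec.get("package")))
        elif rec["status"] == ACCT_STOP:                  # LEG "logout" event
            self.sdb.pop(rec["ip"], None)

    def who_is_using(self, ip):
        """SCE -> SM query in pull mode; None means the IP is not mapped."""
        return self.sdb.get(ip)
```

The logout path matters as much as the login: if the Accounting-Stop is not processed, the next subscriber to receive 1.2.3.4 from the B-RAS inherits Joe's package until the stale mapping is cleared.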
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning issues
NetFlow v9: allows integration for billing / quota provisioning cases
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: policy server - (API) - Subscriber Manager - (API) - SCE
PCEF: Subscriber Policy Enforcement
Diagram: subscriber, access aggregation and service control (GGSN, SCE acting as PCEF), converged packet core, Internet, applications and services (video, VoIP); steps 1 to 5 between the SCE and the PCRF policy server
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd party systems
Policy control, mediation, home-grown customer systems
Diagram: the SCE streams RDRs over TCP to a mediation / collection platform; each RDR is a header followed by field 0, field 1, ..., field n
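As an added example, and not the RDR protocol's real wire format (the slide only shows "header, field 0 .. field n"), a length-prefixed binary record layout with a decoder that reassembles records from a TCP byte stream delivered in arbitrary segment sizes and rejects a length field that would exceed a sane maximum. The framing, the field types and the tag values are assumptions made for the example.

```python
import struct

# ASSUMED framing for this example:
#   header: !I total record length (header included), !I RDR tag, !H field count
#   field:  !B type (1 = uint32, 2 = UTF-8 string), !H value length, value bytes
HDR = struct.Struct("!IIH")
FLD = struct.Struct("!BH")
T_UINT32, T_STRING = 1, 2
MAX_RECORD = 64 * 1024


def encode_rdr(tag, fields):
    """Serialise one RDR (used here only to build the constructed test stream)."""
    body = b""
    for f in fields:
        if isinstance(f, int):
            t, v = T_UINT32, struct.pack("!I", f)
        else:
            t, v = T_STRING, f.encode("utf-8")
        body += FLD.pack(t, len(v)) + v
    return HDR.pack(HDR.size + len(body), tag, len(fields)) + body


class RdrStreamDecoder:
    """Reassembles RDRs from a TCP byte stream. TCP delivers bytes, not records, so a
    segment boundary may fall anywhere; bytes are buffered until the length prefix
    says a whole record is present."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        records = []
        while len(self.buf) >= HDR.size:
            total, tag, count = HDR.unpack_from(self.buf)
            if total < HDR.size or total > MAX_RECORD:
                raise ValueError("implausible record length; stream out of sync")
            if len(self.buf) < total:
                break                                 # rest of this record not here yet
            body, self.buf = self.buf[HDR.size:total], self.buf[total:]
            records.append((tag, self._decode_fields(body, count)))
        return records

    @staticmethod
    def _decode_fields(body, count):
        values, off = [], 0
        for _ in range(count):
            t, length = FLD.unpack_from(body, off)
            off += FLD.size
            v = body[off:off + length]
            if len(v) != length:
                raise ValueError("field runs past end of record")
            off += length
            values.append(struct.unpack("!I", v)[0] if t == T_UINT32 else v.decode("utf-8"))
        return values


def demo():
    # Two constructed records; tags 1 and 2 are placeholders, not real RDR tags
    stream = encode_rdr(1, ["sub-17", 1024, 2048]) + encode_rdr(2, ["pkg-1", 7])
    dec, records = RdrStreamDecoder(), []
    for i in range(0, len(stream), 7):               # deliver in 7-byte TCP segments
        records.extend(dec.feed(stream[i:i + 7]))
    return records
```

A collector that trusts the length prefix blindly can be made to allocate or wait forever by one corrupted header, which is why the decoder bounds the length and treats an out-of-range value as a resynchronisation event rather than data.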
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter)
Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (upstream / downstream)
Diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP
ToS Classification
SCE provides traffic classification based on the ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
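An illustration of the two ToS slides above, added as example code that is not Cisco's or the SCE's: a marking table keyed by package, service and direction, with the DSCP written into the ToS byte while the ECN bits are preserved, and a classifier in which a DSCP already present on the packet (the "flavor") takes precedence over the signature result. The seven DSCP values, the packages, the flavor table and the flows are assumptions made for the example.

```python
# DSCP code points (RFC 2474, RFC 2597, RFC 3246). The slide says the GUI offers 7
# selective values but does not list them; this selection is an assumption.
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}

# Marking rules: (package, service, direction) -> DSCP name. "*" is any package.
MARKING = {
    ("gold", "voip", "upstream"): "EF", ("gold", "voip", "downstream"): "EF",
    ("gold", "browsing", "downstream"): "AF21",
    ("silver", "voip", "upstream"): "AF41", ("silver", "voip", "downstream"): "AF41",
    ("*", "p2p", "upstream"): "BE", ("*", "p2p", "downstream"): "BE",
}

# ToS-based classification: a flow that arrives already marked with one of these
# DSCPs is classified by the flavor, ahead of whatever the signatures say.
DSCP_FLAVORS = {46: "voip-premarked", 34: "video-premarked"}


def set_dscp(tos_byte, dscp):
    return (dscp << 2) | (tos_byte & 0x03)     # upper six bits only; keep the ECN bits


def get_dscp(tos_byte):
    return tos_byte >> 2


def classify(flow):
    """DSCP classification takes precedence over the signature-derived service."""
    d = get_dscp(flow["tos"])
    if d in DSCP_FLAVORS:
        return DSCP_FLAVORS[d]
    return flow["signature_service"]


def mark(flow):
    """Return the ToS byte the packet leaves with: rewritten if a rule matches the
    package, service and direction, otherwise unchanged."""
    service = classify(flow)
    key = (flow["package"], service, flow["direction"])
    name = MARKING.get(key) or MARKING.get(("*", service, flow["direction"]))
    if name is None:
        return flow["tos"]
    return set_dscp(flow["tos"], DSCP[name])


def process(flows):
    return [(classify(f), get_dscp(mark(f))) for f in flows]


# Constructed flows: the third one arrives pre-marked EF by an upstream element
FLOWS = [
    {"package": "gold", "signature_service": "voip", "direction": "upstream", "tos": 0x00},
    {"package": "silver", "signature_service": "p2p", "direction": "downstream", "tos": 0x02},
    {"package": "silver", "signature_service": "browsing", "direction": "downstream", "tos": 46 << 2},
    {"package": "gold", "signature_service": "browsing", "direction": "upstream", "tos": 0x00},
]

if __name__ == "__main__":
    print(process(FLOWS))
```

The third flow is the caveat in the ToS Classification slide made concrete: because the pre-set DSCP wins over the signature, a subscriber-side device that marks its own traffic EF is classified as premium VoIP unless the marks are stripped or trusted only from the network side.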
Summary
Cisco SCE Sample Customers
Customer logos grouped by access type: Mobile, DSL, Cable
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners (as listed on the slide): Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China, local Italy
Customers (as listed on the slide): NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Solution areas: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Partners (as listed on the slide): Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Customers (as listed on the slide): various European and Asian operators; European legislators, content providers, initial POCs; Telecom Italia, CYTA; Orange, T-Mobile, Telenet
Quota Measurement / Enforcement Solution
SCE capabilities
Stateful classification of the end application regardless of port number
Subscriber-based classification for detailed demographics data
No load added on the existing network infrastructure
End-to-end solution including the analysis engine, collection server and easy-to-use reporting tools
Diagram: Service Control Engine between the subscribers and the network, integrated with a quota manager, billing / mediation and a policy server
Quota Measurement Flexibility
Content that has revenues other than access revenues can be exempted from quota counting:
SP's content delivery store
P2P technology can also be supported in the upload direction via DPI
SP's gaming services
SP's VoIP service
Partnership content delivery services
The quota measurement rate can change during the time of day:
Peak hour: 1 byte of transfer = 1 byte of quota
Middle of the night: 10 bytes of transfer = 1 byte of quota
Application-Based Charging
Granular Charging for advanced services based on volume length of usage and application events
Standard Gy interface to Online Charging Server
Subscriber Service Control
SCE
Access Aggregation
and Service Control
Converged
Packet
Core
bullInternet
VideoVoIP
Applications and Services
1
2
GGSN
3
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 51
Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for mobile prepaid and quota use cases
Multiple quota types:
Volume
Time
Event driven
High availability and load balancing between Online Charging Servers
Diagram: SCE - (Gy over Diameter) - Online Charging Server; SCE toward the Internet
The Gy interface is still under development and will be available in a future release
Quota-Based Tiering: Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota complements speed as a tiering parameter
When a user reaches the quota, his Internet service is reduced to dial-up speed
The user then has the option to upgrade his quota level or continue at the reduced speed till the end of the month
15% of the customers upgrade their quota every month
Portal screenshot: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; a button to go from pay-as-you-go broadband to free smallband, or the other way around
Redirect Page
Redirect page in case 100% of the quota is reached. Three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband
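A worked example of the quota accounting described on the Quota Measurement Flexibility slide together with the quota-reached handling of the Telenet slides, added here as illustrative code and not Cisco's or Telenet's: exempt services are not counted, the transfer-to-quota rate changes with the hour, and when the monthly quota is reached the subscriber is dropped to dial-up speed and redirected until volume is added. The service names, the hour boundaries and the speeds are assumptions made for the example.

```python
from dataclasses import dataclass, field


def quota_rate(hour):
    """Bytes of transfer per byte of quota: 1 during peak hours, 10 in the middle of
    the night (the slide's ratios). The hour boundaries are an assumption."""
    return 10 if 1 <= hour < 6 else 1


# Services whose revenue is not access revenue and are therefore exempt from counting
# (constructed names standing in for the SP's own store, gaming, VoIP and partner CDN)
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


@dataclass
class SubscriberQuota:
    monthly_quota: int                    # bytes of quota for the month
    used: int = 0
    reduced: bool = False                 # True once the quota has been reached
    events: list = field(default_factory=list)

    def account(self, service, nbytes, hour):
        """Charge a transfer against the quota; returns the quota bytes charged."""
        if service in EXEMPT_SERVICES:
            return 0
        charged = -(-nbytes // quota_rate(hour))     # ceiling division
        self.used += charged
        if not self.reduced and self.used >= self.monthly_quota:
            self.reduced = True
            # redirect page: extend the subscription, pay as you go, or stay free on narrowband
            self.events.append("redirect:quota-reached")
        return charged

    def speed_kbps(self, broadband=20000, dialup=56):
        """Assumed speeds: full broadband until the quota is reached, then dial-up."""
        return dialup if self.reduced else broadband

    def extend(self, extra_bytes):
        """Subscriber buys more volume through the portal; full speed is restored."""
        self.monthly_quota += extra_bytes
        self.reduced = self.used >= self.monthly_quota


def demo():
    q = SubscriberQuota(monthly_quota=1_000_000)
    charges = [
        q.account("browsing", 600_000, 14),      # peak: 600,000 quota bytes
        q.account("sp-voip", 5_000_000, 15),     # exempt service: 0
        q.account("p2p", 3_000_000, 3),          # night: 3,000,000 / 10 = 300,000
        q.account("downloads", 150_000, 20),     # used reaches 1,050,000: quota hit
    ]
    speed_after = q.speed_kbps()
    q.extend(500_000)
    return charges, speed_after, q.speed_kbps(), q.events


if __name__ == "__main__":
    print(demo())
```

The exemption check runs before any counting, so the decision of what counts is a classification decision; a misclassified flow is either free for the subscriber or charged against a service the SP promised not to count.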
Quota-Based Services: Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile: Quota-Based with Application Control
Allowance per plan (six values given on the slide for the seven plans): Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
Application      | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media streaming  | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
httpwwwvodafoneesparticularesinternet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (IPTV / VoD, gaming, messaging, music, voice) via application awareness and the control bus
Diagram: broadband access with the SCE's application awareness on the control bus
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-on-demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment
Application-based control on a per-subscriber basis
Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Screenshot: turbo button
Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental controls and content filtering
Example Content Tiering: "Kids Broadband"
Application- and content-based access control with white-lists / blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Screenshot: "Content Blocked. Click here to unlock all Internet sites"
URL Filtering with External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
Lookup: URL not in cache -> query the external database -> return the URL classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end-users using existing network resources
The cache relieves the network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Figure: the SCE redirects OTT video traffic to the OTT video cache, which delivers the requested files; other traffic (OTT, P2P, VoIP) passes through
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking)
Effect on the SP's business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer-support costs
The SP needs the ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS - DoS attacks from subscribers
Spam - spam activity from botnets or malicious users
Worms - worm infections and propagation attempts
A three-tier solution uses a combination of anomaly detection and signature matching to:
Identify - detect the threat using stateful traffic processing and alert SP operations
Protect - block or mitigate the threat based on the configured policy
Notify - quarantine the subscriber and notify them of the security risk
Figure: subscriber, Service Control, Internet, e-mail servers; sample notification to the subscriber:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
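The identify/protect/notify tiers are easiest to see on data. The following is an added example, not code from the page or from Cisco, of the anomaly-detection half of that design: a count of distinct destinations per subscriber and time window, run over constructed flow records, with the result mapped to the three tiers. The flow-record fields, the thresholds and the action names are assumptions; an operator would derive thresholds from its own baseline, and the allow-list exists because a subscriber who legitimately runs a mail server looks exactly like a spam zombie to this rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since an arbitrary epoch
    subscriber: str    # subscriber address (the SCE would key on the subscriber ID)
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"
    syn_only: bool     # connection attempt that never completed


# Constructed flow records. 10.0.0.7 fans SMTP out to 30 servers in five minutes
# (spam zombie), 10.0.0.9 sends SYNs to 60 hosts on tcp/445 in two minutes
# (worm-style scan), 10.0.0.3 sends two ordinary mails fifteen minutes apart.
SAMPLE_FLOWS: List[Flow] = (
    [Flow(t, "10.0.0.7", f"203.0.113.{i}", 25, "tcp", False)
     for i, t in enumerate(range(0, 300, 10), start=1)]
    + [Flow(t, "10.0.0.9", f"10.0.{i // 256}.{i % 256}", 445, "tcp", True)
       for i, t in enumerate(range(0, 120, 2))]
    + [Flow(5, "10.0.0.3", "198.51.100.5", 25, "tcp", False),
       Flow(900, "10.0.0.3", "198.51.100.6", 25, "tcp", False)]
)

# Thresholds are assumptions; an operator derives them from its own baseline.
WINDOW = 300.0              # seconds
SPAM_DISTINCT_MX = 20       # distinct SMTP servers per window
SCAN_DISTINCT_HOSTS = 40    # failed connects to distinct hosts on one port per window


def detect(flows: List[Flow], allow: Set[str] = frozenset(), window: float = WINDOW) -> List[dict]:
    """Identify tier: anomaly counts per subscriber and time window. 'allow' holds
    subscribers that legitimately run mail servers, so they do not trip the spam rule."""
    smtp_targets: Dict[tuple, Set[str]] = defaultdict(set)
    scan_targets: Dict[tuple, Set[str]] = defaultdict(set)
    for f in flows:
        bucket = int(f.ts // window)
        if f.proto == "tcp" and f.dst_port == 25 and not f.syn_only and f.subscriber not in allow:
            smtp_targets[(f.subscriber, bucket)].add(f.dst_ip)
        if f.syn_only:
            scan_targets[(f.subscriber, bucket, f.dst_port)].add(f.dst_ip)
    alerts = []
    for (sub, bucket), dsts in smtp_targets.items():
        if len(dsts) >= SPAM_DISTINCT_MX:
            alerts.append({"subscriber": sub, "kind": "spam-zombie", "count": len(dsts), "window": bucket * window})
    for (sub, bucket, port), dsts in scan_targets.items():
        if len(dsts) >= SCAN_DISTINCT_HOSTS:
            alerts.append({"subscriber": sub, "kind": f"scan-tcp/{port}", "count": len(dsts), "window": bucket * window})
    return alerts


def respond(alerts: List[dict]) -> Dict[str, List[str]]:
    """Protect and notify tiers. The action strings are hypothetical policy names."""
    actions: Dict[str, List[str]] = defaultdict(list)
    for a in alerts:
        sub = a["subscriber"]
        actions[sub].append(f"identify: alert operations ({a['kind']}, {a['count']} hosts)")
        if a["kind"] == "spam-zombie":
            actions[sub].append("protect: block outbound tcp/25 except to the SP's mail relay")
        else:
            actions[sub].append(f"protect: drop new {a['kind']} connections")
        actions[sub].append("notify: move to quarantine package and redirect HTTP to the support page")
    return dict(actions)
```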
Service Security Protection - Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Up-sell opportunity for security add-on services
Savings on network bandwidth

Virus and Malware Protection - Remove Malware Destined to Users
Figure: User 1, SCE, VAS server, carrier Ethernet/MPLS/IP network, Internet; inbound and outbound traffic; X marks blocked traffic
1 Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2 The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package
3 The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4 The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file is not loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all the traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment

Insertion Concept - the SCE is a "Bump on a Wire"
Stateful analysis engine with application awareness; sees all packets in both directions
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Figure: analysis engine with police, drop and rewrite actions

Inline and Receive-Only Configurations - Non-Intrusive and Stealthy
Receive-only configuration: uses optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitors and controls traffic
Figure: subscribers, optical splitters, network

High Availability - Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have an identical configuration
Figure: master and slave SCEs, one on each active link

Redundant Configurations - Active/Standby Schemes
1+0: one SCE on the active link; on failure the network uses the alternate path; no service redundancy; the bypass configuration fails open
1+1: an SCE on each link; on failure the network uses the alternate path and the standby SCE resumes service; the bypass configuration fails open
Fail-open means that when the SCE fails, traffic keeps flowing without inspection or control; availability is preferred over enforcement
Figure: active link and standby links

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via the CLI
On boot
Figure: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state

MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability - "buy as you grow" approach (add an SCE as needed), scaling up to 240 Gbps with eight 30 Gbps SCE8000s
High availability - N+1 device-level high availability addressing all failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
Figure: N+1 SCEs behind the 7600; flows out and return flows; Internet
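The last bullet is the constraint that makes the cluster work: subscriber affinity. The following is an added example, not code from the page or from Cisco, of the dispatching logic as a model: a subscriber address hashes to a fixed slot, the standby takes over a failed unit's slot, and only that slot's subscribers move. How the 7600 actually distributes flows to ports is not described on the page; the hash, the slot scheme and the unit names are assumptions.

```python
import hashlib
from typing import List, Optional


class Mgscp:
    """N active SCEs plus one standby behind the dispatching router. A subscriber
    address hashes to a fixed slot, so every flow of that subscriber reaches the
    same SCE and its flow and subscriber state stay on one box."""

    def __init__(self, active: List[str], standby: str):
        self.slots: List[Optional[str]] = list(active)   # slot index -> SCE name
        self.standby: Optional[str] = standby
        self.failed: List[str] = []

    def slot_for(self, subscriber_ip: str) -> int:
        digest = hashlib.sha256(subscriber_ip.encode()).digest()
        return int.from_bytes(digest[:4], "big") % len(self.slots)

    def dispatch(self, subscriber_ip: str) -> str:
        sce = self.slots[self.slot_for(subscriber_ip)]
        if sce is None:
            raise RuntimeError("slot has no SCE: the single standby is already in use")
        return sce

    def fail(self, sce: str) -> Optional[str]:
        """Move the standby into the failed unit's slot. Subscribers hashed to the
        other slots keep their SCE; only the failed slot's subscribers move, and
        their state has to be rebuilt there (e.g. by pulling it from the Subscriber
        Manager). A second failure leaves that slot empty: N+1 covers one."""
        idx = self.slots.index(sce)
        self.failed.append(sce)
        self.slots[idx], self.standby = self.standby, None
        return self.slots[idx]
```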

Network Architectures - SCE's Open and Extensible Architecture
Figure: N+1 cluster, 1+1 HA and bypass HA insertion options; GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber) access; accounting and policy control; Internet

Packet Inspection
Tunneling Environment - the SCE Supports Tunneled IP Traffic
Supports various packet encapsulation and tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for the end of 2009
Figure: encapsulation stacks inspected down to the payload, e.g. L2TP or MPLS / IP / TCP / payload, and PPP / IP / TCP / payload
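"Engine must see all traffic it needs to control" (insertion-point slide) means seeing through these encapsulations; a classifier that stops at the outer header polices the tunnel, not the subscriber. The following is an added example, not code from the page or from Cisco, of walking a frame from Ethernet through 802.1Q tags and an MPLS label stack to IPv4, through an IP-in-IP tunnel header, to the TCP ports and payload. The test frame is constructed. L2TP/PPP, GRE and GTP are deliberately not handled here and raise instead of silently returning the outer header.

```python
import struct
from typing import Any, Dict

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Walk Ethernet -> 802.1Q tags -> MPLS label stack -> IPv4 (-> IP-in-IP) -> TCP/UDP
    and return the fields a policy engine keys on. Raises ValueError for
    encapsulations this example does not handle (L2TP/PPP, GRE, GTP, IPv6)."""
    info: Dict[str, Any] = {"vlans": [], "mpls": [], "ip_in_ip": 0}
    eth_type = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while eth_type == ETH_VLAN:                       # one tag, or Q-in-Q
        tci, eth_type = struct.unpack("!HH", frame[off:off + 4])
        info["vlans"].append(tci & 0x0FFF)
        off += 4
    if eth_type == ETH_MPLS:                          # pop labels until bottom-of-stack
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            info["mpls"].append(entry >> 12)
            off += 4
            if entry & 0x100:
                break
        if frame[off] >> 4 != 4:                      # MPLS carries no ethertype: peek at the IP version
            raise ValueError("MPLS payload is not IPv4")
        eth_type = ETH_IPV4
    if eth_type != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{eth_type:04x}")
    while True:
        ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
            "!BBHHHBBH4s4s", frame[off:off + 20])
        if ver_ihl >> 4 != 4:
            raise ValueError("not IPv4")
        off += (ver_ihl & 0x0F) * 4
        if proto != IPPROTO_IPIP:
            break
        info["ip_in_ip"] += 1                         # tunnel header: keep walking to the inner packet
    info["src"], info["dst"], info["proto"] = _ip(src), _ip(dst), proto
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", frame[off:off + 4])
        l4_len = (frame[off + 12] >> 4) * 4 if proto == IPPROTO_TCP else 8
        info["payload"] = frame[off + l4_len:]
    return info


def _addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; the parser does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, _addr(src), _addr(dst))


def build_sample_frame() -> bytes:
    """Constructed test frame: Ethernet / 802.1Q VLAN 100 / MPLS 1001, 1002 (bottom of
    stack) / IPv4 tunnel / IPv4 / TCP to port 80 / HTTP request line."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    inner = ipv4_header("10.1.2.3", "192.0.2.10", IPPROTO_TCP, len(tcp)) + tcp
    outer = ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!I", 1001 << 12) + struct.pack("!I", (1002 << 12) | 0x100 | 64)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_VLAN)
    return eth + struct.pack("!HH", 100, ETH_MPLS) + mpls + outer
```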

Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
Figure: Service Control Engine between the subscribers and the network; Subscriber Manager; AAA, DHCP, RADIUS and billing; reporting tool; Engage console; service portal; Collection Manager; policy server and portal

Management and Integrations

Function                      Description                                              Protocols and tools         External software modules
Network management            FCAPS                                                    SNMP, CLI, SSH              N/A
Policy/service configuration  Definition of policies and dissemination to SE devices  SCA-API, GUI, scripts, XML  Service Control Application Suite GUI
Subscriber management         Dynamic management of subscriber contexts                SM API, RADIUS              Subscriber Manager
Data collection               Collection of usage data for reporting and billing       NetFlow v9, RDR protocol    Collection Manager

Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB covering link throughput, flow statistics, subscriber statistics, device performance and RDR statistics; traps: MIB-II traps, RDR link up/down, link status up/down
CLI: Telnet/SSH; Cisco look and feel; CLI configuration wizard
Note that SNMPv2c community strings and Telnet sessions travel in the clear; keep management access on a dedicated management network and use SSH for the CLI

Management - Network Navigator: a Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM database
Batch management of devices and sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve logs, activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-headers

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM back end
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time reports

Service Security Dashboard
Integrated console to manage the service security functionality: view, load and edit signatures; configure identification thresholds; set up mitigation actions; view reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set, add and read usage quota buckets
Integration into the back office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager - Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull modes:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager - RADIUS Integration, Push Mode
Figure: subscribers, B-RAS, network, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE
1 (RADIUS) The B-RAS sends Accounting-Start: User-Name=Joe, Framed-IP-Address=1.2.3.4
2 (RADIUS relay) Accounting-Start reaches the SM with User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3 (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE

Subscriber Manager - RADIUS Integration, Pull Mode
Figure: subscribers, B-RAS, network, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE
1 (RADIUS) The B-RAS sends Accounting-Start: User-Name=Joe, Framed-IP-Address=1.2.3.4
2 (RADIUS relay) Accounting-Start reaches the SM with User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3 Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4 (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration - LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-Agent-Information remote ID (82.2), lease time (51), vendor-specific (43), message type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease-query LEG
The LEGs translate these attributes into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
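The push and pull figures and the LEG table describe one state machine: a RADIUS Accounting-Start becomes a login that binds a Network-ID to a Subscriber-ID and Policy-ID, an Accounting-Stop becomes a logout, and the SCE learns the binding either by push or by asking. The following is an added example, not code from the page or from Cisco, that models that machine end to end, including two cases the figures leave out: a subscriber who logs back in without the policy VSA (the persisted policy must survive) and an address that is re-assigned to a different subscriber (the stale mapping must go, or the newcomer inherits the old package and accounting). The SM-API calls, the SCE table, the VSA encoding and the default package are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AcctRequest:
    """The RADIUS accounting fields the LEG reads. 'SCE-VAS-PID' is the attribute
    name shown in the figures; its wire encoding is an assumption here."""
    status_type: str               # "Start" or "Stop"
    user_name: str
    framed_ip: str
    nas_identifier: str
    vsa: Dict[str, str] = field(default_factory=dict)


@dataclass
class Subscriber:
    subscriber_id: str
    mappings: List[str]            # Network-IDs: IP addresses currently assigned
    policy_id: int                 # Policy-ID: the package


class FakeSCE:
    """Stand-in for an SCE's subscriber table (constructed for this example)."""

    def __init__(self, sm: "SubscriberManager"):
        self.sm = sm
        self.table: Dict[str, Subscriber] = {}

    def set_subscriber(self, sub: Subscriber) -> None:        # SM-API "Set Subscriber"
        for ip in sub.mappings:
            self.table[ip] = sub

    def remove_mapping(self, ip: str) -> None:
        self.table.pop(ip, None)

    def lookup(self, ip: str) -> Optional[Subscriber]:
        """Traffic arrives from an IP. In pull mode an unknown IP triggers the
        'who is using IP?' query to the SM."""
        if ip not in self.table:
            sub = self.sm.who_is_using(ip)
            if sub is not None:
                self.set_subscriber(sub)
        return self.table.get(ip)


class SubscriberManager:
    DEFAULT_POLICY = 1             # assumption: package 1 is the default package

    def __init__(self, push: bool):
        self.push = push
        self.sdb: Dict[str, Subscriber] = {}   # internal SDB, persists across logins
        self.by_ip: Dict[str, str] = {}
        self.sces: List[FakeSCE] = []

    def radius_leg(self, req: AcctRequest) -> Tuple[str, Optional[Subscriber]]:
        """RADIUS listener LEG: Acct-Start -> login, Acct-Stop -> logout."""
        if req.status_type == "Start":
            vsa = req.vsa.get("SCE-VAS-PID")
            return "login", self.login(req.user_name, req.framed_ip, int(vsa) if vsa else None)
        if req.status_type == "Stop":
            return "logout", self.logout(req.user_name, req.framed_ip)
        raise ValueError(f"unexpected Acct-Status-Type {req.status_type}")

    def login(self, sid: str, ip: str, policy: Optional[int]) -> Subscriber:
        # An address re-used by a new subscriber must be unmapped from the old one
        # first, or the old subscriber's package and accounting apply to the newcomer.
        previous = self.by_ip.get(ip)
        if previous and previous != sid:
            self.logout(previous, ip)
        sub = self.sdb.get(sid)
        if sub is None:
            sub = self.sdb[sid] = Subscriber(sid, [], self.DEFAULT_POLICY if policy is None else policy)
        elif policy is not None:
            sub.policy_id = policy       # no VSA on re-login: the persisted policy stays
        if ip not in sub.mappings:
            sub.mappings.append(ip)
        self.by_ip[ip] = sid
        if self.push:
            for sce in self.sces:
                sce.set_subscriber(sub)
        return sub

    def logout(self, sid: str, ip: str) -> Optional[Subscriber]:
        sub = self.sdb.get(sid)
        if sub and ip in sub.mappings:
            sub.mappings.remove(ip)
        self.by_ip.pop(ip, None)
        for sce in self.sces:
            sce.remove_mapping(ip)
        return sub

    def who_is_using(self, ip: str) -> Optional[Subscriber]:
        sid = self.by_ip.get(ip)
        return self.sdb.get(sid) if sid else None


def build_demo(push: bool) -> Tuple[SubscriberManager, FakeSCE]:
    sm = SubscriberManager(push=push)
    sce = FakeSCE(sm)
    sm.sces.append(sce)
    return sm, sce
```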

Policy Server Integration - API Overview
SCA BB exposes several APIs for external utilities; the following APIs are available for integration:
SCE API - allows direct subscriber management on the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C and Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing and quota provisioning
NetFlow v9 - allows integration for billing and quota provisioning

Policy Servers Integration - Topology Example
The SCMS SM is responsible for mapping the Network ID to the Subscriber ID, together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - (API) - Subscriber Manager - (API) - policy server

PCEF - Subscriber Policy Enforcement
The SCE acting as a 3GPP PCEF
Applies per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
Figure: GGSN; access aggregation and service control (SCE as PCEF); converged packet core; Internet; video/VoIP applications and services; subscriber service control
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package ID, subscriber monitor, upstream virtual link and downstream virtual link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages
Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
Configurable data granularity: interval between RDRs, sample rates

Collection Manager - RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer platforms
Figure: RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by fields 0 to n

Collection Manager - NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to the existing RDR groups: subscriber usage (NUR), package usage (PUR), link usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCE to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter)

Collection Manager - Software Overview
CM software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates)
CM bundle: Cisco provides the collection software pre-packaged with a database (Sybase); template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic per package, per service and per direction (upstream/downstream)
Figure: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP

ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over the other classification methods (signatures etc.) and is based on the Flavor mechanism
Because it takes precedence, the assumption above is a deployment check, not a detail: the device in front of the SCE must re-mark what subscribers send, otherwise a subscriber who sets DSCP on their own packets chooses their own service level
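The two ToS slides describe a read side (classify on DSCP, ahead of signatures) and a write side (re-mark per package, service and direction). The following is an added example, not code from the page or from Cisco, of both on a constructed IPv4 header: DSCP extraction, the precedence rule gated on whether the marking is trustworthy, and a re-mark that preserves the ECN bits and fixes the header checksum. The DSCP-to-flavor table and the toy signature matcher are assumptions.

```python
import struct
from typing import Dict, Optional, Tuple

# Hypothetical DSCP -> flavor table standing in for the GUI's selectable DSCP values.
DSCP_FLAVORS: Dict[int, str] = {46: "voip", 34: "video", 26: "business"}


def ipv4_checksum(hdr: bytes) -> int:
    words = struct.unpack("!%dH" % (len(hdr) // 2), hdr[:10] + b"\x00\x00" + hdr[12:])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    return ipv4_checksum(hdr) == int.from_bytes(hdr[10:12], "big")


def make_header(tos: int, src: str = "10.1.2.3", dst: str = "192.0.2.10") -> bytes:
    """Constructed 20-byte IPv4 header with the given ToS byte and a valid checksum."""
    def addr(dotted: str) -> bytes:
        return bytes(int(x) for x in dotted.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(hdr: bytes) -> int:
    return hdr[1] >> 2                  # DSCP is the upper six bits of the ToS byte


def remark(hdr: bytes, dscp: int) -> bytes:
    """ToS marking: rewrite the DSCP, keep the two ECN bits, fix the header checksum."""
    tos = (dscp << 2) | (hdr[1] & 0x03)
    new = hdr[:1] + bytes([tos]) + hdr[2:]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


def classify_by_signature(payload: bytes) -> Optional[str]:
    """Toy stand-in for the SCE's protocol signatures."""
    if payload[:4] in (b"GET ", b"POST") or payload.startswith(b"HTTP/"):
        return "browsing"
    if payload.startswith(b"INVITE sip:"):
        return "voip"
    return None


def classify(hdr: bytes, payload: bytes, from_subscriber: bool, edge_remarks: bool) -> Tuple[str, str]:
    """Returns (flavor, how). DSCP wins over signatures, as the slide states, but only
    when the marking can be trusted: it came from the network side, or the device in
    front of the SCE re-marks everything the subscriber sends (edge_remarks=True)."""
    dscp = dscp_of(hdr)
    if dscp in DSCP_FLAVORS and (not from_subscriber or edge_remarks):
        return DSCP_FLAVORS[dscp], "dscp"
    flavor = classify_by_signature(payload)
    return (flavor, "signature") if flavor else ("default", "none")
```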

Summary

Cisco SCE Sample Customers
Figure: customer logos grouped by access type: mobile, DSL, cable

Partner and customer ecosystem (figure, two slides; the column layout did not survive extraction, so pairings are not reconstructed)
Categories: security and content filtering; policy and billing; URL black-listing; advertising; Flash caching/video; content infringement; management/reporting; data warehousing
Partners listed: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS, Aladdin, Websense, Adaptive Mobile, in-platform cache, Phorm, Feeva, Adzilla, local China and Italy partners, Oversi, CDS, Audible Magic, Advestigo, Altnet, Proxy, Business Objectives, Comability, Aqsacom, InfoVista, Business Objects, Oracle
Operators and customers listed: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom, various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, Telenet

Quota Measurement Flexibility
Content that has revenue other than access revenue can be exempted from quota counting: the SP's content delivery store; the SP's gaming services; the SP's VoIP service; partnership content delivery services
P2P technology can also be supported in the upload direction via DPI
The quota measurement rate can change with the time of day: peak hour, 1 byte of transfer = 1 byte of quota; middle of the night, 10 bytes of transfer = 1 byte of quota
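The following is an added example, not code from the page or from Cisco, of the accounting rule the slide describes: usage records are charged against the quota with exempt services counted as zero and a time-of-day divisor, and the running total drives the enforcement action that the Telenet slides further on describe (redirect at 100%). The service names, the hours treated as "middle of the night", the 80% warning level and the record fields are assumptions; the usage records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical service names for the exempt categories the slide lists.
EXEMPT_SERVICES = {"sp-content-store", "sp-gaming", "sp-voip", "partner-cdn"}


def quota_divisor(hour: int) -> int:
    """Bytes of transfer per byte of quota. Peak 1:1 and night 10:1 are the slide's
    figures; treating 00:00-06:00 as 'middle of the night' is an assumption."""
    return 10 if 0 <= hour < 6 else 1


@dataclass(frozen=True)
class UsageRdr:
    hour: int          # local hour the usage was reported for
    service: str
    up_bytes: int
    down_bytes: int


def charge(rdrs: List[UsageRdr]) -> Tuple[int, Dict[str, int]]:
    """Quota consumed in total and per service. Raw bytes are summed per (service,
    divisor) before dividing, so many small night-time records are not rounded to
    zero one at a time."""
    raw: Dict[Tuple[str, int], int] = {}
    by_service: Dict[str, int] = {}
    for r in rdrs:
        by_service.setdefault(r.service, 0)               # exempt services appear with 0
        if r.service in EXEMPT_SERVICES:
            continue
        key = (r.service, quota_divisor(r.hour))
        raw[key] = raw.get(key, 0) + r.up_bytes + r.down_bytes
    for (service, divisor), total in raw.items():
        by_service[service] += total // divisor
    return sum(by_service.values()), by_service


def status(limit: int, rdrs: List[UsageRdr], warn_at: float = 0.8) -> Tuple[int, str]:
    """What the enforcement point does with the result; the 80% warning is an assumption."""
    used, _ = charge(rdrs)
    if used >= limit:
        return used, "redirect-to-quota-page"
    if used >= limit * warn_at:
        return used, "warn"
    return used, "ok"
```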

Application-Based Charging
Granular charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the online charging server
Figure: GGSN; access aggregation and service control (SCE); converged packet core; Internet; video/VoIP applications and services; subscriber service control
The Gy interface is still under development and will be available in a future release

Gy Interface for Online Charging
Comprehensive implementation of Gy over Diameter; the SCE supports the Diameter Credit Control Application (DCCA)
Integration with online charging servers for mobile prepaid and quota use cases
Multiple quota types: volume, time, event driven
High availability and load balancing between online charging servers
Figure: SCE - Gy over Diameter - online charging server; Internet
The Gy interface is still under development and will be available in a future release

Quota-Based Tiering - Telenet, Cable Company in Belgium
Source: httpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799 (URL as extracted)
Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or to continue at the reduced speed until the end of the month
15% of the customers upgrade their quota every month

Figure: self-care portal page: view previous months; current product and speed; extend the monthly subscription volume; upgrade to another product; a button to switch between pay-as-you-go broadband and free "smallband", in either direction

Redirect Page
Redirect page shown when 100% of the quota is reached; three options are presented to the subscriber: extend the subscription (buy more); pay as you go on broadband; continue for free on narrowband

Quota-Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan: revenue increase
40% reduction in service-support calls relating to this service: increased customer satisfaction

T-Mobile - Quota-Based with Application Control

Service           Default    WnW   WnW Pro   WnW Plus   WnW Max   Post Pay   Day Pass
Allowance         Unlimited  2GB   2GB       1GB        3GB       10GB       (not extracted)
VoIP              yes        no    no        no         no        yes        no
IM                yes        no    no        no         yes       yes        no
P2P               yes        no    yes       no         yes       yes        no
FTP               yes        no    yes       no         yes       yes        no
Media stream      yes        no    yes       no         yes       yes        no
Web browsing      yes        yes   yes       yes        yes       yes        yes
Downloads         yes        no    yes       yes        yes       yes        yes
E-mail            yes        yes   yes       yes        yes       yes        yes
Handset as modem  yes        no    yes       no         yes       yes        no

European Mobile BB - Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: the SCE and the PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
Source: httpwwwvodafoneesparticularesinternet (URL as extracted)
Figure: > 40 (value as extracted)

Advanced Services

Dynamic Personalized Services - Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness, control bus)
Figure: broadband access carrying IPTV/VoD, gaming, messaging, music and voice

Service Creation - the SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth on demand (turbo button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright infringement: validate that distributed content does not infringe copyrights
Advertisement insertion: perform local advertisement insertions
Security services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment: application-based control on a per-subscriber basis; integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via a Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management - Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Figure: personalization via self-selection

Bandwidth on Demand - Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Figure: turbo button

Personalized Services - Self-Provisioned
Quota management; turbo (bandwidth on demand); application prioritization; reporting and monitoring

Personalized Reporting - Self-Managed

Parental Controls - Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Figure: parental controls and content filtering

Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined websites
Limits access to pre-approved applications
HTTP redirect to the portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content-provider partnerships
Figure: block page "Content blocked - click here to unlock all Internet sites"; Internet

URL Filtering with an External DB
Enhances SCE URL classification with external-party databases
The external database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
Figure: on-device URL filtering with external database integration: URL not in cache -> URL query RDR to the 3rd-party URL database -> return URL classification -> cache lookup/update
Policy matrix (action per subscriber package and HTTP list):

Subscriber package   HTTP DEFAULT   HTTP list ID 1   HTTP list ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64 kbps
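The following is an added example, not code from the page or from Cisco, of the cache-then-query path in the figure feeding the policy matrix above. It also covers the two things the slide does not specify that decide whether the filter is bypassable: host normalisation (case, port, trailing dot, parent domains) and the behaviour when the external database is unreachable, which has to be a deliberate fail-open or fail-closed choice per deployment. The database contents, the cache TTL and the failure mode are constructed; the matrix is the slide's.

```python
from typing import Callable, Dict, Optional, Tuple

# The policy matrix from the slide: package -> action per HTTP list ID (0 = DEFAULT).
POLICY: Dict[str, Dict[int, str]] = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the 3rd-party URL database: host -> list ID.
EXTERNAL_DB: Dict[str, int] = {"adult.example": 1, "games.example": 2}


def lookup_external(host: str) -> int:
    """The external query: try the host, then each parent domain; 0 means uncategorised."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in EXTERNAL_DB:
            return EXTERNAL_DB[candidate]
    return 0


class DemoDb:
    """Counts queries and simulates an unreachable database for one host (constructed)."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, host: str) -> int:
        self.calls += 1
        if host == "down.example":
            raise TimeoutError("external URL DB unreachable")
        return lookup_external(host)


class UrlFilter:
    def __init__(self, query_db: Callable[[str], int], ttl: float = 300.0, on_db_failure: str = "ALLOW"):
        self.query_db = query_db
        self.ttl = ttl
        self.on_db_failure = on_db_failure              # fail open (ALLOW) or fail closed (BLOCK)
        self.cache: Dict[str, Tuple[int, float]] = {}   # host -> (list ID, expiry)

    @staticmethod
    def normalise(host: str) -> str:
        return host.lower().split(":")[0].rstrip(".")   # drop the port and a trailing dot

    def classify(self, host: str, now: float) -> int:
        host = self.normalise(host)
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0]                               # on-board cache: no external round trip
        list_id = self.query_db(host)                   # raises if the DB is unreachable
        self.cache[host] = (list_id, now + self.ttl)    # cache only successful answers
        return list_id

    def decide(self, package: str, host: str, now: float) -> Tuple[Optional[int], str]:
        """Returns (list ID, action); the list ID is None when the DB could not be reached."""
        try:
            list_id = self.classify(host, now)
        except (TimeoutError, ConnectionError):
            return None, self.on_db_failure
        return list_id, POLICY[package][list_id]
```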

Parental Control and Content Filtering - Example
Figure: content-filtering block page "Page blocked - forbidden content detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription

BetterAds - SPs Participating in the Advertising Value Chain
Figure: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds - Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step: add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: Threat using stateful traffic processing and alert SP operations
Protect: Block/mitigate threat based on configured policy
Notify: Quarantine subscriber and notify of security risk
Figure: Service Control between the subscribers and the Internet/Email Servers; sample notification:
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
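The three tiers on this slide (identify by anomaly, protect per policy, notify the subscriber) applied to the e-mail zombie case, as an added example that is not Cisco's code and not part of the original deck. It runs over constructed flow records; the threshold, the policy names and the subscriber ids are assumptions made for illustration.

```python
"""Added example (not Cisco code): identify/protect/notify tiers for a
spam-zombie anomaly, run over constructed per-subscriber flow records."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: (subscriber_id, dst_ip, dst_port, bytes).
# "sub-0007" is shaped like an e-mail zombie: many distinct SMTP peers.
SAMPLE_FLOWS = [
    ("sub-0001", "203.0.113.10", 443, 51200),
    ("sub-0001", "203.0.113.25", 25, 4096),    # one ordinary mail submission
    ("sub-0002", "198.51.100.7", 80, 8192),
] + [("sub-0007", f"198.51.100.{i}", 25, 900) for i in range(1, 41)]

# Anomaly threshold (assumption): more than 20 distinct SMTP peers in a window.
SMTP_PEER_THRESHOLD = 20


@dataclass
class Verdict:
    subscriber: str
    distinct_smtp_peers: int
    actions: list


def identify(flows):
    """Identify tier: count distinct SMTP (port 25) destinations per subscriber."""
    peers = defaultdict(set)
    for sub, dst_ip, dst_port, _ in flows:
        if dst_port == 25:
            peers[sub].add(dst_ip)
    return {sub: len(s) for sub, s in peers.items()}


def apply_policy(peer_counts, policy):
    """Protect/notify tiers: map a flagged subscriber to the configured actions.
    policy is one of the constructed names "alert", "block", "quarantine"."""
    actions_for = {
        "alert": ["alert-ops"],
        "block": ["alert-ops", "block-outbound-25"],
        "quarantine": ["alert-ops", "block-outbound-25", "quarantine", "notify-subscriber"],
    }
    verdicts = []
    for sub, n in sorted(peer_counts.items()):
        if n > SMTP_PEER_THRESHOLD:
            verdicts.append(Verdict(sub, n, list(actions_for[policy])))
    return verdicts


def run(flows=SAMPLE_FLOWS, policy="quarantine"):
    """Full pipeline; returns the verdicts for anomalous subscribers only."""
    return apply_policy(identify(flows), policy)
```

The distinct-peer count, rather than raw SMTP volume, is what separates a single mail client from a zombie: one user sends many messages to one or two relays, while a zombie fans out to many recipient domains' MX hosts.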
Service Security Protection: Value to the Service Provider
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1, SCE on the Carrier Ethernet/MPLS/IP network, VAS Server, Internet; inbound and outbound traffic; X = traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a Website or Peer application
2. The SCE identifies subscriber traffic flows matching the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: Broadband Edge/Aggregation
Directly after the subscriber-aggregator (B-RAS/CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP/Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
Figure: Analysis Engine with Police/Drop/Rewrite (PDR) actions in-line between the subscriber and network interfaces
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using Optical Splitters/Port-Span
Traffic monitoring only
Inline configuration
Engine installed in the data-path
Monitor and control traffic
Figure: optical splitters between Subscribers and Network (receive-only) versus the SCE in the data path (inline)
High Availability: Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Figure: Master and Slave SCEs, one on each active link, cascaded
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass config: Fail opened
1+1
Active/Standby SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass config: Fail opened
Figure: active and standby links in each scheme
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Figure: SCE8000 with optical bypass modules on its links; default bypass state (no power) versus none-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s Gbps of traffic
Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
High Availability - Provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by a SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
Figure: N+1 SCEs attached to the 7600 between the subscribers and the Internet; flows out, return flows back
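The dispatch invariant on this slide, as an added example that is not Cisco's code: every flow of a subscriber must reach the same unit so that flow and subscriber state stay local, and the spare unit takes over a failed one without disturbing the other subscribers' mappings. The hash, the unit names and the failover bookkeeping are assumptions made for illustration; the actual 7600/SCE dispatch mechanism is not described on the page.

```python
"""Added example (not Cisco code): subscriber-sticky dispatch of flows to an
N+1 pool of DPI units. Hashing and failover bookkeeping are assumptions."""
import hashlib
import ipaddress


class Dispatcher:
    def __init__(self, n_active, standby="sce-standby"):
        self.active = [f"sce-{i}" for i in range(n_active)]  # constructed unit names
        self.standby = standby

    def _bucket(self, subscriber_ip):
        # Hash the subscriber address only, never the full 5-tuple: that is
        # what keeps every flow of one subscriber on one unit.
        packed = ipaddress.ip_address(subscriber_ip).packed
        digest = hashlib.sha256(packed).digest()
        return int.from_bytes(digest[:4], "big") % len(self.active)

    def unit_for_flow(self, flow):
        """flow = (subscriber_ip, peer_ip, sport, dport, proto); only the
        subscriber address decides the unit."""
        return self.active[self._bucket(flow[0])]

    def fail(self, unit):
        """N+1 failover: the standby takes the failed unit's slot, so the bucket
        count, and with it every other subscriber's mapping, is unchanged."""
        if unit not in self.active:
            raise ValueError(f"{unit} is not an active unit")
        if self.standby is None:
            raise RuntimeError("no standby left; a second failure loses capacity")
        idx = self.active.index(unit)
        self.active[idx], self.standby = self.standby, None
        return self.active[idx]


def flows_stay_on_one_unit(dispatcher, flows):
    """Check the slide's invariant for the flows of one subscriber."""
    return len({dispatcher.unit_for_flow(f) for f in flows}) == 1


def sample_flows(subscriber_ip="10.0.0.5"):
    # Constructed: ten TCP flows from one subscriber to different peers/ports.
    return [(subscriber_ip, f"203.0.113.{i}", 40000 + i, 443, 6) for i in range(10)]
```

Replacing the failed unit in place, rather than shrinking the pool, is the point of the N+1 arrangement: a modulo over N-1 units would remap most subscribers and drop their state on the surviving units.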
Network Architectures: SCE's Open & Extensible Architecture
Figure: N+1, 1+1 HA and Bypass HA insertion options across DSL/Fiber (BRAS/LAC/LNS) and Mobile (GGSN) access, with Accounting/Policy Control integration, towards the Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Figure: packet inspection through the encapsulation stacks (IP/TCP/payload carried over L2TP or MPLS, and over PPP)
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices, Management Tools and Integration APIs
Figure: Service Control Engine between Subscribers and Network; Subscriber Manager (AAA, DHCP, Radius/Billing); Collection Manager; Reporting Tool/Engage Console; Service Portal; Policy Server/Portal
Management and Integrations
Function | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | NA
Policy/Service Configuration | Definition of Policies and Dissemination to SE Devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic Management of Subscriber Contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of Usage Data for Reporting and Billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: Link throughput, Flows statistics, Subscriber statistics, Device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, Link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI Configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, Bi-Directional Patterns, Binary Characters, String-Match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Figure: INTERACTIVE - Click on Top Subscriber to Activate Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "Subscriber-aware" solutions
Manages Subscriber-Contexts
Subscriber-ID: ID of the subscriber-context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: Login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: Radius Integration - Push
Figure: B-RAS on the NETWORK side, Radius server, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller), SCE, SUBSCRIBERS
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, sent by the B-RAS to the Radius server
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12, relayed to the SM Event Manager
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12): the mapping is stored in the Internal SDB and pushed by the SCE device Controller to the SCE
Subscriber Manager: Radius Integration - Pull
Figure: same components as in the push case
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, sent by the B-RAS to the Radius server
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12, relayed to the SM Event Manager and stored in the Internal SDB
3. Traffic from joe (IP 1.2.3.4) reaches the SCE, which asks the SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12): the SM answers with the mapping
Radius Integration: LEGs translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these attributes into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
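The push and pull flows of the two preceding slides and the LEG translation on this one, as an added example that is not Cisco's code and not part of the deck: a small subscriber manager parses RADIUS Accounting-Start/Stop attributes, derives the policy id from the relay's vendor attribute, and either pushes the login to the device or answers the device's "who is using IP x" query. The attribute type codes and Cisco's enterprise number are the standard values; the Vendor-Specific sub-type used for SCE-VAS-PID, the default policy id and the API names are placeholders.

```python
"""Added example (not Cisco code): subscriber manager turning RADIUS
Accounting-Start/Stop into IP-to-subscriber mappings, push and pull mode.
PID_VSA_TYPE and DEFAULT_POLICY are placeholders, not real values."""
import struct

# Standard RADIUS attribute types (RFC 2865/2866) and Cisco's enterprise number.
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_ENTERPRISE = 9
PID_VSA_TYPE = 200       # placeholder vendor sub-type for SCE-VAS-PID (assumption)
DEFAULT_POLICY = 1       # constructed default package id


def build_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob):
    """Parse a RADIUS attribute TLV sequence; reject lengths that run past the blob."""
    attrs, pos = [], 0
    while pos < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, pos)
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def accounting_start(user, ip, vsa_pid=None):
    """Constructed Accounting-Start attribute list (RADIUS header omitted)."""
    out = build_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
    out += build_attr(USER_NAME, user.encode())
    out += build_attr(FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
    if vsa_pid is not None:  # the relay adds SCE-VAS-PID=<policy id>
        val = str(vsa_pid).encode()
        vsa = struct.pack("!IBB", CISCO_ENTERPRISE, PID_VSA_TYPE, len(val) + 2) + val
        out += build_attr(VENDOR_SPECIFIC, vsa)
    return out


def accounting_stop(ip):
    out = build_attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
    return out + build_attr(FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))


class SubscriberManager:
    def __init__(self):
        self.sdb = {}       # Framed-IP -> (subscriber id, policy id)
        self.pushed = []    # logins/logouts pushed to the SCE (push mode)

    def on_accounting(self, blob, push=True):
        """Event Manager: translate the accounting message into an SDB update."""
        attrs = dict(parse_attrs(blob))
        (status,) = struct.unpack("!I", attrs[ACCT_STATUS_TYPE])
        ip = ".".join(str(b) for b in attrs[FRAMED_IP_ADDRESS])
        if status == ACCT_STOP:
            self.sdb.pop(ip, None)
            if push:
                self.pushed.append(("logout", ip))
            return None
        user = attrs[USER_NAME].decode()
        policy = self._policy_from_vsa(attrs.get(VENDOR_SPECIFIC))
        self.sdb[ip] = (user, policy)
        if push:
            self.pushed.append(("login", user, ip, policy))
        return user, ip, policy

    @staticmethod
    def _policy_from_vsa(vsa):
        if vsa is None:
            return DEFAULT_POLICY
        vendor, vtype, vlen = struct.unpack_from("!IBB", vsa, 0)
        if vendor == CISCO_ENTERPRISE and vtype == PID_VSA_TYPE:
            return int(vsa[6:4 + vlen].decode())
        return DEFAULT_POLICY

    def who_is(self, ip):
        """Pull mode: answer the SCE's 'who is using IP x' query."""
        return self.sdb.get(ip)
```

The length check in parse_attrs matters in practice: an accounting relay sits between untrusted access equipment and the policy system, and a malformed attribute length should be rejected rather than read past the buffer.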
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
SCE API - allows direct Subscriber Management with the SCE (provided in Java)
SM API - allows dynamic Subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operation
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
Figure: GGSN (Access Aggregation and Service Control), SCE as PCEF (Subscriber Service Control), Converged Packet Core, Internet, Video/VoIP Applications and Services, PCRF Policy Server
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And Radius VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage Data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destination, failover, subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control, Mediation, Home grown customer
Figure: SCE streams RDRs over TCP to a Mediation/Collection Platform; RDR stream = RDR, RDR, RDR, ...; each RDR = Header, Field 0, Field 1, ..., Field n
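What "binary encoded records over TCP" means for the receiving side, as an added example that is not Cisco's code: a length-prefixed record with a header followed by field_0..field_n, and a stream parser that copes with TCP delivering a record in pieces or several records in one read. The framing (marker, record type, field count, body length, per-field length prefix) is a constructed illustration of the layout sketched on the slide, not the actual RDR wire format.

```python
"""Added example (not Cisco code): constructed header + fields record
framing on a TCP byte stream, with a parser that tolerates split reads.
This is NOT the real RDR format; the layout is invented for illustration."""
import struct

MAGIC = 0x52445221                 # constructed "RDR!" marker, not a real value
HEADER = struct.Struct("!IHHI")    # magic, record type, field count, body length


def encode_record(rtype, fields):
    """Record = header + fields; each field is a u16 length + UTF-8 bytes."""
    body = b"".join(struct.pack("!H", len(f.encode())) + f.encode() for f in fields)
    return HEADER.pack(MAGIC, rtype, len(fields), len(body)) + body


class StreamParser:
    """Feed arbitrary byte chunks; returns the complete records found so far."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while len(self.buf) >= HEADER.size:
            magic, rtype, nfields, body_len = HEADER.unpack_from(self.buf, 0)
            if magic != MAGIC:
                raise ValueError("stream desynchronised: bad magic")
            if len(self.buf) < HEADER.size + body_len:
                break                      # wait for the rest of this record
            body = self.buf[HEADER.size:HEADER.size + body_len]
            self.buf = self.buf[HEADER.size + body_len:]
            out.append((rtype, self._fields(body, nfields)))
        return out

    @staticmethod
    def _fields(body, nfields):
        fields, pos = [], 0
        for _ in range(nfields):
            (flen,) = struct.unpack_from("!H", body, pos)
            pos += 2
            if pos + flen > len(body):
                raise ValueError("truncated field")
            fields.append(body[pos:pos + flen].decode())
            pos += flen
        if pos != len(body):
            raise ValueError("trailing bytes in record body")
        return fields


def demo_split_reads():
    """Two constructed usage records delivered in 7-byte chunks, as TCP may."""
    stream = encode_record(1, ["sub-0001", "browsing", "123456"])
    stream += encode_record(1, ["sub-0002", "p2p", "98765"])
    parser, got = StreamParser(), []
    for i in range(0, len(stream), 7):
        got.extend(parser.feed(stream[i:i + 7]))
    return got
```

A collector that reads one record per recv() call, without this buffering, silently corrupts usage data the moment the kernel coalesces or splits segments; asserting the marker on every header is what turns a framing bug into a visible error instead of mis-billed fields.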
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of the Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Figure: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic
- Per Package
- Per Service
- Per Direction (aka Upstream/Downstream)
Figure: Browsing/P2P/VoIP flows marked on the Subscriber Side (upstream flows) and the Network Side (downstream flows)
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
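The two ToS slides above in working form, as an added example that is not Cisco's code: reading DSCP and IP-Precedence out of the IPv4 ToS byte, the precedence rule that a DSCP match wins over the signature-based class, and re-marking per (package, service, direction) with the header checksum recomputed. The DSCP-to-class table, the marking policy and the package names are constructed; the header layout and checksum are the standard IPv4 ones.

```python
"""Added example (not Cisco code): DSCP read, DSCP-first classification and
ToS re-marking on an IPv4 header. Class table and policy are constructed."""
import struct


def ipv4_checksum(header):
    """Standard one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    s = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def build_ipv4_header(src, dst, dscp=0, proto=6, payload_len=0):
    """Constructed minimal IPv4 header (no options) with the given DSCP."""
    tos = (dscp << 2) & 0xFC
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(pkt):
    return pkt[1] >> 2            # top 6 bits of the ToS byte


def precedence_of(pkt):
    return pkt[1] >> 5            # top 3 bits: legacy IP-Precedence


def checksum_ok(pkt):
    return ipv4_checksum(pkt[:20]) == 0


# Constructed "flavor" table: DSCP values set by another network element.
DSCP_CLASS = {46: "VoIP", 26: "Video", 10: "Browsing"}   # EF, AF31, AF11


def classify(pkt, signature_class):
    """DSCP-based classification takes precedence; fall back to the signature result."""
    cls = DSCP_CLASS.get(dscp_of(pkt))
    return cls if cls is not None else signature_class


# Constructed marking policy: (package, service, direction) -> DSCP.
MARK_POLICY = {
    ("gold", "VoIP", "upstream"): 46, ("gold", "VoIP", "downstream"): 46,
    ("gold", "P2P", "upstream"): 8, ("bronze", "P2P", "upstream"): 8,
}


def remark(pkt, package, service, direction):
    """Rewrite the DSCP (keeping the ECN bits) and fix the header checksum."""
    dscp = MARK_POLICY.get((package, service, direction))
    if dscp is None:
        return pkt
    tos = (dscp << 2) | (pkt[1] & 0x03)
    hdr = pkt[:1] + bytes([tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:20] + pkt[20:]
```

Because DSCP wins over signatures, the slide's assumption that "another element has set the marking" is also the trust boundary: a subscriber-set DSCP must be cleared or re-marked at the edge before it reaches this classifier, otherwise the subscriber chooses their own service level.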
Summary
Cisco SCE Sample Customers
Figure: customer logos grouped by access type: Mobile, DSL, Cable
Figure: partner and customer matrix
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT / Cable & Wireless / Tiscali
Vodacom / Cable & Wireless / Watanya / NTT
Camiant / Openet / HP Mediation / Broadhop / Bridgewater / FTS
Aladdin / Websense / Adaptive Mobile
Websense / In-platform Cache
ONO / YouSee / T-Mobile
Vodafone / KDG
Rogers / T-Malaysia / T-Mobile / TV Cabo / CampW
Advertising
Phorm / Feeva / Adzilla / Local China / Local Italy
UK DSL provider / Italian DSL provider / CTT / China Mobile / Korean Telecom
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi / CDS
Audible Magic / Advestigo / Altnet
Proxy / Business Objectives / Comability / Aqsacom / Info Vista
Business Objects / Oracle
Various European and Asian Operators
European Legislators
Content providers / Initial POCs
Telecom Italia
CYTA
Orange / T-Mobile / Telenet
Application-Based Charging
Granular Charging for advanced services based on volume, length of usage and application events
Standard Gy interface to the Online Charging Server
Figure: GGSN (Access Aggregation and Service Control), SCE (Subscriber Service Control), Converged Packet Core, Internet, Video/VoIP Applications and Services, Online Charging Server
The Gy interface is still under development and will be available in a future release
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports the Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
Figure: SCE - Gy over Diameter - Online Charging Server; SCE - Internet
The Gy interface is still under development and will be available in a future release
Quota Based Tiering: Telenet Cable Company in Belgium
http://www.billingworld.com/rev2/main/feature/Article.cfm?featureID=7799
Quota complements Speed as a Tiering parameter
When a User reaches the Quota, his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15% of the Customers upgrade their Quota every month
Figure: Telenet self-service portal
View previous months
Current product and speed
Extend monthly subscription volume
Upgrade to other product
Button to go from pay as you go broadband to free smallband or the other way around
Redirect Page
Re-direct page in case 100% of the quota is reached. Three options presented to the subscriber: Extend subscription (buy more); Pay as you go on broadband; Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% REDUCTION in service support calls relating to this service
Increased customer service satisfaction
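The quota mechanics behind the Telenet slides (the usage bucket from the Subscriber Management slide, the drop to dial-up speed at 100%, the one-time redirect to the portal, and the extend-or-wait-for-reset choice), as an added example that is not Cisco's or Telenet's code. Quota sizes, rates and the action names are constructed.

```python
"""Added example (not Cisco code): a volume quota bucket and the
reduce-speed + redirect behaviour at 100%. All numbers are constructed."""
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class QuotaBucket:
    limit_bytes: int
    used_bytes: int = 0

    def add(self, n):
        self.used_bytes += n

    def remaining(self):
        return max(self.limit_bytes - self.used_bytes, 0)

    def exhausted(self):
        return self.used_bytes >= self.limit_bytes

    def reset(self):
        self.used_bytes = 0


@dataclass
class Subscriber:
    name: str
    volume: QuotaBucket
    base_rate_kbps: int = 20000
    reduced_rate_kbps: int = 56       # "dial-up speed" as on the slide (assumed value)
    redirected: bool = False          # portal redirect already shown?

    @property
    def rate_kbps(self):
        """Policy the SCE enforces: reduced speed once the bucket is exhausted."""
        return self.reduced_rate_kbps if self.volume.exhausted() else self.base_rate_kbps


def account_usage(sub, nbytes):
    """Called per usage report; returns the action to apply to the next HTTP request."""
    sub.volume.add(nbytes)
    if sub.volume.exhausted() and not sub.redirected:
        sub.redirected = True         # redirect once, then let slow traffic through
        return "redirect-to-portal"
    return "forward"


def extend_quota(sub, extra_bytes):
    """Portal option: buy more volume; speed is restored immediately."""
    sub.volume.limit_bytes += extra_bytes
    sub.redirected = False


def monthly_reset(sub):
    """End of month: bucket back to zero, full speed again."""
    sub.volume.reset()
    sub.redirected = False
```

The redirect flag is what keeps the portal page from hijacking every subsequent request; once the subscriber has seen the choice, traffic continues at the reduced rate until they extend the quota or the month rolls over.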
T-Mobile - Quota-Based With Application Control
Allowance (as listed on the slide): Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB
Application      | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
Figure: portal screenshot (> 40)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven ("Turbo Button", Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (IPTV/VoD, Gaming, Messaging, Music/Voice) via Application Awareness
Figure: Broadband Access with a Control Bus linking the applications to the SCE
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that content distributed does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with the AAA policy-server to deliver a personalized broadband experience
Self-Subscription Service: Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Figure: Turbo Button
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
Example Content Tiering - "Kids Broadband"
Application and Content based access control with white-lists/blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Figure: redirect page "Content Blocked - Click here to unlock all Internet sites"; Internet
URL Filtering With External DB
On Device URL Filtering with External Database Integration
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
Figure: URL not in cache -> URL Query RDR to the 3rd Party URL Database -> Return URL Classification -> Cache-Lookup Update
Subscriber-Package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
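The cache-in-front-of-external-database flow and the per-package policy matrix from this slide, as an added example that is not Cisco's code and not the Websense or Adaptive Mobile API: a bounded, TTL-bound cache answers repeated lookups locally, misses go to the external classifier (a constructed dictionary stands in for the third-party database), and the returned list id is mapped through the package matrix exactly as the table reads. Hostnames, TTL, capacity and the list contents are constructed; the action strings are those on the slide.

```python
"""Added example (not Cisco code): on-device URL classification cache in front
of an external category database, plus the slide's package policy matrix."""
import time
from collections import OrderedDict

# Constructed stand-in for the third-party URL database: host -> list id.
EXTERNAL_DB = {"news.example": "DEFAULT", "adult.example": "LIST1", "gambling.example": "LIST2"}


class ExternalDb:
    def __init__(self, table):
        self.table, self.queries = table, 0

    def classify(self, host):
        self.queries += 1                      # each call is a transaction the cache should save
        return self.table.get(host, "DEFAULT")  # unknown hosts fall into the default list


class UrlCache:
    """Bounded LRU cache with a TTL; negative (DEFAULT) results are cached too."""

    def __init__(self, db, capacity=1000, ttl_s=300, clock=time.monotonic):
        self.db, self.cap, self.ttl, self.clock = db, capacity, ttl_s, clock
        self.entries = OrderedDict()           # host -> (list id, expiry)

    def lookup(self, host):
        now = self.clock()
        hit = self.entries.get(host)
        if hit and hit[1] > now:
            self.entries.move_to_end(host)     # refresh LRU position
            return hit[0]
        cls = self.db.classify(host)           # URL not in cache: query the external DB
        self.entries[host] = (cls, now + self.ttl)
        self.entries.move_to_end(host)
        if len(self.entries) > self.cap:
            self.entries.popitem(last=False)   # evict least recently used
        return cls


# Subscriber package -> {list id -> action}, transcribed from the slide's table.
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", "LIST1": "ALLOW", "LIST2": "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "RATE 64kbps"},
}


def decide(cache, package, host):
    """Action for one HTTP request: classify (cached) then apply the package row."""
    return POLICY[package][cache.lookup(host)]
```

The TTL is the security-relevant knob: a long TTL saves transactions but delays the effect of a database update (a newly listed host stays allowed until its cached entry expires), so the value should track how quickly the external provider expects its list changes to take effect.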
Parental Control and Content Filtering: Example
Content Filtering
Figure: "Page Blocked: Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
Leveraging their intimacy with their customer base for enabling enhanced targeting
Figure: ISP (Demographics, Browsing habits, Geo-location) feeding BetterAds between Advertiser, Publisher and Consumer
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs to participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in/Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for Behavioral Targeted Advertising
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
Alice: automotive, stock trading, PDAs
Bob: cookware, online gaming, baby outfit...
P2P Identification: Infringing / Non-Infringing
Figure: Subscriber, SCE, Network, HASH DB
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's Content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
A stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: Analysis Engine; PDR = Police / Drop / Rewrite actions
Presentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: Subscribers – optical splitter – SCE – optical splitter – Network
Presentation_ID 84
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The Slave forwards all traffic to the Master for processing
The Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Presentation_ID 85
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1
Active/Standby SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
Diagram: Active Link and Standby Link
Presentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Diagram: SCE8000 with two optical bypass modules (ports 1/0, 3/0, 0/0, 2/0); default bypass state (no power) versus non-default bypass state
Presentation_ID 87
MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
• High availability – provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Diagram: N+1 SCEs between the 7600 and the Internet; Flows / Return Flows
Presentation_ID 88
Network Architectures: SCE's Open & Extensible Architecture
Diagram: insertion options N+1, 1+1 HA and bypass HA; GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber) on the access side; Accounting/Policy Control; Internet
Presentation_ID 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Packet Inspection diagram: the engine looks past the encapsulation to the inner IP, TCP and payload, e.g. [l2tp / mpls | IP | TCP | Payload] and [ppp | IP | TCP | Payload]
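The decapsulation the slide calls packet inspection (looking past the tunnel headers to the inner IP flow), as an added Python example that is not code from the Cisco deck: it peels 802.1Q, MPLS, IP-in-IP and GRE, four of the encapsulations listed above, and bounds the nesting depth so a crafted frame cannot keep the parser looping. The sample frame, addresses and labels are constructed here; L2TP/PPP is not handled, and the parser does not verify IP checksums.

```python
"""Peel tunnel/encapsulation headers to reach the inner IPv4 flow (added example, constructed input)."""
import struct

ETH_P_IP, ETH_P_8021Q, ETH_P_MPLS = 0x0800, 0x8100, 0x8847
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 4, 6, 17, 47
MAX_DEPTH = 8   # bound on nested IP headers so a crafted frame cannot loop the parser


def ipstr(b):
    return ".".join(str(x) for x in b)


def parse_ethernet(frame):
    """Return (ethertype, offset, vlan_ids) after the MAC header and any 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlans = 14, []
    while ethertype == ETH_P_8021Q:          # stacked tags (QinQ) are peeled one by one
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    return ethertype, off, vlans


def skip_mpls(frame, off):
    """Skip the MPLS label stack; return (payload offset, labels)."""
    labels = []
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated MPLS stack")
        (word,) = struct.unpack_from("!I", frame, off)
        labels.append(word >> 12)
        off += 4
        if word & 0x100:                     # bottom-of-stack bit
            return off, labels


def parse_ipv4(frame, off):
    """Return (protocol, src, dst, offset after the header) for the IPv4 header at off."""
    if off >= len(frame) or frame[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20 or off + ihl > len(frame):
        raise ValueError("bad IHL")
    proto = frame[off + 9]
    return proto, ipstr(frame[off + 12:off + 16]), ipstr(frame[off + 16:off + 20]), off + ihl


def skip_gre(frame, off):
    """Skip a GRE header (RFC 2784/2890 flags); return (payload offset, payload ethertype)."""
    flags, proto = struct.unpack_from("!HH", frame, off)
    off += 4
    if flags & 0x8000:
        off += 4                             # checksum + reserved
    if flags & 0x2000:
        off += 4                             # key
    if flags & 0x1000:
        off += 4                             # sequence number
    return off, proto


def inner_flow(frame):
    """Peel VLAN, MPLS, IP-in-IP and GRE layers; return the innermost 5-tuple plus the path taken."""
    ethertype, off, vlans = parse_ethernet(frame)
    encaps = [f"vlan:{v}" for v in vlans]
    if ethertype == ETH_P_MPLS:
        off, labels = skip_mpls(frame, off)   # MPLS carries no payload type: IPv4 is checked below
        encaps += [f"mpls:{label}" for label in labels]
    elif ethertype != ETH_P_IP:
        raise ValueError(f"unsupported ethertype {ethertype:#06x}")
    for _ in range(MAX_DEPTH):
        proto, src, dst, off = parse_ipv4(frame, off)
        if proto == IPPROTO_IPIP:
            encaps.append(f"ipip:{src}->{dst}")
        elif proto == IPPROTO_GRE:
            off, gre_proto = skip_gre(frame, off)
            if gre_proto != ETH_P_IP:
                raise ValueError("GRE payload is not IPv4")
            encaps.append(f"gre:{src}->{dst}")
        elif proto in (IPPROTO_TCP, IPPROTO_UDP):
            sport, dport = struct.unpack_from("!HH", frame, off)
            return {"src": src, "dst": dst, "proto": proto,
                    "sport": sport, "dport": dport, "encaps": encaps}
        else:
            raise ValueError(f"unhandled IP protocol {proto}")
    raise ValueError("encapsulation nesting too deep")


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header for the sample; the header checksum is left zero (not verified above)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload


# Constructed sample: Ethernet | 802.1Q vid 100 | MPLS label 16001 (BoS) | IPv4/GRE(key) | IPv4/TCP :80
TCP_SEG = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER = build_ipv4(IPPROTO_TCP, bytes([10, 1, 1, 25]), bytes([93, 184, 216, 34]), TCP_SEG)
GRE = struct.pack("!HHI", 0x2000, ETH_P_IP, 0xCAFE) + INNER
OUTER = build_ipv4(IPPROTO_GRE, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]), GRE)
SAMPLE_FRAME = (bytes(12) + struct.pack("!H", ETH_P_8021Q) + struct.pack("!HH", 100, ETH_P_MPLS)
                + struct.pack("!I", (16001 << 12) | 0x100 | 64) + OUTER)

if __name__ == "__main__":
    print(inner_flow(SAMPLE_FRAME))
```

The returned encaps list records which layers were traversed, which is what a split-flow or visibility check needs: if the engine sees only one side of a tunnel, or a layer it cannot peel, the inner flow never reaches classification.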
Presentation_ID 90
Management and Integration
Presentation_ID 91
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
Diagram: Subscribers – Service Control Engine – Network; Subscriber Manager fed by AAA, DHCP, RADIUS and Billing; Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal
Presentation_ID 92
Management and Integrations
Function | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Presentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Presentation_ID 94
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate bypass
Presentation_ID 95
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Presentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time report
Presentation_ID 97
Service Security Dashboard
Integrated console to manage the service security functionality:
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Presentation_ID 98
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems
Presentation_ID 99
Subscriber Manager – Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Presentation_ID 100
Subscriber Manager RADIUS Integration - Push
Components: B-RAS; RADIUS server; Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller); SCEs on the network side; subscribers
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), pushed by the SM to the relevant SCE
Presentation_ID 101
Subscriber Manager RADIUS Integration - Pull
Components: B-RAS; RADIUS server; Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller); SCEs on the network side; subscribers
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), returned by the SM to the querying SCE
Presentation_ID 102
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
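The push and pull exchanges of the two preceding slides and the LEG translation above, as an added Python example that is not Cisco's SM or LEG code: it parses a RADIUS Accounting-Request (RFC 2866), verifies the Request Authenticator against the shared secret before trusting the record, and translates Start/Stop into the SM login/logout (subscriber ID, mappings, policy) listed above; a toy SubscriberManager then answers the pull-mode "who is using IP?" query and keeps the policy across logins. The shared secret, the packet contents and the vendor ID and vendor-type used for the SCE-VAS-PID VSA are constructed placeholders, not Cisco's assignments.

```python
"""Translate RADIUS Accounting-Requests into Subscriber Manager login/logout events (added example)."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                  # RADIUS code (RFC 2866)
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
# The slide shows a VSA named SCE-VAS-PID carrying the package ID; its vendor ID and vendor-type
# are not given there, so these two numbers are placeholders for this example only.
VSA_VENDOR_ID = 99999
VSA_TYPE_PACKAGE = 1


def parse_attributes(data):
    """Yield (type, value) pairs; malformed lengths raise instead of looping forever."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[off + 2:off + alen]
        off += alen


def verify_acct_authenticator(packet, secret):
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def acct_to_sm_event(packet, secret):
    """The LEG's job: turn one Accounting-Request into the SM login/logout it implies."""
    if len(packet) < 20 or packet[0] != ACCT_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack_from("!H", packet, 2)[0] != len(packet):
        raise ValueError("length field does not match packet")
    if not verify_acct_authenticator(packet, secret):
        raise ValueError("bad Request Authenticator")   # unauthenticated records must not remap anyone
    event = {"subscriber_id": None, "mappings": [], "policy": None}
    status = None
    for atype, value in parse_attributes(packet[20:]):
        if atype == ATTR_USER_NAME:
            event["subscriber_id"] = value.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            event["mappings"].append(str(ipaddress.IPv4Address(value)))
        elif atype == ATTR_ACCT_STATUS and len(value) == 4:
            status = struct.unpack("!I", value)[0]
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack_from("!I", value)[0] == VSA_VENDOR_ID:
                for vtype, vvalue in parse_attributes(value[4:]):
                    if vtype == VSA_TYPE_PACKAGE:
                        event["policy"] = int(vvalue.decode("ascii"))
    if status == ACCT_START:
        event["action"] = "login"
    elif status == ACCT_STOP:
        event["action"] = "logout"
    else:
        raise ValueError("only Start/Stop are translated")
    if event["subscriber_id"] is None or not event["mappings"]:
        raise ValueError("User-Name and Framed-IP-Address are required")
    return event


class SubscriberManager:
    """Toy SM: push mode applies each event; pull mode answers the SCE's 'who is using IP?'."""

    def __init__(self):
        self.by_ip = {}        # network-ID -> (subscriber-ID, policy-ID)
        self.policies = {}     # subscriber-ID -> last known policy, persisted across logins

    def apply(self, event):
        sid = event["subscriber_id"]
        if event["action"] == "login":
            if event["policy"] is not None:
                self.policies[sid] = event["policy"]
            policy = self.policies.get(sid, 0)      # 0 stands for the default package here
            for ip in event["mappings"]:
                self.by_ip[ip] = (sid, policy)
        else:
            for ip in event["mappings"]:
                self.by_ip.pop(ip, None)

    def who_is(self, ip):
        return self.by_ip.get(ip)


def build_acct_request(ident, secret, attrs):
    """Construct an Accounting-Request with a valid authenticator (used only to make sample input)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


# Constructed sample mirroring the slide: Joe logs in from 1.2.3.4 with package 12, later logs out.
SECRET = b"constructed-shared-secret"
VSA_PACKAGE_12 = struct.pack("!I", VSA_VENDOR_ID) + bytes([VSA_TYPE_PACKAGE, 4]) + b"12"
SAMPLE_START = build_acct_request(7, SECRET, [
    (ATTR_USER_NAME, b"Joe"), (ATTR_FRAMED_IP, bytes([1, 2, 3, 4])),
    (ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START)), (ATTR_VENDOR_SPECIFIC, VSA_PACKAGE_12)])
SAMPLE_STOP = build_acct_request(8, SECRET, [
    (ATTR_USER_NAME, b"Joe"), (ATTR_FRAMED_IP, bytes([1, 2, 3, 4])),
    (ATTR_ACCT_STATUS, struct.pack("!I", ACCT_STOP))])
```

The authenticator check is the part worth keeping in any LEG that listens on the wire rather than reading a relay it controls: an accounting record maps an IP address to a subscriber and a package, so a record that does not validate against the shared secret should be logged and dropped, not applied.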
Presentation_ID 103
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning
NetFlow v9 – allows integration for billing/quota provisioning
Presentation_ID 104
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping the network ID to the subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE – API – Subscriber Manager – API – Policy Server
Presentation_ID 105
PCEF - Subscriber Policy Enforcement
The SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Diagram: GGSN; Access Aggregation and Service Control (PCEF SCE); Converged Packet Core; Internet; Subscriber Service Control; Video/VoIP applications and services; message steps 1, 2, 3/5, 4
Presentation_ID 106
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Presentation_ID 107
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs; sample rates
Presentation_ID 108
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: RDR stream over TCP to a mediation/collection platform; each RDR = Header | Field 0 | Field 1 | ... | Field n
Presentation_ID 109
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
The SCE supports the new extensions
Records equivalent to the existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCMS Collection Manager → SCMS Reporter; NetFlow Collector → NetFlow Reporter
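A NetFlow v9 (RFC 3954) template and data FlowSet decoder, added here as an example and not Cisco's collector code, showing how an L7 field rides in an export simply as one more template field, how a collector must cache templates per exporter and drop data it has no template for, and how the decoded records aggregate into a Subscriber Usage (NUR) style summary. The field number used for the L7 application ID, the source ID and the two flow records are constructed for this example.

```python
"""Decode NetFlow v9 (RFC 3954) template and data FlowSets into usage records (added example)."""
import struct

TEMPLATE_FLOWSET_ID = 0
# Standard field type numbers used by the sample; 30001 is a constructed placeholder for a
# Cisco pre-standard L7 field, whose real numbering the slide does not give.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
               30001: "L7_APPLICATION_ID"}
IPV4_FIELDS = {8, 12}


def decode_field(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class NetFlowV9Decoder:
    """Templates are remembered per (source_id, template_id); data seen before its template is dropped."""

    def __init__(self):
        self.templates = {}

    def decode(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("bad FlowSet length")    # never trust the length field blindly
            body = packet[off + 4:off + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                            # data FlowSet; ids 1..255 are reserved
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template")
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            return []
        rec_len = sum(flen for _, flen in fields)
        out, off = [], 0
        while rec_len and off + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[off:off + flen])
                off += flen
            out.append(rec)
        return out


def subscriber_usage(records):
    """Aggregate bytes per source address, the shape of a Subscriber Usage (NUR) style report."""
    usage = {}
    for rec in records:
        usage[rec["IPV4_SRC_ADDR"]] = usage.get(rec["IPV4_SRC_ADDR"], 0) + rec["IN_BYTES"]
    return usage


# Constructed sample export: one template (id 256) and two data records.
SAMPLE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (30001, 4)]
SAMPLE_RECORDS = [("10.1.1.25", "93.184.216.34", 51234, 80, 6, 48000, 40, 17),
                  ("10.1.1.26", "203.0.113.9", 5060, 5060, 17, 1200, 10, 42)]


def encode_record(values):
    out = b""
    for (ftype, flen), value in zip(SAMPLE_FIELDS, values):
        out += bytes(int(x) for x in value.split(".")) if ftype in IPV4_FIELDS else value.to_bytes(flen, "big")
    return out


def build_sample(include_template=True):
    """Build one export packet; with include_template=False only the data FlowSet is sent."""
    tmpl_body = struct.pack("!HH", 256, len(SAMPLE_FIELDS)) + b"".join(struct.pack("!HH", t, l) for t, l in SAMPLE_FIELDS)
    tmpl = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl_body)) + tmpl_body
    recs = b"".join(encode_record(r) for r in SAMPLE_RECORDS)
    pad = (-len(recs)) % 4
    data = struct.pack("!HH", 256, 4 + len(recs) + pad) + recs + bytes(pad)
    count = len(SAMPLE_RECORDS) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, count, 100, 1247000000, 1, 42)
    return header + (tmpl if include_template else b"") + data
```

Because v9 is template-driven, a collector that restarts loses the template cache and silently drops records until the exporter resends templates; the same mechanism is why a new L7 field needs no change to the transport, only a field number both ends agree on.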
Presentation_ID 110
Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
Presentation_ID 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
– per package
– per service
– per direction (i.e. upstream / downstream)
Diagram: Subscriber side / Network side; upstream flows and downstream flows for Browsing, P2P and VoIP
Presentation_ID 112
ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
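The marking and classification behaviour of the last two slides, as an added Python example that is not SCE code: mark_dscp rewrites only the six DSCP bits, keeps the two ECN bits and recomputes the IPv4 header checksum; classify consults the DSCP flavor table first and falls back to a port-based stand-in for signature classification only when no flavor matches. The package/service/direction table, the DSCP values and the sample packets are assumptions constructed for this example. Design note: because the flavor match wins, it is only safe where the marking element upstream is trusted, which is exactly the slide's assumption; where subscriber-side packets can arrive with a DSCP already set, re-mark them at ingress before classification.

```python
"""ToS/DSCP marking and DSCP-first classification on IPv4 headers (added example, constructed packets)."""
import struct

# Marking table: (package, service, direction) -> DSCP. Values are assumptions for the example.
MARKING = {
    ("gold", "VoIP", "upstream"): 46, ("gold", "VoIP", "downstream"): 46,            # EF
    ("gold", "Browsing", "upstream"): 10, ("gold", "Browsing", "downstream"): 10,    # AF11
    ("gold", "P2P", "upstream"): 8, ("gold", "P2P", "downstream"): 8,                # CS1
    ("silver", "P2P", "upstream"): 8, ("silver", "P2P", "downstream"): 8,
}
# Flavor table for ToS classification: a DSCP set by an upstream element maps to a service.
FLAVOR_BY_DSCP = {46: "VoIP", 10: "Browsing", 8: "P2P"}


def ipv4_checksum(header):
    """One's-complement sum over the header; returns 0 when run over a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_dscp(packet):
    return packet[1] >> 2


def mark_dscp(packet, dscp):
    """Rewrite the 6 DSCP bits, keep the 2 ECN bits, and fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def mark_for(packet, package, service, direction):
    """Apply the per-package/service/direction marking; leave the packet untouched if no rule matches."""
    dscp = MARKING.get((package, service, direction))
    return mark_dscp(packet, dscp) if dscp is not None else packet


def classify_by_signature(packet):
    """Stand-in for the engine's signature classification: a port-based guess on the L4 header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    if proto == 17 and 5060 in (sport, dport):
        return "VoIP"
    if proto == 6 and dport in (80, 443):
        return "Browsing"
    return "Unknown"


def classify(packet):
    """DSCP (flavor) classification takes precedence; signatures are consulted only when no flavor matches."""
    service = FLAVOR_BY_DSCP.get(read_dscp(packet))
    if service is not None:
        return service, "dscp"
    return classify_by_signature(packet), "signature"


def build_packet(proto, sport, dport, tos=0):
    """Constructed minimal IPv4 packet with an 8-byte L4 header stub (ports only)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0, 0, 64, proto, 0,
                                bytes([10, 1, 1, 25]), bytes([203, 0, 113, 9])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HHI", sport, dport, 0)


def checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0
```

Marking and classification are deliberately separate functions here, mirroring the slide's point that marking is decoupled from queuing: the engine classifies, marks per package/service/direction, and leaves the queuing decision to whichever element reads the DSCP downstream.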
Presentation_ID 113
Summary
Presentation_ID 114
Cisco SCE Sample Customers
Diagram: customer logos grouped by access type: Mobile, DSL, Cable
Presentation_ID 115
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Presentation_ID 116
Flash Caching/Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management/Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Presentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 51
Gy Interface For Online Charging
Comprehensive implementation of Gy over Diameter
The SCE supports Diameter Credit Control Application (DCCA)
Integration with Online Charging Servers for Mobile prepaid and quota use cases
Multiple quota types
Volume
Time
Event driven
High availability and load-balancing between Online Charging Servers
SCE
Online Charging Server
Internet
Gy Over Diameter
The Gy interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 52
Quota Based Tiering Telenet Cable Company in Belgium
bullhttpwwwbillingworldcomrev2mainfeatureArticlecfmfeatureID=7799
Quota compliments Speed as a Tiering parameter
When a User reaches Quota his Internet service is reduced to dial-up speed
The User then has the option to upgrade his Quota Level or continue at reduced speed till the end of the month
15 of the Customers upgrade their Quota every month
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 53
View previous months
Current product and speed
Extend monthly
subscription volume
Upgrade to other product
Button to go from
pay as you go broadband
to free smallband or
the other way around
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 54
Re-direct page in case 100 of quota is reached Three options presented to subscriber Extend subscription - buy
more Pay as you go on
broadband Continue for free on
narrowband
Redirect Page
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 55
Quota Based Services - Results
15 of subscribers reaching their quota limit electing every month to move to a charge by the MBlsquo plan
Revenue increase
40 REDUCTION in service support calls relating to this service
Increased customer service satisfaction
bull15
bull40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 56
T-Mobile ndash Quota-Based With Application Control
Default WnW WnW Pro WnW WNW Plus WnW Max Post Pay Day Pass
Allowance Unlimited 2GB 2GB 1GB 3GB 10GB
VoIP radic times times times times radic times
IM radic times times times radic radic times
P2P radic times radic times radic radic times
FTP radic times radic times radic radic times
Media Stream radic times radic times radic radic times
Web Browsing radic radic radic radic radic radic radic
Downloads radic times radic radic radic radic radic
Emails radic radic radic radic radic radic radic
Handset as modem
radic times radic times radic radic times
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 57
European MobileBB Web 3G and Skype for Mobile
Take your online world with you TV PC and the web on your mobile
Business issueSkype taking mobile minutes away
Use case descriptionSCE amp PGW 2200 allows to route Skype users to mobile phones over PLMN
Business benefits Skype becomes chargeable minutes againNon IP capable phones can use Skype
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 58
European Mobile Volume Quota
bullhttpwwwvodafoneesparticularesinternet
gt 40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Figure: inspected packet stacks, e.g. payload/TCP/IP inside L2TP or MPLS, and payload/TCP/IP inside PPP
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
Figure: Service Control Engine between subscribers and the network, surrounded by the Subscriber Manager (AAA, DHCP, RADIUS, billing), the Collection Manager (reporting tool, Engage console), the policy server/portal and the service portal
Management and Integrations

Area                      | Network Management | Policy/Service Configuration                           | Subscriber Management                     | Data Collection
Description               | FCAPS              | Definition of policies and dissemination to SE devices | Dynamic management of subscriber contexts | Collection of usage data for reporting and billing
Protocols and tools       | SNMP, CLI, SSH     | SCA-API, GUI, scripts, XML                             | SM API, RADIUS                            | NetFlow v9, RDR protocol
External software modules | N/A                | Service Control Application Suite GUI                  | Subscriber Manager                        | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Figure: B-RAS, RADIUS server, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE device and subscribers
1. (RADIUS) The B-RAS sends an Accounting Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device
Subscriber Manager: RADIUS Integration - Pull
Figure: same components as in the push case
1. (RADIUS) The B-RAS sends an Accounting Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs (Login Event Generators) translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM events:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings
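The push and pull exchanges on the two preceding slides and the LEG translation above, as an added example that is not Cisco's LEG, SM-API or SCE code: a RADIUS LEG that parses Accounting-Request attributes into an SM login/logout event, an SM with an internal SDB in push or pull mode, and an SCE that either receives the mapping or asks "who is using IP 1.2.3.4". The Vendor-Specific sub-type number used for SCE-VAS-PID is an assumption.

```python
"""RADIUS LEG -> Subscriber Manager -> SCE mapping model (added example; not
Cisco's LEG, SM-API or SCE code).  Attributes use the standard RADIUS
type/length/value layout with IANA numbers; the SCE-VAS-PID attribute on the
slide is modelled as a Cisco (vendor 9) Vendor-Specific sub-attribute whose
sub-type 250 is an assumption, not a documented value."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID, SCE_VAS_PID_SUBTYPE = 9, 250   # sub-type is assumed


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type(1) length(1) value (value <= 253 bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(raw: bytes) -> List[Tuple[int, bytes]]:
    """Walk the list; a bad length is rejected, not skipped, because one malformed AVP would desynchronise every attribute after it."""
    out, i = [], 0
    while i < len(raw):
        ln = raw[i + 1] if i + 1 < len(raw) else 0
        if ln < 2 or i + ln > len(raw):
            raise ValueError(f"bad attribute length at offset {i}")
        out.append((raw[i], raw[i + 2:i + ln]))
        i += ln
    return out


def leg_translate(raw: bytes) -> dict:
    """LEG step: Accounting-Request -> SM event (op, subscriber ID, mappings, policy)."""
    ev: dict = {"op": None, "subscriber_id": None, "mappings": [], "policy_id": None}
    for t, v in parse_attributes(raw):
        if t == ACCT_STATUS_TYPE and len(v) == 4:
            ev["op"] = {ACCT_START: "login", ACCT_STOP: "logout"}.get(struct.unpack("!I", v)[0])
        elif t == USER_NAME:
            ev["subscriber_id"] = v.decode("utf-8", "replace")
        elif t == FRAMED_IP_ADDRESS:
            if len(v) != 4:
                raise ValueError("Framed-IP-Address must be 4 bytes")
            ev["mappings"].append(str(ipaddress.IPv4Address(v)))
        elif t == VENDOR_SPECIFIC and len(v) >= 6:
            vendor, sub, sub_len = struct.unpack("!IBB", v[:6])
            if vendor == CISCO_VENDOR_ID and sub == SCE_VAS_PID_SUBTYPE:
                ev["policy_id"] = int(v[6:4 + sub_len].decode())
    if ev["op"] is None or not ev["subscriber_id"]:
        raise ValueError("not a usable accounting event")
    return ev


def build_accounting(status: int, user: str, ip: str, policy_id: Optional[int] = None) -> bytes:
    """Attribute list as on the slides; the relay step adds SCE-VAS-PID when given."""
    raw = avp(ACCT_STATUS_TYPE, struct.pack("!I", status)) + avp(USER_NAME, user.encode())
    raw += avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    if policy_id is not None:
        pid = str(policy_id).encode()
        raw += avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, SCE_VAS_PID_SUBTYPE, len(pid) + 2) + pid)
    return raw


class SubscriberManager:
    """Internal SDB. Push: logins go straight to the SCE. Pull: the SM only records them and answers the SCE's query later."""
    def __init__(self, mode: str):
        self.mode = mode
        self.sdb: Dict[str, dict] = {}        # subscriber_id -> {ips, policy_id}
        self.ip_index: Dict[str, str] = {}    # ip -> subscriber_id

    def handle(self, ev: dict, sce: "SCE") -> None:
        sid = ev["subscriber_id"]
        if ev["op"] == "login":
            ips = list(ev["mappings"])
            self.sdb[sid] = {"ips": ips, "policy_id": ev["policy_id"]}
            self.ip_index.update({ip: sid for ip in ips})
            if self.mode == "push":
                sce.set_subscriber(sid, ips, ev["policy_id"])
        else:   # logout: drop the mapping so a reused IP is never charged to Joe
            for ip in self.sdb.pop(sid, {"ips": []})["ips"]:
                self.ip_index.pop(ip, None)
            sce.remove_subscriber(sid)

    def who_is_using(self, ip: str) -> Optional[Tuple[str, List[str], Optional[int]]]:
        sid = self.ip_index.get(ip)
        return None if sid is None else (sid, self.sdb[sid]["ips"], self.sdb[sid]["policy_id"])


class SCE:
    def __init__(self, sm: SubscriberManager):
        self.sm = sm
        self.mappings: Dict[str, Tuple[str, Optional[int]]] = {}   # ip -> (sid, policy)

    def set_subscriber(self, sid: str, ips: List[str], policy_id: Optional[int]) -> None:
        for ip in ips:
            self.mappings[ip] = (sid, policy_id)

    def remove_subscriber(self, sid: str) -> None:
        self.mappings = {ip: m for ip, m in self.mappings.items() if m[0] != sid}

    def classify(self, src_ip: str) -> Tuple[str, Optional[int]]:
        # Unmapped source: in pull mode ask the SM; traffic that stays unmapped gets the anonymous default rather than being dropped.
        if src_ip not in self.mappings and self.sm.mode == "pull":
            answer = self.sm.who_is_using(src_ip)
            if answer is not None:
                self.set_subscriber(*answer)
        return self.mappings.get(src_ip, ("anonymous", None))
```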
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning
NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE - API - Subscriber Manager - API - Policy Server
PCEF - Subscriber Policy Enforcement
Figure: GGSN, access aggregation and service control (SCE as PCEF), converged packet core and Internet; video/VoIP applications and services; subscriber service control
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
The RDR protocol is integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Figure: RDR stream from the SCE over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to the existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCMS Reporter on the SCMS Collection Manager; NetFlow Reporter on the NetFlow Collector
Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a database (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selected DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- per package
- per service
- per direction (i.e. upstream / downstream)
Figure: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP
ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
Figure: customer logos grouped by Mobile, DSL and Cable
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy
Customers named on the slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching/Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management/Reporting: Proxy, Business Objectives, Comability, Aqsacom, InfoVista
Data Warehousing: Business Objects, Oracle
Customers named on the slide: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
Quota Based Tiering: Telenet, Cable Company in Belgium
Source: billingworld.com feature article (featureID=7799)
Quota complements speed as a tiering parameter
When a user reaches the quota, the Internet service is reduced to dial-up speed
The user then has the option to upgrade the quota level or continue at the reduced speed until the end of the month
15% of the customers upgrade their quota every month
Figure: Telenet self-care portal, with callouts for: view previous months; current product and speed; extend monthly subscription volume; upgrade to another product; button to go from pay-as-you-go broadband to free smallband or the other way around
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber:
Extend subscription (buy more)
Pay as you go on broadband
Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control

                 | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
European Mobile: BB Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow routing Skype users to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
Source: www.vodafone.es (particulares, internet)
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
"Push": enhanced experience is application-driven (application awareness)
Figure: IPTV/VoD, gaming, messaging, music and voice over broadband access, tied together by a control bus
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks, or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service: Via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Figure: Turbo Button
Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental controls and content filtering
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Figure: blocked-content page ("Content Blocked - Click here to unlock all Internet sites") between the subscriber and the Internet
URL Filtering With External DB
Enhances SCE URL classification with external party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external database
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
On-device URL filtering with external database integration
Figure: when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the cache lookup/update then serves later requests

Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
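The cache-then-query flow and the package/list action table above, as an added example that is not Cisco's implementation: an on-board LRU cache in front of a constructed external URL database, with the policy table applied to the returned list ID. The hostname cache key, TTL, capacity and the fail-open behaviour when the database is unreachable are assumptions.

```python
"""On-device URL filtering with an external classification DB (added
example, not Cisco's implementation).  Follows the slide's flow: URL not in
the on-board cache -> query the third-party URL database -> cache the
returned classification; the subscriber's package then selects ALLOW /
BLOCK / RATE per list ID, exactly as in the slide's table.  The external
DB is a constructed in-memory stub; the hostname cache key, TTL and
capacity are assumptions."""
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT, LIST_1, LIST_2 = "DEFAULT", "HTTP-List ID 1", "HTTP-List ID 2"
Action = Tuple[str, Optional[int]]   # ("ALLOW" | "BLOCK" | "RATE", kbps)

# Subscriber package x list ID -> action: the table on the slide.
POLICY: Dict[str, Dict[str, Action]] = {
    "Block-none":     {DEFAULT: ("ALLOW", None), LIST_1: ("ALLOW", None), LIST_2: ("ALLOW", None)},
    "Block-all":      {DEFAULT: ("ALLOW", None), LIST_1: ("BLOCK", None), LIST_2: ("BLOCK", None)},
    "Block-and-slow": {DEFAULT: ("ALLOW", None), LIST_1: ("BLOCK", None), LIST_2: ("RATE", 64)},
}


class UrlClassifier:
    """On-board cache in front of the external database."""

    def __init__(self, external_db: Callable[[str], Optional[str]],
                 capacity: int = 10_000, ttl: float = 3600.0, clock=time.time):
        self.external_db, self.capacity, self.ttl, self.clock = external_db, capacity, ttl, clock
        self.cache: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()  # key -> (list_id, expiry)
        self.queries = 0   # external transactions: the number the cache exists to reduce

    @staticmethod
    def cache_key(url: str) -> str:
        """Normalise so that case, a default port or a path variant cannot dodge a list."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        return (parts.hostname or "").lower()

    def classify(self, url: str) -> str:
        key, now = self.cache_key(url), self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            self.cache.move_to_end(key)          # LRU: a fresh hit moves to the back
            return hit[0]
        self.queries += 1
        try:
            list_id = self.external_db(key) or DEFAULT
        except Exception:
            # DB unreachable: apply the default policy but do not cache,
            # so the next request retries instead of pinning a wrong answer.
            return DEFAULT
        self.cache[key] = (list_id, now + self.ttl)
        self.cache.move_to_end(key)
        while len(self.cache) > self.capacity:
            self.cache.popitem(last=False)       # evict least recently used
        return list_id


def decide(package: str, list_id: str) -> Action:
    """Action for a subscriber package and a URL classification."""
    return POLICY[package].get(list_id, POLICY[package][DEFAULT])


def filter_request(classifier: UrlClassifier, package: str, url: str) -> Action:
    return decide(package, classifier.classify(url))
```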
Parental Control and Content Filtering: Example
Content filtering
Figure: "Page Blocked: Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
Leveraging their intimacy with their customer base to enable enhanced targeting
Figure: ISP (demographics, browsing habits, geo-location) feeding BetterAds, between advertiser, publisher and consumer
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a third-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in the RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles, e.g.:
• Alice: automotive, stock trading, PDAs
• Bob: cookware, online gaming, baby outfits…
P2P Identification: Infringing / Non-Infringing
Figure: subscriber, SCE, network and hash DB
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end-users using existing network resources
The cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Figure: SCE separating OTT traffic from other traffic (P2P, VoIP); the SCE redirects OTT traffic to the OTT video cache, and the cache delivers the requested files
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify of the security risk
Figure: Service Control between subscribers, e-mail servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
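The identify / protect / notify tiers above, as an added example that is not the SCE's own detection logic: anomaly detection on constructed per-subscriber flow records (SMTP fan-out for a spam zombie, unanswered-SYN fan-out for a worm scan) combined with a placeholder payload signature, mapped to configured actions and the quarantine notice. The thresholds, record format, signature pattern and exception list are constructed.

```python
"""Three-tier service security model following the slide's Identify /
Protect / Notify tiers (added example; record format, thresholds,
signature and actions are constructed, not the SCE's).  Identify combines
anomaly detection on per-subscriber flow state (SMTP fan-out for spam
zombies, unanswered-SYN fan-out for worm scanning) with a payload
signature match; Protect maps each threat class to the configured action;
Notify produces the quarantine message."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    subscriber: str   # subscriber ID from the SM mapping, not just an IP
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    answered: bool    # did the peer reply? (stateful tracking)
    payload: bytes = b""


# Constructed per-window thresholds; real values come from the dashboard.
SMTP_FANOUT = 20     # distinct mail servers contacted from one subscriber
SCAN_FANOUT = 100    # distinct (ip, port) targets that never answered
SIGNATURES = {"constructed-worm-sig": b"CONSTRUCTED-WORM-MARKER"}  # placeholder pattern
# Subscribers known to run a legitimate mail relay: an exception list like
# this is what keeps the SMTP heuristic from quarantining a real MTA.
MAIL_RELAY_EXCEPTIONS: Set[str] = set()
POLICY = {"spam": "block-smtp", "worm": "quarantine", "signature": "block-flow"}


def identify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Tier 1: threat classes per subscriber for one observation window."""
    smtp, unanswered, sigs = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dst_port == 25:
            smtp[f.subscriber].add(f.dst_ip)
        if f.proto == "tcp" and not f.answered:
            unanswered[f.subscriber].add((f.dst_ip, f.dst_port))
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                sigs[f.subscriber].add(name)
    findings: Dict[str, List[str]] = defaultdict(list)
    for sub, dests in smtp.items():
        if len(dests) >= SMTP_FANOUT and sub not in MAIL_RELAY_EXCEPTIONS:
            findings[sub].append("spam")
    for sub, targets in unanswered.items():
        if len(targets) >= SCAN_FANOUT:
            findings[sub].append("worm")
    for sub in sigs:
        findings[sub].append("signature")
    return dict(findings)


def protect(findings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Tier 2: configured action per threat; quarantine wins if present."""
    actions = {}
    for sub, classes in findings.items():
        acts = [POLICY[c] for c in classes]
        actions[sub] = ["quarantine"] if "quarantine" in acts else acts
    return actions


def notify(subscriber: str, classes: List[str]) -> str:
    """Tier 3: text for the redirect page (wording after the slide's sample)."""
    what = ", ".join(classes)
    return (f"Dear Valued Subscriber {subscriber}, your PC may be infected "
            f"({what}) and could cause additional security issues for you. "
            "Click here for technical assistance.")


def run_window(flows: List[Flow]) -> Dict[str, dict]:
    """Run all three tiers over one window of flow records."""
    findings = identify(flows)
    actions = protect(findings)
    return {sub: {"threats": findings[sub], "actions": actions[sub],
                  "notice": notify(sub, findings[sub])} for sub in findings}


def sample_window() -> List[Flow]:
    """Constructed sample: joe is a spam zombie, bob scans, alice browses."""
    flows = [Flow("joe", f"192.0.2.{i}", 25, "tcp", True) for i in range(1, 31)]
    flows += [Flow("bob", "198.51.100.7", p, "tcp", False) for p in range(1, 151)]
    flows += [Flow("alice", "203.0.113.9", 443, "tcp", True, b"GET / HTTP/1.1"),
              Flow("alice", "203.0.113.9", 25, "tcp", True)]
    return flows
```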
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1, SCE, carrier Ethernet/MPLS/IP network, VAS server and the Internet; inbound and outbound traffic, with X marking where traffic is blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows that match the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: analysis engine with PDR (police, drop, rewrite) actions on the wire
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Figure: subscribers - optical splitter - SCE - optical splitter - network
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
Slide 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts
  Subscriber-ID: ID of the subscriber context
  Network-ID: IP addresses used to map traffic to the context
  Policy-ID: ID of the policy (package) defining the rules
  Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
  RADIUS AAA
  DHCP servers
  Policy control systems
Slide 99
Subscriber Manager - Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull modes
  Push: login messages are sent directly to the relevant SCE device
  Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100
Subscriber Manager / RADIUS Integration - Push
Diagram: the B-RAS on the network side sends RADIUS accounting for subscribers to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller), which pushes the resulting mapping to the SCE device
Step 1 (RADIUS): ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4
Step 2 (RADIUS relay): ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
Step 3 (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)
Slide 101
Subscriber Manager / RADIUS Integration - Pull
Diagram: same components as the push case, but the SCE device asks the SM for the mapping when it sees traffic from an address it does not know
Step 1 (RADIUS): ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4
Step 2 (RADIUS relay): ACCT Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
Traffic from Joe (IP 1.2.3.4) arrives at the SCE
Step 3 (SCE to SM): Who is using IP 1.2.3.4?
Step 4 (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)
Slide 102
RADIUS Integration: LEG Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: RADIUS Listener LEG, SCE-Sniffer RADIUS LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
LEG to SM translation
  Login: subscriber ID, domain, mappings, lease time, policy
  Logout: subscriber ID, mappings
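The push and pull exchanges on the two Subscriber Manager slides above, together with the LEG login/logout translation, as an added example written for this page (not Cisco's SM, SCE or LEG code). It assumes dict-shaped RADIUS accounting packets, an `SCE-VAS-PID` attribute carrying the package id as on the slides, and a policy id of 0 when that attribute is absent; the class and method names are invented for the illustration. One point the slides leave implicit is made explicit: on a re-login from a new address, or when an address is reused by another subscriber, the stale mapping is retired on the SCE before the new one is installed, in both modes, so an old context can never keep matching traffic that now belongs to someone else.

```python
"""Constructed model of the Subscriber Manager push and pull modes, fed by a RADIUS
LEG that turns accounting packets into SM login/logout calls. Not Cisco code: the
class names, dict-shaped packets and the policy-id default are illustrative."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class SubscriberContext:
    subscriber_id: str      # Subscriber-ID
    mappings: Set[str]      # Network-IDs: IP addresses mapped to this context
    policy_id: int          # Policy-ID (package)

class SCE:
    """Stand-in SCE: holds only the IP-to-context mappings it has been given."""
    def __init__(self, sm: Optional["SubscriberManager"] = None):
        self.sm = sm                          # set only in pull mode
        self.ip_table: Dict[str, SubscriberContext] = {}
        self.pull_queries = 0

    def login(self, ctx: SubscriberContext) -> None:      # push path, SM -> SCE
        for ip in ctx.mappings:
            self.ip_table[ip] = ctx

    def logout(self, ctx: SubscriberContext) -> None:
        for ip in ctx.mappings:
            self.ip_table.pop(ip, None)

    def classify(self, src_ip: str) -> Optional[SubscriberContext]:
        """Map arriving traffic to a subscriber, pulling from the SM on a miss."""
        ctx = self.ip_table.get(src_ip)
        if ctx is None and self.sm is not None:
            self.pull_queries += 1            # "Who is using IP x?"
            ctx = self.sm.who_is_using(src_ip)
            if ctx is not None:
                self.ip_table[src_ip] = ctx   # cache the answer locally
        return ctx

class SubscriberManager:
    def __init__(self, mode: str):
        if mode not in ("push", "pull"):
            raise ValueError(mode)
        self.mode = mode
        self.sdb: Dict[str, SubscriberContext] = {}   # internal SDB by Subscriber-ID
        self.by_ip: Dict[str, str] = {}               # Network-ID -> Subscriber-ID
        self.sces: list = []

    def set_subscriber(self, sub_id: str, ip: str, policy_id: int) -> SubscriberContext:
        # Re-login or IP reuse: retire stale mappings first (assumed behaviour).
        self.remove_subscriber(sub_id)
        if ip in self.by_ip:
            self.remove_subscriber(self.by_ip[ip])
        ctx = SubscriberContext(sub_id, {ip}, policy_id)
        self.sdb[sub_id], self.by_ip[ip] = ctx, sub_id
        if self.mode == "push":
            for sce in self.sces:
                sce.login(ctx)
        return ctx

    def remove_subscriber(self, sub_id: str) -> None:
        ctx = self.sdb.pop(sub_id, None)
        if ctx is None:
            return
        for ip in ctx.mappings:
            self.by_ip.pop(ip, None)
        for sce in self.sces:                 # both modes: invalidate SCE-side state
            sce.logout(ctx)

    def who_is_using(self, ip: str) -> Optional[SubscriberContext]:
        sub_id = self.by_ip.get(ip)
        return self.sdb.get(sub_id) if sub_id is not None else None

class RadiusLEG:
    """Translates RADIUS accounting packets (dicts here) into SM login/logout."""
    VSA_POLICY = "SCE-VAS-PID"

    def __init__(self, sm: SubscriberManager):
        self.sm = sm

    def handle(self, pkt: dict) -> Optional[SubscriberContext]:
        status, user = pkt.get("Acct-Status-Type"), pkt["User-Name"]
        if status == "Start":
            policy = int(pkt.get(self.VSA_POLICY, 0))   # assumption: 0 = default package
            return self.sm.set_subscriber(user, pkt["Framed-IP-Address"], policy)
        if status == "Stop":
            self.sm.remove_subscriber(user)
            return None
        raise ValueError(f"unsupported Acct-Status-Type: {status!r}")

def run_scenario(mode: str) -> dict:
    """Replays the slides' flow: Joe logs in from 1.2.3.4 with package 12, then out."""
    sm = SubscriberManager(mode)
    sce = SCE(sm if mode == "pull" else None)
    sm.sces.append(sce)
    leg = RadiusLEG(sm)
    leg.handle({"Acct-Status-Type": "Start", "User-Name": "Joe",
                "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"})
    known_before_traffic = "1.2.3.4" in sce.ip_table
    ctx = sce.classify("1.2.3.4")
    unknown = sce.classify("9.9.9.9")
    queries = sce.pull_queries
    leg.handle({"Acct-Status-Type": "Stop", "User-Name": "Joe"})
    return {"known_before_traffic": known_before_traffic, "policy": ctx.policy_id,
            "pull_queries": queries, "unknown_is_none": unknown is None,
            "after_logout": sce.classify("1.2.3.4") is None}
```

`run_scenario("push")` shows the SCE already holding the mapping before any traffic arrives, while `run_scenario("pull")` shows it learning the mapping only on the first packet and having to ask again for an address the SM does not know.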
Slide 103
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
  SCE API: allows direct subscriber management with the SCE (provided in Java)
  SM API: allows dynamic subscriber management (provided in C and Java)
  SCE MIB: allows integration for maintenance operations
  RDRs: allow integration for billing/quota provisioning
  NetFlow v9: allows integration for billing/quota provisioning
Slide 104
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network IDs to Subscriber IDs with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE <- API -> Subscriber Manager <- API -> Policy Server
Slide 105
PCEF - Subscriber Policy Enforcement
Diagram: GGSN (access aggregation and service control) in the converged packet core, with the SCE acting as PCEF between subscribers and the Internet / video and VoIP applications and services
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Slide 106
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include
  Called-Station-Id
  3GPP-SGSN-IP-Address
  3GPP-SGSN-MCC-MNC
  3GPP-GPRS-Negotiated-QoS-Profile
  3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Slide 107
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
  Cisco bundled Collection Manager
  Third-party database
Configurable data granularity
  Interval between RDRs
  Sample rates
Slide 108
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
  TCP, binary encoded
  Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into 3rd-party systems
  Policy control, mediation, home-grown (customer)
Diagram: the SCE sends an RDR stream over TCP (RDR protocol) to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
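The record stream sketched on the slide above (a header followed by Field 0 .. Field n, delivered over TCP), as an added example that is not Cisco code and does not implement the real RDR wire format: the magic value, header layout, field types and record tag are assumptions chosen so that the part a collector has to get right can be shown, namely reassembling records that TCP delivers in arbitrary chunks and bounding what it buffers before it trusts a length field.

```python
"""Constructed streaming decoder for a binary record stream of the shape on the
slide: a header followed by Field 0 .. Field n, delivered over TCP. Not Cisco code and
not the real RDR wire format: magic, header layout and field types are assumptions
that let the buffering and bounds checks a collector needs be shown."""
import struct
from typing import List, Tuple

MAGIC = 0x5244                    # assumed record marker
HEADER = struct.Struct("!HIHI")   # magic, record tag, field count, total length
FIELD_HDR = struct.Struct("!BH")  # field type, value length
T_INT32, T_STR = 1, 2
MAX_RECORD = 64 * 1024            # refuse absurd lengths instead of buffering without bound

class RdrStreamDecoder:
    def __init__(self) -> None:
        self.buf = bytearray()
        self.records_decoded = 0

    def feed(self, chunk: bytes) -> List[Tuple[int, list]]:
        """Append one TCP segment; return every record completed by it."""
        self.buf += chunk
        out = []
        while len(self.buf) >= HEADER.size:
            magic, tag, nfields, length = HEADER.unpack_from(self.buf, 0)
            if magic != MAGIC:
                raise ValueError("stream desynchronised: bad magic")
            if length < HEADER.size or length > MAX_RECORD:
                raise ValueError(f"invalid record length {length}")
            if len(self.buf) < length:
                break                              # partial record: wait for more data
            fields = self._fields(self.buf[HEADER.size:length], nfields)
            del self.buf[:length]
            self.records_decoded += 1
            out.append((tag, fields))
        return out

    @staticmethod
    def _fields(body: bytearray, nfields: int) -> list:
        fields, off = [], 0
        for _ in range(nfields):
            if off + FIELD_HDR.size > len(body):
                raise ValueError("field header runs past record end")
            ftype, flen = FIELD_HDR.unpack_from(body, off)
            off += FIELD_HDR.size
            val = bytes(body[off:off + flen])
            if len(val) != flen:
                raise ValueError("field value runs past record end")
            off += flen
            if ftype == T_INT32:
                if flen != 4:
                    raise ValueError("int32 field with wrong length")
                fields.append(struct.unpack("!i", val)[0])
            elif ftype == T_STR:
                fields.append(val.decode("utf-8"))
            else:
                raise ValueError(f"unknown field type {ftype}")
        if off != len(body):
            raise ValueError("trailing bytes inside record")
        return fields

def encode_rdr(tag: int, fields: list) -> bytes:
    """Encoder for the same assumed framing, used to build the sample stream."""
    body = b""
    for f in fields:
        if isinstance(f, int):
            body += FIELD_HDR.pack(T_INT32, 4) + struct.pack("!i", f)
        else:
            raw = str(f).encode("utf-8")
            body += FIELD_HDR.pack(T_STR, len(raw)) + raw
    return HEADER.pack(MAGIC, tag, len(fields), HEADER.size + len(body)) + body

def demo() -> tuple:
    """Two constructed usage records (subscriber, bytes up, bytes down) arriving in
    three uneven chunks, as a TCP stream may split them across reads."""
    stream = encode_rdr(1001, ["Joe", 1500, 72000]) + encode_rdr(1001, ["Ann", 300, 9000])
    dec = RdrStreamDecoder()
    per_chunk, records = [], []
    for chunk in (stream[:5], stream[5:20], stream[20:]):
        got = dec.feed(chunk)
        per_chunk.append(len(got))
        records.extend(got)
    return per_chunk, records
```

The first two chunks complete no record (the second contains a full header but not the whole body); the third completes both. A bad magic or an implausible length is treated as desynchronisation and rejected rather than skipped over.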
Slide 109
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
  Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  SCE supports the new extensions
Records equivalent to existing RDR groups
  Subscriber Usage (NUR)
  Package Usage (PUR)
  Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: the SCE exports to the SCMS Collection Manager (feeding the SCMS Reporter) and to a NetFlow collector (feeding a NetFlow reporter)
Slide 110
Collection Manager: Software Overview
CM-Software
  Unix (Solaris, Linux) Java software
  Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  Template-driven reporting tool (100+ report templates)
CM-Bundle
  Cisco provides the collection software pre-packaged with a DB (Sybase)
  Template-driven reporting tool (100+ report templates)
Slide 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  Per package
  Per service
  Per direction (upstream / downstream)
Diagram: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP
Slide 112
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
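The ToS-byte handling behind the marking and classification slides above, as an added example written for this page (not SCE code). The marking table keyed by package, service and direction, the DSCP-to-flavor table and the package names are assumptions; the bit positions of DSCP, IP precedence and ECN are standard. The detail worth noticing is in `mark`: a rewrite that computes `dscp << 2` alone clears the two ECN bits, so the marker masks them back in.

```python
"""Constructed example of the ToS-byte arithmetic behind DSCP marking and
DSCP-based classification. Not Cisco code: the per-package/service/direction marking
table and the DSCP-to-flavor table are illustrative assumptions, not SCE defaults."""

def dscp_of(tos: int) -> int:
    """DSCP is the upper six bits of the ToS / DS byte."""
    return (tos >> 2) & 0x3F

def precedence_of(tos: int) -> int:
    """IP precedence is the upper three bits (the top three DSCP bits)."""
    return (tos >> 5) & 0x07

def mark(tos: int, dscp: int) -> int:
    """Rewrite the DSCP field but keep the two ECN bits, which a plain
    'tos = dscp << 2' would clear."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return (dscp << 2) | (tos & 0x03)

# Assumed marking table: (package, service, direction) -> DSCP.
MARKING = {
    ("gold", "voip", "upstream"): 46, ("gold", "voip", "downstream"): 46,          # EF
    ("gold", "browsing", "upstream"): 10, ("gold", "browsing", "downstream"): 10,  # AF11
    ("gold", "p2p", "upstream"): 8, ("gold", "p2p", "downstream"): 8,              # CS1
    ("silver", "voip", "upstream"): 26, ("silver", "voip", "downstream"): 26,      # AF31
}
# Assumed flavor table: a DSCP already set by another element wins over the
# signature result, as the slide states for DSCP-based classification.
DSCP_FLAVORS = {46: "voip", 34: "video"}

def classify(tos: int, signature_service: str) -> str:
    return DSCP_FLAVORS.get(dscp_of(tos), signature_service)

def process(package: str, direction: str, tos: int, signature_service: str) -> tuple:
    """Classify, then mark per package/service/direction; unknown combinations
    pass through with the ToS byte untouched."""
    service = classify(tos, signature_service)
    dscp = MARKING.get((package, service, direction))
    return service, (tos if dscp is None else mark(tos, dscp))
```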
Slide 113
Summary
Slide 114
Cisco SCE Sample Customers
Customer logos grouped by access type (images not recoverable): Mobile, DSL, Cable
Slide 115
Cisco SCE sample customers and partners by use case: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising (names as extracted; the table layout is not recoverable)
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Slide 116
Cisco SCE sample customers and partners by use case (continued): Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing (names as extracted; the table layout is not recoverable)
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Slide 117
Slide 53
Self-service portal screenshot (callouts)
  View previous months
  Current product and speed
  Extend monthly subscription volume
  Upgrade to other product
  Button to go from pay-as-you-go broadband to free smallband, or the other way around
Slide 54
Redirect Page
Redirect page shown when 100% of the quota is reached; three options are presented to the subscriber
  Extend subscription (buy more)
  Pay as you go on broadband
  Continue for free on narrowband
Slide 55
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan
  Revenue increase
40% reduction in service support calls relating to this service
  Increased customer service satisfaction
Slide 56
T-Mobile - Quota-Based With Application Control
Package          | Default | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB (six values extracted for seven columns; alignment not recoverable)
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
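A worked model of the quota-based packages on the slides above (the redirect page at 100% of quota and the T-Mobile allow/block matrix), as an added example that is not Cisco code. The matrix rows are transcribed from the slide; the `QuotaBucket` set/add/read operations mirror the Subscriber-Quotas operations named on the Subscriber Management slide; allowances are passed in per subscriber because the slide's allowance row cannot be aligned to its columns reliably; byte accounting, the three post-quota options and their effects are assumptions.

```python
"""Constructed model of a quota-based package with application control: the
Subscriber-Quotas set/add/read operations, the allow/block matrix transcribed from
the T-Mobile slide, and the redirect-to-portal behaviour at 100% of quota. Not Cisco
code: byte accounting, the three post-quota options and their effects are assumptions."""
from typing import Optional, Tuple

GB = 1024 ** 3
COLUMNS = ["Default", "WnW", "WnW Pro", "WnW Plus", "WnW Max", "Post Pay", "Day Pass"]
MATRIX = {  # one character per column: Y = allowed, N = blocked (from the slide)
    "VoIP":             "YNNNNYN",
    "IM":               "YNNNYYN",
    "P2P":              "YNYNYYN",
    "FTP":              "YNYNYYN",
    "Media Stream":     "YNYNYYN",
    "Web Browsing":     "YYYYYYY",
    "Downloads":        "YNYYYYY",
    "Emails":           "YYYYYYY",
    "Handset as modem": "YNYNYYN",
}

def app_allowed(package: str, app: str) -> bool:
    if package not in COLUMNS or app not in MATRIX:
        raise KeyError(f"unknown package/app {package!r}/{app!r}")
    return MATRIX[app][COLUMNS.index(package)] == "Y"

class QuotaBucket:
    """set / add / read on one usage bucket; a limit of None means unlimited."""
    def __init__(self, limit: Optional[int]):
        self.set(limit)

    def set(self, limit: Optional[int], used: int = 0) -> None:
        self.limit, self.used = limit, used

    def add(self, nbytes: int) -> None:
        if nbytes < 0:
            raise ValueError("usage only grows through add; use set to reset")
        self.used += nbytes

    def read(self) -> Tuple[int, Optional[int]]:
        return self.used, self.limit

    def exhausted(self) -> bool:
        return self.limit is not None and self.used >= self.limit

class Subscriber:
    def __init__(self, package: str, limit: Optional[int]):
        if package not in COLUMNS:
            raise KeyError(package)
        self.package = package
        self.quota = QuotaBucket(limit)
        self.post_quota: Optional[str] = None    # option chosen on the redirect page

    def choose_option(self, option: str, extra_bytes: int = 0) -> None:
        if option == "extend":                   # buy more volume on the same package
            if self.quota.limit is not None:
                self.quota.set(self.quota.limit + extra_bytes, self.quota.used)
        elif option in ("payg", "narrowband"):   # pay as you go / free narrowband
            self.post_quota = option
        else:
            raise ValueError(f"unknown option {option!r}")

    def decide(self, app: str, nbytes: int) -> str:
        """Verdict for one flow: ALLOW, BLOCK, REDIRECT, ALLOW charged or RATE narrowband."""
        if not app_allowed(self.package, app):
            return "BLOCK"
        if self.quota.exhausted():
            if self.post_quota == "payg":
                self.quota.add(nbytes)           # still metered, now for charging
                return "ALLOW charged"
            if self.post_quota == "narrowband":
                return "RATE narrowband"
            # Only web browsing can be sent to the portal; everything else waits.
            return "REDIRECT" if app == "Web Browsing" else "BLOCK"
        self.quota.add(nbytes)                   # the flow that crosses 100% completes
        return "ALLOW"
```

The check-then-add order means the flow that crosses the limit is allowed to finish and the next browsing flow is the one redirected; a deployment that must stop at exactly the limit would meter first and decide afterwards.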
Slide 57
European Mobile BB: Web 3G and Skype for Mobile
Take your online world with you: TV, PC and the web on your mobile
Business issue: Skype taking mobile minutes away
Use case description: SCE & PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
Slide 58
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
> 40%
Slide 59
Advanced Services
Slide 60
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": enhanced experience is subscriber-driven
  "Turbo Button", self-care, parental control
"Push": enhanced experience is application-driven
  Application awareness, control bus
Diagram: IPTV/VoD, broadband access, gaming, messaging, music, voice
Slide 61
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples
  Parental controls and content filtering: set Internet controls for children, including blocking access and imposing time limits on online use
  Bandwidth-on-demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
  Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
  Copyright infringement: validate that distributed content does not infringe copyrights
  Advertisement insertion: perform local advertisement insertions
  Security services: network-based security services to protect subscribers from attacks, or mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment
  Application-based control on a per-subscriber basis
  Integrates with the AAA/policy server to deliver a personalized broadband experience
Slide 62
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Slide 63
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via self-selection
Slide 64
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Turbo Button
Slide 65
Personalized Services: Self-Provisioned
  Quota management
  Turbo (bandwidth on demand)
  Application prioritization
  Reporting/monitoring
Slide 66
Personalized Reporting: Self-Managed
Slide 67
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
Slide 68
Example Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and black-lists
  Limits access to pre-defined web-sites
  Limits access to pre-approved applications
  HTTP redirect to portal
  Real-time policy change
Benefits
  Customer loyalty and stickiness
  Revenue opportunity through content provider partnership
Portal screenshot: "Content Blocked", "Click here to unlock all Internet sites"
Slide 69
URL Filtering With External DB
Enhance SCE URL classification with external-party databases
  External database size not constrained by the SCE
  SCE on-board cache reduces transactions to the external DB
  Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
Diagram (on-device URL filtering with external database integration): on a URL not in cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the SCE then updates its cache (cache lookup / update)
Subscriber package vs. HTTP list
Package        | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none     | ALLOW        | ALLOW          | ALLOW
Block-all      | ALLOW        | BLOCK          | BLOCK
Block-and-slow | ALLOW        | BLOCK          | RATE 64kbps
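On-device URL filtering with an on-board cache in front of an external database, applying the package action table on the slide above, as an added example written for this page (not Cisco's Java API and not Websense or Adaptive Mobile code). The external database stand-in and its contents, the cache TTL and size bound, and the host normalisation are assumptions; the package/list action table is transcribed from the slide.

```python
"""Constructed model of on-device URL filtering with an on-board cache in front
of an external URL database, applying the package action table from the slide.
Not Cisco code: the database stand-in, cache TTL/size bound and host normalisation
are assumptions."""
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Package -> HTTP list id -> action, transcribed from the slide's table.
PACKAGE_ACTIONS = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database (assumed interface)."""
    def __init__(self, entries: Dict[str, int]):
        self.entries = entries
        self.queries = 0                  # transactions the on-board cache should save

    def classify(self, host: str):
        self.queries += 1
        return self.entries.get(host, "DEFAULT")

def host_of(url: str) -> str:
    """Normalise the lookup key: lowercase host, no port, no trailing dot."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host.rstrip(".").lower()

class UrlFilter:
    def __init__(self, db: ExternalUrlDb, ttl: float = 300.0, max_entries: int = 10000):
        self.db, self.ttl, self.max_entries = db, ttl, max_entries
        self.cache: Dict[str, Tuple[object, float]] = {}   # host -> (list id, expiry)

    def lookup(self, host: str, now: float) -> Tuple[object, bool]:
        """Return (list id, cache_hit); the external DB is queried only on a miss."""
        entry = self.cache.get(host)
        if entry is not None and entry[1] > now:
            return entry[0], True
        list_id = self.db.classify(host)
        if len(self.cache) >= self.max_entries:          # bounded cache: evict soonest expiry
            del self.cache[min(self.cache, key=lambda h: self.cache[h][1])]
        self.cache[host] = (list_id, now + self.ttl)
        return list_id, False

    def decide(self, package: str, url: str, now: float) -> str:
        actions = PACKAGE_ACTIONS.get(package)
        if actions is None:
            raise KeyError(f"unknown package {package!r}")   # misconfiguration: fail loudly
        list_id, _ = self.lookup(host_of(url), now)
        # A list id the package has no explicit rule for falls back to the DEFAULT column.
        return actions.get(list_id, actions["DEFAULT"])

def demo() -> dict:
    db = ExternalUrlDb({"adult.example": 1, "games.example": 2})   # constructed entries
    f = UrlFilter(db, ttl=60)
    r1 = f.decide("Block-and-slow", "http://GAMES.example:8080/play", now=0)
    r2 = f.decide("Block-and-slow", "https://games.example/other", now=10)   # cache hit
    r3 = f.decide("Block-all", "adult.example", now=20)
    r4 = f.decide("Block-none", "http://adult.example/", now=30)            # cache hit
    r5 = f.decide("Block-all", "http://news.example/", now=40)             # DEFAULT list
    queries_before_expiry = db.queries
    r6 = f.decide("Block-and-slow", "http://games.example/", now=100)      # TTL expired
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5, "r6": r6,
            "queries_before_expiry": queries_before_expiry, "queries_after": db.queries}
```

Normalising the host before the cache lookup matters twice: it is what makes `GAMES.example:8080` and `games.example` share one cache entry, and it is what stops a trailing dot or mixed case from bypassing a list entry.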
Slide 70
Parental Control and Content Filtering: Example
Content filtering portal screenshot: "Page Blocked: Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
Slide 71
SPs Participating in the Advertising Value Chain
Diagram: advertiser, publisher and consumer, with the ISP contributing demographics, browsing habits and geo-location to "BetterAds"
Leveraging their intimacy with their customer base to enable enhanced targeting
Slide 72
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
  SPs participating in the advertising value chain
  Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
Slide 73
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising
  Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
  Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
  Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring (diagram)
  1. Subscribers browse the web
  2. SCE mirrors relevant traffic to profiling servers
  3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit...)
Slide 74
P2P Identification: Infringing / Non-Infringing
Diagram
  1. Subscriber initiates a P2P file request
  2. SCE extracts the file hash and consults the hash DB
  3. DB responds with the file classification (infringing / legal)
  4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Slide 75
Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
  Saves on peering bandwidth
  Clears network congestion
  Increases user satisfaction
Diagram: the SCE sits between subscribers and the Internet, with other OTT/P2P and VoIP traffic passing through; the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Slide 76
Service Security Challenges
Key challenges
  Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
  No mandatory security tools: end-users may not have any security protection
  End-users are not educated on security best practices
  New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
  Increased cost for the carrier from network management and downtime
  Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Slide 77
Service Security Protection
Mitigates security threats in the open broadband network
  DoS: DoS attacks from subscribers
  Spam: spam activity from botnets or malicious users
  Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
  Identify: identify the threat using stateful traffic processing and alert SP operations
  Protect: block/mitigate the threat based on configured policy
  Notify: quarantine the subscriber and notify them of the security risk
Diagram: Service Control between subscribers, email servers and the Internet; sample notification
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
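The identify / protect / notify tiers on the slide above, run over constructed flow records, as an added example that is not Cisco code: the record layout, the thresholds, the mitigation actions and the notification channels are assumptions chosen to illustrate the three anomaly classes the slide names (DoS, spam, worms). The detectors are deliberately per-subscriber counters over distinct peers and packet volumes, which is the kind of stateful aggregate an anomaly tier works on, rather than payload signatures.

```python
"""Constructed example of the identify / protect / notify tiers over sample flow
records. Not Cisco code: the CSV record layout, thresholds and actions are assumptions
chosen to illustrate the three anomaly classes on the slide (DoS, spam, worms)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed flow records: time, subscriber IP, destination, proto, dport,
# whether only SYNs were seen (no handshake completed), and packet count.
SAMPLE_FLOWS = """\
ts,sub,dst,proto,dport,syn_only,pkts
1,10.0.0.5,203.0.113.10,tcp,25,0,12
2,10.0.0.5,203.0.113.11,tcp,25,0,9
3,10.0.0.5,203.0.113.12,tcp,25,0,8
4,10.0.0.5,203.0.113.13,tcp,25,0,7
5,10.0.0.5,203.0.113.14,tcp,25,0,11
20,10.0.0.9,198.51.100.7,tcp,80,1,5000
21,10.0.0.11,198.51.100.8,tcp,443,0,40
""" + "".join(f"{10 + i},10.0.0.7,192.0.2.{i},tcp,445,1,1\n" for i in range(1, 9))

THRESHOLDS = {"spam_smtp_dsts": 5, "scan_syn_only_dsts": 8, "dos_pkts_single_dst": 1000}
ACTIONS = {"spam": "block outbound TCP/25", "worm": "quarantine", "dos": "rate-limit"}

def parse_flows(text: str) -> list:
    return [{"ts": int(r["ts"]), "sub": r["sub"], "dst": r["dst"], "proto": r["proto"],
             "dport": int(r["dport"]), "syn_only": r["syn_only"] == "1", "pkts": int(r["pkts"])}
            for r in csv.DictReader(StringIO(text))]

def identify(flows: list, th: dict = THRESHOLDS) -> list:
    """Tier 1: stateful counters per subscriber; returns (sub, kind, evidence) tuples."""
    smtp_dsts = defaultdict(set)                          # sub -> distinct SMTP peers
    scan_dsts = defaultdict(lambda: defaultdict(set))     # sub -> port -> SYN-only peers
    pkts_to = defaultdict(int)                            # (sub, dst) -> packets
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 25:
            smtp_dsts[f["sub"]].add(f["dst"])
        if f["syn_only"]:
            scan_dsts[f["sub"]][f["dport"]].add(f["dst"])
        pkts_to[(f["sub"], f["dst"])] += f["pkts"]
    findings = []
    for sub, dsts in smtp_dsts.items():
        if len(dsts) >= th["spam_smtp_dsts"]:
            findings.append((sub, "spam", f"{len(dsts)} distinct SMTP destinations"))
    for sub, ports in scan_dsts.items():
        for port, dsts in ports.items():
            if len(dsts) >= th["scan_syn_only_dsts"]:
                findings.append((sub, "worm", f"SYN-only to {len(dsts)} hosts on port {port}"))
    for (sub, dst), n in pkts_to.items():
        if n >= th["dos_pkts_single_dst"]:
            findings.append((sub, "dos", f"{n} packets to {dst}"))
    return findings

def protect(findings: list) -> dict:
    """Tier 2: map each finding to the configured mitigation."""
    return {(sub, kind): ACTIONS[kind] for sub, kind, _ in findings}

def notify(findings: list) -> dict:
    """Tier 3: quarantined subscribers see a portal notice; others get a message."""
    notes = {}
    for sub, kind, why in findings:
        channel = "portal" if ACTIONS[kind] == "quarantine" else "email"
        notes[sub] = (channel, f"Unusual {kind}-like activity was detected from your connection ({why}).")
    return notes

def run(text: str = SAMPLE_FLOWS) -> tuple:
    findings = identify(parse_flows(text))
    return findings, protect(findings), notify(findings)
```

Thresholds are passed in rather than hard-coded so the same detectors can be tuned per deployment; the second assertion in the test shows that raising them slightly silences all three constructed cases, which is the tuning trade-off the dashboard's "identification thresholds" setting exposes.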
Slide 78
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Slide 79
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 behind the SCE on a Carrier Ethernet / MPLS / IP network, a VAS server attached to the SCE, and the Internet; inbound and outbound traffic are shown and "X" marks traffic blocked
  1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
  2. The SCE identifies that the subscriber's traffic flows match the Virus Protection Package
  3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
  4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine
Slide 80
Network Insertion and Configuration
Slide 81
Network Insertion Point
Typical insertion point - broadband edge/aggregation
  Directly after the subscriber aggregator (B-RAS / CMTS / Retail LNS)
  Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
  Traffic visibility (the engine must see all traffic it needs to control)
  Network interfaces
  Split-flow
  Network redundancy
  IP tunneling environment
Slide 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: analysis engine applying PDR (police / drop / rewrite) actions
Slide 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
  Using optical splitters / port SPAN
  Traffic monitoring only
Inline configuration
  Engine installed in the data path
  Monitor and control traffic
Diagram: optical splitters between subscribers and the network feeding the receive-only SCE
Slide 84
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
  Slave forwards all traffic to Master for processing
  Master updates Slave with subscriber policy state information
  Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Slide 85
Redundant Configurations: Active/Standby Schemes
1+0
  Active/standby: SCE on the active link only
  On failure the network uses the alternate path
  No service redundancy
  Bypass config: fail open
1+1
  Active/standby: SCE on each link
  On failure the network uses the alternate path
  Standby SCE resumes service
  Bypass config: fail open
Diagram: one active link and standby links
Slide 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases
  In case of a major failure in the SCE SW or HW
  Manually via CLI
  On boot
Diagram: SCE8000 with optical bypass modules on its ports; default bypass state (no power) vs. non-default bypass state
Slide 87
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept
  The 7600 dispatches the flows to a unique port served by an SCE
  The SCE performs the DPI functionality and returns the packets to the original data path
  All the flows of a subscriber are dispatched to the same SCE, to maintain flow & subscriber state
Diagram: 7600 in front of N+1 SCEs, flows out and return flows back, towards the Internet
Slide 88
Network Architectures: SCE's Open & Extensible Architecture
Diagram: DSL/fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN, with SCEs inserted in N+1, 1+1 HA and bypass HA configurations towards the Internet; accounting / policy control attached
Slide 89
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including
  VLAN 802.1q tagging
  MPLS traffic engineering
  L2TP tunneling
  IP-in-IP tunneling
  GRE & GTP planned for end of 2009
Diagram: encapsulation stacks inspected through to the payload, e.g. l2tp/mpls + IP + TCP + payload, and ppp + IP + TCP + payload
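Walking the encapsulation stack down to the inner headers, as the slide above describes, as an added example written for this page (not SCE code). It handles 802.1q (including stacked tags), MPLS label stacks and IP-in-IP; L2TP/PPP, GRE and GTP are deliberately rejected rather than guessed at. The sample frame is constructed inline with zero checksums, and every header read is bounds-checked first so a truncated frame produces a clean error rather than an index fault.

```python
"""Constructed example of walking a frame's encapsulation stack (802.1q, MPLS,
IP-in-IP) down to the inner IP/TCP headers that an inspection engine classifies on.
Not Cisco code: the parser and the sample frame are written here; L2TP/PPP, GRE and
GTP are not implemented, and such frames are rejected rather than misparsed."""
import struct

ETH_VLAN, ETH_MPLS_UC, ETH_IPV4 = 0x8100, 0x8847, 0x0800
PROTO_IPIP, PROTO_TCP, PROTO_UDP = 4, 6, 17

def _need(buf: bytes, off: int, n: int, what: str) -> None:
    if len(buf) < off + n:
        raise ValueError(f"truncated {what}")

def parse_frame(frame: bytes) -> dict:
    """Returns the encapsulation layers seen plus the innermost IP/transport tuple."""
    _need(frame, 0, 14, "Ethernet header")
    layers, off = ["eth"], 14
    etype = struct.unpack("!H", frame[12:14])[0]
    while etype == ETH_VLAN:                       # one loop pass per tag (QinQ-safe)
        _need(frame, off, 4, "802.1q tag")
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        layers.append(f"vlan {tci & 0x0FFF}")
        off += 4
    if etype == ETH_MPLS_UC:
        while True:
            _need(frame, off, 4, "MPLS label")
            (entry,) = struct.unpack("!I", frame[off:off + 4])
            off += 4
            layers.append(f"mpls {entry >> 12}")
            if entry & 0x100:                      # bottom-of-stack bit
                break
        # MPLS carries no next-protocol field: infer IPv4 from the version nibble.
        _need(frame, off, 1, "MPLS payload")
        if frame[off] >> 4 != 4:
            raise ValueError("non-IPv4 payload below MPLS is not supported")
        etype = ETH_IPV4
    if etype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{etype:04x}")
    return _parse_ipv4(frame, off, layers)

def _parse_ipv4(buf: bytes, off: int, layers: list) -> dict:
    _need(buf, off, 20, "IPv4 header")
    ver_ihl, proto = buf[off], buf[off + 9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    _need(buf, off, ihl, "IPv4 options")
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    layers.append("ipv4")
    off += ihl
    if proto == PROTO_IPIP:                        # IP-in-IP: another IPv4 header follows
        return _parse_ipv4(buf, off, layers)
    if proto in (PROTO_TCP, PROTO_UDP):
        _need(buf, off, 4, "transport header")
        sport, dport = struct.unpack("!HH", buf[off:off + 4])
        layers.append("tcp" if proto == PROTO_TCP else "udp")
        return {"layers": layers, "src": src, "dst": dst, "sport": sport, "dport": dport}
    raise ValueError(f"unsupported IP protocol {proto}")

# --- constructed sample frame (checksums left zero; irrelevant for header walking) ---
def ipv4_hdr(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    def pack_ip(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       pack_ip(src), pack_ip(dst))

def sample_vlan_mpls_ipip_tcp() -> bytes:
    """Ethernet / 802.1q VLAN 100 / MPLS label 16 / IPv4 / IPv4 / TCP SYN to port 443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    inner = ipv4_hdr("10.1.1.5", "198.51.100.9", PROTO_TCP, len(tcp)) + tcp
    outer = ipv4_hdr("192.0.2.1", "192.0.2.2", PROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!I", (16 << 12) | 0x100)           # label 16, S bit set, TTL 0
    vlan = struct.pack("!HH", 100, ETH_MPLS_UC)            # VID 100, next ethertype MPLS
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_VLAN)
    return eth + vlan + mpls + outer
```

Two properties matter for an inline engine: the classification is taken from the innermost headers (the tunnel endpoints 192.0.2.1/2 never appear in the result), and an encapsulation the parser does not understand is reported as such instead of being classified on the wrong header.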
Slide 90
Management and Integration
Slide 91
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
Diagram: the Service Control Engine sits between subscribers and the network; the Subscriber Manager integrates with AAA (DHCP, RADIUS) and billing; the Collection Manager feeds the reporting tool; also shown are the Engage console, the service portal and the policy server / portal
Slide 92
Management and Integrations
Area                         | Description                                              | Protocols and Tools       | External Software Modules
Network Management           | FCAPS                                                    | SNMP, CLI, SSH            | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices   | SCA-API, GUI, scripts, XML| Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts                | SM API, RADIUS            | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing       | NetFlow v9, RDR-Protocol  | Collection Manager
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
Redirect Page
Redirect page shown when 100% of the quota is reached. Three options are presented to the subscriber:
Extend subscription (buy more)
Pay as you go on broadband
Continue for free on narrowband
Quota Based Services - Results
15% of subscribers reaching their quota limit elect every month to move to a 'charge by the MB' plan
Revenue increase
40% reduction in service support calls relating to this service
Increased customer service satisfaction
T-Mobile - Quota-Based With Application Control

Plan             | Default   | WnW | WnW Pro | WnW Plus | WnW Max | Post Pay | Day Pass
Allowance        | Unlimited | 2GB | 2GB     | 1GB      | 3GB     | 10GB     |
VoIP             | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ | ✗
IM               | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ | ✗
P2P              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
FTP              | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Media Stream     | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
Web Browsing     | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Downloads        | ✓ | ✗ | ✓ | ✓ | ✓ | ✓ | ✓
Emails           | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Handset as modem | ✓ | ✗ | ✓ | ✗ | ✓ | ✓ | ✗
(✓ = allowed, ✗ = blocked)
European Mobile BB: Web 3G and Skype for Mobile
"Take your online world with you: TV, PC and the web on your mobile"
Business issue: Skype taking mobile minutes away
Use case description: SCE and PGW 2200 allow Skype users to be routed to mobile phones over the PLMN
Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype
European Mobile Volume Quota
http://www.vodafone.es/particulares/internet
> 40
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's First Subscriber- and/or Application-Driven Solution
"Pull": Enhanced Experience Is Subscriber-Driven (Turbo Button, Self-Care, Parental Control)
"Push": Enhanced Experience Is Application-Driven (Application Awareness, Control Bus)
Diagram: Broadband Access carrying IPTV/VoD, Gaming, Messaging, Music, Voice
Service Creation: SCE's Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering: Set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): A turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: Choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: Validate that distributed content does not infringe copyrights
Advertisement Insertion: Perform local advertisement insertions
Security Services: Network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with the AAA/policy server to deliver a personalized broadband experience
Self-Subscription Service Via Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
Personalized Subscriber Management: Self Service Selection Example
Simplifies the end user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via Self Selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting/Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering
Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
Portal message: "Content Blocked - Click here to unlock all Internet sites"
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
On-device URL filtering with external database integration: on a cache miss (URL not in cache) the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the cache is updated with the result.

Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none         | ALLOW        | ALLOW          | ALLOW
Block-all          | ALLOW        | BLOCK          | BLOCK
Block-and-slow     | ALLOW        | BLOCK          | RATE 64kbps
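An added example in Python, not the page's or Cisco's code, of the cache-in-front-of-external-database flow and the action matrix above. The external database is a constructed dictionary standing in for the Websense or Adaptive Mobile integration (the real one goes over the Java API); the TTL, the host-normalisation rules and the hostnames are assumptions. It shows the check a practitioner wants on a cached classifier: the cache key must be the normalised host, or trivial variants of a listed site (upper case, a trailing dot, a percent-encoded dot, an explicit port) miss the cache and can miss the list as well. Unlisted hosts are cached too, so an unknown site costs one external round trip rather than one per request.

```python
"""URL classification with an on-box cache in front of an external URL database, plus the
per-package action matrix from the slide. Constructed example, not SCE code."""
import time
from urllib.parse import unquote, urlsplit

# Action matrix from the slide: subscriber package -> {list id: action}; "DEFAULT" = unlisted site
ACTIONS = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Constructed stand-in for the 3rd-party URL database (host -> list id); assumption, not vendor data
EXTERNAL_DB = {"adult.example": 1, "games.example": 2}


def normalize_host(url):
    """Canonical lookup key: lower case, no trailing dot, no percent-encoding, no port or userinfo,
    so 'ADULT.example.' and 'adult%2Eexample:8080' map to the same cache entry as 'adult.example'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = unquote(parts.hostname or "")      # .hostname is already lower-cased and port-free
    return host.lower().rstrip(".")           # lower again: unquote may have produced upper case


class URLFilter:
    def __init__(self, external_db, ttl=300.0, clock=time.monotonic):
        self.db = external_db
        self.ttl = ttl                        # assumed cache lifetime in seconds
        self.clock = clock                    # injectable for tests
        self.cache = {}                       # host -> (list id or "DEFAULT", expiry)
        self.external_queries = 0             # how many URL Query round trips were needed

    def classify(self, url):
        """Cache lookup; on a miss query the external DB and update the cache (negative answers too)."""
        host = normalize_host(url)
        now = self.clock()
        hit = self.cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.external_queries += 1
        list_id = self.db.get(host, "DEFAULT")
        self.cache[host] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package, url):
        """Apply the package's row of the action matrix to the URL's classification."""
        return ACTIONS[package][self.classify(url)]


if __name__ == "__main__":
    f = URLFilter(EXTERNAL_DB)
    for pkg, url in [("Block-and-slow", "http://ADULT.example./index.html"),
                     ("Block-and-slow", "https://games.example/play"),
                     ("Block-all", "http://news.example/")]:
        print(pkg, url, "->", f.decide(pkg, url))
    print("external queries:", f.external_queries)
```

The cache is keyed on the normalised host only, which matches a host-level list; a path-level list would need the path in the key as well, and the same normalisation care applied to it.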
Parental Control and Content Filtering: Example
Content Filtering: "Page Blocked - Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
BetterAds: SPs participating in the advertising value chain
The ISP leverages its intimacy with its customer base (demographics, browsing habits, geo-location) to enable enhanced targeting between advertiser, publisher and consumer
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2-3. SCE extracts the file hash and consults the hash DB; the DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE and OTT Video Cache; traffic classes OTT, Other OTT, P2P, VoIP; SCE redirects OTT traffic; cache delivers the requested files
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking)
Effect on SP business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: Spam activity from botnets or malicious users
Worms: Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: Identify the threat using stateful traffic processing and alert SP operations
Protect: Block/mitigate the threat based on configured policy
Notify: Quarantine the subscriber and notify them of the security risk
Diagram: Subscriber, Service Control, Email Servers, Internet
Sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
1. Subscriber (User 1) attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection Package
3. The VAS server receives the traffic from the SCE, with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine
Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - VAS Server - Internet; inbound and outbound traffic; X = traffic blocked
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: Analysis Engine applying PDR (Police / Drop / Rewrite) actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: Subscribers - optical splitter - SCE - optical splitter - Network
High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 Active/Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail-open
1+1
Active/Standby: SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass configuration: fail-open
Diagram: one active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Diagram: SCE8000 with optical bypass; default bypass state (no power) vs. non-default bypass state
MGSCP Cluster Insertion - N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability - "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability - provides N+1 device-level high availability, addressing all failure scenarios
Technical concept: the Cisco 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
Diagram: N+1 SCEs behind the 7600; flows out, return flows back; Internet
Network Architectures: SCE's Open and Extensible Architecture
Diagram: Mobile access (GGSN) and DSL/Fiber access (BRAS, LAC/LNS) feeding SCEs in 1+1 HA, Bypass HA and N+1 configurations, with Accounting/Policy Control, towards the Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Packet inspection of encapsulated stacks such as [L2TP / MPLS | IP | TCP | Payload] and [PPP | IP | TCP | Payload]
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Subscribers - Service Control Engine - Network; Subscriber Manager with AAA, DHCP, RADIUS and Billing; Collection Manager with Reporting Tool; Engage Console; Service Portal; Policy Server/Portal
Management and Integrations

Area                         | Description                                            | Protocols and Tools        | External Software Modules
Network Management           | FCAPS                                                  | SNMP, CLI, SSH             | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management        | Dynamic management of subscriber contexts              | SM API, RADIUS             | Subscriber Manager
Data Collection              | Collection of usage data for reporting and billing     | NetFlow v9, RDR-Protocol   | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Note: SNMPv2 community strings and Telnet sessions travel in cleartext; keep both on the management network and prefer SSH for CLI access.
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management oper
ations
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a Top Subscriber to activate that subscriber's real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager - Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to the relevant SCE device
Pull: SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Components: B-RAS, RADIUS server, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller), SCE, subscribers
1. (RADIUS) B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start is relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM API) Set Subscriber (Joe, 1.2.3.4, 12); the SM stores the mapping in the internal SDB and the SCE device controller pushes the login to the SCE
Subscriber Manager: RADIUS Integration - Pull
Components: B-RAS, RADIUS server, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device controller), SCE, subscribers
1. (RADIUS) B-RAS sends Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start is relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12; the SM stores the mapping in the internal SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM API) Set Subscriber (Joe, 1.2.3.4, 12) is returned to the SCE
RADIUS Integration: LEG Translation in Brief
RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG)
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG)
DHCP fields: yiaddr, chaddr, ciaddr
DHCP options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
The LEG translates these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
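An added example in Python, not Cisco's LEG code, of the RADIUS side of the translation above: an Accounting-Request from a GGSN is verified against the shared secret, its attributes (including the Cisco and 3GPP vendor-specific ones the deck names on the Gx and RADIUS VSAs slide) are decoded, and an SM login or logout record is produced. Attribute numbers follow RFC 2865/2866 and 3GPP TS 29.061 (vendor 10415); the shared secret, the identities, the addresses and the assumption that SCE-VAS-PID travels as a cisco-avpair string (vendor 9, type 1) are constructed for the example. The authenticator check is the step a sniffing or listening LEG must not skip: a LEG that accepts accounting packets without it lets anyone who can inject an Acct-Start on the management network bind an arbitrary IP to any subscriber and inherit that subscriber's package.

```python
"""RADIUS accounting LEG: turn an Acct-Start/Stop into a Subscriber Manager login/logout.
Constructed example, not Cisco code; secret, identities and the avpair carrying the
package id are assumptions. Attribute numbers: RFC 2865/2866 and 3GPP TS 29.061."""
import hashlib
import hmac
import ipaddress
import struct

ACCT_REQUEST = 4                                     # RADIUS code (RFC 2866)
USER_NAME, FRAMED_IP, VSA, NAS_ID, ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO, CISCO_AVPAIR = 9, 1                    # cisco-avpair "key=value" strings
VENDOR_3GPP = 10415                                  # sub-attribute numbers from TS 29.061
TGPP_NAMES = {5: "3GPP-GPRS-Negotiated-QoS-Profile", 6: "3GPP-SGSN-Address",
              13: "3GPP-Charging-Characteristics", 18: "3GPP-SGSN-MCC-MNC"}


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor, vtype, value):
    """Vendor-Specific: type 26, length, vendor id, then vendor-type/vendor-length/value."""
    return attr(VSA, struct.pack("!I", vendor) + attr(vtype, value))


def build_acct_request(secret, ident, attrs):
    """Request Authenticator = MD5(code | id | length | 16 zero bytes | attributes | secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def verify_acct_request(pkt, secret):
    """False for anything whose authenticator does not match under the shared secret."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_attributes(pkt):
    """{type: [values]} for plain attributes, {(vendor, vendor_type): [values]} for VSAs."""
    attrs = {}
    i = 20
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        value = pkt[i + 2:i + alen]
        if atype == VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if j + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("malformed VSA")
                attrs.setdefault((vendor, vtype), []).append(value[j + 2:j + vlen])
                j += vlen
        else:
            attrs.setdefault(atype, []).append(value)
        i += alen
    return attrs


def leg_translate(pkt, secret):
    """The LEG mapping from the slide: RADIUS attributes -> SM login/logout record."""
    if not verify_acct_request(pkt, secret):
        raise ValueError("bad Request Authenticator; packet dropped")
    a = parse_attributes(pkt)
    status = struct.unpack("!I", a[ACCT_STATUS][0])[0]
    subscriber = a[USER_NAME][0].decode()
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP][0]))
    if status == ACCT_STOP:
        return {"op": "logout", "subscriber_id": subscriber, "mappings": [ip]}
    policy = None
    for pair in a.get((VENDOR_CISCO, CISCO_AVPAIR), []):
        key, _, val = pair.decode().partition("=")
        if key == "SCE-VAS-PID":                     # package id, as in the push/pull slides
            policy = int(val)
    tgpp = {}
    for key, values in a.items():
        if isinstance(key, tuple) and key[0] == VENDOR_3GPP:
            name = TGPP_NAMES.get(key[1], "3GPP-%d" % key[1])
            raw = values[0]
            tgpp[name] = str(ipaddress.IPv4Address(raw)) if key[1] == 6 else raw.decode()
    return {"op": "login", "subscriber_id": subscriber,
            "domain": a[NAS_ID][0].decode() if NAS_ID in a else None,
            "mappings": [ip], "policy": policy, "attributes": tgpp}


SECRET = b"s3cret-shared-with-the-ggsn"              # assumption
_COMMON = [                                          # constructed sample attributes
    attr(USER_NAME, b"Joe"),
    attr(FRAMED_IP, ipaddress.IPv4Address("1.2.3.4").packed),
    attr(NAS_ID, b"ggsn-1"),
    vsa(VENDOR_CISCO, CISCO_AVPAIR, b"SCE-VAS-PID=12"),
    vsa(VENDOR_3GPP, 6, ipaddress.IPv4Address("10.0.0.5").packed),
    vsa(VENDOR_3GPP, 18, b"26201"),
    vsa(VENDOR_3GPP, 13, b"0800"),
]
SAMPLE_START = build_acct_request(SECRET, 7, [attr(ACCT_STATUS, struct.pack("!I", ACCT_START))] + _COMMON)
SAMPLE_STOP = build_acct_request(SECRET, 8, [attr(ACCT_STATUS, struct.pack("!I", ACCT_STOP))] + _COMMON)

if __name__ == "__main__":
    print(leg_translate(SAMPLE_START, SECRET))
    print(leg_translate(SAMPLE_STOP, SECRET))
```

A passive SCE-Sniffer LEG holds the same shared secret as the RADIUS server in order to run this check; if that is not acceptable, the listener should only act on accounting traffic the RADIUS server has already accepted and relayed, which is the relay arrangement drawn on the push and pull slides.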
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C and Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning
NetFlow v9 - allows integration for billing/quota provisioning
Policy Server Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID, together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: Policy Server - (API) - Subscriber Manager - (API) - SCE
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Diagram: GGSN - Access Aggregation and Service Control (PCEF SCE) - Converged Packet Core - Internet; Subscriber Service Control; Video/VoIP Applications and Services
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Diagram: SCE - RDR Protocol over TCP - Mediation/Collection Platform; an RDR stream is a sequence of RDRs, each consisting of a Header followed by Field 0, Field 1, ..., Field n
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)
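An added example in Python, not SCE or Collection Manager code, of NetFlow v9 export and collection. Only standard RFC 3954 field types are used; the L7 field IDs of the Cisco pre-standard are not given on this page and are not invented here. The exporter, its source ID, the sequence numbers and the two usage records are constructed. What it demonstrates is the v9 failure mode a collector must handle: a data flowset can only be decoded with the template the exporter sent earlier, and templates arrive in separate packets that can be late or lost, so records for a not-yet-seen template are held and replayed once the template shows up, rather than parsed by guesswork.

```python
"""NetFlow v9 (RFC 3954) export and collection. Constructed example, not SCE code:
standard field types only, exporter identity and records are made up."""
import struct

FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
TEMPLATE_ID = 256                                     # data template IDs start at 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]   # (type, length)
SOURCE_ID = 1                                         # the exporting device; assumed


def _header(count, seq, source_id=SOURCE_ID):
    # version, record count, sysUptime, unix secs, sequence, source id (timestamps zeroed here)
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id)


def _encode(ftype, flen, value):
    if ftype in IPV4_FIELDS:
        return bytes(int(o) for o in value.split("."))
    return int(value).to_bytes(flen, "big")


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def template_packet(seq):
    """FlowSet ID 0 carries templates: template id, field count, then (type, length) pairs."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE)
    return _header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def data_packet(seq, records):
    """Data FlowSet: id = template id, records laid out in template order, padded to 4 bytes."""
    body = b"".join(_encode(t, l, rec[FIELD_NAMES[t]]) for rec in records for t, l in TEMPLATE)
    pad = (-len(body)) % 4
    flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(body) + pad) + body + bytes(pad)
    return _header(len(records), seq) + flowset


class V9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(type, length)]
        self.pending = {}     # (source_id, template_id) -> data bodies seen before their template
        self.flows = []

    def ingest(self, pkt):
        """Parse one export packet; returns the total number of decoded flows so far."""
        if len(pkt) < 20:
            raise ValueError("truncated header")
        version, _count, _uptime, _secs, _seq, src = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not NetFlow v9")
        i = 20
        while i + 4 <= len(pkt):
            fsid, flen = struct.unpack("!HH", pkt[i:i + 4])
            if flen < 4 or i + flen > len(pkt):
                raise ValueError("bad flowset length at offset %d" % i)
            body = pkt[i + 4:i + flen]
            if fsid == 0:
                self._templates(src, body)
            elif fsid >= 256:
                self._data(src, fsid, body)
            # fsid 1 (options template) and 2-255 (reserved) are skipped here
            i += flen
        return len(self.flows)

    def _templates(self, src, body):
        j = 0
        while j + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[j:j + 4])
            j += 4
            fields = [struct.unpack("!HH", body[j + 4 * k:j + 4 * k + 4]) for k in range(nfields)]
            j += 4 * nfields
            self.templates[(src, tid)] = fields
            for late in self.pending.pop((src, tid), []):   # replay data that arrived early
                self._data(src, tid, late)

    def _data(self, src, tid, body):
        fields = self.templates.get((src, tid))
        if fields is None:                                 # template unknown: hold, do not guess
            self.pending.setdefault((src, tid), []).append(body)
            return
        rec_len = sum(l for _, l in fields)
        j = 0
        while j + rec_len <= len(body):                    # trailing bytes < rec_len are padding
            rec = {}
            for t, l in fields:
                rec[FIELD_NAMES.get(t, "FIELD_%d" % t)] = _decode(t, body[j:j + l])
                j += l
            self.flows.append(rec)


SAMPLE_FLOWS = [   # constructed usage records
    {"IPV4_SRC_ADDR": "10.1.1.7", "IPV4_DST_ADDR": "203.0.113.9", "L4_SRC_PORT": 51234,
     "L4_DST_PORT": 443, "PROTOCOL": 6, "IN_BYTES": 1500, "IN_PKTS": 12},
    {"IPV4_SRC_ADDR": "10.1.1.8", "IPV4_DST_ADDR": "198.51.100.2", "L4_SRC_PORT": 6881,
     "L4_DST_PORT": 6881, "PROTOCOL": 17, "IN_BYTES": 64000, "IN_PKTS": 50},
]


def decode_out_of_order():
    """Data packet first, template second: returns (bodies held, flows decoded afterwards)."""
    c = V9Collector()
    c.ingest(data_packet(1, SAMPLE_FLOWS))
    held = len(c.pending.get((SOURCE_ID, TEMPLATE_ID), []))
    c.ingest(template_packet(2))
    return held, c.flows


if __name__ == "__main__":
    held, flows = decode_out_of_order()
    print("held before template:", held)
    for f in flows:
        print(f)
```

Templates are keyed by (source ID, template ID) because template IDs are only unique per exporter; two SCEs exporting to one collector can legitimately reuse ID 256 for different layouts.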
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application is classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per package
- Per service
- Per direction (upstream / downstream)
Diagram: Subscriber side - SCE - Network side; upstream and downstream flows for Browsing, P2P, VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Because the DSCP value overrides signature-based classification, it must be set or re-marked by a trusted network element; a DSCP value chosen by the subscriber's own host should not be honored on the subscriber side.
Summary
Cisco SCE Sample Customers (Mobile, DSL, Cable)
Partners and customers by solution area
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local partners in China and Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Quota Based Services - Results
- 15% of subscribers reaching their quota limit elect every month to move to a "charge by the MB" plan; revenue increase
- 40% reduction in service-support calls relating to this service; increased customer-service satisfaction

T-Mobile - Quota-Based With Application Control

Application       Default  WnW  WnW Pro  WnW Plus  WnW Max  Post Pay  Day Pass
VoIP              √        ×    ×        ×         ×        √         ×
IM                √        ×    ×        ×         √        √         ×
P2P               √        ×    √        ×         √        √         ×
FTP               √        ×    √        ×         √        √         ×
Media Stream      √        ×    √        ×         √        √         ×
Web Browsing      √        √    √        √         √        √         √
Downloads         √        ×    √        √         √        √         √
Emails            √        √    √        √         √        √         √
Handset as modem  √        ×    √        ×         √        √         ×

Allowance per plan, in slide order: Unlimited, 2GB, 2GB, 1GB, 3GB, 10GB

European Mobile BB: Web 3G and Skype for Mobile
- Offer: "Take your online world with you: TV, PC and the web on your mobile"
- Business issue: Skype taking mobile minutes away
- Use case: the SCE and PGW 2200 allow Skype calls to be routed to mobile phones over the PLMN
- Business benefits: Skype becomes chargeable minutes again; non-IP-capable phones can use Skype

European Mobile Volume Quota
- Example: Vodafone Spain consumer internet offer, http://www.vodafone.es/particulares/internet

Advanced Services

Dynamic Personalized Services: Enhanced Quality of Experience
- Industry's first subscriber- and/or application-driven solution
- "Pull": the enhanced experience is subscriber-driven (turbo button, self-care, parental control)
- "Push": the enhanced experience is application-driven (application awareness, control bus)
[Figure: services over broadband access: IPTV/VoD, gaming, messaging, music, voice]

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
- Parental controls and content filtering: set internet controls for children, including blocking access and imposing time limits on online use
- Bandwidth on demand (turbo button): boost bandwidth for a set or open-ended period of time, or for the life of a specific application
- Allowance-based subscription services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
- Copyright infringement: validate that distributed content does not infringe copyrights
- Advertisement insertion: perform local advertisement insertions
- Security services: network-based security services that protect subscribers from attacks or mitigate the risks of attacks emanating from the subscriber
Rich service-creation environment:
- Application-based control on a per-subscriber basis
- Integrates with the AAA/policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
- Enable zero-touch provisioning for full self-service account setup
- Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalize per user, including self-subscription and account refresh (e.g. activation of a new consumer service)
- Personalization via self-selection

Bandwidth on Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed internet service may visit a web page on the provider's site and click a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.

Personalized Services: Self-Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example Content Tiering - "Kids Broadband"
- Application- and content-based access control with white-lists and blacklists
- Limits access to pre-defined web sites
- Limits access to pre-approved applications
- HTTP redirect to a portal ("Content blocked - click here to unlock all Internet sites")
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content-provider partnership

URL Filtering With External DB
- Enhances SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- The SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental-control systems or proprietary databases
- Current integrations are with Websense and Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache, the SCE sends a URL query RDR to the third-party URL database, which returns the URL classification; the SCE then updates its cache with the result.

Action per subscriber package and HTTP list:
Subscriber package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps

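The Kids Broadband and URL-filtering slides above describe the same flow: classify the URL (cache first, external database on a miss), then apply the package's action. The following is an added example, not Cisco or Websense code: a classifier with a TTL cache in front of a stand-in database, and the action table from the slide. The list IDs, categories, sample hosts and TTL are assumptions. The check a practitioner wants here is the cache key: the URL is canonicalised (lower-cased host, percent-decoding, explicit default port dropped) before lookup, because otherwise `ADULT.example`, `%41dult.example` and `adult.example:80` each miss the cache and can be used to slip past a list.

```python
"""Added example (not Cisco code): URL classification with an on-device cache in
front of an external URL database, then the per-package action table from the
slide (Block-none / Block-all / Block-and-slow). List IDs, categories, sample
hosts and the TTL are constructed for illustration."""
import time
from urllib.parse import urlsplit, unquote

# Package -> action per list ID, as on the slide (list 0 = DEFAULT / uncategorised).
ACTIONS = {
    "Block-none":     {0: "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {0: "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {0: "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}

# Stand-in for the third-party database: hostname -> list ID. Constructed data.
EXTERNAL_DB = {"adult.example": 1, "gambling.example": 2}


def normalize(url: str) -> str:
    """Canonicalise before caching/lookup so that case, percent-encoding and an
    explicit default port cannot produce a different key for the same host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return unquote(parts.hostname or "").lower().rstrip(".")


class UrlClassifier:
    def __init__(self, db_lookup, ttl_seconds=300, clock=time.monotonic):
        self.db_lookup = db_lookup
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache = {}        # host -> (list_id, expiry)
        self.db_queries = 0    # how many times the external DB was consulted

    def list_id(self, url: str) -> int:
        host = normalize(url)
        now = self.clock()
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0]
        self.db_queries += 1                        # "URL query RDR" to the external DB
        lid = self.db_lookup(host)
        self.cache[host] = (lid, now + self.ttl)    # cache-lookup update
        return lid


def db_lookup(host: str) -> int:
    return EXTERNAL_DB.get(host, 0)


def decide(classifier: UrlClassifier, package: str, url: str) -> str:
    """Return the enforcement action for this subscriber package and URL."""
    return ACTIONS[package][classifier.list_id(url)]
```

Cache entries expire after the TTL so a re-categorised host is picked up without a restart; the counter of database queries is what shows the cache actually absorbing repeated lookups of the same host.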
Parental Control and Content Filtering: Example
- Content filtering: "Page blocked - forbidden content detected"
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

BetterAds: SPs Participating in the Advertising Value Chain
- The ISP sits between advertiser, publisher and consumer and can leverage its intimacy with its customer base (demographics, browsing habits, geo-location) to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; the next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE product offering
- SPs participate in the advertising value chain and increase ARPU through a revenue-sharing model
- Addresses privacy concerns through advanced opt-in / opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server using VLAN marking
- Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDRs
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors the relevant traffic to the profiling servers
3. The profiling servers process the traffic, extract the relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)

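The slide's "anonymizing the subscriber details in RDRs" step is where the privacy claim of the whole solution rests, so it is worth showing what anonymization has to mean. The following is an added example, not Cisco code: a click-stream record is pseudonymised with a keyed HMAC before export, the client IP is dropped and the URL query string stripped. The record layout, key and sample records are assumptions. The contrast with a plain unsalted hash is the point: a plain hash of a username or MSISDN is reversed by hashing a dictionary of likely IDs, while the keyed token is not.

```python
"""Added example (not Cisco code): pseudonymising subscriber identity in
click-stream records before they leave the operator, versus a plain hash.
Record layout, key and sample records are constructed for illustration."""
import hashlib
import hmac
from typing import Iterable, Optional


def pseudonym(subscriber_id: str, key: bytes) -> str:
    """Keyed token: stable per subscriber for the profiling server, but without the
    key it cannot be turned back into the ID by hashing a candidate list."""
    return hmac.new(key, subscriber_id.encode(), hashlib.sha256).hexdigest()[:32]


def anonymize_record(rec: dict, key: bytes) -> dict:
    """Export copy of a click-stream record with direct identifiers replaced:
    subscriber ID -> keyed token, client IP dropped, URL query string stripped
    (query strings often carry session tokens and e-mail addresses)."""
    url = rec["url"].split("?", 1)[0]
    return {"subscriber": pseudonym(rec["subscriber_id"], key),
            "url": url,
            "ts": rec["ts"]}


def unsalted(subscriber_id: str) -> str:
    """What NOT to do: a plain hash is reversible by enumerating likely IDs."""
    return hashlib.sha256(subscriber_id.encode()).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Recover the ID behind an unsalted hash by trying candidate IDs."""
    for c in candidates:
        if unsalted(c) == token:
            return c
    return None


# Constructed sample records as the SCE might report them before anonymization.
SAMPLE_RECORDS = [
    {"subscriber_id": "joe@example.net", "client_ip": "10.1.2.3",
     "url": "http://cars.example/new?session=abc123&email=joe%40example.net", "ts": 1},
    {"subscriber_id": "ann@example.net", "client_ip": "10.1.2.4",
     "url": "http://stocks.example/quote?sym=ABC", "ts": 2},
]


def export(records: list, key: bytes) -> list:
    return [anonymize_record(r, key) for r in records]
```

Rotating the key per reporting period limits how long a token can be linked across exports; keeping the key inside the operator, not with the profiling partner, is what makes the token a pseudonym rather than just a renamed identifier.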
P2P Identification: Infringing / Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts on the classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the originally requested content, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
- The SCE analyzes OTT traffic and redirects it to the caching server; the cache delivers the requested files
- The cache delivers more bandwidth to end-users using existing network resources
- The cache relieves network peering load while improving QoE
- Addresses the increase in demand for OTT content
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
[Figure: SCE between subscribers and the Internet, separating OTT video from other OTT/P2P and VoIP traffic; OTT video is redirected to an OTT Video Cache]

Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer-support costs
- The SP needs the ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution using a combination of anomaly detection and signature matching:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block/mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
Example notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

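The identify / protect / notify tiers above are easiest to understand as detection logic run over flow records. The following is an added example, not Cisco code, and not the SCE's actual anomaly detector: it counts the distinct SMTP destinations each subscriber contacts inside a sliding window, flags a subscriber that fans out to more mail servers than a residential PC plausibly would, then blocks further outbound SMTP from that subscriber and produces the notification text. The threshold, window, subscriber names and flow records are assumptions.

```python
"""Added example (not Cisco code): anomaly-style spam-zombie detection over
per-subscriber flow records, with the identify / protect / notify outcome from
the slide. Thresholds, subscribers and flow records are constructed here."""
from collections import defaultdict, deque

# Assumed thresholds: a residential host that opens SMTP sessions to this many
# distinct mail servers within the window is very likely relaying spam.
SMTP_PORT = 25
WINDOW_SECONDS = 60
MAX_DISTINCT_MX = 20


class SpamZombieDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_MX):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # subscriber -> deque of (ts, dst_ip)
        self.quarantined = set()

    def observe(self, flow: dict) -> str:
        """flow has ts, subscriber, dst_ip, dst_port, proto.
        Returns the action for this flow: 'pass', 'identify' or 'block'."""
        if flow["proto"] != "tcp" or flow["dst_port"] != SMTP_PORT:
            return "pass"
        sub = flow["subscriber"]
        if sub in self.quarantined:
            return "block"                     # Protect: outbound SMTP blocked by policy
        q = self.events[sub]
        q.append((flow["ts"], flow["dst_ip"]))
        while q and q[0][0] < flow["ts"] - self.window:
            q.popleft()                        # slide the window
        distinct = {ip for _, ip in q}
        if len(distinct) > self.threshold:
            self.quarantined.add(sub)          # Identify: anomaly crossed, quarantine
            return "identify"
        return "pass"

    def notification(self, sub: str):
        """Notify: message for the subscriber, only if they are quarantined."""
        if sub not in self.quarantined:
            return None
        return ("Dear Valued Subscriber, your PC may have become infected with an "
                "email zombie generating spam mail. Outbound SMTP has been blocked; "
                "click here for technical assistance.")


def replay(flows, detector=None):
    """Run the detector over a list of flows; returns (actions, detector)."""
    det = detector or SpamZombieDetector()
    return [det.observe(f) for f in flows], det


# Constructed sample: one legitimate user talking to her ISP's mail server, and
# one zombie fanning out to a new mail server every second.
SAMPLE_FLOWS = (
    [{"ts": t, "subscriber": "alice", "dst_ip": "203.0.113.10",
      "dst_port": 25, "proto": "tcp"} for t in range(0, 30, 10)] +
    [{"ts": t, "subscriber": "bob", "dst_ip": f"198.51.100.{t}",
      "dst_port": 25, "proto": "tcp"} for t in range(1, 26)]
)
```

Counting distinct destinations rather than raw connection count is deliberate: a user sending one large mail-merge to their own provider's relay stays under the threshold, while a bot that connects directly to many recipients' MX hosts is exactly what the "spam activity from botnets" bullet is about.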
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call-center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine
[Figure: User 1 - carrier Ethernet/MPLS/IP - SCE - Internet, with the VAS server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked]

Network Insertion and Configuration

Network Insertion Point
- Typical insertion point: broadband edge/aggregation
  - directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
  - at an aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all the traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
- A stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Figure: analysis engine applying police / drop / rewrite (PDR) actions on the wire]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
- Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
- Inline configuration: the engine is installed in the data path; monitors and controls traffic
[Figure: subscribers - optical splitter - SCE - optical splitter - network]

High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active/standby failover
- The slave forwards all traffic to the master for processing
- The master updates the slave with subscriber policy state information
- Roles switch on failure of the master
- The two SCEs must have an identical configuration
[Figure: master and slave SCE, one on each active link]

Redundant Configurations: Active/Standby Schemes
1+0:
- Active/standby links, SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass configured to fail open
1+1:
- Active/standby links, an SCE on each link
- On failure the network uses the alternate path
- The standby SCE resumes service
- Bypass configured to fail open
[Figure: active and standby links]

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - a major failure in the SCE software or hardware
  - manually via the CLI
  - on boot
[Figure: SCE8000 with optical bypass modules; the default bypass state is the no-power state, versus the non-default (active) state]

MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with eight 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
[Figure: 7600 with N+1 SCEs, flows dispatched out and returned, towards the Internet]

Network Architectures: SCE's Open and Extensible Architecture
[Figure: SCE deployment options (N+1 cluster, 1+1 HA, bypass HA) behind a GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), with accounting/policy control, towards the Internet]

Packet Inspection in a Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1Q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
[Figure: packet stacks inspected through the outer headers: l2tp/mpls + IP + TCP + payload, and ppp + IP + TCP + payload]

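Classification can only start once the engine has walked past the outer encapsulations to the inner IP header, and a parser that stops at the first IP header (or trusts the outer one) mis-classifies everything inside the tunnel. The following is an added example, not Cisco code: it decapsulates 802.1Q/QinQ tags, an MPLS label stack and IP-in-IP to reach the innermost IPv4/TCP header, and rejects truncated or unsupported frames. The sample frame is constructed by hand; L2TP, GRE and GTP from the slide are not handled here, and an MPLS payload is assumed to be IPv4.

```python
"""Added example (not Cisco code): walking the outer encapsulations listed on the
slide (802.1Q/QinQ, MPLS label stack, IP-in-IP) to reach the inner IPv4/TCP
header that classification needs. The sample frame is constructed by hand;
L2TP/GRE/GTP are not handled, and an MPLS payload is assumed to be IPv4."""
import struct

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP = 4, 6


def decapsulate(frame: bytes) -> dict:
    """Return vlans, MPLS labels, innermost src/dst/proto and the L4 bytes,
    or raise ValueError on a truncated or unsupported frame."""
    off = 14
    if len(frame) < off:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlans, labels = [], []
    while ethertype in (ETH_VLAN, ETH_QINQ):          # any number of 802.1Q/802.1ad tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype == ETH_MPLS:                         # 4-byte entries until the S bit
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            labels.append(entry >> 12)
            off += 4
            if entry & 0x100:
                break
        ethertype = ETH_IPV4                          # assumption: IPv4 after the stack
    if ethertype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    while True:                                       # follow IP-in-IP to the inner header
        if off + 20 > len(frame) or frame[off] >> 4 != 4:
            raise ValueError("bad IPv4 header")
        ihl = (frame[off] & 0x0F) * 4
        if ihl < 20:
            raise ValueError("bad IHL")
        proto = frame[off + 9]
        src = ".".join(str(b) for b in frame[off + 12:off + 16])
        dst = ".".join(str(b) for b in frame[off + 16:off + 20])
        off += ihl
        if proto != IPPROTO_IPIP:
            break
    return {"vlans": vlans, "labels": labels, "src": src, "dst": dst,
            "proto": proto, "l4": frame[off:]}


def tcp_ports(l4: bytes):
    return struct.unpack("!HH", l4[:4])


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header for the constructed sample (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(x) for x in src.split(".")),
                       bytes(int(x) for x in dst.split(".")))


def sample_frame() -> bytes:
    """Constructed: Ethernet / 802.1Q 100 / MPLS 1001,1002 / IPv4 (IP-in-IP) / IPv4 / TCP."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.0.0.5", "93.184.216.34", IPPROTO_TCP, len(tcp)) + tcp
    outer = ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!I", (1001 << 12) | 64) + struct.pack("!I", (1002 << 12) | (1 << 8) | 64)
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" +
            struct.pack("!H", ETH_VLAN) + struct.pack("!HH", 100, ETH_MPLS) + mpls + outer)
```

The subscriber identity comes from the outer tunnel headers while the application comes from the innermost ones, so both are returned; a real engine also has to bound the nesting depth, since each extra tag or label is attacker-controlled bytes it has to parse.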
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer.
Modular solution including SCE devices, management tools and integration APIs:
- Service Control Engine, between the subscribers and the network
- Subscriber Manager, integrated with AAA, DHCP and RADIUS
- Collection Manager, feeding billing and the reporting tool
- Engage console
- Policy server and service portal

Management and Integrations

Area                          Description                                              Protocols and tools         External software modules
Network Management            FCAPS                                                    SNMP, CLI, SSH              N/A
Policy/Service Configuration  Definition of policies and dissemination to SCE devices  SCA-API, GUI, scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts                SM API, RADIUS              Subscriber Manager
Data Collection               Collection of usage data for reporting and billing       NetFlow v9, RDR protocol    Collection Manager

Network Management (FCAPS)
- SNMP (v2): MIB-II plus a proprietary SCE MIB covering link throughput, flow statistics, subscriber statistics, device performance and RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
- CLI: Telnet/SSH, Cisco look and feel, CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices (SCE, CM, SM, database) into sites
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI-based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM back end
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate that subscriber's real-time report

Service Security Dashboard
Integrated console to manage the service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull modes:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration - Push
1. The B-RAS sends a RADIUS Accounting-Start to the RADIUS server: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the Cisco Subscriber Manager with the attribute SCE-VAS-PID=12
3. The SM (event manager, internal subscriber database, SCE device controller) calls the SM API: Set Subscriber (Joe, 1.2.3.4, 12), pushing the mapping and policy to the SCE

Subscriber Manager: RADIUS Integration - Pull
1. The B-RAS sends a RADIUS Accounting-Start to the RADIUS server: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the Cisco Subscriber Manager with the attribute SCE-VAS-PID=12; the SM stores it in its internal subscriber database
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which has no mapping for it and asks the SM: "Who is using IP 1.2.3.4?"
4. The SM answers via the SM API: Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEG Translation in Brief
Login Event Generators (LEGs) translate access-network events into SM login and logout operations:
- RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) use the RADIUS attributes User-Name, NAS-Identifier, Framed-IP-Address and Vendor-Specific
- DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease-query LEG) use yiaddr, chaddr, ciaddr and the options Relay-Agent-Information remote-ID (82.2), lease-time (51), vendor-specific (43) and message-type (53)
- Login carries: subscriber ID, domain, mappings, lease time, policy
- Logout carries: subscriber ID, mappings

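The push and pull flows and the LEG summary above all hinge on one step: a LEG turning a RADIUS Accounting-Request into an SM login that binds an IP address to a subscriber and package. Whoever can forge that message can hijack another subscriber's policy, so the accounting packet should be checked against the shared secret before it is trusted. The following is an added example, not Cisco LEG code: it parses the attributes the slide lists, verifies the Request Authenticator as RFC 2866 defines it, and only then emits a login tuple. The shared secret, NAS identity and packet bytes are constructed; the vendor-specific attribute uses vendor ID 9 (Cisco) with an assumed text-encoded package ID, which is not the documented layout of SCE-VAS-PID.

```python
"""Added example (not Cisco LEG code): what a RADIUS LEG should do with an
Accounting-Request before telling the SM who owns an IP. Secret, NAS and packet
bytes are constructed; the VSA layout (vendor 9, type 1, text package ID) is an
assumption, not the real SCE-VAS-PID encoding."""
import hashlib
import struct

ACCT_REQUEST = 4
ACCT_START = 1
ATTR = {1: "User-Name", 8: "Framed-IP-Address", 26: "Vendor-Specific",
        32: "NAS-Identifier", 40: "Acct-Status-Type"}


def parse_attributes(body: bytes) -> dict:
    """Decode the TLV attribute list; malformed lengths raise instead of being skipped."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute length")
        v = body[i + 2:i + l]
        if t == 8:
            v = ".".join(str(b) for b in v)
        elif t == 40:
            v = struct.unpack("!I", v)[0]
        elif t == 26:
            vendor, vt, vl = struct.unpack("!IBB", v[:6])
            v = (vendor, vt, v[6:vl + 4])
        else:
            v = v.decode("utf-8", "replace")
        attrs[ATTR.get(t, t)] = v
        i += l
    return attrs


def verify_accounting(packet: bytes, secret: bytes) -> bool:
    """RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    + Attributes + Secret). A wrong secret or any tampered byte fails here."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def leg_login(packet: bytes, secret: bytes):
    """Return the SM login (subscriber, ip, package) for a verified Acct-Start, else None."""
    if not verify_accounting(packet, secret):
        return None
    a = parse_attributes(packet[20:])
    if a.get("Acct-Status-Type") != ACCT_START:
        return None
    vsa = a.get("Vendor-Specific")
    package = int(vsa[2].decode()) if vsa else None   # assumed text-encoded package ID
    return (a["User-Name"], a["Framed-IP-Address"], package)


def build_accounting_start(ident: int, secret: bytes, user: str, ip: str, package: str) -> bytes:
    """Constructed Accounting-Request as a NAS would send it."""
    def tlv(t, v):
        return bytes([t, len(v) + 2]) + v
    vsa = struct.pack("!I", 9) + bytes([1, len(package) + 2]) + package.encode()
    attrs = (tlv(40, struct.pack("!I", ACCT_START)) + tlv(1, user.encode()) +
             tlv(8, bytes(int(x) for x in ip.split("."))) + tlv(26, vsa))
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs
```

The sniffer-style LEGs on the slide see a copy of the packet rather than terminating RADIUS themselves, so they can perform exactly this check as long as they are given the NAS secret; without it, any host that can inject a packet towards the RADIUS server can also rewrite who owns an IP.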
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities:
- SCE API: direct subscriber management on the SCE (Java)
- SM API: dynamic subscriber management through the SM (C, Java)
- SCE MIB: integration for maintenance operations
- RDRs: integration for billing and quota provisioning
- NetFlow v9: integration for billing and quota provisioning

Policy Server Integration: Topology Example
- The SCMS SM is responsible for mapping network IDs to subscriber IDs, together with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy-profile provisioning in addition to the network-ID mapping
[Figure: policy server - API - Subscriber Manager - API - SCE]

PCEF - Subscriber Policy Enforcement
- The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF is through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
[Figure: GGSN - access aggregation and service control (SCE as PCEF) - converged packet core - Internet; subscriber service control for video/VoIP applications and services]

Gx Interface and RADIUS VSAs
- The SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in outgoing SCE Gx/Gy messages; supported attributes include Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile and 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release

Collection Manager
- The analysis and data-processing functions of the SCE generate NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the Collection Manager for processing: either the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- The RDR protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer systems
[Figure: the SCE streams RDRs over TCP to a mediation/collection platform; each RDR consists of a header followed by fields 0 .. n]

Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
- Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Figure: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow collector (NetFlow reporter)]

Collection Manager: Software Overview
CM software:
- Unix (Solaris, Linux) Java software
- The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a database (Sybase)
- Template-driven reporting tool (100+ report templates)

ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 56
T-Mobile ndash Quota-Based With Application Control
Default WnW WnW Pro WnW WNW Plus WnW Max Post Pay Day Pass
Allowance Unlimited 2GB 2GB 1GB 3GB 10GB
VoIP radic times times times times radic times
IM radic times times times radic radic times
P2P radic times radic times radic radic times
FTP radic times radic times radic radic times
Media Stream radic times radic times radic radic times
Web Browsing radic radic radic radic radic radic radic
Downloads radic times radic radic radic radic radic
Emails radic radic radic radic radic radic radic
Handset as modem
radic times radic times radic radic times
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 57
European MobileBB Web 3G and Skype for Mobile
Take your online world with you TV PC and the web on your mobile
Business issueSkype taking mobile minutes away
Use case descriptionSCE amp PGW 2200 allows to route Skype users to mobile phones over PLMN
Business benefits Skype becomes chargeable minutes againNon IP capable phones can use Skype
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 58
European Mobile Volume Quota
bullhttpwwwvodafoneesparticularesinternet
gt 40
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 59
Advanced Services
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 60
Dynamic Personalized Services Enhanced Quality of Experience
Industrylsquos First Subscriber andor Application-Driven Solution
―Pull Enhanced Experience Is Subscriber-Driven
―Turbo Button Self-Care Parental Control
IPTVVoD
BroadbandAccess
Gaming
Messaging MusicVoice
―Push Enhanced Experience Is Application-Driven
Application Awareness
Control Bus
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 61
Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting and monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.

Example Content Tiering: "Kids Broadband"
Application- and content-based access control with white-lists and black-lists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to a portal: the blocked page shows "Content Blocked" with a link to unlock all Internet sites. That unlock action must be gated by the account holder's portal login, otherwise the block page itself hands the child the bypass.
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content-provider partnerships

URL Filtering with External DB
Enhances SCE URL classification with third-party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external database
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integrations: Websense and Adaptive Mobile
On-device URL filtering with external database integration, as a flow: the SCE looks the URL up in its cache; on a miss it sends a URL query RDR to the third-party URL database, which returns the URL classification, and the cache is updated with the result.
Per-package HTTP policy by URL list:

Subscriber package | DEFAULT | HTTP list ID 1 | HTTP list ID 2
Block-none         | ALLOW   | ALLOW          | ALLOW
Block-all          | ALLOW   | BLOCK          | BLOCK
Block-and-slow     | ALLOW   | BLOCK          | RATE 64 kbps

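As an added illustration (not code from the deck or from Cisco), the cache-in-front-of-external-database flow and the package/list policy matrix above, in Python. The external database is a constructed in-memory dict, the list IDs, actions and the 64 kbps rate come from the table, and the cache TTL and host names are assumed:

```python
"""Added example (not Cisco code): an on-device URL classification cache in
front of an external category database, plus the package-by-list policy
matrix from the slide (Block-none / Block-all / Block-and-slow).

Assumed, not from the slide: the external database is a small in-memory
dict keyed by host, list IDs 1 and 2 are simply "list 1" and "list 2", and
the cache TTL is 300 s.
"""
import time
from urllib.parse import urlsplit

DEFAULT_LIST = 0                      # host on no list -> the DEFAULT column

# Constructed stand-in for the third-party URL database (host -> list ID).
EXTERNAL_DB = {
    "news.example": 1,
    "games.example": 2,
}

# Package -> {list ID: action}. ("RATE", 64) is the "RATE 64kbps" cell.
POLICY = {
    "Block-none":     {0: ("ALLOW",), 1: ("ALLOW",), 2: ("ALLOW",)},
    "Block-all":      {0: ("ALLOW",), 1: ("BLOCK",), 2: ("BLOCK",)},
    "Block-and-slow": {0: ("ALLOW",), 1: ("BLOCK",), 2: ("RATE", 64)},
}


class UrlClassifier:
    """TTL cache in front of the external database; counts the
    transactions that actually reach the database."""

    def __init__(self, db, ttl_s=300, clock=time.monotonic):
        self._db = db
        self._ttl = ttl_s
        self._clock = clock
        self._cache = {}              # host -> (list_id, expires_at)
        self.db_queries = 0

    @staticmethod
    def host_of(url):
        # Classify on the host only: the path and query string can carry
        # session tokens, and they should not be sent to a third party.
        host = urlsplit(url).hostname
        if not host:
            raise ValueError("URL without a host: %r" % url)
        return host.rstrip(".")       # .hostname is already lower-cased

    def classify(self, url):
        host = self.host_of(url)
        now = self._clock()
        hit = self._cache.get(host)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.db_queries += 1          # cache miss or expired: ask the database
        list_id = self._db.get(host, DEFAULT_LIST)
        self._cache[host] = (list_id, now + self._ttl)
        return list_id

    def expire(self, host):
        """Drop a cached verdict early (e.g. when the database reclassifies
        a host); until then the old classification keeps being enforced."""
        self._cache.pop(host, None)


def decide(package, url, classifier):
    """Action for one HTTP request: ("ALLOW",), ("BLOCK",) or ("RATE", kbps)."""
    if package not in POLICY:
        raise KeyError("unknown subscriber package: %r" % package)
    return POLICY[package][classifier.classify(url)]


if __name__ == "__main__":
    clf = UrlClassifier(EXTERNAL_DB)
    for pkg in POLICY:
        for url in ("http://news.example/a", "http://games.example/b", "http://other.example/"):
            print("%-15s %-28s %s" % (pkg, url, decide(pkg, url, clf)))
    print("external database queries:", clf.db_queries)   # 3: one per distinct host
```

Classification keys on the host, so the query string (which can carry session tokens) never reaches the third party; a reclassification at the database is only seen once the cached verdict expires or is explicitly dropped, which is the trade-off the on-board cache buys.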
Parental Control and Content Filtering: Example
Content filtering: the subscriber sees a "Page Blocked: Forbidden Content Detected" page
Subscriber-managed parental control
Basic website black-listing provided free of charge
Comprehensive filtering and security for a small monthly subscription

BetterAds: SPs Participating in the Advertising Value Chain
The ISP sits between advertiser, publisher and consumer and holds subscriber demographics, browsing habits and geo-location
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focused on behavioral targeting
Next step would be to add demographic targeting
Applies to all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addresses privacy concerns through opt-in/opt-out mechanisms

BetterAds: Behavioral Targeted Advertising
Tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server, using VLAN marking
Reporting HTTP click-stream information in RDRs, with the subscriber details in the RDRs anonymized
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to the profiling servers
3. The profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
Note that the mirrored copy is the raw HTTP request, so anonymizing subscriber details in the RDRs does not anonymize what the profiling server sees on the mirror port; the opt-in/opt-out decision has to gate the mirroring itself.

P2P Identification: Infringing vs. Non-Infringing
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash database
3. The database responds with the file classification (infringing or legal)
4. The SCE acts on the classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing and non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the originally requested item, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end users using existing network resources
The cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Flow: the SCE classifies OTT, other OTT/P2P and VoIP traffic, and redirects the OTT traffic to the OTT video cache; the cache delivers the requested files. As demand for OTT grows, the best user experience comes from delivering OTT content from within the network, as close as possible to the user.

Service Security Challenges
Key challenges
Open access: the SP cannot apply usage restrictions (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP, viruses, EPG hacking)
Effect on the SP business
Increased carrier cost from network management and downtime
Subscriber churn and customer-support costs
The SP needs the ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution using a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block or mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Example notification (the service control engine sits between the subscriber, the e-mail servers and the Internet): "Dear Valued Subscriber, we are advising you that your PC may have become infected with an e-mail zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
A notice of this shape ("click here for assistance") is indistinguishable from phishing to the recipient; a quarantine page served in-band on the subscriber's own connection, or a link to a portal the subscriber already knows, is the safer delivery channel.

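The identify/protect/notify sequence for a spam zombie, as an added example in Python (not Cisco code): a sliding-window count of outbound SMTP connections and distinct destinations per subscriber over constructed flow records, then per-flow enforcement for quarantined subscribers. The thresholds, the addresses and the flow records are assumptions for illustration:

```python
"""Added example (not Cisco code): anomaly-style identification of spam
zombies from outbound flow records, followed by the protect and notify
steps the slide lists (quarantine the subscriber, redirect to a notice page).

Constructed for illustration: the flow records, the thresholds and the
relay/portal addresses. A real deployment feeds per-flow data from the
SCE (RDRs or NetFlow v9) and enforces through its policy.
"""
from collections import defaultdict

SMTP_PORTS = {25, 587}
WINDOW_S = 60            # sliding window length
MAX_SMTP_CONNS = 20      # outbound SMTP connections allowed per window
MAX_DISTINCT_DST = 10    # distinct SMTP destinations allowed per window

# Constructed flows: (t_seconds, subscriber_ip, dst_ip, dst_port).
# 10.0.0.5 behaves like a zombie (25 MX hosts in 25 s); 10.0.0.7 is a
# normal user sending through the SP relay and browsing.
FLOWS = (
    [(i, "10.0.0.5", "198.51.100.%d" % (i + 1), 25) for i in range(25)]
    + [(i * 20, "10.0.0.7", "203.0.113.25", 25) for i in range(3)]
    + [(5, "10.0.0.7", "192.0.2.10", 80)]
)


def smtp_outliers(flows, window_s=WINDOW_S, max_conns=MAX_SMTP_CONNS,
                  max_dst=MAX_DISTINCT_DST):
    """Identify: return {subscriber: (conns, distinct_dsts)} for the first
    sliding window in which a subscriber's outbound SMTP exceeds a threshold."""
    per_sub = defaultdict(list)
    for t, sub, dst, port in flows:
        if port in SMTP_PORTS:
            per_sub[sub].append((t, dst))
    flagged = {}
    for sub, events in per_sub.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = len({dst for _, dst in window})
            if len(window) > max_conns or distinct > max_dst:
                flagged[sub] = (len(window), distinct)
                break
    return flagged


def enforce(flow, quarantined, sp_relay="203.0.113.25", portal="203.0.113.80"):
    """Protect and notify: per-flow decision for a quarantined subscriber.
    Outbound SMTP is allowed only to the SP's own relay (so the zombie stops
    reaching foreign MX hosts), HTTP is redirected to the notice portal so
    the user sees the warning in-band, everything else passes."""
    _t, sub, dst, port = flow
    if sub not in quarantined:
        return "ALLOW"
    if port in SMTP_PORTS:
        return "ALLOW" if dst == sp_relay else "BLOCK"
    if port == 80:
        return "REDIRECT:" + portal
    return "ALLOW"


if __name__ == "__main__":
    flagged = smtp_outliers(FLOWS)
    print("flagged:", flagged)                 # {'10.0.0.5': (11, 11)}
    quarantined = set(flagged)
    for flow in FLOWS[:2] + FLOWS[-2:]:
        print(flow, "->", enforce(flow, quarantined))
```

Subscribers who legitimately run mail servers will trip a rule like this; allow-list them before enabling the block, and tune the thresholds on real traffic rather than the constants above.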
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Savings on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
Topology: User 1 on the subscriber side, the SCE inline on the Carrier Ethernet/MPLS/IP network with a VAS server attached to it, and the Internet beyond; inbound and outbound traffic pass through the SCE, and "X" marks blocked traffic.
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag that identifies the communication between User 1 and the server
4. The server transmits a file that contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file is not loaded on the user's machine
Both steps depend on the VAS seeing the payload in the clear: TLS-protected downloads and mail sessions pass through uninspected, and the bytes forwarded before detection have already reached the client, so protection relies on the truncated file being unusable.

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Or at an aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control, in both directions)
Network interfaces
Split flows (the two directions of a flow taking different links)
Network redundancy
IP tunneling environment

Insertion Concept: the SCE is a "Bump-on-a-Wire"
A stateful analysis engine with application awareness sees all packets in both directions
The analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header-rewrite actions)
Packets are not routed or switched: packets arriving on a subscriber interface always leave on the corresponding network interface, and vice versa
Per-packet decision by the analysis engine: police, drop or rewrite (PDR) actions

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Uses optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitors and controls traffic
(Diagram: subscribers on one side, the network on the other, with optical splitters feeding the receive-only engine.)

High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have an identical configuration
(Diagram: master and slave SCEs, one on each active link, cascaded to each other.)

Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: one SCE on the active link
On failure the network uses the alternate path (standby link)
No service redundancy
Bypass configuration: fail open
1+1
Active/standby: an SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
"Fail open" means the SCE's control and security functions (rate limits, blocking, quarantine) stop being applied while the link is bypassed; policies that must not lapse need the 1+1 scheme, not bypass alone.

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
A major failure in the SCE software or hardware
Manually via the CLI
On boot
(Diagram: SCE8000 with two optical bypass modules; the default bypass state is the no-power state.)

MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: N+1 device-level high availability addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functions and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, so flow and subscriber state are maintained
(Diagram: N+1 SCEs attached to the 7600 between the subscribers and the Internet; flows go out to an SCE and return to the data path.)

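The subscriber-affinity dispatch the concept describes, as an added example (not Cisco's 7600/SCE implementation): a stable hash of the subscriber address selects the SCE slot, both directions of a flow map to the same slot, and the N+1 spare takes over a failed unit's slot so no other subscriber moves. The hash choice, the spare handling and the port names are assumptions:

```python
"""Added example (not Cisco code): the MGSCP dispatch idea from the slide.
Every flow of a subscriber hashes to the same SCE slot, so that SCE can keep
flow and subscriber state, and an N+1 spare takes over the failed unit's
slot so every other subscriber keeps its SCE (and its state).

Assumed, not from the slide: slot selection by SHA-256 of the subscriber
address, one spare, and the port names. The slide only says the 7600
dispatches all of a subscriber's flows to a unique port served by one SCE.
"""
import hashlib
import ipaddress


class Dispatcher:
    def __init__(self, active, spare):
        self.slots = list(active)     # slot index -> SCE port serving it
        self.spare = list(spare)      # idle units (the "+1")
        self.failed = []

    @staticmethod
    def slot_of(subscriber_ip, nslots):
        # Stable hash of the address: Python's hash() is randomised per
        # process and would move subscribers between SCEs on every restart.
        key = int(ipaddress.ip_address(subscriber_ip)).to_bytes(16, "big")
        digest = hashlib.sha256(key).digest()
        return int.from_bytes(digest[:4], "big") % nslots

    def sce_for(self, subscriber_ip):
        return self.slots[self.slot_of(subscriber_ip, len(self.slots))]

    def dispatch(self, packet):
        """packet = (src_ip, dst_ip, direction). The subscriber-side address
        picks the slot whatever the direction, so both halves of a flow reach
        the same SCE."""
        src, dst, direction = packet
        subscriber = src if direction == "upstream" else dst
        return self.sce_for(subscriber)

    def fail(self, port):
        """Take `port` out of service: the spare inherits its slot, so only
        the subscribers that were on the failed SCE move."""
        i = self.slots.index(port)
        if not self.spare:
            raise RuntimeError("no spare SCE left to replace %s" % port)
        self.slots[i] = self.spare.pop(0)
        self.failed.append(port)
        return self.slots[i]


if __name__ == "__main__":
    d = Dispatcher(["sce1", "sce2", "sce3"], ["sce4"])
    subs = ["10.1.0.%d" % i for i in range(8)]
    print({s: d.sce_for(s) for s in subs})
    victim = d.sce_for(subs[0])
    print("failing", victim, "->", d.fail(victim))
    print({s: d.sce_for(s) for s in subs})
```

The point is hashing on the subscriber address rather than on the 5-tuple: an ECMP-style 5-tuple hash would scatter one subscriber's flows across SCEs and defeat per-subscriber quotas and state.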
Network Architectures: the SCE's Open and Extensible Architecture
(Diagram: DSL/fiber subscribers via a BRAS/LAC/LNS and mobile subscribers via a GGSN reach the Internet through SCEs deployed as N+1 clusters, 1+1 HA pairs or bypass HA; accounting and policy-control systems attach to the SCEs.)

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation and tunneling techniques, including:
VLAN 802.1Q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
(Diagram: the engine strips the outer L2TP, MPLS and PPP headers to reach the inner IP/TCP header and payload.)

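As an added example (not the SCE's parser), a walker over the encapsulations listed above that strips 802.1Q tags, an MPLS label stack and IP-in-IP to reach the inner IPv4/TCP header that per-subscriber policy keys on. L2TP/PPP, GRE and GTP are not covered. The frame, the addresses and the builder helpers are constructed for the example:

```python
"""Added example (not Cisco code): walking the encapsulations the slide lists
(802.1Q VLAN, MPLS label stack, IP-in-IP) to reach the inner IP/TCP header
that classification and per-subscriber policy must key on. L2TP/PPP, GRE
and GTP are not handled here.

The frame below is constructed for the example; the builder functions
exist only to produce it.
"""
import ipaddress
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP = 4, 6


def ip_checksum(hdr):
    """RFC 1071 ones-complement checksum; 0 when run over a header that
    already carries a correct checksum."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def tcp(sport, dport, payload):
    # 20-byte TCP header, no options; the TCP checksum is left 0 here.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def sample_frame():
    """Ethernet / VLAN 100 / MPLS label 1000 / IPv4 / IP-in-IP / IPv4 / TCP."""
    inner = ipv4("10.0.0.5", "192.0.2.10", IPPROTO_TCP, tcp(40000, 80, b"GET / HTTP/1.1\r\n"))
    outer = ipv4("203.0.113.1", "203.0.113.2", IPPROTO_IPIP, inner)
    mpls = struct.pack("!I", (1000 << 12) | (1 << 8) | 64)        # label, S=1, TTL 64
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return eth + struct.pack("!HH", ETH_VLAN, 100) + struct.pack("!H", ETH_MPLS) + mpls + outer


def walk(frame):
    """Strip VLAN tags, the MPLS stack and IP-in-IP and return the innermost
    IPv4/TCP 4-tuple plus the encapsulations crossed."""
    layers = []
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    while ethertype == ETH_VLAN:                       # possibly stacked tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        layers.append("vlan:%d" % (tci & 0x0FFF))
        off += 4
    if ethertype == ETH_MPLS:
        while True:
            (entry,) = struct.unpack("!I", frame[off:off + 4])
            layers.append("mpls:%d" % (entry >> 12))
            off += 4
            if entry & 0x100:                          # bottom-of-stack bit
                break
        if frame[off] >> 4 != 4:                       # no ethertype after MPLS
            raise ValueError("payload under MPLS is not IPv4")
        ethertype = ETH_IPV4
    if ethertype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    while True:
        ihl = (frame[off] & 0x0F) * 4
        proto = frame[off + 9]
        src = str(ipaddress.ip_address(frame[off + 12:off + 16]))
        dst = str(ipaddress.ip_address(frame[off + 16:off + 20]))
        if ip_checksum(frame[off:off + ihl]) != 0:
            raise ValueError("bad IPv4 header checksum at offset %d" % off)
        off += ihl
        if proto == IPPROTO_IPIP:
            layers.append("ipip:%s>%s" % (src, dst))
            continue
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", frame[off:off + 4])
            return {"layers": layers, "src": src, "dst": dst,
                    "sport": sport, "dport": dport}
        raise ValueError("unsupported IP protocol %d" % proto)
```

Keying policy on the outer header would attribute every tunnelled subscriber to the tunnel endpoint's address, which is why the mapping to a subscriber context has to use the inner address.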
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: SCE devices, management tools and integration APIs
(Diagram: Service Control Engines between the subscribers and the network; around them the Subscriber Manager (integrating AAA, DHCP, RADIUS and billing), the Collection Manager feeding the reporting tool, the Engage console, the policy server/portal and the service portal.)

Management and Integrations

Function                     | Description                                             | Protocols and tools        | External software modules
Network management           | FCAPS                                                   | SNMP, CLI, SSH             | N/A
Policy/service configuration | Definition of policies and dissemination to SCE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber management        | Dynamic management of subscriber contexts               | SM API, RADIUS             | Subscriber Manager
Data collection              | Collection of usage data for reporting and billing      | NetFlow v9, RDR protocol   | Collection Manager

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SCE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
SNMP v2 community strings and Telnet logins travel in the clear; restrict both to a dedicated management network, prefer SSH for the CLI, and use a read-only community guarded by an access list.

Management: Network Navigator, a Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices and sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve logs, activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-headers

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate that subscriber; real-time reports

Service Security Dashboard
Integrated console to manage the service security functionality
View, load and edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: the ID of the subscriber context
Network-ID: the IP addresses used to map traffic to the context
Policy-ID: the ID of the policy (package) defining the rules
Subscriber quotas: set, add and read usage quota buckets
Integration into the back office and AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager: Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull modes:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration, Push Mode
Components: the B-RAS (RADIUS client) on the network side; the Cisco Subscriber Manager with its RADIUS relay, event manager, internal SDB and SCE device controller; the SCE devices facing the subscribers.
1. The B-RAS sends a RADIUS Accounting-Start (User-Name=Joe, Framed-IP-Address=1.2.3.4)
2. The RADIUS relay forwards the Accounting-Start to the SM with the SCE-VAS-PID=12 attribute added
3. The SM pushes the mapping to the SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager: RADIUS Integration, Pull Mode
Same components as in the push case.
1. The B-RAS sends a RADIUS Accounting-Start (User-Name=Joe, Framed-IP-Address=1.2.3.4)
2. The RADIUS relay forwards the Accounting-Start to the SM with SCE-VAS-PID=12 added; the SM stores the mapping in its SDB but does not push it
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which has no context for the address and asks the SM "Who is using IP 1.2.3.4?"
4. The SM answers over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
The RADIUS LEGs (SCE-sniffer RADIUS LEG, RADIUS listener LEG) and DHCP LEGs (CNR LEG, SCE-sniffer DHCP LEG, DHCP lease-query LEG) translate these into SM operations:
Login: subscriber ID, domain, mappings, lease time, policy
Logout: subscriber ID, mappings

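The RADIUS side of the push and pull diagrams and of the LEG translation above, as an added example (not Cisco's SM or LEG code): building and parsing an Accounting-Request, verifying its RFC 2866 Request Authenticator against the shared secret, and turning User-Name, Framed-IP-Address and the vendor-specific package attribute into a subscriber-database entry that is pushed on login, removed on Accounting-Stop, or answered on a pull query. The vendor-type number carrying the package attribute, the shared secret and the subscriber values are assumptions:

```python
"""Added example (not Cisco code): RADIUS Accounting-Start/Stop handling
behind the push and pull diagrams. Assumed, not from the slide: the
vendor-type number for the package ID (PACKAGE_VSA_TYPE = 1; the slide only
names the attribute SCE-VAS-PID), the shared secret and the sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
PACKAGE_VSA_TYPE = 1          # assumed vendor-type for the SCE package ID


def avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vsa(vendor_id, vendor_type, value):
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, 2 + len(value)) + value)


def build_acct_request(ident, secret, attrs):
    """Accounting-Request whose authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def parse_acct_request(pkt, secret):
    """Verify the Request Authenticator, then decode the attributes we map on.
    Without this check anyone who can reach the relay can re-map an address
    to another subscriber or package."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    head, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("bad Request Authenticator: wrong secret or spoofed packet")
    attrs = {"vsa": []}
    off = 0
    while off < len(body):
        attr_type, attr_len = body[off], body[off + 1]
        if attr_len < 2 or off + attr_len > len(body):
            raise ValueError("malformed attribute at offset %d" % off)
        value = body[off + 2:off + attr_len]
        if attr_type == USER_NAME:
            attrs["User-Name"] = value.decode()
        elif attr_type == NAS_IDENTIFIER:
            attrs["NAS-Identifier"] = value.decode()
        elif attr_type == FRAMED_IP:
            attrs["Framed-IP-Address"] = str(ipaddress.ip_address(value))
        elif attr_type == ACCT_STATUS_TYPE:
            (attrs["Acct-Status-Type"],) = struct.unpack("!I", value)
        elif attr_type == VENDOR_SPECIFIC:
            vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
            attrs["vsa"].append((vendor_id, vendor_type, value[6:4 + vendor_len]))
        off += attr_len
    return attrs


class SubscriberManager:
    """Minimal SDB: network ID (IP) -> (subscriber ID, package ID)."""

    def __init__(self):
        self.by_ip = {}

    def on_accounting(self, attrs):
        ip, user = attrs.get("Framed-IP-Address"), attrs.get("User-Name")
        if ip is None or user is None:
            return None                        # nothing to map
        if attrs.get("Acct-Status-Type") == ACCT_STOP:
            self.by_ip.pop(ip, None)           # logout: the address is free again
            return ("logout", user, ip)
        package = None
        for vendor_id, vendor_type, value in attrs["vsa"]:
            if vendor_id == CISCO_VENDOR_ID and vendor_type == PACKAGE_VSA_TYPE:
                package = int(value.decode())
        self.by_ip[ip] = (user, package)
        # push mode: "Set Subscriber (user, ip, package)" would go to the
        # SCE serving this address from here
        return ("login", user, ip, package)

    def who_is(self, ip):
        """Pull mode: the SCE asks which subscriber is using an address."""
        return self.by_ip.get(ip)


def sample_exchange(secret=b"s3cret"):
    """Constructed Accounting-Start and Accounting-Stop for subscriber Joe."""
    ip = ipaddress.ip_address("1.2.3.4").packed
    start = build_acct_request(7, secret, [
        avp(USER_NAME, b"Joe"), avp(NAS_IDENTIFIER, b"bras1"), avp(FRAMED_IP, ip),
        avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        vsa(CISCO_VENDOR_ID, PACKAGE_VSA_TYPE, b"12")])
    stop = build_acct_request(8, secret, [
        avp(USER_NAME, b"Joe"), avp(FRAMED_IP, ip),
        avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))])
    return start, stop
```

The authenticator check is cheap and belongs in the relay, not only in the RADIUS server: an accounting feed relayed without it is an unauthenticated write path into the subscriber database.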
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing and quota provisioning
NetFlow v9: allows integration for billing and quota provisioning cases

Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping the network ID to the subscriber ID, working with one or more policy servers
The number of policy servers depends on whether the SM is also used for policy-profile provisioning in addition to the network ID
(Diagram: policy server and Subscriber Manager connected by API; Subscriber Manager and SCE connected by API.)

PCEF: Subscriber Policy Enforcement
The SCE acts as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF is through the standard Gx interface
The Gx interface is still under development and will be available in a future release
(Diagram: GGSN, access aggregation and service control, converged packet core, the Internet and video/VoIP applications and services, with the SCE as the PCEF.)

Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the Collection Manager for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol is integrated directly into third-party systems: policy control, mediation, home-grown customer systems
Wire layout: an RDR stream over TCP carries consecutive RDRs, each consisting of a header followed by Field 0, Field 1, ..., Field n

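As an added example (not the RDR protocol's real encoding, which the slide does not specify), a binary record stream in the header-plus-fields shape shown above, with a decoder that copes with partial records on a TCP read; the subscriber ID in a click-stream record is replaced by a keyed HMAC pseudonym, which is the anonymization the BetterAds slide calls for when RDRs go to a profiling partner. The framing constants and field tags are assumptions:

```python
"""Added example (not Cisco code): an RDR-style binary record stream
(header followed by Field 0 ... Field n, as on the slide) with the
subscriber identity replaced by a keyed pseudonym before the record leaves
the operator.

Assumed, not from the slides: the exact framing (magic, type, field count,
body length) and the field tags; the real RDR wire format is not shown.
"""
import hashlib
import hmac
import struct

MAGIC = b"RDR1"                     # assumed framing marker
HDR = struct.Struct("!4sHHI")       # magic, rdr type, field count, body length
T_UINT32, T_STR = 1, 2
HTTP_CLICK_RDR = 1                  # assumed record type for click-stream RDRs


def pseudonym(subscriber_id, key, nbytes=12):
    """One-way, keyed subscriber pseudonym. A plain SHA-256 of a small ID
    space (user names, MSISDNs) can be reversed by enumeration; HMAC with a
    key the recipient never sees cannot, and rotating the key unlinks old
    records from new ones."""
    return hmac.new(key, subscriber_id.encode(), hashlib.sha256).digest()[:nbytes].hex()


def encode_rdr(rdr_type, fields):
    body = b""
    for value in fields:
        if isinstance(value, int):
            body += struct.pack("!BHI", T_UINT32, 4, value)
        else:
            raw = value.encode()
            body += struct.pack("!BH", T_STR, len(raw)) + raw
    return HDR.pack(MAGIC, rdr_type, len(fields), len(body)) + body


def decode_stream(buf):
    """Decode every complete record in buf and return (records, consumed)
    so a TCP reader can keep the unfinished tail for the next read."""
    records, off = [], 0
    while len(buf) - off >= HDR.size:
        magic, rdr_type, nfields, blen = HDR.unpack_from(buf, off)
        if magic != MAGIC:
            raise ValueError("lost RDR framing at offset %d" % off)
        if len(buf) - off - HDR.size < blen:
            break                                  # partial record: wait for more
        body = buf[off + HDR.size:off + HDR.size + blen]
        fields, pos = [], 0
        for _ in range(nfields):
            tag, length = struct.unpack_from("!BH", body, pos)
            raw = body[pos + 3:pos + 3 + length]
            pos += 3 + length
            fields.append(struct.unpack("!I", raw)[0] if tag == T_UINT32 else raw.decode())
        if pos != blen:
            raise ValueError("field lengths do not match body length")
        records.append((rdr_type, fields))
        off += HDR.size + blen
    return records, off


def clickstream_rdr(subscriber_id, host, path, key):
    """HTTP click-stream RDR as a profiling partner should receive it: the
    pseudonym instead of the subscriber ID, and host plus path only
    (no query string, cookies or headers)."""
    return encode_rdr(HTTP_CLICK_RDR, [pseudonym(subscriber_id, key), host, path])
```

A plain hash is not a pseudonym when the input space is small (user names, phone numbers): the recipient can enumerate it. Keeping the HMAC key inside the operator, and rotating it, is what makes the record unlinkable to the subscriber.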
Collection Manager: NetFlow v9 Export
NetFlow v9 export supports L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: the SCE feeds both the SCMS Collection Manager, read by the SCMS Reporter, and a NetFlow collector, read by a NetFlow reporter.)

Collection Manager: Software Overview
CM software
Unix (Solaris, Linux) Java software
The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM bundle
Cisco provides the collection software pre-packaged with a database (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability can mark traffic:
per package
per service
per direction (upstream or downstream)
(Diagram: browsing, P2P and VoIP flows between the subscriber side and the network side, marked on upstream and downstream flows.)

ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
Because the mark is trusted over signatures, DSCP values set by subscribers' own hosts must be re-marked or cleared at the edge before the SCE; otherwise a subscriber can pick their own service level by setting the ToS byte.

Summary

Cisco SCE Sample Customers
(Logo wall grouped into Mobile, DSL and Cable customers.)

Partners and customers by solution area:
Security and content filtering: partners Aladdin, Websense, Adaptive Mobile
Policy and billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL black-listing: Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local partners in China and Italy; customers a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Customers named for the first three areas: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo

Flash caching/video: partners Oversi, CDS; customers various European and Asian operators
Content infringement: partners Audible Magic, Advestigo, Altnet; European legislators and content providers, initial POCs
Management/reporting: partners Proxy, Business Objectives, Comability, Aqsacom, InfoVista; customers Telecom Italia, CYTA
Data warehousing: partners Business Objects, Oracle; customers Orange, T-Mobile, Telenet

Service Creation SCElsquos Rich Service Creation Environment
Personalized Subscription Service Examples
Parental Controls and Content Filtering Set Internet controls for childrenincluding blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button) A turbo button to boost bandwidth for a set or undetermined period of time or for the life of a specific application
Allowance-Based Subscription Services Choose volume or time-based quotasfor a set period of time as referred to as prepaid service
Copyright Infringement Validate that content distributed does not infringe copyrights
Advertisement Insertion Perform local advertisement insertions
Security Services Network-based security services to protect subscribers from attacks or mitigate risks associated with attacks emanating from the subscriber
Rich Service-Creation Environment
Application-based control on a per-subscriber basis
Integrates with AAA policy-server to deliver personalized broadband experience
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (e.g. VoIP viruses, EPG hacking, etc.)
Effect on the SP's business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block / mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
(Diagram: Service Control sits between the subscribers, the SP's email servers and the Internet; sample notification shown below)
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
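The three tiers above, run over sample flow records, as an added example that is not Cisco SCE code: the flow-record format, the thresholds, the SP smarthost address and the action names are all assumptions made for the illustration. The anomaly rule is the classic direct-to-MX fan-out check: a residential subscriber that opens SMTP sessions to many distinct mail servers inside a short window is treated as a spam zombie, while mail relayed through the SP's own smarthost is never counted.

```python
"""Added example, not Cisco SCE code: a minimal model of the slide's
identify / protect / notify tiers for the spam-zombie case. Flow records,
thresholds, the SP smarthost address and the action names are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since epoch
    subscriber: str    # subscriber ID, as mapped by the Subscriber Manager
    dst_ip: str
    dst_port: int
    proto: str         # "tcp" or "udp"


WINDOW_SECONDS = 60.0      # assumed anomaly window
MAX_DISTINCT_MX = 5        # assumed: more distinct SMTP peers than this per window is a zombie
SP_SMARTHOSTS = {"203.0.113.25"}   # the SP's own mail relay (constructed), never counted


class SmtpAnomalyDetector:
    """Flags a subscriber that fans out SMTP sessions to many distinct mail servers."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_MX):
        self.window = window
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)   # subscriber -> deque of (ts, dst_ip)
        self.state = {}                     # subscriber -> "quarantined"

    def observe(self, flow):
        """Feed one flow record and return the action applied to it."""
        if self.state.get(flow.subscriber) == "quarantined":
            # Protect: stop further SMTP; Notify: steer other traffic to the notice page
            return "drop" if flow.dst_port == 25 else "redirect-to-notice"
        if flow.proto != "tcp" or flow.dst_port != 25 or flow.dst_ip in SP_SMARTHOSTS:
            return "allow"
        q = self._events[flow.subscriber]
        q.append((flow.ts, flow.dst_ip))
        while q and flow.ts - q[0][0] > self.window:   # slide the window forward
            q.popleft()
        if len({ip for _, ip in q}) > self.max_distinct:
            self.state[flow.subscriber] = "quarantined"
            return "alert+quarantine"        # Identify: alert SP operations, then quarantine
        return "allow"


def run_sample():
    """Replay constructed flows: alice relays via the smarthost, joe sprays direct-to-MX."""
    det = SmtpAnomalyDetector()
    flows = (
        [Flow(float(t), "alice", "203.0.113.25", 25, "tcp") for t in range(8)]
        + [Flow(float(t), "joe", "198.51.100.%d" % t, 25, "tcp") for t in range(1, 8)]
        + [Flow(8.0, "joe", "93.184.216.34", 80, "tcp")]
    )
    flows.sort(key=lambda f: f.ts)
    return [(f.subscriber, det.observe(f)) for f in flows]
```

The window is sliding, so a subscriber that legitimately contacts a handful of mail servers spread over time never trips the threshold; only the burst does. Once quarantined, the subscriber's web traffic is what carries the notification, which is why the redirect applies to non-SMTP flows and SMTP is simply dropped.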
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users (diagram: User 1, SCE on the Carrier Ethernet / MPLS / IP path, VAS server, Internet; inbound and outbound traffic, X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Diagram: Analysis Engine with Police / Drop / Rewrite (PDR) actions between the subscriber and network interfaces)
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
(Diagram: receive-only SCE fed by optical splitters between Subscribers and Network; inline SCE placed directly in the path)
High Availability Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active-standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each active link, cascaded)
Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy: while the SCE is down, traffic still flows but without policy enforcement or security protection
Bypass config: fail open
1+1
Active/standby: one SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass config: fail open
(Diagram: active link and standby link(s))
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
(Diagram: SCE8000 with two optical bypass modules, one showing the default bypass state (no power), the other the non-default bypass state)
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability: provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the Cisco 7600 dispatches each flow to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
(Diagram: 7600 between subscribers and the Internet dispatching flows to N+1 SCEs and receiving the return flows)
Network Architectures: SCE's Open & Extensible Architecture (diagram: N+1, 1+1 HA and bypass HA insertion options; GGSN for mobile and BRAS / LAC / LNS for DSL / fiber access; accounting and policy control; Internet)
Packet Inspection in a Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP: planned for end of 2009
(Diagram: encapsulation stacks such as L2TP or MPLS / IP / TCP / Payload and PPP / IP / TCP / Payload, showing the inner headers the engine must reach)
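What "supporting" these encapsulations means in practice is walking the header stack down to the inner IP 5-tuple that subscriber mapping and classification key on. The walker below is an added example, not Cisco code, covering the 802.1Q, MPLS, IP-in-IP and L2TPv2 / PPP cases the slide lists (GRE and GTP are left out, as the slide says they were still planned). The sample frames are constructed by hand with zero checksums, since the walker never validates them, and MPLS payloads are assumed to carry no control word.

```python
"""Added example, not Cisco code: peel 802.1Q, MPLS, IP-in-IP and L2TPv2/PPP
encapsulations off a frame to reach the inner IP 5-tuple. Sample frames are
constructed; checksums are zero because nothing here validates them."""
import ipaddress
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17
L2TP_PORT, PPP_IPV4 = 1701, 0x0021


def _ipv4(data, off):
    """Return (src, dst, proto, payload_offset) for the IPv4 header at off."""
    ihl = (data[off] & 0x0F) * 4
    if data[off] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 header at offset %d" % off)
    src, dst = data[off + 12:off + 16], data[off + 16:off + 20]
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), data[off + 9], off + ihl


def _l2tp_ppp(data, off):
    """Skip an L2TPv2 data header plus PPP framing; return the inner IP offset or None."""
    flags = struct.unpack("!H", data[off:off + 2])[0]
    if flags & 0x8000 or flags & 0x000F != 2:    # control message, or not L2TPv2
        return None
    off += 2
    if flags & 0x4000: off += 2                   # L bit: length field present
    off += 4                                      # tunnel ID + session ID
    if flags & 0x0800: off += 4                   # S bit: Ns / Nr present
    if flags & 0x0200:                            # O bit: offset size + padding
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    if data[off:off + 2] == b"\xff\x03": off += 2  # PPP address/control unless compressed
    if data[off] & 1:                             # protocol-field compression: one octet
        proto, off = data[off], off + 1
    else:
        proto, off = struct.unpack("!H", data[off:off + 2])[0], off + 2
    return off if proto == PPP_IPV4 else None


def inner_five_tuple(frame):
    """Peel encapsulations off an Ethernet frame; return the innermost IP 5-tuple."""
    layers, off = [], 12
    etype = struct.unpack("!H", frame[off:off + 2])[0]; off += 2
    while etype == ETH_VLAN:                      # 802.1Q, possibly stacked (QinQ)
        layers.append("vlan"); etype = struct.unpack("!H", frame[off + 2:off + 4])[0]; off += 4
    if etype == ETH_MPLS:
        while True:                               # pop labels until the bottom-of-stack bit
            entry = struct.unpack("!I", frame[off:off + 4])[0]; off += 4
            layers.append("mpls")
            if entry & 0x100: break
        # assumption: no control word, so the payload is IP (version nibble checked by _ipv4)
    elif etype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % etype)
    while True:
        src, dst, proto, off = _ipv4(frame, off)
        if proto == IPPROTO_IPIP:
            layers.append("ipip"); continue
        if proto == IPPROTO_UDP:
            sport, dport = struct.unpack("!HH", frame[off:off + 4])
            if L2TP_PORT in (sport, dport):
                inner = _l2tp_ppp(frame, off + 8)
                if inner is not None:
                    layers.append("l2tp/ppp"); off = inner; continue
            return {"layers": layers, "src": src, "dst": dst, "proto": "udp", "sport": sport, "dport": dport}
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", frame[off:off + 4])
            return {"layers": layers, "src": src, "dst": dst, "proto": "tcp", "sport": sport, "dport": dport}
        return {"layers": layers, "src": src, "dst": dst, "proto": proto, "sport": None, "dport": None}


# --- constructed sample frames ---------------------------------------------
def _ip(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def _tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


ETH = b"\x00" * 12   # dst / src MAC placeholders


def sample_mpls_frame():
    """Subscriber TCP flow carried as 802.1Q + two MPLS labels (e.g. an MPLS TE tunnel)."""
    labels = struct.pack("!II", (1000 << 12) | 64, (2000 << 12) | 0x100 | 64)  # S bit on the inner label
    return (ETH + struct.pack("!H", ETH_VLAN) + struct.pack("!HH", 100, ETH_MPLS) + labels
            + _ip("10.1.1.5", "93.184.216.34", IPPROTO_TCP, _tcp(51234, 443)))


def sample_l2tp_frame():
    """Subscriber TCP flow inside PPP inside an L2TPv2 tunnel between LAC and LNS."""
    l2tp = struct.pack("!HHH", 0x0002, 7, 9)     # data message, version 2, tunnel 7, session 9
    ppp = b"\xff\x03" + struct.pack("!H", PPP_IPV4)
    inner = _ip("10.2.2.9", "198.51.100.80", IPPROTO_TCP, _tcp(40000, 80))
    return (ETH + struct.pack("!H", ETH_IPV4)
            + _ip("192.0.2.1", "192.0.2.2", IPPROTO_UDP, _udp(1701, 1701, l2tp + ppp + inner)))


def sample_ipip_frame():
    """Subscriber UDP flow carried IP-in-IP."""
    inner = _ip("10.3.3.3", "203.0.113.7", IPPROTO_UDP, _udp(5060, 5060, b""))
    return ETH + struct.pack("!H", ETH_IPV4) + _ip("192.0.2.10", "192.0.2.20", IPPROTO_IPIP, inner)
```

The L2TP branch is where deployments usually get bitten: the optional length, sequence and offset fields change the header size per tunnel, and PPP may or may not compress the address/control and protocol fields, so a fixed-offset parser silently misclassifies a fraction of sessions. The walker therefore reads the flag bits instead of assuming a layout.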
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
(Diagram: the Service Control Engine between Subscribers and Network; around it the Subscriber Manager, AAA / DHCP / RADIUS / Billing, Reporting Tool / Engage Console / Service Portal, Collection Manager, and Policy Server / Portal)
Modular solution: includes SCE devices, management tools and integration APIs
Management and Integrations
Network Management | Description: FCAPS | Protocols and tools: SNMP, CLI, SSH | External software module: N/A
Policy / Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up / down, link status up / down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Note that SNMPv2 community strings and Telnet sessions travel in cleartext; in deployment, prefer SSH, and restrict SNMP and CLI access to the management network.
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate that subscriber
Real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set / add / read usage quota buckets
Integration into the back office / AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager ndash Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull modes
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push (diagram: B-RAS, RADIUS server, Cisco Subscriber Manager with RADIUS listener / event manager / internal SDB / SCE device controller, SCE, subscribers and network)
1. The B-RAS sends a RADIUS Accounting-Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the SM, now carrying the vendor-specific attribute SCE-VAS-PID=12
3. The SM pushes the mapping to the SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager: RADIUS Integration - Pull (diagram: same components as the push case)
1. The B-RAS sends a RADIUS Accounting-Start to the RADIUS server: Username=Joe, Framed-IP-Address=1.2.3.4
2. The RADIUS server relays the Accounting-Start to the SM, now carrying the vendor-specific attribute SCE-VAS-PID=12; the SM stores the mapping in its internal SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: "Who is using IP 1.2.3.4?"
4. The SM answers over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
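The push and pull exchanges above, as an added example that is not Cisco SM or SCE code: it builds the Accounting-Start a B-RAS would send, parses it the way a RADIUS listener must, and feeds a minimal mapping table that serves both the push (step 3) and the pull (step 4) paths. The part a practitioner cares about is the RFC 2866 Request Authenticator check before anything is trusted: an Accounting-Start is what binds an IP address to a subscriber and a policy, so a forged one from a host that does not hold the shared secret must not be able to re-map an address. Vendor ID 9 is Cisco's IANA enterprise number; the sub-attribute number used for SCE-VAS-PID and the shared secret are assumptions for the illustration.

```python
"""Added example, not Cisco code: RADIUS Accounting-Start parsing with the
RFC 2866 Request Authenticator check, driving a minimal push/pull mapping
table. The SCE-VAS-PID sub-attribute number and the secret are assumptions."""
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_NAS_ID, ATTR_ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START = 1
VENDOR_CISCO = 9                    # IANA private enterprise number for Cisco
VSA_SCE_VAS_PID = 100               # assumed sub-attribute number, illustration only
SHARED_SECRET = b"example-secret"   # constructed for the example


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_acct_start(username, ip, vas_pid, pkt_id=1, secret=SHARED_SECRET):
    """Build the Accounting-Request(Start) a B-RAS would send (constructed sample)."""
    vsa = struct.pack("!I", VENDOR_CISCO) + _attr(VSA_SCE_VAS_PID, struct.pack("!I", vas_pid))
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed)
             + _attr(ATTR_NAS_ID, b"bras-1")
             + _attr(ATTR_ACCT_STATUS, struct.pack("!I", ACCT_START))
             + _attr(ATTR_VSA, vsa))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, pkt_id, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs


def parse_acct_start(pkt, secret=SHARED_SECRET):
    """Verify the authenticator and return (username, ip, vas_pid), or None if untrusted."""
    if len(pkt) < 20:
        return None
    code, _pkt_id, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return None
    auth, attrs = pkt[4:20], pkt[20:]
    if hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest() != auth:
        return None     # forged, tampered, or sent by a host without the secret
    username = ip = vas_pid = status = None
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            return None  # malformed TLV: stop rather than read past the buffer
        value = attrs[pos + 2:pos + attr_len]
        if attr_type == ATTR_USER_NAME:
            username = value.decode(errors="replace")
        elif attr_type == ATTR_FRAMED_IP and len(value) == 4:
            ip = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_ACCT_STATUS and len(value) == 4:
            status = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            if value[4] == VSA_SCE_VAS_PID and value[5] == 6 and len(value) >= 10:
                vas_pid = struct.unpack("!I", value[6:10])[0]
        pos += attr_len
    if status != ACCT_START or username is None or ip is None:
        return None
    return username, ip, vas_pid


class SubscriberManager:
    """Minimal model of the SM mapping table with the push and pull interfaces."""

    def __init__(self):
        self._by_ip = {}

    def on_accounting(self, pkt):
        """Push path: a trusted Accounting-Start becomes a Set Subscriber sent to the SCE."""
        rec = parse_acct_start(pkt)
        if rec is None:
            return None
        username, ip, pid = rec
        self._by_ip[ip] = (username, pid)
        return ("set_subscriber", username, ip, pid)   # step 3: Set Subscriber(Joe, 1.2.3.4, 12)

    def who_is_using(self, ip):
        """Pull path: the SCE asks for the mapping of an address it just saw traffic from."""
        return self._by_ip.get(ip)
```

The same check also rejects a packet whose Framed-IP-Address was altered in transit, which is the practical reason the listener must hold the secret rather than simply sniffing accounting traffic.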
RADIUS Integration: LEG translation in brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEG translates these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing / quota provisioning
NetFlow v9: allows integration for billing / quota provisioning
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: Policy Server <-API-> Subscriber Manager <-API-> SCE)
PCEF - Subscriber Policy Enforcement (diagram: GGSN, access aggregation and service control, converged packet core, Internet, applications and services such as video / VoIP)
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx / Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing: either the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer platforms
(Diagram: SCE -> RDR stream over TCP -> mediation / collection platform; each RDR carries a header followed by fields 0 .. n)
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions
Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCE exporting to the SCMS Collection Manager / SCMS Reporter and to a NetFlow Collector / NetFlow Reporter)
Collection Manager: Software Overview
CM software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates)
CM bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
per package
per service
per direction (upstream / downstream)
(Diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP)
ToS Classification
SCE provides traffic classification based on the ToS bits
ToS-based classification assumes that DSCP or IP precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because the marking is trusted as-is, DSCP values arriving from the subscriber side should be set or re-marked by a trusted element before the SCE; otherwise a subscriber can select its own service level simply by marking its packets.
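The two ToS slides together, as an added example that is not Cisco SCE code: DSCP-based classification that trusts marks only on the network side, re-marks subscriber-side packets to the package's value before classifying them, and keeps the IPv4 header checksum valid with the incremental update from RFC 1624 rather than a full recomputation. The seven DSCP-to-service mappings and the package values are assumptions for the illustration; the slide does not say which seven values the GUI offers.

```python
"""Added example, not Cisco SCE code: DSCP classification that only trusts
network-side marks, re-marking subscriber-side packets with an RFC 1624
incremental checksum update. The DSCP-to-service table is an assumption."""
import struct

# Assumed stand-in for the slide's "7 selective DSCP values" (illustration only)
DSCP_SERVICE = {46: "voip", 34: "video", 26: "gaming", 18: "browsing",
                10: "bulk", 8: "p2p", 0: "best-effort"}


def ipv4_checksum(hdr):
    """One's-complement sum over an IPv4 header; zero the checksum field before calling."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def checksum_is_valid(pkt):
    """A correct header, checksum included, sums to all ones, so its complement is zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def get_dscp(pkt):
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite the DSCP (upper 6 bits of the ToS byte), keep ECN, fix the checksum incrementally."""
    old16 = struct.unpack("!H", pkt[0:2])[0]          # the 16-bit word holding ver/IHL + ToS
    new_tos = (dscp << 2) | (pkt[1] & 0x03)
    new16 = (pkt[0] << 8) | new_tos
    old_csum = struct.unpack("!H", pkt[10:12])[0]
    # RFC 1624 eqn 3: HC' = ~(~HC + ~m + m'), all in one's-complement arithmetic
    s = (~old_csum & 0xFFFF) + (~old16 & 0xFFFF) + new16
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    new_csum = (~s) & 0xFFFF
    return pkt[:1] + bytes([new_tos]) + pkt[2:10] + struct.pack("!H", new_csum) + pkt[12:]


def classify(pkt, direction, package_dscp):
    """Return (service, packet). Downstream marks come from the network side and are trusted;
    upstream marks come from the subscriber and are overwritten with the package value."""
    if direction == "upstream":
        pkt = set_dscp(pkt, package_dscp)
    return DSCP_SERVICE.get(get_dscp(pkt), "unclassified"), pkt


def sample_packet(dscp):
    """Constructed 20-byte IPv4 header (TCP, 10.0.0.5 -> 93.184.216.34) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 40, 0x1234, 0x4000, 64, 6, 0,
                      bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

Re-marking at line rate is why the incremental form matters: only the one changed 16-bit word enters the arithmetic, and the result is bit-identical to recomputing over the whole header.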
Summary
Cisco SCE Sample Customers (logo slide: customers grouped as Mobile, DSL and Cable)
Ecosystem partners and customer examples by area (two logo slides):
Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy
Customers named on the first slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video: partners Oversi, CDS
Content Infringement: partners Audible Magic, Advestigo, Altnet
Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, InfoVista
Data Warehousing: Business Objects, Oracle
Customers named on the second slide: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
European Mobile Volume Quota (chart; source: http://www.vodafone.es/particulares/internet; only the label "> 40" survives from the chart)
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (Turbo Button, self-care, parental control)
"Push": the enhanced experience is application-driven, through application awareness and a control bus
(Diagram: services shown include IPTV / VoD, broadband access, gaming, messaging, music and voice)
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment
Application-based control on a per-subscriber basis
Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Personalization via self selection
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
Personalized Services: Self Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting / monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental controls and content filtering
Example: Content Tiering - "Kids Broadband"
Application- and content-based access control with white-lists / blacklists
Limits access to pre-defined web-sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
(Diagram: a blocked request is redirected to a portal page: "Content Blocked - Click here to unlock all Internet sites")
URL Filtering With External DB
Enhances SCE URL classification with external-party databases
External database size is not constrained by the SCE
SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
(Diagram: on-device URL filtering with external database integration; on a cache miss ("URL not in cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification, and the cache is updated)
Action per subscriber package and HTTP list:
Subscriber package | HTTP DEFAULT | HTTP List ID 1 | HTTP List ID 2
Block-none | ALLOW | ALLOW | ALLOW
Block-all | ALLOW | BLOCK | BLOCK
Block-and-slow | ALLOW | BLOCK | RATE 64 kbps
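The lookup pattern on this slide is the same one the P2P hash-DB slide (slide 74) describes: an on-box cache in front of an external classification service, and a per-package action table applied to the answer. The added example below, which is not Cisco code and whose class and method names are assumptions, covers both: the key is either a normalised URL host or a file hash, the action table is the one above, and the behaviour when the external DB is slow or down is made an explicit policy choice rather than an accident. The database contents are constructed.

```python
"""Added example, not Cisco code: an on-box TTL cache in front of an external
URL / hash classification DB, the slide's per-package action table, and an
explicit fail-open / fail-closed choice. Names and DB contents are assumed."""
import time

# Action matrix from the slide: package -> {list ID: action}; "DEFAULT" = not on any list
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalDb:
    """Stand-in for the 3rd-party URL database or the P2P hash DB (constructed data)."""

    def __init__(self, table, available=True):
        self.table, self.available, self.queries = table, available, 0

    def query(self, key):
        self.queries += 1
        if not self.available:
            raise TimeoutError("external DB unreachable")
        return self.table.get(key, "DEFAULT")


class ClassifierCache:
    """TTL cache keyed on the normalised URL host or the file hash."""

    def __init__(self, db, ttl=300.0, on_failure="ALLOW", clock=time.monotonic):
        self.db, self.ttl, self.on_failure, self.clock = db, ttl, on_failure, clock
        self._cache = {}                 # key -> (list_id, expires_at)
        self.hits = self.misses = 0

    def lookup(self, key):
        """Return the list ID ("DEFAUL T" stripped of spaces: "DEFAULT" if unlisted), or None if the DB could not answer."""
        now = self.clock()
        hit = self._cache.get(key)
        if hit and hit[1] > now:
            self.hits += 1
            return hit[0]
        self.misses += 1
        try:
            list_id = self.db.query(key)     # the slide's "URL Query RDR" to the external DB
        except TimeoutError:
            return None                      # nothing cached: caller decides what to do
        self._cache[key] = (list_id, now + self.ttl)
        return list_id

    def decide(self, package, key):
        list_id = self.lookup(key)
        if list_id is None:
            return self.on_failure           # fail-open or fail-closed is a policy decision
        return POLICY[package][list_id]


def normalise_url_key(url):
    """Cache on the lower-cased host without userinfo, port or trailing dot, so casing
    or a dotted-FQDN variant of a listed host cannot dodge the list."""
    host = url.split("://", 1)[-1].split("/", 1)[0].split("@")[-1].split(":")[0]
    return host.lower().rstrip(".")
```

Fail-open (the default here) preserves the "open access" the challenges slide describes but leaves a parental-control subscriber unprotected for as long as the DB is unreachable; fail-closed protects but breaks browsing for every package during an outage. Either is defensible, but it should be chosen per package, not inherited from whatever the exception handler happens to do.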
Parental Control and Content Filtering: Example
(Screenshot: content filtering block page: "Page Blocked - Forbidden Content Detected")
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain (diagram: the ISP between Advertiser, Publisher and Consumer, contributing demographics, browsing habits and geo-location to "BetterAds")
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
• High Availability – provides N+1 device-level high availability, addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
  • The SCE performs the DPI function and returns the packets to the original data path
  • All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
[Diagram: N+1 SCEs attached to the 7600 between the access network and the Internet; flows are dispatched to an SCE and returned to the data path]
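As an added illustration (not Cisco's code, and not the 7600's actual dispatch algorithm, which the slide does not describe), the following Python models the two properties the slide states: every flow of a subscriber, in both directions, lands on the same SCE, and a failed SCE's share is taken over by the standby without disturbing the subscribers of the other SCEs. The hash, the SCE names and the subscriber addresses are assumptions constructed for the example.

```python
import hashlib
import ipaddress


class SceCluster:
    """N active SCE slots plus standby units, as in the MGSCP N+1 cluster on the slide."""

    def __init__(self, active, standby):
        self.slots = list(active)      # slot index -> SCE serving it; subscribers are pinned to slots
        self.standby = list(standby)
        self.failed = []

    def slot_for(self, subscriber_ip):
        # Assumed hash (not the 7600's own): keyed on the subscriber address only, so the
        # upstream and downstream halves of every flow of a subscriber select the same slot.
        digest = hashlib.sha256(ipaddress.ip_address(subscriber_ip).packed).digest()
        return int.from_bytes(digest[:4], "big") % len(self.slots)

    def dispatch(self, src_ip, dst_ip, direction):
        """Return the SCE that receives this packet; direction is 'up' (subscriber -> network)
        or 'down' (network -> subscriber)."""
        if direction not in ("up", "down"):
            raise ValueError("direction must be 'up' or 'down'")
        subscriber_ip = src_ip if direction == "up" else dst_ip
        return self.slots[self.slot_for(subscriber_ip)]

    def fail(self, sce):
        """Swap a standby into the failed SCE's slot.  Only that slot's subscribers are
        re-homed (and lose their flow state); every other SCE keeps its subscribers."""
        if not self.standby:
            raise RuntimeError("no standby left: %s cannot be replaced" % sce)
        idx = self.slots.index(sce)
        self.slots[idx] = self.standby.pop(0)
        self.failed.append(sce)
        return self.slots[idx]


def rehash_impact(cluster, subscriber_ips, failed_sce, peer_ip="203.0.113.9"):
    """Fail one SCE and report which subscribers changed SCE (the cost of the failover)."""
    before = {ip: cluster.dispatch(ip, peer_ip, "up") for ip in subscriber_ips}
    cluster.fail(failed_sce)
    after = {ip: cluster.dispatch(ip, peer_ip, "up") for ip in subscriber_ips}
    moved = sorted(ip for ip in subscriber_ips if before[ip] != after[ip])
    return before, after, moved


if __name__ == "__main__":
    # Constructed subscriber pool: 300 addresses in 10.0.0.0/16.
    subs = ["10.0.%d.%d" % (i // 256, i % 256) for i in range(1, 301)]
    cluster = SceCluster(["sce1", "sce2", "sce3"], ["sce-standby"])
    before, after, moved = rehash_impact(cluster, subs, "sce2")
    print("subscribers re-homed after sce2 failed: %d of %d" % (len(moved), len(subs)))
```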
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: SCE deployment options (1+1 HA, bypass HA, N+1) placed between the access networks (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN) and the Internet, with accounting/policy control integration]
Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
• VLAN 802.1q tagging
• MPLS traffic engineering
• L2TP tunneling
• IP-in-IP tunneling
• GRE & GTP (planned for end of 2009)
[Diagram: example encapsulation stacks: Payload/TCP/IP over L2TP/MPLS, and Payload/TCP/IP over PPP]
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
[Diagram: Service Control Engine between subscribers and the network, with the Subscriber Manager (integrating AAA, DHCP, RADIUS and billing), Collection Manager, reporting tool, Engage console, policy server and service portal]
Management and Integrations
Network Management
  Description: FCAPS
  Protocols and tools: SNMP, CLI, SSH
  External software module: N/A
Policy/Service Configuration
  Description: definition of policies and dissemination to SE devices
  Protocols and tools: SCA-API, GUI, scripts, XML
  External software module: Service Control Application Suite GUI
Subscriber Management
  Description: dynamic management of subscriber contexts
  Protocols and tools: SM API, RADIUS
  External software module: Subscriber Manager
Data Collection
  Description: collection of usage data for reporting and billing
  Protocols and tools: NetFlow v9, RDR protocol
  External software module: Collection Manager
Network Management (FCAPS)
SNMP (v2)
• MIB-II
• Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
• Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
• Telnet/SSH
• Cisco look and feel
• CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
• Group devices into sites (SCE, CM, SM, database)
• Batch management of devices/sites: apply configuration, update signatures, update software
• Common management operations: view device status, retrieve log, activate bypass
Signature Editor
• Customer-defined signatures
• GUI based
• Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
• Integrated Java-based reporting tool
• Works with an Oracle, MySQL or Sybase CM backend
• Context sensitive: drill down between reports and configuration
• Interactive: click on a top subscriber to activate the subscriber
• Real-time reports
Service Security Dashboard
Integrated console to manage the service security functionality:
• View/load/edit signatures
• Configure identification thresholds
• Set up mitigation actions
• View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
• Subscriber-ID: ID of the subscriber context
• Network-ID: IP addresses used to map traffic to the context
• Policy-ID: ID of the policy (package) defining the rules
• Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
• RADIUS AAA
• DHCP servers
• Policy control systems
Subscriber Manager – Roles
• Abstracts the SCE device network layout: a single point of integration
• Persists subscriber policies across logins
• Push and pull mode:
  • Push: login messages are sent directly to the relevant SCE device
  • Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
[Diagram: B-RAS, RADIUS server with RADIUS relay, Cisco Subscriber Manager (Event Manager, SCE device controller, internal SDB), SCE and subscribers]
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) is pushed to the SCE device
Subscriber Manager RADIUS Integration - Pull
[Diagram: same components as the push case]
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed to the SM with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
[Diagram: the RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate these attributes into SM login events (subscriber ID, domain, mappings, lease time, policy) and logout events (subscriber ID, mappings)]
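The push and pull flows above, as an added Python example that is not Cisco's SM or LEG code: it parses a RADIUS Accounting-Request, verifies the RFC 2866 Request Authenticator before trusting it, and turns Accounting Start/Stop into SM login/logout, with the pull-mode "who is using IP" lookup. The vendor sub-type used to carry SCE-VAS-PID, the shared secret and the packets themselves are assumptions constructed here.

```python
import hashlib
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9          # Cisco's IANA enterprise number
VSA_SCE_VAS_PID = 250     # ASSUMED vendor sub-type carrying SCE-VAS-PID; not a documented value
SECRET = b"constructed-shared-secret"   # constructed for this example


def parse_avps(data):
    """Split a run of Type/Length/Value attributes, rejecting malformed lengths."""
    avps, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return avps


def parse_accounting_request(packet, secret):
    """Return the fields the LEG needs, or raise ValueError on a bad or unauthenticated packet."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    # RFC 2866 section 3: Request Authenticator = MD5(Code+ID+Length, 16 zero octets, attributes,
    # shared secret).  Without this check, anyone who can reach the listener could re-map an IP
    # address to another subscriber's identity and policy.
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Request Authenticator mismatch: wrong secret or forged packet")
    fields = {"status": None, "user": None, "ip": None, "package_id": None}
    for atype, value in parse_avps(packet[20:]):
        if atype == USER_NAME:
            fields["user"] = value.decode("utf-8")
        elif atype == FRAMED_IP_ADDRESS:
            fields["ip"] = str(ipaddress.IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            fields["status"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
                for vtype, vvalue in parse_avps(value[4:]):
                    if vtype == VSA_SCE_VAS_PID:
                        fields["package_id"] = int(vvalue.decode("ascii"))
    return fields


class SubscriberManager:
    """In-memory stand-in for the SM's subscriber database (SDB) and its SCE controller."""

    def __init__(self):
        self.sdb = {}       # subscriber-id -> {"ips": set of network-ids, "package_id": policy-id}
        self.by_ip = {}     # network-id -> subscriber-id
        self.pushed = []    # events the SM pushed to the SCE (push mode only)

    def login(self, user, ip, package_id, push):
        stale = self.by_ip.get(ip)
        if stale is not None and stale != user:        # address reuse: drop the old mapping
            self.sdb[stale]["ips"].discard(ip)
        entry = self.sdb.setdefault(user, {"ips": set(), "package_id": None})
        entry["ips"].add(ip)
        if package_id is not None:                     # policy persists across logins
            entry["package_id"] = package_id
        self.by_ip[ip] = user
        if push:
            self.pushed.append(("login", user, ip, entry["package_id"]))

    def logout(self, user, ip, push):
        self.by_ip.pop(ip, None)
        if user in self.sdb:
            self.sdb[user]["ips"].discard(ip)
        if push:
            self.pushed.append(("logout", user, ip))

    def who_is_using(self, ip):
        """Pull mode: the SCE asks the SM which subscriber and package are behind an IP."""
        user = self.by_ip.get(ip)
        return None if user is None else (user, self.sdb[user]["package_id"])


def radius_leg(sm, packet, secret, push=True):
    """Translate one accounting packet into an SM login/logout; returns the parsed fields."""
    f = parse_accounting_request(packet, secret)
    if f["status"] == ACCT_START:
        sm.login(f["user"], f["ip"], f["package_id"], push)
    elif f["status"] == ACCT_STOP:
        sm.logout(f["user"], f["ip"], push)
    return f


def build_accounting(ident, status, user, ip, package_id, secret):
    """Construct an Accounting-Request as the RADIUS relay on the slide would send it."""
    def avp(atype, value):
        return bytes([atype, len(value) + 2]) + value
    vsa = struct.pack("!I", VENDOR_CISCO) + avp(VSA_SCE_VAS_PID, str(package_id).encode())
    attrs = (avp(ACCT_STATUS_TYPE, struct.pack("!I", status)) + avp(USER_NAME, user.encode())
             + avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed) + avp(VENDOR_SPECIFIC, vsa))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs
```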
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
• SCE API – allows direct subscriber management with the SCE (provided in Java)
• SM API – allows dynamic subscriber management (provided in C, Java)
• SCE MIB – allows integration for maintenance operations
• RDRs – allow integration for billing/quota provisioning
• NetFlow v9 – allows integration for billing/quota provisioning
Policy Servers Integration: Topology Example
• The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
• The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE, Subscriber Manager and Policy Server connected via APIs]
PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control), converged packet core, SCE acting as PCEF with a PCRF, applications and services (video, VoIP), Internet]
• SCE acting as a 3GPP PCEF
• Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
• Communication with the PCRF through a standard Gx interface
• The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
• SCE supports policy provisioning via the Gx interface over Diameter
• SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
• 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
  • Called-Station-Id
  • 3GPP-SGSN-IP-Address
  • 3GPP-SGSN-MCC-MNC
  • 3GPP-GPRS-Negotiated-QoS-Profile
  • 3GPP-Charging-Characteristics
• The Gx interface is still under development and will be available in a future release
Collection Manager
• The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
  • NetFlow v9 records are sent to an external NetFlow collector
  • RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
• Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
• Usage data is streamed from the device using the RDR protocol
  • TCP, binary encoded
  • Support for multiple destinations, failover, subscriptions
• The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Diagram: RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by fields 0..n]
Collection Manager: NetFlow v9 Export
• NetFlow Export v9 to support L7 report records
  • Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  • SCE supports the new extensions
• Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
• Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCMS Collection Manager with SCMS Reporter alongside a NetFlow Collector with NetFlow Reporter]
Collection Manager: Software Overview
CM-Software
• Unix (Solaris, Linux) Java software
• Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
• Template-driven reporting tool (100+ report templates)
CM-Bundle
• Cisco provides the collection software pre-packaged with a DB (Sybase)
• Template-driven reporting tool (100+ report templates)
ToS Marking
• ToS marking is decoupled from the queuing mechanism
• Provides a simplified GUI configuration based on 7 selectable DSCP values
• Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  – per package
  – per service
  – per direction (upstream/downstream)
[Diagram: upstream and downstream flows (browsing, P2P, VoIP) between the subscriber side and the network side]
ToS Classification
• The SCE provides traffic classification based on ToS bits
• ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
• The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
• DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
[Logo slide: sample customers grouped by access type: Mobile, DSL, Cable]
[Table: partners and sample customers by solution area]
• Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
• Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
• URL Black-listing: Websense, in-platform cache
• Advertising: Phorm, Feeva, Adzilla, local partners in China and Italy
Customers listed: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
[Table: partners and sample customers by solution area]
• Flash Caching/Video: Oversi, CDS
• Content Infringement: Audible Magic, Advestigo, Altnet
• Management/Reporting: Proxy Business Objectives, Comability, Aqsacom, InfoVista
• Data Warehousing: Business Objects, Oracle
Customers listed: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet
Advanced Services
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
• "Pull": enhanced experience is subscriber-driven (turbo button, self-care, parental control)
• "Push": enhanced experience is application-driven (application awareness)
[Diagram: services such as IPTV/VoD, broadband access, gaming, messaging, music and voice connected through a control bus]
Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
• Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
• Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
• Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
• Copyright Infringement: validate that distributed content does not infringe copyrights
• Advertisement Insertion: perform local advertisement insertions
• Security Services: network-based security services to protect subscribers from attacks or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
• Application-based control on a per-subscriber basis
• Integrates with the AAA policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
• Enable zero-touch provisioning for full self-service account setup
• Enable customers to self-select and modify services and features
Personalized Subscriber Management: Self-Service Selection Example
• Simplifies the end-user experience
• Personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
[Screenshot: personalization via self-selection]
Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a turbo button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
[Screenshot: turbo button]
Personalized Services: Self Provisioned
• Quota management
• Turbo (bandwidth on demand)
• Application prioritization
• Reporting/monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
[Screenshot: parental controls and content filtering]
Example Content Tiering - "Kids Broadband"
• Application- and content-based access control with white-lists/blacklists
  • Limits access to pre-defined web sites
  • Limits access to pre-approved applications
• HTTP redirect to portal
• Real-time policy change
Benefits:
• Customer loyalty and stickiness
• Revenue opportunity through content provider partnership
[Diagram: blocked-content portal page ("Content Blocked: click here to unlock all Internet sites") in front of the Internet]
URL Filtering With External DB
• Enhance SCE URL classification with external party databases
  • External database size is not constrained by the SCE
  • The SCE on-board cache reduces transactions to the external DB
• Java-based API
  • Can be used with commercial parental control systems or proprietary databases
  • Current integration is with Websense & Adaptive Mobile
[Diagram: on-device URL filtering with external database integration: on a URL not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated]
Example policy table (subscriber package vs. HTTP list):
Subscriber package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none         | ALLOW        | ALLOW            | ALLOW
Block-all          | ALLOW        | BLOCK            | BLOCK
Block-and-slow     | ALLOW        | BLOCK            | RATE 64 kbps
Parental Control and Content Filtering: Example
[Screenshot: content filtering, "Page Blocked: Forbidden Content Detected"]
• Subscriber-managed parental control
• Basic website blacklisting provided free of charge
• Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
Leveraging their intimacy with their customer base to enable enhanced targeting
[Diagram: the ISP (demographics, browsing habits, geo-location) feeding BetterAds between advertiser, publisher and consumer]
BetterAds: Cisco SCE Targeted Advertising Solution
• Initially focusing on behavioral targeting; the next step would be to add demographic targeting
• Good for all access types: DSL, Cable, Mobile, WiFi
• Value-add on top of the SCE's product offering
• SPs participate in the advertising value chain
• Increase ARPU through a revenue-sharing model
• Addressing privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
• Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
• Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in RDR records
• Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)
P2P Identification: Infringing / Non-Infringing
[Diagram: subscriber, SCE, hash DB and network]
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: it lets the request pass for a legal file, and blocks, redirects or rate-limits an infringing file
• Classifying P2P content into infringing / non-infringing
• Identifying and reporting infringing material per the SP's policy
• Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
• Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
• The SCE analyzes and redirects OTT traffic to the caching server
• The cache delivers more bandwidth to end-users using existing network resources
• The cache relieves network peering load while improving QoE
Benefits:
• Saves on peering bandwidth
• Clears network congestion
• Increases user satisfaction
• Best user experience – OTT content is delivered from within the network, as close as possible to the user
[Diagram: the SCE separates OTT video from other traffic (other OTT, P2P, VoIP) and redirects it to the OTT video cache, which delivers the requested files; demand for OTT is increasing]
Service Security Challenges
Key challenges:
• Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
• No mandatory security tools: end-users may not have any security protection
• End-users are not educated on security best practices
• New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
• Increased cost for the carrier from network management and downtime
• Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
• DoS: DoS attacks from subscribers
• Spam: spam activity from botnets or malicious users
• Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
• Identify: identify the threat using stateful traffic processing and alert SP operations
• Protect: block/mitigate the threat based on the configured policy
• Notify: quarantine the subscriber and notify them of the security risk
[Diagram: Service Control between the subscriber, the email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]
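The identify/protect/notify tiers above, as an added Python example that is not Cisco's implementation: it runs a destination fan-out anomaly detector (spam zombies, worm propagation), a single-target rate detector (DoS) and one signature over constructed flow summaries, then applies a per-threat policy and quarantines with a notification. The thresholds, the signature, the policy table and the traffic are illustrative values constructed here, not SCE defaults.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One upstream flow summary (constructed stand-in for the SCE's stateful flow view)."""
    ts: float
    sub_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""    # first bytes of the upstream payload, when available

# Constructed signature for illustration only, not a real SCE signature.
SIGNATURES = [("example-worm", 445, re.compile(rb"^EXAMPLE-WORM-PROBE"))]
# Illustrative policy: threat class -> (Protect action, whether Notify quarantines).
POLICY = {"spam-zombie": ("block-port", True), "worm": ("block-port", True), "dos": ("rate-limit", False)}


def notice(sub_ip, threat):
    return ("Dear Valued Subscriber, your connection (%s) shows %s activity and has been "
            "quarantined. Click here for technical assistance." % (sub_ip, threat))


class ServiceSecurity:
    """Three-tier identify/protect/notify engine over flow summaries."""

    def __init__(self, window=60.0, fanout_limit=20, rate_limit=200):
        self.window, self.fanout_limit, self.rate_limit = window, fanout_limit, rate_limit
        self.fanout = defaultdict(deque)   # (sub_ip, port) -> (ts, dst_ip) seen within window
        self.rate = defaultdict(deque)     # (sub_ip, dst_ip) -> ts seen within window
        self.alerts, self.actions, self.notices, self.quarantined = [], [], [], set()
        self.flagged = set()               # (sub_ip, threat) already alerted once

    def _signature(self, f):
        for _name, port, pattern in SIGNATURES:
            if f.dst_port == port and pattern.match(f.payload):
                return "worm"
        return None

    def _anomaly(self, f):
        q = self.fanout[(f.sub_ip, f.dst_port)]
        q.append((f.ts, f.dst_ip))
        while q and f.ts - q[0][0] > self.window:
            q.popleft()
        if len({d for _, d in q}) > self.fanout_limit:       # one host, many destinations
            return "spam-zombie" if f.dst_port == 25 else "worm"
        r = self.rate[(f.sub_ip, f.dst_ip)]
        r.append(f.ts)
        while r and f.ts - r[0] > self.window:
            r.popleft()
        if len(r) > self.rate_limit:                          # one host, one target, high rate
            return "dos"
        return None

    def process(self, f):
        if f.sub_ip in self.quarantined:     # quarantined: only the help portal is reachable
            self.actions.append(("redirect-to-portal" if f.dst_port == 80 else "drop", f.sub_ip))
            return None
        threat = self._signature(f) or self._anomaly(f)
        if threat is None:
            return None
        action, quarantine = POLICY[threat]
        if (f.sub_ip, threat) not in self.flagged:            # Identify: alert SP operations once
            self.flagged.add((f.sub_ip, threat))
            self.alerts.append((f.ts, f.sub_ip, threat))
        self.actions.append((action, f.sub_ip, f.dst_port))    # Protect: act per policy
        if quarantine and f.sub_ip not in self.quarantined:    # Notify: quarantine + message
            self.quarantined.add(f.sub_ip)
            self.notices.append(notice(f.sub_ip, threat))
        return threat


def constructed_flows():
    """Constructed traffic: a normal browser, a spam zombie, a worm probe and a DoS source."""
    flows = [Flow(t, "10.0.0.5", "198.51.100.%d" % (t % 3 + 1), 80) for t in range(0, 30)]
    flows += [Flow(t, "10.0.0.7", "203.0.113.%d" % (t + 1), 25) for t in range(0, 30)]  # 30 MTAs
    flows += [Flow(5.0, "10.0.0.9", "192.0.2.40", 445, b"EXAMPLE-WORM-PROBE\x00")]
    flows += [Flow(10 + i / 100.0, "10.0.0.11", "192.0.2.53", 53) for i in range(250)]
    return sorted(flows, key=lambda f: f.ts)


def run(flows=None):
    """Feed flows through the engine and return it for inspection of alerts/actions/notices."""
    engine = ServiceSecurity()
    for f in flows if flows is not None else constructed_flows():
        engine.process(f)
    return engine
```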
Service Security Protection: Value to the Service Provider
• Reduce administrative costs during outbreaks
• Limit subscriber infection to reduce call center load
• Increase customer loyalty and reduce churn
• Upsell opportunity for security add-on services
• Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1, SCE, VAS server, Carrier Ethernet/MPLS/IP network and the Internet; inbound and outbound traffic, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies that the subscriber's traffic flows match the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
• Typical insertion point - broadband edge/aggregation
  • Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
  • Aggregation point further down the network edge
• Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
• Traffic visibility (the engine must see all traffic it needs to control)
• Network interfaces
• Split-flow
• Network redundancy
• IP tunneling environment
[Diagram: SCE placed between subscribers and the network]
Insertion Concept: SCE is a "Bump-on-a-Wire"
• Stateful analysis engine with application awareness sees all packets in both directions
• The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
• Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: analysis engine applying PDR (police, drop, rewrite) actions in the data path]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
• Using optical splitters / port SPAN
• Traffic monitoring only
Inline configuration:
• Engine installed in the data path
• Monitor and control traffic
[Diagram: receive-only SCE fed by optical splitters between subscribers and the network]
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
Dynamic Personalized Services: Enhanced Quality of Experience
Industry's first subscriber- and/or application-driven solution
"Pull": the enhanced experience is subscriber-driven (Turbo Button, self-care, parental control)
"Push": the enhanced experience is application-driven (application awareness over the control bus)
[Figure: services attached to the control bus: IPTV/VoD, broadband access, gaming, messaging, music, voice]

Service Creation: SCE's Rich Service Creation Environment
Personalized subscription service examples:
Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
Copyright Infringement: validate that distributed content does not infringe copyrights
Advertisement Insertion: perform local advertisement insertions
Security Services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber
Rich service-creation environment:
Application-based control on a per-subscriber basis
Integrates with the AAA policy server to deliver a personalized broadband experience

Self-Subscription Service via Personalized Web Portal
Enable zero-touch provisioning for full self-service account setup
Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
Simplifies the end-user experience
Personalize per user, including self-subscription and account refresh (e.g. new consumer service activation)
[Figure: personalization via self-selection portal screenshot]

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it
[Figure: Turbo Button portal screenshot]

Personalized Services: Self-Provisioned
Quota management
Turbo (bandwidth on demand)
Application prioritization
Reporting/monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of web sites and imposing time limits on online access
[Figure: Parental Controls and Content Filtering portal screenshot]

Example Content Tiering: "Kids Broadband"
Application- and content-based access control with white-lists and black-lists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits:
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
[Figure: block page shown to the subscriber: "Content Blocked. Click here to unlock all Internet sites", with the Internet behind it]

URL Filtering with External DB
Enhance SCE URL classification with external-party databases
External database size is not constrained by the SCE
SCE on-board cache reduces transactions to the external database
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
[Figure: on-device URL filtering with external database integration: on a URL not in cache, the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated]
Policy matrix (action by subscriber package and HTTP URL list):

Subscriber Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64kbps

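The slide describes a classification cache sitting in front of an external URL database and a package-by-list policy matrix. The following is an added example, written for this page and not Cisco's or Websense's code, of how those two pieces fit together: the external database, the cache size, the list IDs and the host names are all constructed for the example. It shows the practitioner-relevant behaviour the slide only implies: a cache hit avoids a database round trip, a full cache evicts the least recently used entry, a URL with no parsable host is treated as unlisted rather than causing an error, and an unknown package is rejected rather than silently allowed.

```python
"""Added example (not Cisco's code): on-device URL filtering with an on-board
classification cache in front of an external URL database, applying the
package-by-list policy matrix shown on the slide."""
from urllib.parse import urlsplit

# Policy matrix as on the slide: package -> {URL list id -> action}.
# "DEFAULT" is the classification of a URL that is on no list.
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", 1: "ALLOW", 2: "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", 1: "BLOCK", 2: "RATE 64kbps"},
}


class ExternalUrlDb:
    """Stand-in for the 3rd-party URL database (constructed sample entries)."""

    def __init__(self, entries):
        self._entries = dict(entries)   # host -> list id
        self.queries = 0                # number of "URL Query RDR" round trips

    def classify(self, host):
        self.queries += 1
        return self._entries.get(host, "DEFAULT")


class UrlFilter:
    """Classifies URLs through a small LRU cache; only misses reach the database."""

    def __init__(self, db, cache_size=1024):
        self.db = db
        self.cache = {}                 # host -> list id, insertion order = recency
        self.cache_size = cache_size

    @staticmethod
    def _host(url):
        # urlsplit lower-cases the host; it returns None when there is no netloc
        return urlsplit(url).hostname or ""

    def classify(self, url):
        host = self._host(url)
        if not host:
            return "DEFAULT"            # nothing to look up: treat as unlisted
        if host in self.cache:
            self.cache[host] = self.cache.pop(host)   # refresh recency on a hit
            return self.cache[host]
        list_id = self.db.classify(host)              # miss: query the external DB
        if len(self.cache) >= self.cache_size:
            self.cache.pop(next(iter(self.cache)))    # evict least recently used
        self.cache[host] = list_id                    # cache-lookup update
        return list_id

    def decide(self, package, url):
        """Return the action for this subscriber package and URL."""
        if package not in POLICY:
            raise ValueError("unknown subscriber package %r" % package)
        return POLICY[package][self.classify(url)]
```

The cache is keyed on the host only, which is what makes it effective: every page and asset under a listed host resolves from the on-board cache after the first query, which is the transaction reduction the slide claims.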
Parental Control and Content Filtering: Example
[Figure: content filtering block page: "Page Blocked. Forbidden Content Detected"]
Subscriber-managed parental control
Basic web site black-listing provided free of charge
Comprehensive filtering and security for a small monthly subscription

SPs Participating in the Advertising Value Chain
Leveraging their intimacy with their customer base to enable enhanced targeting
[Figure: advertising value chain (advertiser, publisher, consumer) with the ISP contributing demographics, browsing habits and geo-location to BetterAds]

BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, cable, mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream information in RDR records, and anonymizing the subscriber details in those RDR records
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)

P2P Identification: Infringing / Non-Infringing
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material

Traffic Diversion to OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
[Figure: SCE redirects OTT traffic (OTT, other OTT/P2P, VoIP) to the OTT video cache; the cache delivers the requested files]
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
[Figure: Service Control between subscribers, e-mail servers and the Internet; sample notification sent to a quarantined subscriber:]
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an e-mail zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

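The three tiers above (identify, protect, notify) are described in words only. The following added example, written for this page rather than taken from Cisco's product, runs the same idea over constructed per-subscriber flow records: fan-out counters (many distinct SMTP servers, many distinct hosts on one port) stand in for the anomaly detection, a placeholder byte pattern stands in for signature matching, and a small policy table maps each threat class to the protect and notify actions. The thresholds, the signature pattern, the addresses and the policy table are all assumptions made for the example, not SCE defaults.

```python
"""Added example (not Cisco's code): identify / protect / notify over constructed
subscriber flow records, combining fan-out anomaly detection with a simple
signature match, in the spirit of the three-tier approach on the slide."""
from collections import defaultdict


def _fanout(sub, net, port, n, payload):
    """Constructed flows from one subscriber to n distinct hosts on one port."""
    return [(sub, "%s.%d" % (net, i), port, "tcp", payload) for i in range(1, n + 1)]


# Constructed sample: (subscriber_ip, dst_ip, dst_port, proto, payload_prefix)
SAMPLE_FLOWS = (
    _fanout("10.0.0.5", "198.51.100", 25, 40, b"EHLO zombie")       # spam: 40 SMTP servers
    + _fanout("10.0.0.7", "203.0.113", 445, 30, b"\x00\x00\x00")   # worm-like scan on 445
    + [("10.0.0.6", "203.0.113.1", 443, "tcp", b"\x16\x03\x01"),   # ordinary TLS
       ("10.0.0.6", "198.51.100.1", 25, "tcp", b"EHLO laptop"),    # one SMTP flow is normal
       ("10.0.0.8", "203.0.113.2", 80, "tcp", b"WORMSIG-TEST")]    # hits the placeholder signature
)

# Thresholds and the signature are constructed for the example, not SCE defaults.
SMTP_SERVER_FANOUT = 20          # distinct SMTP servers contacted in the window
SCAN_HOST_FANOUT = 25            # distinct hosts contacted on a single port
SIGNATURES = {b"WORMSIG-TEST": "worm-propagation"}   # placeholder pattern -> threat name


def identify(flows):
    """Tier 1: per-subscriber stateful counters plus signature matches -> threats."""
    smtp_servers = defaultdict(set)                        # sub -> {smtp server}
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # sub -> port -> {host}
    threats = defaultdict(set)
    for sub, dst, port, proto, payload in flows:
        if proto == "tcp" and port == 25:
            smtp_servers[sub].add(dst)
        hosts_by_port[sub][port].add(dst)
        for pattern, name in SIGNATURES.items():
            if pattern in payload:
                threats[sub].add(name)
    for sub, servers in smtp_servers.items():
        if len(servers) >= SMTP_SERVER_FANOUT:
            threats[sub].add("spam")
    for sub, ports in hosts_by_port.items():
        for port, hosts in ports.items():
            if port != 25 and len(hosts) >= SCAN_HOST_FANOUT:   # SMTP fan-out is reported as spam
                threats[sub].add("scan:%d" % port)
    return {sub: sorted(names) for sub, names in threats.items()}


# Tiers 2 and 3: configured policy per threat class (constructed)
POLICY = {"spam": "block-smtp", "worm-propagation": "quarantine", "scan": "quarantine"}
MESSAGES = {
    "spam": "your PC may have become infected with an e-mail zombie generating spam mail",
    "worm-propagation": "your PC appears to be spreading a worm",
    "scan": "your PC is probing other hosts on the network",
}


def respond(threats):
    """Tier 2 (protect) and tier 3 (notify) for each identified subscriber."""
    result = {}
    for sub, names in threats.items():
        classes = sorted({name.split(":")[0] for name in names})
        actions = sorted({POLICY.get(cls, "alert-only") for cls in classes})
        notice = "Dear Valued Subscriber, " + "; ".join(MESSAGES[c] for c in classes if c in MESSAGES)
        result[sub] = {
            "alert": "subscriber %s: %s" % (sub, ", ".join(names)),   # to SP operations
            "actions": actions,                                        # enforced on the SCE
            "notification": notice,                                    # shown to the subscriber
        }
    return result
```

The single SMTP flow from 10.0.0.6 stays below the fan-out threshold, which is the point of counting distinct servers per subscriber rather than flagging SMTP traffic as such; a threshold that is too low would quarantine legitimate mail users and generate the call-center load the next slide wants to avoid.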
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1, Carrier Ethernet/MPLS/IP, SCE, VAS server and the Internet; inbound and outbound traffic shown, with an X marking blocked traffic]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a web site or peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: broadband edge/aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all the traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
[Figure: candidate insertion points in the network]

Insertion Concept: SCE Is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via a dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Figure: analysis engine applying PDR (police, drop, rewrite) actions to the packet stream]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration:
Engine installed in the data path
Monitor and control traffic
[Figure: receive-only deployment through optical splitters between subscribers and the network]

High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 active/standby failover
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs, one on each active link]

Redundant Configurations: Active/Standby Schemes
1+0:
Active/Standby SCE on the active link
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1:
Active/Standby SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
[Figure: active and standby links for the 1+0 and 1+1 schemes]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
[Figure: SCE8000 with optical bypass modules, showing the default bypass state (no power) and the non-default bypass state]

MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
[Figure: 7600 with N+1 SCEs: flows dispatched out, return flows back to the data path, then the Internet]

Network Architectures: SCE's Open and Extensible Architecture
[Figure: deployment options (N+1, 1+1 HA, bypass HA) between the access side (DSL/fiber via BRAS/LAC/LNS, mobile via GGSN) and the Internet, with accounting and policy control attached]

Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
[Figure: encapsulation stacks inspected: payload/TCP/IP over L2TP and MPLS, and payload/TCP/IP over PPP]

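The slide lists the encapsulations an inspection engine has to strip before it can see the subscriber's IP flow. The following added example, written for this page and not Cisco's implementation, walks a constructed Ethernet frame through 802.1Q tags, an MPLS label stack (bottom-of-stack bit), and IP-in-IP to reach the inner IPv4 header and TCP ports, recording the layers it passed. The frame builder, addresses, labels and the MPLS "next header is IPv4 if the first nibble is 4" heuristic are assumptions of the example; L2TP/PPP, GRE and GTP are not handled here.

```python
"""Added example (not Cisco's code): strip 802.1Q / MPLS / IP-in-IP encapsulation
from a constructed Ethernet frame to reach the inner IPv4 5-tuple."""
import struct

ETH_VLAN = (0x8100, 0x88A8)        # 802.1Q and 802.1ad (QinQ) tag ethertypes
ETH_MPLS = (0x8847, 0x8848)        # MPLS unicast / multicast
ETH_IPV4 = 0x0800
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def parse_ipv4(data, layers):
    """Walk an IPv4 packet, following IP-in-IP until a transport header is reached."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    proto = data[9]
    src = ".".join(str(b) for b in data[12:16])
    dst = ".".join(str(b) for b in data[16:20])
    if proto == IPPROTO_IPIP:
        layers.append("ipip")
        return parse_ipv4(data[ihl:], layers)
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(data) >= ihl + 4:
        sport, dport = struct.unpack("!HH", data[ihl:ihl + 4])
    return {"layers": layers, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "dscp": data[1] >> 2}


def parse_frame(frame):
    """Strip Ethernet, any number of VLAN tags and an MPLS label stack, then parse IPv4."""
    layers = []
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while ethertype in ETH_VLAN:                       # each tag: 2-byte TCI + next ethertype
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        layers.append("vlan %d" % (tci & 0x0FFF))
        off += 4
    if ethertype in ETH_MPLS:
        while True:                                    # label stack entries until S bit set
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            layers.append("mpls %d" % (entry >> 12))
            off += 4
            if entry & 0x100:                          # bottom of stack
                break
        # MPLS carries no next-protocol field: assume IPv4 when the next nibble is 4
        if frame[off] >> 4 != 4:
            raise ValueError("non-IPv4 payload under MPLS (e.g. control word) not handled")
    elif ethertype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    return parse_ipv4(frame[off:], layers)


# ---- constructed sample frames ------------------------------------------------
def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_header(src, dst, proto, payload_len):
    # Constructed header (ihl=5); checksum left zero, the parser does not verify it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, _ip(src), _ip(dst))


def build_sample_frame():
    """Ethernet / 802.1Q vid 100 / MPLS label 16 / IPv4 / IP-in-IP / IPv4 / TCP port 80."""
    tcp = struct.pack("!HH", 40000, 80) + b"GET / HTTP/1.1\r\n"   # only the port fields are modelled
    inner = ipv4_header("10.0.0.5", "203.0.113.9", IPPROTO_TCP, len(tcp)) + tcp
    outer = ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_IPIP, len(inner)) + inner
    mpls = struct.pack("!I", (16 << 12) | (1 << 8) | 64)            # label 16, exp 0, S=1, TTL 64
    vlan = struct.pack("!HH", 100, 0x8847)                          # TCI (prio 0, VID 100), then MPLS
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x8100)
    return eth + vlan + mpls + outer


def build_plain_frame():
    """Untagged Ethernet / IPv4 / TCP port 443 for comparison."""
    tcp = struct.pack("!HH", 50000, 443) + b"\x16\x03\x01"
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4)
    return eth + ipv4_header("10.0.0.6", "203.0.113.1", IPPROTO_TCP, len(tcp)) + tcp
```

The `layers` list is what a deployment engineer wants when checking the "traffic visibility" issue from the insertion-point slide: if the engine stops at an encapsulation it does not understand, every subscriber behind that tunnel is invisible to policy.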
Management and Integration

What Does an SCE Solution Look Like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Figure: Service Control Engine between subscribers and the network, with the Subscriber Manager (AAA, DHCP, RADIUS), the Collection Manager (billing, reporting tool), the Engage Console, the policy server/portal and the service portal around it]

Management and Integrations

Area                          Description                                              Protocols and Tools         External Software Modules
Network Management            FCAPS                                                    SNMP, CLI, SSH              N/A
Policy/Service Configuration  Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML  Service Control Application Suite GUI
Subscriber Management         Dynamic management of subscriber contexts                SM API, RADIUS              Subscriber Manager
Data Collection               Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol    Collection Manager

Network Management (FCAPS)
SNMP (v2):
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
Telnet/SSH
Cisco look and feel
CLI configuration wizard

Management: Network Navigator, a Single Interface to Manage All Solution Components
Group devices into sites (SCE, CM, SM, database)
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
Customer-defined signatures
GUI-based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context-sensitive
Drill down between reports and configuration
[Figure: interactive real-time report; click on a top subscriber to activate the subscriber view]

Service Security Dashboard
Integrated console to manage the service security functionality:
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager: Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration: Push
[Figure: B-RAS, RADIUS server, Cisco Subscriber Manager (RADIUS listener, Event Manager, Internal SDB, SCE device controller), SCE and subscribers; message sequence:]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12): the login is pushed to the SCE device serving the subscriber

Subscriber Manager RADIUS Integration: Pull
[Figure: same components as in the push case; message sequence:]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12): the SM answers with the mapping

RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings

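The four slides above (SM roles, RADIUS push, RADIUS pull, LEG translation) describe one mechanism from different angles. The following added example, written for this page and not Cisco's SM or SCE code, models it end to end: a RADIUS accounting LEG translates Accounting Start/Stop into login and logout, the SM keeps the Network-ID to subscriber-context mapping and persists the package ID across logins, and an SCE learns mappings either by push or by asking the SM on first sight of an unknown IP. The class names, the `SCE-VAS-PID` attribute key, the default package ID and the "Joe / 1.2.3.4 / 12" values follow the slides where they exist and are otherwise assumptions. One behaviour the slides do not spell out but a deployment must get right is included: when an IP address is reassigned before the previous Accounting Stop arrived, the stale mapping is evicted from every SCE in both modes, otherwise the new user's traffic is enforced under the old user's package.

```python
"""Added example (not Cisco's code): a simplified Subscriber Manager with a RADIUS
accounting LEG, and an SCE that learns IP -> subscriber mappings by push or pull."""
from dataclasses import dataclass

DEFAULT_PACKAGE = 1                  # constructed default package ID for unknown subscribers


@dataclass
class SubscriberContext:
    subscriber_id: str               # Subscriber-ID
    network_ids: set                 # Network-IDs: IP addresses mapped to this context
    package_id: int                  # Policy-ID (package)


class SCE:
    """Enforcement device: knows only the contexts it was told about (push) or asked for (pull)."""

    def __init__(self, sm=None):
        self.contexts = {}           # ip -> SubscriberContext
        self.sm = sm                 # set when operating in pull mode

    def login(self, ctx):
        for ip in ctx.network_ids:
            self.contexts[ip] = ctx

    def logout(self, ip):
        self.contexts.pop(ip, None)

    def lookup(self, ip):
        """Resolve traffic from `ip` to a context; in pull mode ask the SM on a miss."""
        ctx = self.contexts.get(ip)
        if ctx is None and self.sm is not None:        # "Who is using IP x?"
            ctx = self.sm.who_is(ip)
            if ctx is not None:
                self.login(ctx)                        # cache the answer
        return ctx


class SubscriberManager:
    def __init__(self, mode="push"):
        if mode not in ("push", "pull"):
            raise ValueError("mode must be 'push' or 'pull'")
        self.mode = mode
        self.sdb = {}                # internal SDB: subscriber_id -> SubscriberContext
        self.by_ip = {}              # network_id -> subscriber_id
        self.persisted = {}          # subscriber_id -> package_id, kept across logins
        self.sces = []

    def attach(self, sce):
        self.sces.append(sce)

    def who_is(self, ip):
        sid = self.by_ip.get(ip)
        return self.sdb.get(sid) if sid is not None else None

    def set_subscriber(self, sid, ip, package_id):
        """SM-API Set Subscriber (sid, ip, package)."""
        self._evict(ip)              # an IP still mapped to someone else is stale: drop it first
        ctx = self.sdb.get(sid)
        if ctx is None:
            ctx = SubscriberContext(sid, set(), package_id)
            self.sdb[sid] = ctx
        ctx.package_id = package_id
        ctx.network_ids.add(ip)
        self.by_ip[ip] = sid
        self.persisted[sid] = package_id
        if self.mode == "push":
            for sce in self.sces:
                sce.login(ctx)
        return ctx

    def _evict(self, ip):
        sid = self.by_ip.pop(ip, None)
        if sid is None:
            return
        ctx = self.sdb[sid]
        ctx.network_ids.discard(ip)
        if not ctx.network_ids:
            del self.sdb[sid]        # context gone; its package stays in self.persisted
        for sce in self.sces:        # in both modes every SCE must forget the stale IP
            sce.logout(ip)

    def radius_acct(self, attrs):
        """RADIUS Listener LEG: translate an Accounting-Request into login / logout."""
        status, user, ip = attrs["Acct-Status-Type"], attrs["User-Name"], attrs["Framed-IP-Address"]
        if status == "Start":
            pid = attrs.get("SCE-VAS-PID")                   # vendor-specific package attribute
            package = int(pid) if pid is not None else self.persisted.get(user, DEFAULT_PACKAGE)
            return self.set_subscriber(user, ip, package)
        if status == "Stop":
            self._evict(ip)
            return None
        raise ValueError("unsupported Acct-Status-Type %r" % status)
```

Pull mode keeps the SCE's table small and the login path cheap, at the cost of a query on the first packet of every new address; push mode front-loads that work at login time. Either way the accounting stream is the source of truth, so a lost Accounting Stop must not be able to pin an address to the wrong subscriber, which is what the eviction in `set_subscriber` guards against.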
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning
NetFlow v9: allows integration for billing/quota provisioning

Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: SCE, API, Subscriber Manager, API, Policy Server]

PCEF: Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
[Figure: GGSN (access aggregation and service control), converged packet core, PCEF SCE (subscriber service control), Internet; applications and services including video/VoIP]

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Figure: RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 ... Field n]

Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Figure: SCMS Collection Manager with the SCMS Reporter alongside a NetFlow Collector with the NetFlow Reporter]

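NetFlow v9 is template-based: a collector cannot decode a data FlowSet until it has received the template that describes it from the same exporter. The following added example, written for this page and not Cisco's collector or exporter code, builds a constructed export packet (standard RFC 3954 field types only, since the L7 extension field types are not given on the slide) and parses it, keeping templates per `(source_id, template_id)` and reporting data it cannot yet decode instead of guessing. The addresses, ports, byte counts, timestamps and the template ID 256 are constructed values.

```python
"""Added example (not Cisco's code): build and parse a NetFlow v9 export packet
with a template FlowSet and a data FlowSet (RFC 3954 layout)."""
import struct

# RFC 3954 field type numbers used here
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_FIELDS = {8, 12}


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(pkt, templates):
    """Parse one export packet. `templates` maps (source_id, template_id) -> [(type, len)]
    and is updated in place: data FlowSets decode only once their template has been seen
    from the same source. Returns the decoded records (plus markers for undecodable ones)."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, off = [], 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, off))
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:                                    # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template %d" % tid)
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                                # Data FlowSet
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if not fields or rec_len == 0:
                records.append({"_undecodable": fs_id})   # template not (yet) known
            else:
                p = 0
                while p + rec_len <= len(body):           # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = _decode(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are skipped in this example
        off += fs_len
    return records


def build_sample_export(with_template=True):
    """Constructed packet: template 256 = (src addr, dst addr, src port, dst port, bytes)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = bytes([10, 0, 0, 5]) + bytes([203, 0, 113, 9]) + struct.pack("!HHI", 40000, 80, 1500)
    data_fs = struct.pack("!HH", 256, 4 + len(rec)) + rec
    flowsets = (tmpl_fs if with_template else b"") + data_fs
    count = (1 if with_template else 0) + 1
    header = struct.pack("!HHIIII", 9, count, 1000, 1246000000, 1, 7)   # source_id 7
    return header + flowsets
```

Keying templates by exporter source ID matters once several SCEs export to one collector: template 256 from one device need not have the same layout as template 256 from another, and mixing them up silently produces wrong usage figures for billing.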
Collection Manager: Software Overview
CM-Software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle:
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (upstream / downstream)
[Figure: upstream and downstream flows (browsing, P2P, VoIP) between the subscriber side and the network side]

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

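The two slides above cover both directions of the same field: writing DSCP after classification, and reading DSCP as a classification input that outranks signatures. The following added example, written for this page and not Cisco's implementation, does both on a constructed IPv4 packet: it rewrites the six DSCP bits while preserving the two ECN bits and recomputes the header checksum, applies a marking table keyed on (package, service, direction), and classifies with DSCP taking precedence over a byte-pattern signature. The marking table, the DSCP "flavor" values, the signatures and the choice to trust DSCP only on the network-side (downstream) direction are assumptions of the example; that last choice is the caveat behind the slide's "set by another element" assumption, since a subscriber host can set any DSCP it likes on its own packets.

```python
"""Added example (not Cisco's code): DSCP marking with checksum update, and
DSCP-first classification with a trust boundary on direction."""
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when the header already carries a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, dscp=0):
    """Constructed sample IPv4 packet (ihl=5, no options) with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0x4000, 64,
                                proto, 0, bytes(int(o) for o in src.split(".")),
                                bytes(int(o) for o in dst.split("."))))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def get_dscp(packet):
    return packet[1] >> 2


def set_dscp(packet, dscp):
    """Return a copy of the packet with the DSCP rewritten (ECN bits kept) and the checksum fixed."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)          # keep the two ECN bits
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


# Marking table (constructed): (package, service, direction) -> DSCP
MARKING = {
    ("Gold", "VoIP", "upstream"): 46,        # EF
    ("Gold", "VoIP", "downstream"): 46,
    ("Gold", "Browsing", "downstream"): 18,  # AF21
    ("Silver", "P2P", "upstream"): 8,        # CS1 (scavenger)
}


def mark(packet, package, service, direction):
    """Mark per package / service / direction; packets with no rule pass unchanged."""
    dscp = MARKING.get((package, service, direction))
    return set_dscp(packet, dscp) if dscp is not None else packet


# Classification: DSCP flavors first, then signatures (constructed values)
DSCP_FLAVORS = {46: "VoIP", 8: "Scavenger"}
SIGNATURES = [(b"GET ", "Browsing"), (b"\x13BitTorrent protocol", "P2P")]
TRUSTED_DIRECTIONS = {"downstream"}          # only trust marks set on the network side


def classify(packet, direction):
    """DSCP takes precedence over signatures, but only where the mark is trusted."""
    if direction in TRUSTED_DIRECTIONS and get_dscp(packet) in DSCP_FLAVORS:
        return DSCP_FLAVORS[get_dscp(packet)]
    ihl = (packet[0] & 0x0F) * 4
    l4_and_payload = packet[ihl:]              # L4 header + payload; pattern search only
    for pattern, service in SIGNATURES:
        if pattern in l4_and_payload:
            return service
    return "Default"
```

Marking and classification are deliberately separate functions, matching the slide's point that marking is decoupled from queuing: the SCE sets the bits, and whatever sits downstream acts on them.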
Summary

Cisco SCE Sample Customers
[Figure: customer logos grouped by access type: Mobile, DSL, Cable]

Sample Customers and Partners by Solution Area
[Figure: matrix of solution areas with partner and customer logos]
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners named: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China, local Italy
Customers named: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

[Figure: second matrix of solution areas with partner and customer logos]
Solution areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Partners named: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Customers named: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet

copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
Service Creation: SCE's Rich Service Creation Environment

Personalized Subscription Service Examples
• Parental Controls and Content Filtering: set Internet controls for children, including blocking access and imposing time limits on online use
• Bandwidth-On-Demand (Turbo Button): a turbo button to boost bandwidth for a set or undetermined period of time, or for the life of a specific application
• Allowance-Based Subscription Services: choose volume- or time-based quotas for a set period of time, also referred to as prepaid service
• Copyright Infringement: validate that distributed content does not infringe copyrights
• Advertisement Insertion: perform local advertisement insertions
• Security Services: network-based security services to protect subscribers from attacks, or to mitigate risks associated with attacks emanating from the subscriber

Rich Service-Creation Environment
• Application-based control on a per-subscriber basis
• Integrates with the AAA / policy server to deliver a personalized broadband experience
Self-Subscription Service via Personalized Web Portal
• Enable zero-touch provisioning for full self-service account setup
• Enable customers to self-select and modify services and features

Personalized Subscriber Management: Self-Service Selection Example
• Simplifies the end-user experience
• Personalizes per user, including self-subscription and account refresh (e.g. new consumer service activation)
Personalization via Self-Selection

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click on a Turbo Button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Turbo Button

Personalized Services: Self-Provisioned
• Quota Management
• Turbo (Bandwidth on Demand)
• Application Prioritization
• Reporting / Monitoring

Personalized Reporting: Self-Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access.
Parental Controls and Content Filtering
Example Content Tiering: "Kids Broadband"
• Application- and content-based access control with white-lists and blacklists
• Limits access to pre-defined web sites
• Limits access to pre-approved applications
• HTTP redirect to portal
• Real-time policy change
Benefits
• Customer loyalty and stickiness
• Revenue opportunity through content-provider partnership
(Figure: portal page shown to the subscriber, "Content Blocked – Click here to unlock all Internet sites", with the Internet beyond the SCE)
URL Filtering with External DB
• Enhance SCE URL classification with external-party databases
• External database size is not constrained by the SCE
• SCE on-board cache reduces transactions to the external DB
• Java-based API
• Can be used with commercial parental-control systems or proprietary databases
• Current integration is with Websense & Adaptive Mobile
On-Device URL Filtering with External Database Integration
(Figure: on a cache miss ("URL not in cache") the SCE sends a URL Query RDR to the 3rd-party URL database, which returns the URL classification; the SCE then performs the cache lookup / update)
Policy matrix (subscriber package vs. HTTP list):
  Subscriber Package   HTTP DEFAULT   HTTP - List ID 1   HTTP - List ID 2
  Block-none           ALLOW          ALLOW              ALLOW
  Block-all            ALLOW          BLOCK              BLOCK
  Block-and-slow       ALLOW          BLOCK              RATE 64 kbps
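The cache-in-front-of-external-database flow and the policy matrix above, as an added worked example (not Cisco SCE code and not the Websense or Adaptive Mobile integration): the external database, its host list, the cache size and the fail-closed handling of an unknown package or list ID are constructed assumptions; the matrix itself is the one on the slide.

```python
"""Added example, not Cisco SCE code: an on-device URL classification cache in
front of an external URL database, feeding the per-package HTTP policy matrix
shown on the slide. The external database, its host list, the cache size and
the fail-closed handling of unknown packages/lists are constructed assumptions."""
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the third-party URL database: host -> list ID.
# Hosts that are absent are "unlisted" and fall into the DEFAULT column.
EXTERNAL_URL_DB: Dict[str, int] = {
    "gambling.example": 1,
    "adult.example": 1,
    "videos.example": 2,
}

# Policy matrix copied from the slide. Rows are subscriber packages, columns are
# the HTTP list the URL belongs to. RATE carries a kbps limit; ALLOW/BLOCK carry none.
Action = Tuple[str, Optional[int]]
POLICY: Dict[str, Dict[str, Action]] = {
    "Block-none":     {"DEFAULT": ("ALLOW", None), "1": ("ALLOW", None), "2": ("ALLOW", None)},
    "Block-all":      {"DEFAULT": ("ALLOW", None), "1": ("BLOCK", None), "2": ("BLOCK", None)},
    "Block-and-slow": {"DEFAULT": ("ALLOW", None), "1": ("BLOCK", None), "2": ("RATE", 64)},
}


def host_of(url: str) -> str:
    """Normalise a request URL (or bare host) to a lowercase host name."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


class UrlClassifier:
    """LRU cache of host -> list ID; the external DB is consulted only on a miss
    (the slide's "URL Query RDR"). Negative answers (unlisted) are cached too,
    otherwise every unlisted host would cost a remote query."""

    def __init__(self, capacity: int = 1000) -> None:
        self.capacity = capacity
        self.cache: "OrderedDict[str, Optional[int]]" = OrderedDict()
        self.db_queries = 0

    def classify(self, url: str) -> Optional[int]:
        host = host_of(url)
        if host in self.cache:
            self.cache.move_to_end(host)        # hit: refresh LRU position
            return self.cache[host]
        self.db_queries += 1                    # miss: query the external database
        list_id = EXTERNAL_URL_DB.get(host)
        self.cache[host] = list_id              # cache-lookup update
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)      # evict the least recently used host
        return list_id


def decide(classifier: UrlClassifier, package: str, url: str) -> Action:
    """Look up the slide's matrix for (package, list). An unknown package or list ID
    is a configuration error and is treated as BLOCK (assumption, not from the slide)."""
    list_id = classifier.classify(url)
    column = "DEFAULT" if list_id is None else str(list_id)
    return POLICY.get(package, {}).get(column, ("BLOCK", None))


def run_sample() -> Tuple[List[Action], int]:
    """Constructed request sequence; returns the decisions and the number of
    external DB queries actually made."""
    clf = UrlClassifier(capacity=100)
    requests = [
        ("Block-and-slow", "http://Videos.Example/watch?v=1"),
        ("Block-and-slow", "videos.example/watch?v=2"),   # second hit: served from cache
        ("Block-all", "https://gambling.example/"),
        ("Block-none", "https://news.example/"),          # unlisted -> DEFAULT column
        ("Block-all", "https://news.example/today"),      # cached negative result
    ]
    return [decide(clf, pkg, url) for pkg, url in requests], clf.db_queries


if __name__ == "__main__":
    print(run_sample())
```

Caching the negative answer is the point worth noticing: without it, every request to a host the database has never heard of becomes a round trip, which is exactly the transaction load the on-board cache exists to remove.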
Parental Control and Content Filtering: Example
(Figure: block page "Content Filtering – Page Blocked: Forbidden Content Detected")
• Subscriber-managed parental control
• Basic website blacklisting provided free of charge
• Comprehensive filtering and security for a small monthly subscription

BetterAds: SPs Participating in the Advertising Value Chain
(Figure: the ISP sits between advertiser, publisher and consumer, contributing demographics, browsing habits and geo-location)
• Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
• Initially focusing on behavioral targeting
• Next step would be to add demographic targeting
• Good for all access types: DSL, Cable, Mobile, WiFi
• Value-add on top of the SCE's product offering
• SPs participate in the advertising value chain
• Increase ARPU through a revenue-sharing model
• Addressing privacy concerns through advanced opt-in / opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
• Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
• Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDRs
• Enhanced HTTP redirect – additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles
   • Alice: automotive, stock trading, PDAs
   • Bob: cookware, online gaming, baby outfits…
Infringing / Non-Infringing P2P Identification
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification:
   – lets the request pass for a legal file
   – block / redirect / rate-limit for an infringing file
• Classifying P2P content into infringing / non-infringing
• Identifying and reporting infringing material per the SP's policy
• Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
• Using the information to de-prioritize or control infringing material
Traffic Diversion to OTT Video Service
• SCE analyzes and redirects OTT traffic to the caching server
• Cache delivers more bandwidth to end-users using existing network resources
• Cache relieves network peering load while improving QoE
Benefits
• Saves on peering bandwidth
• Clears network congestion
• Increases user satisfaction
(Figure: the SCE between subscribers and the Internet classifies OTT, other OTT / P2P and VoIP traffic; the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files)
• Increase in demand for OTT
• Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
• Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
• No mandatory security tools: end-users may not have any security protection
• End-users are not educated on security best practices
• New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
• Increased cost for the carrier from network management and downtime
• Subscriber churn and customer-support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
• DoS: DoS attacks from subscribers
• Spam: spam activity from botnets or malicious users
• Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
• Identify: identify the threat using stateful traffic processing and alert SP operations
• Protect: block / mitigate the threat based on configured policy
• Notify: quarantine the subscriber and notify them of the security risk
(Figure: Service Control between the subscribers, the e-mail servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
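The three tiers above, as an added worked example (not Cisco code and not the SCE's actual detection logic): a small anomaly detector run over constructed flow summaries, where a subscriber is flagged for SMTP or SMB fan-out to many distinct destinations inside a sliding window, then handed to the configured action and quarantine / notification step. The record format, thresholds, action table and notice text are assumptions for illustration.

```python
"""Added example, not Cisco code: the Identify / Protect / Notify tiers from the
slide as a small detector over constructed flow summaries. The record format,
the anomaly thresholds, the action table and the notification text are
assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, int]   # (timestamp_s, subscriber_ip, dst_ip, dst_port)

# Constructed flow summaries (what the SCE's stateful processing would hand over).
FLOWS: List[Flow] = (
    # 10.0.0.7: SMTP to 25 distinct hosts within 25 s -> spam zombie behaviour
    [(t, "10.0.0.7", f"203.0.113.{t}", 25) for t in range(1, 26)]
    # 10.0.0.9: port 445 to 60 distinct hosts within 60 s -> worm propagation attempt
    + [(t, "10.0.0.9", f"198.51.100.{t}", 445) for t in range(1, 61)]
    # 10.0.0.5: 20 SMTP sessions but all to the operator's single relay -> legitimate
    + [(t, "10.0.0.5", "192.0.2.25", 25) for t in range(0, 100, 5)]
    + [(t, "10.0.0.5", "192.0.2.1", 443) for t in range(0, 100, 10)]
)


@dataclass(frozen=True)
class Rule:
    threat: str
    dst_port: int
    distinct_dst: int   # anomaly threshold: distinct destinations seen...
    window_s: int       # ...inside a sliding window of this many seconds


# Assumed thresholds; a real deployment tunes these from baseline reports.
RULES = [Rule("spam", 25, 20, 60), Rule("worm", 445, 50, 60)]
# Protect tier: configured action per threat (assumed policy).
ACTIONS = {"spam": "rate-limit SMTP", "worm": "block port 445"}


def identify(flows: List[Flow], rules=RULES) -> Dict[str, Set[str]]:
    """Identify tier: per subscriber and rule, count distinct destinations inside
    a sliding window. Volume alone is not flagged; fan-out is."""
    hits: Dict[str, Set[str]] = {}
    for rule in rules:
        per_sub: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
        for ts, sub, dst, port in flows:
            if port == rule.dst_port:
                per_sub[sub].append((ts, dst))
        for sub, events in per_sub.items():
            events.sort()
            start = 0
            for end in range(len(events)):
                while events[end][0] - events[start][0] > rule.window_s:
                    start += 1              # slide the window forward
                if len({d for _, d in events[start:end + 1]}) >= rule.distinct_dst:
                    hits.setdefault(sub, set()).add(rule.threat)
                    break
    return hits


def notification(sub: str, threats: Set[str]) -> str:
    return (f"Subscriber {sub}: your PC may be infected ({', '.join(sorted(threats))}); "
            "it has been quarantined, please contact technical support.")


def respond(hits: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Protect + Notify tiers: apply the configured action, quarantine, and
    produce the subscriber notice."""
    return {
        sub: {
            "actions": sorted(ACTIONS[t] for t in threats),
            "quarantine": True,
            "notice": notification(sub, threats),
        }
        for sub, threats in hits.items()
    }


if __name__ == "__main__":
    for sub, r in respond(identify(FLOWS)).items():
        print(sub, r["actions"])
```

The rule keys on distinct destinations rather than on session count so that the subscriber who relays all mail through one operator relay is not mistaken for a zombie; that false-positive case is the one that generates call-center load if the Notify tier fires on it.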
Service Security Protection: Value to the Service Provider
• Reduce administrative costs during outbreaks
• Limit subscriber infection to reduce call-center load
• Increase customer loyalty and reduce churn
• Upsell opportunity for security add-on services
• Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
(Figure: User 1 – Carrier Ethernet / MPLS / IP – SCE – Internet, with the VAS server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine
Network Insertion and Configuration

Network Insertion Point
Typical insertion point: Broadband Edge / Aggregation
• Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
• Aggregation point further down the network edge
• Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
• Traffic visibility (the engine must see all traffic it needs to control)
• Network interfaces
• Split flows
• Network redundancy
• IP / tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
• Stateful Analysis Engine with application awareness sees all packets in both directions
• The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header-rewrite actions)
• Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
(Figure: the Analysis Engine applying PDR = Police / Drop / Rewrite actions on the wire)

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
• Using optical splitters / port SPAN
• Traffic monitoring only
Inline configuration
• Engine installed in the data path
• Monitor and control traffic
(Figure: subscribers – optical splitter – SCE – optical splitter – network)
High Availability: Cascading Configurations
• Addressing split flows between the two links
• Providing 1+1 Active-Standby failover
• Slave forwards all traffic to Master for processing
• Master updates Slave with subscriber policy state information
• Roles switch on failure of the Master
• The two SCEs must have an identical configuration
(Figure: Master and Slave SCEs cascaded, one on each active link)

Redundant Configurations: Active/Standby Schemes
1+0
• Active/Standby: SCE on the active link
• On failure, the network uses the alternate path
• No service redundancy
• Bypass config: fail open
1+1
• Active/Standby: SCE on each link
• On failure, the network uses the alternate path
• Standby SCE resumes service
• Bypass config: fail open
(Figure: active link with standby links)
Optical Bypass
• The SCE can be inserted through optical bypass modules
• For the SCE8000 the optical bypass modules are activated in the following cases:
  – In case of a major failure in the SCE SW or HW
  – Manually via CLI
  – On boot
(Figure: SCE8000 with an optical bypass module on each link pair, showing the default bypass state (no power) and the non-default bypass state)
MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30-Gbps SCE8000s
• High availability – provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept:
  – The 7600 dispatches the flows to a unique port served by an SCE
  – The SCE performs the DPI functionality and returns the packets to the original data path
  – All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
(Figure: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows out to the SCEs, return flows back into the data path)
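The subscriber-affinity requirement in the technical concept above, as an added worked example (not Cisco or Catalyst 7600 code, which dispatches by its own mechanism): flows are keyed on the subscriber-side IP so that both directions of every flow of one subscriber land on the same SCE, and rendezvous hashing over the healthy SCEs means that when one SCE in the N+1 cluster fails only the subscribers that were on it move. SCE names, the subscriber prefix and the flows are constructed.

```python
"""Added example, not Cisco or 7600 code: one way to dispatch flows so that every
flow of a subscriber (both directions) lands on the same SCE, and so that the
failure of one SCE in an N+1 cluster only moves that SCE's subscribers. It uses
rendezvous (highest-random-weight) hashing on the subscriber IP; the SCE names,
the subscriber prefix and the flows are constructed."""
import hashlib
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, int]   # (src_ip, dst_ip, src_port, dst_port)


def _weight(sce: str, subscriber_ip: str) -> int:
    digest = hashlib.sha256(f"{sce}|{subscriber_ip}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def pick_sce(subscriber_ip: str, healthy: Iterable[str]) -> str:
    """Rendezvous hash: among the healthy SCEs, the one with the highest weight for
    this subscriber wins. Removing one SCE only reassigns the subscribers that had
    chosen it; everyone else keeps their SCE (and the flow state held there)."""
    healthy = list(healthy)
    if not healthy:
        raise RuntimeError("no healthy SCE: traffic must take the bypass path")
    return max(healthy, key=lambda s: _weight(s, subscriber_ip))


def subscriber_of(flow: Flow, subscriber_net: ipaddress.IPv4Network) -> str:
    """The subscriber endpoint is whichever side lies in the subscriber prefix, so
    upstream and downstream packets of one flow hash to the same key."""
    src, dst = flow[0], flow[1]
    if ipaddress.ip_address(src) in subscriber_net:
        return src
    if ipaddress.ip_address(dst) in subscriber_net:
        return dst
    raise ValueError(f"flow {flow} has no subscriber-side endpoint")


def dispatch(flows: List[Flow], healthy: List[str], subscriber_prefix: str) -> Dict[Flow, str]:
    """Map every flow to the SCE that owns its subscriber."""
    net = ipaddress.ip_network(subscriber_prefix)
    return {f: pick_sce(subscriber_of(f, net), healthy) for f in flows}


def moved_subscribers(subscribers: Iterable[str], before: List[str], after: List[str]) -> Set[str]:
    """Subscribers whose SCE changes when the healthy set goes from `before` to `after`."""
    return {s for s in subscribers if pick_sce(s, before) != pick_sce(s, after)}


SCES = ["sce-1", "sce-2", "sce-3", "sce-4"]                           # 3+1 cluster, constructed names
SUBSCRIBERS = [f"10.1.{i // 256}.{i % 256}" for i in range(1, 501)]   # constructed subscriber IPs

if __name__ == "__main__":
    up = ("10.1.0.9", "198.51.100.7", 40000, 443)
    down = ("198.51.100.7", "10.1.0.9", 443, 40000)
    table = dispatch([up, down], SCES, "10.1.0.0/16")
    print("both directions ->", table[up], table[down])
    moved = moved_subscribers(SUBSCRIBERS, SCES, [s for s in SCES if s != "sce-2"])
    print(len(moved), "subscribers moved after sce-2 failed")
```

Hashing on the 5-tuple instead would spread one subscriber's flows across SCEs and lose the per-subscriber state the slide says the cluster must maintain; hashing on the subscriber with a plain modulo would reshuffle most subscribers on every membership change, which is why the rendezvous form is used here.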
Network Architectures: SCE's Open & Extensible Architecture
(Figure: DSL / fiber subscribers via BRAS / LAC / LNS and mobile subscribers via GGSN, with SCEs deployed in 1+1 HA, bypass HA and N+1 configurations toward the Internet, and accounting / policy control attached)

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
• VLAN 802.1q tagging
• MPLS traffic engineering
• L2TP tunneling
• IP-in-IP tunneling
• GRE & GTP planned for end of 2009
Packet inspection
(Figure: encapsulation stacks the SCE inspects through: Payload / TCP / IP / L2TP or MPLS; Payload / TCP / IP / L2TP or MPLS; Payload / TCP / IP / PPP)
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
(Figure: the Service Control Engine sits between subscribers and the network; around it are the Subscriber Manager (fed by AAA, DHCP and RADIUS), billing, the reporting tool, the Engage console, the service portal, the Collection Manager and the policy server / portal)

Management and Integrations
  Area                      | Network Management | Policy / Service Configuration                         | Subscriber Management                     | Data Collection
  Description               | FCAPS              | Definition of policies and dissemination to SE devices | Dynamic management of subscriber contexts | Collection of usage data for reporting and billing
  Protocols and tools       | SNMP, CLI, SSH     | SCA-API, GUI, scripts, XML                             | SM API, RADIUS                            | NetFlow v9, RDR protocol
  External software modules | N/A                | Service Control Application Suite GUI                  | Subscriber Manager                        | Collection Manager
Network Management (FCAPS)
SNMP (v2)
• MIB-II
• Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
• Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
• Telnet / SSH
• Cisco look and feel
• CLI configuration wizard

Management – Network Navigator: Single Interface to Manage All Solution Components
• Group devices into sites: SCE, CM, SM, database
• Batch management of devices / sites: apply configuration, update signatures, update software
• Common management operations: view device status, retrieve log, activate / bypass

Signature Editor
• Customer-defined signatures
• GUI based
• Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
• Integrated Java-based reporting tool
• Works with an Oracle, MySQL or Sybase CM backend
• Context sensitive
• Drill down between reports and configuration
• Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
• Integrated console to manage service security functionality
• View / load / edit signatures
• Configure identification thresholds
• Set up mitigation actions
• View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
• Subscriber-ID: ID of the subscriber context
• Network-ID: IP addresses used to map traffic to the context
• Policy-ID: ID of the policy (package) defining the rules
• Subscriber quotas: set / add / read usage quota buckets
Integration into back office / AAA:
• RADIUS AAA
• DHCP servers
• Policy control systems

Subscriber Manager – Roles
• Abstracts the SCE device network layout: a single point of integration
• Persists subscriber policies across logins
• Push and pull mode:
  – Push: login messages are sent directly to the relevant SCE device
  – Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration – Push
(Figure: subscribers – B-RAS – network; RADIUS from the B-RAS is relayed to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller), which pushes the mapping to the SCE)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager RADIUS Integration – Pull
(Figure: as above, but the SCE queries the SM when it sees traffic from an IP it does not know)
1. (RADIUS) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct-Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease-query LEG
Translation into SM operations:
• Login: subscriber ID, domain, mappings, lease time, policy
• Logout: subscriber ID, mappings
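The RADIUS side of the push and pull flows on the three slides above, as an added worked example (not Cisco Subscriber Manager or LEG code): a parser for RADIUS Accounting-Request packets that checks the framing and the Request Authenticator before trusting any attribute, and a toy Subscriber Manager that turns Acct-Start / Acct-Stop into the "Set Subscriber" / remove calls of push mode and answers the "who is using IP" query of pull mode. The packets and shared secret are constructed, and carrying the slide's SCE-VAS-PID=12 as a Cisco-AVPair string inside a Vendor-Specific attribute is this example's assumption, not the relay's actual encoding.

```python
"""Added example, not Cisco SM code: a RADIUS Accounting-Request parser (RFC 2866
framing) driving a toy Subscriber Manager that supports the push and pull modes
from the slides. The packets, the shared secret and the way the relay carries
SCE-VAS-PID (as a Cisco-AVPair string inside a Vendor-Specific attribute) are
constructed assumptions."""
import hashlib
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ACCOUNTING_REQUEST = 4
ACCT_START, ACCT_STOP = 1, 2
# Standard attribute types (RFC 2865 / RFC 2866).
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _attr(t: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def build_acct_request(user: str, ip: str, status: int, nas_id: str, secret: bytes,
                       avpair: Optional[str] = None, ident: int = 1) -> bytes:
    """Constructed Accounting-Request; the Request Authenticator is MD5 over the packet
    with a zeroed authenticator field followed by the shared secret (RFC 2866 section 3)."""
    attrs = (_attr(USER_NAME, user.encode()) +
             _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed) +
             _attr(NAS_IDENTIFIER, nas_id.encode()) +
             _attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    if avpair is not None:   # assumed encoding of the relay-added SCE-VAS-PID
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, avpair.encode())
        attrs += _attr(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_acct_request(pkt: bytes, secret: bytes) -> Dict[str, object]:
    """Validate framing and the Request Authenticator, then decode the attributes the
    Subscriber Manager needs. Anything malformed or unauthenticated is rejected, so a
    forged Acct-Start cannot re-map an IP to another subscriber's policy."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    if expected != pkt[4:20]:
        raise ValueError("bad Request Authenticator (wrong secret or tampered packet)")
    out: Dict[str, object] = {}
    pos = 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        v = pkt[pos + 2:pos + l]
        if t == USER_NAME:
            out["User-Name"] = v.decode()
        elif t == FRAMED_IP_ADDRESS:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(v))
        elif t == NAS_IDENTIFIER:
            out["NAS-Identifier"] = v.decode()
        elif t == ACCT_STATUS_TYPE:
            out["Acct-Status-Type"] = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            vt, vl = v[4], v[5]
            if vt == CISCO_AVPAIR and vl == len(v) - 4:
                key, _, val = v[6:].decode().partition("=")
                out[key] = val                      # e.g. SCE-VAS-PID=12 from the relay
        pos += l
    return out


class SubscriberManager:
    """Keeps the Network-ID (IP) -> (Subscriber-ID, Policy-ID) mapping."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.by_ip: Dict[str, Tuple[str, Optional[int]]] = {}

    def on_accounting(self, pkt: bytes) -> Tuple:
        """Push mode: a login / logout becomes the SM-API call sent to the SCE."""
        a = parse_acct_request(pkt, self.secret)
        user, ip = a["User-Name"], a["Framed-IP-Address"]
        if a.get("Acct-Status-Type") == ACCT_START:
            pid = int(a["SCE-VAS-PID"]) if "SCE-VAS-PID" in a else None
            self.by_ip[ip] = (user, pid)
            return ("Set Subscriber", user, ip, pid)
        if a.get("Acct-Status-Type") == ACCT_STOP:
            self.by_ip.pop(ip, None)
            return ("Remove Subscriber", user, ip)
        return ("Ignored", user, ip)

    def who_is_using(self, ip: str) -> Optional[Tuple[str, Optional[int]]]:
        """Pull mode: the SCE asks on the first packet from an IP it does not know."""
        return self.by_ip.get(ip)
```

The authenticator check is the part a sniffer-style LEG cannot do (it sees the packets but not necessarily the secret), which is one reason a listener / relay deployment where the SM is a RADIUS endpoint is the stronger trust boundary for the IP-to-policy mapping.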
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
• SCE API – allows direct subscriber management with the SCE (provided in Java)
• SM API – allows dynamic subscriber management (provided in C and Java)
• SCE MIB – allows integration for maintenance operations
• RDRs – allow integration for billing / quota provisioning
• NetFlow v9 – allows integration for billing / quota provisioning cases

Policy Servers Integration: Topology Example
• The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
• The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Figure: SCE – API – Subscriber Manager – API – Policy Server)
PCEF – Subscriber Policy Enforcement
(Figure: subscribers – GGSN (access aggregation and service control) – SCE acting as PCEF – converged packet core – Internet, with the video / VoIP applications and services and the PCRF policy server; numbered arrows mark the request / policy / enforcement sequence)
• SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
• Communication with the PCRF through a standard Gx interface
• The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
• SCE supports policy provisioning via the Gx interface over Diameter
• SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
• 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages; attributes supported include:
  – Called-Station-Id
  – 3GPP-SGSN-IP-Address
  – 3GPP-SGSN-MCC-MNC
  – 3GPP-GPRS-Negotiated-QoS-Profile
  – 3GPP-Charging-Characteristics
• The Gx interface is still under development and will be available in a future release
Collection Manager
• The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
• NetFlow v9 records are sent to an external NetFlow collector
• RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager, or a third-party database
• Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
• Usage data streamed from the device using the RDR protocol
• TCP, binary encoded
• Support for multiple destinations, failover, subscriptions
• RDR protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
(Figure: the RDR stream [RDR][RDR][RDR]… is carried over TCP to the mediation / collection platform; each RDR = Header | Field 0 | Field 1 | … | Field n)
Collection Manager: NetFlow v9 Export
• NetFlow export v9 to support L7 report records
• Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
• SCE supports the new extensions
• Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
• Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Figure: the SCE exports RDRs to the SCMS Collection Manager / SCMS Reporter and NetFlow v9 to a NetFlow collector / NetFlow reporter)

Collection Manager: Software Overview
CM software
• Unix (Solaris, Linux) Java software
• Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
• Template-driven reporting tool (100+ report templates)
CM bundle
• Cisco provides the collection software pre-packaged with a DB (Sybase)
• Template-driven reporting tool (100+ report templates)
ToS Marking
• ToS marking is decoupled from the queuing mechanism
• Provides a simplified GUI configuration based on 7 selective DSCP values
• Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  – per package
  – per service
  – per direction (aka upstream / downstream)
(Figure: subscriber side and network side of the SCE; upstream flows and downstream flows for Browsing, P2P and VoIP)

ToS Classification
• SCE provides traffic classification based on ToS bits
• ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
• The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
• DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
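The ToS byte handling behind the two slides above, as an added worked example (not Cisco SCE code and not its Flavor implementation): extracting DSCP, IP Precedence and ECN from an IPv4 header; re-marking a packet per package / service / direction while preserving ECN and recomputing the header checksum; and classifying with the DSCP taking precedence over a signature classifier exactly as the second slide states. The marking table, the DSCP-to-service map, the port-based stand-in for signatures and the packets are constructed; the DSCP code points used (EF = 46, AF11 = 10, CS1 = 8) are standard.

```python
"""Added example, not Cisco code: the ToS byte handling behind the two slides:
extracting DSCP / IP Precedence / ECN from an IPv4 header, re-marking a packet
with a new DSCP (keeping ECN, fixing the header checksum), and classifying with
the DSCP taking precedence over a signature (port-based) classifier. The marking
table, the DSCP-to-service map, the port signatures and the packets are constructed."""
import ipaddress
import struct
from typing import Callable, Dict, Optional, Tuple

# Constructed marking policy: (package, service, direction) -> DSCP. EF=46, AF11=10, CS1=8.
MARKING: Dict[Tuple[str, str, str], int] = {
    ("Gold", "VoIP", "upstream"): 46, ("Gold", "VoIP", "downstream"): 46,
    ("Gold", "Browsing", "upstream"): 10, ("Gold", "Browsing", "downstream"): 10,
    ("Gold", "P2P", "upstream"): 8, ("Gold", "P2P", "downstream"): 8,
}
# Constructed "flavor" map: DSCP already set by another network element -> service.
DSCP_SERVICES: Dict[int, str] = {46: "VoIP", 10: "Browsing", 8: "P2P"}


def parse_tos(tos: int) -> Tuple[int, int, int]:
    """ToS byte -> (DSCP, IP Precedence, ECN). Precedence is the top 3 bits of the DSCP."""
    return tos >> 2, tos >> 5, tos & 0x3


def build_tos(dscp: int, ecn: int = 0) -> int:
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; over a header whose checksum is valid it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mark_ipv4(packet: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP of an IPv4 packet, preserve ECN, and recompute the header checksum."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0xF) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = build_tos(dscp, hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def mark_for(packet: bytes, package: str, service: str, direction: str) -> bytes:
    """Apply the per-package / per-service / per-direction table; unmatched traffic is left alone."""
    dscp = MARKING.get((package, service, direction))
    return packet if dscp is None else mark_ipv4(packet, dscp)


def signature_classify(packet: bytes) -> Optional[str]:
    """Constructed stand-in for signature classification: TCP destination port only."""
    ihl = (packet[0] & 0xF) * 4
    if packet[9] != 6 or len(packet) < ihl + 4:
        return None
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return {80: "Browsing", 443: "Browsing", 5060: "VoIP", 6881: "P2P"}.get(dport)


def classify(packet: bytes, fallback: Callable[[bytes], Optional[str]] = signature_classify) -> Optional[str]:
    """DSCP-based classification wins when the DSCP is in the flavor map; otherwise fall
    back to signatures, as the slide describes."""
    dscp, _prec, _ecn = parse_tos(packet[1])
    return DSCP_SERVICES.get(dscp) or fallback(packet)


def build_ipv4_tcp(src: str, dst: str, dport: int, dscp: int = 0, sport: int = 40000) -> bytes:
    """Constructed minimal IPv4 + TCP SYN packet (TCP checksum left zero: not needed here)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, build_tos(dscp), 20 + len(tcp), 0x1234,
                                0x4000, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + tcp
```

Because DSCP wins over signatures, the second slide's assumption that an upstream element set the marking is also the trust assumption: a web flow arriving with EF already set is classified as VoIP here, which is the intended behaviour only when the marking element is one the operator controls.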
Summary

Cisco SCE Sample Customers
(Figure: customer logos grouped as Mobile, DSL and Cable)

Partner categories and deployments (names as listed on the slides)
• Security & Content Filtering
• Policy & Billing
• URL Black-listing
  NTT, Cable & Wireless, Tiscali
  Vodacom, Cable & Wireless, Watanya, NTT
  Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
  Aladdin, Websense, Adaptive Mobile
  Websense, in-platform cache
  ONO, YouSee, T-Mobile
  Vodafone, KDG
  Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
• Advertising
  Phorm, Feeva, Adzilla, local China, local Italy
  UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
• Flash Caching / Video
• Content Infringement
• Management / Reporting
• Data Warehousing
  Oversi, CDS
  Audible Magic, Advestigo, Altnet
  Proxy, Business Objectives, Comability, Aqsacom, InfoVista
  Business Objects, Oracle
  Various European and Asian operators
  European legislators
  Content providers, initial POCs
  Telecom Italia
  CYTA
  Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 62
Self-Subscription ServiceVia Personalized Web Portal
Enable Zero-Touch Provisioning for Full Self-Service Account Setup
Enable Customers to Self-Select and Modify Services and Features
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 63
Personalized Subscriber ManagementSelf Service Selection Example
Simplifies the end user experience
Personalize per user including self- subscription and account refresh eg new consumer service activation
Personalization via Self Selection
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 64
Bandwidth-On-DemandMeeting Subscriber Needs on Demand
Subscribers Who May Have a Standard Lower-Speed Internet Service May Visit a Web Page on the Providerlsquos Site and Click on a Turbo Button to Boost Their Bandwidth for a Set Period of Time or to Leave the Button Engaged Until They Return and Deselect It
Turbo Button
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 65
Personalized ServicesSelf Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
ReportingMonitoring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
Slide 76: Service Security Challenges
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New triple-play services increase the potential threat (e.g. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
- The SP needs the ability to identify and mitigate attacks emanating from its own users
Slide 77: Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: detect the threat using stateful traffic processing and alert SP operations
- Protect: block / mitigate the threat based on the configured policy
- Notify: quarantine the subscriber and notify them of the security risk
Diagram: subscribers, Service Control, Internet, e-mail servers. Sample notification:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
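The following is an added example of the identify / protect / notify tiers above, written by the editor; it is not Cisco SCE code and the slide does not describe the SCE's actual detectors. It keeps a sliding window of outbound connections per subscriber (keyed by Subscriber-ID rather than IP, so a re-login with a new address does not reset the counters), flags a spam zombie by SMTP connection rate and a propagating worm by destination fan-out on a single port, quarantines the subscriber on first detection and drops later flows until an operator releases it. The thresholds, port lists, flow-record layout and sample flows are constructed assumptions.

```python
"""Sliding-window anomaly detection per subscriber: spam zombie and worm fan-out.
Editor's example, not Cisco SCE code. Thresholds and record layout are assumed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # start time of the flow, seconds
    subscriber: str    # Subscriber-ID resolved through the SM mapping
    dst_ip: str
    dst_port: int      # TCP destination port (constructed records are TCP only)


@dataclass(frozen=True)
class Verdict:
    action: str        # "pass", "quarantine" (first detection) or "drop"
    subscriber: str
    reason: str = ""


class OutbreakDetector:
    """Per-subscriber thresholds over a sliding time window (assumed values)."""

    SMTP_PORTS = (25, 587)

    def __init__(self, window_s=60.0, max_smtp_conns=20, max_fanout=50):
        self.window_s = window_s
        self.max_smtp_conns = max_smtp_conns
        self.max_fanout = max_fanout
        # subscriber -> dst_port -> deque of (ts, dst_ip), oldest first
        self._seen = defaultdict(lambda: defaultdict(deque))
        self.quarantined = {}   # subscriber -> reason

    def _window(self, sub, port, now):
        """Drop entries older than the window and return the live deque."""
        dq = self._seen[sub][port]
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()
        return dq

    def observe(self, flow):
        sub = flow.subscriber
        if sub in self.quarantined:                      # Protect tier: already isolated
            return Verdict("drop", sub, self.quarantined[sub])

        dq = self._window(sub, flow.dst_port, flow.ts)
        dq.append((flow.ts, flow.dst_ip))

        reason = None
        if flow.dst_port in self.SMTP_PORTS:             # Identify tier, rule 1: spam zombie
            smtp = sum(len(self._window(sub, p, flow.ts)) for p in self.SMTP_PORTS)
            if smtp > self.max_smtp_conns:
                reason = f"{smtp} SMTP connections in {self.window_s:.0f}s (spam zombie)"
        if reason is None:                               # rule 2: worm scanning/propagation
            fanout = len({dst for _, dst in dq})
            if fanout > self.max_fanout:
                reason = (f"{fanout} distinct hosts on tcp/{flow.dst_port} "
                          f"in {self.window_s:.0f}s (worm propagation)")
        if reason is None:
            return Verdict("pass", sub)
        self.quarantined[sub] = reason                   # Notify tier triggers here
        return Verdict("quarantine", sub, reason)

    def release(self, sub):
        """Operator clears the quarantine after remediation."""
        self.quarantined.pop(sub, None)
        self._seen.pop(sub, None)


def notification(sub, reason):
    """Text for the Notify tier, modelled on the slide's sample message."""
    return (f"Dear subscriber {sub}: your PC may be infected "
            f"({reason}). Please contact technical assistance.")


def sample_flows():
    """Constructed sample input, not captured traffic: alice submits 3 mails via
    her provider's relay; bob's infected host sprays 25 MX hosts in 30 seconds."""
    flows = [Flow(1000 + i * 10, "alice", "198.51.100.25", 587) for i in range(3)]
    flows += [Flow(1000 + i * 1.2, "bob", f"203.0.113.{i + 1}", 25) for i in range(25)]
    return flows


def run(flows, **thresholds):
    """Feed flows in time order; returns the detector and one verdict per flow."""
    det = OutbreakDetector(**thresholds)
    verdicts = [det.observe(f) for f in sorted(flows, key=lambda f: f.ts)]
    return det, verdicts


if __name__ == "__main__":
    det, verdicts = run(sample_flows())
    for v in verdicts:
        if v.action == "quarantine":
            print(notification(v.subscriber, v.reason))
```

With the default thresholds, bob is quarantined on his 21st SMTP connection and his remaining four are dropped, while alice's three submissions pass; keying on the subscriber rather than the IP is what lets the quarantine survive a DHCP or PPP re-login.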
Slide 78: Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call-center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth
Slide 79: Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1, SCE, Carrier Ethernet / MPLS / IP, VAS server, Internet; inbound and outbound traffic; X marks traffic blocked.
1. Subscriber (User 1) attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches them to the Virus Protection Package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine
Slide 80: Network Insertion and Configuration
Slide 81: Network Insertion Point
Typical insertion point: broadband edge / aggregation
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- At an aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all the traffic it needs to control)
- Network interfaces
- Split flows
- Network redundancy
- IP tunneling environment
Slide 82: Insertion Concept: SCE is a "Bump on a Wire"
- Stateful analysis engine with application awareness; sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: Analysis Engine; PDR = Police / Drop / Rewrite actions
Slide 83: Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
Diagram: subscribers, optical splitters, network
Slide 84: High Availability: Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 active / standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, each on an active link
Slide 85: Redundant Configurations: Active / Standby Schemes
1+0:
- Active / standby network links; SCE on the active link only
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail open
1+1:
- Active / standby network links; an SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass configuration: fail open
Diagram: active link and standby links
Note that "fail open" means traffic keeps flowing but passes uninspected and unpoliced while an SCE is down or bypassed; the 1+1 scheme restores policy enforcement, the 1+0 scheme only restores connectivity.
Slide 86: Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - A major failure in the SCE software or hardware
  - Manually via CLI
  - On boot
Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state; port labels 1/0, 3/0, 0/0, 2/0
Slide 87: MGSCP Cluster Insertion: N+1 SCEs
- Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with eight 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability addressing all failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI function and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Diagram: N+1 SCEs behind the 7600; flows and return flows; Internet
Slide 88: Network Architectures: SCE's Open and Extensible Architecture
Diagram: N+1 cluster, 1+1 HA and bypass HA insertion options in front of the GGSN (mobile) and the BRAS / LAC / LNS (DSL, fiber), with accounting and policy control systems and the Internet
Slide 89: Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation and tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE and GTP planned for end of 2009
Diagram: example packet stacks, e.g. L2TP / MPLS / IP / TCP / payload and PPP / IP / TCP / payload
Slide 90: Management and Integration
Slide 91: What Does an SCE Solution Look Like?
- SCE sits at the access or aggregation layer
- Modular solution: includes SCE devices, management tools and integration APIs
Diagram: Service Control Engine between subscribers and the network; Subscriber Manager integrated with AAA, DHCP and RADIUS; Collection Manager feeding billing and the reporting tool; Engage console; service portal; policy server / portal
Slide 92: Management and Integrations
Function; description; protocols and tools; external software modules:
- Network management; FCAPS; SNMP, CLI, SSH; N/A
- Policy / service configuration; definition of policies and dissemination to SE devices; SCA API, GUI, scripts, XML; Service Control Application Suite GUI
- Subscriber management; dynamic management of subscriber contexts; SM API, RADIUS; Subscriber Manager
- Data collection; collection of usage data for reporting and billing; NetFlow v9, RDR protocol; Collection Manager
Slide 93: Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR link up / down, link status up / down
CLI:
- Telnet / SSH
- Cisco look and feel
- CLI configuration wizard
SNMPv2c community strings and Telnet sessions travel in cleartext, so management of the SCE should use SSH and be confined to a dedicated, access-controlled management network.
Slide 94: Management: Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites: SCE, CM, SM, database
- Batch management of devices / sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate / bypass
Slide 95: Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-header
Slide 96: Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate a real-time report for that subscriber
Slide 97: Service Security Dashboard
Integrated console to manage the service security functionality:
- View / load / edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Slide 98: Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions. It manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems
Slide 99: Subscriber Manager: Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull modes:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses
Slide 100: Subscriber Manager: RADIUS Integration, Push Mode
Diagram: B-RAS, RADIUS server, Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), SCE device, subscribers, network.
1. (RADIUS) B-RAS sends Accounting-Start: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting-Start is relayed to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM API) Set Subscriber (Joe, 1.2.3.4, 12) is pushed to the SCE device
Slide 101: Subscriber Manager: RADIUS Integration, Pull Mode
Diagram: as in push mode.
1. (RADIUS) B-RAS sends Accounting-Start: User-Name=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting-Start is relayed to the SM: User-Name=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "who is using IP 1.2.3.4?"
4. (SM API) Set Subscriber (Joe, 1.2.3.4, 12) is returned to the SCE device
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
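The following added example, written by the editor and not Cisco SM or LEG code, works through the push and pull exchanges and the LEG translation described on the preceding three slides. It parses a RADIUS Accounting-Request (RFC 2866), verifies the Request Authenticator against the shared secret before trusting the packet (an accounting message that is accepted unverified would let anyone who can reach the listener remap an IP to another subscriber's policy), extracts User-Name, NAS-Identifier, Framed-IP-Address and the package ID from a Vendor-Specific attribute, and then performs the SM operations: store the Network-ID to (Subscriber-ID, Policy-ID) mapping, record what push mode would send to the SCE, and answer a pull-mode "who is using IP" query. The vendor ID and the VSA sub-type carrying SCE-VAS-PID are assumptions, as are the shared secret and the NAS identifier; the page gives none of them.

```python
"""RADIUS Accounting-Start -> Subscriber Manager mapping (push and pull).
Editor's example, not Cisco code. Vendor ID, VSA sub-type and sample values are assumed."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

CODE_ACCT_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_NAS_ID, ATTR_ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_ID = 9        # assumption: Cisco's IANA enterprise number
VSA_SCE_VAS_PID = 1  # assumption: hypothetical sub-type carrying the package ID


def _tlvs(buf):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute")
        out.append((buf[i], buf[i + 2:i + buf[i + 1]]))
        i += buf[i + 1]
    return out


def build_acct_request(ident, secret, attrs):
    """Encode an Accounting-Request; the Request Authenticator (RFC 2866 section 3) is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", CODE_ACCT_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def vsa(vendor, subtype, value):
    """Vendor-Specific attribute value: vendor ID followed by one vendor sub-attribute."""
    return struct.pack("!I", vendor) + struct.pack("!BB", subtype, len(value) + 2) + value


@dataclass(frozen=True)
class AcctRecord:
    status: int
    username: str
    framed_ip: str
    nas_id: Optional[str]
    package_id: Optional[int]


def parse_acct_request(pkt, secret):
    """Verify the authenticator first, then pull out the LEG-relevant attributes."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CODE_ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("bad Request Authenticator: wrong secret or spoofed packet")
    fields = {"nas_id": None, "package_id": None}
    for t, v in _tlvs(body):
        if t == ATTR_USER_NAME:
            fields["username"] = v.decode("utf-8", "replace")
        elif t == ATTR_FRAMED_IP and len(v) == 4:
            fields["framed_ip"] = str(ipaddress.IPv4Address(v))
        elif t == ATTR_NAS_ID:
            fields["nas_id"] = v.decode("utf-8", "replace")
        elif t == ATTR_ACCT_STATUS and len(v) == 4:
            fields["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR_VSA and len(v) >= 4 and struct.unpack("!I", v[:4])[0] == VENDOR_ID:
            for st, sv in _tlvs(v[4:]):
                if st == VSA_SCE_VAS_PID and len(sv) == 4:
                    fields["package_id"] = struct.unpack("!I", sv)[0]
    if not {"username", "framed_ip", "status"} <= fields.keys():
        raise ValueError("missing User-Name, Framed-IP-Address or Acct-Status-Type")
    return AcctRecord(**fields)


class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID). 'pushed' records what push mode
    would send to the SCE; who_is_using() is the pull-mode answer."""

    def __init__(self, secret):
        self.secret = secret
        self.by_ip = {}
        self.pushed = []

    def handle_accounting(self, pkt):
        rec = parse_acct_request(pkt, self.secret)
        if rec.status == ACCT_START:                     # LEG "Login"
            self.by_ip[rec.framed_ip] = (rec.username, rec.package_id)
            self.pushed.append(("login", rec.framed_ip, rec.username, rec.package_id))
        elif rec.status == ACCT_STOP:                    # LEG "Logout"
            self.by_ip.pop(rec.framed_ip, None)
            self.pushed.append(("logout", rec.framed_ip, rec.username, None))
        return rec

    def who_is_using(self, ip):
        return self.by_ip.get(ip)


def joe_packet(status=ACCT_START, secret=b"s3cret"):
    """Constructed packet matching the slide: Joe, 1.2.3.4, SCE-VAS-PID=12 (secret and NAS assumed)."""
    return build_acct_request(7, secret, [
        (ATTR_USER_NAME, b"Joe"),
        (ATTR_FRAMED_IP, ipaddress.IPv4Address("1.2.3.4").packed),
        (ATTR_ACCT_STATUS, struct.pack("!I", status)),
        (ATTR_NAS_ID, b"bras-1"),
        (ATTR_VSA, vsa(VENDOR_ID, VSA_SCE_VAS_PID, struct.pack("!I", 12))),
    ])
```

The authenticator check is the part worth keeping: a RADIUS Listener LEG that skips it accepts Accounting-Start messages from any host that can reach the port, and a sniffer LEG on a SPAN port cannot verify anything at all, so the path between the B-RAS, the RADIUS server and the SM should itself be an isolated network.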
Slide 103: Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management on the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C and Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing / quota provisioning
- NetFlow v9: allows integration for billing / quota provisioning
Slide 104: Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network-ID to Subscriber-ID together with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: SCE, Subscriber Manager and policy server connected via APIs
Slide 105: PCEF: Subscriber Policy Enforcement
- SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF / policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
Diagram: GGSN, access aggregation and service control (PCEF SCE), converged packet core, subscriber service control, Internet, video / VoIP applications and services; numbered steps 1 to 5
Slide 106: Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
- Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Slide 107: Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the Collection Manager for processing: the Cisco bundled Collection Manager, or a third-party database
- Configurable data granularity: interval between RDRs, sample rates
Slide 108: Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- RDR protocol integrated directly into third-party systems: policy control, mediation, home-grown customer platforms
Diagram: RDR stream over TCP to a mediation / collection platform; each RDR is a header followed by field 0 ... field n
The slide states only TCP and binary encoding for the RDR stream; since it carries per-subscriber usage data, it belongs on a dedicated, access-controlled collection network rather than a path shared with subscriber traffic.
Slide 109: Collection Manager: NetFlow v9 Export
- NetFlow export v9 is used to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; SCE supports the new extensions
- Records equivalent to existing RDR groups: subscriber usage (NUR), package usage (PUR), link usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter)
Slide 110: Collection Manager: Software Overview
CM software:
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle:
- Cisco provides the collection software pre-packaged with a database (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111: ToS Marking
- ToS marking is decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selectable DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic per package, per service and per direction (upstream / downstream)
Diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
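The following added example, written by the editor and not Cisco SCE code, works through the marking and classification described on the two slides above at the packet level. It builds an IPv4 header, rewrites the six DSCP bits while preserving the two ECN bits and recomputing the header checksum (the "header rewrite" action from the insertion slide), resolves a per-package / per-service / per-direction marking table, and classifies a packet with DSCP taking precedence over the signature result only for directions whose marker is trusted. The marking table values, the package and service names and the trust rule are illustrative assumptions.

```python
"""DSCP marking as a header-rewrite action, and DSCP-first classification.
Editor's example, not Cisco SCE code. Table values and trust rule are assumed."""
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header (checksum field zeroed by the caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto=6, dscp=0, ecn=0, payload=b""):
    """Minimal IPv4 header (no options) with a correct checksum. Constructed test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def header_len(pkt):
    return (pkt[0] & 0x0F) * 4


def verify_checksum(pkt):
    """A valid header sums (including its checksum field) to 0xFFFF, so the complement is 0."""
    return ipv4_checksum(pkt[:header_len(pkt)]) == 0


def get_dscp(pkt):
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Header-rewrite action: replace the 6 DSCP bits, keep the 2 ECN bits,
    recompute the IPv4 header checksum. Payload and L4 checksums are untouched."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    n = header_len(pkt)
    hdr = bytearray(pkt[:n])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[n:]


# Marking table: (package, service, direction) -> DSCP; None is a wildcard.
# Values are illustrative (EF for voice, AF31 for browsing, CS1 for P2P).
MARKING_TABLE = {
    ("gold", "voip", None): 46,
    ("gold", "browsing", "downstream"): 26,
    (None, "p2p", None): 8,
}


def marking_for(package, service, direction):
    """Most specific rule wins: exact, then direction wildcard, then package wildcard, then both."""
    for key in ((package, service, direction), (package, service, None),
                (None, service, direction), (None, service, None)):
        if key in MARKING_TABLE:
            return MARKING_TABLE[key]
    return None


def classify(pkt, direction, signature_service, dscp_services, trusted_directions=("downstream",)):
    """DSCP classification takes precedence over the signature result, but only for
    directions whose marker is trusted: a subscriber can set DSCP on its own upstream
    packets, so those markings are ignored unless explicitly trusted."""
    dscp = get_dscp(pkt)
    if direction in trusted_directions and dscp in dscp_services:
        return dscp_services[dscp], "dscp"
    return signature_service, "signature"


def mark(pkt, package, service, direction):
    """Apply the marking table to a classified packet; returned unchanged if no rule matches."""
    dscp = marking_for(package, service, direction)
    return pkt if dscp is None else set_dscp(pkt, dscp)
```

Recomputing the whole checksum is simplest to get right; an inline engine would more likely patch it incrementally (RFC 1624), but the result must be identical and `verify_checksum` is the check to keep in either case.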
Slide 113: Summary
Slide 114: Cisco SCE Sample Customers
Diagram: customer logos grouped by Mobile, DSL and Cable
Slide 115: Partner Ecosystem and Deployments (1 of 2)
- Security and content filtering: partners Aladdin, Websense, Adaptive Mobile
- Policy and billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- URL black-listing: partners Websense, in-platform cache
- Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy; deployments at a UK DSL provider, an Italian DSL provider, CTT, China Mobile, Korean Telecom
- Other deployments named for the first three categories (column assignment lost in extraction): NTT, Cable & Wireless, Tiscali; Vodacom, Watanya; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, TV Cabo
Slide 116: Partner Ecosystem and Deployments (2 of 2)
- Flash caching / video: partners Oversi, CDS; deployments at various European and Asian operators
- Content infringement: partners Audible Magic, Advestigo, Altnet; European legislators and content providers, initial POCs
- Management / reporting: partners Proxy, Business Objectives, Comability, Aqsacom, InfoVista; deployments at Telecom Italia, CYTA
- Data warehousing: partners Business Objects, Oracle; deployments at Orange, T-Mobile, Telenet

Slide 63: Personalized Subscriber Management: Self-Service Selection Example
- Simplifies the end-user experience
- Personalization via self-selection: personalize per user, including self-subscription and account refresh, e.g. new consumer service activation
Slide 64: Bandwidth on Demand: Meeting Subscriber Needs on Demand
Subscribers who have a standard lower-speed Internet service may visit a web page on the provider's site and click a "Turbo" button to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it.
Slide 65: Personalized Services: Self-Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting / monitoring
Slide 66: Personalized Reporting: Self-Managed
Slide 67: Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access (parental controls and content filtering).
Slide 68: Example Content Tiering: "Kids Broadband"
- Application- and content-based access control with white-lists and black-lists
- Limits access to pre-defined websites
- Limits access to pre-approved applications
- HTTP redirect to a portal
- Real-time policy change
Benefits:
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
Diagram: Internet; blocked-content page reading "Content blocked. Click here to unlock all Internet sites"
Slide 69: URL Filtering with External DB
- Enhances SCE URL classification with external-party databases
- External database size is not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense and Adaptive Mobile
Diagram (on-device URL filtering with external database integration): URL not in cache; URL query RDR to the 3rd-party URL database; classification returned; cache lookup / update
Policy matrix: action per subscriber package and HTTP list (columns: DEFAULT, HTTP List ID 1, HTTP List ID 2)
- Block-none: ALLOW, ALLOW, ALLOW
- Block-all: ALLOW, BLOCK, BLOCK
- Block-and-slow: ALLOW, BLOCK, RATE 64 kbps
Slide 70: Parental Control and Content Filtering: Example
- Content filtering: "Page blocked: forbidden content detected"
- Subscriber-managed parental control
- Basic website black-listing provided free of charge
- Comprehensive filtering and security for a small monthly subscription
Slide 71: SPs Participating in the Advertising Value Chain
- The ISP leverages its intimacy with its customer base (demographics, browsing habits, geo-location) to enable enhanced targeting
Diagram: BetterAds between advertiser, publisher and consumer
Slide 72: BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; next step would be to add demographic targeting
- Good for all access types: DSL, cable, mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participate in the advertising value chain; increase ARPU through a revenue-sharing model
- Addressing privacy concerns through advanced opt-in / opt-out mechanisms
Slide 73: BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report

Service Security Dashboard
Integrated console to manage service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber quotas: set/add/read usage quota buckets
Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages sent directly to the relevant SCE device
  - Pull: SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration - Push
[Diagram: B-RAS, RADIUS server and Cisco Subscriber Manager (event manager, internal SDB, SCE device controller) in front of the subscriber network]
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start forwarded to the SM with the package attribute added: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device

Subscriber Manager RADIUS Integration - Pull
[Diagram: same components as the push case]
1. (RADIUS) B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start forwarded to the SM with the package attribute added: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) SM answers with Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEGs' translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
[Diagram: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) feeding the SM]
Login carries: subscriber ID, domain, mappings, lease time, policy
Logout carries: subscriber ID, mappings

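The push and pull exchanges on the two slides above, and the login/logout translation the LEG performs, as an added example that is not Cisco's SM or LEG code: it parses a constructed RADIUS Accounting-Request, stores the subscriber context (subscriber-ID, network-ID, policy-ID) and resolves a flow's source IP either by push or by pull. The Cisco vendor id 9 is real; the sub-attribute number used for SCE-VAS-PID is a placeholder assumption.

```python
"""Subscriber Manager push/pull demo. Added example, not Cisco's SM or LEG code.

The B-RAS sends an Accounting-Start with User-Name and Framed-IP-Address, the
RADIUS relay appends an SCE-VAS-PID (package id) vendor attribute, and the SM
stores the context. Push: SM sends Set Subscriber to the SCE at once. Pull: the
SCE asks the SM when it sees traffic from an unknown IP. Stop removes the mapping.
"""
import ipaddress
import struct

# RADIUS attribute types (RFC 2865/2866); vendor id 9 is Cisco.
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
SCE_VAS_PID_SUBTYPE = 254  # ASSUMPTION: placeholder sub-attribute number, not Cisco's

def parse_attributes(data):
    """Walk a RADIUS TLV list; each length byte covers its own 2-byte header."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")  # never map on malformed input
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def decode_acct_request(packet):
    """Extract status, user, framed IP and SCE package id from an Accounting-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    rec = {"status": None, "user": None, "ip": None, "package": None}
    for atype, val in parse_attributes(packet[20:]):  # 20-byte header incl. authenticator
        if atype == USER_NAME:
            rec["user"] = val.decode("ascii")
        elif atype == FRAMED_IP_ADDRESS and len(val) == 4:
            rec["ip"] = str(ipaddress.IPv4Address(val))
        elif atype == ACCT_STATUS_TYPE and len(val) == 4:
            rec["status"] = struct.unpack("!I", val)[0]
        elif atype == VENDOR_SPECIFIC and len(val) >= 4:
            if struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
                for sub, sval in parse_attributes(val[4:]):
                    if sub == SCE_VAS_PID_SUBTYPE:
                        rec["package"] = int(sval.decode("ascii"))
    return rec

class SCE:
    """Stand-in for the SCE mapping table; in pull mode it queries the SM on a miss."""
    def __init__(self):
        self.mappings, self.sm = {}, None
    def set_subscriber(self, ip, user, package):
        self.mappings[ip] = (user, package)
    def logout(self, ip):
        self.mappings.pop(ip, None)
    def classify(self, src_ip):
        """Return (subscriber, package) for a flow; unmapped IPs get the anonymous default."""
        if src_ip not in self.mappings and self.sm is not None:
            ctx = self.sm.lookup(src_ip)  # pull: "who is using IP x?"
            if ctx:
                self.mappings[src_ip] = ctx
        return self.mappings.get(src_ip, ("anonymous", None))

class SubscriberManager:
    """Holds subscriber contexts keyed by network-ID (IP): (subscriber-ID, policy-ID)."""
    def __init__(self, sce, push=True):
        self.sce, self.push, self.contexts = sce, push, {}
    def handle_radius(self, packet):
        rec = decode_acct_request(packet)
        if rec["status"] == ACCT_START and rec["user"] and rec["ip"]:
            self.contexts[rec["ip"]] = (rec["user"], rec["package"])
            if self.push:  # push mode: login goes straight to the SCE
                self.sce.set_subscriber(rec["ip"], rec["user"], rec["package"])
        elif rec["status"] == ACCT_STOP and rec["ip"]:
            self.contexts.pop(rec["ip"], None)
            self.sce.logout(rec["ip"])  # logout: subscriber-ID and mappings removed
        return rec
    def lookup(self, ip):
        return self.contexts.get(ip)

def build_acct_packet(status, user, ip, package=None):
    """Constructed Accounting-Request; authenticator zeroed (no shared secret in this demo)."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = attr(ACCT_STATUS_TYPE, struct.pack("!I", status)) + attr(USER_NAME, user.encode())
    body += attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed)
    if package is not None:  # what the RADIUS relay appends before forwarding to the SM
        sub = attr(SCE_VAS_PID_SUBTYPE, str(package).encode())
        body += attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)
    return struct.pack("!BBH", 4, 1, 20 + len(body)) + bytes(16) + body

def demo(push):
    """Log Joe in at 1.2.3.4 with package 12, classify, log out, classify again."""
    sce = SCE()
    sce.sm = SubscriberManager(sce, push=push)
    sce.sm.handle_radius(build_acct_packet(ACCT_START, "Joe", "1.2.3.4", 12))
    while_logged_in = sce.classify("1.2.3.4")
    sce.sm.handle_radius(build_acct_packet(ACCT_STOP, "Joe", "1.2.3.4"))
    return while_logged_in, sce.classify("1.2.3.4")  # (("Joe", 12), ("anonymous", None))
```

Both modes end with the same mapping state; the difference is only when the SCE learns it (at login in push mode, at first traffic in pull mode).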
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management with the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C, Java)
- SCE MIB - allows integration for maintenance operations
- RDRs - allows integration for billing/quota provisioning issues
- NetFlow v9 - allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE - API - Subscriber Manager - API - Policy Server]

PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control) in front of the converged packet core and the Internet; SCE acting as PCEF between subscribers and applications/services such as video and VoIP; numbered steps 1-5]
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
- Called-Station-Id
- 3GPP-SGSN-IP-Address
- 3GPP-SGSN-MCC-MNC
- 3GPP-GPRS-Negotiated-QoS-Profile
- 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: Cisco bundled Collection Manager or third-party database
- Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
- Usage data streamed from the device using the RDR protocol (TCP, binary encoded)
- Support for multiple destinations, failover, subscriptions
- RDR protocol integrated directly into 3rd party systems: policy control, mediation, home-grown customer platforms
[Diagram: RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 ... Field n]

Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]

Collection Manager: Software Overview
CM software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM bundle
- Cisco provides the collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)

ToS Marking
- ToS marking decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selected DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  - per package
  - per service
  - per direction (upstream/downstream)
[Diagram: upstream flows from the subscriber side and downstream flows from the network side (browsing, P2P, VoIP) marked as they pass the SCE]

ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
[Diagram: customer logos grouped by access type: Mobile, DSL, Cable]

[Partner and customer table, columns: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising]
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

[Partner and customer table, columns: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing]
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

Bandwidth-On-Demand: Meeting Subscriber Needs on Demand
Subscribers who may have a standard lower-speed Internet service may visit a web page on the provider's site and click on a "Turbo Button" to boost their bandwidth for a set period of time, or leave the button engaged until they return and deselect it

Personalized Services: Self Provisioned
- Quota management
- Turbo (bandwidth on demand)
- Application prioritization
- Reporting/monitoring

Personalized Reporting: Self Managed

Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental controls and content filtering

Example Content Tiering - "Kids Broadband"
- Application and content based access control with white-lists/blacklists
  - Limits access to pre-defined web-sites
  - Limits access to pre-approved applications
- HTTP redirect to portal
- Real-time policy change
Benefits
- Customer loyalty and stickiness
- Revenue opportunity through content provider partnership
[Portal mock-up: "Content Blocked - Click here to unlock all Internet sites"]

URL Filtering With External DB
- Enhance SCE URL classification with external party databases
- External database size not constrained by the SCE
- SCE on-board cache reduces transactions to the external DB
- Java-based API
- Can be used with commercial parental control systems or proprietary databases
- Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache, the SCE sends a URL Query RDR to the 3rd party URL database, which returns the URL classification; the cache lookup is then updated
Subscriber package actions per HTTP list:
Subscriber package | HTTP DEFAULT | HTTP - List ID 1 | HTTP - List ID 2
Block-none         | ALLOW        | ALLOW            | ALLOW
Block-all          | ALLOW        | BLOCK            | BLOCK
Block-and-slow     | ALLOW        | BLOCK            | RATE 64kbps

Parental Control and Content Filtering: Example
[Screenshot: "Page Blocked - Forbidden Content Detected"]
- Subscriber-managed parental control
- Basic website blacklisting provided free of charge
- Comprehensive filtering and security for a small monthly subscription

SPs participating in the advertising value chain
[Diagram: ISP supplying demographics, browsing habits and geo-location to BetterAds, between advertiser, publisher and consumer]
Leveraging their intimacy with their customer base to enable enhanced targeting

BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting; next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participating in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced opt-in/opt-out mechanisms

BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)

P2P Identification: Infringing / Non-Infringing
[Diagram: subscriber network, SCE and hash DB]
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material

Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
[Diagram: SCE separating OTT traffic from other traffic (P2P, VoIP); SCE redirects OTT traffic to the OTT video cache, which delivers the requested files]
Increase in demand for OTT; best user experience - OTT content is delivered from within the network, as close as possible to the user

Service Security Challenges
Key challenges
- Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users

Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: threat using stateful traffic processing, and alert SP operations
- Protect: block/mitigate threat based on configured policy
- Notify: quarantine subscriber and notify of security risk
[Diagram: Service Control between subscribers, email servers and the Internet; sample notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]

Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity of security add-on services
- Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1, SCE, VAS server and the Internet over carrier Ethernet/MPLS/IP; inbound and outbound traffic, with X marking blocked traffic]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS will detect the embedded malware and drop the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point - broadband edge/aggregation:
- Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP/tunneling environment
[Diagram: SCE insertion point in the network]

Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: analysis engine applying PDR (police, drop, rewrite) actions]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
- Using optical splitters / port SPAN
- Traffic monitoring only
Inline configuration
- Engine installed in the data path
- Monitor and control traffic
[Diagram: optical splitters between subscribers and network feeding the receive-only SCE]

High Availability: Cascading Configurations
- Addressing split-flows between the two links
- Providing 1+1 Active-Standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, each on an active link]

Redundant Configurations: Active/Standby Schemes
1+0
- Active/Standby SCE on the active link
- On failure, network uses alternate path
- No service redundancy
- Bypass config: fail open
1+1
- Active/Standby SCE on each link
- On failure, network uses alternate path
- Standby SCE resumes service
- Bypass config: fail open
[Diagram: active link and standby links]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
- In case of a major failure in the SCE SW or HW
- Manually via CLI
- On boot
[Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state]

MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s Gbps of traffic
- Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
- High availability - provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE for maintaining flow & subscriber states
[Diagram: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows out and return flows]

copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
ToS Classification
The SCE provides traffic classification based on the ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify traffic by its ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over the other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because DSCP classification overrides signature classification, the markings the SCE honours must come from an element the subscriber cannot influence. Packets arriving from the subscriber side carry whatever DSCP the subscriber's host set, so the access device should re-mark or clear them before the SCE classifies on them; otherwise a subscriber obtains a higher service level simply by setting the DSCP field
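The trust boundary described above, as an added example (not SCE code): DSCP is honoured only from the network side, an upstream marking is cleared before classification so the flow falls through to signature matching, and the rewrite preserves the two ECN bits and recomputes the IPv4 header checksum, two details a naive ToS rewrite gets wrong. The DSCP-to-service mapping and the packet are constructed for illustration; the seven DSCP values the SCE GUI offers are not on the slide.

```python
import struct
from ipaddress import IPv4Address

# Illustrative mapping from DSCP to the deck's example services. EF (46) and AF31 (26) are
# standard codepoints chosen here; the slide does not list the SCE's seven values.
DSCP_TO_SERVICE = {46: "VoIP", 26: "Browsing"}
ECN_MASK = 0x03


def dscp_of(tos):
    """DSCP is the upper six bits of the IPv4 ToS/DS byte (RFC 2474)."""
    return tos >> 2


def remark_dscp(tos, new_dscp):
    """Rewrite the six DSCP bits; the two ECN bits belong to the transport and are preserved."""
    return ((new_dscp & 0x3F) << 2) | (tos & ECN_MASK)


def ipv4_checksum(header):
    """Ones-complement sum over the header; yields 0 when run over a header whose checksum is right."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_tos(packet, new_dscp):
    """Return the packet with its DSCP rewritten and the IPv4 header checksum recomputed."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = remark_dscp(hdr[1], new_dscp)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def classify_by_dscp(packet, direction, trust_subscriber_marking=False):
    """Return (service, packet). 'upstream' means the packet entered on the subscriber side.

    DSCP is honoured only from a trusted side. An untrusted marking is cleared so the flow is
    left to signature-based classification (service None) instead of buying itself a higher
    service level; the checksum is fixed up so the rewritten packet stays valid.
    """
    if packet[0] >> 4 != 4:
        return None, packet
    dscp = dscp_of(packet[1])
    if direction == "upstream" and not trust_subscriber_marking:
        return None, (rewrite_tos(packet, 0) if dscp else packet)
    return DSCP_TO_SERVICE.get(dscp), packet


def build_ipv4(src, dst, tos, payload=b""):
    """Constructed minimal IPv4 header (protocol 17, no payload by default) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0x4000, 64, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload
```

Marking per package, service and direction as the previous slide describes is then a table lookup that calls rewrite_tos with the chosen codepoint; the part worth getting right is the rewrite itself.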
Summary
Cisco SCE Sample Customers
Figure: customer logos grouped by access type (Mobile, DSL, Cable); the logos themselves are not recoverable from the extraction
Cisco SCE Sample Customers and Partners (the two-slide table layout is not recoverable from the extraction; entries are listed in the order they appear)
Security & Content Filtering / Policy & Billing / URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching / Video / Content Infringement / Management Reporting / Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, InfoVista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Personalized Services: Self Provisioned
Quota Management
Turbo (Bandwidth on Demand)
Application Prioritization
Reporting and Monitoring
Personalized Reporting: Self Managed
Parental Controls: Getting Involved in Your Child's Experience
Adults can access a web portal and set Internet controls for children, including blocking access to certain types of websites and imposing time limits on online access
Parental Controls and Content Filtering
Example Content Tiering: "Kids Broadband"
Application- and content-based access control with white-lists and blacklists
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content-provider partnership
Figure: a subscriber request to the Internet is intercepted and redirected to a portal page reading "Content Blocked. Click here to unlock all Internet sites"
The unlock action on that portal is reached from the very session being restricted, so it must require the account holder's credentials rather than a single click; otherwise the child is the one who unlocks the account
URL Filtering With External DB
Enhances SCE URL classification with external-party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external database
Java-based API
Can be used with commercial parental-control systems or proprietary databases
Current integration is with Websense and Adaptive Mobile
Flow (on-device URL filtering with external database integration): an HTTP request whose URL is not in the cache triggers a URL Query RDR to the third-party URL database; the database returns the URL classification and the cache is updated with the result
Policy matrix (subscriber package by HTTP list):
Subscriber package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64 kbps
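The cache-then-query flow and the policy matrix above, as an added example written in Python rather than against the Java API the slide mentions, and not Cisco's code: the external database is a constructed stand-in. What the example adds to the slide is hostname normalisation before the cache key is formed (so a trailing dot, mixed case or an IDN spelling cannot slip past a list entry) and an explicit decision for the case the slide does not cover, the database being unreachable.

```python
import time
from urllib.parse import urlsplit

# Policy matrix from the slide: subscriber package x HTTP list -> action.
POLICY = {
    "Block-none":     {"DEFAULT": "ALLOW", "LIST1": "ALLOW", "LIST2": "ALLOW"},
    "Block-all":      {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "BLOCK"},
    "Block-and-slow": {"DEFAULT": "ALLOW", "LIST1": "BLOCK", "LIST2": "RATE 64kbps"},
}


class ExternalDbUnavailable(Exception):
    """The third-party URL database did not answer (timeout, link down)."""


class UrlFilter:
    """On-device cache in front of an external URL classifier, with an explicit failure policy."""

    def __init__(self, lookup, ttl=300, fail_closed_packages=("Block-all",)):
        self.lookup = lookup                  # host -> list id; may raise ExternalDbUnavailable
        self.ttl = ttl                        # seconds a classification is reused
        self.fail_closed = set(fail_closed_packages)
        self.cache = {}                       # host -> (list id, expiry)
        self.external_queries = 0

    @staticmethod
    def normalise(url):
        """Canonical host: lowercase, no trailing dot, punycode. Lists and the cache are keyed
        on this form, so 'HTTP://Example.COM./x' and an IDN spelling match the same entry."""
        host = urlsplit(url).hostname or ""
        return host.rstrip(".").encode("idna").decode("ascii")

    def classify(self, url, now=None):
        now = time.time() if now is None else now
        host = self.normalise(url)
        hit = self.cache.get(host)
        if hit and hit[1] > now:
            return hit[0]
        self.external_queries += 1
        list_id = self.lookup(host)           # a failure propagates and is never cached
        self.cache[host] = (list_id, now + self.ttl)
        return list_id

    def action(self, package, url, now=None):
        try:
            list_id = self.classify(url, now)
        except ExternalDbUnavailable:
            # The slide does not say what happens when the database is unreachable. A
            # parental-control package should fail closed; a default package fails open.
            return "BLOCK" if package in self.fail_closed else "ALLOW"
        return POLICY[package].get(list_id, "ALLOW")


# Constructed stand-in for the third-party database and its failure mode.
FAKE_DB = {"kids-games.example": "DEFAULT", "adult.example": "LIST1", "games.example": "LIST2"}


def fake_lookup(host):
    return FAKE_DB.get(host, "DEFAULT")


def failing_lookup(host):
    raise ExternalDbUnavailable(host)
```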
Parental Control and Content Filtering: Example
Content filtering: the subscriber is shown a "Page Blocked: Forbidden Content Detected" page
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs Participating in the Advertising Value Chain
Diagram: the ISP sits between advertiser, publisher and consumer and holds demographics, browsing habits and geo-location (BetterAds)
Leveraging their intimacy with their customer base to enable enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE product offering
SPs participate in the advertising value chain
Increase ARPU through a revenue-sharing model
Addressing privacy concerns through advanced opt-in and opt-out mechanisms
BetterAds: Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring: sending a copy of selected HTTP traffic to a third-party server, using VLAN marking
Reporting HTTP click-stream information in RDRs and anonymizing the subscriber details in those RDRs
Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors the relevant traffic to the profiling servers
3. The profiling servers process the traffic, extract the relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits, ...)
Mirrored HTTP traffic is a full copy of the subscriber's requests, so the mirror VLAN and the profiling servers hold exactly the data the anonymized RDRs are meant to protect; the opt-in state should gate the mirroring decision itself, not only the later use of the profile
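The "anonymizing the subscriber details in RDRs" bullet, as an added example (not Cisco's implementation): keyed pseudonyms via HMAC, set beside the unkeyed hash that is often used instead and a dictionary attack showing why the latter is not anonymisation for identifiers drawn from a small space such as an address pool. The key, the RDR layout and the address pool are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Key for the current pseudonymisation period. Constructed here; in production it comes from a
# key store and is rotated, so pseudonyms from different periods cannot be linked.
PERIOD_KEY = bytes(range(32))


def pseudonymise(value, key):
    """Keyed pseudonym (HMAC-SHA-256, truncated): stable within a key period, and without the
    key it cannot be inverted or re-derived, unlike a bare hash of a guessable identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def unkeyed_hash(value):
    """What 'anonymising' too often means in practice: SHA-256 of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()[:32]


def reverse_by_enumeration(digest, pool):
    """Dictionary attack on an unkeyed hash: enumerate the subscriber address pool and compare.
    A /16 takes well under a second, which is why a bare hash of an IP is not anonymisation."""
    for ip in ipaddress.ip_network(pool):
        if unkeyed_hash(str(ip)) == digest:
            return str(ip)
    return None


def anonymise_rdr(rdr, key):
    """Replace the subscriber identifiers in a click-stream RDR; keep the click-stream fields."""
    out = dict(rdr)
    out["subscriber_id"] = pseudonymise(rdr["subscriber_id"], key)
    out["subscriber_ip"] = pseudonymise(rdr["subscriber_ip"], key)
    return out


# Constructed click-stream RDR; not a real SCE record layout.
SAMPLE_RDR = {
    "timestamp": 1247000000,
    "subscriber_id": "joe@example.net",
    "subscriber_ip": "10.20.30.40",
    "host": "cars.example",
    "url": "/reviews/2009-roadster",
    "bytes": 48213,
}
```

Even keyed pseudonyms let the profiling side link every click of one subscriber within the key period, which is the point of behavioral targeting; what the key buys is that the party holding the RDRs cannot turn a pseudonym back into a name or an address without the SP.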
Infringing / Non-Infringing P2P Identification
1. Subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts on the file classification: it lets the request pass for a legal file and blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing and non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end users using existing network resources
The cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: the SCE separates OTT video from other traffic (P2P, VoIP); the SCE redirects OTT requests to the OTT video cache, and the cache delivers the requested files
Increase in demand for OTT
Best user experience: OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end users may not have any security protection
End users are not educated on security best practices
New "triple-play" services increase the potential threat (VoIP, viruses, EPG hacking, etc.)
Effect on the SP's business
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing and alert SP operations
Protect: block or mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Diagram: Service Control sits between the subscribers and the Internet and e-mail servers; a quarantined subscriber is shown a notification such as "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
A notification page of this kind is indistinguishable from a phishing page unless it is served from the SP's own portal at an address the subscriber already knows and its link stays on that domain; attackers send identical "your PC is infected, click here" messages
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call-center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
Diagram: User 1 reaches the Internet through the SCE and the carrier Ethernet/MPLS/IP network; a VAS server hangs off the SCE; inbound traffic marked X is blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or to download a file from a web site or peer application
2. The SCE identifies the subscriber's traffic flows as matching the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used for the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file is not loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point: broadband edge / aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: the SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness; sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Diagram: the analysis engine applies PDR (police, drop, rewrite) actions to the packet stream passing through it
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: subscribers on one side, network on the other; in the receive-only case an optical splitter on each link feeds a copy to the SCE
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 active/standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have an identical configuration
Diagram: master and slave SCEs, one on each active link, cascaded to each other
Redundant Configurations: Active/Standby Schemes
1+0
Active/standby: one SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1
Active/standby: one SCE on each link
On failure, the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
Diagram: active and standby links passing through the SCEs
"Fail open" means that while an SCE is failed or bypassed, traffic flows with none of the controls in this deck (security mitigation, URL filtering, quotas, marking); operations should alarm on the bypass state itself, not only on link state
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
Diagram: SCE8000 with an optical bypass module on each link pair; the default bypass state (no power) passes traffic around the SCE, the non-default state passes it through the SCE (the port labels are not recoverable from the extraction)
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
Scalability: a "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High availability: provides N+1 device-level high availability addressing all failure scenarios
Technical concept:
The 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
Diagram: N+1 SCEs attached to the 7600; flows go out to an SCE and return to the data path toward the Internet
Network Architectures: SCE's Open and Extensible Architecture
Diagram: DSL/fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN reach the Internet through SCEs deployed as N+1 clusters, 1+1 HA pairs or bypass HA; accounting and policy control systems attach to the SCEs
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1Q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
Diagram: packet inspection reaches the inner IP / TCP / payload beneath L2TP and MPLS headers, and beneath PPP
An encapsulation the engine cannot open is a visibility gap: the inner flow is neither classified nor controlled, so until GRE and GTP support ships, traffic inside those tunnels bypasses every policy in this deck and has to be accounted for in the insertion design
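Decapsulation, as an added example (not the SCE's packet parser): it walks the encapsulations on the slide, 802.1Q, MPLS, IP-in-IP and L2TP with PPP, down to the inner 5-tuple, and reports GRE and GTP-U, which the slide lists as not yet supported, as opaque rather than silently classifying the outer tunnel flow. The frames are constructed in the block, not captures.

```python
import struct
from ipaddress import IPv4Address

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
L2TP_PORT, GTPU_PORT = 1701, 2152


class Opaque(Exception):
    """Encapsulation the engine cannot open: the inner flow is invisible to classification and control."""


def decapsulate(frame):
    """Walk Ethernet / 802.1Q / MPLS / IPv4 / IP-in-IP / L2TP+PPP down to the inner 5-tuple."""
    layers = []
    etype, off = struct.unpack("!H", frame[12:14])[0], 14
    while etype == ETH_VLAN:
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        layers.append("vlan %d" % (tci & 0x0FFF))
        off += 4
    if etype == ETH_MPLS:
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            off += 4
            layers.append("mpls %d" % (entry >> 12))
            if entry & 0x100:                      # bottom-of-stack bit
                break
        if frame[off] >> 4 != 4:                   # MPLS carries no ethertype: check the version nibble
            raise Opaque("non-IPv4 payload under MPLS")
    elif etype != ETH_IPV4:
        raise Opaque("ethertype 0x%04x" % etype)
    return _inner_ip(frame, off, layers)


def _inner_ip(buf, off, layers):
    ihl, proto = (buf[off] & 0x0F) * 4, buf[off + 9]
    flow = {"layers": layers, "src": str(IPv4Address(buf[off + 12:off + 16])),
            "dst": str(IPv4Address(buf[off + 16:off + 20])), "proto": proto, "sport": None, "dport": None}
    off += ihl
    if proto == 4:                                 # IP-in-IP
        layers.append("ip-in-ip")
        return _inner_ip(buf, off, layers)
    if proto == 47:
        raise Opaque("gre")                        # slide: GRE planned for end of 2009
    if proto in (6, 17):
        flow["sport"], flow["dport"] = struct.unpack("!HH", buf[off:off + 4])
        if proto == 17 and L2TP_PORT in (flow["sport"], flow["dport"]):
            layers.append("l2tp")
            return _inner_ip(buf, _skip_l2tp_ppp(buf, off + 8, layers), layers)
        if proto == 17 and flow["dport"] == GTPU_PORT:
            raise Opaque("gtp-u")                  # slide: GTP planned for end of 2009
    return flow


def _skip_l2tp_ppp(buf, off, layers):
    """L2TPv2 data header (RFC 2661) then a PPP frame; returns the offset of the inner IPv4 header."""
    flags = struct.unpack("!H", buf[off:off + 2])[0]
    if flags & 0x8000 or flags & 0x000F != 2:
        raise Opaque("l2tp control message or unsupported version")
    off += 2 + (2 if flags & 0x4000 else 0) + 4 + (4 if flags & 0x0800 else 0)   # Length?, IDs, Ns/Nr?
    if flags & 0x0200:                                                            # Offset Size + padding
        off += 2 + struct.unpack("!H", buf[off:off + 2])[0]
    if buf[off:off + 2] == b"\xff\x03":                                           # PPP address/control
        off += 2
    if buf[off] & 1:                                                              # compressed 1-byte protocol
        ppp_proto, off = buf[off], off + 1
    else:
        ppp_proto, off = struct.unpack("!H", buf[off:off + 2])[0], off + 2
    if ppp_proto != 0x0021:
        raise Opaque("ppp protocol 0x%04x" % ppp_proto)
    layers.append("ppp")
    return off


def visibility(frame):
    """What the engine can act on: the inner flow, or the reason it is opaque."""
    try:
        return decapsulate(frame)
    except Opaque as why:
        return {"opaque": str(why)}


# Constructed sample frames (not captures).
def ipv4_header(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def sample_l2tp_frame():
    """Ethernet / 802.1Q 100 / MPLS 1000 / IPv4 / UDP 1701 / L2TP / PPP / IPv4 / TCP 443."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header("10.9.8.7", "198.51.100.44", 6, len(tcp)) + tcp
    ppp = b"\xff\x03\x00\x21" + inner
    l2tp = struct.pack("!HHHH", 0x4002, 8 + len(ppp), 7, 3) + ppp     # L bit set, version 2
    udp = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, 8 + len(l2tp), 0) + l2tp
    outer = ipv4_header("192.0.2.1", "192.0.2.2", 17, len(udp)) + udp
    mpls = struct.pack("!I", (1000 << 12) | 0x100 | 64)                 # label 1000, S=1, TTL 64
    return b"\x00" * 12 + struct.pack("!HHH", ETH_VLAN, 100, ETH_MPLS) + mpls + outer


def sample_ipip_frame():
    """Ethernet / IPv4 / IPv4 / UDP 53."""
    udp = struct.pack("!HHHH", 5353, 53, 8, 0)
    inner = ipv4_header("10.1.1.1", "198.51.100.53", 17, len(udp)) + udp
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4_header("192.0.2.5", "192.0.2.6", 4, len(inner)) + inner


def sample_gre_frame():
    """Ethernet / IPv4 / GRE: not yet supported per the slide."""
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4_header("192.0.2.9", "192.0.2.10", 47, 4) + b"\x00" * 4
```

The return value of visibility is the design point: an engine that returns the outer tunnel endpoints for a GRE or GTP-U flow would classify an entire GGSN-to-Internet tunnel as one subscriber flow, so the opaque case has to be surfaced rather than approximated.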
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution including SCE devices, management tools and integration APIs
Diagram: the Service Control Engine sits between the subscribers and the network; the Subscriber Manager integrates with AAA, DHCP, RADIUS and billing; the Collection Manager feeds the reporting tool; the Engage console, service portal and policy server/portal complete the solution
Management and Integrations
Area                           Description                                              Protocols and tools          External software modules
Network Management             FCAPS                                                    SNMP, CLI, SSH               N/A
Policy/Service Configuration   Definition of policies and dissemination to SE devices   SCA-API, GUI, scripts, XML   Service Control Application Suite GUI
Subscriber Management          Dynamic management of subscriber contexts                SM API, RADIUS               Subscriber Manager
Data Collection                Collection of usage data for reporting and billing       NetFlow v9, RDR-Protocol     Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR link up/down, link status up/down
CLI
Telnet, SSH
Cisco look and feel
CLI configuration wizard
SNMP v2 community strings and Telnet sessions both travel in cleartext; on a device that rewrites and drops subscriber traffic, restrict management to SSH and to SNMP from a management network only, and treat the community strings as credentials
Management: Network Navigator, a Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices and sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate / bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber
Real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View, load and edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber quotas: set, add and read usage quota buckets
Integration into back-office and AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull modes
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration, Push
Diagram: the B-RAS sends RADIUS accounting to the Cisco Subscriber Manager (event manager, internal SDB, SCE device controller), which pushes the mapping to the SCE serving the subscriber
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM API) Set Subscriber (Joe, 1.2.3.4, 12); the SM pushes the login to the relevant SCE
Subscriber Manager: RADIUS Integration, Pull
Diagram: as in the push case, except that the SCE asks the SM for the mapping when it first sees the subscriber's traffic
1. (RADIUS) The B-RAS sends Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The Accounting Start is relayed with Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM API) Set Subscriber (Joe, 1.2.3.4, 12) answers the query
In both modes the subscriber-to-IP-to-policy mapping is only as trustworthy as the accounting messages that feed it: a forged Accounting Start (or a missed Accounting Stop) re-points one subscriber's policy at another subscriber's address, so the RADIUS listener must verify the shared-secret authenticator and accept accounting only from the known B-RAS addresses
RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options Relay-Agent-Information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs (login event generators) feeding the SM: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG)
Login event carries: subscriber ID, domain, mappings, lease time, policy
Logout event carries: subscriber ID, mappings
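The translation from an Accounting-Request to the SM's "set subscriber" call, as an added example (not the SM's RADIUS LEG): it parses the attributes listed above, verifies the Accounting-Request authenticator before trusting the mapping, and builds the constructed packet it then verifies. The Cisco IANA enterprise number 9 is real; the vendor type carrying the package ID and its ASCII encoding are assumptions, since the slide names the attribute but not its wire format.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
PACKAGE_VSA_TYPE = 1         # ASSUMPTION: vendor type carrying the SCE package ID is not on the slide


def parse_attributes(buf):
    """RFC 2865 attribute TLVs; every length is bounds-checked before use."""
    attrs, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[off], buf[off + 1]
        if alen < 2 or off + alen > len(buf):
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, buf[off + 2:off + alen]))
        off += alen
    return attrs


def verify_accounting_request(packet, secret):
    """RFC 2866 section 3: Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret).
    Without this check any host that can reach the listener can log any subscriber in at any IP."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def subscriber_event(packet, secret):
    """Translate a verified Accounting-Request into the SM 'set subscriber' arguments."""
    if not verify_accounting_request(packet, secret):
        raise ValueError("authenticator mismatch: not from a NAS holding the shared secret")
    event = {"event": None, "subscriber_id": None, "ip": None, "policy_id": None}
    for atype, value in parse_attributes(packet[20:]):
        if atype == USER_NAME:
            event["subscriber_id"] = value.decode("utf-8", "replace")
        elif atype == FRAMED_IP and len(value) == 4:
            event["ip"] = str(IPv4Address(value))
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            event["event"] = ACCT_STATUS.get(struct.unpack("!I", value)[0])
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == PACKAGE_VSA_TYPE and 2 <= vlen <= len(value) - 4:
                event["policy_id"] = int(value[6:4 + vlen].decode("ascii"))
    return event


def build_accounting_start(secret, username, ip, policy_id, ident=7):
    """Constructed Accounting-Request(Start) as the RADIUS relay on the slide would forward it."""
    vsa_value = str(policy_id).encode("ascii")
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([PACKAGE_VSA_TYPE, 2 + len(vsa_value)]) + vsa_value
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in [
        (USER_NAME, username.encode()),
        (FRAMED_IP, IPv4Address(ip).packed),
        (NAS_IDENTIFIER, b"bras-01"),
        (ACCT_STATUS_TYPE, struct.pack("!I", 1)),
        (VENDOR_SPECIFIC, vsa),
    ])
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + authenticator + attrs
```

The authenticator is MD5 with a shared secret, which is all RADIUS offers; it stops a host without the secret from forging or altering accounting, but it does not hide the packet, so the B-RAS-to-SM path still belongs on the management network.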
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management with the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operation
RDRs: allow integration for billing and quota provisioning
NetFlow v9: allows integration for billing and quota provisioning
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: policy server <-> (API) Subscriber Manager <-> (API) SCE
PCEF: Subscriber Policy Enforcement
Diagram: GGSN, access aggregation and service control, converged packet core, Internet; the SCE as PCEF applies subscriber service control to video, VoIP and the other applications and services
The SCE acting as a 3GPP PCEF applies per-user policies (e.g. bandwidth control, VoIP detection) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF is through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package ID, subscriber monitor, upstream virtual link and downstream virtual link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data-processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 66
Personalized ReportingSelf Managed
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 67
Parental ControlsGetting Involved in Your Childlsquos Experience
Adults Can Access a Web Portal and Set Internet Controls for Children Including Blocking Accessto Certain Types of Websites and Imposing Time Limits on Online Access
Parental Controls and Content Filtering
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 68
Example Content Tiering - ldquoKids Broadbandrdquo
Application and Content based access control with white-lists blacklists
Limits access to pre-defined web-sites
Limit access to pre-approved applications
http redirect to portal
Real-time policy change
Benefits
Customer loyalty and stickiness
Revenue opportunity through content provider partnership
bullContent Blocked
bullClick here to unlock all Internet sites
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 – SCE – Carrier Ethernet/MPLS/IP – Internet, with a VAS server attached to the SCE; inbound and outbound traffic shown, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: Broadband Edge/Aggregation
• Directly after the subscriber aggregator (B-RAS/CMTS, Retail-LNS)
• Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
• Traffic visibility (the engine must see all traffic it needs to control)
• Network interfaces
• Split-flow
• Network redundancy
• IP/Tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
• Stateful Analysis Engine with application awareness sees all packets in both directions
• The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
• Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Diagram: Analysis Engine with P/D/R = Police, Drop, Rewrite actions]
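The following Python is an added model of the bump-in-the-wire idea (not the SCE's implementation or any Cisco code): each packet is mapped to a subscriber by its subscriber-side address, the subscriber's policy is applied as a police (token bucket) or drop action, and whatever survives leaves on the opposite interface, never being routed. The 64 kbps rate, the 8 KB burst, the blocked port and the `Joe`/`1.2.3.4` mapping are assumptions (the name and address are borrowed from the deck's later RADIUS example); header rewrite is left out here.

```python
"""Per-subscriber bump-in-the-wire policy enforcement (added example, not
Cisco SCE code): packets are mapped to a subscriber, the subscriber's policy
is applied (token-bucket rate policing or drop), and surviving packets leave
on the opposite interface. Nothing is routed. Rates, ports and the
subscriber/IP mapping below are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass
class Policy:
    rate_bps: int           # sustained rate enforced by the policer
    burst_bytes: int        # token bucket depth
    drop_ports: frozenset   # upstream destination ports the package forbids


class TokenBucket:
    """Classic token bucket: refill at rate, cap at burst, debit per packet."""
    def __init__(self, rate_bps, burst_bytes, now):
        self.rate = rate_bps / 8.0       # bytes per second
        self.cap = burst_bytes
        self.tokens = float(burst_bytes)
        self.last = now

    def allow(self, size, now):
        self.tokens = min(self.cap, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class BumpInTheWire:
    def __init__(self, policies, subscriber_of):
        self.policies = policies            # subscriber id -> Policy
        self.subscriber_of = subscriber_of  # subscriber-side IP -> subscriber id
        self.buckets = {}                   # (subscriber ip, direction) -> TokenBucket
        self.stats = {"pass": 0, "police-drop": 0, "policy-drop": 0}

    def handle(self, pkt, now):
        """pkt = dict(ingress='sub'|'net', src, dst, dport, size).
        Returns the egress interface, or None when the packet is dropped."""
        upstream = pkt["ingress"] == "sub"
        egress = "net" if upstream else "sub"          # never routed: always the other side
        sub_ip = pkt["src"] if upstream else pkt["dst"]
        policy = self.policies.get(self.subscriber_of.get(sub_ip))
        if policy is None:                              # unknown subscriber: default pass
            self.stats["pass"] += 1
            return egress
        if upstream and pkt["dport"] in policy.drop_ports:
            self.stats["policy-drop"] += 1              # Drop action
            return None
        key = (sub_ip, pkt["ingress"])                  # separate up/down buckets
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(policy.rate_bps, policy.burst_bytes, now)
        if not bucket.allow(pkt["size"], now):
            self.stats["police-drop"] += 1              # Police action
            return None
        self.stats["pass"] += 1
        return egress


def demo():
    """Subscriber Joe at 1.2.3.4 on a constructed 64 kbps package that forbids
    outbound SMTP; 20 x 1000-byte packets arrive at once, one more after 1 s."""
    engine = BumpInTheWire(
        policies={"Joe": Policy(rate_bps=64_000, burst_bytes=8_000, drop_ports=frozenset({25}))},
        subscriber_of={"1.2.3.4": "Joe"})
    up = dict(ingress="sub", src="1.2.3.4", dst="198.51.100.10", dport=80, size=1000)
    results = [engine.handle(up, now=0.0) for _ in range(20)]   # burst: 8 KB fits, rest policed
    engine.handle(dict(up, dport=25), now=0.0)                   # forbidden port: policy drop
    late = engine.handle(up, now=1.0)                            # bucket refilled after 1 s
    down = engine.handle(dict(ingress="net", src="198.51.100.10", dst="1.2.3.4",
                              dport=51000, size=1000), now=1.0)  # downstream, own bucket
    return engine.stats, results, late, down
```

In `demo()` the first eight 1000-byte packets drain the 8 KB bucket, the next twelve are policed, the SMTP packet is dropped by policy, and after one second at 64 kbps (8000 bytes of refill) upstream traffic passes again; the downstream packet uses its own bucket and is unaffected.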

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
• Using optical splitters / port SPAN
• Traffic monitoring only
Inline configuration
• Engine installed in the data path
• Monitor and control traffic
[Diagram: Subscribers – optical splitter – SCE – optical splitter – Network]

High Availability: Cascading Configurations
• Addressing split-flows between the two links
• Providing 1+1 Active-Standby failover
• Slave forwards all traffic to Master for processing
• Master updates Slave with subscriber policy state information
• Roles switch on failure of the Master
• The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs cascaded, one on each active link]

Redundant Configurations: Active/Standby Schemes
1+0
• Active/Standby SCE on the active link
• On failure the network uses the alternate path
• No service redundancy
• Bypass config: fail-open
1+1
• Active/Standby SCE on each link
• On failure the network uses the alternate path
• Standby SCE resumes service
• Bypass config: fail-open
[Diagram: active link and standby link(s) between subscriber aggregation and the network]

Optical Bypass
• The SCE can be inserted through optical bypass modules
• For the SCE8000 the Optical Bypass Modules are activated in the following cases:
  – In case of a major failure in the SCE SW or HW
  – Manually via CLI
  – On boot
[Diagram: SCE8000 with an optical bypass module on each link (ports labelled 1/0, 3/0, 0/0, 2/0 in the figure); default bypass state (no power) vs. non-default bypass state]

MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
• High Availability – provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
  – The SCE performs the DPI functionality and returns the packets to the original data path
  – All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
[Diagram: 7600 with N+1 SCEs; flows dispatched to the SCEs and returned to the data path; Internet]
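The two properties that matter in the dispatch step are that every flow of a subscriber, in both directions, reaches the same SCE, and that losing one SCE does not reshuffle the subscribers on the others. The Python below is an added model of exactly those two properties (not the 7600's load-balancing algorithm or any Cisco code): it hashes only the subscriber-side address, and on failure the standby takes over the failed unit's slot so the modulo mapping of everyone else is unchanged. SCE names, subscriber addresses and the use of SHA-256 are assumptions.

```python
"""Subscriber-sticky flow dispatch for an N+1 SCE cluster (added example, not
Cisco code). Keeps the property the slide requires: all flows of a subscriber,
upstream and downstream, land on the same SCE, and a failed SCE is replaced by
the standby without moving the subscribers on the other SCEs."""
import hashlib


class SceCluster:
    def __init__(self, active, standby):
        self.active = list(active)   # slot index -> SCE name; slots are stable
        self.standby = standby

    @staticmethod
    def subscriber_key(pkt):
        """Hash only the subscriber-side address, so both directions of every
        flow of one subscriber produce the same key. Hashing the 5-tuple
        instead would scatter a subscriber's flows across SCEs and break
        per-subscriber state (quotas, policing, security verdicts)."""
        ip = pkt["src"] if pkt["dir"] == "up" else pkt["dst"]
        digest = hashlib.sha256(ip.encode()).digest()
        return int.from_bytes(digest[:8], "big")

    def dispatch(self, pkt):
        return self.active[self.subscriber_key(pkt) % len(self.active)]

    def fail(self, sce):
        """N+1: the standby takes the failed unit's slot; the slot count is
        unchanged, so every other subscriber keeps its SCE."""
        if self.standby is None:
            raise RuntimeError("no standby left")
        slot = self.active.index(sce)
        self.active[slot], self.standby = self.standby, None
        return slot


def demo():
    """Place 40 constructed subscribers, fail one SCE, place them again."""
    cluster = SceCluster(["sce-1", "sce-2", "sce-3"], standby="sce-4")
    subs = [f"10.0.0.{i}" for i in range(1, 41)]

    def placement():
        out = {}
        for ip in subs:
            flows = [dict(dir="up", src=ip, dst="198.51.100.1"),     # web request
                     dict(dir="down", src="198.51.100.1", dst=ip),   # its reply
                     dict(dir="up", src=ip, dst="203.0.113.5")]      # a second flow
            out[ip] = {cluster.dispatch(f) for f in flows}           # set of SCEs hit
        return out

    before = placement()
    cluster.fail("sce-2")
    after = placement()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    moved = [ip for ip in before if before[ip] != after[ip]]
    print(f"{len(moved)} subscribers moved to the standby, the rest stayed put")
```

Each subscriber's set of SCEs has exactly one member before and after the failure, and only the subscribers that were on `sce-2` change, all of them to `sce-4`.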

Network Architectures: SCE's Open & Extensible Architecture
[Diagram: DSL/Fiber access (BRAS/LAC/LNS) and Mobile access (GGSN) feeding SCEs deployed in N+1, 1+1 HA and bypass HA configurations, with Accounting/Policy Control, towards the Internet]

Packet Inspection
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques including:
• VLAN 802.1q tagging
• MPLS Traffic Engineering
• L2TP tunneling
• IP-in-IP tunneling
• GRE & GTP planned for end of 2009
[Diagram: encapsulation stacks the engine looks through: Payload/TCP/IP over L2TP or MPLS, and Payload/TCP/IP over PPP]
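To inspect tunneled traffic the engine has to walk the outer encapsulations to the inner IP header before any classification can happen. The Python below is an added example of that walk (it is not the SCE's parser or Cisco code) for stacked 802.1Q tags, MPLS label stacks, IP-in-IP and GRE; L2TP/PPP is not covered. Every frame it parses is constructed inline, the MAC addresses, labels and GRE key are arbitrary, and the IPv4 checksums are left at zero because the walker does not validate them. The length check before every read is the part worth copying: a decapsulator that trusts the declared lengths is the classic way an inspection engine gets crashed by a short frame.

```python
"""Walking tunnel encapsulations to the inner IP header (added example, not
Cisco SCE code). Covers 802.1Q (stacked), MPLS label stacks, IP-in-IP and
GRE; L2TP/PPP is left out. Every frame below is constructed inline and the
IPv4 checksums are left at zero because the walker does not validate them."""
import struct

ETH_VLAN, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_GRE = 4, 47


def _u16(b, off):
    return struct.unpack_from("!H", b, off)[0]


def inner_ipv4(frame):
    """Return (layers, inner_src, inner_dst, inner_proto) or raise ValueError
    on truncation/unsupported encapsulation. Every length is checked before
    it is read, so a short or malformed frame cannot index past the buffer."""
    if len(frame) < 14:
        raise ValueError("truncated ethernet header")
    layers, off, ethertype = [], 14, _u16(frame, 12)
    while ethertype == ETH_VLAN:                       # stacked 802.1Q tags
        if len(frame) < off + 4:
            raise ValueError("truncated vlan tag")
        layers.append("vlan")
        ethertype, off = _u16(frame, off + 2), off + 4
    if ethertype == ETH_MPLS:
        while True:                                    # pop labels until bottom-of-stack
            if len(frame) < off + 4:
                raise ValueError("truncated mpls label")
            entry = struct.unpack_from("!I", frame, off)[0]
            layers.append("mpls")
            off += 4
            if entry & 0x100:                          # S bit set: last label
                break
        if len(frame) <= off or frame[off] >> 4 != 4:  # no control word assumed
            raise ValueError("mpls payload is not ipv4")
    elif ethertype != ETH_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    while True:
        if len(frame) < off + 20:
            raise ValueError("truncated ipv4 header")
        ihl = (frame[off] & 0x0F) * 4
        if ihl < 20 or len(frame) < off + ihl:
            raise ValueError("bad ihl")
        proto = frame[off + 9]
        src = ".".join(str(b) for b in frame[off + 12:off + 16])
        dst = ".".join(str(b) for b in frame[off + 16:off + 20])
        layers.append("ipv4")
        off += ihl
        if proto == IPPROTO_IPIP:                      # IP-in-IP: loop to the inner header
            continue
        if proto == IPPROTO_GRE:
            if len(frame) < off + 4:
                raise ValueError("truncated gre header")
            flags, gre_proto = struct.unpack_from("!HH", frame, off)
            if gre_proto != ETH_IPV4:
                raise ValueError("gre payload is not ipv4")
            off += 4
            off += 4 if flags & 0x8000 else 0          # checksum + reserved1
            off += 4 if flags & 0x2000 else 0          # key
            off += 4 if flags & 0x1000 else 0          # sequence number
            layers.append("gre")
            continue
        return layers, src, dst, proto


# --- constructed sample frames ----------------------------------------------
def _eth(ethertype):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype)


def _ipv4(src, dst, proto, payload_len):
    pack = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, pack(src), pack(dst))


def sample_frames():
    tcp = bytes(20)
    inner = _ipv4("192.0.2.10", "198.51.100.20", 6, len(tcp)) + tcp
    vlan_ipip = (_eth(ETH_VLAN) + struct.pack("!HH", 100, ETH_IPV4)
                 + _ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, len(inner)) + inner)
    udp = bytes(8)
    mpls = (_eth(ETH_MPLS) + struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64)
            + _ipv4("192.0.2.1", "198.51.100.2", 17, len(udp)) + udp)
    gre_hdr = struct.pack("!HHI", 0x2000, ETH_IPV4, 0xDEADBEEF)   # key flag set, arbitrary key
    gre = (_eth(ETH_IPV4) + _ipv4("10.0.0.3", "10.0.0.4", IPPROTO_GRE, len(gre_hdr) + len(inner))
           + gre_hdr + inner)
    return {"vlan_ipip": vlan_ipip, "mpls": mpls, "gre": gre, "truncated": vlan_ipip[:30]}
```

For the three constructed frames the walker reports the encapsulation sequence and the inner addresses; the truncated copy of the VLAN frame raises `ValueError` instead of being mis-parsed.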

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Diagram: Subscribers – Service Control Engine – Network; Subscriber Manager (AAA, DHCP, Radius/Billing), Collection Manager (Reporting Tool, Engage Console), Policy Server/Portal (Service Portal)]

Management and Integrations
• Network Management: FCAPS; protocols and tools: SNMP, CLI, SSH; external software modules: N/A
• Policy/Service Configuration: definition of policies and dissemination to SE devices; protocols and tools: SCA-API, GUI, Scripts, XML; external software module: Service Control Application Suite GUI
• Subscriber Management: dynamic management of subscriber contexts; protocols and tools: SM API, RADIUS; external software module: Subscriber Manager
• Data Collection: collection of usage data for reporting and billing; protocols and tools: NetFlow v9, RDR-Protocol; external software module: Collection Manager

Network Management (FCAPS)
SNMP (v2)
• MIB-II
• Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
• Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
• Telnet/SSH
• Cisco look and feel
• CLI configuration wizard

Management – Network Navigator: Single Interface to Manage All Solution Components
• Group devices into sites (SCE, CM, SM, database)
• Batch management of devices/sites: apply configuration, update signatures, update software
• Common management operations: view device status, retrieve log, activate bypass

Signature Editor
• Customer-defined signatures
• GUI based
• Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
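The Python below is an added example of what "multi-packet, bi-directional" means for a signature engine; it is not the SCE signature language or Cisco code, and the three signatures (an HTTP User-Agent match, an HTTP X-Header that must appear on the request and be echoed on the response, and a binary two-way handshake with magic bytes) are constructed for the demonstration. A signature is an ordered list of (direction, pattern) steps; a step is consumed only by a packet travelling in its direction, so a request-only match never classifies a flow whose server side refused it.

```python
"""Multi-packet, bi-directional signature matching over one flow (added
example, not the SCE signature language or Cisco code). A signature is an
ordered list of (direction, regex) steps; a step is consumed only by a packet
travelling in its direction, and the flow is classified when the last step
matches. The three signatures are constructed for the demonstration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    direction: str      # "up" (subscriber -> network) or "down"
    pattern: bytes      # regex over the packet payload (binary or text)


@dataclass(frozen=True)
class Signature:
    name: str
    steps: tuple
    max_packets: int = 8   # stop trying on a flow after this many payload packets


SIGNATURES = (
    # HTTP User-Agent string match, single upstream packet
    Signature("http-old-client", (Step("up", rb"^GET .*\r\nUser-Agent: OldClient/"),)),
    # HTTP X-Header that must be present on the request and echoed on the response
    Signature("http-x-tunnel", (Step("up", rb"^POST .*\r\nX-Tunnel-Proto: "),
                                Step("down", rb"^HTTP/1\.[01] 200 .*\r\nX-Tunnel-Proto: "))),
    # binary handshake: fixed magic bytes in each direction
    Signature("bin-handshake", (Step("up", rb"^\xca\xfe\x00\x01"),
                                Step("down", rb"^\xca\xfe\x00\x02"))),
)


class FlowMatcher:
    """Per-flow state: how far each signature has progressed."""
    def __init__(self, signatures=SIGNATURES):
        self.sigs = signatures
        self.progress = {s.name: 0 for s in signatures}
        self.packets = 0
        self.matched = None

    def feed(self, direction, payload):
        """Feed one payload-bearing packet; return the signature name once classified."""
        if self.matched:
            return self.matched
        self.packets += 1
        for sig in self.sigs:
            done = self.progress[sig.name]
            if done >= len(sig.steps) or self.packets > sig.max_packets:
                continue
            step = sig.steps[done]
            if step.direction == direction and re.search(step.pattern, payload, re.S):
                self.progress[sig.name] = done + 1
                if done + 1 == len(sig.steps):
                    self.matched = sig.name
                    return sig.name
        return None


def classify(packets, signatures=SIGNATURES):
    """packets: iterable of (direction, payload). Returns the matched name or None."""
    m = FlowMatcher(signatures)
    for direction, payload in packets:
        if m.feed(direction, payload):
            break
    return m.matched


def sample_flows():
    """Constructed flows: one per outcome."""
    return {
        "agent": [("up", b"GET /index.html HTTP/1.1\r\nHost: example.net\r\nUser-Agent: OldClient/2.0\r\n\r\n")],
        "tunnel": [("up", b"POST /relay HTTP/1.1\r\nHost: example.net\r\nX-Tunnel-Proto: v1\r\n\r\n"),
                   ("down", b"HTTP/1.1 200 OK\r\nX-Tunnel-Proto: v1\r\nContent-Length: 0\r\n\r\n")],
        "one-sided": [("up", b"POST /relay HTTP/1.1\r\nX-Tunnel-Proto: v1\r\n\r\n"),
                      ("down", b"HTTP/1.1 403 Forbidden\r\n\r\n")],
        "binary": [("up", b"\xca\xfe\x00\x01\x10"), ("down", b"\xca\xfe\x00\x02\x10")],
        "plain": [("up", b"GET / HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"),
                  ("down", b"HTTP/1.1 200 OK\r\n\r\n")],
    }
```

The "one-sided" flow is the case that a single-packet matcher gets wrong: the request carries the header, but the server rejects it, so the second step never matches and the flow stays unclassified.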

Integrated Reporter
• Integrated Java-based reporting tool
• Works with Oracle, MySQL or Sybase CM backend
• Context sensitive
• Drill down between reports and configuration
• Interactive: click on a top subscriber to activate the subscriber
• Real-time report

Service Security Dashboard
Integrated console to manage service security functionality:
• View/load/edit signatures
• Configure identification thresholds
• Set up mitigation actions
• View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
• Subscriber-ID: ID of the subscriber context
• Network-ID: IP addresses used to map traffic to the context
• Policy-ID: ID of the policy (package) defining the rules
• Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
• RADIUS AAA
• DHCP servers
• Policy Control Systems

Subscriber Manager – Roles
• Abstracts the SCE device network layout: single point of integration
• Persists subscriber policies across logins
• Push and pull mode
  – Push: login messages are sent directly to the relevant SCE device
  – Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: Radius Integration – Push
[Diagram: B-RAS – Radius – Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller) – SCE – Subscribers / Network]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4 (from the B-RAS)
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12 (relayed to the SM)
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) (pushed from the SM to the SCE)

Subscriber Manager: Radius Integration – Pull
[Diagram: same components as the push case]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4 (from the B-RAS)
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12 (relayed to the SM)
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) (the SM answers the SCE)

Radius Integration: LEGs translation in brief
Input attributes consumed by the LEGs:
• RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
• DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs (Login Event Generators) feeding the SM:
• RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
• DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translated events sent to the SM:
• Login: Subscriber ID, Domain, Mappings, Lease time, Policy
• Logout: Subscriber ID, Mappings

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
• SCE API – allows direct subscriber management with the SCE (provided in Java)
• SM API – allows dynamic subscriber management (provided in C, Java)
• SCE MIB – allows integration for maintenance operations
• RDRs – allow integration for billing/quota provisioning cases
• NetFlow v9 – allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
• SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
• The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE – API – Subscriber Manager – API – Policy Server]

PCEF – Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control) – PCEF/SCE – converged packet core – Internet; subscriber service control for Video/VoIP applications and services; PCRF policy server]
• SCE acting as a 3GPP PCEF
• Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
• Communication with the PCRF through a standard Gx interface
• The Gx interface is still under development and will be available in a future release

Gx Interface and Radius VSAs
• SCE supports policy provisioning via the Gx interface over Diameter
• SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
• 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages; attributes supported include:
  – Called-Station-Id
  – 3GPP-SGSN-IP-Address
  – 3GPP-SGSN-MCC-MNC
  – 3GPP-GPRS-Negotiated-QoS-Profile
  – 3GPP-Charging-Characteristics
• The Gx interface is still under development and will be available in a future release

Collection Manager
• Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
• NetFlow v9 records are sent to an external NetFlow Collector
• RDRs are sent to the "Collection Manager" for processing
  – Cisco bundled Collection Manager
  – Third-party database
• Configurable data granularity
  – Interval between RDRs
  – Sample rates

Collection Manager: RDR Protocol
• Usage data streamed from the device using the RDR Protocol
  – TCP, binary encoded
  – Support for multiple destinations, failover, subscriptions
• RDR-Protocol integrated directly into 3rd-party systems
  – Policy-Control, Mediation, home-grown customer systems
[Diagram: SCE streams RDRs over TCP to a mediation/collection platform; each RDR consists of a Header followed by Field 0, Field 1, ... Field n]
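The slide only says that RDRs are binary, carried over TCP, and laid out as a header followed by fields, so the Python below is an added example with a made-up record layout (magic, record id, field count, body length, then type/length/value fields); it is not Cisco's RDR protocol and must not be read as its format. What it demonstrates is the part a third-party collector has to get right regardless of the exact layout: consuming a TCP byte stream incrementally (records arrive split across reads) and refusing any frame whose declared lengths disagree with its contents instead of indexing past the buffer. The magic value, record ids and the 64 KB cap are assumptions.

```python
"""Length-prefixed binary record stream in the spirit of the RDR stream on the
slide (Header, Field 0 .. Field n). Added example with a made-up layout, not
Cisco's RDR protocol: header = magic(2) | rdr_id(4) | field_count(2) |
body_len(4); each field = type(1) | length(2) | value."""
import struct

MAGIC = 0x5244                 # constructed: ASCII "RD"
HDR = struct.Struct("!HIHI")   # magic, rdr_id, field_count, body_len
FLD = struct.Struct("!BH")     # type, length
MAX_BODY = 64 * 1024           # assumed sanity cap on one record


def encode(rdr_id, fields):
    """fields: list of (type, bytes)."""
    body = b"".join(FLD.pack(t, len(v)) + v for t, v in fields)
    return HDR.pack(MAGIC, rdr_id, len(fields), len(body)) + body


def decode_stream(buf):
    """Return (records, leftover). records = [(rdr_id, [(type, value), ...])].
    Leftover is the tail that is not yet a whole record; a corrupt record
    raises ValueError so the collector can drop the connection."""
    records, off = [], 0
    while len(buf) - off >= HDR.size:
        magic, rdr_id, n_fields, body_len = HDR.unpack_from(buf, off)
        if magic != MAGIC or body_len > MAX_BODY:
            raise ValueError("bad header at offset %d" % off)
        if len(buf) - off - HDR.size < body_len:
            break                              # wait for more bytes from the socket
        body = buf[off + HDR.size:off + HDR.size + body_len]
        fields, pos = [], 0
        for _ in range(n_fields):
            if len(body) - pos < FLD.size:
                raise ValueError("field header overruns body")
            ftype, flen = FLD.unpack_from(body, pos)
            pos += FLD.size
            if len(body) - pos < flen:
                raise ValueError("field value overruns body")
            fields.append((ftype, body[pos:pos + flen]))
            pos += flen
        if pos != body_len:
            raise ValueError("body length does not match fields")
        records.append((rdr_id, fields))
        off += HDR.size + body_len
    return records, buf[off:]


def demo():
    """Two constructed usage records, decoded whole and from a partial read."""
    r1 = encode(1001, [(1, b"Joe"), (2, b"\x00\x00\x00\x0c"), (3, b"browsing")])
    r2 = encode(1002, [(1, b"Joe"), (4, struct.pack("!Q", 123456))])
    stream = r1 + r2
    whole, rest = decode_stream(stream)
    partial, tail = decode_stream(stream[:len(r1) + 5])   # second record cut mid-header
    return whole, rest, partial, tail


def demo_corrupt():
    """A frame whose field length exceeds its body must be rejected, not indexed."""
    bad = HDR.pack(MAGIC, 7, 1, 3) + FLD.pack(1, 200)   # body says 3 bytes, field says 200
    try:
        decode_stream(bad)
        return False
    except ValueError:
        return True
```

A collector built this way keeps the undecoded tail between reads and appends the next chunk to it; the sanity cap on `body_len` is what stops a single bad header from making it buffer gigabytes while "waiting for more bytes".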

Collection Manager: NetFlow v9 Export
• NetFlow Export v9 to support L7 report records
• Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
• SCE supports the new extensions
• Records equivalent to existing RDR groups:
  – Subscriber Usage (NUR)
  – Package Usage (PUR)
  – Link Usage (LUR)
• Format supported by various NetFlow collectors including Cisco NFC 6.0
[Diagram: SCE – SCMS Collection Manager – SCMS Reporter; SCE – NetFlow Collector – NetFlow Reporter]

Collection Manager: Software Overview
CM-Software
• Unix (Solaris, Linux) Java software
• Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
• Template-driven reporting tool (100+ report templates)
CM-Bundle
• Cisco provides the collection software pre-packaged with a DB (Sybase)
• Template-driven reporting tool (100+ report templates)

ToS Marking
• ToS Marking decoupled from the queuing mechanism
• Provides a simplified GUI configuration based on 7 selectable DSCP values
• Once an application is classified, the SCE ToS Marking capability provides the ability to mark traffic
  – Per Package
  – Per Service
  – Per Direction (aka Upstream/Downstream)
[Diagram: Subscriber side – SCE – Network side; upstream and downstream flows for Browsing, P2P and VoIP]

ToS Classification
• SCE provides traffic classification based on ToS bits
• ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
• The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
• DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
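Both ToS slides come down to reading and rewriting the DSCP field of the IPv4 header. The Python below is an added example (not Cisco SCE code) that does the marking per package/service/direction on a raw header, keeps the two ECN bits, recomputes the header checksum so the rewritten packet is not discarded downstream, and applies the precedence rule from the classification slide: a DSCP flavor, when one matches, wins over the signature engine's verdict. The package/service/direction table, the DSCP values and the flavor table are constructed; `1.2.3.4` is the deck's own example address.

```python
"""ToS/DSCP marking and DSCP-based classification on a raw IPv4 header
(added example, not Cisco SCE code). Marking rewrites the 6 DSCP bits,
preserves the 2 ECN bits and recomputes the header checksum; classification
reads the DSCP first and falls back to the signature verdict only when no
DSCP rule applies. The policy tables and DSCP values are constructed."""
import struct

# Constructed marking policy: (package, service, direction) -> DSCP
MARKING = {
    ("gold", "VoIP", "up"): 46, ("gold", "VoIP", "down"): 46,
    ("gold", "Browsing", "up"): 18, ("gold", "Browsing", "down"): 18,
    ("silver", "VoIP", "up"): 34, ("silver", "VoIP", "down"): 34,
    ("silver", "P2P", "up"): 8, ("silver", "P2P", "down"): 8,
}
# Constructed classification flavors: DSCP already set by another element -> service
DSCP_FLAVORS = {46: "VoIP", 34: "VoIP", 8: "P2P"}


def ipv4_checksum(hdr):
    """RFC 1071 ones-complement sum; call with the checksum field zeroed to
    compute it, or with it in place to verify (a valid header yields 0)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload_len, tos=0):
    """Minimal 20-byte header with a correct checksum (constructed packet)."""
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                                0, 0x4000, 64, proto, 0, ip(src), ip(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(hdr))
    return bytes(hdr)


def dscp_of(hdr):
    return hdr[1] >> 2


def checksum_ok(hdr):
    ihl = (hdr[0] & 0x0F) * 4
    return ipv4_checksum(hdr[:ihl]) == 0


def mark(hdr, package, service, direction):
    """Header-rewrite action: set DSCP per package/service/direction, keep ECN."""
    dscp = MARKING.get((package, service, direction))
    if dscp is None:
        return hdr                          # no rule: leave the packet untouched
    out = bytearray(hdr)
    out[1] = (dscp << 2) | (out[1] & 0x03)  # 6 DSCP bits, 2 ECN bits preserved
    struct.pack_into("!H", out, 10, 0)      # zero, then recompute the checksum
    struct.pack_into("!H", out, 10, ipv4_checksum(out))
    return bytes(out)


def classify(hdr, signature_verdict):
    """DSCP-based classification wins over the signature engine when a flavor matches."""
    return DSCP_FLAVORS.get(dscp_of(hdr), signature_verdict)


def demo():
    h = build_ipv4("1.2.3.4", "198.51.100.5", 17, 160)                   # unmarked
    marked = mark(h, "gold", "VoIP", "up")
    untouched = mark(h, "gold", "P2P", "up")                               # no rule for gold/P2P
    pre = build_ipv4("1.2.3.4", "198.51.100.6", 6, 500, tos=(8 << 2) | 0x01)  # DSCP 8, ECN 01
    remarked = mark(pre, "silver", "VoIP", "down")
    return {
        "orig_dscp": dscp_of(h), "marked_dscp": dscp_of(marked),
        "orig_ok": checksum_ok(h), "marked_ok": checksum_ok(marked),
        "untouched": untouched == h,
        "remarked_dscp": dscp_of(remarked), "ecn_kept": remarked[1] & 0x03,
        "class_dscp": classify(pre, "Browsing"),   # DSCP 8 flavor overrides the signature
        "class_sig": classify(h, "Browsing"),      # DSCP 0: fall back to the signature verdict
    }
```

`demo()` shows the rewritten header still verifying, the ECN bits surviving a re-mark, and a packet that the signature engine called "Browsing" being classified as P2P because it arrived with DSCP 8 already set.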

Summary

Cisco SCE Sample Customers
[Customer logos grouped as Mobile, DSL and Cable]

Partners and customers by solution area
• Security & Content Filtering – partners: Aladdin, Websense, Adaptive Mobile
• Policy & Billing – partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
• URL Black-listing – partners: Websense, in-platform cache
• Advertising – partners: Phorm, Feeva, Adzilla, local China, local Italy
• Customers named on the slide: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Partners and customers by solution area (continued)
• Flash Caching/Video – partners: Oversi, CDS; customers: various European and Asian operators
• Content Infringement – partners: Audible Magic, Advestigo, Altnet; customers: European legislators, content providers, initial POCs
• Management/Reporting – partners: Proxy, Business Objectives, Comability, Aqsacom, Info Vista; customers: Telecom Italia, CYTA
• Data Warehousing – partners: Business Objects, Oracle; customers: Orange, T-Mobile, Telenet
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
Subscriber Manager/RADIUS Integration – Pull
Same elements as in the push figure
1. (RADIUS) The B-RAS sends an Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) The Accounting Start is relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE device, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration/LEGs Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs feeding the SM:
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
Policy Server Integration/API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C and Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing and quota provisioning
NetFlow v9 – allows integration for billing and quota provisioning
Policy Servers Integration/Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Topology: SCE – (API) – Subscriber Manager – (API) – Policy Server
PCEF – Subscriber Policy Enforcement
Figure: GGSN (access aggregation and service control) in front of the converged packet core and the Internet; applications and services (video, VoIP); the PCEF SCE providing subscriber service control
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to a "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager/RDR Protocol
Usage data is streamed from the device using the RDR protocol: TCP, binary encoded; support for multiple destinations, failover and subscriptions
The RDR protocol can be integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Figure: the SCE sends an RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 … Field n
Collection Manager/NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; SCE supports the new extensions
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCE to SCMS Collection Manager to SCMS Reporter, and SCE to NetFlow Collector to NetFlow Reporter
Collection Manager/Software Overview
CM-Software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates)
CM-Bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selected DSCP values
Once an application has been classified, the SCE ToS marking capability can mark traffic:
– per package
– per service
– per direction (upstream/downstream)
Figure: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers
Mobile, DSL and Cable customers (logos in the original figure)
Solution areas, vendors and operators shown on the original slide:
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Vendors and partners: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China, local Italy
Operators: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Solution areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Vendors and partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle
Operators: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Example: Content Tiering – "Kids Broadband"
Application and content based access control with white-lists and blacklists:
Limits access to pre-defined web sites
Limits access to pre-approved applications
HTTP redirect to a portal
Real-time policy change
Benefits: customer loyalty and stickiness; revenue opportunity through content provider partnership
Portal page shown in the figure: "Content Blocked – Click here to unlock all Internet sites"
URL Filtering With External DB
Enhances SCE URL classification with external party databases
External database size is not constrained by the SCE
The SCE on-board cache reduces transactions to the external DB
Java-based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense & Adaptive Mobile
On-device URL filtering with external database integration: when a URL is not in the cache, the SCE sends a URL query RDR to the 3rd-party URL database, which returns the URL classification; the cache lookup is then updated
Policy table (subscriber package versus HTTP list):
Subscriber-Package   HTTP DEFAULT   HTTP List ID 1   HTTP List ID 2
Block-none           ALLOW          ALLOW            ALLOW
Block-all            ALLOW          BLOCK            BLOCK
Block-and-slow       ALLOW          BLOCK            RATE 64 kbps
Parental Control and Content Filtering/Example
Content filtering page shown in the figure: "Page Blocked – Forbidden Content Detected"
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
SPs participating in the advertising value chain
Figure: the ISP holds demographics, browsing habits and geo-location; BetterAds sits between advertiser, publisher and consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
BetterAds: Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting; the next step would be to add demographic targeting
Good for all access types: DSL, Cable, Mobile, WiFi
Value-add on top of the SCE's product offering
SPs participate in the advertising value chain
Increases ARPU through a revenue sharing model
Addresses privacy concerns through advanced opt-in/opt-out mechanisms
BetterAds – Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in the RDR records
Enhanced HTTP redirect – additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring:
1. Subscribers browse the web
2. The SCE mirrors relevant traffic to the profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits…)
Infringing/Non-Infringing P2P Identification
1. The subscriber initiates a P2P file request
2. The SCE extracts the file hash and consults the hash DB
3. The DB responds with the file classification: infringing or legal
4. The SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing/non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
The SCE analyzes OTT traffic and redirects it to the caching server
The cache delivers more bandwidth to end-users using existing network resources
The cache relieves network peering load while improving QoE
Benefits: saves on peering bandwidth; clears network congestion; increases user satisfaction
Figure: the SCE sits between the subscribers and the OTT, other OTT/P2P and VoIP traffic; the SCE redirects OTT traffic to the OTT video cache, which delivers the requested files
Increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on the SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: identify the threat using stateful traffic processing and alert SP operations
Protect: block/mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Figure: service control between the subscribers, the Internet and the email servers; example notification: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
Service Security Protection/Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
Virus and Malware Protection/Remove Malware Destined to Users
Figure: User 1 – SCE (on carrier Ethernet/MPLS/IP) – Internet, with the VAS server attached to the SCE; inbound and outbound traffic, X marks traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows matching the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point – broadband edge/aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful analysis engine with application awareness sees all packets in both directions
The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
Figure: analysis engine applying PDR (police, drop, rewrite) actions
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration: using optical splitters or port SPAN; traffic monitoring only
Inline configuration: engine installed in the data path; monitor and control traffic
Figure: subscribers – optical splitter – SCE – optical splitter – network
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 active-standby failover
The slave forwards all traffic to the master for processing
The master updates the slave with subscriber policy state information
Roles switch on failure of the master
The two SCEs must have an identical configuration
Figure: master and slave SCEs, each on an active link
Redundant Configurations/Active-Standby Schemes
1+0 (active/standby links): SCE on the active link; on failure the network uses the alternate path; no service redundancy; bypass configuration: fail open
1+1 (active/standby links): SCE on each link; on failure the network uses the alternate path; the standby SCE resumes service; bypass configuration: fail open
Figure: one active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases: in case of a major failure in the SCE SW or HW; manually via CLI; on boot
Figure: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state
MGSCP Cluster Insertion – N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 × 30 Gbps SCE8000s
High availability – provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
Figure: N+1 SCEs attached to the 7600 between the subscribers and the Internet; flows go out to an SCE and return flows come back to the data path
Network Architectures/SCE's Open & Extensible Architecture
Figure: SCEs deployed as N+1 clusters, 1+1 HA pairs and bypass HA units behind the GGSN (mobile) and BRAS/LAC/LNS (DSL/fiber), with accounting/policy control integration, towards the Internet
Tunneling Environment/SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Figure: example packet stacks (Payload/TCP/IP over L2TP or MPLS; Payload/TCP/IP over PPP)
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Figure components: Subscriber Manager; AAA (DHCP, RADIUS); Billing; Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal; Service Control Engine between the subscribers and the network
Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | NA
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2): MIB-II; proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI: Telnet/SSH, Cisco look and feel, CLI configuration wizard
Management – Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 69
URL Filtering With External DB
Enhance SCE URL classification with external party databases
External database size not constrained by SCE
SCE on-board cache reduces transaction to external db
Java based API
Can be used with commercial parental control systems or proprietary databases
Current integration is with Websense amp Adaptive Mobile
URL Notin Cache
Return URL Classification
On Device URL Filtering with External Database Integration
URL Query RDR
Cache-Lookup Update
3rd Party URL Database
Subscriber-Package HTTP
DEFAULT
HTTP -List ID 1
HTTP -List ID 2
Block-none ALLOW ALLOW ALLOW
Block-all ALLOW BLOCK BLOCK
Block-and-slow ALLOW BLOCK RATE 64kbps
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
Slide 73: BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring: sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
- Reporting HTTP click-stream info in RDR records, and anonymizing the subscriber details in those RDR records
- Enhanced HTTP redirect: additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral targeting through traffic mirroring (diagram):
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process the traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfits...)

Slide 74: Classifying P2P content into infringing / non-infringing
(Diagram: Subscriber - SCE (P2P identification) - Network, with a hash DB)
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing or legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Slide 75: Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits:
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience: OTT content is delivered from within the network, as close as possible to the user
(Diagram: OTT, other OTT/P2P and VoIP traffic pass through the SCE; the SCE redirects OTT traffic to the OTT Video Cache, which delivers the requested files; increase in demand for OTT.)
Slide 76: Service Security Challenges
Ability to identify and mitigate attacks emanating from the SP's own users.
Key challenges:
- Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
- Increased cost for the carrier from network management and downtime
- Subscriber churn and customer support costs

Slide 77: Service Security Protection
Mitigates security threats in the open broadband network:
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: the threat, using stateful traffic processing, and alert SP operations
- Protect: block/mitigate the threat based on configured policy
- Notify: quarantine the subscriber and notify them of the security risk
(Diagram: Service Control between subscribers, email servers and the Internet. Sample notification: "Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com")
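The Identify / Protect / Notify tiers on slide 77 can be shown end to end with a small detector over per-flow records. The Python below is an added illustration, not SCE code or its anomaly engine: the flow-record shape, the sliding-window threshold, the signature list and the sample traffic are all constructed. The anomaly rule exploits the fact that a legitimate mail client talks to one relay, whereas a spam zombie opens SMTP connections to many distinct hosts in a short time; the signature tier simply matches destinations against a known-bad list, and both tiers feed the same block-and-quarantine actions.

```python
"""Three-tier service security (Identify / Protect / Notify) over per-flow
records (added example, not SCE code; all thresholds and data constructed)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass
class Flow:
    ts: float          # seconds since start of capture
    subscriber: str    # Subscriber-ID as resolved by the Subscriber Manager
    dst: str           # destination IP
    dport: int         # destination TCP port


@dataclass
class Verdict:
    subscriber: str
    reason: str
    actions: List[str]


@dataclass
class SpamZombieDetector:
    """Anomaly tier: a subscriber contacting many distinct SMTP (tcp/25)
    peers inside a short window looks like a mass-mailing zombie, while a
    normal mail client talks to one relay. Signature tier: destinations on
    a known-bad list. Both feed the same Protect/Notify actions."""
    window_s: float = 60.0            # assumed window
    max_smtp_peers: int = 20          # assumed threshold
    bad_hosts: Set[str] = field(default_factory=set)
    quarantined: Set[str] = field(default_factory=set)
    _hist: Dict[str, Deque[Tuple[float, str]]] = field(
        default_factory=lambda: defaultdict(deque))

    def _protect_and_notify(self, sub: str, reason: str) -> Verdict:
        actions = ["block tcp/25 outbound"]          # Protect
        if sub not in self.quarantined:               # Notify, once per subscriber
            self.quarantined.add(sub)
            actions.append("quarantine+notify")
        return Verdict(sub, reason, actions)

    def observe(self, f: Flow) -> Optional[Verdict]:
        """Identify: returns a Verdict when the flow triggers a tier, else None."""
        if f.dst in self.bad_hosts:
            return self._protect_and_notify(f.subscriber, f"signature:{f.dst}")
        if f.dport != 25:
            return None
        hist = self._hist[f.subscriber]
        hist.append((f.ts, f.dst))
        while hist and hist[0][0] < f.ts - self.window_s:   # slide the window
            hist.popleft()
        peers = len({dst for _, dst in hist})
        if peers > self.max_smtp_peers:
            return self._protect_and_notify(
                f.subscriber, f"anomaly:{peers} smtp peers in {self.window_s:.0f}s")
        return None


def run(det: SpamZombieDetector, flows: List[Flow]) -> List[Verdict]:
    return [v for v in (det.observe(f) for f in flows) if v is not None]


def sample_flows() -> List[Flow]:
    """Constructed traffic: alice mails through one relay, bob sprays SMTP
    at 25 different hosts, carol fetches something from a listed host."""
    flows = [Flow(float(t), "alice", "198.51.100.25", 25) for t in range(30)]
    flows += [Flow(float(t), "bob", f"192.0.2.{t + 1}", 25) for t in range(25)]
    flows.append(Flow(5.0, "carol", "203.0.113.7", 80))
    return flows


if __name__ == "__main__":
    det = SpamZombieDetector(bad_hosts={"203.0.113.7"})
    for v in run(det, sample_flows()):
        print(v)
```

The first verdict for a subscriber carries both the block and the quarantine action; later verdicts only repeat the block, so the notification page is served once rather than on every flow.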
Slide 78: Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity for security add-on services
- Saving on network bandwidth

Slide 79: Virus and Malware Protection: Remove Malware Destined to Users
(Diagram: User 1 - SCE - Carrier Ethernet/MPLS/IP - Internet, with a VAS server; inbound and outbound traffic; X = traffic blocked)
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies that the subscriber's traffic flows match the Virus Protection package
3. The VAS server receives the traffic from the SCE, with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user's machine

Slide 80: Network Insertion and Configuration
Slide 81: Network Insertion Point
Typical insertion point: broadband edge/aggregation
- Directly after the subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
- Aggregation point further down the network edge
- Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
- Traffic visibility (the engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP/tunneling environment

Slide 82: Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice-versa
(Diagram: analysis engine with PDR = Police / Drop / Rewrite actions)

Slide 83: Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
- Using optical splitters / port-span
- Traffic monitoring only
Inline configuration:
- Engine installed in the data path
- Monitor and control traffic
(Diagram: Subscribers - optical splitter - SCE - optical splitter - Network)
Slide 84: High Availability: Cascading Configurations
- Addressing split-flows between the two links
- Providing 1+1 Active-Standby failover
- Slave forwards all traffic to the Master for processing
- Master updates the Slave with subscriber policy state information
- Roles switch on failure of the Master
- The two SCEs must have an identical configuration
(Diagram: Master and Slave SCEs, one on each active link)

Slide 85: Redundant Configurations: Active/Standby Schemes
1+0:
- Active/Standby: SCE on the active link
- On failure, the network uses the alternate path
- No service redundancy
- Bypass config: fail open
1+1:
- Active/Standby: SCE on each link
- On failure, the network uses the alternate path
- Standby SCE resumes service
- Bypass config: fail open
(Diagram: one active link and standby links)

Slide 86: Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000, the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
(Diagram: SCE8000 with two optical bypass modules; default bypass state (no power) and non-default bypass state; port labels 10, 30, 00, 20)
Slide 87: MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability: "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
- High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
- Technical concept:
  - The 7600 dispatches the flows to a unique port served by an SCE
  - The SCE performs the DPI functionality and returns the packets to the original data path
  - All the flows of a subscriber are dispatched to the same SCE, to maintain flow & subscriber state
(Diagram: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows and return flows)

Slide 88: Network Architectures: SCE's Open & Extensible Architecture
(Diagram: DSL/Fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN pass through SCEs in 1+1 HA, bypass HA and N+1 arrangements on the way to the Internet; accounting/policy control attached to the SCEs)

Slide 89: Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
(Diagram: packet stacks such as payload / TCP / IP / l2tp or mpls, and payload / TCP / IP / ppp)
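Slide 89 lists the encapsulations the packet inspection engine unwraps before it can see the subscriber's IP flow. The Python below is an added example of that peeling, not SCE code or Cisco's parser: it strips 802.1Q/QinQ tags and an MPLS label stack from an Ethernet frame, then follows IPv4 through IP-in-IP and L2TPv2/PPP (UDP 1701) tunnels to the innermost IPv4 header, returning the layers it crossed and the inner 5-tuple fields. The frame builders and every address are constructed for the test; GRE and GTP are left out, as the slide says they were not yet supported. The practical point for an operator is the one slide 81 makes under "traffic visibility": whatever the parser cannot reach, policy cannot act on.

```python
"""Find the inner IPv4 flow under VLAN, MPLS, IP-in-IP and L2TP/PPP
encapsulation (added example, not SCE code; frames constructed inline)."""
import struct
from typing import List, Optional, Tuple

ETH_VLAN, ETH_QINQ, ETH_MPLS, ETH_IPV4 = 0x8100, 0x88A8, 0x8847, 0x0800
Result = Tuple[List[str], int, str, str]      # (layers, proto, src, dst)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def l2tp_ppp_payload(data: bytes) -> Optional[bytes]:
    """Strip an L2TPv2 data-message header and PPP framing; IPv4 payload or None."""
    if len(data) < 6:
        return None
    flags = struct.unpack("!H", data[:2])[0]
    if (flags & 0x000F) != 2 or flags & 0x8000:   # version 2, data (not control) message
        return None
    off = 2
    if flags & 0x4000:                             # L bit: length field present
        off += 2
    off += 4                                       # tunnel ID + session ID
    if flags & 0x0800:                             # S bit: Ns/Nr present
        off += 4
    if flags & 0x0200:                             # O bit: offset size + padding
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]
    ppp = data[off:]
    if ppp[:2] == b"\xff\x03":                     # PPP address/control, if not compressed
        ppp = ppp[2:]
    if ppp[:2] != b"\x00\x21":                     # PPP protocol 0x0021 = IPv4
        return None
    return ppp[2:]


def parse_ipv4(pkt: bytes, layers: List[str]) -> Optional[Result]:
    """Parse IPv4 and recurse into IP-in-IP (proto 4) and L2TP/PPP over UDP 1701."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], _ip(pkt[12:16]), _ip(pkt[16:20])
    l4 = pkt[ihl:]
    layers = layers + ["ipv4"]
    if proto == 4:
        return parse_ipv4(l4, layers + ["ipip"])
    if proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if 1701 in (sport, dport):
            inner = l2tp_ppp_payload(l4[8:])
            if inner is not None:
                return parse_ipv4(inner, layers + ["udp", "l2tp", "ppp"])
    return layers, proto, src, dst


def inspect_frame(frame: bytes) -> Optional[Result]:
    """Peel Ethernet, 802.1Q/QinQ tags and an MPLS label stack, then parse IPv4."""
    try:
        layers, off = ["eth"], 12
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        while etype in (ETH_VLAN, ETH_QINQ):       # each tag: TPID + TCI
            layers.append("vlan")
            off += 4
            etype = struct.unpack("!H", frame[off:off + 2])[0]
        off += 2
        if etype == ETH_MPLS:
            while True:                            # pop labels down to bottom of stack
                entry = struct.unpack("!I", frame[off:off + 4])[0]
                off += 4
                layers.append("mpls")
                if entry & 0x100:                  # S bit
                    break
            if frame[off] >> 4 != 4:               # MPLS has no protocol field: peek version
                return None
        elif etype != ETH_IPV4:
            return None
        return parse_ipv4(frame[off:], layers)
    except (struct.error, IndexError):
        return None                                # truncated frame


# Constructed frame builders (checksums left zero; not verified here).
def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def l2tp_ppp(ip_packet: bytes, flags: int = 0x0002, tunnel: int = 5, session: int = 9) -> bytes:
    return struct.pack("!HHH", flags, tunnel, session) + b"\xff\x03\x00\x21" + ip_packet

def mpls(labels: List[int]) -> bytes:
    return b"".join(struct.pack("!I", (lbl << 12) | (0x100 if i == len(labels) - 1 else 0) | 64)
                    for i, lbl in enumerate(labels))

def eth(etype: int, payload: bytes, vlans: Tuple[Tuple[int, int], ...] = ()) -> bytes:
    tags = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in vlans)
    return b"\x02" * 6 + b"\x04" * 6 + tags + struct.pack("!H", etype) + payload
```

The L2TP branch is keyed on UDP port 1701, which is the slide's L2TP case; the same structure accepts an extra branch per encapsulation, and any frame that falls through returns None, which is exactly the traffic the engine would be blind to.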
Slide 90: Management and Integration

Slide 91: What does an SCE solution look like? The SCE sits at the access or aggregation layer
- Modular solution includes SCE devices, management tools and integration APIs
(Diagram: Subscribers - Service Control Engine - Network; the Subscriber Manager connects to AAA, DHCP and Radius/Billing; the Collection Manager feeds the Reporting Tool; Engage Console; Service Portal; Policy Server/Portal)

Slide 92: Management and Integrations

Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, Scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Slide 93: Network Management (FCAPS)
SNMP (v2):
- MIB-II
- Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
- Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

Slide 94: Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass

Slide 95: Signature Editor
- Customer defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Slide 96: Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
- Interactive: click on a top subscriber to activate that subscriber (real-time report)

Slide 97: Service Security Dashboard
Integrated console to manage service security functionality:
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Slide 98: Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
- Subscriber-ID: ID of the subscriber context
- Network-ID: IP addresses used to map traffic to the context
- Policy-ID: ID of the policy (package) defining the rules
- Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
- RADIUS AAA
- DHCP servers
- Policy control systems

Slide 99: Subscriber Manager - Roles
- Abstracts the SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode:
  - Push: login messages sent directly to the relevant SCE device
  - Pull: SCE device queries the SM for the mapping of IP addresses
Slide 100: Subscriber Manager: Radius Integration - Push
(Diagram: subscribers - B-RAS - network; the Cisco Subscriber Manager contains the Event Manager, the internal SDB and the SCE device controller)
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12), pushed to the SCE

Slide 101: Subscriber Manager: Radius Integration - Pull
(Diagram: same components as the push case)
1. (RADIUS) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Acct Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)

Slide 102: Radius Integration: LEG translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs feeding the SM:
- RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
- DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation:
- Login: Subscriber ID, Domain, Mappings, Lease time, Policy
- Logout: Subscriber ID, Mappings
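Slides 100 to 102 describe the same mapping twice, pushed to the SCE in one case and pulled on demand in the other. The Python below is an added model of both modes together with the RADIUS LEG translation, written from the defender's side; it is not the Cisco SM API (which ships in Java and C) or a real LEG: the accounting record layout, the default policy ID and the non-slide addresses are constructed, while the attribute names, including the SCE-VAS-PID VSA, are the ones on the slides. Two details matter for correctness of enforcement and are handled explicitly: a Stop must remove the mapping on every device, pull devices included, and a Start for an address still mapped to someone else must evict the old owner, otherwise the previous subscriber's package keeps being applied to, and billed for, another subscriber's traffic.

```python
"""Push and pull subscriber mapping between a RADIUS accounting feed, the
Subscriber Manager (SM) and SCE devices (added model, not the Cisco SM API)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

DEFAULT_POLICY = 1                # assumed package ID when the VSA is absent


@dataclass
class Login:
    subscriber: str
    ip: str
    policy: int


@dataclass
class Logout:
    subscriber: str
    ip: str


def leg_translate(rec: dict) -> Union[Login, Logout, None]:
    """RADIUS LEG: Accounting-Request -> SM login/logout event."""
    user, ip = rec["User-Name"], rec["Framed-IP-Address"]
    status = rec["Acct-Status-Type"]
    if status == "Start":
        return Login(user, ip, int(rec.get("SCE-VAS-PID", DEFAULT_POLICY)))
    if status == "Stop":
        return Logout(user, ip)
    return None                   # Interim-Update: no mapping change


class SCE:
    """Keeps only the IP -> (subscriber, policy) rows it has been told about."""
    def __init__(self, push: bool):
        self.push = push          # False = pull mode
        self.sm: Optional["SubscriberManager"] = None
        self.table: Dict[str, Tuple[str, int]] = {}
        self.queries = 0

    def on_login(self, ev: Login) -> None:
        self.table[ev.ip] = (ev.subscriber, ev.policy)

    def on_logout(self, ev: Logout) -> None:
        self.table.pop(ev.ip, None)           # invalidate in both modes

    def classify(self, src_ip: str) -> Optional[Tuple[str, int]]:
        """Map a packet's source IP to its subscriber context."""
        if src_ip in self.table:
            return self.table[src_ip]
        if self.push or self.sm is None:
            return None                       # push mode: unknown until the SM pushes it
        self.queries += 1                     # pull mode: "Who is using IP ...?"
        ans = self.sm.who_is_using(src_ip)
        if ans is not None:
            self.table[src_ip] = ans
        return ans


class SubscriberManager:
    def __init__(self) -> None:
        self.sdb: Dict[str, Tuple[str, int]] = {}   # internal SDB: ip -> (subscriber, policy)
        self.devices: List[SCE] = []

    def attach(self, sce: SCE) -> None:
        sce.sm = self
        self.devices.append(sce)

    def who_is_using(self, ip: str) -> Optional[Tuple[str, int]]:
        return self.sdb.get(ip)

    def set_subscriber(self, ev: Login) -> None:
        old = self.sdb.get(ev.ip)
        if old is not None and old[0] != ev.subscriber:
            self.remove(Logout(old[0], ev.ip))    # evict the stale owner first
        self.sdb[ev.ip] = (ev.subscriber, ev.policy)
        for sce in self.devices:
            if sce.push:
                sce.on_login(ev)

    def remove(self, ev: Logout) -> None:
        if self.sdb.get(ev.ip, ("", 0))[0] != ev.subscriber:
            return                            # late Stop for an address already reassigned
        del self.sdb[ev.ip]
        for sce in self.devices:              # logouts reach pull devices too
            sce.on_logout(ev)

    def feed(self, records) -> None:
        for rec in records:
            ev = leg_translate(rec)
            if isinstance(ev, Login):
                self.set_subscriber(ev)
            elif isinstance(ev, Logout):
                self.remove(ev)


# Constructed accounting feed; Joe's values are the ones on the slides.
ACCT_RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "Joe", "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "12"},
    {"Acct-Status-Type": "Start", "User-Name": "Ann", "Framed-IP-Address": "1.2.3.5"},
    {"Acct-Status-Type": "Stop",  "User-Name": "Joe", "Framed-IP-Address": "1.2.3.4"},
    {"Acct-Status-Type": "Start", "User-Name": "Bob", "Framed-IP-Address": "1.2.3.4", "SCE-VAS-PID": "7"},
]
```

In pull mode the SCE's first packet from an unknown address costs one SM round trip and the answer is cached, which is why the SM must still fan out logouts to pull devices: without that, a cached row would outlive the session it describes.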
Slide 103: Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API: allows direct subscriber management with the SCE (provided in Java)
- SM API: allows dynamic subscriber management (provided in C, Java)
- SCE MIB: allows integration for maintenance operations
- RDRs: allow integration for billing/quota provisioning issues
- NetFlow v9: allows integration for billing/quota provisioning cases

Slide 104: Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
(Diagram: SCE - API - Subscriber Manager - API - Policy Server)

Slide 105: PCEF - Subscriber Policy Enforcement
- SCE acting as a 3GPP PCEF
- Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
(Diagram: GGSN, access aggregation and service control, converged packet core, Internet, and applications and services such as Video/VoIP; steps 1 to 5 between the PCEF SCE and subscriber service control)

Slide 106: Gx Interface And Radius VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Slide 107: Collection Manager
- The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
- Configurable data granularity: interval between RDRs, sample rates

Slide 108: Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol: TCP, binary encoded
- Support for multiple destinations, failover and subscriptions
- RDR-Protocol integrated directly into 3rd party systems: policy-control, mediation, home grown (customer)
(Diagram: the SCE streams RDRs over TCP to a mediation/collection platform; an RDR stream is a sequence of RDRs, each consisting of a header followed by fields 0 to n)

Slide 109: Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
- Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
- SCE supports the new extensions
- Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
(Diagram: SCMS Collection Manager feeding the SCMS Reporter; NetFlow Collector feeding a NetFlow Reporter)

Slide 110: Collection Manager: Software Overview
CM-Software:
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle:
- Cisco provides collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
Slide 111: ToS Marking
- ToS marking decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
  - Per package
  - Per service
  - Per direction (aka upstream / downstream)
(Diagram: subscriber side and network side of the SCE; upstream and downstream flows for Browsing, P2P and VoIP)

Slide 112: ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
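Slides 111 and 112 describe two sides of the same field: writing DSCP per package, service and direction, and reading DSCP as a classification input that outranks signatures. The Python below is an added example of both on a raw IPv4 header, not SCE code and not its Flavor mechanism: the marking table (standard code points EF, AF41, AF21, CS1 and best effort), the DSCP-to-service table and the set of directions whose marks are trusted are constructed for the example. The rewrite keeps the two ECN bits and recomputes the header checksum, which is what a header-rewrite action has to do; the classifier only honours a mark when it arrives from a direction listed as trusted, since slide 112's assumption that "another element in the network" set the bits does not hold for a mark a subscriber's own host put on an upstream packet.

```python
"""DSCP marking and ToS-based classification on IPv4 headers
(added example, not SCE code; tables and addresses constructed)."""
import struct
from typing import Dict, FrozenSet, Tuple

# Standard DSCP code points used in the constructed marking table.
EF, AF41, AF21, CS1, BE = 46, 34, 18, 8, 0

# Constructed (package, service, direction) -> DSCP marking table.
MARKING: Dict[Tuple[str, str, str], int] = {
    ("Gold", "VoIP", "up"): EF,       ("Gold", "VoIP", "down"): EF,
    ("Gold", "Browsing", "up"): AF21, ("Gold", "Browsing", "down"): AF41,
    ("Gold", "P2P", "up"): CS1,       ("Gold", "P2P", "down"): CS1,
    ("Silver", "VoIP", "up"): AF41,   ("Silver", "VoIP", "down"): AF41,
    ("Silver", "P2P", "up"): CS1,     ("Silver", "P2P", "down"): CS1,
}
# Constructed ToS-classification table: a trusted mark maps straight to a service.
DSCP_SERVICE: Dict[int, str] = {EF: "VoIP", AF41: "Video", CS1: "P2P"}
TRUSTED_DIRECTIONS: FrozenSet[str] = frozenset({"down"})   # assumed: network side marks only


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (checksum field zeroed
    by the caller). Over a correct header including its checksum it returns 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2                          # upper 6 bits of the ToS byte


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the 2 ECN bits, recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def mark(pkt: bytes, package: str, service: str, direction: str) -> bytes:
    """Per-package, per-service, per-direction marking; untouched if no rule."""
    dscp = MARKING.get((package, service, direction))
    return pkt if dscp is None else set_dscp(pkt, dscp)


def classify(pkt: bytes, signature_service: str, direction: str,
             trusted: FrozenSet[str] = TRUSTED_DIRECTIONS) -> str:
    """DSCP classification takes precedence over the signature result, but
    only for marks arriving from a trusted direction."""
    if direction in trusted:
        return DSCP_SERVICE.get(get_dscp(pkt), signature_service)
    return signature_service


def build_ipv4(src: str, dst: str, proto: int = 6, dscp: int = BE, ecn: int = 0,
               payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, 20 + len(payload),
                                0, 0, 64, proto, 0, bytes(map(int, src.split("."))),
                                bytes(map(int, dst.split(".")))))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```

Marking and classification can be combined in either order: classify first (signature or trusted DSCP), then mark the packet for the queuing elements downstream, which is the decoupling slide 111 refers to.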
Slide 113: Summary

Slide 114: Cisco SCE Sample Customers
(Diagram: sample customer logos grouped by access type: Mobile, DSL, Cable)

Slide 115
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners and customers as listed on the slide:
- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, in-platform cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
- Phorm, Feeva, Adzilla, Local China, Local Italy
- UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom

Slide 116
Solution areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Partners and customers as listed on the slide:
- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 70
Parental Control and Content FilteringExample
Content Filtering
Page BlockedForbidden
Content Detected
Subscriber-managed parental control
Basic website blacklisting provided free of charge
Comprehensive filtering and security for a small monthly subscription
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 71
bullISP
Demographics
Browsing habits
Geo-location
BetterAds
Advertiser Publisher Consumer
Leveraging their intimacy with their customer base for enabling enhanced targeting
SPlsquos participating in the advertising value chain
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites (SCE, CM, SM, database)
- Batch management of devices/sites: apply configuration, update signatures, update software
- Common management operations: view device status, retrieve log, activate/bypass
Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
- Integrated Java-based reporting tool
- Works with Oracle, MySQL or Sybase CM backend
- Context sensitive: drill down between reports and configuration
- Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality
- View/load/edit signatures
- Configure identification thresholds
- Set up mitigation actions
- View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages subscriber contexts
- Subscriber-ID: ID of subscriber context
- Network-ID: IP addresses used to map traffic to context
- Policy-ID: ID of policy (package) defining rules
- Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA
- RADIUS AAA
- DHCP servers
- Policy control systems
Subscriber Manager - Roles
- Abstracts SCE device network layout: single point of integration
- Persists subscriber policies across logins
- Push and pull mode
  - Push: login messages sent directly to relevant SCE device
  - Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager / RADIUS Integration - Push
[Diagram: B-RAS, RADIUS server with RADIUS relay, Cisco Subscriber Manager (internal SDB, SCE device controller, event manager), SCE, subscribers on the network]
1. B-RAS sends RADIUS Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay forwards the Accounting Start to the Cisco Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Subscriber Manager pushes the login to the relevant SCE over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager / RADIUS Integration - Pull
[Diagram: same components as the push case]
1. B-RAS sends RADIUS Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay forwards the Accounting Start to the Cisco Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the Subscriber Manager: Who is using IP 1.2.3.4?
4. Subscriber Manager answers over the SM-API: Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs translation in brief
[Diagram: LEGs translate RADIUS and DHCP events into Subscriber Manager login/logout calls]
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
SM Login: Subscriber ID, Domain, Mappings, Lease time, Policy
SM Logout: Subscriber ID, Mappings
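An added example, not Cisco's SM or LEG code: a RADIUS Accounting-Request decoder feeding an in-memory subscriber database that replays the push and pull sequences above (Joe, 1.2.3.4, package 12) and the LEG login/logout translation. The vendor-type number used for SCE-VAS-PID and the packet contents are assumptions constructed for the example.

```python
import socket
import struct

ACCT_REQUEST = 4                       # RADIUS Accounting-Request code
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_NAS_ID, ATTR_ACCT_STATUS = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
# The deck names the VSA "SCE-VAS-PID" but not its vendor-type number; 250 is an
# assumed placeholder for this example, not Cisco's real assignment.
VSA_SCE_VAS_PID = 250


def parse_accounting(packet):
    """Decode the attributes a subscriber-manager LEG needs from one Accounting-Request.
    The Request-Authenticator is not checked here; a real listener must verify it with
    the shared secret, or a forged Acct-Start can re-map an IP to another policy."""
    code, _ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    attrs, off = {}, 20                # 4-byte header + 16-byte authenticator
    while off + 2 <= length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        val = packet[off + 2:off + alen]
        if atype == ATTR_USER_NAME:
            attrs["User-Name"] = val.decode("utf-8", "replace")
        elif atype == ATTR_NAS_ID:
            attrs["NAS-Identifier"] = val.decode("utf-8", "replace")
        elif atype == ATTR_FRAMED_IP and len(val) == 4:
            attrs["Framed-IP-Address"] = socket.inet_ntoa(val)
        elif atype == ATTR_ACCT_STATUS and len(val) == 4:
            attrs["Acct-Status-Type"] = struct.unpack("!I", val)[0]
        elif atype == ATTR_VSA and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            vtype, vlen = val[4], val[5]
            if vendor == CISCO_VENDOR_ID and vtype == VSA_SCE_VAS_PID and vlen == len(val) - 4:
                attrs["SCE-VAS-PID"] = int(val[6:].decode("ascii"))
        off += alen
    return attrs


class SubscriberManager:
    """In-memory stand-in for the SM's subscriber database (SDB)."""

    def __init__(self):
        self.by_ip = {}       # Network-ID (IP address) -> Subscriber-ID
        self.policy = {}      # Subscriber-ID -> Policy-ID (package)
        self.pushed = []      # SM-API calls that would go to the SCE

    def handle_accounting(self, attrs):
        """LEG translation: Acct-Start -> login (pushed), Acct-Stop -> logout."""
        sub, ip = attrs["User-Name"], attrs["Framed-IP-Address"]
        status = attrs.get("Acct-Status-Type")
        if status == ACCT_START:
            self.by_ip[ip] = sub
            # Policies persist across logins: keep the previous package unless
            # the relay supplied a new SCE-VAS-PID.
            self.policy[sub] = attrs.get("SCE-VAS-PID", self.policy.get(sub, 0))
            self.pushed.append(("set_subscriber", sub, ip, self.policy[sub]))
            return "login"
        if status == ACCT_STOP:
            if self.by_ip.get(ip) == sub:      # only the IP's owner can release it
                del self.by_ip[ip]
                self.pushed.append(("remove_mapping", sub, ip))
            return "logout"
        return "ignored"

    def who_is_using(self, ip):
        """Pull mode: the SCE asks for the subscriber and package behind an IP."""
        sub = self.by_ip.get(ip)
        return None if sub is None else (sub, ip, self.policy[sub])


def build_accounting(user, ip, status, vas_pid=None):
    """Constructed Accounting-Request (zeroed authenticator) as a B-RAS or RADIUS
    relay would send it; the relay is what adds SCE-VAS-PID."""
    body = bytes([ATTR_USER_NAME, 2 + len(user)]) + user.encode()
    body += bytes([ATTR_FRAMED_IP, 6]) + socket.inet_aton(ip)
    body += bytes([ATTR_ACCT_STATUS, 6]) + struct.pack("!I", status)
    if vas_pid is not None:
        pid = str(vas_pid).encode()
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + bytes([VSA_SCE_VAS_PID, 2 + len(pid)]) + pid
        body += bytes([ATTR_VSA, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", ACCT_REQUEST, 1, 20 + len(body)) + bytes(16) + body


def walkthrough():
    """The deck's sequence for Joe / 1.2.3.4 / package 12: push on Acct-Start,
    pull query from the SCE, then logout on Acct-Stop."""
    sm = SubscriberManager()
    login = sm.handle_accounting(parse_accounting(build_accounting("Joe", "1.2.3.4", ACCT_START, 12)))
    answer = sm.who_is_using("1.2.3.4")
    logout = sm.handle_accounting(parse_accounting(build_accounting("Joe", "1.2.3.4", ACCT_STOP)))
    return login, answer, logout, sm.who_is_using("1.2.3.4")
```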
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
- SCE API - allows direct subscriber management with the SCE (provided in Java)
- SM API - allows dynamic subscriber management (provided in C, Java)
- SCE MIB - allows integration for maintenance operation
- RDRs - allow integration for billing/quota provisioning issues
- NetFlow v9 - allows integration for billing/quota provisioning cases
Policy Servers Integration: Topology Example
- SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE - API - Subscriber Manager - API - Policy Server]
PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control), converged packet core, Internet, SCE providing subscriber service control, video/VoIP applications and services]
PCEF SCE
- SCE acting as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages; attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release
Collection Manager
- Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
- NetFlow v9 records are sent to an external NetFlow collector
- RDRs are sent to a "Collection Manager" for processing
  - Cisco bundled Collection Manager
  - Third-party database
- Configurable data granularity
  - Interval between RDRs
  - Sample rates
Collection Manager: RDR Protocol
- Usage data streamed from device using RDR protocol
  - TCP, binary encoded
  - Support for multiple destination failover subscriptions
- RDR protocol integrated directly into 3rd-party systems
  - Policy control, mediation, home-grown customer systems
[Diagram: RDR stream over TCP from the SCE to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n]
Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
  - Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  - SCE supports the new extensions
- Records equivalent to existing RDR groups
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]
Collection Manager: Software Overview
CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle
- Cisco provides collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
ToS Marking
- ToS marking decoupled from the queuing mechanism
- Provides a simplified GUI configuration based on 7 selective DSCP values
- Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  - Per package
  - Per service
  - Per direction (i.e. upstream / downstream)
[Diagram: subscriber side and network side; upstream and downstream flows for browsing, P2P and VoIP]
ToS Classification
- SCE provides traffic classification based on ToS bits
- ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
- The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
- DSCP-based classification takes precedence over other classification methods (signatures etc.) and is based on the Flavor mechanism
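As an added example (not Cisco code) for the two slides above: rewriting the DSCP of an IPv4 header per package/service/direction with the header checksum fixed up, as an inline device must do when it rewrites headers, and a classifier in which a recognised DSCP value wins over the signature engine's verdict. The marking and flavor tables are constructed values, not the product's defaults.

```python
import struct

# Constructed marking table: (package, service, direction) -> DSCP. Standard
# code points are used (EF, AF31, CS1) but the assignment is illustrative.
MARKING = {
    ("gold", "voip", "upstream"): 46,       # EF
    ("gold", "voip", "downstream"): 46,
    ("gold", "browsing", "upstream"): 26,   # AF31
    ("gold", "browsing", "downstream"): 26,
    ("silver", "p2p", "upstream"): 8,       # CS1 / scavenger
    ("silver", "p2p", "downstream"): 8,
}
# Constructed "flavor" table: a DSCP already set elsewhere in the network maps
# straight to a service; anything not listed falls through to signatures.
DSCP_FLAVORS = {46: "voip", 26: "browsing", 8: "p2p"}


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over the IPv4 header bytes (0 when valid)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def get_dscp(packet):
    """Six high bits of the ToS/DiffServ byte; the low two are ECN."""
    return packet[1] >> 2


def mark_dscp(packet, dscp):
    """Return a copy of the IPv4 packet with DSCP rewritten, ECN bits kept and
    the header checksum recomputed so the next hop does not drop the packet."""
    if not 0 <= dscp <= 63 or packet[0] >> 4 != 4:
        raise ValueError("bad DSCP or not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)       # keep ECN bits
    hdr[10:12] = b"\x00\x00"                      # zero before recomputing
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def mark_for(packet, package, service, direction):
    """Apply the per-package/service/direction marking; traffic with no entry
    is passed through untouched rather than re-marked to a default."""
    dscp = MARKING.get((package, service, direction))
    return packet if dscp is None else mark_dscp(packet, dscp)


def classify(packet, signature_match):
    """DSCP (flavor) classification takes precedence over the signature engine.
    signature_match is the service the signature engine would assign, or None."""
    service = DSCP_FLAVORS.get(get_dscp(packet))
    if service is not None:
        return service, "dscp"
    return (signature_match or "unknown"), "signature"


def sample_packet():
    """Constructed IPv4/TCP packet, DSCP 0, with a valid header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                                bytes([10, 1, 2, 3]), bytes([203, 0, 113, 9])))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + struct.pack("!HH", 51000, 5060) + bytes(16)
```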
Summary
Cisco SCE Sample Customers
[Customer logo grid grouped by access type: Mobile, DSL, Cable]
[Partner and customer matrix by solution area: Security & Content Filtering, Policy & Billing, URL Black-listing, Advertising. Vendors named: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China and local Italy players. Operators named: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom]
[Partner and customer matrix by solution area: Flash Caching/Video, Content Infringement, Management/Reporting, Data Warehousing. Vendors named: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, Info Vista; Business Objects, Oracle. Customers named: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet]
SPs participating in the advertising value chain
Leveraging their intimacy with their customer base for enabling enhanced targeting
[Diagram: ISP holds demographics, browsing habits and geo-location; BetterAds sits between advertiser, publisher and consumer]
BetterAds: Cisco SCE Targeted Advertising Solution
- Initially focusing on behavioral targeting
- Next step would be to add demographic targeting
- Good for all access types: DSL, Cable, Mobile, WiFi
- Value-add on top of the SCE's product offering
- SPs participating in the advertising value chain
- Increase ARPU through a revenue sharing model
- Addressing privacy concerns through advanced Opt-in/Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising:
- Traffic mirroring - sending a copy of selected HTTP traffic to a 3rd-party server using VLAN marking
- Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
- Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1. Subscribers browse the web
2. SCE mirrors relevant traffic to profiling servers
3. Profiling servers process traffic, extract relevant attributes and compose subscriber profiles (e.g. Alice: automotive, stock trading, PDAs; Bob: cookware, online gaming, baby outfit ...)
P2P Identification: Infringing / Non-Infringing
[Diagram: subscriber - SCE - network, with an external hash DB]
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the hash DB
3. DB responds with the file classification (infringing / legal)
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
- Classifying P2P content into infringing / non-infringing
- Identifying and reporting infringing material per the SP's policy
- Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
- Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
- SCE analyzes and redirects OTT traffic to the caching server
- Cache delivers more bandwidth to end-users using existing network resources
- Cache relieves network peering load while improving QoE
Benefits
- Saves on peering bandwidth
- Clears network congestion
- Increases user satisfaction
- Best user experience - OTT content is delivered from within the network, as close as possible to the user
[Diagram: SCE between subscribers and the Internet (OTT, other OTT, P2P, VoIP); SCE redirects OTT traffic to the OTT video cache, which delivers the requested files; increase in demand for OTT]
Service Security Challenges
Key challenges
- Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
- No mandatory security tools: end-users may not have any security protection
- End-users are not educated on security best practices
- New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
- Increased cost for carrier from network management and downtime
- Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
- DoS: DoS attacks from subscribers
- Spam: spam activity from botnets or malicious users
- Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
- Identify: threat, using stateful traffic processing, and alert SP operations
- Protect: block/mitigate threat based on configured policy
- Notify: quarantine subscriber and notify of security risk
[Diagram: Service Control between subscribers and the Internet / e-mail servers; sample notification to the subscriber: "Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"]
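An added example, not the SCE's detection engine: a small identify/protect/notify pipeline over constructed per-subscriber flow records covering the three threat classes above. The identification thresholds and the mitigation actions are constructed policy values standing in for what the dashboard would let an operator configure.

```python
from collections import defaultdict

# Identification thresholds for one analysis window (constructed values; the
# dashboard lets the operator tune these per network).
THRESHOLDS = {
    "spam": {"port": 25, "distinct_dsts": 20},         # mail sent to many servers
    "worm": {"distinct_dsts": 50, "max_bytes": 200},   # tiny probes, many hosts, one port
    "dos": {"single_dst_flows": 500},                  # flood aimed at one destination
}
# Mitigation actions per threat, i.e. the "configured policy" (constructed).
POLICY = {
    "spam": {"protect": "block-port-25", "notify": True},
    "worm": {"protect": "quarantine", "notify": True},
    "dos": {"protect": "rate-limit", "notify": False},
}


def identify(flows):
    """Tier 1: anomaly detection over per-subscriber flow records.

    flows: iterable of (subscriber_id, dst_ip, dst_port, bytes) for one window.
    Returns {subscriber_id: [threat, ...]} for subscribers crossing a threshold.
    """
    smtp_dsts = defaultdict(set)                        # sub -> mail servers contacted
    probes = defaultdict(lambda: defaultdict(set))     # sub -> port -> hosts probed
    per_dst = defaultdict(lambda: defaultdict(int))    # sub -> dst -> flow count
    for sub, dst, port, nbytes in flows:
        if port == THRESHOLDS["spam"]["port"]:
            smtp_dsts[sub].add(dst)
        if nbytes <= THRESHOLDS["worm"]["max_bytes"]:
            probes[sub][port].add(dst)
        per_dst[sub][dst] += 1
    findings = {}
    for sub in per_dst:                                 # every subscriber seen
        threats = []
        if len(smtp_dsts[sub]) >= THRESHOLDS["spam"]["distinct_dsts"]:
            threats.append("spam")
        if probes[sub] and max(len(h) for h in probes[sub].values()) >= THRESHOLDS["worm"]["distinct_dsts"]:
            threats.append("worm")
        if max(per_dst[sub].values()) >= THRESHOLDS["dos"]["single_dst_flows"]:
            threats.append("dos")
        if threats:
            findings[sub] = threats
    return findings


def respond(findings):
    """Tiers 2 and 3: for each finding, alert operations (identify), apply the
    configured mitigation (protect) and, where policy says so, quarantine and
    notify the subscriber (notify). Returns the ordered action list."""
    actions = []
    for sub, threats in sorted(findings.items()):
        for threat in threats:
            actions.append(("alert-ops", sub, threat))
            actions.append((POLICY[threat]["protect"], sub, threat))
            if POLICY[threat]["notify"]:
                actions.append(("notify-subscriber", sub, threat))
    return actions


def sample_flows():
    """Constructed window: sub-17 talks to 25 mail servers (spam), sub-42 sends
    tiny probes to 60 hosts on port 445 (worm), sub-99 browses normally."""
    flows = [("sub-17", "198.51.100.%d" % i, 25, 4000) for i in range(25)]
    flows += [("sub-42", "10.9.%d.%d" % (i // 256, i % 256), 445, 60) for i in range(60)]
    flows += [("sub-99", "203.0.113.7", 443, 120000)] * 5
    return flows


if __name__ == "__main__":
    for action in respond(identify(sample_flows())):
        print(action)
```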
Service Security Protection: Value to the Service Provider
- Reduce administrative costs during outbreaks
- Limit subscriber infection to reduce call center load
- Increase customer loyalty and reduce churn
- Upsell opportunity of security add-on services
- Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1 - SCE - carrier Ethernet/MPLS/IP - Internet, with a VAS server attached to the SCE; inbound and outbound traffic, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or download a file from a website or peer application
2. The SCE identifies subscriber traffic flows that match the Virus Protection package
3. The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user machine
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - broadband edge/aggregation
- Directly after subscriber-aggregator (B-RAS, CMTS, retail LNS)
- Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
- Traffic visibility (engine must see all traffic it needs to control)
- Network interfaces
- Split-flow
- Network redundancy
- IP/tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
- Stateful analysis engine with application awareness sees all packets in both directions
- The SCE analysis engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
- Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: analysis engine applying PDR (police, drop, rewrite) actions in the data path]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
- Using optical splitters / port-span
- Traffic monitoring only
Inline configuration
- Engine installed in data-path
- Monitor and control traffic
[Diagram: SCE between subscribers and network, fed through optical splitters in the receive-only case]
High Availability Cascading Configurations
- Addressing split flows between the two links
- Providing 1+1 active-standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each active link, cascaded]
Redundant Configurations: Active/Standby Schemes
1+0
- Active/Standby: SCE on active link
- On failure network uses alternate path
- No service redundancy
- Bypass config: fail open
1+1
- Active/Standby: SCE on each link
- On failure network uses alternate path
- Standby SCE resumes service
- Bypass config: fail open
[Diagram: active and standby links for each scheme]
Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000 the optical bypass modules are activated in the following cases:
  - In case of a major failure in the SCE SW or HW
  - Manually via CLI
  - On boot
[Diagram: SCE8000 with optical bypass modules on its links; default bypass state (no power) versus non-default bypass state]
MGSCP Cluster Insertion - N+1 SCEs
- Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
- Scalability - "buy as you grow" approach (add SCE as needed) for scaling up to 240 Gbps with eight 30 Gbps SCE8000s
- High availability - provides N+1 device-level high availability addressing ALL failure scenarios
- Technical concept: the 7600 dispatches the flows to a unique port served by a SCE
  - The SCE performs DPI functionality and returns the packets to the original data path
  - All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
[Diagram: 7600 between the Internet and N+1 SCEs; flows and return flows]
Network Architectures: SCE's Open & Extensible Architecture
[Diagram: SCE deployment options (1+1 HA, bypass HA, N+1 cluster) between the access side (GGSN for mobile; BRAS/LAC/LNS for DSL/fiber) and the Internet, with accounting/policy control systems attached]
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 72
BetterAds Cisco SCE Targeted Advertising Solution
Initially focusing on behavioral targeting
Next step would be to add demographic targeting
Good for all access types DSL Cable Mobile WiFi
Value-add on top of the SCErsquos product offering
SPs to participating in the advertising value chain
Increase ARPU through a revenue sharing model
Addressing privacy concerns through advanced Opt-in Opt-out mechanisms
BetterAds - Behavioral Targeted Advertising
Arsenal of tools for behavioral targeted advertising
Traffic mirroring – sending a copy of selected HTTP traffic to a 3rd party server using VLAN marking
Reporting HTTP click-stream info in RDR records and anonymizing the subscriber details in RDR records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
Behavioral Targeting through Traffic Mirroring
1 Subscribers browse the web
2 SCE mirrors relevant traffic to profiling servers
3 Profiling servers process traffic, extract relevant attributes and compose subscriber profiles
Alice: automotive, stock trading, PDAs
Bob: cookware, online gaming, baby outfit…
Infringing / Non-Infringing P2P Identification
1 Subscriber initiates a P2P file request
2 SCE extracts the file hash and consults the hash DB
3 DB responds with the file classification: infringing / legal
4 SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Diagram: SCE between the subscribers and the Internet; OTT traffic is redirected to the OTT Video Cache, which delivers the requested files, while other OTT, P2P and VoIP traffic passes through
Increase in demand for OTT
Best user experience – OTT content is delivered from within the network, as close as possible to the user
Service Security Challenges
Key challenges
Open access: SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to identify and mitigate attacks emanating from its own users
Service Security Protection
Mitigates security threats in the open broadband network
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify: threat using stateful traffic processing, and alert SP operations
Protect: block/mitigate threat based on configured policy
Notify: quarantine subscriber and notify of security risk
Diagram: Service Control between the subscribers, the email servers and the Internet, with the sample notification page:
"Dear Valued Subscriber, We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
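The Identify / Protect / Notify cycle described on this slide, as an added example that is not Cisco's code: constructed per-subscriber flow records are aggregated statefully, compared against assumed identification thresholds (the kind set in the Service Security Dashboard), mapped to an assumed mitigation policy, and quarantined subscribers receive the notification. The record layout, thresholds and policy table are assumptions.

```python
"""Added example (not Cisco's code): the Identify / Protect / Notify cycle
from the Service Security Protection slide, run over constructed flow
records. Record layout, thresholds and the policy table are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    subscriber: str      # Subscriber-ID as assigned by the Subscriber Manager
    dst_ip: str
    dst_port: int
    packets: int         # packets sent by the subscriber in this flow


# Identification thresholds (assumed values). Spam and worm are "too many
# distinct destinations on one port"; DoS is "too many packets to one host".
DISTINCT_DST_THRESHOLDS = {
    "spam": {"port": 25, "max_distinct_dst": 20},    # mass mailing to many MTAs
    "worm": {"port": 445, "max_distinct_dst": 50},   # propagation scan
}
DOS_MAX_PACKETS_TO_ONE_DST = 10_000

# Configured mitigation policy per threat (assumed).
POLICY = {
    "spam": {"action": "block-port", "quarantine": True},
    "worm": {"action": "block-port", "quarantine": True},
    "dos": {"action": "rate-limit", "quarantine": False},
}

NOTICE = ("Dear Valued Subscriber, we are advising you that your PC may have "
          "become infected ({threat} activity was detected). Click here for "
          "technical assistance.")


def identify(flows):
    """Tier 1: stateful aggregation per subscriber, then threshold checks."""
    distinct_dst = defaultdict(set)   # (subscriber, port) -> destination IPs
    packets_to = defaultdict(int)     # (subscriber, dst_ip) -> packets
    for f in flows:
        distinct_dst[(f.subscriber, f.dst_port)].add(f.dst_ip)
        packets_to[(f.subscriber, f.dst_ip)] += f.packets
    alerts = []
    for threat, t in DISTINCT_DST_THRESHOLDS.items():
        for (sub, port), ips in sorted(distinct_dst.items()):
            if port == t["port"] and len(ips) > t["max_distinct_dst"]:
                alerts.append({"subscriber": sub, "threat": threat, "count": len(ips)})
    for (sub, ip), n in sorted(packets_to.items()):
        if n > DOS_MAX_PACKETS_TO_ONE_DST:
            alerts.append({"subscriber": sub, "threat": "dos", "target": ip, "count": n})
    return alerts


def protect(alert):
    """Tier 2: turn an alert into the configured enforcement action."""
    policy = POLICY[alert["threat"]]
    return {"subscriber": alert["subscriber"], "threat": alert["threat"],
            "action": policy["action"], "quarantine": policy["quarantine"]}


def notify(action):
    """Tier 3: quarantined subscribers are redirected to a notification page."""
    if not action["quarantine"]:
        return None
    return {"subscriber": action["subscriber"],
            "message": NOTICE.format(threat=action["threat"])}


def run_pipeline(flows):
    alerts = identify(flows)
    actions = [protect(a) for a in alerts]
    notices = [n for n in (notify(a) for a in actions) if n]
    return alerts, actions, notices


def sample_flows():
    """Constructed traffic: 'bob' mails 25 distinct servers (spam pattern),
    'alice' mails one server three times, 'carol' floods one host."""
    flows = [Flow("bob", f"203.0.113.{i}", 25, 3) for i in range(1, 26)]
    flows += [Flow("alice", "203.0.113.1", 25, 5) for _ in range(3)]
    flows += [Flow("carol", "198.51.100.9", 80, 12_000)]
    return flows


if __name__ == "__main__":
    for item in run_pipeline(sample_flows()):
        print(item)
```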
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity of security add-on services
Saving on network bandwidth
Virus and Malware Protection: Remove Malware Destined to Users
1 Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2 The SCE identifies subscriber traffic flows matching the Virus Protection Package
3 The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
4 The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine
Diagram: User 1, the SCE and the VAS server on the Carrier Ethernet / MPLS / IP network towards the Internet, with inbound and outbound traffic; X marks traffic blocked
Network Insertion and Configuration
Network Insertion Point
Typical insertion point - Broadband Edge / Aggregation
Directly after subscriber-aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP / Tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice-versa
Diagram: Analysis Engine applying PDR (Police, Drop, Rewrite) actions between the subscriber-side and network-side interfaces
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port-span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
Diagram: SCE between subscribers and network, fed through optical splitters in the receive-only case
High Availability Cascading Configurations
Addressing split-flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs cascaded, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby SCE on active link
On failure, network uses alternate path
No service redundancy
Bypass config: fail opened
1+1
Active/Standby SCE on each link
On failure, network uses alternate path
Standby SCE resumes service
Bypass config: fail opened
Diagram: active link with standby link(s) for each scheme
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Diagram: SCE8000 with two optical bypass modules, showing the default bypass state (no power) and the non-default bypass state
MGSCP Cluster Insertion – N+1 SCEs
Very cost-effective DPI processing of 10s and 100s Gbps of traffic
Scalability – "buy as you grow" approach (add SCE as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability – provides N+1 device-level high availability addressing ALL failure scenarios
Technical concept
7600 dispatches the flows to a unique port served by an SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow & subscriber states
Diagram: 7600 dispatching flows to the N+1 SCEs, which return them towards the Internet
Network Architectures: SCE's Open & Extensible Architecture
Diagram: SCEs deployed in N+1, 1+1 HA and bypass HA configurations behind the GGSN (Mobile) and the BRAS / LAC / LNS (DSL / Fiber) aggregation, integrated with accounting / policy control, towards the Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques including
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Diagram: packet inspection reaches the IP / TCP / payload carried inside L2TP, MPLS and PPP encapsulations
Management and Integration
What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Diagram: Service Control Engine between the subscribers and the network; Subscriber Manager integrated with AAA, DHCP, RADIUS and billing; Collection Manager feeding the reporting tool; Engage console; policy server and service portal
Management and Integrations
Network Management: FCAPS; protocols and tools: SNMP, CLI, SSH; external software module: N/A
Policy/Service Configuration: definition of policies and dissemination to SE devices; protocols and tools: SCA-API, GUI, scripts, XML; external software module: Service Control Application Suite GUI
Subscriber Management: dynamic management of subscriber contexts; protocols and tools: SM API, RADIUS; external software module: Subscriber Manager
Data Collection: collection of usage data for reporting and billing; protocols and tools: NetFlow v9, RDR-Protocol; external software module: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices / sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate bypass
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the subscriber real-time report
Service Security Dashboard
Integrated console to manage service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point for "subscriber-aware" solutions
Manages subscriber-contexts
Subscriber-ID: ID of subscriber-context
Network-ID: IP addresses used to map traffic to context
Policy-ID: ID of policy (package) defining rules
Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA
RADIUS AAA
DHCP servers
Policy Control Systems
Subscriber Manager – Roles
Abstracts SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages sent directly to relevant SCE device
Pull: SCE device queries SM for mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
Diagram: subscribers attach through the B-RAS on the network; the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller) receives the relayed RADIUS accounting and pushes the mapping to the SCE
1 (RADIUS) Acct-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2 (RADIUS relay) Acct-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3 (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE
Subscriber Manager: RADIUS Integration - Pull
Diagram: as in the push case, but the SCE queries the SM when it sees traffic from an unknown IP
1 (RADIUS) Acct-Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2 (RADIUS relay) Acct-Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3 Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4 (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM login events (subscriber ID, domain, mappings, lease time, policy) and logout events (subscriber ID, mappings)
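The push and pull flows on the two preceding slides and the LEG translation above, as an added example that is not Cisco's code: a constructed RADIUS Accounting-Request is checked (length and RFC 2866 Request Authenticator), its attributes walked, the Acct-Start turned into an SM login event whose mapping is pushed to the SCE, and an Acct-Stop into a logout; the pull-mode "who is using IP x" query reads the same table. The shared secret, packet bytes and the vendor-specific encoding of SCE-VAS-PID (Cisco vendor id 9, vendor type 1) are assumptions.

```python
"""Added example (not Cisco's code): what a RADIUS LEG does with an
Accounting-Request on the way to the Subscriber Manager. Packet bytes are
constructed; the SCE-VAS-PID vendor attribute (Cisco vendor id 9, vendor
type 1) is a hypothetical encoding."""
import hashlib
import ipaddress
import struct

ACCT_REQUEST = 4                                       # RADIUS code (RFC 2866)
USER_NAME, FRAMED_IP, VSA, ACCT_STATUS = 1, 8, 26, 40  # attribute types
ACCT_START, ACCT_STOP = 1, 2                           # Acct-Status-Type values
CISCO_VENDOR_ID, VSA_SCE_VAS_PID = 9, 1                # vendor type is assumed
SECRET = b"constructed-shared-secret"


def attr(t, value):
    """One RADIUS attribute TLV: type, length including header, value."""
    return bytes([t, len(value) + 2]) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): vendor id, then a vendor type/length/value triple."""
    inner = bytes([vendor_type, len(value) + 2]) + value
    return attr(VSA, struct.pack("!I", vendor_id) + inner)


def acct_request(status, user, ip, pid, secret, ident=0x2A):
    """Accounting-Request as the RADIUS relay sends it (with the PID added)."""
    body = (attr(ACCT_STATUS, struct.pack("!I", status))
            + attr(USER_NAME, user.encode())
            + attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed)
            + vsa(CISCO_VENDOR_ID, VSA_SCE_VAS_PID, struct.pack("!I", pid)))
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    # RFC 2866 Request Authenticator: MD5 over header, 16 zero octets, body, secret
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def parse(packet, secret):
    """Check length and Request Authenticator, then walk the attribute TLVs."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Request Authenticator: wrong secret or tampered")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + l]
        if t == VSA:                      # key VSAs by (26, vendor id, vendor type)
            vendor = struct.unpack("!I", value[:4])[0]
            attrs[(VSA, vendor, value[4])] = value[6:value[5] + 4]
        else:
            attrs[t] = value
        pos += l
    return attrs


def leg_translate(packet, secret):
    """RADIUS LEG: Acct-Start -> login event, Acct-Stop -> logout event."""
    a = parse(packet, secret)
    status = struct.unpack("!I", a[ACCT_STATUS])[0]
    sub_id = a[USER_NAME].decode()
    ip = str(ipaddress.IPv4Address(a[FRAMED_IP]))
    if status == ACCT_START:
        pid = struct.unpack("!I", a[(VSA, CISCO_VENDOR_ID, VSA_SCE_VAS_PID)])[0]
        return {"event": "login", "subscriber_id": sub_id, "mappings": [ip], "policy": pid}
    if status == ACCT_STOP:
        return {"event": "logout", "subscriber_id": sub_id, "mappings": [ip]}
    raise ValueError("unsupported Acct-Status-Type")


class SubscriberManager:
    """Internal SDB keyed by Network-ID (IP) -> (Subscriber-ID, Policy-ID)."""

    def __init__(self):
        self.sdb = {}
        self.pushed = []   # Set Subscriber calls sent to the SCE (push mode)

    def apply(self, event):
        for ip in event["mappings"]:
            if event["event"] == "login":
                self.sdb[ip] = (event["subscriber_id"], event["policy"])
                self.pushed.append(("set_subscriber", event["subscriber_id"], ip, event["policy"]))
            else:
                self.sdb.pop(ip, None)

    def who_is_using(self, ip):
        """Pull mode: the SCE asks which subscriber an IP it sees belongs to."""
        return self.sdb.get(ip)


def demo():
    sm = SubscriberManager()
    sm.apply(leg_translate(acct_request(ACCT_START, "Joe", "1.2.3.4", 12, SECRET), SECRET))
    while_logged_in = sm.who_is_using("1.2.3.4")   # ('Joe', 12)
    sm.apply(leg_translate(acct_request(ACCT_STOP, "Joe", "1.2.3.4", 12, SECRET), SECRET))
    return while_logged_in, sm.who_is_using("1.2.3.4"), sm.pushed


if __name__ == "__main__":
    print(demo())
```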
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operation
RDRs – allows integration for billing / quota provisioning issues
NetFlow v9 - allows integration for billing / quota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: policy server integrated via API with the Subscriber Manager, which integrates via API with the SCE
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Diagram: subscribers reach the GGSN (access aggregation and service control) and the SCE acting as PCEF in the converged packet core, then the Internet; the PCEF / SCE consults the PCRF for subscriber service control; video / VoIP applications and services
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records sent to external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from device using RDR Protocol
TCP, binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-control, mediation, home grown customer
Diagram: RDR stream over TCP from the SCE to the mediation / collection platform; each RDR consists of a header followed by fields 0, 1, … n
Collection Manager: NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
Diagram: SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow collector (NetFlow reporter)
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
– per package
– per service
– per direction (aka upstream / downstream)
Diagram: browsing, P2P and VoIP flows marked on the subscriber side (upstream flows) and on the network side (downstream flows)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
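The ToS marking and ToS classification of the two slides above, as an added example that is not Cisco's code: a per-package, per-service, per-direction table selects one of seven DSCP values, the rewrite of the IPv4 ToS byte keeps the two ECN bits and recomputes the header checksum (which any in-path header rewrite must do), and a DSCP already set by another element is classified ahead of the signature result. The DSCP table, the marking policy, the flavor table and the IPv4 header are constructed assumptions.

```python
"""Added example (not Cisco's code): ToS marking and ToS classification on
a constructed IPv4 header. The (package, service, direction) -> DSCP table
and the flavor table stand in for the SCE GUI configuration and are
assumptions; the rewrite keeps the ECN bits and recomputes the checksum."""
import ipaddress
import struct

# Seven selective DSCP values (the choice of the seven is assumed).
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "AF21": 18, "AF11": 10, "CS1": 8, "BE": 0}

# Marking policy per package, service and direction (constructed).
MARKING = {
    ("gold", "voip", "upstream"): "EF",
    ("gold", "voip", "downstream"): "EF",
    ("gold", "browsing", "downstream"): "AF21",
    ("silver", "browsing", "downstream"): "AF11",
    ("silver", "p2p", "upstream"): "CS1",
    ("silver", "p2p", "downstream"): "CS1",
}

# ToS classification flavors: a DSCP set by another network element maps
# straight to a service level, ahead of signature-based classification.
TOS_FLAVORS = {46: "voice-priority", 8: "scavenger"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum.
    Over a header that already carries a valid checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int = 0, proto: int = 6,
                      payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                         0x1234, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def dscp_of(header: bytes) -> int:
    """DSCP is the upper six bits of the ToS byte; the low two are ECN."""
    return header[1] >> 2


def mark_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the DSCP, preserve the ECN bits, recompute the checksum."""
    h = bytearray(header)
    h[1] = (dscp << 2) | (h[1] & 0x03)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def apply_marking(header: bytes, package: str, service: str, direction: str) -> bytes:
    """Per-package, per-service, per-direction marking; unmatched -> best effort."""
    return mark_dscp(header, DSCP[MARKING.get((package, service, direction), "BE")])


def classify(header: bytes, signature_service: str) -> str:
    """DSCP-based classification takes precedence over the signature result."""
    return TOS_FLAVORS.get(dscp_of(header), signature_service)


if __name__ == "__main__":
    hdr = build_ipv4_header("10.0.0.1", "203.0.113.5", tos=0x01)  # ECN bit set
    marked = apply_marking(hdr, "gold", "voip", "upstream")
    print(dscp_of(marked), marked[1] & 0x03, ipv4_checksum(marked),
          classify(marked, "browsing"))
```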
Summary
Cisco SCE Sample Customers
Diagram: customer logos grouped by access type: Mobile, DSL, Cable
Partner and customer logos by solution area
Security & Content Filtering: Aladdin, Websense, Adaptive Mobile
Policy & Billing: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing: Websense, in-platform cache
Advertising: Phorm, Feeva, Adzilla, local China, local Italy
Operators shown: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching / Video: Oversi, CDS
Content Infringement: Audible Magic, Advestigo, Altnet
Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing: Business Objects, Oracle
Operators shown: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 73
BetterAds - Behavioral Targeted Advertizing
Arsenal of tools for Behavioral Targeted AdvertizingTraffic mirroring ndash sending to a 3rd party server a copy of selected HTTP traffic using VLAN marking
Reporting HTTP click-stream info in RDR records and Anonyimizing the subscriber details in RDRs records
Enhanced HTTP redirect - additional parameters in the redirected message for inserting interstitials in WiFi
3Profiling servers process traffic extract relevant attributes and compose subscriber profiles
bull Alice automotive stock trading PDAs
bull Bob cookware online gaming baby outfithellip
2SCE mirrors relevant traffic to profiling servers
1 Subscribers browse web
Behavioral Targeting through Traffic Mirroring
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 74
SubscriberNetwork
HASH DB
DB responds with file classification
Infringing legal
SCE acts based on file classification- Lets request pass for legal file- Block redirect rate-limit for infringing file
Infringing Non-InfringingP2P Identification
Subscriber initiates P2P file request
1
SCE extracts file hash and consults DB
23
4
Classifying P2P content into infringing non-infringing
Identifying and reporting infringing material per the SPlsquos policy
Using the detection and blocking to up-sell a legal copy of the
original request or a subscription to the SPlsquos Content store
Using the information to de-prioritize or control infringing material
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 100
Subscriber Manager / RADIUS Integration - Push
Figure components: B-RAS, Network, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller), Subscribers
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 101
Subscriber Manager / RADIUS Integration - Pull
Figure components: B-RAS, Network, Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller), Subscribers
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 102
RADIUS Integration / LEGs translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs feeding the SM: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs feeding the SM: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
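The push and pull exchanges and the LEG translation table above, as an added example (not Cisco's code): a small RADIUS LEG in Python that checks the Accounting-Request authenticator against the NAS shared secret before touching the subscriber database, turns Acct Start into an SM login (Subscriber ID from User-Name, mapping from Framed-IP-Address, policy from a vendor-specific attribute) and Acct Stop into a logout, and answers the pull-mode "who is using IP 1.2.3.4?" query. The vendor id and sub-type used for SCE-VAS-PID, the shared secret and the subscriber values are assumptions or constructed for the example.

```python
# Added example (not Cisco code): RADIUS LEG -> Subscriber Manager translation.
import hashlib
import struct

# Standard RADIUS code and attribute types (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
# The slide's SCE-VAS-PID is carried as a Vendor-Specific attribute; the vendor id
# and sub-type here are assumptions for the example, not Cisco's real values.
DEMO_VENDOR_ID, DEMO_VSA_PID = 9, 1
SHARED_SECRET = b"demo-shared-secret"  # constructed; per-NAS in a real deployment


def build_acct_request(ident, secret, attrs):
    """Accounting-Request whose Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def verify_acct_request(pkt, secret):
    """Recompute the authenticator: a sender without the secret cannot forge it."""
    head, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    code, _, length = struct.unpack("!BBH", head)
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    return hashlib.md5(head + bytes(16) + body + secret).digest() == auth


def parse_attrs(body):
    # Walk the Type/Length/Value list, rejecting lengths that run past the packet.
    out = []
    while body:
        ln = body[1] if len(body) > 1 else 0
        if ln < 2 or ln > len(body):
            raise ValueError("malformed RADIUS attribute")
        out.append((body[0], body[2:ln]))
        body = body[ln:]
    return out


class SubscriberManager:
    # Stand-in for the SM's internal SDB: subscriber context by ID and by IP.
    def __init__(self):
        self.by_id, self.by_ip = {}, {}

    def login(self, sub_id, ip, policy_id):
        self.logout(sub_id)  # a re-login replaces the previous mapping
        self.by_id[sub_id] = {"ip": ip, "policy": policy_id}
        self.by_ip[ip] = sub_id

    def logout(self, sub_id):
        ctx = self.by_id.pop(sub_id, None)
        if ctx:
            self.by_ip.pop(ctx["ip"], None)

    def lookup_ip(self, ip):
        # Pull mode: the SCE asks which subscriber and policy own an IP.
        sub_id = self.by_ip.get(ip)
        return (sub_id, self.by_id[sub_id]["policy"]) if sub_id else None


def radius_leg(sm, pkt, secret):
    """LEG translation: Acct Start -> login (ID, mapping, policy); Acct Stop -> logout."""
    if not verify_acct_request(pkt, secret):
        return "dropped: bad authenticator"
    user = ip = status = None
    policy = 0
    for t, v in parse_attrs(pkt[20:]):
        if t == USER_NAME:
            user = v.decode()
        elif t == FRAMED_IP_ADDRESS:
            ip = ".".join(str(b) for b in v)
        elif t == ACCT_STATUS_TYPE:
            status = struct.unpack("!I", v)[0]
        elif t == VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == DEMO_VENDOR_ID:
            sub = v[4:]  # vendor type, vendor length, data
            if len(sub) >= 2 and sub[0] == DEMO_VSA_PID:
                policy = struct.unpack("!I", sub[2:sub[1]])[0]
    if status == ACCT_START and user and ip:
        sm.login(user, ip, policy)
        return f"login {user} {ip} pid={policy}"
    if status == ACCT_STOP and user:
        sm.logout(user)
        return f"logout {user}"
    return "ignored"


def demo():
    # Replays the slide's Joe / 1.2.3.4 / PID 12 exchange, then a forged packet and a logout.
    sm = SubscriberManager()
    pid_vsa = struct.pack("!IBB", DEMO_VENDOR_ID, DEMO_VSA_PID, 6) + struct.pack("!I", 12)
    start = build_acct_request(1, SHARED_SECRET, [
        (USER_NAME, b"Joe"), (FRAMED_IP_ADDRESS, bytes([1, 2, 3, 4])),
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)), (VENDOR_SPECIFIC, pid_vsa)])
    r_login = radius_leg(sm, start, SHARED_SECRET)
    who = sm.lookup_ip("1.2.3.4")
    forged = start[:-1] + bytes([start[-1] ^ 0xFF])  # PID tampered: authenticator no longer matches
    r_forged = radius_leg(sm, forged, SHARED_SECRET)
    stop = build_acct_request(2, SHARED_SECRET, [
        (USER_NAME, b"Joe"), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))])
    r_logout = radius_leg(sm, stop, SHARED_SECRET)
    return r_login, who, r_forged, r_logout, sm.lookup_ip("1.2.3.4")
```

The authenticator check is the security-relevant line: an accounting packet that is accepted without it could remap a subscriber's IP to another policy, so the LEG drops anything it cannot verify before the SDB is written. A pull lookup for an IP with no context returns None, which the SCE has to treat as an unmapped subscriber rather than silently applying a default package.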
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 103
Policy Server Integration / API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API - allows direct subscriber management with the SCE (provided in Java)
SM API - allows dynamic subscriber management (provided in C, Java)
SCE MIB - allows integration for maintenance operations
RDRs - allow integration for billing/quota provisioning issues
NetFlow v9 - allows integration for billing/quota provisioning cases
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 104
Policy Servers Integration / Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: Policy Server - API - Subscriber Manager - API - SCE
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 105
PCEF - Subscriber Policy Enforcement
Figure: GGSN (Access Aggregation and Service Control), Converged Packet Core, Internet, Subscriber Service Control, Video/VoIP Applications and Services, PCEF SCE
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 106
Gx Interface And RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 107
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 108
Collection Manager / RDR Protocol
Usage data is streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
Figure: SCE sends an RDR stream over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 109
Collection Manager / NetFlow v9 Export
NetFlow Export v9 extended to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCMS Collection Manager with SCMS Reporter; NetFlow Collector with NetFlow Reporter
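The NetFlow v9 export and the collector side, as an added example (not Cisco's code): a Python encoder and decoder for a v9 packet carrying a template FlowSet and a data FlowSet of usage records, keeping templates per (source id, template id) so data that arrives before its template is skipped rather than misdecoded. Only the standard RFC 3954 field types are used; the Cisco pre-standard L7 fields are not modelled, the record values are constructed, and the RDR protocol itself is proprietary and not reproduced here.

```python
"""Added example (not Cisco code): build and decode a NetFlow v9 export packet,
the format the slide says the SCE uses for Subscriber/Package/Link usage records.
Only RFC 3954 standard field types are modelled; the Cisco pre-standard L7
extension fields are not, so the field ids below are an assumption about layout only."""
import struct

NETFLOW_V9 = 9
# Standard NetFlow v9 field type -> (name, length in bytes).
FIELDS = {1: ("in_bytes", 4), 2: ("in_pkts", 4), 4: ("protocol", 1), 7: ("l4_src_port", 2),
          8: ("ipv4_src", 4), 11: ("l4_dst_port", 2), 12: ("ipv4_dst", 4)}


def _flowset(fs_id, body):
    """FlowSet = id, total length (incl. this header), body padded to a 4-byte boundary."""
    body += bytes((-len(body)) % 4)
    return struct.pack("!HH", fs_id, 4 + len(body)) + body


def _encode_field(ftype, value):
    name, flen = FIELDS[ftype]
    if name.startswith("ipv4"):
        return bytes(int(o) for o in value.split("."))
    return int(value).to_bytes(flen, "big")


def build_export(source_id, template_id, field_ids, records, include_template=True):
    """Constructed export packet: header, optional template FlowSet (id 0), data FlowSet."""
    flowsets = b""
    if include_template:
        tmpl = struct.pack("!HH", template_id, len(field_ids))
        tmpl += b"".join(struct.pack("!HH", f, FIELDS[f][1]) for f in field_ids)
        flowsets += _flowset(0, tmpl)
    data = b"".join(b"".join(_encode_field(f, r[FIELDS[f][0]]) for f in field_ids) for r in records)
    flowsets += _flowset(template_id, data)
    count = len(records) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", NETFLOW_V9, count, 1000, 1_250_000_000, 1, source_id)
    return header + flowsets


def parse_export(pkt, templates):
    """Decode one packet. `templates` persists across packets keyed by
    (source_id, template_id): data FlowSets arriving before their template are
    counted as skipped rather than guessed at. Returns (records, skipped_flowsets)."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
    if version != NETFLOW_V9:
        raise ValueError("not a NetFlow v9 packet")
    records, skipped, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad FlowSet length")
        body = pkt[off + 4:off + fs_len]
        off += fs_len
        if fs_id == 0:  # template FlowSet, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[p:p + 4])
                if p + 4 + 4 * n > len(body):
                    raise ValueError("truncated template")
                templates[(source_id, tid)] = [
                    struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                p += 4 + 4 * n
        elif fs_id >= 256:  # data FlowSet: its id is the template id
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                skipped += 1
                continue
            rec_len = sum(flen for _, flen in tmpl)
            if rec_len == 0:
                raise ValueError("empty template")
            p = 0
            while p + rec_len <= len(body):  # trailing padding (< 4 bytes) is ignored
                rec, q = {"source_id": source_id}, p
                for ftype, flen in tmpl:
                    raw, q = body[q:q + flen], q + flen
                    name = FIELDS.get(ftype, (f"field_{ftype}", flen))[0]
                    rec[name] = (".".join(str(b) for b in raw) if name.startswith("ipv4")
                                 else int.from_bytes(raw, "big"))
                records.append(rec)
                p += rec_len
    return records, skipped


def demo():
    # Two constructed usage records; then a data-only packet from a source whose template is unknown.
    field_ids = [8, 12, 4, 7, 11, 1, 2]
    recs = [{"ipv4_src": "10.0.0.5", "ipv4_dst": "192.0.2.10", "protocol": 6,
             "l4_src_port": 51000, "l4_dst_port": 80, "in_bytes": 48213, "in_pkts": 61},
            {"ipv4_src": "10.0.0.9", "ipv4_dst": "192.0.2.25", "protocol": 17,
             "l4_src_port": 5060, "l4_dst_port": 5060, "in_bytes": 1200, "in_pkts": 3}]
    templates = {}
    records, skipped = parse_export(build_export(7, 300, field_ids, recs), templates)
    data_only = build_export(8, 300, field_ids, recs, include_template=False)
    _, skipped_no_template = parse_export(data_only, templates)
    return records, skipped, skipped_no_template
```

Keying templates by exporter source id matters with several SCEs feeding one collector: two devices may legitimately use the same template id for different layouts, and a collector that ignores the source id will attribute one subscriber's usage to another's fields.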
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 110
Collection Manager / Software Overview
CM-Software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle:
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (i.e. Upstream / Downstream)
Figure: subscriber side and network side of the SCE, with upstream flows and downstream flows for Browsing, P2P and VoIP
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 112
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
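ToS classification and marking as the two slides describe them, as an added example (not Cisco's code): Python that reads the DSCP of a constructed IPv4 packet, gives a pre-set DSCP precedence over a (port-based, stand-in) signature classification, and then marks the packet per package, service and direction with the header checksum recomputed. The flavor table, the marking table, the DSCP palette and the port-to-service mapping are all assumptions made for the example.

```python
"""Added example (not Cisco code): IPv4 ToS/DSCP classification and marking.
The DSCP palette, flavor table, marking table and the port-based stand-in for
signature classification are assumptions for the example."""
import struct

# Standard DSCP code points (RFC 2474 / 2597 / 3246).
DSCP_BE, DSCP_AF11, DSCP_AF21, DSCP_AF31, DSCP_EF = 0, 10, 18, 26, 46

# Assumed ToS "flavor" table: traffic already marked by another element maps straight to a service.
TOS_FLAVORS = {DSCP_EF: "voip", DSCP_AF31: "video"}
# Stand-in for the signature engine: destination port -> service (the SCE uses L7 signatures).
SIGNATURE_PORTS = {80: "browsing", 443: "browsing", 5060: "voip", 6881: "p2p"}
# Assumed marking policy keyed exactly as the slide lists it: per package, per service, per direction.
MARKING = {
    ("gold", "voip", "upstream"): DSCP_EF, ("gold", "voip", "downstream"): DSCP_EF,
    ("gold", "browsing", "downstream"): DSCP_AF21,
    ("silver", "p2p", "upstream"): DSCP_AF11, ("silver", "p2p", "downstream"): DSCP_AF11,
}


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over the header; a valid header sums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, dscp=DSCP_BE, payload=b""):
    """Constructed IPv4 packet with a valid header checksum (ECN bits left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def get_dscp(pkt):
    return pkt[1] >> 2


def set_dscp(pkt, dscp):
    """Rewrite the DSCP field, keep the ECN bits, and fix the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def classify(pkt, dst_port):
    """DSCP-based classification takes precedence; otherwise fall back to signatures."""
    dscp = get_dscp(pkt)
    if dscp in TOS_FLAVORS:
        return TOS_FLAVORS[dscp], "tos"
    return SIGNATURE_PORTS.get(dst_port, "default"), "signature"


def apply_marking(pkt, package, service, direction):
    """Mark according to the policy table; traffic with no rule is left untouched."""
    dscp = MARKING.get((package, service, direction))
    return pkt if dscp is None else set_dscp(pkt, dscp)


def demo():
    # Unmarked P2P upstream from a 'silver' subscriber, then a packet pre-marked EF.
    p2p = build_ipv4("10.0.0.5", "203.0.113.7", 6, payload=b"\x00" * 8)
    service, how = classify(p2p, 6881)
    marked = apply_marking(p2p, "silver", service, "upstream")
    premarked = build_ipv4("10.0.0.6", "203.0.113.8", 17, dscp=DSCP_EF, payload=b"\x00" * 8)
    service2, how2 = classify(premarked, 80)
    checksum_ok = ipv4_checksum(marked[:20]) == 0
    return service, how, get_dscp(marked), checksum_ok, service2, how2
```

The precedence rule cuts both ways: the second packet is classified as VoIP because of its EF mark even though its destination port says browsing, which is exactly the slide's assumption that an upstream element set the DSCP. If subscriber-originated traffic can reach the SCE with an arbitrary DSCP, the flavor table should only be trusted for marks that the network edge rewrites or clears on ingress.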
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 113
Summary
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 114
Cisco SCE Sample Customers
Figure: Mobile, DSL and Cable customers
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 115
Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 116
Categories: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 117
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 74
P2P Identification: Infringing / Non-Infringing
Figure components: Subscriber, Network, SCE, Hash DB
1. Subscriber initiates a P2P file request
2. SCE extracts the file hash and consults the DB
3. DB responds with the file classification: infringing / legal
4. SCE acts based on the file classification: lets the request pass for a legal file; blocks, redirects or rate-limits for an infringing file
Classifying P2P content into infringing / non-infringing
Identifying and reporting infringing material per the SP's policy
Using the detection and blocking to up-sell a legal copy of the original request, or a subscription to the SP's content store
Using the information to de-prioritize or control infringing material
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT traffic to the caching server
Cache delivers more bandwidth to end-users using existing network resources
Cache relieves network peering load while improving QoE
Benefits:
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
Figure: SCE in the path of OTT, other OTT/P2P and VoIP traffic; the SCE redirects OTT traffic to the OTT Video Cache, and the cache delivers the requested files
Increase in demand for OTT
Best user experience - OTT content is delivered from within the network, as close as possible to the user
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 76
Service Security Challenges
Key challenges:
Open access: the SP cannot apply restrictions on usage (e.g. block certain port numbers)
No mandatory security tools: end-users may not have any security protection
End-users are not educated on security best practices
New "triple-play" services increase the potential threat (i.e. VoIP viruses, EPG hacking, etc.)
Effect on SP business:
Increased cost for the carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network:
DoS: DoS attacks from subscribers
Spam: spam activity from botnets or malicious users
Worms: worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify: detect the threat using stateful traffic processing, and alert SP operations
Protect: block/mitigate the threat based on the configured policy
Notify: quarantine the subscriber and notify them of the security risk
Figure: Service Control between the subscribers, the Internet and the email servers; sample notification to the subscriber:
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"
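The identify / protect / notify tiers above, as an added example (not Cisco's code): Python anomaly rules for the three threat classes on the slide, run over constructed per-subscriber flow summaries: a spam bot talking to many distinct SMTP servers, a worm probing many hosts on one port without replies, and a packet flood toward one destination. Thresholds, window size and the mitigation actions are assumptions for the example, not SCE defaults.

```python
"""Added example (not Cisco code): identify / protect / notify over constructed
per-subscriber flow summaries. Thresholds and actions are assumptions."""
from collections import defaultdict

# Assumed policy: a detection window and per-threat thresholds.
POLICY = {"window_s": 60, "spam_smtp_servers": 20, "worm_scan_hosts": 50,
          "worm_unanswered_ratio": 0.8, "dos_pkts_per_window": 100_000}
# Assumed mitigation (the "protect" tier) per threat class.
PROTECT = {"spam": "rate-limit outbound SMTP", "worm": "block the scanned port",
           "dos": "block traffic to the target"}

WINDOW_START = 1_700_000_040  # constructed timestamp, aligned to a 60 s window


def constructed_flows():
    """Flow tuples: (ts, subscriber_ip, dst_ip, dst_port, proto, pkts, bytes, answered)."""
    flows = [(WINDOW_START + i % 60, "10.0.0.5", f"198.51.100.{i}", 25, "tcp", 12, 1800, True)
             for i in range(1, 41)]                       # 40 distinct SMTP servers: spam bot
    flows += [(WINDOW_START + i % 60, "10.0.0.7", f"192.0.2.{i}", 445, "tcp", 1, 60, False)
              for i in range(1, 121)]                     # 120 unanswered SYNs on 445: worm scan
    flows += [(WINDOW_START + 5, "10.0.0.9", "203.0.113.9", 80, "tcp", 400_000, 24_000_000, True)]
    flows += [(WINDOW_START + i, "10.0.0.11", f"203.0.113.{i}", 443, "tcp", 40, 30_000, True)
              for i in range(1, 6)]                       # ordinary browsing, must not alert
    return flows


def _finding(sub, threat, evidence):
    return {"subscriber": sub, "threat": threat, "identify": evidence,
            "protect": PROTECT[threat], "notify": f"quarantine {sub} and send a security notice"}


def detect(flows, policy=POLICY):
    """Anomaly rules per (subscriber, window); returns one finding per threat class seen."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f[1], f[0] // policy["window_s"])].append(f)
    findings = []
    for (sub, _), fl in buckets.items():
        # Spam: fan-out to many distinct mail servers from one subscriber.
        smtp_servers = {f[2] for f in fl if f[3] == 25}
        if len(smtp_servers) >= policy["spam_smtp_servers"]:
            findings.append(_finding(sub, "spam", f"{len(smtp_servers)} distinct SMTP servers"))
        # Worm propagation: many hosts probed on one port, mostly without a reply.
        by_port = defaultdict(list)
        for f in fl:
            by_port[f[3]].append(f)
        for port, pf in by_port.items():
            hosts = {f[2] for f in pf}
            unanswered = sum(1 for f in pf if not f[7]) / len(pf)
            if len(hosts) >= policy["worm_scan_hosts"] and unanswered >= policy["worm_unanswered_ratio"]:
                findings.append(_finding(
                    sub, "worm", f"{len(hosts)} hosts probed on port {port}, {unanswered:.0%} unanswered"))
        # DoS: packet volume toward a single destination within the window.
        pkts_by_dst = defaultdict(int)
        for f in fl:
            pkts_by_dst[f[2]] += f[5]
        dst, pkts = max(pkts_by_dst.items(), key=lambda kv: kv[1])
        if pkts >= policy["dos_pkts_per_window"]:
            findings.append(_finding(sub, "dos", f"{pkts} packets to {dst} in one window"))
    return findings


def demo():
    return detect(constructed_flows())
```

Each finding carries the evidence string for the alert, the configured mitigation, and the notification step, which is the order the slide's three tiers run in; the browsing subscriber produces nothing, which is the check that matters most before such rules go inline.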
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 78
Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 79
Virus and Malware Protection: Remove Malware Destined to Users
Figure: User 1 - Carrier Ethernet/MPLS/IP - SCE - Internet, with a VAS server attached to the SCE; inbound and outbound traffic shown, X marks traffic blocked
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or peer application
2. The SCE identifies the subscriber traffic flows that match the Virus Protection Package
3. The VAS server receives traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets, so the file isn't loaded on the user machine
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 80
Network Insertion and Configuration
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 81
Network Insertion Point
Typical insertion point - Broadband Edge/Aggregation:
Directly after the subscriber aggregator (B-RAS, CMTS, Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all the traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP/Tunneling environment
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
Figure: Analysis Engine applying PDR (Police, Drop, Rewrite) actions in both directions
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration:
Using optical splitters / port-span
Traffic monitoring only
Inline configuration:
Engine installed in the data path
Monitor and control traffic
Figure: Subscribers - optical splitter - SCE - optical splitter - Network
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 84
High Availability Cascading Configurations
Addressing split flows between the two links
Providing 1+1 Active-Standby failover:
Slave forwards all traffic to the Master for processing
Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Figure: Master and Slave SCEs, one on each active link
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 85
Redundant Configurations: Active/Standby Schemes
1+0:
Active/Standby links, SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1:
Active/Standby links, SCE on each link
On failure the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
Figure: active link and standby links
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
Figure: SCE8000 with optical bypass modules on its links; default bypass state (no power) and non-default bypass state
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 87
MGSCP Cluster Insertion - N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability - "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30-Gbps SCE8000s
• High Availability - provides N+1 device-level high availability, addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE; the SCE performs the DPI functionality and returns the packets to the original data path; all the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
Figure: Internet - 7600 with N+1 SCEs; flows out to the SCEs and return flows
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 88
Network Architectures: SCE's Open & Extensible Architecture
Figure: N+1, 1+1 HA and bypass HA insertion options; GGSN and BRAS/LAC/LNS access for Mobile and DSL/Fiber subscribers; Accounting/Policy Control; Internet
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet Inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
Figure: inspected packet stacks, outer to inner: l2tp/mpls | IP | TCP | Payload; l2tp/mpls | IP | TCP | Payload; ppp | IP | TCP | Payload
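Tunneled-traffic visibility as the slide lists it, as an added example (not Cisco's code): Python that peels 802.1q/QinQ VLAN tags, an MPLS label stack and IP-in-IP from a constructed frame to reach the inner IPv4 5-tuple the engine classifies, and refuses frames nested beyond a depth limit. L2TP, GRE and GTP are listed on the slide but not modelled, and IP header checksums are left at zero because nothing here validates them.

```python
"""Added example (not Cisco code): peel VLAN / MPLS / IP-in-IP encapsulations to
reach the inner IPv4 5-tuple. L2TP, GRE and GTP are not modelled; frames are
constructed and header checksums are left at zero."""
import struct

ETH_IPV4, ETH_VLAN, ETH_QINQ, ETH_MPLS = 0x0800, 0x8100, 0x88A8, 0x8847
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def eth(etype):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", etype)


def vlan(vid, next_etype):
    return struct.pack("!HH", vid & 0x0FFF, next_etype)


def mpls(label, bottom):
    """Label (20 bits), TC (3), bottom-of-stack (1), TTL (8)."""
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | 64)


def ipv4(src, dst, proto, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def decapsulate(frame, max_depth=8):
    """Return (encapsulation layers, inner 5-tuple); refuse absurd nesting depth."""
    layers = []
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while etype in (ETH_VLAN, ETH_QINQ):  # stacked 802.1q / 802.1ad tags
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        layers.append(f"vlan {tci & 0x0FFF}")
        off += 4
    if etype == ETH_MPLS:
        while True:
            entry = struct.unpack("!I", frame[off:off + 4])[0]
            layers.append(f"mpls {entry >> 12}")
            off += 4
            if entry & 0x100:  # bottom of stack
                break
        if frame[off] >> 4 != 4:  # MPLS carries no ethertype: infer IPv4 from the version nibble
            raise ValueError("non-IPv4 payload after MPLS")
    elif etype != ETH_IPV4:
        raise ValueError(f"unsupported ethertype 0x{etype:04x}")
    for _ in range(max_depth):
        ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
        src = ".".join(str(b) for b in frame[off + 12:off + 16])
        dst = ".".join(str(b) for b in frame[off + 16:off + 20])
        if proto == IPPROTO_IPIP:
            layers.append(f"ipip {src}->{dst}")
            off += ihl
            continue
        sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
        return layers, {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    raise ValueError("encapsulation nested too deeply")


def demo():
    """A QinQ + MPLS + IP-in-IP frame, a plain frame, and a pathological nesting case."""
    inner = ipv4("192.168.1.10", "203.0.113.5", IPPROTO_TCP, 4) + struct.pack("!HH", 40000, 443)
    tunneled = (eth(ETH_QINQ) + vlan(100, ETH_VLAN) + vlan(7, ETH_MPLS)
                + mpls(16, False) + mpls(24, True)
                + ipv4("10.1.1.1", "10.2.2.2", IPPROTO_IPIP, len(inner)) + inner)
    plain = eth(ETH_IPV4) + inner
    nested = eth(ETH_IPV4)
    for _ in range(9):  # one level beyond max_depth
        nested += ipv4("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, 0)
    nested += inner
    try:
        decapsulate(nested)
        too_deep = False
    except ValueError:
        too_deep = True
    return decapsulate(tunneled), decapsulate(plain), too_deep
```

The depth limit is there because an inline engine that follows encapsulations without bound spends its per-packet budget on the outer headers and never classifies the payload; whatever the SCE cannot decapsulate it also cannot police, which is the "traffic visibility" issue from the insertion-point slide.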
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 90
Management and Integration
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 91
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
Figure: Subscribers - Service Control Engine - Network; Subscriber Manager with AAA, DHCP and RADIUS; Billing; Reporting Tool; Engage Console; Service Portal; Collection Manager; Policy Server/Portal
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 92
Management and Integrations
Network Management: description - FCAPS; protocols and tools - SNMP, CLI, SSH; external software modules - N/A
Policy/Service Configuration: description - definition of policies and dissemination to SE devices; protocols and tools - SCA-API, GUI, scripts, XML; external software modules - Service Control Application Suite GUI
Subscriber Management: description - dynamic management of subscriber contexts; protocols and tools - SM API, RADIUS; external software modules - Subscriber Manager
Data Collection: description - collection of usage data for reporting and billing; protocols and tools - NetFlow v9, RDR-Protocol; external software modules - Collection Manager
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 93
Network Management (FCAPS)
SNMP (v2):
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
Telnet/SSH
Cisco look and feel
CLI configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 75
Traffic Diversion To OTT Video Service
SCE analyzes and redirects OTT
traffic to the caching server
Cache delivers more bandwidth
to end-users using existing
network resources
Cache relieves network peering
load while improving QoE
Benefits
Saves on peering bandwidth
Clears network congestion
Increases user satisfaction
SCE
OTT
OtherOTTP2P
VoIP
OTT Video Cache
SCE redirects OTT traffic
Cache delivers requested files
Increase in demand for OTT
Best user experience ndash OTT content is delivered from within the network close
as possible to the user
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
Diagram: optical splitters feeding the SCE between Subscribers and Network
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 Active-Standby failover
The Slave forwards all traffic to the Master for processing
The Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
Diagram: Master and Slave SCEs, one on each active link
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link only
On failure the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1
Active/Standby: SCE on each link
On failure the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
Diagram: active link and standby links
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via the CLI
On boot
Diagram: SCE8000 between two optical bypass modules; default bypass state (no power) versus non-default bypass state
MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of tens and hundreds of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with eight 30 Gbps SCE8000s
• High Availability – provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE in order to maintain flow and subscriber state
Diagram: N+1 SCEs behind the 7600 toward the Internet; flows are dispatched to an SCE and returned to the data path
Network Architectures: SCE's Open & Extensible Architecture
Diagram: N+1, 1+1 HA, and bypass HA insertion schemes behind a GGSN (Mobile) or BRAS/LAC/LNS (DSL/Fiber), with accounting and policy control, toward the Internet
Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation and tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
Diagram: packet inspection of encapsulated packets (Payload/TCP/IP) beneath L2TP, MPLS, and PPP headers
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools, and integration APIs
Diagram: Service Control Engine between Subscribers and Network, with Subscriber Manager (AAA, DHCP, RADIUS, Billing), Collection Manager (Reporting Tool, Engage Console), Policy Server/Portal, and Service Portal
Management and Integrations
Network Management
  Description: FCAPS
  Protocols and tools: SNMP, CLI, SSH
  External software modules: N/A
Policy/Service Configuration
  Description: definition of policies and dissemination to SE devices
  Protocols and tools: SCA-API, GUI, scripts, XML
  External software modules: Service Control Application Suite GUI
Subscriber Management
  Description: dynamic management of subscriber contexts
  Protocols and tools: SM API, RADIUS
  External software modules: Subscriber Manager
Data Collection
  Description: collection of usage data for reporting and billing
  Protocols and tools: NetFlow v9, RDR-Protocol
  External software modules: Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL, or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a top subscriber to activate the Subscriber Real-Time Report
Service Security Dashboard
Integrated console to manage service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager – Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull modes
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager / RADIUS Integration - Push
Diagram: the B-RAS on the NETWORK side sends RADIUS accounting to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller), which pushes the resulting mapping to the SCE in front of the SUBSCRIBERS
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager / RADIUS Integration - Pull
Diagram: the B-RAS on the NETWORK side sends RADIUS accounting to the Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller); the SCE in front of the SUBSCRIBERS queries the SM when it sees traffic it cannot map
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEG Translation in Brief
RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) translate RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP Lease Query LEG) translate DHCP fields: yiaddr, chaddr, ciaddr, and the options Relay Agent Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
The LEGs deliver to the SM:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
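An added example (Python, not Cisco's code) of the RADIUS-to-subscriber translation that the push and pull slides and the LEG table describe: it parses a constructed Accounting-Request, verifies the RFC 2866 Request Authenticator against the shared secret so that a forged or tampered accounting packet cannot remap a subscriber's IP, then applies Login/Logout to the Network-ID to (Subscriber-ID, Policy-ID) table that pull-mode lookups read, and flags an IP that changes owner. The SCE-VAS-PID vendor-type number (250), the default package (1), the shared secret and all packets are assumptions or constructed values; the deck gives none of them.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VSA, ATTR_ACCT_STATUS = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
VSA_SCE_VAS_PID = 250  # ASSUMPTION: placeholder vendor-type, the deck gives no number

def tlv(kind, value):
    # One RADIUS attribute: Type, Length (including these 2 octets), Value
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_acct_request(secret, ident, attrs):
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def parse_attributes(data):
    # Walk a TLV list; truncated or zero-length entries are rejected, not skipped
    attrs, pos = [], 0
    while pos < len(data):
        length = data[pos + 1] if pos + 2 <= len(data) else 0
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[pos], data[pos + 2:pos + length]))
        pos += length
    return attrs

def parse_acct_request(packet, secret):
    # Returns {user, ip, status[, package]}; raises ValueError for malformed or unauthenticated input
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("short packet or not an Accounting-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    header, auth, attrs = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(auth, expected):  # forged, tampered, or wrong shared secret
        raise ValueError("Request Authenticator mismatch")
    fields = {}
    for kind, value in parse_attributes(attrs):
        if kind == ATTR_USER_NAME:
            fields["user"] = value.decode("utf-8")
        elif kind == ATTR_FRAMED_IP and len(value) == 4:
            fields["ip"] = ".".join(str(b) for b in value)
        elif kind == ATTR_ACCT_STATUS and len(value) == 4:
            fields["status"] = struct.unpack("!I", value)[0]
        elif kind == ATTR_VSA and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            for vtype, vval in parse_attributes(value[4:]):
                if vtype == VSA_SCE_VAS_PID and len(vval) == 4:
                    fields["package"] = struct.unpack("!I", vval)[0]
    if any(k not in fields for k in ("user", "ip", "status")):
        raise ValueError("User-Name, Framed-IP-Address and Acct-Status-Type are required")
    return fields

class SubscriberManager:
    # Stand-in for the SM's internal SDB: Network-ID -> (Subscriber-ID, Policy-ID)
    def __init__(self, secret):
        self.secret, self.by_ip, self.by_user, self.alerts = secret, {}, {}, []

    def handle_accounting(self, packet):
        # Push-mode LEG: ACCT Start -> Login, ACCT Stop -> Logout
        f = parse_acct_request(packet, self.secret)
        user, ip = f["user"], f["ip"]
        if f["status"] == ACCT_START:
            package = f.get("package", self.by_user.get(user, 1))  # ASSUMPTION: 1 = default package
            prev = self.by_ip.get(ip)
            if prev and prev[0] != user:  # stale lease, or a login claiming someone else's IP
                self.alerts.append(f"{ip} moved from {prev[0]} to {user}")
            self.by_ip[ip] = (user, package)
            self.by_user[user] = package  # policy persists across logins
            return ("login", user, ip, package)
        if f["status"] == ACCT_STOP and self.by_ip.get(ip, ("",))[0] == user:
            del self.by_ip[ip]  # only the current owner of a mapping may log it out
            return ("logout", user, ip, None)
        return ("ignored", user, ip, None)  # Interim-Update, or a Stop from a non-owner

    def lookup_ip(self, ip):
        # Pull mode: the SCE asks "who is using IP x?" for a flow it cannot map
        return self.by_ip.get(ip)

def demo():
    secret = b"constructed-shared-secret"  # constructed, as is every packet below
    sm = SubscriberManager(secret)
    st = lambda s: tlv(ATTR_ACCT_STATUS, struct.pack("!I", s))  # Acct-Status-Type
    joe = tlv(ATTR_USER_NAME, b"Joe") + tlv(ATTR_FRAMED_IP, bytes([1, 2, 3, 4]))
    vsa = tlv(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + tlv(VSA_SCE_VAS_PID, struct.pack("!I", 12)))
    start = build_acct_request(secret, 7, joe + st(ACCT_START) + vsa)
    login = sm.handle_accounting(start)
    pulled = sm.lookup_ip("1.2.3.4")
    try:  # the same packet with its authenticator zeroed must be rejected
        sm.handle_accounting(start[:4] + bytes(16) + start[20:])
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    logout = sm.handle_accounting(build_acct_request(secret, 8, joe + st(ACCT_STOP)))
    relogin = sm.handle_accounting(build_acct_request(secret, 9, joe + st(ACCT_START)))  # no VSA: package 12 persists
    return login, pulled, forged_rejected, logout, relogin
```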
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C and Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning
NetFlow v9 – allows integration for billing/quota provisioning
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network IDs to Subscriber IDs together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Diagram: Policy Server, Subscriber Manager, and SCE connected through their APIs
PCEF - Subscriber Policy Enforcement
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Diagram: GGSN (access aggregation and service control) feeding the converged packet core and the Internet, with the PCEF SCE applying subscriber service control toward video/VoIP applications and services
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link, and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in the SCE's outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, and subscriptions
The RDR Protocol can be integrated directly into 3rd-party systems:
Policy control, mediation, home-grown customer platforms
Diagram: RDR stream over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
The SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: SCMS Collection Manager feeding the SCMS Reporter; NetFlow Collector feeding a NetFlow Reporter
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
The collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selected DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
– Per package
– Per service
– Per direction (i.e. upstream/downstream)
Diagram: upstream and downstream flows (browsing, P2P, VoIP) marked between the subscriber side and the network side
ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Summary
Cisco SCE Sample Customers (Mobile, DSL, Cable)
Security & Content Filtering; Policy & Billing; URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, local China, local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 76
Service Security Challenges
Key challenges
Open access SP cannot apply restriction on usage (eg block certain port numbers)
No mandatory security tools end-users may not have any security protection
End-users are not educated on security best practices
New ―triple-play services increase potential threat (ie VoIP viruses EPG hacking etc)
Affect on SP business
Increased cost for carrier from network management and downtime
Subscriber churn and customer support costs
Ability to Identify and Mitigate Attacks Emanating from Its Own Users
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 77
Service Security Protection
Mitigates security threats in the open broadband network
DoS DoS attacks from subscribers
Spam Spam activity from botnets or malicious users
Worms Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to
Identify Threat using stateful traffic processing and alert SP operations
Protect Blockmitigate threat based on configured policy
Notify Quarantine subscriber and notify of security risk
Email Servers
Internet
Service Control
Dear Valued Subscriber
We are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you Click here for technical assistance wwwtechnicalsupportcom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom

[Partner / customer matrix, continued]
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

Service Security Protection
Mitigates security threats in the open broadband network:
DoS – DoS attacks from subscribers
Spam – Spam activity from botnets or malicious users
Worms – Worm infections and propagation attempts
Three-tier solution uses a combination of anomaly detection and signature matching to:
Identify – Identify the threat using stateful traffic processing and alert SP operations
Protect – Block / mitigate the threat based on the configured policy
Notify – Quarantine the subscriber and notify them of the security risk
[Diagram: Email Servers, Internet, Service Control; sample subscriber notification:]
"Dear Valued Subscriber, we are advising you that your PC may have become infected with an email zombie generating spam mail and could potentially cause additional security issues for you. Click here for technical assistance: www.technicalsupport.com"

Service Security Protection: Value to the Service Provider
Reduce administrative costs during outbreaks
Limit subscriber infection to reduce call center load
Increase customer loyalty and reduce churn
Upsell opportunity for security add-on services
Saving on network bandwidth

Virus and Malware Protection: Remove Malware Destined to Users
[Diagram: User 1, SCE, Carrier Ethernet / MPLS / IP, VAS Server, Internet; inbound and outbound traffic, X = traffic blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server or download a file from a website or peer application
2. The SCE identifies that the subscriber's traffic flows match the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS detects the embedded malware and drops the remaining packets so the file isn't loaded on the user's machine

Network Insertion and Configuration

Network Insertion Point
Typical insertion point: Broadband Edge / Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IP / Tunneling environment

Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: Analysis Engine; PDR = Police / Drop / Rewrite actions]

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters / port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
[Diagram: Subscribers, optical splitters, Network]

High Availability: Cascading Configurations
Addressing split flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, one on each Active Link]

Redundant Configurations: Active / Standby Schemes
1+0
Active / Standby: SCE on the active link
On failure, the network uses the alternate path
No service redundancy
Bypass config: fail open
1+1
Active / Standby: SCE on each link
On failure, the network uses the alternate path
Standby SCE resumes service
Bypass config: fail open
[Diagram: Active Link and Standby Links]

Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases:
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
[Diagram: SCE8000 with Optical Bypass modules; default bypass state (no power) versus non-default bypass state]

MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
• High Availability – Provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow & subscriber state
[Diagram: Internet, N+1 SCEs, Flows / Return Flows]

Network Architectures: SCE's Open & Extensible Architecture
[Diagram: N+1, 1+1 HA and Bypass HA insertion options; GGSN and BRAS / LAC / LNS aggregation; Accounting / Policy Control; DSL / Fiber and Mobile access; Internet]

Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques including:
VLAN 802.1q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE & GTP planned for end of 2009
[Diagram: packet inspection through encapsulation stacks: Payload / TCP / IP over L2TP or MPLS, and Payload / TCP / IP over PPP]

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
Modular solution includes SCE devices, management tools and integration APIs
[Diagram: Subscribers – Service Control Engine – Network; Subscriber Manager with AAA, DHCP, RADIUS, Billing; Collection Manager with Reporting Tool, Engage Console, Service Portal; Policy Server / Portal]

Management and Integrations
Network Management
Description: FCAPS
Protocols and Tools: SNMP, CLI, SSH
External Software Modules: N/A
Policy / Service Configuration
Description: Definition of policies and dissemination to SE devices
Protocols and Tools: SCA-API, GUI, Scripts, XML
External Software Modules: Service Control Application Suite GUI
Subscriber Management
Description: Dynamic management of subscriber contexts
Protocols and Tools: SM API, RADIUS
External Software Modules: Subscriber Manager
Data Collection
Description: Collection of usage data for reporting and billing
Protocols and Tools: NetFlow v9, RDR-Protocol
External Software Modules: Collection Manager

Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet / SSH
Cisco look and feel
CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM database
Batch management of devices / sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate / bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
[Screenshot: real-time report; interactive: click on a top subscriber to activate the subscriber]

Service Security Dashboard
Integrated console to manage the service security functionality
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager – Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration – Push
[Diagram: B-RAS on the network side; Cisco Subscriber Manager (RADIUS listener, Event Manager, Internal SDB, SCE device controller); SCE towards the subscribers]
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Accounting Start relayed to the Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE

Subscriber Manager: RADIUS Integration – Pull
[Diagram: same components as in the push case]
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) Accounting Start relayed to the Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE

RADIUS Integration: LEGs translation in brief
RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) take the RADIUS attributes:
User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) take the DHCP fields:
yiaddr, chaddr, ciaddr
Options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
and translate them into SM events:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
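As an added example (not Cisco's LEG or SM code), the RADIUS side of the push / pull flows and the LEG translation above: an Accounting-Request Start or Stop is checked against its Request Authenticator with the shared secret, its User-Name, Framed-IP-Address, NAS-Identifier and policy VSA are turned into an SM login or logout event, and a toy Subscriber Manager either pushes the mapping to the SCE at login or answers the SCE's "who is using IP" query. The VSA encoding of SCE-VAS-PID (vendor id 9, sub-attribute 1 carrying "SCE-VAS-PID=<n>"), the shared secret and the packets are constructed assumptions, not the product's wire format.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS_TYPE = 1, 8, 26, 32, 40
ACCT_START, ACCT_STOP = 1, 2
VENDOR_CISCO = 9  # assumed Vendor-Id for the SCE-VAS-PID VSA; the encoding below is constructed

def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """RFC 2866: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)."""
    if len(packet) < 20:
        return False
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])  # records from a sender without the secret are dropped

def parse_attributes(body: bytes) -> list:
    """Walk the RADIUS attribute TLVs; any bad length rejects the whole packet."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def policy_from_vsa(value: bytes):
    """Vendor-Specific = 4-byte Vendor-Id + vendor TLVs (RFC 2865 5.26); sub-attribute 1 = "SCE-VAS-PID=<n>" (assumed)."""
    if len(value) < 4 or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
        return None
    for vtype, vvalue in parse_attributes(value[4:]):
        if vtype == 1 and vvalue.startswith(b"SCE-VAS-PID="):
            return int(vvalue.split(b"=", 1)[1])
    return None

def translate(packet: bytes, secret: bytes) -> dict:
    """Accounting-Request -> SM login/logout event, the job of a RADIUS Listener LEG."""
    if not verify_request_authenticator(packet, secret):
        raise ValueError("authenticator mismatch: packet dropped")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    f = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype == USER_NAME:
            f["subscriber_id"] = value.decode()
        elif atype == FRAMED_IP:
            f["mapping"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_IDENTIFIER:
            f["domain"] = value.decode()
        elif atype == ACCT_STATUS_TYPE:
            f["status"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and policy_from_vsa(value) is not None:
            f["policy"] = policy_from_vsa(value)
    if f.get("status") == ACCT_START:
        return {"event": "login", "subscriber_id": f["subscriber_id"], "mapping": f["mapping"],
                "domain": f.get("domain"), "policy": f.get("policy")}
    if f.get("status") == ACCT_STOP:
        return {"event": "logout", "subscriber_id": f["subscriber_id"], "mapping": f["mapping"]}
    raise ValueError("unsupported Acct-Status-Type")

class SubscriberManager:
    """Toy SM: sdb is the internal subscriber database keyed by IP, sce_table what the SCE has been told."""

    def __init__(self, push: bool):
        self.push, self.sdb, self.sce_table = push, {}, {}

    def handle(self, event: dict) -> None:
        ip = event["mapping"]
        if event["event"] == "login":
            self.sdb[ip] = event
            if self.push:  # push mode: Set Subscriber goes to the SCE at login time
                self.sce_table[ip] = (event["subscriber_id"], event["policy"])
        else:  # logout removes the mapping from the SDB and from the SCE
            self.sdb.pop(ip, None)
            self.sce_table.pop(ip, None)

    def who_is_using(self, ip: str):
        """Pull mode: the SCE asks on the first packet from ip; None when the IP is unknown."""
        rec = self.sdb.get(ip)
        if rec is not None:
            self.sce_table[ip] = (rec["subscriber_id"], rec["policy"])
        return self.sce_table.get(ip)

def build_accounting_request(secret: bytes, ident: int, user: str, ip: str, status: int, pid=None) -> bytes:
    """Constructed Accounting-Request with a valid Request Authenticator (demo input only)."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = (attr(USER_NAME, user.encode()) + attr(FRAMED_IP, ipaddress.IPv4Address(ip).packed)
            + attr(NAS_IDENTIFIER, b"bras-1") + attr(ACCT_STATUS_TYPE, struct.pack("!I", status)))
    if pid is not None:
        body += attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + attr(1, b"SCE-VAS-PID=%d" % pid))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body
```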

Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing / quota provisioning issues
NetFlow v9 – allows integration for billing / quota provisioning cases

Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE – API – Subscriber Manager – API – Policy Server]

PCEF: Subscriber Policy Enforcement
[Diagram: GGSN (Access Aggregation and Service Control) with the SCE as PCEF, Converged Packet Core, Internet; Subscriber Service Control; Video / VoIP Applications and Services; numbered steps 1 to 5]
SCE acting as a 3GPP PCEF
Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx / Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR-Protocol integrated directly into 3rd-party systems
Policy control, mediation, home-grown customer systems
[Diagram: SCE -> RDR Protocol over TCP -> Mediation / Collection Platform; the RDR stream is a sequence of RDRs, each RDR = Header, Field 0, Field 1, ..., Field n]

Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]

Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 78
Reduce Administrative Costs During Outbreaks
Limit Subscriber Infection to Reduce Call Center Load
Increase Customer Loyalty and Reduce Churn
Upsell Opportunity of Security Add-on Services
Saving on Network Bandwidth
Service Security ProtectionValue to the Service Provider
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 79
VAS Server
Internet
X
Inbound Traffic
Outbound Traffic
X Traffic Blocked
1
2
3
4
SCE
Carrier EthernetMPLSIP
Subscriber 1 attempts to retrieve e-mail from a mail server or download file from Website or Peer application
The SCE identifies subscriber traffic flows matches Virus Protection Package
The VAS server receives traffic from the SCE with a VLAN tag used in communication between User 1 and the server
The server transmits the file which contains a virus or other malware VAS will detect the embedded malware and drop remaining packets so file isnlsquot loaded on user machine
1
2
3
4
Virus and Malware ProtectionRemove Malware Destined to Users
User 1
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection Manager: Software Overview
CM-Software
• Unix (Solaris, Linux) Java software
• Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
• Template-driven reporting tool (100+ report templates)
CM-Bundle
• Cisco provides the collection software pre-packaged with a DB (Sybase)
• Template-driven reporting tool (100+ report templates)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 111
ToS Marking
• ToS marking is decoupled from the queuing mechanism
• Provides a simplified GUI configuration based on 7 selectable DSCP values
• Once an application has been classified, the SCE ToS Marking capability can mark traffic
  – Per package
  – Per service
  – Per direction (upstream / downstream)
[Figure: the SCE between the subscriber side and the network side, marking upstream and downstream flows for Browsing, P2P and VoIP]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 112
ToS Classification
• SCE provides traffic classification based on ToS bits
• ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
• The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
• DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
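The two ToS slides above describe one mechanism from both ends: an existing DSCP selects the service class before any payload signature is consulted, and the SCE may rewrite the DSCP per package, service and direction. The Python below is an added example (not Cisco SCE code) of both halves. The marking table, the DSCP-to-service map and the packet are constructed for the example; the slide says the GUI offers 7 selectable DSCP values but does not list them. The `trust_dscp` flag is an assumption added here: the classification slide presumes the DSCP was set by another network element, so a practitioner should decide per interface whether a subscriber-side marking deserves that trust.

```python
# Added example, not Cisco SCE code: DSCP-based classification taking
# precedence over a signature verdict, and per-(package, service, direction)
# ToS re-marking that rewrites only the 6 DSCP bits, preserves ECN and
# refreshes the IPv4 header checksum. Marking table and packet are constructed.
import struct

# Constructed marking table; the slide says the GUI offers 7 selectable DSCP
# values but does not list them, so these are assumed.
MARKING = {
    ("gold", "voip", "upstream"): 46,          # EF
    ("gold", "voip", "downstream"): 46,
    ("gold", "browsing", "downstream"): 26,    # AF31
    ("silver", "p2p", "upstream"): 8,          # CS1
    ("silver", "p2p", "downstream"): 8,
}
# Constructed DSCP -> service mapping used by ToS classification.
DSCP_CLASS = {46: "voip", 26: "browsing", 8: "p2p"}


def ipv4_checksum(header):
    """RFC 791 checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(packet):
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_checksum(packet[:ihl]) == 0


def classify(packet, signature_hint=None, trust_dscp=True):
    """DSCP wins over the signature verdict when trusted (the Flavor precedence
    on the slide). trust_dscp=False models an interface whose markings were
    not set by an operator element and therefore must not be believed."""
    dscp = packet[1] >> 2
    if trust_dscp and dscp in DSCP_CLASS:
        return DSCP_CLASS[dscp]
    return signature_hint or "best-effort"


def remark(packet, package, service, direction):
    """Copy of `packet` with DSCP set per (package, service, direction);
    returned unchanged if no rule matches. ECN bits and the rest are kept."""
    dscp = MARKING.get((package, service, direction))
    if dscp is None:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)          # keep the two ECN bits
    hdr[10:12] = b"\x00\x00"                        # checksum field zeroed first
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def build_sample_packet(tos=0):
    """Constructed 20-byte IPv4 header (UDP, no options) plus 8 payload bytes."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 28, 0x1234, 0, 64, 17, 0,
                                bytes([10, 0, 0, 5]), bytes([198, 51, 100, 7])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + b"\x00" * 8
```

Re-marking is a header rewrite, one of the PDR actions named later in the deck; forgetting the checksum refresh makes the next router discard the packet, and overwriting the ECN bits breaks congestion signalling for the flow, so both are handled explicitly.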
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 113
Summary
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 114
Cisco SCE Sample Customers
[Figure: customer logos grouped by access type: Mobile, DSL, Cable]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 115
[Table: ecosystem partners and customers by solution area, as listed on the slide]
• Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
• Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
• URL Black-listing: Websense, in-platform cache
• Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy
• Customers named on the slide: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW; UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 116
[Table: ecosystem partners and customers by solution area, continued]
• Flash Caching / Video: Oversi, CDS
• Content Infringement: Audible Magic, Advestigo, Altnet
• Management / Reporting: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
• Data Warehousing: Business Objects, Oracle
• Customers named on the slide: various European and Asian operators; European legislators; content providers, initial POCs; Telecom Italia; CYTA; Orange, T-Mobile, Telenet
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 117
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 79
Virus and Malware Protection: Remove Malware Destined to Users
[Figure: User 1 connects through a Carrier Ethernet / MPLS / IP network to the SCE, which diverts selected traffic to a VAS server before it continues to the Internet; an X marks where inbound traffic is blocked]
1. Subscriber 1 attempts to retrieve e-mail from a mail server, or to download a file from a website or a peer application
2. The SCE identifies the subscriber's traffic flows and matches the Virus Protection package
3. The VAS server receives the traffic from the SCE with a VLAN tag used in the communication between User 1 and the server
4. The server transmits the file, which contains a virus or other malware; the VAS server detects the embedded malware and drops the remaining packets, so the file is not loaded on the user's machine
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 80
Network Insertion and Configuration
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 81
Network Insertion Point
• Typical insertion point: Broadband Edge / Aggregation
  – Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
  – Aggregation point further down the network edge
• Support for inline (active) and receive-only (monitoring) configurations
• Issues to consider
  – Traffic visibility (the engine must see all the traffic it needs to control)
  – Network interfaces
  – Split flows
  – Network redundancy
  – IP tunneling environment
[Figure: network diagram showing the insertion point at the edge]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 82
Insertion Concept: SCE is a "Bump-on-a-Wire"
• A stateful analysis engine with application awareness sees all packets in both directions
• The SCE analysis engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
• Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface, and vice versa
[Figure: the analysis engine applies PDR actions (police, drop, rewrite) to packets passing between the subscriber and network interfaces]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 83
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
• Receive-only configuration
  – Using optical splitters / port SPAN
  – Traffic monitoring only
• Inline configuration
  – Engine installed in the data path
  – Monitor and control traffic
[Figure: receive-only SCE fed by optical splitters between subscribers and network; inline SCE placed directly in the data path]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 84
High Availability: Cascading Configurations
• Addresses split flows between the two links
• Provides 1+1 active/standby failover
  – Slave forwards all traffic to Master for processing
  – Master updates Slave with subscriber policy state information
  – Roles switch on failure of the Master
• The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs, one on each active link, cascaded together]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 85
Redundant Configurations: Active/Standby Schemes
1+0
• Active/standby links, SCE on the active link only
• On failure, the network uses the alternate path
• No service redundancy
• Bypass configuration: fail open
1+1
• Active/standby links, SCE on each link
• On failure, the network uses the alternate path
• Standby SCE resumes service
• Bypass configuration: fail open
[Figure: active and standby links in the 1+0 and 1+1 schemes]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 86
Optical Bypass
• The SCE can be inserted through optical bypass modules
• For the SCE8000, the optical bypass modules are activated in the following cases
  – A major failure in the SCE software or hardware
  – Manually via CLI
  – On boot
[Figure: SCE8000 with optical bypass modules on its links; the default bypass state (no power) is shown beside the non-default bypass state]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 87
MGSCP Cluster Insertion: N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
• High availability: provides N+1 device-level high availability, addressing ALL failure scenarios
• Technical concept
  – The 7600 dispatches the flows to a unique port served by an SCE
  – The SCE performs the DPI functionality and returns the packets to the original data path
  – All the flows of a subscriber are dispatched to the same SCE, to maintain flow and subscriber state
[Figure: N+1 SCEs attached to a 7600 between the subscribers and the Internet; flows are dispatched to an SCE and returned to the data path]
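The two properties the slide requires of the dispatcher, that every flow of a subscriber lands on the same SCE and that a failure moves only that SCE's subscribers onto the spare, are shown in the following Python as an added example. It is not Cisco or 7600 code: the page does not describe the real MGSCP load-balancing method, so hashing on the subscriber address is an assumption for illustration, as are the SCE names and the subscriber address range.

```python
# Added example, not Cisco 7600/MGSCP code: subscriber-affine dispatch of
# flows across N active SCEs plus one spare. Hashing on the subscriber
# address is an assumption for illustration; the page does not describe the
# real load-balancing method.
import hashlib
from ipaddress import ip_address, ip_network


class SceCluster:
    def __init__(self, active, spare, subscriber_side="10.0.0.0/8"):
        self.active = list(active)             # N SCEs, e.g. ["sce1", "sce2", "sce3"]
        self.spare = spare                     # the "+1"
        self.failed = None                     # at most one failed SCE is covered
        self.subscriber_side = ip_network(subscriber_side)  # constructed subscriber range

    def subscriber_of(self, src, dst):
        """Key on the subscriber address whichever way the packet travels, so the
        upstream and downstream halves of a flow (and all of that subscriber's
        flows) hash to the same SCE and its per-subscriber state stays on one box."""
        for ip in (ip_address(src), ip_address(dst)):
            if ip in self.subscriber_side:
                return ip
        raise ValueError("neither address is on the subscriber side")

    def dispatch(self, src, dst):
        ip = self.subscriber_of(src, dst)
        digest = hashlib.sha256(ip.packed).digest()
        slot = int.from_bytes(digest[:4], "big") % len(self.active)
        sce = self.active[slot]
        return self.spare if sce == self.failed else sce

    def fail(self, sce):
        """Only the failed SCE's subscribers move (to the spare); the rest keep their SCE."""
        if sce not in self.active:
            raise ValueError("unknown SCE")
        if self.failed is not None:
            raise RuntimeError("N+1 covers a single failed SCE; a second failure loses service")
        self.failed = sce

    def restore(self, sce):
        if sce == self.failed:
            self.failed = None


def distribution(cluster, subscribers, peer="198.51.100.7"):
    """Map each subscriber IP to the SCE that serves it (useful to check balance)."""
    return {ip: cluster.dispatch(ip, peer) for ip in subscribers}
```

Because the dispatch key is the subscriber address and not the 5-tuple, a failover moves a subscriber's state as a unit; a dispatcher keyed on the 5-tuple would split one subscriber across boxes and the per-subscriber quota and policy state the SCE keeps would become inconsistent.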
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 88
Network Architectures: SCE's Open & Extensible Architecture
[Figure: DSL/Fiber subscribers via BRAS/LAC/LNS and mobile subscribers via GGSN reach the Internet through SCEs deployed in N+1, 1+1 HA and bypass HA configurations, with accounting and policy control systems attached]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 89
Tunneling Environment: SCE Supports Tunneled IP Traffic
• Packet inspection supports various packet encapsulation or tunneling techniques, including
  – VLAN 802.1q tagging
  – MPLS traffic engineering
  – L2TP tunneling
  – IP-in-IP tunneling
  – GRE and GTP planned for end of 2009
[Figure: packet stacks showing the IP/TCP payload carried inside l2tp, mpls and ppp encapsulations]
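An inspection engine only sees the real subscriber flow if it can strip the encapsulations listed above before classifying. The Python below is an added example (not Cisco code) of that walk for the encapsulations whose wire formats are public: stacked 802.1Q tags, an MPLS label stack (bottom-of-stack bit, then the IP version nibble, since no EtherType follows the stack) and IP-in-IP. GRE and GTP-U are recognised but left intact, matching the slide's "planned" status, so the caller can decide whether such traffic is bypassed or counted as unclassified. L2TP/PPP is not decoded here. The frames are constructed for the example.

```python
# Added example, not Cisco code: stripping the encapsulations the slide lists
# (stacked 802.1Q tags, an MPLS label stack, IP-in-IP) to reach the IPv4
# packet an inspection engine must classify. GRE and GTP-U are recognised
# but left intact, mirroring the slide's "planned" status. Frames constructed.
import struct

ETH_VLAN, ETH_MPLS_UC, ETH_IPV4 = 0x8100, 0x8847, 0x0800
IPPROTO_IPIP, IPPROTO_GRE, IPPROTO_UDP = 4, 47, 17
GTP_U_PORT = 2152


def decapsulate(frame, max_depth=8):
    """Return (layers_crossed, innermost_ipv4_packet); ValueError on bad input."""
    try:
        return _walk(frame, max_depth)
    except (struct.error, IndexError):
        raise ValueError("truncated frame") from None


def _walk(frame, max_depth):
    layers = []
    off = 14
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while ethertype == ETH_VLAN:           # 802.1Q, possibly stacked (QinQ)
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        layers.append("vlan:%d" % (tci & 0x0FFF))
        off += 4
    if ethertype == ETH_MPLS_UC:
        while True:                        # label(20) | exp(3) | S(1) | ttl(8)
            entry = struct.unpack_from("!I", frame, off)[0]
            layers.append("mpls:%d" % (entry >> 12))
            off += 4
            if entry & 0x100:              # S bit set: bottom of stack
                break
        if frame[off] >> 4 != 4:           # no EtherType follows: check the IP version nibble
            raise ValueError("non-IPv4 payload under MPLS")
    elif ethertype != ETH_IPV4:
        raise ValueError("unsupported EtherType 0x%04x" % ethertype)
    for _ in range(max_depth):             # now at IPv4; unwrap IP-in-IP
        ihl = (frame[off] & 0x0F) * 4
        if ihl < 20 or off + ihl > len(frame):
            raise ValueError("bad IPv4 header")
        proto = frame[off + 9]
        if proto == IPPROTO_IPIP:
            layers.append("ipip")
            off += ihl
            continue
        if proto == IPPROTO_GRE:
            layers.append("gre")           # seen but not stripped
        elif proto == IPPROTO_UDP:
            dport = struct.unpack_from("!H", frame, off + ihl + 2)[0]
            if dport == GTP_U_PORT:
                layers.append("gtp-u")     # seen but not stripped
        return layers, frame[off:]
    raise ValueError("encapsulation depth exceeded")


def ipv4(proto, payload, src=b"\x0a\x00\x00\x05", dst=b"\xc6\x33\x64\x07"):
    """Constructed IPv4 header (checksum left zero; the walker does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload


def sample_qinq_mpls_frame():
    """eth / vlan 100 / vlan 200 / mpls 16 / mpls 17 (S) / ipv4 / ipip / ipv4 / udp:53"""
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    inner = ipv4(IPPROTO_UDP, udp)
    outer = ipv4(IPPROTO_IPIP, inner, src=b"\xc0\xa8\x01\x01", dst=b"\xc0\xa8\x01\x02")
    mpls = struct.pack("!II", (16 << 12) | 64, (17 << 12) | 0x100 | 64)
    tags = struct.pack("!HH", 100, ETH_VLAN) + struct.pack("!HH", 200, ETH_MPLS_UC)
    return b"\x00" * 12 + struct.pack("!H", ETH_VLAN) + tags + mpls + outer


def sample_gtp_frame():
    """eth / ipv4 / udp:2152 (GTP-U), which the walker flags but does not open."""
    udp = struct.pack("!HHHH", 2152, GTP_U_PORT, 8, 0)
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ipv4(IPPROTO_UDP, udp)
```

The depth limit and the truncation checks matter in an inline device: an engine that loops on a malformed label stack or reads past the end of a short frame is a denial-of-service target, so a bad frame raises and is handled by policy rather than crashing the walker.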
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 90
Management and Integration
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 91
What does an SCE solution look like? SCE sits at the access or aggregation layer
• Modular solution: includes SCE devices, management tools and integration APIs
[Figure: the Service Control Engine between subscribers and network; the Subscriber Manager connected to AAA, DHCP, RADIUS and billing; the Collection Manager feeding the reporting tool; Policy Server / Portal, Engage Console and Service Portal attached]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 92
Management and Integrations
Network Management
• Description: FCAPS
• Protocols and tools: SNMP, CLI, SSH
• External software modules: N/A
Policy / Service Configuration
• Description: definition of policies and dissemination to SE devices
• Protocols and tools: SCA-API, GUI, scripts, XML
• External software modules: Service Control Application Suite GUI
Subscriber Management
• Description: dynamic management of subscriber contexts
• Protocols and tools: SM API, RADIUS
• External software modules: Subscriber Manager
Data Collection
• Description: collection of usage data for reporting and billing
• Protocols and tools: NetFlow v9, RDR-Protocol
• External software modules: Collection Manager
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 93
Network Management (FCAPS)
• SNMP (v2)
  – MIB-II
  – Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  – Traps: MIB-II traps, RDR link up/down, link status up/down
• CLI
  – Telnet / SSH
  – Cisco look and feel
  – CLI configuration wizard
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 94
Management - Network Navigator: Single Interface to Manage All Solution Components
• Group devices into sites
  – SCE, CM, SM, database
• Batch management of devices / sites
  – Apply configuration
  – Update signatures
  – Update software
• Common management operations
  – View device status
  – Retrieve log
  – Activate bypass
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 95
Signature Editor
• Customer-defined signatures
• GUI based
• Rich signature language
  – Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 96
Integrated Reporter
• Integrated Java-based reporting tool
• Works with an Oracle, MySQL or Sybase CM backend
• Context sensitive
  – Drill down between reports and configuration
[Figure: real-time report; interactive: click on a top subscriber to activate that subscriber]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 97
Service Security Dashboard
• Integrated console to manage the service security functionality
  – View / load / edit signatures
  – Configure identification thresholds
  – Set up mitigation actions
  – View reports
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 98
Subscriber Management
• Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
• Manages subscriber contexts
  – Subscriber-ID: ID of the subscriber context
  – Network-ID: IP addresses used to map traffic to the context
  – Policy-ID: ID of the policy (package) defining the rules
  – Subscriber quotas: set / add / read usage quota buckets
• Integration into back-office / AAA
  – RADIUS AAA
  – DHCP servers
  – Policy control systems
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 99
Subscriber Manager: Roles
• Abstracts the SCE device network layout: a single point of integration
• Persists subscriber policies across logins
• Push and pull mode
  – Push: login messages are sent directly to the relevant SCE device
  – Pull: the SCE device queries the SM for the mapping of IP addresses
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 100
Subscriber Manager: RADIUS Integration - Push
[Figure: the B-RAS on the network side sends RADIUS accounting to the Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller), which pushes the subscriber mapping down to the SCE serving the subscribers]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 101
Subscriber Manager: RADIUS Integration - Pull
[Figure: the same components as in the push case; here the SCE queries the SM when it sees traffic from an IP it cannot yet map]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
Traffic from Joe (IP 1.2.3.4) reaches the SCE
3. SCE to SM: Who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 102
RADIUS Integration: LEG translation in brief
RADIUS attributes
• User-Name
• NAS-Identifier
• Framed-IP-Address
• Vendor-Specific
DHCP
• yiaddr, chaddr, ciaddr
• Options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
[Figure: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG) translate these attributes into SM Login operations (subscriber ID, domain, mappings, lease time, policy) and Logout operations (subscriber ID, mappings)]
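The push and pull flows and the attribute list above come together in the following Python, an added example that is not Cisco Subscriber Manager or LEG code. It decodes an RFC 2866 Accounting-Request into the Network-ID to Subscriber-ID table the push flow fills and the pull flow queries, using the attributes the slides name (User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific, plus Acct-Status-Type to tell login from logout). Because that table decides which policy is applied to an IP, the Request Authenticator is verified against the shared secret before any record is trusted; otherwise any host able to reach the listener could relabel an address. The vendor sub-attribute number carrying the policy ID (the slides' SCE-VAS-PID) is a placeholder, since the page does not give the real numbering; the shared secret, NAS name and packets are constructed.

```python
# Added example, not Cisco Subscriber Manager code: decoding a RADIUS
# Accounting-Request (RFC 2866) into the Network-ID -> Subscriber-ID table
# that the push flow fills and the pull flow queries. The authenticator is
# checked before anything is trusted. The vendor sub-attribute carrying the
# policy ID is a PLACEHOLDER number; the page does not give the real one.
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ACCOUNTING_REQUEST = 4
USER_NAME, FRAMED_IP, VENDOR_SPECIFIC, NAS_IDENTIFIER, ACCT_STATUS = 1, 8, 26, 32, 40
STATUS_START, STATUS_STOP = 1, 2
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
VSA_POLICY_ID_PLACEHOLDER = 250     # ASSUMED sub-type for the package/policy ID


def parse_attributes(blob):
    """Yield (type, value); each attribute is type, length (incl. 2), value."""
    off = 0
    while off < len(blob):
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute")
        yield atype, blob[off + 2:off + alen]
        off += alen


def verify_request_authenticator(packet, secret):
    """RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_accounting(packet, secret):
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if struct.unpack_from("!H", packet, 2)[0] != len(packet):
        raise ValueError("length mismatch")
    if not verify_request_authenticator(packet, secret):
        raise ValueError("bad Request Authenticator: sender does not hold the shared secret")
    rec = {"policy_id": None}
    for atype, val in parse_attributes(packet[20:]):
        if atype == USER_NAME:
            rec["user"] = val.decode()
        elif atype == FRAMED_IP and len(val) == 4:
            rec["ip"] = str(IPv4Address(val))
        elif atype == NAS_IDENTIFIER:
            rec["nas"] = val.decode()
        elif atype == ACCT_STATUS and len(val) == 4:
            rec["status"] = struct.unpack("!I", val)[0]
        elif atype == VENDOR_SPECIFIC and len(val) >= 4:
            if struct.unpack_from("!I", val)[0] == CISCO_VENDOR_ID:
                for vtype, vval in parse_attributes(val[4:]):
                    if vtype == VSA_POLICY_ID_PLACEHOLDER:
                        rec["policy_id"] = int(vval.decode())
    return rec


class SubscriberManager:
    """Network-ID (IP) -> (Subscriber-ID, Policy-ID), as the slides' internal SDB holds it."""

    def __init__(self, secret):
        self.secret = secret
        self.by_ip = {}

    def handle(self, packet):
        """Push side: apply login/logout as accounting records arrive."""
        rec = decode_accounting(packet, self.secret)
        if rec.get("status") == STATUS_START and "ip" in rec:
            self.by_ip[rec["ip"]] = (rec.get("user"), rec["policy_id"])
        elif rec.get("status") == STATUS_STOP:
            self.by_ip.pop(rec.get("ip"), None)
        return rec

    def who_is(self, ip):
        """Pull side: the SCE asks which subscriber is using an IP."""
        return self.by_ip.get(ip)


def build_accounting(secret, user, ip, status, policy_id=None, ident=7, nas=b"bras-1"):
    """Constructed Accounting-Request with a valid Request Authenticator."""
    def attr(atype, value):
        return bytes([atype, 2 + len(value)]) + value
    attrs = (attr(USER_NAME, user.encode()) + attr(FRAMED_IP, IPv4Address(ip).packed)
             + attr(NAS_IDENTIFIER, nas) + attr(ACCT_STATUS, struct.pack("!I", status)))
    if policy_id is not None:
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + attr(VSA_POLICY_ID_PLACEHOLDER, str(policy_id).encode())
        attrs += attr(VENDOR_SPECIFIC, vsa)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + auth + attrs
```

A real listener would also keep per-NAS secrets and drop duplicate identifiers; the point shown here is that the login message is authenticated with the NAS secret and that a Stop clears the mapping, so a stale IP-to-subscriber entry cannot carry one subscriber's policy over to the next user of that address.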
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 103
Policy Server Integration: API Overview
• SCA BB exposes several APIs for external utilities
• The following APIs are available for integration
  – SCE API: allows direct subscriber management with the SCE (provided in Java)
  – SM API: allows dynamic subscriber management (provided in C, Java)
  – SCE MIB: allows integration for maintenance operations
  – RDRs: allow integration for billing / quota provisioning issues
  – NetFlow v9: allows integration for billing / quota provisioning cases
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 104
Policy Servers Integration: Topology Example
• The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
• The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: the Policy Server connected via API to the Subscriber Manager, which in turn connects via API to the SCE]
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential. Presentation_ID 105
PCEF - Subscriber Policy Enforcement
[Figure: the GGSN (access aggregation and service control) in front of the converged packet core; the SCE, acting as PCEF, sits between the GGSN and the Internet / applications and services (video, VoIP); numbered steps 1 to 5 mark the message flow between the SCE and the PCRF]
• SCE acting as a 3GPP PCEF
• Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
• Communication with the PCRF through a standard Gx interface
• The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 80
Network Insertion and Configuration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 81
Network Insertion Point
Typical insertion point - Broadband EdgeAggregation
Directly after subscriber-aggregator (B-RASCMTS Retail-LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider
Traffic visibility (engine must see all traffic it needs to control)
Network interfaces
Split-flow
Network redundancy
IPTunneling environment
Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability can mark its traffic:
Per Package
Per Service
Per Direction (i.e. Upstream / Downstream)
[Diagram: subscriber side and network side of the SCE, with upstream and downstream flows for Browsing, P2P and VoIP]
ToS Classification
The SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
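The two slides above describe two separate mechanisms: classification, where a configured DSCP value wins over signature matching, and ToS marking, a header-rewrite action applied per service and direction. The following is an added example written for this page, not the SCE's code: it classifies a constructed IPv4 packet by DSCP first and by a toy payload signature otherwise, then re-marks the DSCP field and recomputes the IPv4 header checksum. The Flavor table, the signatures and the marking policy are assumptions for the example (the slide does not list the 7 DSCP values the GUI exposes); the trust_dscp flag makes the slide's assumption explicit that the marking was set by a network element, since an honoured DSCP always takes precedence over what the payload says.

```python
import struct

# DSCP code points (RFC 2474/2597/3246). The slide does not list the 7 DSCP values the
# SCE GUI exposes, so this Flavor-style table is an assumption of the example.
DSCP_EF, DSCP_AF41, DSCP_AF31, DSCP_AF21, DSCP_AF11, DSCP_CS1 = 46, 34, 26, 18, 10, 8
DSCP_FLAVORS = {DSCP_EF: "VoIP", DSCP_AF41: "Video", DSCP_AF31: "Browsing",
                DSCP_AF21: "Browsing", DSCP_AF11: "Bulk", DSCP_CS1: "P2P"}

# Toy payload signatures standing in for the SCE's signature engine (assumed).
SIGNATURES = {b"GET ": "Browsing", b"\x13BitTorrent protocol": "P2P"}

# Assumed marking policy per (service, direction); services not listed keep their DSCP.
MARK_POLICY = {("VoIP", "upstream"): DSCP_EF, ("VoIP", "downstream"): DSCP_EF,
               ("Browsing", "upstream"): DSCP_AF21, ("Browsing", "downstream"): DSCP_AF21,
               ("P2P", "upstream"): DSCP_CS1, ("P2P", "downstream"): DSCP_CS1}


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the header (caller zeroes the checksum field)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, dscp=0, proto=6):
    """Constructed IPv4 packet (20-byte header, no options) used as sample input."""
    tos = dscp << 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def classify(packet, trust_dscp=True):
    """Return (service, method). A configured DSCP value takes precedence over signatures,
    as on the SCE, but only when the marking is trusted (set by an upstream element)."""
    ihl = (packet[0] & 0x0F) * 4
    dscp = packet[1] >> 2
    if trust_dscp and dscp in DSCP_FLAVORS:
        return DSCP_FLAVORS[dscp], "dscp"
    payload = packet[ihl:]
    for pattern, service in SIGNATURES.items():
        if payload.startswith(pattern):
            return service, "signature"
    return "Default", "none"


def remark(packet, dscp):
    """Header-rewrite action: set DSCP, keep the ECN bits and fix the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def process(packet, direction, trust_dscp=True):
    """Classify, then mark per service and direction; returns (service, method, packet)."""
    service, method = classify(packet, trust_dscp)
    target = MARK_POLICY.get((service, direction))
    if target is not None and (packet[1] >> 2) != target:
        packet = remark(packet, target)
    return service, method, packet
```

The second test case below is the one worth studying: a packet that arrives already marked EF is classified as VoIP when the marking is trusted, and as P2P by its payload when it is not, which is exactly why the slide states the assumption that another network element set the bits.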
Summary
Cisco SCE Sample Customers
[Logo grid: Mobile, DSL and Cable customers]
Security & Content Filtering
Policy & Billing
URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Flash Caching / Video
Content Infringement
Management / Reporting
Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Network Insertion Point
Typical insertion point: Broadband Edge / Aggregation
Directly after the subscriber aggregator (B-RAS, CMTS, Retail LNS)
Aggregation point further down the network edge
Support for inline (active) and receive-only (monitoring) configurations
Issues to consider:
Traffic visibility (the engine must see all traffic it needs to control)
Network interfaces
Split flows
Network redundancy
IP tunneling environment
Insertion Concept: SCE is a "Bump-on-a-Wire"
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements business rules via dynamic control policy on a per-subscriber basis (e.g. rate policing, packet drop or header rewrite actions)
Packets are not routed or switched: packets from a subscriber interface always go to the corresponding network interface and vice versa
[Diagram: Analysis Engine applying PDR (Police, Drop, Rewrite) actions]
Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
Using optical splitters or port SPAN
Traffic monitoring only
Inline configuration
Engine installed in the data path
Monitor and control traffic
[Diagram: optical splitters between Subscribers and Network feeding a receive-only SCE]
High Availability: Cascading Configurations
Addresses split flows between the two links
Provides 1+1 Active-Standby failover
The Slave forwards all traffic to the Master for processing
The Master updates the Slave with subscriber policy state information
Roles switch on failure of the Master
The two SCEs must have an identical configuration
[Diagram: Master and Slave SCEs, each on an active link]
Redundant Configurations: Active/Standby Schemes
1+0
Active/Standby: SCE on the active link only
On failure, the network uses the alternate path
No service redundancy
Bypass configuration: fail open
1+1
Active/Standby: SCE on each link
On failure, the network uses the alternate path
The standby SCE resumes service
Bypass configuration: fail open
[Diagram: active and standby links, each with an SCE in the 1+1 scheme]
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000, the optical bypass modules are activated in the following cases:
In case of a major failure in the SCE software or hardware
Manually via CLI
On boot
[Diagram: SCE8000 with optical bypass modules, showing the default bypass state (no power) and the non-default bypass state]
MGSCP Cluster Insertion: N+1 SCEs
Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
Scalability: "buy as you grow" approach (add SCEs as needed), scaling up to 240 Gbps with 8 x 30 Gbps SCE8000s
High Availability: provides N+1 device-level high availability, addressing all failure scenarios
Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
The SCE performs the DPI functionality and returns the packets to the original data path
All the flows of a subscriber are dispatched to the same SCE to maintain flow and subscriber state
[Diagram: N+1 SCEs attached to the 7600 between subscribers and the Internet; flows are dispatched to and returned from the SCEs]
Network Architectures: SCE's Open and Extensible Architecture
[Diagram: SCEs deployed in N+1, 1+1 HA and bypass HA configurations behind a GGSN (Mobile) and BRAS/LAC/LNS (DSL/Fiber), with Accounting/Policy Control systems and the Internet]
Tunneling Environment: SCE Supports Tunneled IP Traffic
Packet inspection supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE and GTP planned for end of 2009
[Diagram: packet stacks showing IP/TCP/Payload carried inside L2TP, MPLS and PPP encapsulations]
Management and Integration
What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
[Diagram: Service Control Engine between Subscribers and the Network, surrounded by the Subscriber Manager, AAA (DHCP, RADIUS), Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager and Policy Server/Portal]
Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy/Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI
Telnet/SSH
Cisco look and feel
CLI configuration wizard
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites
SCE, CM, SM, database
Batch management of devices/sites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activate bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language
Multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
Interactive: click on a Top Subscriber to activate the subscriber
Real-time report
Service Security Dashboard
Integrated console to manage the service security functionality
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager: Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull modes:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager: RADIUS Integration - Push
[Diagram: B-RAS, RADIUS server and Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller) in front of the SCE and the subscribers]
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start is relayed to the Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) The SM pushes Set Subscriber (Joe, 1.2.3.4, 12) to the SCE device
Subscriber Manager: RADIUS Integration - Pull
[Diagram: B-RAS, RADIUS server and Cisco Subscriber Manager (Event Manager, internal SDB, SCE device controller) in front of the SCE and the subscribers]
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start is relayed to the Subscriber Manager: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. When traffic from Joe (IP 1.2.3.4) arrives, the SCE asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM events:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
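The push and pull slides and the LEG table above describe how a RADIUS accounting event becomes a subscriber context (Subscriber-ID, Network-ID mapping, Policy-ID) that the SCE can be given or can query for. The following is an added example, not Cisco's LEG or SM code: it builds a constructed Accounting-Request like the one in the slides (Joe, 1.2.3.4, SCE-VAS-PID=12), verifies the RFC 2866 Request Authenticator before trusting anything in it (a relay that skips this check lets an unauthenticated packet rewrite a subscriber's policy mapping), decodes the attributes the LEG table lists, and feeds them into a stand-in for the SM's internal database that answers the pull-mode "who is using IP" query. The Cisco vendor id 9 is real; the sub-attribute number 250 for SCE-VAS-PID, the shared secret and all subscriber values are assumptions for the example.

```python
import hashlib
import hmac
import struct

# RFC 2865/2866 codes and attribute numbers.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 8, 26
ATTR_NAS_IDENTIFIER, ATTR_ACCT_STATUS_TYPE = 32, 40
ACCT_START, ACCT_STOP = 1, 2
CISCO_VENDOR_ID = 9
# The sub-attribute number carrying SCE-VAS-PID is not given on the slides;
# 250 is an assumed placeholder for this example only.
VSA_SCE_VAS_PID = 250


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_acct_request(secret, ident, user, ip, nas_id, status, pid=None):
    """Constructed Accounting-Request whose Request Authenticator follows RFC 2866 s3."""
    attrs = _avp(ATTR_USER_NAME, user.encode())
    attrs += _avp(ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
    attrs += _avp(ATTR_NAS_IDENTIFIER, nas_id.encode())
    attrs += _avp(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    if pid is not None:  # Cisco VSA: vendor-id, sub-type, sub-length, 4-byte value
        vsa = struct.pack("!BB", VSA_SCE_VAS_PID, 6) + struct.pack("!I", pid)
        attrs += _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_acct_request(packet, secret):
    """Authenticate an Accounting-Request and decode the attributes a LEG uses.
    Raises ValueError for malformed packets or a bad Request Authenticator."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        raise ValueError("Request Authenticator mismatch: wrong shared secret or forged packet")
    decoded, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type == ATTR_USER_NAME:
            decoded["User-Name"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_NAS_IDENTIFIER:
            decoded["NAS-Identifier"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            decoded["Framed-IP-Address"] = ".".join(str(b) for b in value)
        elif attr_type == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            decoded["Acct-Status-Type"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) == 10:
            vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and sub_type == VSA_SCE_VAS_PID and sub_len == 6:
                decoded["SCE-VAS-PID"] = struct.unpack("!I", value[6:])[0]
    return decoded


class SubscriberDB:
    """Stand-in for the SM's internal subscriber database (assumed structure)."""

    def __init__(self):
        self.by_ip = {}   # Network-ID (IP address) -> Subscriber-ID
        self.policy = {}  # Subscriber-ID -> Policy-ID (persists across logins)

    def handle(self, attrs):
        """LEG translation: Acct Start -> login event, Acct Stop -> logout event."""
        sub, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
        status = attrs.get("Acct-Status-Type")
        if sub is None or ip is None or status is None:
            return None
        if status == ACCT_START:
            self.by_ip[ip] = sub
            if "SCE-VAS-PID" in attrs:
                self.policy[sub] = attrs["SCE-VAS-PID"]
            return ("login", sub, ip, self.policy.get(sub))
        if status == ACCT_STOP:
            if self.by_ip.get(ip) == sub:
                del self.by_ip[ip]
            return ("logout", sub, ip)
        return None

    def who_is_using(self, ip):
        """Pull-mode query from the SCE: Network-ID -> (Subscriber-ID, Policy-ID) or None."""
        sub = self.by_ip.get(ip)
        return None if sub is None else (sub, self.policy.get(sub))
```

A login event returns exactly the tuple the slides' Set Subscriber call carries (Joe, 1.2.3.4, 12); in push mode the SM would send it to the SCE immediately, in pull mode it sits in the database until the SCE asks who is using the address.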
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing/quota provisioning issues
NetFlow v9: allows integration for billing/quota provisioning cases
Policy Server Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE connected via API to the Subscriber Manager, which is connected via API to the Policy Server]
PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control), converged packet core, Internet, and applications and services (Video, VoIP), with the SCE acting as PCEF; numbered steps 1 to 5]
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
The SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 82
Insertion ConceptSCE is a ―Bump-on-a-Wire
Stateful Analysis Engine with application awareness sees all packets in both directions
The SCE Analysis Engine implements Business Rules via Dynamic Control Policy on a subscriber basis (ex rate policing packet drop or header rewrite actions)
Packets are not routed or switched packets from a subscriber interface always go to the corresponding network interface and vice-versa
AnalysisEngine
PDR
PDRPoliceDrop Rewrite Actions
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 83
Inline and Receive-Only ConfigurationsNon-Intrusive and Stealthy
Receive-only configuration
Using Optical SplittersPort-Span
Traffic monitoring only
Inline configuration
Engine installed in data-path
Monitor and control traffic
osplitter osplitter
Subscribers Network
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers

Partners and deployments by solution area
Security & Content Filtering; Policy & Billing; URL Black-listing
- NTT, Cable & Wireless, Tiscali
- Vodacom, Cable & Wireless, Watanya, NTT
- Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
- Aladdin, Websense, Adaptive Mobile
- Websense, In-platform Cache
- ONO, YouSee, T-Mobile
- Vodafone, KDG
- Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
- Phorm, Feeva, Adzilla, Local China, Local Italy
- UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
- Oversi, CDS
- Audible Magic, Advestigo, Altnet
- Proxy, Business Objectives, Comability, Aqsacom, Info Vista
- Business Objects, Oracle
- Various European and Asian operators
- European legislators
- Content providers, initial POCs
- Telecom Italia
- CYTA
- Orange, T-Mobile, Telenet

Inline and Receive-Only Configurations: Non-Intrusive and Stealthy
Receive-only configuration
- Using optical splitters or port SPAN
- Traffic monitoring only
Inline configuration
- Engine installed in the data path
- Monitor and control traffic
[Figure: subscribers and network connected through optical splitters to the SCE]

High Availability Cascading Configurations
- Addresses split flows between the two links
- Provides 1+1 Active-Standby failover
- Slave forwards all traffic to Master for processing
- Master updates Slave with subscriber policy state information
- Roles switch on failure of Master
- The two SCEs must have an identical configuration
[Figure: Master and Slave SCEs cascaded, each on an active link]

Redundant Configurations: Active/Standby Schemes
1+0
- Active/Standby SCE on the active link
- On failure the network uses the alternate path
- No service redundancy
- Bypass configuration: fail-open
1+1
- Active/Standby SCE on each link
- On failure the network uses the alternate path
- Standby SCE resumes service
- Bypass configuration: fail-open
[Figure: active and standby links with SCE placement for the 1+0 and 1+1 schemes]

Optical Bypass
- The SCE can be inserted through optical bypass modules
- For the SCE8000, the optical bypass modules are activated in the following cases:
  - A major failure in the SCE software or hardware
  - Manually via CLI
  - On boot
[Figure: SCE8000 with two optical bypass modules, showing the default bypass state (no power) and the non-default bypass state]
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
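The slide states the two properties a cluster dispatcher must keep: every flow of a subscriber lands on the same SCE (stateful DPI needs both directions and all of a subscriber's flows on one box), and a single failure is absorbed by the spare without disturbing the other N devices. The added example below (not Cisco's code, and not how the 7600 actually load-balances) shows one way to get both: hash only the subscriber-side address into a fixed slot table, and on failure let the standby take over exactly the failed device's slot. The SCE names, the SHA-256 slot hash and the single-failure limit are assumptions.

```python
import hashlib
from typing import Dict, List


class NPlusOneDispatcher:
    """N active SCEs plus one standby; every flow of a subscriber goes to the
    same SCE so flow and subscriber state stay on one device."""

    def __init__(self, active: List[str], standby: str):
        self.active = list(active)              # ordered slots, one per dispatch port
        self.standby = standby
        self.replacement: Dict[str, str] = {}   # failed SCE -> SCE now serving its slot

    def _slot_owners(self) -> List[str]:
        return [self.replacement.get(sce, sce) for sce in self.active]

    @staticmethod
    def subscriber_ip(src: str, dst: str, upstream: bool) -> str:
        # Upstream packets carry the subscriber as source, downstream as
        # destination; keying on the subscriber-side address keeps both
        # directions of every flow on the same SCE.
        return src if upstream else dst

    def dispatch(self, src: str, dst: str, upstream: bool) -> str:
        key = self.subscriber_ip(src, dst, upstream).encode()
        digest = hashlib.sha256(key).digest()
        slot = int.from_bytes(digest[:8], "big") % len(self.active)
        return self._slot_owners()[slot]

    def fail(self, sce: str) -> None:
        """The standby takes over exactly the failed SCE's slot; nobody else moves."""
        if sce not in self.active or sce in self.replacement:
            raise ValueError(f"{sce} is not an active, healthy SCE")
        if self.replacement:
            raise RuntimeError("N+1 covers a single device failure")
        self.replacement[sce] = self.standby

    def restore(self, sce: str) -> None:
        """Repaired SCE returns; its subscribers move back from the standby."""
        self.replacement.pop(sce, None)


if __name__ == "__main__":
    d = NPlusOneDispatcher(["sce1", "sce2", "sce3"], "sce-standby")
    print(d.dispatch("10.1.0.9", "198.51.100.7", True))
    d.fail("sce2")
    print(d.dispatch("10.1.0.9", "198.51.100.7", True))
```

Because the slot table is fixed-size and only the failed slot is re-pointed, subscribers on healthy SCEs keep their device and their state through the failover; a naive "rehash over N-1 survivors" would shuffle roughly everyone and drop all in-flight flow state cluster-wide.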

Network Architectures: SCE's Open & Extensible Architecture
[Figure: SCE insertion options (N+1, 1+1 HA, bypass HA) between the access networks (DSL/Fiber via BRAS/LAC/LNS, Mobile via GGSN) and the Internet, with accounting and policy control systems attached]

Packet Inspection: Tunneling Environment - SCE Supports Tunneled IP Traffic
Supports various packet encapsulation and tunneling techniques, including:
- VLAN 802.1q tagging
- MPLS traffic engineering
- L2TP tunneling
- IP-in-IP tunneling
- GRE & GTP planned for end of 2009
[Figure: encapsulation stacks of Payload / TCP / IP beneath L2TP, MPLS and PPP headers]

Management and Integration

What does an SCE solution look like? SCE sits at the access or aggregation layer
- Modular solution includes SCE devices, management tools and integration APIs
[Figure: Service Control Engine between subscribers and the network, surrounded by the Subscriber Manager (integrating AAA, DHCP, RADIUS and billing), Collection Manager, Reporting Tool, Engage Console, Service Portal and Policy Server/Portal]

Management and Integrations
Network Management
- Description: FCAPS
- Protocols and tools: SNMP, CLI, SSH
- External software modules: N/A
Policy/Service Configuration
- Description: definition of policies and dissemination to SE devices
- Protocols and tools: SCA-API, GUI, scripts, XML
- External software modules: Service Control Application Suite GUI
Subscriber Management
- Description: dynamic management of subscriber contexts
- Protocols and tools: SM API, RADIUS
- External software modules: Subscriber Manager
Data Collection
- Description: collection of usage data for reporting and billing
- Protocols and tools: NetFlow v9, RDR protocol
- External software modules: Collection Manager

Network Management (FCAPS)
SNMP (v2)
- MIB-II
- Proprietary SE MIB:
  - Link throughput
  - Flow statistics
  - Subscriber statistics
  - Device performance
  - RDR statistics
- Traps:
  - MIB-II traps
  - RDR link up/down
  - Link status up/down
CLI
- Telnet/SSH
- Cisco look and feel
- CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
- Group devices into sites
  - SCE, CM, SM, database
- Batch management of devices/sites
  - Apply configuration
  - Update signatures
  - Update software
- Common management operations
  - View device status
  - Retrieve log
  - Activate bypass

Signature Editor
- Customer-defined signatures
- GUI based
- Rich signature language
  - Multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
- Integrated Java-based reporting tool
- Works with an Oracle, MySQL or Sybase CM backend
- Context sensitive
- Drill down between reports and configuration
- Interactive: click on a Top Subscriber to activate the Subscriber Real-Time Report

Service Security Dashboard
- Integrated console to manage service security functionality
  - View/load/edit signatures
  - Configure identification thresholds
  - Set up mitigation actions
  - View reports

Subscriber Management
- Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
- Manages subscriber contexts:
  - Subscriber-ID: ID of the subscriber context
  - Network-ID: IP addresses used to map traffic to the context
  - Policy-ID: ID of the policy (package) defining the rules
  - Subscriber-Quotas: set/add/read usage quota buckets
- Integration into back-office/AAA:
  - RADIUS AAA
  - DHCP servers
  - Policy control systems

Subscriber Manager - Roles
- Abstracts the SCE device network layout: a single point of integration
- Persists subscriber policies across logins
- Push and pull modes:
  - Push: login messages are sent directly to the relevant SCE device
  - Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager RADIUS Integration - Push
[Figure: B-RAS, RADIUS server, Cisco Subscriber Manager (RADIUS listener, event manager, internal SDB, SCE device controller) and SCE, with the exchange below]
1. B-RAS to RADIUS server (RADIUS): Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to SM (RADIUS relay): Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. SM to SCE (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager RADIUS Integration - Pull
[Figure: same components as the push case, with the exchange below]
1. B-RAS to RADIUS server (RADIUS): Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4
2. RADIUS relay to SM (RADIUS relay): Acct-Start, Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; the SCE asks the SM "Who is using IP 1.2.3.4?"
4. SM to SCE (SM-API): Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEG Translation in Brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates the network event into an SM Login or Logout:
- Login: subscriber ID, domain, mappings, lease time, policy
- Logout: subscriber ID, mappings
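The push and pull sequences above and the LEG translation table describe one mechanism from two sides: a LEG turns a RADIUS accounting packet or a DHCP message into a Login/Logout event carrying subscriber ID, mappings, lease time and policy, and the SM either pushes the resulting IP-to-subscriber mapping to the SCE or answers the SCE's "who is using this IP" query on first traffic. The added example below (not Cisco's SM or SCE code) models both LEGs, both delivery modes and the "policy persists across logins" rule. The slide's own values (Joe, 1.2.3.4, SCE-VAS-PID=12) are reused; the dict shape of the messages, the SCE stub and the use of DHCP option 82.2 as the subscriber ID are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class Login:
    subscriber_id: str
    mappings: List[str]                 # network IDs (IP addresses)
    policy_id: Optional[int] = None     # package ID; may be absent from the event
    lease_time: Optional[int] = None
    domain: str = "default"


@dataclass
class Logout:
    subscriber_id: str
    mappings: List[str]


Event = Union[Login, Logout]


def radius_leg(acct: dict) -> Optional[Event]:
    """Translate a RADIUS accounting request (dict of attributes) into an SM event."""
    sid, ip = acct.get("User-Name"), acct.get("Framed-IP-Address")
    if not sid or not ip:
        return None                      # nothing to map without both
    status = acct.get("Acct-Status-Type")
    if status == "Start":
        vsa = acct.get("Vendor-Specific", {})
        return Login(sid, [ip], vsa.get("SCE-VAS-PID"),
                     domain=acct.get("NAS-Identifier", "default"))
    if status == "Stop":
        return Logout(sid, [ip])
    return None                          # Interim-Update etc.: no state change here


def dhcp_leg(msg: dict) -> Optional[Event]:
    """Translate a DHCP message; option 82.2 (remote-ID) identifies the
    subscriber, falling back to the client MAC (chaddr)."""
    opts = msg.get("options", {})
    sid = opts.get(82, {}).get(2) or msg.get("chaddr")
    ip = msg.get("yiaddr") or msg.get("ciaddr")
    if not sid or not ip:
        return None
    mtype = opts.get(53)
    if mtype == "ACK":
        pid = opts.get(43, {}).get("SCE-VAS-PID")
        return Login(sid, [ip], pid, lease_time=opts.get(51))
    if mtype == "RELEASE":
        return Logout(sid, [ip])
    return None


class SCE:
    """Minimal stand-in for the device: IP -> (subscriber ID, policy ID)."""
    def __init__(self) -> None:
        self.table: Dict[str, Tuple[str, Optional[int]]] = {}
        self.queries = 0

    def set_subscriber(self, sid: str, ip: str, pid: Optional[int]) -> None:
        self.table[ip] = (sid, pid)

    def remove_subscriber(self, ip: str) -> None:
        self.table.pop(ip, None)

    def lookup(self, ip: str, sm: "SubscriberManager") -> Optional[Tuple[str, Optional[int]]]:
        """Pull mode: on traffic from an unknown IP, ask the SM who is using it."""
        if ip not in self.table:
            self.queries += 1
            answer = sm.who_is_using(ip)
            if answer is None:
                return None
            self.set_subscriber(answer[0], ip, answer[1])
        return self.table[ip]


class SubscriberManager:
    def __init__(self, sce: SCE, mode: str = "push") -> None:
        self.sce, self.mode = sce, mode
        self.sdb: Dict[str, Optional[int]] = {}    # subscriber -> persisted policy
        self.mappings: Dict[str, str] = {}          # IP -> subscriber

    def handle(self, ev: Event) -> None:
        if isinstance(ev, Login):
            if ev.policy_id is not None:
                self.sdb[ev.subscriber_id] = ev.policy_id
            else:
                self.sdb.setdefault(ev.subscriber_id, None)   # reuse persisted policy
            for ip in ev.mappings:
                self.mappings[ip] = ev.subscriber_id
                if self.mode == "push":
                    self.sce.set_subscriber(ev.subscriber_id, ip, self.sdb[ev.subscriber_id])
        else:
            for ip in ev.mappings:                  # policy stays in the SDB on logout
                self.mappings.pop(ip, None)
                self.sce.remove_subscriber(ip)

    def who_is_using(self, ip: str) -> Optional[Tuple[str, Optional[int]]]:
        sid = self.mappings.get(ip)
        return None if sid is None else (sid, self.sdb.get(sid))
```

The Logout path matters as much as Login: a mapping that outlives the session would attach the next holder of the address to the previous subscriber's package and quota, so every LEG must emit Logout on Acct-Stop or DHCP release, and lease time gives the SM a bound for DHCP-based mappings whose release is never seen.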

Policy Server Integration: API Overview
- SCA BB exposes several APIs for external utilities
- The following APIs are available for integration:
  - SCE API - allows direct subscriber management with the SCE (provided in Java)
  - SM API - allows dynamic subscriber management (provided in C, Java)
  - SCE MIB - allows integration for maintenance operation
  - RDRs - allow integration for billing/quota provisioning issues
  - NetFlow v9 - allows integration for billing/quota provisioning cases

Policy Servers Integration: Topology Example
- The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
- The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Figure: SCE connected via API to the Subscriber Manager, which connects via API to the Policy Server]

PCEF - Subscriber Policy Enforcement
[Figure: GGSN, access aggregation and service control (PCEF SCE), converged packet core, Internet, subscriber service control and Video/VoIP applications and services, with numbered steps 1 to 5]
- SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
- Communication with the PCRF through a standard Gx interface
- The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
- SCE supports policy provisioning via the Gx interface over Diameter
- SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
- 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
- Attributes supported include:
  - Called-Station-Id
  - 3GPP-SGSN-IP-Address
  - 3GPP-SGSN-MCC-MNC
  - 3GPP-GPRS-Negotiated-QoS-Profile
  - 3GPP-Charging-Characteristics
- The Gx interface is still under development and will be available in a future release

Collection Manager
- Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
  - NetFlow v9 records are sent to an external NetFlow collector
  - RDRs are sent to the Collection Manager for processing
- Cisco bundled Collection Manager
- Third-party database
- Configurable data granularity:
  - Interval between RDRs
  - Sample rates

Collection Manager: RDR Protocol
- Usage data is streamed from the device using the RDR protocol
  - TCP, binary encoded
  - Support for multiple destinations, failover and subscriptions
- RDR protocol integrated directly into 3rd-party systems
  - Policy control, mediation, home-grown customer systems
[Figure: SCE streaming RDRs over TCP to a mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1 ... Field n]
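The slide gives the shape of the stream (binary records over TCP, each a header followed by Field 0..n, with failover between destinations) but not the wire format. The added example below (not Cisco's code and not the real RDR encoding) uses a hypothetical framing to show the two things an integrator of such a stream must get right: reassembling records across arbitrary TCP segment boundaries, and failing over to the next collector when a write fails. The magic bytes, header layout, field type tags and the transport callback are all assumptions.

```python
import struct
from typing import Callable, List, Tuple, Union

Field = Union[int, str]
Record = Tuple[int, List[Field]]    # (record tag, fields 0..n)
MAGIC = b"RD"                       # hypothetical sync marker
HEADER_LEN = 10                     # magic(2) tag(2) field count(2) body length(4)


def encode_rdr(tag: int, fields: List[Field]) -> bytes:
    """Header + Field 0..n; ints as 8-byte big-endian, strings length-prefixed."""
    body = b""
    for f in fields:
        if isinstance(f, bool) or not isinstance(f, (int, str)):
            raise TypeError(f"unsupported field type {type(f).__name__}")
        if isinstance(f, int):
            body += b"\x01" + struct.pack(">q", f)
        else:
            data = f.encode("utf-8")
            body += b"\x02" + struct.pack(">H", len(data)) + data
    return MAGIC + struct.pack(">HHI", tag, len(fields), len(body)) + body


def decode_fields(body: bytes, count: int) -> List[Field]:
    fields: List[Field] = []
    pos = 0
    for _ in range(count):
        kind = body[pos]
        pos += 1
        if kind == 1:
            (value,) = struct.unpack(">q", body[pos:pos + 8])
            pos += 8
        elif kind == 2:
            (length,) = struct.unpack(">H", body[pos:pos + 2])
            pos += 2
            value = body[pos:pos + length].decode("utf-8")
            pos += length
        else:
            raise ValueError(f"unknown field type {kind}")
        fields.append(value)
    if pos != len(body):
        raise ValueError("field count does not match body length")
    return fields


class RdrStreamDecoder:
    """Reassembles records from a TCP byte stream; segment boundaries fall anywhere."""
    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> List[Record]:
        self.buf += chunk
        out: List[Record] = []
        while len(self.buf) >= HEADER_LEN:
            if self.buf[:2] != MAGIC:
                raise ValueError("stream out of sync")
            tag, count, blen = struct.unpack(">HHI", self.buf[2:HEADER_LEN])
            if len(self.buf) < HEADER_LEN + blen:
                break                                   # wait for the rest of the record
            body = self.buf[HEADER_LEN:HEADER_LEN + blen]
            self.buf = self.buf[HEADER_LEN + blen:]
            out.append((tag, decode_fields(body, count)))
        return out


class FailoverSender:
    """Sends each record to the first reachable destination, in priority order."""
    def __init__(self, destinations: List[str], transport: Callable[[str, bytes], bool]):
        self.destinations = list(destinations)
        self.transport = transport      # assumption: returns False when the write fails

    def send(self, record: Record) -> str:
        payload = encode_rdr(*record)
        for dest in self.destinations:
            if self.transport(dest, payload):
                return dest
        raise ConnectionError("all RDR destinations unreachable")
```

A decoder that drops a stream on the first bad byte is deliberate here: usage records feed billing, and silently resynchronising past corrupted bytes could attribute volume to the wrong subscriber, so the safer failure is to close the connection and let the sender retransmit from its buffer.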

Collection Manager: NetFlow v9 Export
- NetFlow export v9 to support L7 report records
  - Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  - SCE supports the new extensions
- Records equivalent to existing RDR groups:
  - Subscriber Usage (NUR)
  - Package Usage (PUR)
  - Link Usage (LUR)
- Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Figure: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]

Collection Manager: Software Overview
CM-Software
- Unix (Solaris, Linux) Java software
- Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
- Template-driven reporting tool (100+ report templates)
CM-Bundle
- Cisco provides collection software pre-packaged with a DB (Sybase)
- Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 84
High Availability Cascading Configurations
Addressing split -flows between the two links
Providing 1+1 Active-Standby failover
Slave forwards all traffic to Master for processing
Master updates Slave with subscriber policy state information
Roles switch on failure of Master
The two SCEs must have an identical configuration
Master
Slave
Active Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 85
Redundant ConfigurationsActiveStandby Schemes
1+0
ActiveStandby SCE on active link
On failure network uses alternate path
No service redundancy
Bypass config Fail opened
1+1
ActiveStandby SCE on each link
On failure network uses alternate path
Standby SCE resumes service
Bypass config Fail opened
Standby Link
Standby Link
Active Link
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 86
Optical Bypass
The SCE can be inserted through optical bypass modules
For the SCE8000 the Optical Bypass Modules are activated in the following cases
In case of a major failure in the SCE SW or HW
Manually via CLI
On boot
SCE8000
Optical
Bypass
Default bypass state (no power)None default bypass state
Optical
Bypass
10
30
00
20
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager

Network Management (FCAPS)
• SNMP (v2)
  – MIB-II
  – Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
  – Traps: MIB-II traps, RDR-link up/down, link status up/down
• CLI
  – Telnet/SSH
  – Cisco look and feel
  – CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
• Group devices into sites (SCE, CM, SM, database)
• Batch management of devices/sites: apply configuration, update signatures, update software
• Common management operations: view device status, retrieve log, activate/bypass

Signature Editor
• Customer-defined signatures
• GUI based
• Rich signature language: multi-packet, bi-directional patterns, binary characters, string match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
• Integrated Java-based reporting tool
• Works with an Oracle, MySQL or Sybase CM backend
• Context sensitive: drill down between reports and configuration
• Interactive: click on a top subscriber to activate a subscriber real-time report

Service Security Dashboard
• Integrated console to manage the service security functionality
  – View/load/edit signatures
  – Configure identification thresholds
  – Set up mitigation actions
  – View reports

Subscriber Management
• Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
• Manages subscriber contexts:
  – Subscriber-ID: ID of the subscriber context
  – Network-ID: IP addresses used to map traffic to the context
  – Policy-ID: ID of the policy (package) defining the rules
  – Subscriber-Quotas: set/add/read usage quota buckets
• Integration into back-office/AAA: RADIUS AAA, DHCP servers, policy control systems

Subscriber Manager – Roles
• Abstracts the SCE device network layout: a single point of integration
• Persists subscriber policies across logins
• Push and pull mode
  – Push: login messages are sent directly to the relevant SCE device
  – Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager: RADIUS Integration - Push
[Diagram: RADIUS server, B-RAS and network on one side; Cisco Subscriber Manager (RADIUS listener, Event Manager, internal SDB, SCE device controller) in the middle; SCE and subscribers on the other side]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay, to the SM) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API, SM to SCE) Set Subscriber (Joe, 1.2.3.4, 12)

Subscriber Manager: RADIUS Integration - Pull
[Diagram: same components as the push case; the SCE queries the SM when it first sees traffic from an IP it cannot map]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay, to the SM) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE; SCE to SM: "Who is using IP 1.2.3.4?"
4. (SM-API, SM to SCE) Set Subscriber (Joe, 1.2.3.4, 12)

RADIUS Integration: LEGs translation in brief
• RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
• DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
• LEGs feeding the SM: RADIUS LEGs (SCE-Sniffer RADIUS LEG, RADIUS Listener LEG) and DHCP LEGs (CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG)
• Login carries: Subscriber ID, Domain, Mappings, Lease time, Policy
• Logout carries: Subscriber ID, Mappings

Policy Server Integration: API Overview
• SCA BB exposes several APIs for external utilities
• The following APIs are available for integration:
  – SCE API – allows direct subscriber management with the SCE (provided in Java)
  – SM API – allows dynamic subscriber management (provided in C, Java)
  – SCE MIB – allows integration for maintenance operations
  – RDRs – allow integration for billing/quota provisioning
  – NetFlow v9 – allows integration for billing/quota provisioning

Policy Servers Integration: Topology Example
• The SCMS SM is responsible for mapping Network ID to Subscriber ID together with one or more policy servers
• The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
[Diagram: SCE – API – Subscriber Manager – API – Policy Server]

PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control) in the converged packet core, the SCE acting as PCEF between the GGSN and the Internet, with Subscriber Service Control and Video/VoIP applications and services]
• SCE acting as a 3GPP PCEF
• Applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
• Communication with the PCRF through a standard Gx interface
• The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
• SCE supports policy provisioning via the Gx interface over Diameter
• SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
• 3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages. Attributes supported include:
  – Called-Station-Id
  – 3GPP-SGSN-IP-Address
  – 3GPP-SGSN-MCC-MNC
  – 3GPP-GPRS-Negotiated-QoS-Profile
  – 3GPP-Charging-Characteristics
• The Gx interface is still under development and will be available in a future release

Collection Manager
• The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
  – NetFlow v9 records are sent to an external NetFlow collector
  – RDRs are sent to the "Collection Manager" for processing: the Cisco bundled Collection Manager or a third-party database
• Configurable data granularity: interval between RDRs, sample rates

Collection Manager: RDR Protocol
• Usage data is streamed from the device using the RDR Protocol
  – TCP, binary encoded
  – Support for multiple destinations, failover, subscriptions
• RDR-Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Diagram: RDR stream over TCP from the SCE to the mediation/collection platform; each RDR consists of a Header followed by Field 0, Field 1, ... Field n]

Collection Manager: NetFlow v9 Export
• NetFlow Export v9 extended to support L7 report records
  – Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
  – SCE supports the new extensions
• Records equivalent to the existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR)
• Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE exporting to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter)]

Collection Manager: Software Overview
• CM-Software
  – Unix (Solaris, Linux) Java software
  – Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
  – Template-driven reporting tool (100+ report templates)
• CM-Bundle
  – Cisco provides the collection software pre-packaged with a DB (Sybase)
  – Template-driven reporting tool (100+ report templates)

ToS Marking
• ToS marking decoupled from the queuing mechanism
• Provides a simplified GUI configuration based on 7 selected DSCP values
• Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic
  – Per package
  – Per service
  – Per direction (upstream/downstream)
[Diagram: subscriber side and network side of the SCE; upstream and downstream flows for Browsing, P2P and VoIP]

ToS Classification
• SCE provides traffic classification based on ToS bits
• ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
• The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
• DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
[Diagram: customer logos grouped by Mobile, DSL and Cable]

[Table: partners and sample customers by solution area]
• Security & Content Filtering: partners Aladdin, Websense, Adaptive Mobile
• Policy & Billing: partners Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
• URL Black-listing: partners Websense, in-platform cache
• Advertising: partners Phorm, Feeva, Adzilla, local China, local Italy
• Customers named on the slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, C&W, a UK DSL provider, an Italian DSL provider, CTT China Mobile, Korean Telecom

[Table continued: partners and sample customers by solution area]
• Flash Caching / Video: partners Oversi, CDS
• Content Infringement: partners Audible Magic, Advestigo, Altnet
• Management / Reporting and Data Warehousing: Proxy, Business Objectives, Comability, Aqsacom, Info Vista, Business Objects, Oracle
• Customers named on the slide: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet

Optical Bypass
• The SCE can be inserted through optical bypass modules
• For the SCE8000 the optical bypass modules are activated in the following cases:
  – In case of a major failure in the SCE software or hardware
  – Manually via CLI
  – On boot
[Diagram: SCE8000 with optical bypass modules; default bypass state (no power) versus non-default bypass state]

MGSCP Cluster Insertion – N+1 SCEs
• Very cost-effective DPI processing of 10s and 100s of Gbps of traffic
• Scalability – "buy as you grow" approach (add SCEs as needed) for scaling up to 240 Gbps with 8 30 Gbps SCE8000s
• High Availability – provides N+1 device-level high availability addressing ALL failure scenarios
• Technical concept: the 7600 dispatches the flows to a unique port served by an SCE
  – The SCE performs the DPI function and returns the packets to the original data path
  – All flows of a given subscriber are dispatched to the same SCE, so flow and subscriber state is maintained
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 87
MGSCP Cluster Insertion ndash N+1 SCEsbull Very cost-effective DPI processing of 10s and 100s Gbps of traffic
bull Scalability ndash ldquobuy as you growrdquo approach (add SCE as needed) for scaling up to 240Gbps with 8 30Gbps SCE8000s
bull High Availability ndash Provides N+1 device-level high availability addressing ALL failure scenarios
bull Technical concept7600 dispatches the flows to a unique port served by a SCE
The SCE performs DPI functionality and returns the packets to the original data path
All the flows of the subscriber are dispatched to the same SCE for maintaining flow amp subscriber states
Internet
N+1
Flows Return Flows
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 88
N+1
Network ArchitecturesSCElsquos Open amp Extensible Architecture
1+1 HA
Bypass HAs
GGSN
BRASLACLNS
AccountingPolicy Control
DSLFiber
Mobile
Internet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107

Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager – RDR Protocol
Usage data is streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
RDR Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Diagram: the SCE sends an RDR stream (RDR, RDR, RDR, ...) over TCP to the mediation / collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n]

Collection Manager – NetFlow v9 Export
NetFlow Export v9 is used to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to the existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow Collector (NetFlow Reporter)]
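To make the export path concrete, here is an added example of the collector side of NetFlow v9 (the RFC 3954 packet layout); it is not Cisco SCE or Collection Manager code. It shows the two properties a collector consuming this stream must respect: a data FlowSet can only be decoded with the template the exporter sent earlier for that source ID (template-less data is dropped, not guessed), and every length field comes from the wire and is bounds-checked before it is used. The field types are the standard RFC 3954 ones; the SCE's pre-standard L7 extensions are not modelled, and the template ID, addresses and counters in the sample packets are constructed values.

```python
"""NetFlow v9 collector-side decoding (RFC 3954 packet layout).
Added example, not Cisco SCE or Collection Manager code; field types are the
standard RFC 3954 ones, the SCE's pre-standard L7 fields are not modelled."""
import ipaddress
import struct

# Standard NetFlow v9 field types (RFC 3954, section 8)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, sequence, source_id


class NetFlowV9Collector:
    def __init__(self):
        self.templates = {}   # (source_id, template_id) -> [(field_type, length), ...]
        self.records = []     # decoded data records
        self.dropped = 0      # data FlowSets that arrived before their template

    def feed(self, packet):
        if len(packet) < HEADER.size:
            raise ValueError("truncated NetFlow header")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off = HEADER.size
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            # fs_len comes from the wire: never let it index past the datagram
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("FlowSet length exceeds packet")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._templates(source_id, body)
            elif fs_id >= 256:
                self._data(source_id, fs_id, body)
            # 1 = options template, 2..255 reserved: ignored in this example
            off += fs_len

    def _templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("template FlowSet truncated")
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields   # templates are scoped per exporter source_id

    def _data(self, source_id, tid, body):
        tpl = self.templates.get((source_id, tid))
        if tpl is None:
            self.dropped += 1      # layout unknown without the template: drop rather than guess
            return
        rec_len = sum(length for _, length in tpl)
        off = 0
        while off + rec_len <= len(body):   # trailing bytes shorter than one record are padding
            rec = {}
            for ftype, flen in tpl:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                rec[name] = (str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS and flen == 4
                             else int.from_bytes(raw, "big"))
            self.records.append(rec)


# Constructed exporter side, only used to build sample packets offline
TEMPLATE_ID = 256
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, records):
    body = b"".join(records)
    pad = (-len(body)) % 4                      # data FlowSets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + bytes(pad)

def build_packet(source_id, flowsets, count, seq=1):
    return HEADER.pack(9, count, 1000, 1234567890, seq, source_id) + b"".join(flowsets)

def encode_flow(src, dst, sport, dport, proto, nbytes, npkts):
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

def rejects(packet):
    """True if the collector refuses the packet instead of reading out of bounds."""
    try:
        NetFlowV9Collector().feed(packet)
        return False
    except ValueError:
        return True

def demo():
    """Feed a constructed export stream; returns the collector for inspection."""
    c = NetFlowV9Collector()
    flow = encode_flow("10.0.0.5", "198.51.100.7", 51000, 443, 6, 9000, 12)   # constructed sample flow
    # First datagram carries data before any template has been seen: it must be dropped
    c.feed(build_packet(1, [data_flowset(TEMPLATE_ID, [flow])], count=1))
    # Second datagram carries the template followed by the same data: now it decodes
    c.feed(build_packet(1, [template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS),
                            data_flowset(TEMPLATE_ID, [flow])], count=2))
    return c
```

The `dropped` counter is worth exporting as a health metric in a real collector: a persistently non-zero value after start-up means an exporter is re-using template IDs or the template refresh interval is longer than the collector's restart window, and in either case usage records are silently missing from billing and reports.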

Collection Manager – Software Overview
CM-Software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle:
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on a selection of 7 DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
Per package
Per service
Per direction (upstream / downstream)
[Diagram: subscriber side and network side of the SCE, with upstream and downstream flows for browsing, P2P and VoIP]

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
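The two ToS slides above describe a precedence rule (DSCP lookup before signatures) and a marking table keyed by package, service and direction. The following is an added example modelling both; it is not Cisco SCE code. It also carries the caveat that follows from the slide's own assumption: ToS classification is only meaningful when a trusted element set the bits, so a DSCP value arriving from the subscriber side is ignored unless the operator explicitly chooses to trust it, otherwise any subscriber could stamp EF on P2P traffic and be classified into the VoIP service level. The DSCP code points are the standard RFC 2474 / 2597 / 3246 values; the package names, the service names and which seven values the GUI exposes are constructed assumptions, and the `remark` helper preserves the two ECN bits, which a marker must not clobber.

```python
"""DSCP-based classification with a trust boundary, plus DSCP marking per
package / service / direction. Added example, not Cisco SCE code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# DSCP code points (RFC 2474, RFC 2597, RFC 3246); which seven the SCE GUI offers is not on the page
EF, AF41, AF21, CS1, BE = 46, 34, 18, 8, 0


@dataclass
class Packet:
    direction: str                     # "upstream" = from the subscriber side, "downstream" = from the network side
    tos: int                           # IP ToS byte as seen on the wire: DSCP in the top 6 bits, ECN in the low 2
    signature_service: Optional[str] = None   # what signature classification found, if anything


def dscp_of(tos: int) -> int:
    return (tos >> 2) & 0x3F


def remark(tos: int, dscp: int) -> int:
    """Rewrite the DSCP field while preserving the two ECN bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return (dscp << 2) | (tos & 0x03)


class TosPolicy:
    def __init__(self, dscp_to_service: Dict[int, str],
                 marking_table: Dict[Tuple[str, str, str], int],
                 trust_subscriber_marks: bool = False):
        self.dscp_to_service = dscp_to_service        # Flavor-style map, consulted before signatures
        self.marking_table = marking_table            # (package, service, direction) -> DSCP to write
        self.trust_subscriber_marks = trust_subscriber_marks

    def classify(self, pkt: Packet) -> Tuple[str, str]:
        """Return (service, method). A trusted DSCP wins over the signature result."""
        dscp = dscp_of(pkt.tos)
        if pkt.direction == "upstream" and not self.trust_subscriber_marks:
            dscp = BE            # the subscriber set this mark itself: not evidence of anything
        if dscp in self.dscp_to_service:
            return self.dscp_to_service[dscp], "dscp"
        if pkt.signature_service is not None:
            return pkt.signature_service, "signature"
        return "default", "none"

    def mark(self, package: str, service: str, pkt: Packet) -> int:
        """ToS byte to write for this package / service / direction; unchanged when no rule matches."""
        dscp = self.marking_table.get((package, service, pkt.direction))
        return pkt.tos if dscp is None else remark(pkt.tos, dscp)


def build_policy(trust_subscriber_marks: bool) -> TosPolicy:
    # Constructed sample configuration: package "gold", services voip / video / p2p / browsing
    return TosPolicy(
        dscp_to_service={EF: "voip", AF41: "video"},
        marking_table={("gold", "voip", "upstream"): EF,
                       ("gold", "voip", "downstream"): EF,
                       ("gold", "p2p", "downstream"): CS1,
                       ("gold", "browsing", "downstream"): AF21},
        trust_subscriber_marks=trust_subscriber_marks)


def demo() -> dict:
    """Same packet under two trust settings: shows the precedence rule and why trust matters."""
    # Upstream P2P packet whose sender stamped EF on it; ECN bits are ECT(0) = 0b10
    self_marked = Packet("upstream", (EF << 2) | 0b10, signature_service="p2p")
    untrusted, trusted = build_policy(False), build_policy(True)
    return {
        "untrusted": untrusted.classify(self_marked),                      # ("p2p", "signature")
        "trusted": trusted.classify(self_marked),                          # ("voip", "dscp")
        "downstream_voip": untrusted.classify(Packet("downstream", EF << 2)),   # ("voip", "dscp")
        # downstream P2P arriving as AF41 with ECN 0b01 is re-marked to CS1, ECN kept: 0b100001 = 33
        "p2p_remarked_tos": untrusted.mark("gold", "p2p", Packet("downstream", (AF41 << 2) | 0b01, "p2p")),
    }
```

In a deployment the `trust_subscriber_marks` decision is normally made per interface or per upstream element rather than globally: the network-side element that the slide says sets the DSCP is trusted, the subscriber side is not, and anything in between is re-marked at the edge before the SCE sees it.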
Summary

Cisco SCE Sample Customers
[Customer logos, grouped by Mobile, DSL and Cable]

Security & Content Filtering – partners: Aladdin, Websense, Adaptive Mobile
Policy & Billing – partners: Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
URL Black-listing – partners: Websense, in-platform cache
Advertising – partners: Phorm, Feeva, Adzilla, local China, local Italy; customers: UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Other customers shown on the slide: NTT, Cable & Wireless, Tiscali, Vodacom, Watanya, ONO, YouSee, T-Mobile, Vodafone, KDG, Rogers, T-Malaysia, TV Cabo, CampW

Flash Caching / Video – partners: Oversi, CDS
Content Infringement – partners: Audible Magic, Advestigo, Altnet
Management / Reporting – partners: Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Data Warehousing – partners: Business Objects, Oracle
Customers shown on the slide: various European and Asian operators, European legislators, content providers (initial POCs), Telecom Italia, CYTA, Orange, T-Mobile, Telenet

Network Architectures – SCE's Open & Extensible Architecture
[Diagram: SCE deployment options (N+1, 1+1 HA, bypass HAs) between DSL / Fiber access (BRAS, LAC, LNS) or Mobile access (GGSN) and the Internet, with accounting and policy control systems attached]

Packet Inspection – Tunneling Environment: SCE Supports Tunneled IP Traffic
Supports various packet encapsulation or tunneling techniques, including:
VLAN 802.1q tagging
MPLS traffic engineering
L2TP tunneling
IP-in-IP tunneling
GRE & GTP planned for end of 2009
[Diagram: encapsulated packets (l2tp / mpls / ppp headers around IP, TCP and payload) as inspected by the SCE]
Management and Integration

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
[Diagram: Service Control Engine between subscribers and the network, surrounded by the Subscriber Manager (AAA, DHCP, RADIUS, billing), Collection Manager (reporting tool), Engage Console, Service Portal and Policy Server / Portal]

Management and Integrations
Area | Description | Protocols and Tools | External Software Modules
Network Management | FCAPS | SNMP, CLI, SSH | N/A
Policy / Service Configuration | Definition of policies and dissemination to SE devices | SCA-API, GUI, scripts, XML | Service Control Application Suite GUI
Subscriber Management | Dynamic management of subscriber contexts | SM API, RADIUS | Subscriber Manager
Data Collection | Collection of usage data for reporting and billing | NetFlow v9, RDR-Protocol | Collection Manager

Network Management (FCAPS)
SNMP (v2):
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up / down, link status up / down
CLI:
Telnet / SSH
Cisco look and feel
CLI configuration wizard

Management – Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices / sites: apply configuration, update signatures, update software
Common management operations: view device status, retrieve log, activate / bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive: drill down between reports and configuration
Interactive: click on a top subscriber to activate a real-time report for that subscriber

Service Security Dashboard
Integrated console to manage the service security functionality:
View / load / edit signatures
Configure identification thresholds
Set up mitigation actions
View reports

Subscriber Management
The Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set / add / read usage quota buckets
Integration into back-office / AAA:
RADIUS AAA
DHCP servers
Policy control systems

Subscriber Manager – Roles
Abstracts the SCE device network layout: a single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses

Subscriber Manager – RADIUS Integration – Push
[Diagram: B-RAS on the network side; Cisco Subscriber Manager with RADIUS listener, event manager, internal SDB and SCE device controller; SCE; subscribers]
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) pushed to the SCE device

Subscriber Manager – RADIUS Integration – Pull
[Diagram: same components as in the push case]
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE device

RADIUS Integration – LEGs' Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
The LEGs translate these into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
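The push and pull sequences on the preceding slides and the attribute translation above share one mechanism: a RADIUS Accounting-Request carrying User-Name, Framed-IP-Address and a vendor-specific policy attribute is turned into a Set Subscriber (subscriber-id, network-id, policy-id) that the SM pushes to the SCE or serves on a pull query. The following is an added example of that path; it is not Cisco Subscriber Manager or LEG code. The RADIUS framing and the Request Authenticator check are as specified in RFC 2866 (section 3), and that check is the defender's point: an accounting message that does not verify under the shared secret must not be allowed to create, change or remove a subscriber's policy mapping, since whoever can inject accounting packets into the listener otherwise controls which package every IP address is served under. The vendor type number used for SCE-VAS-PID, the default policy id and the shared secret are constructed placeholders; the real VSA number is not on the page.

```python
"""RADIUS Accounting-Request -> subscriber manager login / logout, push and pull,
gated by the RFC 2866 Request Authenticator. Added example, not Cisco SM / LEG code."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2          # Acct-Status-Type values
CISCO_VENDOR_ID = 9                   # IANA private enterprise number for Cisco
VSA_SCE_VAS_PID = 250                 # PLACEHOLDER vendor type for the slide's SCE-VAS-PID (assumption)
DEFAULT_POLICY_ID = 1                 # assumed default package when no policy VSA is present


def _avp(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_acct_request(secret, identifier, user, ip, status, policy_id=None):
    """Build an Accounting-Request the way a B-RAS or the RADIUS relay would."""
    attrs = (_avp(ATTR_ACCT_STATUS, struct.pack("!I", status))
             + _avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed))
    if policy_id is not None:
        inner = struct.pack("!BB", VSA_SCE_VAS_PID, 6) + struct.pack("!I", policy_id)
        attrs += _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def verify_and_parse(packet, secret):
    """Attributes of interest, or None if the packet is malformed or fails the authenticator."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None                           # wrong secret or tampered: never acted upon
    out, off = {}, 0
    while off + 2 <= len(attrs):
        attr_type, attr_len = attrs[off], attrs[off + 1]
        if attr_len < 2 or off + attr_len > len(attrs):
            return None                       # attribute length is untrusted input
        value = attrs[off + 2:off + attr_len]
        off += attr_len
        if attr_type == ATTR_USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif attr_type == ATTR_FRAMED_IP and len(value) == 4:
            out["ip"] = str(ipaddress.IPv4Address(value))
        elif attr_type == ATTR_ACCT_STATUS and len(value) == 4:
            out["status"] = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == VSA_SCE_VAS_PID and vlen == 6 and len(value) >= 10:
                out["policy_id"] = struct.unpack("!I", value[6:10])[0]
    return out


class SubscriberManager:
    def __init__(self, secret):
        self.secret = secret
        self.by_ip = {}        # Network-ID -> (Subscriber-ID, Policy-ID)
        self.pushed = []       # Set Subscriber / remove calls that push mode would send to the SCE
        self.rejected = 0

    def on_radius(self, packet):
        a = verify_and_parse(packet, self.secret)
        if a is None or "user" not in a or "ip" not in a:
            self.rejected += 1
            return
        if a.get("status") == ACCT_START:
            entry = (a["user"], a.get("policy_id", DEFAULT_POLICY_ID))
            self.by_ip[a["ip"]] = entry
            self.pushed.append(("set", a["ip"]) + entry)
        elif a.get("status") == ACCT_STOP:
            current = self.by_ip.get(a["ip"])
            if current is not None and current[0] == a["user"]:   # a stale Stop must not evict a newer login
                del self.by_ip[a["ip"]]
                self.pushed.append(("remove", a["ip"]))

    def who_is_using(self, ip):
        """Pull mode: the SCE asks for the context of an IP it sees traffic from."""
        return self.by_ip.get(ip)


def demo():
    secret = b"constructed-shared-secret"
    sm = SubscriberManager(secret)
    sm.on_radius(build_acct_request(secret, 1, "Joe", "1.2.3.4", ACCT_START, policy_id=12))
    pull = sm.who_is_using("1.2.3.4")          # ("Joe", 12), as on the pull slide
    # An Accounting-Start built without the shared secret: must be rejected, mapping unchanged
    sm.on_radius(build_acct_request(b"wrong-secret", 2, "Joe", "1.2.3.4", ACCT_START, policy_id=1))
    sm.on_radius(build_acct_request(secret, 3, "Joe", "1.2.3.4", ACCT_STOP))
    return sm, pull
```

The `rejected` counter should be alarmed on in a real deployment: RADIUS accounting travels over UDP, so a rise in authenticator failures at the listener is the earliest signal that a NAS has a wrong secret configured or that accounting traffic is arriving from somewhere it should not.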

Policy Server Integration – API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operation
RDRs – allows integration for billing / quota provisioning issues
NetFlow v9 – allows integration for billing / quota provisioning cases
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 89
Packet Inspection
Tunneling EnvironmentSCE Supports Tunneled IP Traffic
Supports Various Packet Encapsulation or Tunneling Techniques including
VLAN 8021q Tagging
MPLS Traffic Engineering
L2TP Tunneling
IP-in-IP Tunneling
GRE amp GTP planned for end of 2009
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
l2tp mpls
Payload
TCP
IP
ppp
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 90
Management and Integration
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 91
Subscriber
Manager
AAA
DHCP
RadiusBilling
Reporting
ToolEngage
Console
Service Portal
Collection Manager
Policy
ServerPortal
Service Control
EngineSubscribers
Network
What does an SCE solution look likeSCE sits at the access or aggregation layer
Modular Solution Includes SCE Devices Management Tools and Integration APIs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS

Subscriber Manager/RADIUS Integration - Pull
Figure: same components as in the push case. Message sequence:
1. (RADIUS) Accounting Start from the B-RAS: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) Accounting Start relayed to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE device, which asks the SM: "Who is using IP 1.2.3.4?"
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12) returned to the SCE device

RADIUS Integration/LEGs Translation in Brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
LEGs (Login Event Generators) feeding the SM:
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
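The push and pull flows and the LEG login/logout translation above, modelled as an added example that is not Cisco's code: the SubscriberManager, SCE, radius_leg and dhcp_leg names, the use of Acct-Status-Type to tell Start from Stop, and all sample RADIUS/DHCP values are assumptions. It shows why an IP-to-subscriber mapping must be dropped on logout, on lease expiry and when an address is reused, so that a new user's traffic is never policed or billed under the previous subscriber.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

@dataclass
class SubscriberContext:
    subscriber_id: str                                   # Subscriber-ID
    network_ids: Set[str] = field(default_factory=set)  # Network-IDs (IPs) mapped to it
    policy_id: int = 0                                   # Policy-ID (package)
    expires_at: Optional[float] = None                   # DHCP lease expiry; None for RADIUS

class SCE:  # stand-in for an SCE device (hypothetical): caches pushed or pulled mappings
    def __init__(self, sm):
        self.sm, self.mappings, self.pulls = sm, {}, 0   # mappings: IP -> context

    def set_subscriber(self, ctx):
        for ip in ctx.network_ids:
            self.mappings[ip] = ctx

    def classify(self, src_ip, now):  # attribute a flow; pull on a miss or a stale lease
        ctx = self.mappings.get(src_ip)
        if ctx is None or (ctx.expires_at is not None and now >= ctx.expires_at):
            self.pulls += 1                       # "Who is using IP ...?"
            ctx = self.sm.lookup(src_ip, now)
            if ctx is None:
                self.mappings.pop(src_ip, None)   # unknown or expired: never keep a stale entry
            else:
                self.set_subscriber(ctx)
        return ctx.subscriber_id if ctx else None

class SubscriberManager:  # hypothetical SM: Network-ID -> subscriber-context, push or pull
    def __init__(self, push):
        self.push, self.sces = push, []
        self.contexts, self.ip_owner = {}, {}  # Subscriber-ID -> context; Network-ID -> Subscriber-ID

    def login(self, sub_id, ip, policy_id, now, lease_time=None):
        # A Network-ID belongs to one context only: evict the previous owner so
        # traffic from a reused address is never policed or billed as that user.
        old = self.ip_owner.get(ip)
        if old is not None and old != sub_id:
            self.logout(old)
        ctx = self.contexts.setdefault(sub_id, SubscriberContext(sub_id))
        ctx.network_ids.add(ip)
        ctx.policy_id = policy_id
        ctx.expires_at = None if lease_time is None else now + lease_time
        self.ip_owner[ip] = sub_id
        if self.push:                             # push mode: straight to every SCE
            for sce in self.sces:
                sce.set_subscriber(ctx)
        return ctx

    def logout(self, sub_id):
        ctx = self.contexts.pop(sub_id, None)
        if ctx is None:
            return None
        for ip in ctx.network_ids:
            self.ip_owner.pop(ip, None)
        for sce in self.sces:                     # drop it wherever it was cached
            for ip in ctx.network_ids:
                sce.mappings.pop(ip, None)

    def lookup(self, ip, now):                    # pull mode: answer an SCE query
        sub_id = self.ip_owner.get(ip)
        ctx = self.contexts.get(sub_id) if sub_id else None
        if ctx and ctx.expires_at is not None and now >= ctx.expires_at:
            self.logout(sub_id)                   # an expired lease counts as a logout
            return None
        return ctx

def radius_leg(sm, attrs, now):  # RADIUS LEG: Accounting Start -> login, Stop -> logout
    if attrs.get("Acct-Status-Type") == "Stop":
        return sm.logout(attrs["User-Name"])
    pid = int(attrs.get("Vendor-Specific", {}).get("SCE-VAS-PID", 0))  # policy via the VSA
    return sm.login(attrs["User-Name"], attrs["Framed-IP-Address"], pid, now)

def dhcp_leg(sm, msg, now):  # DHCP LEG: a DHCPACK (option 53 == 5) maps yiaddr to chaddr
    if msg["options"].get(53) != 5:
        return None
    return sm.login(msg["chaddr"], msg["yiaddr"], 0, now, lease_time=msg["options"][51])

def demo():  # push, pull, lease expiry, address reuse and logout; all values constructed
    out, t = {}, 1000.0
    joe = {"User-Name": "Joe", "Acct-Status-Type": "Start",
           "Framed-IP-Address": "1.2.3.4", "Vendor-Specific": {"SCE-VAS-PID": 12}}
    push_sm, pull_sm = SubscriberManager(push=True), SubscriberManager(push=False)
    push_sce, pull_sce = SCE(push_sm), SCE(pull_sm)
    push_sm.sces, pull_sm.sces = [push_sce], [pull_sce]
    radius_leg(push_sm, joe, t)
    out["push"] = (push_sce.classify("1.2.3.4", t), push_sce.pulls)   # ("Joe", 0)
    radius_leg(pull_sm, joe, t)
    out["pull"] = (pull_sce.classify("1.2.3.4", t),                     # first flow: one query
                   pull_sce.classify("1.2.3.4", t + 1), pull_sce.pulls)  # then cached: ("Joe", "Joe", 1)
    ack = {"chaddr": "00:11:22:33:44:55", "yiaddr": "1.2.3.9", "options": {53: 5, 51: 600}}
    dhcp_leg(pull_sm, ack, t)
    out["lease"] = (pull_sce.classify("1.2.3.9", t + 10), pull_sce.classify("1.2.3.9", t + 700))
    radius_leg(push_sm, {**joe, "User-Name": "Ann"}, t + 50)            # Ann reuses Joe's IP
    out["reuse"] = (push_sce.classify("1.2.3.4", t + 50), "Joe" in push_sm.contexts)
    radius_leg(push_sm, {"User-Name": "Ann", "Acct-Status-Type": "Stop"}, t + 90)
    out["stop"] = push_sce.classify("1.2.3.4", t + 90)                 # None
    return out
```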

Policy Server Integration/API Overview
SCA BB exposes several APIs for external utilities. The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning issues
NetFlow v9 – allows integration for billing/quota provisioning cases

Policy Servers Integration/Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
Figure: SCE <-(API)-> Subscriber Manager <-(API)-> Policy Server

PCEF - Subscriber Policy Enforcement
Figure: GGSN (access aggregation and service control) between the converged packet core and the Internet; the SCE acting as PCEF provides subscriber service control in front of the video/VoIP applications and services
PCEF SCE: the SCE acting as a 3GPP PCEF, applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF/Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include: Called-Station-Id, 3GPP-SGSN-IP-Address, 3GPP-SGSN-MCC-MNC, 3GPP-GPRS-Negotiated-QoS-Profile, 3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release

Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager/RDR Protocol
Usage data is streamed from the device using the RDR protocol:
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR protocol integrated directly into third-party systems: policy control, mediation, home-grown customer platforms
Figure: the SCE sends an RDR stream (RDR, RDR, RDR, ...) over TCP to the mediation/collection platform; each RDR consists of a header followed by Field 0, Field 1, ..., Field n

Collection Manager/NetFlow v9 Export
NetFlow export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Figure: SCMS Collection Manager with the SCMS Reporter; NetFlow Collector with the NetFlow Reporter

Collection Manager/Software Overview
CM-Software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle:
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)

ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability provides the ability to mark traffic:
– Per package
– Per service
– Per direction (upstream/downstream)
Figure: subscriber side and network side of the SCE, with upstream flows and downstream flows for Browsing, P2P and VoIP

ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism

Summary

Cisco SCE Sample Customers
Figure: customer logos grouped by Mobile, DSL and Cable

Solution areas, partners and customers (table cells in extraction order):
Security & Content Filtering; Policy & Billing; URL Black-listing
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, in-platform cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Advertising
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom

Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet

What does an SCE solution look like? The SCE sits at the access or aggregation layer
Modular solution: includes SCE devices, management tools and integration APIs
Figure: the Service Control Engine between the subscribers and the network, surrounded by the Subscriber Manager (fed by AAA, DHCP and RADIUS), Billing, Reporting Tool, Engage Console, Service Portal, Collection Manager and Policy Server/Portal

Management and Integrations
Area: Network Management | Policy/Service Configuration | Subscriber Management | Data Collection
Description: FCAPS | Definition of policies and dissemination to SE devices | Dynamic management of subscriber contexts | Collection of usage data for reporting and billing
Protocols and tools: SNMP, CLI, SSH | SCA-API, GUI, Scripts, XML | SM API, RADIUS | NetFlow v9, RDR-Protocol
External software modules: N/A | Service Control Application Suite GUI | Subscriber Manager | Collection Manager

Network Management (FCAPS)
SNMP (v2):
MIB-II
Proprietary SE MIB: link throughput, flow statistics, subscriber statistics, device performance, RDR statistics
Traps: MIB-II traps, RDR-link up/down, link status up/down
CLI:
Telnet/SSH
Cisco look and feel
CLI configuration wizard

Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites:
Apply configuration
Update signatures
Update software
Common management operations:
View device status
Retrieve log
Activate/bypass

Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns, binary characters, string-match, HTTP User-Agent, HTTP X-Header

Integrated Reporter
Integrated Java-based reporting tool
Works with an Oracle, MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE: click on a Top Subscriber to activate the Subscriber Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 92
Management and Integrations
Network Management
PolicyService Configuration
Subscriber Management
Data Collection
Description FCAPS
Definition of Policies and Dissemination to SE Devices
Dynamic Management of Subscriber Contexts
Collection of Usage Data for Reporting and Billing
Protocols and Tools
SNMP CLI SSH
SCA-API
GUI Scripts
XML
SM API
RADIUS
NetFlow v9
RDR-Protocol
External Software Modules
NAService Control Application Suite GUI
Subscriber Manager
CollectionManager
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 93
Network Management (FCAPS)
SNMP (v2)
MIB-II
Proprietary SE MIBLink throughput
Flows statistics
Subscriber statistics
Device performance
RDR statistics
TrapsMIB-II traps
RDR-link updown
Link status updown
CLI
TelenetSSH
Cisco look and feel
CLI Configuration wizard
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 94
Management - Network NavigatorSingle Interface to Manage All Solution Components
Group devices into sites
SCE CM SM database
Batch management of devicessites
Apply configuration
Update signatures
Update software
Common management operations
View device status
Retrieve log
Activatebypass
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Subscriber Manager/RADIUS Integration - Pull
Diagram: same components as in the push case
1. (RADIUS) The B-RAS sends ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS relay) The RADIUS server relays ACCT Start to the SM: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12; the SM records the mapping in its internal SDB
3. Traffic from Joe (IP 1.2.3.4) reaches the SCE device, which asks the SM: who is using IP 1.2.3.4?
4. (SM-API) The SM answers with Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEG translation in brief
RADIUS attributes used: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP fields used: yiaddr, chaddr, ciaddr; options: Relay-Agent-Information Remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Each LEG translates the AAA/DHCP events into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
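The push and pull flows and the LEG translation above can be exercised end to end. The following is an added example written for this page, not Cisco's LEG or SM code: a RADIUS Listener LEG that verifies the Accounting-Request authenticator (RFC 2866) before translating an Acct-Start into an SM login, plus a toy subscriber database that the SCE queries in pull mode. The slides give only the name SCE-VAS-PID for the package VSA, so its vendor-type number is assumed; the shared secret and the packets are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types (RFC 2865/2866)
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME, ATTR_FRAMED_IP, ATTR_VENDOR_SPECIFIC, ATTR_ACCT_STATUS = 1, 8, 26, 40
ACCT_START, ACCT_STOP = 1, 2
# Assumed VSA numbering: the slides name SCE-VAS-PID but give no vendor-type, so
# vendor-type 1 under Cisco's enterprise number 9 is a hypothetical choice here.
VSA_VENDOR_ID, VSA_SCE_VAS_PID = 9, 1
SECRET = b"constructed-shared-secret"  # constructed for this example

def build_accounting_request(ident, secret, attrs):
    """Accounting-Request with Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) (RFC 2866)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def verify_accounting_request(packet, secret):
    """Verify the Request Authenticator before trusting any attribute: a spoofed
    Acct-Start accepted unverified could rebind an IP to another subscriber's package."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator; dropping")
    attrs, i = [], 0
    while i < len(body):  # walk the Type/Length/Value attribute list
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

class SubscriberManager:
    """Toy SM database: Network-ID (IP) -> (Subscriber-ID, Policy-ID)."""
    def __init__(self):
        self.by_ip = {}
    def login(self, subscriber_id, ip, policy_id):
        self.by_ip[ip] = (subscriber_id, policy_id)
    def logout(self, subscriber_id, ip):
        if self.by_ip.get(ip, (None, None))[0] == subscriber_id:  # owner only
            del self.by_ip[ip]
    def who_is_using(self, ip):
        """Pull mode: the SCE asks which subscriber/package owns an IP it sees traffic from."""
        return self.by_ip.get(ip)

def radius_listener_leg(packet, secret, sm):
    """RADIUS Listener LEG: verify, extract User-Name / Framed-IP-Address / VSA, and
    translate Acct-Start into an SM login and Acct-Stop into a logout."""
    user = ip = status = pid = None
    for t, v in verify_accounting_request(packet, secret):
        if t == ATTR_USER_NAME:
            user = v.decode("utf-8", "replace")
        elif t == ATTR_FRAMED_IP and len(v) == 4:
            ip = str(ipaddress.IPv4Address(v))
        elif t == ATTR_ACCT_STATUS and len(v) == 4:
            status = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(v) == 10:
            vid, vtype, vlen = struct.unpack("!IBB", v[:6])
            if (vid, vtype, vlen) == (VSA_VENDOR_ID, VSA_SCE_VAS_PID, 6):
                pid = struct.unpack("!I", v[6:])[0]
    if user is None or ip is None:
        raise ValueError("no User-Name/Framed-IP-Address: nothing to map")
    if status == ACCT_START:
        sm.login(user, ip, pid)
        return ("login", user, ip, pid)
    if status == ACCT_STOP:
        sm.logout(user, ip)
        return ("logout", user, ip, None)
    return ("ignored", user, ip, None)

def acct_packet(ident, secret, user, ip, status, pid):
    """Constructed Accounting-Request carrying the package ID in a Vendor-Specific attribute."""
    vsa = struct.pack("!IBB", VSA_VENDOR_ID, VSA_SCE_VAS_PID, 6) + struct.pack("!I", pid)
    return build_accounting_request(ident, secret, [
        (ATTR_USER_NAME, user.encode()), (ATTR_FRAMED_IP, ipaddress.IPv4Address(ip).packed),
        (ATTR_ACCT_STATUS, struct.pack("!I", status)), (ATTR_VENDOR_SPECIFIC, vsa)])

def demo():
    """Joe logs in (push), the SCE pulls his mapping, then a forged Acct-Start built
    without the shared secret fails to rebind 1.2.3.4 to another package."""
    sm = SubscriberManager()
    event = radius_listener_leg(acct_packet(7, SECRET, "Joe", "1.2.3.4", ACCT_START, 12), SECRET, sm)
    answer = sm.who_is_using("1.2.3.4")
    try:
        radius_listener_leg(acct_packet(8, b"wrong", "Mallory", "1.2.3.4", ACCT_START, 99), SECRET, sm)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return event, answer, forged_accepted, sm.who_is_using("1.2.3.4")
```

The authenticator check is the point of the example: the SM's IP-to-subscriber mapping decides which package a flow gets, so an Acct-Start that is not bound to the NAS shared secret must not be allowed to rebind an address. A production LEG would also track Acct-Session-Id, handle interim updates, and expire DHCP-derived mappings at lease end.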
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API: allows direct subscriber management on the SCE (provided in Java)
SM API: allows dynamic subscriber management through the SM (provided in C and Java)
SCE MIB: allows integration for maintenance operations
RDRs: allow integration for billing and quota provisioning
NetFlow v9: allows integration for billing and quota provisioning
Policy Servers Integration: Topology Example
The SCMS SM is responsible for mapping Network ID to Subscriber ID, working with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID mapping
Diagram: Policy Server <-API-> Subscriber Manager <-API-> SCE
PCEF - Subscriber Policy Enforcement
Diagram: GGSN (access aggregation and service control) -> converged packet core -> SCE acting as PCEF (subscriber service control) -> Internet and video/VoIP applications and services; the SCE exchanges policy with the PCRF policy server
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF policy server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release
Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
The analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow collector
RDRs are sent to the Collection Manager for processing: either the Cisco bundled Collection Manager or a third-party database
Configurable data granularity: interval between RDRs, sample rates
Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR protocol
TCP, binary encoded
Support for multiple destinations, failover and subscriptions
The RDR protocol is integrated directly into third-party systems: policy control, mediation, home-grown customer platforms
Diagram: SCE -> RDR stream (RDR, RDR, RDR, ...) over TCP -> mediation/collection platform; each RDR is laid out as Header | Field 0 | Field 1 | ... | Field n
Collection Manager: NetFlow v9 Export
NetFlow v9 export to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to the existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
Diagram: the SCE exports RDRs to the SCMS Collection Manager (viewed in the SCMS Reporter) and NetFlow v9 records to a NetFlow Collector (viewed in a NetFlow Reporter)
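The RDR wire format is not given on these slides, but the NetFlow v9 export path uses a public format (RFC 3954), so this added example, not part of the original page or of Cisco's collector software, shows what a collector on the receiving end of the usage export must do: cache templates per exporter source ID, decode data FlowSets only against a template it has actually seen, and aggregate bytes per subscriber IP the way a per-subscriber usage report would. The field set and the export packet are constructed; the SCE's L7 extension fields are a Cisco pre-standard and are not modelled.

```python
import ipaddress
import struct

# Standard NetFlow v9 field types (RFC 3954 section 8). The L7 fields the slide
# mentions are a Cisco pre-standard extension and are not modelled here.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
TEMPLATE_FLOWSET_ID = 0

def decode_field(ftype, raw):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")

def parse_templates(body, source_id, templates):
    """Template FlowSet: (template id, field count, [(type, length)...])*. Templates are
    keyed by exporter source id because template ids are only unique per exporter."""
    off = 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack("!HH", body[off:off + 4])
        off += 4
        fields = []
        for _ in range(nfields):
            if off + 4 > len(body):
                raise ValueError("truncated template")
            fields.append(struct.unpack("!HH", body[off:off + 4]))
            off += 4
        if tid < 256 or not fields:
            raise ValueError("invalid template")
        templates[(source_id, tid)] = fields

def parse_data(body, fields):
    """Data FlowSet: fixed-size records laid out by the template; trailing bytes
    shorter than one record are padding."""
    rec_len = sum(flen for _, flen in fields)
    out, off = [], 0
    while off + rec_len <= len(body):
        rec = {}
        for ftype, flen in fields:
            rec[FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_field(ftype, body[off:off + flen])
            off += flen
        out.append(rec)
    return out

def parse_netflow_v9(packet, templates=None):
    """Parse one export packet. `templates` is the collector's cache across packets; data
    whose template has not been seen is reported as an error, never guessed at."""
    templates = {} if templates is None else templates
    if len(packet) < 20:
        raise ValueError("short header")
    version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            parse_templates(body, source_id, templates)
        elif fs_id >= 256:
            fields = templates.get((source_id, fs_id))
            if fields is None:
                records.append({"error": "unknown template", "flowset": fs_id})
            else:
                records.extend(parse_data(body, fields))
        off += fs_len  # options templates (FlowSet id 1) are skipped in this example
    return {"sequence": seq, "source_id": source_id, "records": records}

def usage_per_subscriber(result):
    """Bytes per subscriber-side source IP: the input to a per-subscriber usage report."""
    totals = {}
    for rec in result["records"]:
        if "error" not in rec:
            totals[rec["ipv4_src_addr"]] = totals.get(rec["ipv4_src_addr"], 0) + rec["in_bytes"]
    return totals

def build_sample_packet(include_template=True):
    """Constructed export packet: template 256 plus two data records for subscriber 1.2.3.4."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))
    data = (rec("1.2.3.4", "198.51.100.10", 51234, 443, 6, 120000, 95)
            + rec("1.2.3.4", "203.0.113.7", 6881, 6881, 17, 4800, 40))
    data += b"\x00" * (-len(data) % 4)  # pad the FlowSet to a 32-bit boundary
    flowsets = struct.pack("!HH", 256, 4 + len(data)) + data
    if include_template:
        tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
        flowsets = struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(tmpl)) + tmpl + flowsets
    header = struct.pack("!HHIIII", 9, 3 if include_template else 2, 1000, 1247000000, 1, 7)
    return header + flowsets
```

A collector that guesses a record layout when the template has not arrived yet produces silently wrong usage figures, which is why the parser flags such FlowSets instead of decoding them; in practice the template cache is also keyed by the exporter's source address and refreshed on each template resend.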
Collection Manager: Software Overview
CM-Software:
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle:
Cisco provides the collection software pre-packaged with a database (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS marking is decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selectable DSCP values
Once an application has been classified, the SCE ToS marking capability can mark its traffic:
- Per package
- Per service
- Per direction (upstream/downstream)
Diagram: subscriber side <- SCE -> network side; upstream and downstream flows for Browsing, P2P and VoIP are marked independently
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
Because the DSCP mark overrides signature-based classification, only marks set by a trusted network element should reach the SCE: marks that subscriber hosts set themselves must be reset at the access edge, otherwise a subscriber can move traffic into a better service class simply by setting the DSCP field
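The two slides above describe ToS marking per package, service and direction, and DSCP-based classification that overrides signatures. This added example, not code from the original page, shows both on constructed IPv4 packets: re-marking that preserves the ECN bits and recomputes the header checksum, a constructed marking policy, and a classifier with the weak setting (trusting subscriber-set marks) beside the corrected one (resetting upstream marks at the trust boundary). The DSCP set, the policy table and the addresses are assumptions; the slides do not list the 7 selectable values.

```python
import ipaddress
import struct

# Standard DSCP code points (RFC 2474, 2597, 3246); the slide's 7 selectable
# values are not listed, so this set is an assumption.
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46, "CS6": 48}

# Constructed marking policy: (package, service, direction) -> DSCP name, i.e. the
# per-package / per-service / per-direction marking the slide describes.
MARKING_POLICY = {
    ("gold", "VoIP", "upstream"): "EF", ("gold", "VoIP", "downstream"): "EF",
    ("gold", "Browsing", "downstream"): "AF21", ("basic", "P2P", "downstream"): "AF11",
}
# Constructed classification table: trusted DSCP value -> service.
DSCP_SERVICES = {DSCP["EF"]: "VoIP", DSCP["AF21"]: "Browsing"}

def ipv4_checksum(header):
    """RFC 1071 ones'-complement sum over the header; returns 0 for a valid checksummed header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, dscp, proto=6, payload=b""):
    """Constructed IPv4 packet with the given DSCP (ToS byte = DSCP << 2 | ECN)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(payload), 0, 0, 64, proto, 0,
                                ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload

def get_dscp(pkt):
    return pkt[1] >> 2

def set_dscp(pkt, dscp):
    """Rewrite DSCP, keep the two ECN bits, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def mark(pkt, package, service, direction):
    """ToS marking after classification: look up the policy and re-mark (default BE)."""
    return set_dscp(pkt, DSCP[MARKING_POLICY.get((package, service, direction), "BE")])

def classify(pkt, direction, signature_service, trust_subscriber_marks=False):
    """DSCP takes precedence over the signature result, as on the slide. Upstream packets
    come from subscriber hosts that can set DSCP themselves, so their marks are reset to BE
    at the trust boundary unless the weak setting trust_subscriber_marks is enabled."""
    if direction == "upstream" and not trust_subscriber_marks:
        pkt = set_dscp(pkt, DSCP["BE"])
    return DSCP_SERVICES.get(get_dscp(pkt), signature_service), pkt

def demo():
    """A P2P client marks its own upstream packets EF to look like VoIP."""
    p2p = build_ipv4("1.2.3.4", "203.0.113.7", DSCP["EF"], proto=6)
    weak, _ = classify(p2p, "upstream", "P2P", trust_subscriber_marks=True)
    fixed, cleaned = classify(p2p, "upstream", "P2P")
    voip = classify(build_ipv4("198.51.100.10", "1.2.3.4", DSCP["EF"], proto=17), "downstream", "unknown")[0]
    return weak, fixed, get_dscp(cleaned), ipv4_checksum(cleaned[:20]), voip
```

With the weak setting the subscriber's self-marked P2P flow is classified as VoIP; with the trust boundary in place the mark is cleared and the signature result (P2P) wins. Downstream marks set by the operator's own network elements are still honoured.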
Summary
Cisco SCE Sample Customers (customer logos grouped by segment: Mobile, DSL, Cable)
Partner ecosystem and customers by solution area (logo table):
Solution areas: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
Partners: Aladdin, Websense, Adaptive Mobile; Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS; Websense, in-platform cache; Phorm, Feeva, Adzilla, local China, local Italy
Customers: NTT, Cable & Wireless, Tiscali; Vodacom, Cable & Wireless, Watanya, NTT; ONO, YouSee, T-Mobile; Vodafone, KDG; Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W; UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom
Solution areas: Flash Caching/Video; Content Infringement; Management/Reporting; Data Warehousing
Partners: Oversi, CDS; Audible Magic, Advestigo, Altnet; Proxy, Business Objectives, Comability, Aqsacom, InfoVista; Business Objects, Oracle
Customers: various European and Asian operators; European legislators; content providers (initial POCs); Telecom Italia; CYTA; Orange, T-Mobile, Telenet
Management - Network Navigator: Single Interface to Manage All Solution Components
Group devices into sites: SCE, CM, SM, database
Batch management of devices/sites:
Apply configuration
Update signatures
Update software
Common management operations:
View device status
Retrieve log
Activate/bypass
Signature Editor
Customer-defined signatures
GUI based
Rich signature language: multi-packet, bi-directional patterns; binary characters; string match; HTTP User-Agent; HTTP X-Header
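A small illustration of the signature types listed above (multi-packet, bi-directional, binary pattern, string match, HTTP User-Agent and X- header), written for this page rather than taken from the SCE signature editor or its signature language: a flow classifier that reassembles each direction and requires both sides to match before naming a service. The signatures and sample flows are constructed; the BitTorrent handshake prefix is the real protocol fingerprint, while the "ExampleApp" user agent and the X-App-Id header are hypothetical.

```python
import re

# Sample signatures, constructed for this example. The BitTorrent handshake really
# does begin with 0x13 "BitTorrent protocol"; "ExampleApp" and X-App-Id are hypothetical.
# Order matters: the most specific signature is listed before the generic one.
SIGNATURES = [
    {"name": "BitTorrent",  # binary pattern, required in both directions
     "client": rb"^\x13BitTorrent protocol", "server": rb"^\x13BitTorrent protocol"},
    {"name": "MobileApp-X",  # HTTP User-Agent string match plus an X- header constraint
     "client": rb"^(GET|POST) .*\r\nUser-Agent: ExampleApp/", "server": rb"^HTTP/1\.[01] \d{3}",
     "headers": {"X-App-Id": rb"^[0-9a-f]{8}$"}},
    {"name": "HTTP-Browsing",  # generic request line / status line
     "client": rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", "server": rb"^HTTP/1\.[01] \d{3}"},
]

def http_headers(payload):
    """Header fields of the first HTTP message in a payload, or None if there is no header block."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().decode("latin-1")] = value.strip()
    return headers

def reassemble(packets):
    """Join one direction's payloads in order: the multi-packet part of a signature."""
    return b"".join(packets)

def classify_flow(client_bytes, server_bytes):
    """Bi-directional match: the client's opening bytes AND the server's reply must match,
    so a one-sided spoofed banner does not classify the flow."""
    for sig in SIGNATURES:
        if not re.search(sig["client"], client_bytes, re.DOTALL):
            continue
        if not re.search(sig["server"], server_bytes, re.DOTALL):
            continue
        hdrs = http_headers(client_bytes) or {}
        if all(re.search(pat, hdrs.get(h, b"")) for h, pat in sig.get("headers", {}).items()):
            return sig["name"]
    return "unclassified"

# Constructed sample flows: (client packets, server packets) for each case.
FLOWS = {
    "bittorrent": ([b"\x13BitTorrent protocol" + bytes(8) + b"\xaa" * 20],
                   [b"\x13BitTorrent protocol" + bytes(8)]),
    "browser": ([b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n", b"User-Agent: Mozilla/5.0\r\n\r\n"],
                [b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"]),
    "app": ([b"POST /api HTTP/1.1\r\nHost: api.example.test\r\nUser-Agent: ExampleApp/2.1\r\n"
             b"X-App-Id: deadbeef\r\n\r\n{}"], [b"HTTP/1.1 200 OK\r\n\r\n"]),
    "fake-app": ([b"POST /api HTTP/1.1\r\nUser-Agent: ExampleApp/2.1\r\nX-App-Id: not-hex!\r\n\r\n"],
                 [b"HTTP/1.1 200 OK\r\n\r\n"]),
    "one-sided-bt": ([b"\x13BitTorrent protocol" + bytes(8)], [b"SSH-2.0-OpenSSH_8.9\r\n"]),
}

def classify_all():
    """Classify every sample flow; returns {flow name: service}."""
    return {name: classify_flow(reassemble(c), reassemble(s)) for name, (c, s) in FLOWS.items()}
```

The browser flow shows the multi-packet case (the User-Agent header arrives in a second packet), the fake-app flow falls through to the generic HTTP signature because its X-App-Id fails the header constraint, and the one-sided BitTorrent banner stays unclassified because the server side never matched.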
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 95
Signature Editor
Customer defined signatures
GUI based
Rich signature language
Multi-packet Bi-Directional Patterns Binary Characters String-Match HTTP
User-Agent HTTP X-Header
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 96
Integrated Reporter
Integrated Java-based reporting tool
Works with Oracle MySQL or Sybase CM backend
Context sensitive
Drill down between reports and configuration
INTERACTIVE Click on Top Subscriber to Activate Subscriber
Real-Time Report
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 97
Service Security Dashboard
Integrated console to manage service security functionality
Viewloadedit signatures
Configuration identification thresholds
Setup mitigation actions
View reports
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates
Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destination/failover subscriptions
RDR Protocol integrated directly into third-party systems: policy control, mediation, home-grown customer systems
[Diagram: SCE --RDR Protocol over TCP--> Mediation/Collection Platform; RDR stream = RDR, RDR, ..., RDR; each RDR = Header, Field 0, Field 1, ..., Field n]
Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors, including Cisco NFC 6.0
[Diagram: SCE -> SCMS Collection Manager -> SCMS Reporter; SCE -> NetFlow Collector -> NetFlow Reporter]
Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides the collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selected DSCP values
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
– Per Package
– Per Service
– Per Direction (i.e. Upstream / Downstream)
[Diagram: Subscriber Side <-> SCE <-> Network Side; upstream flows and downstream flows for Browsing, P2P and VoIP]
ToS Classification
SCE provides traffic classification based on ToS bits
ToS-based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism
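The precedence rule and the per-package/service/direction marking from the two ToS slides, as an added example in Python that is not SCE code: the DSCP flavor is checked before signatures, the slides' assumption that another element set the DSCP is made an explicit trust flag, and the marking table is kept separate from classification. Service names, signature patterns, package IDs and DSCP values are constructed.

```python
"""Added example (not SCE code): classification precedence and ToS marking as the two ToS
slides describe them. Service names, signature patterns, package IDs and DSCP values are
constructed; the slides' assumption that another element set the DSCP is an explicit flag."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UPSTREAM, DOWNSTREAM = "upstream", "downstream"  # subscriber->network, network->subscriber


@dataclass(frozen=True)
class Flow:
    direction: str
    dscp: int          # value carried in the IP DS field (0..63) when the flow arrives
    payload: bytes     # first payload bytes, used for signature matching
    package_id: int    # subscriber's package, already resolved via the Subscriber Manager


# Flavor mechanism: a DSCP value pre-set by another network element selects the service directly.
DSCP_FLAVORS: Dict[int, str] = {46: "VoIP", 34: "Video"}

# Signature classification (constructed patterns, not SCE's signature set).
SIGNATURES: List[Tuple[bytes, str]] = [
    (b"GET ", "Browsing"), (b"\x13BitTorrent", "P2P"), (b"SIP/2.0", "VoIP")]

# Marking table keyed by (package, service, direction); it is decoupled from queuing, so
# an entry only rewrites the DS field and never changes how the flow is scheduled here.
MARKING: Dict[Tuple[int, str, str], int] = {
    (1, "VoIP", UPSTREAM): 46, (1, "VoIP", DOWNSTREAM): 46,
    (1, "P2P", UPSTREAM): 8, (1, "P2P", DOWNSTREAM): 8,   # CS1 for package 1's P2P
    (2, "P2P", DOWNSTREAM): 16,                            # package 2 marks P2P CS2
}


def classify(flow: Flow, trust_dscp: bool = True) -> Tuple[str, str]:
    """Return (service, method). A known DSCP flavor wins over signatures when the incoming
    marking is trusted; otherwise signatures are tried, then the default service."""
    if trust_dscp and flow.dscp in DSCP_FLAVORS:
        return DSCP_FLAVORS[flow.dscp], "dscp-flavor"
    for pattern, service in SIGNATURES:
        if flow.payload.startswith(pattern):
            return service, "signature"
    return "Default", "none"


def mark(flow: Flow, service: str) -> Optional[int]:
    """DSCP to write for this package/service/direction, or None to leave the field as is."""
    return MARKING.get((flow.package_id, service, flow.direction))


def process(flow: Flow, trust_dscp: bool = True) -> dict:
    """Classify, then mark: what leaves the SCE for this flow."""
    service, method = classify(flow, trust_dscp)
    new_dscp = mark(flow, service)
    return {"service": service, "method": method,
            "dscp_out": flow.dscp if new_dscp is None else new_dscp}
```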
Summary
Cisco SCE Sample Customers
[Customer logos grouped by segment: Mobile, DSL, Cable]
Security & Content Filtering | Policy & Billing | URL Black-listing | Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, C&W
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT China Mobile, Korean Telecom
Flash Caching/Video | Content Infringement | Management/Reporting | Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian operators
European legislators
Content providers, initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
Service Security Dashboard
Integrated console to manage service security functionality:
View/load/edit signatures
Configure identification thresholds
Set up mitigation actions
View reports
Subscriber Management
Cisco Subscriber Manager (SM) serves as the integration point for "subscriber-aware" solutions
Manages subscriber contexts:
Subscriber-ID: ID of the subscriber context
Network-ID: IP addresses used to map traffic to the context
Policy-ID: ID of the policy (package) defining the rules
Subscriber-Quotas: set/add/read usage quota buckets
Integration into back-office/AAA:
RADIUS AAA
DHCP servers
Policy control systems
Subscriber Manager – Roles
Abstracts the SCE device network layout: single point of integration
Persists subscriber policies across logins
Push and pull mode:
Push: login messages are sent directly to the relevant SCE device
Pull: the SCE device queries the SM for the mapping of IP addresses
Subscriber Manager RADIUS Integration - Push
[Diagram: SUBSCRIBERS -> NETWORK -> B-RAS -> RADIUS server (RADIUS relay) -> Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller) -> SCE]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
3. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
Subscriber Manager RADIUS Integration - Pull
[Diagram: SUBSCRIBERS -> NETWORK -> B-RAS -> RADIUS server (RADIUS relay) -> Cisco Subscriber Manager (Event Manager, Internal SDB, SCE device Controller) <-> SCE]
1. (RADIUS) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4
2. (RADIUS RELAY) ACCT Start: Username=Joe, Framed-IP-Address=1.2.3.4, SCE-VAS-PID=12
Traffic from Joe (IP 1.2.3.4) reaches the SCE
3. SCE asks the SM: who is using IP 1.2.3.4?
4. (SM-API) Set Subscriber (Joe, 1.2.3.4, 12)
RADIUS Integration: LEGs translation in brief
RADIUS attributes: User-Name, NAS-Identifier, Framed-IP-Address, Vendor-Specific
DHCP: yiaddr, chaddr, ciaddr; options: Relay-agent-information remote-ID (82.2), lease-time (51), vendor-specific (43), message-type (53)
RADIUS LEGs: SCE-Sniffer RADIUS LEG, RADIUS Listener LEG
DHCP LEGs: CNR LEG, SCE-Sniffer DHCP LEG, DHCP lease query LEG
Translation into SM operations:
Login: Subscriber ID, Domain, Mappings, Lease time, Policy
Logout: Subscriber ID, Mappings
[Diagram: RADIUS LEGs and DHCP LEGs -> SM]
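The push and pull flows on the preceding two slides and the LEG translation above, as an added example that is not Cisco's SM or LEG code: a toy Subscriber Manager in Python that turns RADIUS Accounting and DHCP messages into Login/Logout operations on a subscriber context, pushes mappings to a stand-in SCE or answers the SCE's pull query, keeps the policy across logins, and replaces a stale mapping when an IP address is re-used. Attribute names follow the slides; treating SCE-VAS-PID as the package ID, the DHCP subscriber key, the FakeSce class and the sample messages are assumptions.

```python
"""Toy Subscriber Manager (added example, not Cisco SM/LEG code) modelling the slides'
LEG translation, push/pull modes and policy persistence. Message shapes, SCE-VAS-PID
as package ID, the DHCP subscriber key and the FakeSce stand-in are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SubscriberContext:
    subscriber_id: str
    mappings: List[str] = field(default_factory=list)  # Network-IDs (IPs) mapped to the context
    policy_id: int = 0                                  # Policy-ID: package whose rules apply
    domain: str = "default"
    lease_time: Optional[int] = None


class FakeSce:
    """Stand-in for one SCE device (constructed): records what the SM pushed to it."""
    def __init__(self) -> None:
        self.table: Dict[str, Tuple[str, int]] = {}  # ip -> (subscriber_id, policy_id)

    def push_login(self, ip: str, subscriber_id: str, policy_id: int) -> None:
        self.table[ip] = (subscriber_id, policy_id)

    def push_logout(self, ip: str) -> None:
        self.table.pop(ip, None)


class SubscriberManager:
    def __init__(self, mode: str, sce: FakeSce) -> None:
        if mode not in ("push", "pull"):
            raise ValueError("mode must be 'push' or 'pull'")
        self.mode, self.sce = mode, sce              # one SCE; a real SM keeps a device map
        self.sdb: Dict[str, SubscriberContext] = {}  # internal SDB keyed by Subscriber-ID
        self.ip_index: Dict[str, str] = {}           # Network-ID -> Subscriber-ID
        self.audit: List[str] = []

    def provision(self, subscriber_id: str, policy_id: int) -> None:
        """Policy-server path over the SM API: set the package before any network mapping."""
        self.sdb.setdefault(subscriber_id, SubscriberContext(subscriber_id)).policy_id = policy_id

    def radius_accounting(self, attrs: dict) -> str:
        """RADIUS LEG: Accounting Start -> Login, Accounting Stop -> Logout."""
        status, user, ip = attrs.get("Acct-Status-Type"), attrs["User-Name"], attrs["Framed-IP-Address"]
        if status == "Start":
            pid = attrs.get("Vendor-Specific", {}).get("SCE-VAS-PID")  # package ID, may be absent
            self.login(user, [ip], None if pid is None else int(pid),
                       domain=attrs.get("NAS-Identifier", "default"))
            return "login"
        if status == "Stop":
            self.logout(user, [ip])
            return "logout"
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")

    def dhcp_ack(self, msg: dict) -> bool:
        """DHCP LEG: an ACK (option 53 == 5) becomes a Login. Subscriber-ID is the option 82.2
        remote-ID, else chaddr (assumption); option 51 is the lease time."""
        opts = msg["options"]
        if opts.get(53) != 5:
            return False
        sid = opts.get(82, {}).get(2) or msg["chaddr"]
        self.login(sid, [msg["yiaddr"]], lease_time=opts.get(51))
        return True

    def login(self, subscriber_id: str, mappings: List[str], policy_id: Optional[int] = None,
              domain: str = "default", lease_time: Optional[int] = None) -> None:
        ctx = self.sdb.get(subscriber_id)
        if policy_id is None:
            if ctx is None:
                raise ValueError(f"no policy known for new subscriber {subscriber_id}")
            policy_id = ctx.policy_id  # persisted from an earlier login or provisioning
        for ip in mappings:
            holder = self.ip_index.get(ip)
            if holder is not None and holder != subscriber_id:
                # IP re-used before the old Stop arrived: drop the stale mapping so the new
                # traffic is neither accounted to nor policed as the previous subscriber.
                self.audit.append(f"{ip}: stale mapping to {holder} replaced by {subscriber_id}")
                self._unmap(holder, ip)
        if ctx is None:
            ctx = self.sdb[subscriber_id] = SubscriberContext(subscriber_id)
        ctx.policy_id, ctx.domain, ctx.lease_time = policy_id, domain, lease_time
        for ip in mappings:
            if ip not in ctx.mappings:
                ctx.mappings.append(ip)
            self.ip_index[ip] = subscriber_id
            if self.mode == "push":  # push mode: the login goes straight to the SCE
                self.sce.push_login(ip, subscriber_id, policy_id)

    def _unmap(self, subscriber_id: str, ip: str) -> None:
        ctx = self.sdb.get(subscriber_id)
        if ctx is not None and ip in ctx.mappings:
            ctx.mappings.remove(ip)
        self.ip_index.pop(ip, None)
        if self.mode == "push":
            self.sce.push_logout(ip)

    def logout(self, subscriber_id: str, mappings: List[str]) -> None:
        """Only the mappings go; the context and its policy stay for the next login."""
        for ip in mappings:
            if self.ip_index.get(ip) == subscriber_id:
                self._unmap(subscriber_id, ip)

    def lookup(self, ip: str) -> Optional[Tuple[str, int]]:
        """Pull mode: the SCE asks 'who is using IP x?' on first traffic from an unknown IP."""
        sid = self.ip_index.get(ip)
        return None if sid is None else (sid, self.sdb[sid].policy_id)
```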
Policy Server Integration: API Overview
SCA BB exposes several APIs for external utilities
The following APIs are available for integration:
SCE API – allows direct subscriber management with the SCE (provided in Java)
SM API – allows dynamic subscriber management (provided in C, Java)
SCE MIB – allows integration for maintenance operations
RDRs – allow integration for billing/quota provisioning use cases
NetFlow v9 – allows integration for billing/quota provisioning use cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 98
Subscriber Management
Cisco Subscriber Manager (SM) serves as integration point
―Subscriber-aware solutions
Manages Subscriber-Contexts
Subscriber-ID ID of subscriber-context
Network-ID IP addresses used to map traffic to context
Policy-ID ID of policy (package) defining rules
Subscriber-Quotas setaddread usage quota buckets
Integration into back-officeAAA
RADIUS AAA
DHCP servers
Policy Control Systems
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 99
Subscriber Manager ndash Roles
Abstracts SCE device network layoutmdashsingle point of integration
Persists subscriber policies across logins
Push and pull mode
Push Login messages sent directly to relevant SCE device
Pull SCE device queries SM for mapping of IP addresses
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 100
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Push
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
3
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
Policy Servers Integration: Topology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID, working with one or more policy servers.
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID mapping.
Figure: SCE <-API-> Subscriber Manager <-API-> Policy Server

PCEF - Subscriber Policy Enforcement
Figure: GGSN (Access Aggregation and Service Control), Converged Packet Core, Internet, Subscriber Service Control (PCEF SCE), Video/VoIP Applications and Services, with numbered callouts from the original figure.
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server.
Communication with the PCRF through a standard Gx interface.
The Gx interface is still under development and will be available in a future release.

copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs).
NetFlow v9 records are sent to an external NetFlow Collector.
RDRs are sent to the "Collection Manager" for processing: either the Cisco bundled Collection Manager or a third-party database.
Configurable data granularity: interval between RDRs, sample rates.

Collection Manager: RDR Protocol
Usage data is streamed from the device using the RDR Protocol: TCP, binary encoded, with support for multiple destinations, failover and subscriptions.
The RDR Protocol can be integrated directly into third-party systems: policy control, mediation, home-grown customer platforms.
Figure: the SCE sends the RDR stream over TCP to the Mediation/Collection Platform; each RDR consists of a Header followed by Field 0, Field 1, ..., Field n.

Collection Manager: NetFlow v9 Export
NetFlow Export v9 is used to support L7 report records.
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard; the SCE supports the new extensions.
Records equivalent to existing RDR groups: Subscriber Usage (NUR), Package Usage (PUR), Link Usage (LUR).
The format is supported by various NetFlow collectors, including Cisco NFC 6.0.
Figure: the SCE exports to the SCMS Collection Manager (SCMS Reporter) and to a NetFlow Collector (NetFlow Reporter).

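A collector that receives the export described above has to handle the one property of NetFlow v9 that trips up home-grown tools: the record layout is not fixed but announced in template FlowSets, and the L7 extension fields the slide mentions arrive as field types the collector may not know. The following Python parser is an added example, not Cisco's collector or an SCE export; it implements the RFC 3954 packet framing (header, template FlowSet id 0, data FlowSets with ids from 256 up), decodes a few well-known field types, keeps unknown types as raw bytes, and refuses FlowSet lengths that would run past the packet. The sample export packet is constructed inline; field type 300 in it stands in for a vendor extension and is an assumption, not an SCE field number.

```python
"""Parse NetFlow v9 export packets (RFC 3954 framing), such as the usage
records described on slide 109 (added illustration, not Cisco code)."""
import ipaddress
import struct

HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId

# Well-known v9 field types. The Cisco L7 pre-standard extensions mentioned on
# the slide are not listed on the page, so any other type is kept as raw bytes.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def decode_field(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if ftype in FIELD_NAMES:
        return int.from_bytes(raw, "big")
    return raw                                   # unknown/vendor type: raw bytes


def parse_v9(packet, templates):
    """Return the data records of one export packet. `templates` maps
    (source_id, template_id) -> [(type, length), ...] and must persist across
    packets: a data FlowSet whose template has not been seen yet is skipped."""
    if len(packet) < HEADER.size:
        raise ValueError("short NetFlow header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, off = [], HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")   # never read past the datagram
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                               # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack_from("!HH", body, p + 4 * k) for k in range(nfields)]
                p += 4 * nfields
                if tid >= 256 and nfields:           # ids < 256 are reserved; zeros are padding
                    templates[(source_id, tid)] = fields
        elif fs_id >= 256:                           # data FlowSet
            fields = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in fields) if fields else 0
            p = 0
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, "TYPE_%d" % ftype)] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
            # any bytes left (< rec_len) are FlowSet padding
        off += fs_len                                # id 1 (options template) is skipped
    return records


def sample_export():
    """Constructed export: template 256 with three standard fields and one
    assumed vendor type (300, 2 bytes), followed by two data records."""
    fields = [(1, 4), (2, 4), (8, 4), (300, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec1 = struct.pack("!II4s2s", 1500, 10, ipaddress.IPv4Address("10.0.0.1").packed, b"\x00\x07")
    rec2 = struct.pack("!II4s2s", 42, 1, ipaddress.IPv4Address("192.168.1.5").packed, b"\x00\x01")
    data_fs = struct.pack("!HH", 256, 4 + len(rec1) + len(rec2)) + rec1 + rec2
    header = HEADER.pack(9, 3, 1000, 1247000000, 1, 7)   # count = 1 template + 2 records
    return header + tmpl_fs + data_fs
```

Keep the `templates` dictionary for the lifetime of the collector and key it by source id as well as template id: two SCEs may both use template 256 with different layouts, and a record decoded against the wrong template produces plausible-looking but wrong usage numbers.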
Collection Manager: Software Overview
CM-Software: Unix (Solaris, Linux) Java software; the collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase); template-driven reporting tool (100+ report templates).
CM-Bundle: Cisco provides the collection software pre-packaged with a DB (Sybase); template-driven reporting tool (100+ report templates).

ToS Marking
ToS Marking is decoupled from the queuing mechanism.
Provides a simplified GUI configuration based on 7 selective DSCP values.
Once an application has been classified, the SCE ToS Marking capability provides the ability to mark traffic:
- Per Package
- Per Service
- Per Direction (Upstream / Downstream)
Figure: Subscriber Side and Network Side of the SCE, with upstream and downstream flows for Browsing, P2P and VoIP.

ToS Classification
SCE provides traffic classification based on ToS bits.
ToS-based classification assumes that DSCP or IP-Precedence has been set by another element in the network.
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly.
DSCP-based classification takes precedence over other classification methods (signatures, etc.) and is based on the Flavor mechanism.

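The two ToS slides describe one read path and one write path on the same header byte: classification reads the DSCP (and lets it override signature results), marking rewrites it per package, service and direction. The following Python is an added illustration of both, not SCE code. The seven DSCP values and the marking rules are not listed on the page, so `DSCP_TO_SERVICE` and `MARK_POLICY` are assumed tables built from standard code points (EF, AF41, CS1, BE). The example also carries the caveat the classification slide states: DSCP is only trusted when the mark was set by another network element, because a DSCP set by the endpoint itself would otherwise let that endpoint pick its own service class.

```python
"""DSCP classification precedence and per-package ToS re-marking on IPv4
headers (added illustration of slides 111-112, not Cisco code)."""
import struct

# ASSUMED DSCP -> service table (the slides mention 7 values but do not list them).
DSCP_TO_SERVICE = {46: "VoIP", 34: "Video", 8: "P2P", 0: "Browsing"}   # EF, AF41, CS1, BE

# ASSUMED marking policy keyed by (package, service, direction).
MARK_POLICY = {
    ("Gold", "VoIP", "upstream"): 46,
    ("Gold", "VoIP", "downstream"): 46,
    ("Gold", "P2P", "upstream"): 8,
    ("Bronze", "P2P", "upstream"): 8,
    ("Bronze", "P2P", "downstream"): 8,
}


def dscp_of(tos):
    """DSCP is the upper six bits of the ToS byte; the low two bits are ECN."""
    return tos >> 2


def tos_with_dscp(tos, dscp):
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return (dscp << 2) | (tos & 0x03)        # preserve the ECN bits


def classify(tos, signature_service, marked_by_trusted_element):
    """DSCP-based classification wins over the signature result, but only when
    the mark came from an element the operator trusts to set it."""
    if marked_by_trusted_element:
        service = DSCP_TO_SERVICE.get(dscp_of(tos))
        if service is not None:
            return service
    return signature_service


def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(tos, src, dst, payload_len=0):
    """Constructed minimal 20-byte IPv4/UDP header with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000, 64, 17, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def remark(packet, package, service, direction, policy=MARK_POLICY):
    """Rewrite the DSCP for (package, service, direction) and fix the header
    checksum; packets with no matching rule are returned untouched."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    dscp = policy.get((package, service, direction))
    if dscp is None:
        return packet
    hdr = bytearray(packet[:ihl])
    hdr[1] = tos_with_dscp(hdr[1], dscp)
    hdr[10:12] = b"\x00\x00"                 # checksum is computed over a zeroed field
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]
```

`remark` recomputes the header checksum after changing the ToS byte; a marker that forgets this produces packets that the next router silently drops, which shows up as a per-package loss pattern that is hard to trace back to the policy change.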
Summary

Cisco SCE Sample Customers
Figure: customer logos grouped by access type: Mobile, DSL, Cable.

Figure: partner and customer table (column assignment not recoverable from the extraction)
Categories: Security & Content Filtering; Policy & Billing; URL Black-listing; Advertising
NTT, Cable & Wireless, Tiscali
Vodacom, Cable & Wireless, Watanya, NTT
Camiant, Openet, HP Mediation, Broadhop, Bridgewater, FTS
Aladdin, Websense, Adaptive Mobile
Websense, In-platform Cache
ONO, YouSee, T-Mobile
Vodafone, KDG
Rogers, T-Malaysia, T-Mobile, TV Cabo, CampW
Phorm, Feeva, Adzilla, Local China, Local Italy
UK DSL provider, Italian DSL provider, CTT, China Mobile, Korean Telecom

Figure: partner and customer table, continued (column assignment not recoverable from the extraction)
Categories: Flash Caching / Video; Content Infringement; Management / Reporting; Data Warehousing
Oversi, CDS
Audible Magic, Advestigo, Altnet
Proxy, Business Objectives, Comability, Aqsacom, Info Vista
Business Objects, Oracle
Various European and Asian Operators
European Legislators
Content providers, Initial POCs
Telecom Italia
CYTA
Orange, T-Mobile, Telenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 101
Radius
Ra
diu
s
Subscriber ManagerRadius Integration - Pull
Internal SDB
SCE device Controller
Event Manager
B-RAS
NETWORK
Cisco Subscriber Manager
(RADIUS)
ACCT Start
Username=Joe
Framed-IP-Address=1234
1
(RADIUS RELAY)
ACCT Start
Username=Joe
Framed-IP-Address=1234
SCE-VAS-PID=12
2
(SM-API)
Set Subscriber
(Joe1234 12)
4
Who is using IP
12343
Traffic from joe (IP 1234)
SUBSCRIBERS
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 102
RADIUS attributes
User-Name
NAS-Identifier
Framed-IP-Address
Vendor-Specific
DHCP
yiaddr chaddr ciaddr
Options Relay-agent-information-remote-ID (822) lease-time (51) vendor-specific (43) message-type (53)
Radius IntegrationLEGs translation in Brief
SM
SCE-Sniffer
RADIUS LEG
RADIUS Listener
LEG
CNR LEGSCE-Sniffer
DHCP LEG
DHCP lease
query LEG
Login
Subscriber ID
Domain
Mappings
Lease time
Policy
Logout
Subscriber ID
Mappings
RADIUS LEGs
DHCP LEGs
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 103
Policy Server IntegrationAPI Overview
SCA BB exposes several APIs for external utilities
The following APIs available for integration
SCE API ndash allows direct Subscriber Management with the SCE (provided in Java)
SM API ndash allows dynamic Subscriber management (provided in C Java)
SCE MIB ndash allows integration for maintenance operation
RDRs ndash allows integration for billingquota provisioning issues
NetFlow v9 - allows integration for billingquota provisioning cases
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 104
Policy Servers IntegrationTopology Example
SCMS SM is responsible for mapping Network ID to Subscriber ID with one or more policy servers
The number of policy servers depends on whether the SM is used for policy profile provisioning in addition to the network ID
API
SCE
SubscriberManager
Policy Server
API
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 105
PCEF - Subscriber Policy Enforcement
GGSN
Access Aggregation
and Service Control
bullConverged
Packet
Core
bullInternet
35
Subscriber Service Control
VideoVoIP
Applications and Services
1
2
4
PCEF SCE
SCE acting as a 3GPPP PCEF
Applying per user policies (eg
bandwidth control VoIP
detection etc) after requesting
the subscriberrsquos profile from a
PCRF Policy Server
Communication with the PCRF
through a standard Gx interface
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 106
Gx Interface And Radius VSAs SCE supports policy provisioning via the Gx interface over
Diameter
SCE policy attributes that can be provisioned include package-ID subscriber-monitor upstream-virtual-link and downstream-virtual-link
3GPP Subscriber Attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing GxGy messages
Attributes supported include
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 107
Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 Records sent to external NetFlow Collector
RDRs are sent to ―Collection Manager for processing
Cisco Bundled Collection Manager
Third party database
Configurable data granularity
Interval between RDRs
Sample rates
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 108
Collection ManagerRDR Protocol
Usage Data streamed from device using RDR Protocol
TCP binary encoded
Support for multiple destination failover subscriptions
RDR-Protocol integrated directly into 3rd party systems
Policy-Control Mediation Home grown customer
RDR Protocol
MediationCollectionPlatformTCP
Header Field 0 Field 1 Field n
RDR RDR RDR RDR RDRRDR Stream
RDR
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 109
Collection ManagerNetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended protocol to include L7 fields as part of Cisco pre-standard
SCE supports new extensions
Records equivalent to existing RDR groups
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 60
NetFlow ReporterSCMS Reporter
SCMS Collection Manager NetFlow Collector
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 110
Collection ManagerSoftware Overview
CM-Software
Unix (Solaris Linux) Java software
Collection software stores data in any JDBC compliant database (Oracle MySQL Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 111
ToS Marking
ToS Marking decoupled from the queuing mechanism
Provides a simplified GUI configuration based on 7 selective DSCP values
Once an application was classified the SCE ToS Marking capability provides the ability to mark traffic
ndashPer Package
ndashPer Service
ndashPer Direction (aka Upstream Downstream)
NetworkSubscriber
Side
Network
Side
Upstream FlowsDownstream Flows
BrowsingP2PVoIP
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 112
SCE provides traffic classification based no ToS bits
ToS based classification assumes that DSCP or IP-Precedence have been set by another element in the network
The main goal of this functionality is to classify the traffic based on this ToS marking and provide the appropriate service level accordingly
DSCP-based classification takes precedence over other classification methods (signatures etc) and is based on the Flavor mechanism
ToS Classification
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 113
Summary
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 114
Mobile Mobile
DSL DSL
Cable Cable
Cisco SCE Sample Customers
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 115
Security amp ContentFiltering
Policy amp Billing
URL Black-listing
NTTCable amp WirelessTiscali
VodacomCable amp WirelessWatanyaNTT
CamiantOpenetHP MediationBroadhopBridgewaterFTS
AladdinWebsenseAdaptive Mobile
WebsenseIn platform Cache
ONOYouSeeT-Mobile
VodafoneKDG
RogersT-MalaysiaT-MobileTV CaboCampW
Advertising
PhormFeevaAdzillaLocal ChinaLocal Italy
UK DSL providerItalian DSL providerCTT China MobileKorean Telecom
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 116
Flash CachingVideo
ContentInfringement
ManagementReporting
Data Warehousing
OversiCDS
Audible MagicAdvestigoAltnet
ProxyBusiness ObjectivesComabilityAqsacomInfo Vista
Business ObjectsOracle
Various European and AsianOperators
EuropeanLegislators
Content providersInitial POClsquos
Telecom Italia
CYTA
OrangeT-MobileTelenet
copy 2007 Cisco Systems Inc All rights reserved Cisco ConfidentialPresentation_ID 117

PCEF - Subscriber Policy Enforcement
[Diagram: GGSN (access aggregation and service control) between the converged packet core and the Internet; the SCE acting as PCEF sits in the subscriber service control path for Video/VoIP applications and services]
SCE acting as a 3GPP PCEF: applying per-user policies (e.g. bandwidth control, VoIP detection, etc.) after requesting the subscriber's profile from a PCRF Policy Server
Communication with the PCRF through a standard Gx interface
The Gx interface is still under development and will be available in a future release

Gx Interface and RADIUS VSAs
SCE supports policy provisioning via the Gx interface over Diameter
SCE policy attributes that can be provisioned include package-ID, subscriber-monitor, upstream-virtual-link and downstream-virtual-link
3GPP subscriber attributes can be provisioned to the SCE by the PCRF over the SCE API and included in SCE outgoing Gx/Gy messages
Attributes supported include:
Called-Station-Id
3GPP-SGSN-IP-Address
3GPP-SGSN-MCC-MNC
3GPP-GPRS-Negotiated-QoS-Profile
3GPP-Charging-Characteristics
The Gx interface is still under development and will be available in a future release
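An added example, not Cisco's code, showing how the five attributes listed above travel in RADIUS: Called-Station-Id as standard attribute 30, and the four 3GPP attributes as sub-attributes of Vendor-Specific attribute 26 under the 3GPP enterprise number 10415 with the sub-type codes from 3GPP TS 29.061. The sample values are constructed, and the decoder rejects any length that does not fit the buffer instead of reading past it.

```python
"""Encode and decode the 3GPP RADIUS VSAs named on the slide (added example)."""
import ipaddress
import struct

VENDOR_3GPP = 10415           # IANA enterprise number for 3GPP
ATTR_CALLED_STATION_ID = 30   # standard RADIUS attribute; carries the APN in GPRS
ATTR_VENDOR_SPECIFIC = 26

# Sub-attribute codes from 3GPP TS 29.061 for the attributes on the slide.
VSA_3GPP = {
    5: "3GPP-GPRS-Negotiated-QoS-Profile",
    6: "3GPP-SGSN-IP-Address",          # TS 29.061 name: 3GPP-SGSN-Address
    13: "3GPP-Charging-Characteristics",
    18: "3GPP-SGSN-MCC-MNC",
}
NAME_TO_CODE = {name: code for code, name in VSA_3GPP.items()}


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:                # type + length + value must fit in 255 bytes
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_3gpp_vsa(name: str, value) -> bytes:
    """Wrap one 3GPP sub-attribute in a Vendor-Specific attribute:
    type 26 | length | vendor-id (4 bytes) | sub-type | sub-length | value."""
    code = NAME_TO_CODE[name]
    if name == "3GPP-SGSN-IP-Address":
        raw = ipaddress.IPv4Address(value).packed
    else:
        raw = value.encode("utf-8")
    sub = struct.pack("!BB", code, 2 + len(raw)) + raw
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + sub)


def encode_called_station_id(apn: str) -> bytes:
    return _attr(ATTR_CALLED_STATION_ID, apn.encode("utf-8"))


def decode_attributes(buf: bytes) -> dict:
    """Parse a run of RADIUS attributes into {name: value}. Raises ValueError on
    any length that does not fit the buffer: a truncated or malicious message
    is rejected rather than read past its end or silently accepted."""
    out, pos = {}, 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = buf[pos + 2:pos + alen]
        if atype == ATTR_CALLED_STATION_ID:
            out["Called-Station-Id"] = value.decode("utf-8")
        elif atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:          # vendor id + at least one sub-attribute header
                raise ValueError("vendor-specific attribute too short")
            if struct.unpack("!I", value[:4])[0] == VENDOR_3GPP:
                out.update(_decode_3gpp_sub(value[4:]))
        pos += alen                     # other attribute types are skipped
    return out


def _decode_3gpp_sub(data: bytes) -> dict:
    out, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-attribute")
        code, slen = data[pos], data[pos + 1]
        if slen < 2 or pos + slen > len(data):
            raise ValueError(f"bad sub-attribute length {slen}")
        raw = data[pos + 2:pos + slen]
        name = VSA_3GPP.get(code)
        if name == "3GPP-SGSN-IP-Address":
            if len(raw) != 4:
                raise ValueError("3GPP-SGSN-Address must be a 4-byte IPv4 address")
            out[name] = str(ipaddress.IPv4Address(raw))
        elif name is not None:
            out[name] = raw.decode("utf-8")
        pos += slen                     # unknown 3GPP sub-attributes are skipped
    return out


def is_well_formed(buf: bytes) -> bool:
    """True when every attribute and sub-attribute length fits the buffer."""
    try:
        decode_attributes(buf)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def build_sample() -> bytes:
    """Constructed attribute run carrying the five attributes from the slide."""
    return b"".join([
        encode_called_station_id("internet.example"),
        encode_3gpp_vsa("3GPP-SGSN-IP-Address", "192.0.2.1"),
        encode_3gpp_vsa("3GPP-SGSN-MCC-MNC", "26201"),
        encode_3gpp_vsa("3GPP-GPRS-Negotiated-QoS-Profile", "99-23921F9396D96FE000"),
        encode_3gpp_vsa("3GPP-Charging-Characteristics", "0800"),
    ])
```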

Collection Manager
Analysis and data processing functions of the SCE result in the generation of NetFlow v9 records and Raw Data Records (RDRs)
NetFlow v9 records are sent to an external NetFlow Collector
RDRs are sent to the "Collection Manager" for processing:
Cisco bundled Collection Manager
Third-party database
Configurable data granularity:
Interval between RDRs
Sample rates

Collection Manager: RDR Protocol
Usage data streamed from the device using the RDR Protocol
TCP, binary encoded
Support for multiple destinations, failover, subscriptions
RDR Protocol integrated directly into 3rd-party systems: policy control, mediation, home-grown customer systems
[Diagram: the SCE streams RDRs over TCP to a mediation/collection platform; each RDR carries a Header followed by Field 0, Field 1, ..., Field n, and the RDR stream is a sequence of such records]

Collection Manager: NetFlow v9 Export
NetFlow Export v9 to support L7 report records
Regulatory bodies extended the protocol to include L7 fields as part of a Cisco pre-standard
SCE supports the new extensions
Records equivalent to existing RDR groups:
Subscriber Usage (NUR)
Package Usage (PUR)
Link Usage (LUR)
Format supported by various NetFlow collectors including Cisco NFC 6.0
[Diagram: the SCE exports to both the SCMS Collection Manager (SCMS Reporter) and a NetFlow Collector (NetFlow Reporter)]
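An added example, not Cisco's collector or exporter code, of the template-driven NetFlow v9 format the slide refers to: one export packet is built the way an exporter would send it (template FlowSet, then data FlowSet) and decoded the way a collector must handle it. The field type IDs are the standard ones from RFC 3954; the SCE's L7 extension type IDs are not on the slide, so `L7_APP_ID_PLACEHOLDER` is a made-up placeholder, and the flow values are constructed.

```python
"""Minimal template-driven NetFlow v9 encoder/decoder (added example, not
Cisco's code). Templates are cached per (source id, template id), data for a
template not yet seen is counted and skipped rather than mis-decoded, and
every FlowSet length is checked before slicing."""
import struct

NETFLOW_V9 = 9
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unixSecs, sequence, sourceId

# Standard v9 field types (RFC 3954). L7_APP_ID_PLACEHOLDER is a made-up type
# that only shows how a template carries an extension field.
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
L7_APP_ID_PLACEHOLDER = 65000
FIELD_NAMES = {IN_BYTES: "in_bytes", IN_PKTS: "in_pkts", PROTOCOL: "protocol",
               L4_SRC_PORT: "src_port", IPV4_SRC_ADDR: "src_addr",
               L4_DST_PORT: "dst_port", IPV4_DST_ADDR: "dst_addr",
               L7_APP_ID_PLACEHOLDER: "l7_app_id_placeholder"}


def build_packet(template_id, fields, records, source_id=1, seq=1):
    """Exporter side. fields: [(type, length), ...]; records: dicts keyed by type."""
    tmpl = struct.pack("!HH", template_id, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    data = b"".join(_encode_field(l, r[t]) for r in records for t, l in fields)
    pad = (-len(data)) % 4                           # FlowSets are 4-byte aligned
    data_set = struct.pack("!HH", template_id, 4 + len(data) + pad) + data + b"\0" * pad
    hdr = HEADER.pack(NETFLOW_V9, 1 + len(records), 0, 0, seq, source_id)
    return hdr + tmpl_set + data_set


def _encode_field(length, value):
    if isinstance(value, str):                       # dotted IPv4 address
        return bytes(int(x) for x in value.split("."))
    return value.to_bytes(length, "big")


def _decode_field(ftype, raw):
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def decode_packet(pkt, templates):
    """Collector side. Returns (records, skipped_flowsets); `templates` is the
    collector's cache {(source_id, template_id): fields}, updated in place."""
    if len(pkt) < HEADER.size:
        raise ValueError("short header")
    version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(pkt)
    if version != NETFLOW_V9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    records, skipped, pos = [], 0, HEADER.size
    while pos + 4 <= len(pkt):
        set_id, set_len = struct.unpack_from("!HH", pkt, pos)
        if set_len < 4 or pos + set_len > len(pkt):
            raise ValueError(f"bad FlowSet length {set_len} at offset {pos}")
        body = pkt[pos + 4:pos + set_len]
        if set_id == 0:                              # template FlowSet
            _parse_templates(body, source_id, templates)
        elif set_id > 255:                           # data FlowSet
            fields = templates.get((source_id, set_id))
            if fields is None:
                skipped += 1                         # data arrived before its template
            else:
                records.extend(_parse_data(body, fields))
        pos += set_len                               # ids 1..255 are reserved; skipped
    return records, skipped


def _parse_templates(body, source_id, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + 4 * count > len(body):
            raise ValueError("truncated template record")
        templates[(source_id, tid)] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                       for i in range(count)]
        pos += 4 * count


def _parse_data(body, fields):
    rec_len = sum(l for _, l in fields)
    if rec_len == 0:                                 # degenerate template: no records
        return []
    out, pos = [], 0
    while pos + rec_len <= len(body):                # trailing bytes are padding
        rec, off = {}, pos
        for ftype, flen in fields:
            rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = _decode_field(ftype, body[off:off + flen])
            off += flen
        out.append(rec)
        pos += rec_len
    return out


def sample_export():
    """Constructed export: one template and two made-up flow records."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4), (L7_APP_ID_PLACEHOLDER, 2)]
    recs = [{8: "192.0.2.10", 12: "198.51.100.7", 7: 51234, 11: 443, 4: 6, 1: 8100, 2: 12, 65000: 7},
            {8: "192.0.2.11", 12: "198.51.100.9", 7: 5060, 11: 5060, 4: 17, 1: 600, 2: 2, 65000: 3}]
    return build_packet(256, fields, recs)
```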

Collection Manager: Software Overview
CM-Software
Unix (Solaris, Linux) Java software
Collection software stores data in any JDBC-compliant database (Oracle, MySQL, Sybase)
Template-driven reporting tool (100+ report templates)
CM-Bundle
Cisco provides collection software pre-packaged with a DB (Sybase)
Template-driven reporting tool (100+ report templates)