3G国际漫游GRX网络系统培训讲义part2

1Aicent,Inc.ProprietaryandConfidentialAICENT2Aicent,Inc.ProprietaryandConfidentialAgenda(Part2)3GRXNetworkTopology3GRXConnectionSetup3GRXEnd-to-EndQoSDNSConfigurationandSetupFirewallConfigurationSetupNew3GRoamingPartnerNetworkSupportProcedure3Aicent,Inc.ProprietaryandConfidentialAicentGRX/3GRXNetworkOneofthelargestglobalGRXproviders‰60+GPRS/3Goperatorsinallmajorcontinents‰4world’slargestGSMoperators‰1+billiondirectlycoveredsubscribers‰19Peeringarrangements‰450+GPRS/3Gnetworksworldwide‰4500+roamingcommercialroutes4Aicent,Inc.ProprietaryandConfidentialAicentGRX/3GRXArchitecture2.5G/3GoperatorBorderGatewayPOPPOPPOPPOPPOPCoreBackboneAcessLayerPPPPPEPEPERootDNSLANIO-MMSetc.VASLANNMSLANPEPEPE2.5G/3GoperatorBorderGateway2.5G/3GoperatorBorderGatewayPeerPeeringGRXandGPRS5Aicent,Inc.ProprietaryandConfidentialAicentGRXNetwork-NetworkSupportedbyBusinessPartnersASIA-PACSub-MarineCableChina–USAJapan–USAAPCNAPCN2SouthCrossingSee-Me-WePrivateCable:ANC(AGC),FLAG,REACH,C2CJAPAN-USAUSTRALIA-JAPANSouthernCrossFlagSouthAsiaLoopFlagNorthAsiaLoopAustraliaJapanMalaysiaSingaporeChinaSouthKoreaGuamHawaiiHongKongNewZealandFijiUSCHINA-USPC-1EACTaiwan6Aicent,Inc.ProprietaryandConfidentialNetworkTopology-IPLCoverEACasthebackuproute7Aicent,Inc.ProprietaryandConfidentialAgenda(Part2)3GRXNetworkTopology3GRXConnectionSetup3GRXEnd-to-EndQoSDNSConfigurationandSetupFirewallConfigurationSetupNew3GRoamingPartnerNetworkSupportProcedure8Aicent,Inc.ProprietaryandConfidentialIPVPNandLLCConnectionsIPVPN:GREoverIPSecTunnel„IPSec:(SecureInternetProtocol):toencryptpacketsoverInternet„GRE(GenericRoutingEncapsulation):tosolveroutingissuePro:„IPVPNcansavemuchcostwhenGRPSRoamingtrafficissmallCon:„IPVPNdependsonthereliabilityofpublicInternetInternetAicentOperatorISPISPPhysicalconnectiontoISPGREIPSecGPRSRoamingtraffic:--BGP--GTP--DNS--ICMP--etc.9Aicent,Inc.ProprietaryandConfidentialIPVPNandLLCConnectionsLocalLeasedlineCircuit„DirectphysicalconnectionbetweenOperatorandAicent„LLChastheguaranteedend-to-endsecurity,noIPSecisneededanymore„Pro:LLCismorereliablethanIPVPN„Con:MorecostisforLeaseLineCircuitCircuitSwitchingnetworkAicentOperatorPhysicalConnectionGPRSRoamingtraffic:--BGP--GTP--DNS--ICMP--etc.10Aicent,Inc.ProprietaryandConfidentialAccesstoAicentCRXNetworkRemoteAccessOption1AccessLinkServiceProviderAicentCRX/GRXNetworkPLMNPEBGAicent抯ResponsibilityMobileOperator抯ResponsibilitySLAcommitmentboundaryAicentPOPCustomerPOP11Aicent,Inc.ProprietaryandConfidentialAccesstoAicentCRXNetworkRemoteAccessOption2AccessLinkServiceProviderAicentCRX/GRXNetworkPLMNPEBGAicent抯ResponsibilityMobileOperator抯ResponsibilitySLAcommitmentboundaryAicentPOPCustomerPOP12Aicent,Inc.ProprietaryandConfidentialAccesstoAicentCRXNetworkLocalAccessOptionAccessLinkServiceProviderAicentCRX/GRXNetworkPLMNPBGAicent抯ResponsibilityMobileOperator抯ResponsibilitySLAcommitmentboundaryPECustomerPOPAicentPOP13Aicent,Inc.ProprietaryandConfidentialNetworkConnectionSetupInternetconnectionfromOperatorgatewayroutertoAicentGRXedgerouter(IPVPN)ConfigureIPSectunnelonbothsidesrouters(IPVPN)GRE/IPSecTunnelSetup(IPVPN)BGPRoutingsetup(IPVPN&LLC)14Aicent,Inc.ProprietaryandConfidentialNetworkConnectionSetup(IPVPN)Step1:InternetconnectionfromOperatorgatewayroutertoAicentGRXedgerouter„BothfirewallsettingsneedtoallowIPtrafficbetweentwoIPaddresses„Or,onlyopenthefollowingtrafficbetweentwoIPaddresses:ŠUDPisakmptraffic—IPSecsignalingpacketsŠESPtraffic–IPSecencryptedpacketsŠICMPtraffic--fortroubleshootingpurpose15Aicent,Inc.ProprietaryandConfidentialNetworkConnectionSetup(IPVPN)Step2:ConfigureIPSectunnelonbothsidesrouters.Step3:GRE/IPSecTunnelSetup„Parametersinclude:ŠTunnelIPaddress:64.124.206.125ŠTunnelsourceIPaddress:202.75.143.110ŠTunneldestinationIPaddress:203.208.128.120ŠOthers:„MTUmightneedtobechangedfrom1476bytesto1500bytesinsomecases.16Aicent,Inc.ProprietaryandConfidentialNetworkConnectionSetupBothIPVPNandLLCStep4:BGPRoutingsetup„Parametersinclude:ŠASNumbersassignedfromGSMAssociationforGPRSRoamingorassignedfromInternetNICŠInterfaceIPthatBGPwillusetobuildupBGPsession„ForIPVPNconnection,GRETunnelIPwillbeused„ForLLCconnection,serialinterfaceIPwillbeusedŠNetworksubnetsinformationthatwillbeadvertisedtoBGPneighborsinBGPsession.„ForOperator,allGnsubnetsshouldbeadvertisedtoAicent„ForAicent,allRPGnsubnetswillbeadvertisedtoOperator17Aicent,Inc.ProprietaryandConfidentialNetworkConnectionSetupStep5:NetworkConnectionCheck„AicentÆOperatorŠICMPPINGtestfromAicentGRXservicesubnetIPtoOperatorGnsubnetIPaddress„OperatorÆAicentŠICMPPINGtestfromOperatorGnsubnetIPtoAicentGRXServicesubnetIPaddress„Forexample:„OnOperatorDNS:ping202.123.213.94.“202.123.213.94isalive”isexpected.„OnAicentROOTDNS:ping202.75.170.172.“202.75.170.172isalive”isexpected202.123.213.94202.75.170.172ICMPPING18Aicent,Inc.ProprietaryandConfidential网络连接方案Aicent在联通北京，广州机房放置CPE，以以太网连接联通北京/广州的网关路由器由Aicent提供155M专线，从北京，广州连接到Aicent香港POPAicentGRXChinaUnicomAicentHKPOP2BGAicentHKPOP1CUBJDDF/ODFBGCUGZDDF/ODFBGDDF/ODFBGDDF/ODFCU’sResponsibilityAicent’sResponsibilityCPECPESDH155MSDH155M1